From the Wired article, "Instead of going for the easy bust, the FBI spent a solid year surveilling McGrath, while working with Justice Department lawyers on the legal framework for what would become Operation Torpedo. Finally, on November 2012, the feds swooped in on McGrath, seized his servers and spirited them away to an FBI office in Omaha.
A federal magistrate signed three separate search warrants: one for each of the three hidden services. The warrants authorized the FBI to modify the code on the servers to deliver the NIT to any computers that accessed the sites. The judge also allowed the FBI to delay notification to the targets for 30 days."
The FBI modified the .onion sites to serve a malicious script which was used to de-anonymize users. It's worth noting that only those using Tor improperly would be vulnerable. The FBI tracking payload required scripting to be enabled in the browser--a common blunder among inexperienced Tor users.
(Score: 3, Insightful) by metamonkey on Wednesday August 06 2014, @05:29PM
Depends on the threshold for action. If somebody accessed the home page and then immediately clicked out (didn't send any more requests for that service) then they shouldn't be targeted. Just make the threshold something like "must have downloaded at least 10 pictures" and I don't think it's much different than any other sting operation that law enforcement operates in meatspace to combat drugs or guns.
Okay 3, 2, 1, let's jam.
(Score: 2) by keplr on Wednesday August 06 2014, @05:39PM
Define download. Just visiting a page causes its entire contents to be "downloaded" to your computer, and usually cached to the HDD which persists even if you abruptly close the window. I don't know how the site was designed, but it's entirely possible that the homepage itself contained illegal images.
I don't respond to ACs.
(Score: 2) by metamonkey on Wednesday August 06 2014, @06:23PM
Since the FBI was hosting the honeypot and would also be defining the threshold of an arrest-worthy offense, I would assume they would take this into account. On the Google Analytics dashboard I have for my website it shows you the bounce rate. What percentage of people never make it past your first page, and how long they stuck around for. Since this attack worked by running a script in the target's browser, I would imagine they could record such information.
I'm doing a lot of imagining here, but I would also imagine they would want to record such information as it would help the prosecution's case. If there's a mens rea requirement to the applicable laws (and there always should be, but the last 20 years of legislation, not so much) then the prosecution would have to prove that the defendant knowingly and willfully accessed this information. "I clicked on it, it opened up, and the instant I saw what it was I closed the browser" is a legitimate defense. So having a log from the server and script showing that the defendant opened up the site, looked at the front page for 30 seconds and then went through clicking every link would be useful evidence.
Okay 3, 2, 1, let's jam.
(Score: 2) by bob_super on Wednesday August 06 2014, @06:57PM
> On the Google Analytics dashboard ...
I'm not paranoid enough to use TOR, but my NoScript has been told to always block Google Analytics and similar scripts. What are the odds that the feds would have and be willing to use that actual information, rather than pat themselves on the back for filling more jail cells?
(Score: 2, Interesting) by Anonymous Coward on Wednesday August 06 2014, @07:02PM
> If there's a mens rea requirement to the applicable law
There is no mens rea requirement for child abuse imagery, [yalelawtech.org] only the discretion of the prosecutor. Given just how eager people are to turn off their minds when it comes to images of child abuse, the prosecutor has everything to lose if he does not prosecute. Just look at all those cases where they've prosecuted teenagers for sexting under the theory that they were manufacturing images of child abuse.
(Score: 2) by RaffArundel on Wednesday August 06 2014, @06:14PM
Perhaps there was a threshold, otherwise there would be a lot of wasted court time if not. I can imagine the defense would definitely seize the click-bait approach - a "Rick-Roll" defense most likely, since I doubt there would be a lot of sympathy for goatse/tubgirl in the courtroom.
However, my concern is more around if using an anonymizing service lowered the bar. I could see the government saying "yeah, he clicked once, but WHY WAS HE HIDING HIS TRACKS IF IT WAS AN ACCIDENT?!?!" which sets a very bad precedent. I'm less concerned over hemocyanin's quote from TFA, which is much appreciated, that this was "an egregious violation of the Fourth Amendment" from the defense lawyers. They actually obtained warrants and set up a sting operation under judicial review and approval. I like that better than the "secret-court-with-no-oversight-or-fake-a-911-call-to-send-in-the-overmilitarized-police" approach in other cases.
If it were up to me, I'd shut it down or replace the page with a big fat notice: "law enforcement was here". The idea of people doing this disgusts me, which is why it is hard to talk about "rights" rationally when there is a legitimate think-of-the-children argument. Sting operation would be tempting, but you are targeting consumers not creators, so not worth it IMO.