Slashdot Mirror
The Story of the Pedophile-catching Hacker
missing30 writes "A Turkish hacker seeding usenet groups with trojan horses has made it a habit to hunt down pedophiles trolling the groups. The cases go back to 2000, with the mysterious good samaritan responsible for several arrests. The man now has tacit approval from the FBI for his actions." From the article: "At the urging of Montgomery Police Capt. Kevin Murphy, '1069' eventually turned over more and more information that led back to a computer owned by Bradley Joseph Steiger, who had worked as an emergency room physician in Alabama. The hacker's finds included information from Steiger's AT&T WorldNet account, records from his checking account, and a list of directories on his computer's hard drive where sexually explicit photographs were stored."
I say the ends don't justify the means.
I don't think the police should be allowed to use illicitly gained information or that they should be allowed to encourage private citizens to commit felonies.
>
>"we have not seen anything to indicate that this person is other than...a citizen of Turkey."
> That turned out not to be entirely true: The FBI actually had made contact with "1069"
>through a U.S. phone number
>
Where does it end?
If it is OK to do to catch pedophiles then it is OK to do the catch terrorists and I know I've read several accounts of where patriot and other anti terror acts have been used for entirely unrelated crimes.
Who will guard the guards?
To hack anyone as long as you say you are hacking to catch "pedophiles"? Sounds more like the FBI trying to side-step normal limitations of spying on people.
Great Intellect...
Only a pedophile would have anything to hide from hackers. I bet you hate America. Please turn yourself in to your nearest police station or orphanage. Thank you.
that's awesome, and it may give those fbi agents a different view on things like the 2600 magazine, Off the Wall/Hook, and Emmanuel Goldstein.
Mild mannered pedophile catcher by day...
Evil identity theif by night.
Next time a hacker will plant the images himself and then get brownie points with the FBI.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Otherwise, anyone in
Oops. Sorry. Those credit card numbers were accidentally leaked, along with your Social Security Number and such.
But at least those Russian "hackers" know you weren't collecting kiddie porn.
This hacker obviously planted that child pornography on my computer with a trojan, in an attempt to blackmail me, a promonent local physician...
I've been doing something similar, I've been stalking around on Napster and the like since about 2000, gathering "evidence". I now have quite a healthy collection of "evidence". I wonder if this will work as a defence when the RIAA come knocking?
This scares the crap out of me. Some third party "hacks" it to a computer of and idividual and claims he/she found child porn/terrist plots/cream cheese recipies....or whatever. Why isnt anyone yelling...... he/she might have just as well planted it themselves how are we to know? He/she had access to the computer. Seems like a real easy way to get someone in trouble they arent going to check. This is the reason the FBI and other "Gov" police agencies have rule that have to be followed. This is sick and very scary. I am not saying that they didnt do it but damn, talk about an easy way to railroad someone.
I find myself torn after reading the issue. Obviously, what hacker 1069 is doing is good and aiding the authorities by stopping the exploitation of children. However, his means are questionable as well as those of the authorities.
What if third party multinationals are allowed to hack into US systems to aid in the capture of terrorists? Obviously, there was a large amount of evidence provided that made sure the pedophiles being caught were definitely guilty, but couldn't evidence just as likely be planted?
What's even more concerning is that this person doesn't seem to be a third party hacker from Istanbul, but an American citizen (note the american telephone number). If this is the case, isn't this a message saying vigilantism (which strikes at the very base of authority, the fact that it is only the government that is allowed to use force against it's citizens) is accepted? If it is accepted in catching pedophiles, which is a pretty black and white case, what about when it enters the gray areas? What about when it starts being entangled with constitutional rights? (Due process of law seems to be a big one involved).
I believe the authorities involved might very easily have started on a slippery slope. Who knows where it will lead? How much do we value due process? How much do we value freedom? How much do we value results, irregardless of how they were gotten?
But remember:
"Any society that would give up a little liberty to gain a little security will deserve neither and lose both." - Benjamin Franklin
A quandry indeed.
The real question is, will this evidence hold up in court?
The legitimate law enforcement agencies use illegally gained information on a regular basis.
How do they get away with it? They don't present that particular information in court. They leverage that information into admissible evidence by converting it into probable cause for a legitimate search. This is the very problem with widespread, illegal monitoring of the public and why the public might be inclined to support the practice, at least until they become the target.
KFG
That's a very disturbing fantasy you got there. May I check your harddrive?
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
As I read the brief article it defiantly made me consider both sides of the story; however, in the end I side with my heart. Fuck the kid touchers, let em' rot. This guy could be doing some real garbage cracking, screwing with legit business and good people, but, he didn't. He went after the scum. I agree 100% with 1069. Go for it!
Before I get the crap flamed out of me I will remind, it's just my opinion.
You know, pedophilia is defined as mental illness in the ICD http://en.wikipedia.org/wiki/ICD .
And pedophilia can be treaten in non-medical and medical therapies.
I don't see a reason to disclose the Name of the pedophile. But I guess that's what infotainment is all about, right?
The fact that the hacker was trying to catch pedophiles is the last concern when figuring out if this is lawful or not. First and foremost, he broke into people's computers and did unlawful things to illicit his information. On those grounds alone it should not be admissible in court. Imagine if you were a store owner and you arrive there one day and see that your place has been broken into and all your files have been gone through. Then you find out that it was just a rogue 'burglar' who breaks into businesses to see if they're legally filing their taxes correctly. The government sides with him and you're left with a hole in your store, thousands of dollars in damages and uncountable damages from the data he might have taken from you, etc... Is that fair or even close to legal? Sure there's lots of hatred towards pedophiles and it's VERY easy to step aside and cheer this because it's presumably dropping their numbers, but the bottom line is it's intirely immoral regardless of whether he's stopping pedophiles, rapists or tax evasion.
Normally I'd agree that taking the law into your own hands is not only illegal but a very bad idea; however, there are always exceptions. 99% of vigilanteism is a bad idea, as it does not entail people taking the law into their own hands to help others in a non-violent way, but usually runs from personal matters gone awry to the militant folks that "help patrol" the U.S.-Mexico border or other groups that believe it their duty to create a mob mentality when handling real or perceived threats (I can't help but add my favorite quote, from Men in Black of all movies: "A person is smart and intuitive; people are dumb, panicky, and dangerous animals").
The difference is, when it comes to pederasty, I can't really think of many methods I wouldn't condone to cull the abomination. However, many people make a great logical fault in believing that they need to make the rules based on the exception (people that try and use pedophilia as the means to creating whatever laws they want) or in believing that the exception must fall under the same rules as all other crimes in being found and prosecuted, lest authorities create abusive legislature on the pretense of catching child molesters.
There is a middle road in all things, and vigilanteism makes a fine one for this. You don't want to give police the rights to do what a blackhat does to find a pedophile, but you want the pedophile caught.
However, the case in point is an exception. The man lives in another country and the FBI, of course, won't and couldn't file charges, but I don't believe that this constitutes "tacit approval"... although the FBI may simply be trying to send a signal to the blackhat community that reads something like "Sweet Christ, we have no fucking idea how to use computers (Database? The fuck is that?), if any of you guys wants to give us a hand in catching these guys, by all means, go ahead. Do whatever you can."
The feds can't approve of someone breaking the law, obviously, or acknowledge that someone without warrants or CARNIVORE can do the job better than the ol' FBI. But they can turn a blind eye to it, if only for the crime of pedophilia and nothing else.
If I recall correctly, wasn't there a hacker group in the U.S. that did this in the late 90's or are still doing this? I distinctly remember seeing a few adverts and hearing a few inquiries about people who wanted to join up in the old hidden IRC rooms way back when. Ah, sweet nostalgia... days of linux shell accounts, little sleep, and keeping an extra machine running only OS/2 Warp, if only out of spite, back when code came so easily. Christ, my mind has addled.
Ex nihilo nihil fit.
If a job's not worth doing, it's not worth doing right.
My immediate reaction to this story was: if '1069' had the capability to break in to a computer to extract images, he also had the opportunity to plant the images there in the first place. A strong line of defense would be to assert that the anonymous 1069 is some sort of vigilante nut who gains access to the computers of innocent people, plants bogus evidence on them, then turns the victims in to authorities.
This whole case has so many holes that the defense could use, I'm amazed that they were able to convict. Stiger's attorney had to have blown it.
Thank you for being that guy. As a pedophile myself, it is very tiring to read of "pedophile-catchers" and how terribly evil pedophiles are. I did not choose to be a pedophile, and it is without my reach to change. Still, it is not hard for me to live a perfectly crimeless life. At 30, I have never had sex with anything but my palm (that statement may not have a very dramatical effect, considering this is Slashdot), and I am at peace with the prospect of dying as a virgin. Dying (and living) alone, however, is not as nice, but you make the best of the cards you've been dealt in life.
How very appropriate that the captcha Slash dealt me was "reject".
While I don't advocate hacking for any other purpose other than to expose threats in an ethical manner, I feel that the good that this man did to bring these pedophiles to justice cancels out the unethical act of hacking those pedophile's computers. Let us say an unethical act like hacking could be expressed in a negative number, such as -3. Let us also say that an ethical act of bringing pedophiles to justice is expressed as a postive number, say 5. You add the sums of the ethical and unethical acts, and together you get 2. The outcome of the actions, and their final sum measured says that in the end, his acts were positivly ethical, overall. Add that to the fact that he is not bound to our laws and opinions of what is right or wrong. This should be considered when forming your opinion on whether the ends justifies the means.
There is nothing compelling this guy to go legit. You really think that this hacker is going to go through four years of school, studying law enforcement, and then emigrate to the US to search for pedophiles online?
All that's happened is that authorities have given a green light for hackers to go after evil people online as vigilanties with absolutely no oversight, including this guy. And you think future hackers aren't going to plant evidence on innocent peoples hard drives for notoriety, or passes from the FBI? How do we know that that hasn't happened in this case?
Vigilante 'justice' is not justice at all. It is simply retribution, and will quickly descend into gang warfare if not stopped by impartial authorities. Regular, civilized impartial justice isn't perfect, but it's far better than the alternative.
Computers are useless. They can only give you answers.
-- Pablo Picasso
1. Why are newsgroups such as this allowed to exist in the first place?
2. The hacker was putting trojans in a newsgroup that existed for the sole purpose of distributing child pornography, which;
3. The arrested went to on his own volition;
4. The FBI didn't contact 1069 and have him hack others' computers; he contacted the FBI with the information;
5. The FBI investigated the arrested person and discovered that not only was he in possession of child pornograph but;
6. He was involved in the manufacture of it by taking photos of himself with his victim, aged 4-6;
7. Let him rot in jail.
The level of hatred isn't really justified, considering that the crimes of rapists, murderers and slave owners(they exist), are far, far worse. People never seem to get to the same level of arousal unless pedophilia is involved in some way. It's not even that major of an issue, despite its oversell by the media.
It's the 21st century's Two Minute Hate, so we can all wax apoplectic at those evil, evil men, and gladly offer up our free society to do so.
May the Maths Be with you!
Your heart lies to you. It tells you about the good things that could be without pointing out their unlikelihood or the bad alternative outcomes.
If 1069 never went after non-pedophiles, and if he never presented false evidence, and if the FBI's use of that evidence didn't violate any rules and encourage the public to come to accept illegal activies from the police, then this could be a good thing. Break any of those ifs, though, and the result is a terrifying distopia that I want no part of.
My heart agrees with you: pedophiles are scum, and as a parent, their mass death wouldn't bother me one bit. However, my brain thinks that we need to step back and re-assess whether we want to revert to vigilante justice, and that due process and rules of evidence are far more important than any individual situation, regardless of how horrid it may be.
Dewey, what part of this looks like authorities should be involved?
And you think future hackers aren't going to plant evidence on innocent peoples hard drives for notoriety, or passes from the FBI?
All the suspect has to do is claim that there's no way that the planted evidence is his, because all of *his* illicit material is encrypted. oops...
I can't believe they'd ask the guy to keep "investigating." It seems to break every basic rule of police procedure and preservation of evidence.
If this guy's defense lawyer isn't a total retard, or if he doesn't blow it and confess under interrogation, he's going to walk.
All he has to say is "hey, I don't know where the porn came from -- my computer was hacked! The police even have proof that some mysterious Turkish guy was in my computer!" And what are the police going to say, ask the judge and jury to take the word of some anonymous guy on IRC, that he didn't plant the evidence?
When you do your 'investigation' that way, they're creating a hole the size of the Titanic.
Look, I don't like defending kiddy pornographers, but it seems like a pretty good defense that there's a good possibility that you're being framed, when all the evidence came to the police by way of some mysterious, psuedonymous foreigner who had the opportunity to plant the material themselves; unless Mr. Turkish Hacker is willing to come and testify, that is.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The entire point of this article is that the information was gathered by committing a crime.
Good point! Let's get rid of them. But then, they could just use alt.slashdot.flamebait instead. Better be safe and shutdown all of usenet.
That's what Mr. Anonymous said. He didn't say he wasn't distributing the virus through other channels as well (see below)
Well, his computer did. And we know his computer was hacked via back-door trojan by someone who trolls said newsgroup.
And we know for sure that 1069 isn't an off-duty (on-duty?) FBI agent with a Turkish accent.
And we have already establish his computer had been hacked into.
Where did you get this? I didn't see that in TFA.
That'll save those kids.
Here is an alternate scenario. A clever pedophile grabs a copy of Sub7 and sends it out into spam. They phone home and he uses those hacked computers to download porn - anonymously and for free. Poor doctor notices his computer is running very slowly and installs anti-virus, which removes Sub7. Bereft of his porn, there is now an angry, but clever pedophile. He anonymously calls the feds and gets the doctor arrested. While the feds are pursing one presumably innocent man, they don't have time to track down 1069.
All we have is a known virus-writer who claims to be doing a community service. Is writing viruses now OK? What if future pedophiles get wise and stop using those groups? Maybe I should seed alt.slashdot.flamebait with my own virus. Eventually I'll find something worth reporting. That would be OK, right?
There's a big difference here. Normally, when you have an informant, they either need to give the police enough information to go and do the investigation themselves and find the conclusive evidence; or, if they come up with the evidence themselves (or provide a lot of very specific information), then they usually have to go and testify in court.
In this case, the 'mystery hacker' basically came up with the evidence (he told them exactly where to find it, and he had ample opportunity to have planted it), but he's not in a position where he could easily testify. Because he had access to the defendant's computer (illegally), but can't come testify (because he's in Turkey, because the police don't know who he is, whatever), it seems like they're giving the guy a good defense that the evidence was planted.
It's just sloppy policework.
For a phyiscal-goods example, it's as if somebody dropped a dime on you and told the police that when they had broken into your car earlier in the day to steal your radio, they saw that you had a baggie of heroin in the ashtray. So the police go and arrest you, and find the bag of heroin. Without being able to track down the informant and get their testimony, or some form of physical evidence linking the bag to you in such a way that doesn't leave you with a planted-evidence defense, they have a pretty weak case. (Unless they can get you to confess, which is actually pretty common.)
I'll be interested in seeing what the outcome of this case actually is. If they guy doesn't negotiate some sort of plea deal, and the only thing they found on his computer was the porn that the hacker told them about, I think he has a pretty good chance of either getting off, or forcing the police to find some way of getting the hacker to come in and testify.
Allowing in evidence that was obtained in this manner would be a mistake, and justice wouldn't be served in the long run by it, even if the immediate consequence was letting the guy off the hook.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I read from the court documents that the evidence collected was physical as well as digital, and that additional evidence...chains, cuffs, etcetera was collected from Steiger's home that also appeared in the photographs.
Yes, there are several ways to tell if and when files have been modified, NONE of which can't be subverted by a capable hacker.
If this guy is clever enough to deploy trojans, he's in the business of fooling people, and your typical "forensic specialist" would be a pushover to him. Your statement does not match reality... it may get more airplay because many expert witnesses, especially in the field of technology, are more politicians than technologists and the court doesn't know better, but it won't fly here.
This reminds me of the recent publicity over the VA laptop computer that was stolen, and the feds claimed they recovered it and the data was "untouched". 90% of everyone who routinely participates on Slashdot knows that's a total load of bullshit. The VA data, encrypted or not, could have been copied without anyone ever knowing. Save those lies for people who know better.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Even if you can unambiguously date every file, that only makes a set up harder, not impossible.
Consider the following (rather extreme) thought experiment:
You create a trojan that downloads a bunch of child porn to some out of the way place on the infected computer and then removes itself. You selectively distribute it to individual users, so as to make discovery less likely. Perhaps you make it fairly smart, so that it hunts for directories containing legal porn and hides material there or in an analogously labeled place.
Then, ten months later, you release a very simple trojan that installs itself, looks for child porn using a very general search, and then reports what it finds. Make sure your victim gets it, and also post it to child porn usenet groups and other seemingly incriminating places in order to distribute it as widely as possible.
Then, when it finds the porn on your victim's computer, you go the FBI. Tell them what you found, and give them the source code to your new trojan. They take a close look at your victim's hard drive and find your trojan right where you said it would be, no other backdoors or exploits, and a 10 month old stash of kiddie porn.
I'm no computer forensics expert, but trying to prove that a machine has never been infected by software able to download material and then remove itself seems pretty close to impossible, at least if you don't know exactly what you're looking for. (Sure, there are security policies that would make such an identification possible, but I imagine a large number of home pc users don't employ them.)
If you're lucky enough to find a really tasty exploit in some exisiting software (like an unpatched browser) you might even be able to get by without ever writting anything (except the pornographic images) to the hard drive.
Now, I will readily agree this is a pretty extreme example. But, if it weren't for ethical constraints, I or thousands of other slashdot readers could pull this off, given a few months of work and a suitable victim (a windows user who's lazy about patches and doesn't run a good virus checker). There are plenty of personal grudges out there that would compel someone to go to this much trouble to set up a foe. And, if you are lucky enough to make friends with some organized crime types, you could probably turn a nice profit offering it as a service.
Now, if you really want to go to town and are willing to risk early discovery, you modify the user's software so that it adds a few MB of kiddy porn to every burned CD and DVD and then mounts them with a filter that removes any sign of their existence. Now the FBI finds physical media obviously burned and handled by the victim, containing child porn. Your victim is going to have a tough time explaining that he had no idea that the DVD he burned of legal porn also contained a directory called "young children" full of explicit images.
Again, because he said so? Otherwise, breaking into a computer is as close to tampering as it can get.
Unless you assume the victim of the hack to be guilty in the first place, then yes, there were no innocents.
I can't think how this whole thing could be any more fishy. You jump to judging the guy and praising the hacker, because the subject is child porn; or to apply the meme: "Won't somebody think of the children!"
It's scary how you dismiss due process because the crime gets to you on a personal level or whatever.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
The NYT recently published a chilling study of Internet usage by pedophiles who did much worse than simply store dirty pictures on their hard drives.
I read the New York Times article, and it was far from "chilling". I think it would be more accurately described as sensationalistic. What exactly were the pedophiles doing on the internet that was worse than storing dirty pictures on their hard drives? Chatting with each other? Oh the horror!
A ten-year prison sentence for knowingly abetting a felony on the Internet could help
Please explain, Captain Think-of-the-children, what you mean by this statement. Are you suggesting there should be a 10 year sentence for approving of certain actions? If I say, "I approve of girls having sex at the age of 15," I should go to prison for 10 years? So much for freedom of speech.
If crime in the U.S. reaches the level it has in the former Soviet Union, there will be no Bill of Rights left to protect.
This type of statement is often used to argue, "In order to save the Bill of Rights, we have to ignore the Bill of Rights." Complete rubbish. If you want to abandon the Bill of Rights and everything the United States is supposed to stand for, just come out and say it.
As the target machines where infected with Sub7, why wouldn't the FBI get a warrant to access the trojanned machine themselves the Sub7 back door?
Gary McKinnon is "not a citizen of the United States and are not bound by our laws" and yet he was extradited to face trial in the US. He was accessing Pentagon, NASA, US Air Force and other DoD facilities in 2001 and 2002 the same time 1069 was breaking into private US citzen's systems.
As usual, it's one law for private individuals, one law for the poice.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
"My heart agrees with you: pedophiles are scum, and as a parent, their mass death wouldn't bother me one bit."
Well it would have to be a mass murder, because there are a lot of us and we aren't going anywhere. You may put a few hundred paedophiles in prison on child porn charges and some of the 10% of child sex abuses which are committed by paedophiles might result in prison sentences (and rightly so if it's sex abuse), however if you think you're going to have the 33% of people who have at least some attraction to children, or the 5-25% who are technically paedophiles killed, you're fooling yourself. It's not illegal to be a paedophile, because it is not illegal to exist, however it is illegal to abuse children and download child porn.
For the record, the huge majority of us spend time with children, without needing sexual relationships. I spend time with my younger brother's friend and I'm going to become a teacher. I don't need sex with young boys, even though I find them sexually attractive; spending time with them is enough.
People won't be able to fight paeds so hard in the future, because we're fighting back. See AN if you want an example.
And, if you're really so terrified of us, maybe you should learn more
~ BLue
"To the future or to the past, to a time when thought is free" ~ Nineteen Eighty-Four
For all the reasons you've listed 1069 isn't performing performing any good, but a grave injustice.
Hard to believe a caring human being could hold such a morally awful position.
Looking at the facts of the case as stated, the result appears to be that two children were saved from sexual servitude or even horrible deaths and that two pederasts were jailed. If what we are told is true, justice was clearly done -- if you wish to refute me, please identify who is being unjustly treated. The childen? The criminals? The police? Please do not claim that you, as a representative of the "people", are experiencing an injustice, because you are not.
If this hacker really did present the police with information which would allow them to save two children from sexual abuse, what would you have wanted to happen?
I believe what you are actually claiming is that allowing law enforcement officials to operate in this fashion is illegal and would allow possible injustices to occur in the future. I agree that sometimes injustices must occur because of the "system", the rules that ensure fairness: this is not one of those cases.
Do you really believe that police shouldn't be allowed to use evidence gathered by criminals? Why? Exactly how do you think law enforcement works, anyway? Police routinely use informers, stool pigeons and the like -- why is this wrong? There are very specific rules on conduct, on admissability of evidence, and defence attorneys routinely and often successfully challenge the believability of such witnesses because of their poor character, but there's nothing intrinsically "unjust" in having criminals testify against other criminals, it happens every day.
In fact, it's not even clear that the hacker is doing anything that is illegal.
If the facts are as presented, the police had physical evidence linking the criminals with the children in question -- the possibly-unreliable hacker's information would be presented as corroborating evidence. It's interesting to note that the defense attorney did not in fact challenge the reliability of the evidence as gathered.
I might add that I'm very much a liberal and strongly support strict oversight of the police and limits to their powers. But this is not one of those cases I think illustrates any sort of problem, and worse, I think you seriously damage our case by screaming about "injustice" in a case where your mother or any common-sense person would see that justice was obviously done (if the facts are as presented in the short article in question).
Oh, and don't waste the Franklin quotation! It gets a little weaker each time we use it pointlessly. Save it for things where it really applies.