FBI Seizes Server Providing Anonymous Remailer Service

sunbird writes "At 16:00 ET on April 18, federal agents seized a server located in a New York colocation facility shared by May First / People Link and Riseup.net. The server was operated by the European Counter Network ("ECN"), the oldest independent internet service provider in Europe. The server was seized as a part of the investigation into bomb threats sent via the Mixmaster anonymous remailer received by the University of Pittsburgh that were previously discussed on Slashdot. As a result of the seizure, hundreds of unrelated people and organizations have been disrupted."

What does this help?

Unless the server was keeping logs, and I presume that it wasn't, how could seizing it possibly help the investigation?

Re:What does this help?

[Reasonable+Facsimile]

Unless the server was keeping logs, and I presume that it wasn't, how could seizing it possibly help the investigation?

The files are in the computer.

Re:What does this help?

[Wowsers]

It's a clear signal to people that if you run a business and your server is in the US, the US can kill your business stone dead in a raid which may have nothing to do with you other than being co-hosted at a server farm. And people wonder why less business is going to the US.

Re:What does this help?

[cyachallenge]

If you remember in some of the pirate bay litigation they actually seized the computer RAM. :) The RAM contained case relevant material (at least when it had voltage going through it. Law and technical computer topics rarely mix well.

Re:What does this help?

[Guppy06]

and I presume that it wasn't

Don't presume, verify.

Re:What does this help?

[KiloByte]

or they are technically illiterate.

From a technical point of view, their action is completely pointless. But from the social point of view, it works. They're sending a loud and clear message: if you try to stand up to your rights, you WILL be trampled.

Re:What does this help?

[TheCarp]

You know, we took an outage in our dev lab yesterday when a PDU blew, and took out some fiber that was running next to it. Shit happens...maybe not often, but it does. Any individual server can go, for any number of reasons, some of which are totally outside the server.

If we are talking about unimportant services, sure... leave it up to a single server. If your business depends on it though? Well then I guess if your business isn't worth keeping up in an outage...then enjoy but... I would consider that important enough to have a couple, in different places.... hopefully in an active/active config but, even a warm spare means being back up reasonably fast.

Its not about how likely it is...given enough time unlikely events happen. Its a question of how fast you can recover WHEN it happens.

Re:What does this help?

[Jeremiah+Cornelius]

The legal and forensic arguments from which this action stem are a part of American policy which can, in fact apply to any jurisdiction. Taken pretty strictly as it is defined, the policy can be expressed: "Look, We're the FBI. That means your fucked, no matter what you do."

Re:What does this help?

[0123456]

You know, we took an outage in our dev lab yesterday when a PDU blew, and took out some fiber that was running next to it. Shit happens...maybe not often, but it does.

Dual PSUs fed from two independent PDUs fed by two independent power sources. We would just shrug and replace the PDU if that happened.

Its a question of how fast you can recover WHEN it happens.

Much faster from a blown PDU than from having your server confiscated by the Feds because some other user may have broken the law.

Re:What does this help?

[JazzLad]

Extrapolating

Re:What does this help?

[hairyfeet]

Or even more likely they are like the vast majority of computer users out there and don't know the difference between RAM, CPU and HDD. I don't know how many times i've dealt with extremely smart people, people that hold very complex jobs, that simply don't understand the difference between memory and hard drive or CPU and GPU.

Sadly to many the PC is a "black box" that they know enough about to operate but don't even know the tiniest bit when it comes to what its made of or what it actually does. I've actually talked to cops that thought you should be able to "hack" a machine by simply being told the physical address of the person or that you should be able to push some button and magically have every password that has ever been used by a person simply by having their system. Too much CSI I guess but at least they didn't tell me to trace down an IP address using VB.

Re:What does this help?

[Zemran]

My hosting is up for renewal next month and I am already looking to move out of the US for security even though I do not think that I am doing anything of interest to them, I do not know what else is being done at my provider. It is not just bad guys that get taken down, everyone using that service suffered. I do not want to suffer when the jackboots arrive. I want somewhere safe and stable like Switzerland. I am sure that someone will post a reply quoting a bad incident in Switzerland but we could fill several pages with bad incidents in the US.

Re:What does this help?

[Yvanhoe]

It is not likely at all. We are in 2012 and during several years, various companies have shamelessly sold the "cyber-war" concept. There has been billions (really) of dollars made in training and countermeasure tools for federal organizations.

You are not in the 90s anymore where a scriptkiddy could brute-force FBI passwords without being noticed. You now should assume competence in the people charged with these affairs.

Re:What does this help?

[hairyfeet]

And you are assuming the same government that spent $600 on a toilet seat didn't piss a large amount of that money away on kickbacks and buying worthless training videos created by insiders who got no bid contracts. By your logic that would mean those retarded TSA goons would have the same level and skill as a secret service agent, because after all we have supposedly spent millions and millions on their training right? yet we have people walking through that forgot to take a fricking handgun out of their bag and not get caught while they yank diapers off little old ladies.

If ever "Never ascribe to malice that which is adequately explained by incompetence" fit it would have to be the US government friend. All too many of them only care about is getting elected or looking like they are "doing something" that will get them a bigger budget. And look up the whole "taking the RAM" incident, we aren't talking some rare thing that would actually stop anybody but instead they believed according to their brief that "the RAM contained evidence" which I wouldn't be surprised if they got from some CSI where they magicked the contents of the memory and found the killer...using technobabble "science" of course.

Did they at least manage to figure out what server

[Qzukk]

Or did they just kick over all the racks and rip everything out like they seem to do on a regular basis?

Correction

[busyqth]

FBI seizes terrorist server run by commies.
Grateful American people throw candy and flowers at heroic agents.

Re:Correction

[ColdWetDog]

So we should give the terrorists lots of nukes and a command and control system?

Sounds perfectly reasonable.

Re:Correction

[cavreader]

All the major nuclear states have proven they are responsible in the handling of nuclear weapons. They also have high levels of security to prevent these weapons from being compromised and provided to 3rd parties. The current Iranian issue is not really about them actually using a nuke if they had one. This is about them being able to provide the weapons to one of the 3rd party organizations they support. That's their standard method of projecting military power while being able to maintain plausible deniability. If a terrorist was able to get a nuke and use it Iran is counting on not being definitively identified as the supplier thus avoiding any immediate retaliatory strike. However, the source of the weapon would eventually be identified but it might take a few months in which time the initial outrage would have dissipated. Would the world approve of a retaliatory attack 6 months after the weapon has been used?

nonsense

[Tom]

More importantly: Unless the server operator was a total dofus, this brings them exactly zero steps towards resolving their problem, because this is exactly the kind of attack that Mixmasters was designed to withstand.

Idiots. Is nobody teaching these fools basics about the stuff they encounter?

Re:nonsense

More importantly: Unless the server operator was a total dofus, this brings them exactly zero steps towards resolving their problem, because this is exactly the kind of attack that Mixmasters was designed to withstand.

Idiots. Is nobody teaching these fools basics about the stuff they encounter?

I hate to defend them, but look at it from the FBI's point of view. Maybe the server operator was a total - or even a partial - doofus. The Feds would be even bigger doofuses (as in, negligent in their) to assume otherwise and not investigate the server. That's their job.

Re:nonsense

[tibit]

So, they really need a whole big stinkin' server? If you're a professional, you'd switch the server to single user mode, dump the drive contents to a portable drive, reboot the server, and be on your merry way. If they have proper forensic data analysis tools, they should be able to deal with all popular raid arrays out there, so given those you shut the server down, use a portable disk imager to copy the drives, you then replace the drives, power the server back up, and are on your merry way. I just don't get what they need the server itself for. They are after the data, not the hardware.

Re:nonsense

[Em+Adespoton]

Have you ever done data forensics? The first thing you learn is that it's not the same data if it's not on the original storage medium.

Of course, what they SHOULD be able to do is shut the server down, clone the drive, pull the drive that has the warrant, and drop in the cloned drive. Of course, this requires cooperation with the victim, which obviously wasn't available in this case.

To put it another way: they weren't after the hardware OR the data, they were after the incriminating evidence. Data by itself is hearsay (no way to prove beyond a shadow of a doubt that it was preserved in the same state and context).

Re:nonsense

[Burning1]

I suspect they wanted the drives themselves for analysis - makes it possible to look for deleted or over-written information that might not exist on a duplicated disk.

Re:nonsense

[cpu6502]

>>>I just don't get what they need the server itself for. They are after the data, not the hardware.

Likewise the Russian government doesn't need to grab servers in order to investigate claims of "illegally-copied software", but they do it anyway in order to shut down groups that are critical of government. The FBI is simply employing the same tactic to silence human rights groups (many of which are critical of the Congress) under the cover of an "investigation". Two birds killed with one warrant.

Re:nonsense

[BronsCon]

the FBI have equipment that can clone disks without needing to even apply power to the drive.

Then they're in the wrong business. They need to start producing and selling these ultra-efficient disks that don't require power for read operations. Imagine the battery life on your laptop running one of THOSE!

Re:nonsense

[bmo]

makes it possible to look for deleted or over-written information that might not exist on a duplicated disk.

Deleted stuff is never erased, just marked as "free space" by the OS.

Overwritten data, these days, is unrecoverable, even if only overwritten once. There has not been a single criminal case that I can remember where data was overwritten and then recovered on modern drives. The standard of multiple overwrites for true erasure is from the days when disks were physically huge, and the recorded area was huge, and head alignment wasn't always the greatest thing in the world.

Go read the epilogue to Peter Gutmann's paper

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

A simple dd of the original drives would have given investigators all the information that was available, including deleted files.

--
BMO

Re:nonsense

[tibit]

There is no such thing and hasn't been for more than a decade. It's a legend that was once true: in times of MFM and RLL drives, and early PRML drives. Nobody offers such analysis, feel free to prove me wrong by providing someone who would quote it for any hard drive that was shipped in the last decade. The quote would be for data recovery after the drive was overwritten precisely once with zeroes.

Re:nonsense

[the+eric+conspiracy]

Forensic investigation of a computer includes a capture of the machine's memory, not just the drive contents.

Re:nonsense

[tibit]

You misunderstood what the cited article was saying. First of all, the article was essentially hearsay - a story of what Johnson said, retold by someone who didn't have much clue. Yet, obviously, nowhere did they say that they used magnetic force microscopy to recover data from the platters, as that would be the only technology that would have a chance (except, these days, it doesn't). All they did was a regular read from the drive and found some sectors that the zero-fill didn't overwrite. What happened, most likely, was that the zero-fill was only attempted on areas declared unallocated by the filesystem. Such areas are necessarily declared conservatively -- you should never trust a free-space erase on a mounted filesystem, and that's what seems to have happened here.

Nowhere does the article disagree with what I'm saying, because, again, the legend of recovering the data from a zeroed-out hard drive is at this time nothing more. If you're lucky as in winning the lotto jackpot, and you're looking for very small amounts of data (say cryptographic keys), you may be able to recover useful error-correctable data from sectors that got reallocated because they started to fail. This doesn't require opening up the drive, merely gaining access to it via the factory/manufacturer mechanisms (there are software tools for that), so that you can read any sector, whether mapped into the space accessible via regular ATA data access calls or not. That's a slim chance, but if you're after a key or other short blurb, it's a low-hanging fruit -- and yes, in that case you need original drive, not an image.

The deal with the drive you cite was as follows: it never got fully overwritten with zeroes. Was that the case, you'd never read about any large (more than dozens or hundreds randomly scattered sectors worth) data coming off of it, because, again, it's not possible anymore. If you want to overwrite a drive, you boot a DBAN CD/dongle and do it. One set of zeroes is enough. If you really worry about the few tens of nanometers worth of possibly relevant domains left over "between" the tracks, you can always overwrite it a couple times; I'd think thrice with random data plus once with zeroes is enough. You don't muck around with free-space overwriting, OS reinstallation, or anything of that sort.

I think I posted something about it once somewhere where I argued that "obviously it's possible duh duh" -- I used to believe it until I looked at a honest-to-goodness drive platters with a magnetic force microscope. Even at a highest magnification, where a single pixel is a few nanometers across, you can't see anything but random hash "between" the tracks. At such magnification, the individual bits are huge, and any remnants would be quite obvious. They were very obvious in times of early PRML drives and before that. That time is long gone. Thus, an obvious tip: don't store sensitive data on old hard drives (say early IDE drives).

Re:nonsense

[bmo]

Forensic investigation of a computer includes a capture of the machine's memory,

But that doesn't mean you need to walk away with the whole machine. Unplugging it and carrying it out the door does nothing for preservation of data in DRAM, which needs power to refresh memory. You can yank the RAM out and put it in dry ice to keep things from discharging too quickly, but you are under a pretty strict clock to get the RAM unplugged and into the analysis machine on the crash cart. If you physically unplug the entire server and cart it out the door, you've lost whatever data that was in RAM by the time you reach the truck door.

Taking the entire server or rack of machines is nothing but intimidation.

--
BMO

Re:nonsense

[Leebert]

If that were correct then backups would not be admissible evidence. They are.

Welcome to Criminal Justice 101.

Your first homework assignment is to read this:

http://en.wikipedia.org/wiki/Best_evidence_rule

Spoiler alert: Doing it is possible, but only in certain circumstances and it raises questions that you'd rather avoid as a prosecution. So they don't do it if they don't have to.

(If it sounds snarky, I didn't mean to be. Trying to be funny but also informative...)

Re:nonsense

[bmo]

It overwrites the file multiple times if necessary before optionally deleting it. As far as I know, shred is part of standard Linux so you should have it too.

There is another tool you might like, and that's bcwipe.

It does shred, but it also wipes free space on currently mounted drives.

Jetico's bcwipe is open source and cost-free for *nix if you compile it yourself (it's *not* GPL or Free/Libre).

I like it. I use it often.

--
BMO

Damn you George Bush!

[Vinegar+Joe]

I can't wait for the elections to come!

Re:Damn you George Bush!

[PRMan]

I simply don't get this comment....If Obama was the god of freedom that Leftists claim, he would have overturned the over-extending post-911 policies of the Bush Administration such as the Patriot Act instead of reveling in them and expanding them like many non-liberals warned that he would.

And you said you didn't get the joke...

Re:Damn you George Bush!

[evil_aaronm]

Who needs legislation when the Pres has Executive Orders and legal council that will parse those orders 10 ways cubed to justify, if not make it look like the very definition of the "American Ideal" when, in fact, he's shitting on the Constitution? Remember "water boarding"? Was there any legislation for that? How about "extraordinary rendition"? "Free speech zones"?

Not New

[jimmerz28]

Whenever they take servers "down" it's like a ogre killing a spider with a tree trunk. They smash the table, furniture, and destroy the house along with the poor spider.

Re:Not New

don't worry the spider will not be harmed it will walk out between the debris and find a new place to hide...

Re:Not New

[Kjella]

You're assuming the message was for the spider and not for everyone who has a spider in their house. And the message is that if you carry a service we don't like, we'll make sure to inflict as much damage as possible when we come for it. You get a pretty good self-censoring effect out of it. Same reason TOR doesn't scale very well, you'd have to be mildly insane to run an exit node as a private person.

So someone sends some bomb threats ..

[n5vb]

..and the FBI seizes the server they used?

Anyone else think this is more believable as a denial of service attack, or as a pretext for taking down a troublesome server they couldn't legally seize by any other means, than as an actual threat?

Unless the person sending them was stupid enough to think that a remailer would protect them from ever being caught, and didn't care that it was going to mean taking down the whole service for everyone else using it..

Can You Say False Flag Opp?

[msaroff]

Someone bosts a gazillion bomb threats, and computers associated with OWS and other protests get seized.

Awfully convenient.

Any guess as to whether the bomb threats can be traced back th Langley or Ft. Meade?

Re:Can You Say False Flag Opp?

[WrecklessSandwich]

Someone bosts a gazillion bomb threats, and computers associated with OWS and other protests get seized.

Awfully convenient.

Any guess as to whether the bomb threats can be traced back th Langley or Ft. Meade?

Put down your tinfoil hat. This person has more or less paralyzed a major university campus for an entire semester and the FBI barely has anything to go on. They already subpoenaed/questioned/arrested everyone they can find that's had a major quarrel with the school in recent memory (and one nutjob from the 80s). They're grasping at straws with the remailer services they know were used because they don't have any other leads and finals week is coming up.

While we're at it, TFA is pretty vague on the facts. Riseup calls the seizure "an attack against us", when the seized server was owned and operated by ECN. At the same time, the top of the page says "Riseup had a server seized by the US Federal Authorities". Either these groups are more closely related than their press release makes clear, or they're being deliberately misleading. It also doesn't help their credibility that they clearly state that the FBI had a warrant (which, being a warrant, is signed by a judge), and then they turn around and call it an "extra-judicial punishment". It's unfortunate that they've been inconvenienced by the situation, but they're acting like the server is gone forever. Playing the victim when 28,000 people are having their (already paid for) education compromised and the FBI didn't break any rules is not a good way to garner sympathy.

Re:What did you expect?

[v1]

If we dont let them send bomb threats, we're undermining free speech and the Internet"

To which I reply "They need to find a different way to discourage or stop them from sending bomb threats. Inflicting me with collateral damage in the quest for better law enforcement is unacceptable, and so is removing my ability to speak with anonymity."

Given the choice, I think I'd rather deal with the occasional bomb threat than not be able to speak anonymously.

Anonymous vs anonymous

[milbournosphere]

From what I can tell, the service was providing anonymous re-mailer services, not re-mailer services to Anonymous. This being the case, they're not going after a service used by the hacker group; they're going after a service offering anonymous communications to your average citizen. Not cool, gov'mint, not cool.

They had a warrant.

[cpu6502]

They followed proper constitutional procedure (for a change). So blame the judge not the fbi.

Re:They had a warrant.

[Chazerizer]

And, in addition, the company who provided the service had agreed to cooperate with the investigation: http://www.post-gazette.com/stories/local/neighborhoods-city/internet-service-to-help-in-probe-of-pitt-threats-631734/ God that title is really misleading.

Re:They had a warrant.

[evil_aaronm]

As little as I appreciate the FBI, you can't fault their approach. Always ask for more than you need: you might not get it - but then again, you just might.

Re:What did you expect?

[houghi]

Given the choice, I think I'd rather deal with the occasional bomb threat than not be able to speak anonymously.

Give me liberty or give me death.
There: Translated that for you.
Also: I rather die on my feet then live on my knees.

Re:What did you expect?

[Em+Adespoton]

If we dont let them send bomb threats, we're undermining free speech and the Internet"

To which I reply "They need to find a different way to discourage or stop them from sending bomb threats. Inflicting me with collateral damage in the quest for better law enforcement is unacceptable, and so is removing my ability to speak with anonymity."

Given the choice, I think I'd rather deal with the occasional bomb threat than not be able to speak anonymously.

Or, to totally mangle a famous quote:

"First they came for the anonymous, but I was not anonymous, so I did nothing." That's probably true to life for most people actually....

Re:Did they at least manage to figure out what ser

[evil_aaronm]

Man, you would not believe the rush you get from going all commando on racks of servers. "Blink those lights funny at me, beeyotch, and I'll bust a cap right between your USB ports!"

Re:What did you expect?

[DdJ]

FYI, we're not dealing with "the occasional bomb threat" here.

The University of Pittsburgh (which is down the street from where I work) has gotten multiple bomb threats per day every day for weeks now.

Many students have been driven out of their dorms, to live off campus, because the evacuations were too disruptive. The campus police are no doubt way over budget. Classes are disrupted to the point where folks on academic probation were told this semester "doesn't count".

At this moment, as I type this, two buildings have evacuation notices. Earlier today, eleven buildings had to be evacuated.

And today was not exceptional.

If you want to follow this yourselves, evacuation notices go out over the @PittTweet twitter account.

Now, I'm not trying to say "knocking every anonymous remailer off the internet is justified". Please don't assume I think that. I'm just pointing out that this very much isn't a case of "the occasional bomb threat". It's basically a full-on ongoing multi-day denial-of-service attack on the Pitt police, Pittsburgh police, and a bunch of the university, happening in meatspace.

Re:Mass disruption

[evil_aaronm]

Well, hell, in that case, let's nuke NYC, LA, DC, Detroit, etc. There's gotta be more than a few criminals in those towns. Sucks for the collateral damage, but, you know, gotta weed out those bad guys. They probably hate America, too, so all the more reason.

Re:What did you expect?

[Sipper]

"Stand back... I'm going to try LOGIC..."

FYI, we're not dealing with "the occasional bomb threat" here.

The University of Pittsburgh (which is down the street from where I work) has gotten multiple bomb threats per day every day for weeks now.

Many students have been driven out of their dorms, to live off campus, because the evacuations were too disruptive.

...

I agree that this situation stinks, and that obviously constantly evacuating buildings is very disruptive. However at the same time, can't the University of Pittsburgh and the Pittsburg police stop doing that and ignore the bomb threats, knowing that their leg is being pulled? I realize that there may be some legal precident why they can't... but at some point logic and common sense, along with the knowlege of "The boy who cried wolf" should also come into play. :-/

Can we get a little streisand effect?

[mrmeval]

Take your hacked router, your raspberry pi, your beagle board and fire up a remailer service off of some public wifi or other, run it off solar, coil leech, thermal gradient sucker, piezo traffic leech or whatever power you can get.

Didn't someone do a patch to mixmaster so it could do hold and forward like fidonet?

Who will FBI the FBI ?

[Taco+Cowboy]

"Look, We're the FBI. That means your fucked, no matter what you do."

The question that is begging to be asked is ---

Who will FBI the FBI ?

Re:Who will FBI the FBI ?

[Svartormr]

"Look, We're the FBI. That means your fucked, no matter what you do."

The question that is begging to be asked is ---

Who will FBI the FBI ?

The FBFBII ?

Re:What did you expect?

[Obfuscant]

However at the same time, can't the University of Pittsburgh and the Pittsburg police stop doing that and ignore the bomb threats, knowing that their leg is being pulled?

No. The next time it might not be a joke.

Universities are being sued for not doing enough to stop violence on campus when it happens, as rare as it is, and as much as they do. It's never enough for the lawyers and "grieving heirs".

It's a large "corporation" to start with, and state schools have the combined pockets of the taxpayer to pick. You can't sue a school for being too careful, only if something happens and you can convince a judge that they might not have done enough. Why make it a slam-dunk victory for millions by ignoring the last, valid threat?

This is the same reason that cops have to go check out 911 hangup calls. Most likely, it was someone who dialed by accident and then said "oh shit" and hung up. If they try to dodge the problem by turning their cell phone off, or not answering, the cops will show up to see if everything is ok. If the cops just ignored the call, they'd be sued by everyone involved when it turns out that the caller was forced to hang up, or the wire was ripped out of the wall, by her violent husband or vice versa, and someone wound up dead.

Re:Offtopic^2

[qubezz]

This is not a Rush Limbaugh forum, and your retarded post has nothing to do with the topic. If you watch the BBC documentary Madagascar, Lemurs and Spies, you'll see that Gibson looks guilty as hell. A researcher working with an endangered group of Lemurs sees illegal logging in protected wilderness, and they get a hidden camera lawyer posing as an American wood buyer to go deep inside the logging operation, documenting the mass harvesting and lumber mills there producing pallets of fingerboard blanks with the Gibson front company name all over. The sawmill owner even brags on camera about what they are doing.

By your logic, you would shut up and go away if the justice department put people at Gibson in jail. More likely, you would be here bitching about how another American company was shut down by the feds.

Re:What did you expect?

[NeverSuchBefore]

continual random searches of people and places

That sounds about as awful of a solution as the TSA. If the solution violates people's privacy, I don't want it. I'd rather them evacuate the building for the 50th time.

Re:FBI = DOS?

[Skapare]

And not only that, it is one that other mail servers have every right to refuse data or connections from if they want only communications which are fully traceable. Think about what objective exists by the FBI seizing a computer that was used (let's assume for sake of argument that this really was used in that way) to transmit these threats, but has no record of what was sent or where it came from. All it's doing is interrupting the ability to send anonymous mail. But specifically it interrupts the ability of the person making these threats from doing so. Is that a good idea? If it is, then why not configure the UofP computers to refuse connections from this or any other anonymous remailer. That should be just as effective. Why not just ignore the threats? These are all basically the same effect in that the threat maker is deprived of the communications.

What are the implications of ignoring a threat? The threat might represent a real danger. Maybe there is a real bomb ... this time. Then ANY form of interrupting the communication represents the equivalent of ignoring the threat.

I don't know what the best solution is. But we are currently acting irrationally out of insane public policy. On the one hand by not communicating we risk danger. On the other hand by communicating we real idle threats. We are our own problem and we need to find a solution to that.

Re:What did you expect?

[Culture20]

can't the University of Pittsburgh and the Pittsburg police stop doing that and ignore the bomb threats, knowing that their leg is being pulled? [...] "The boy who cried wolf" should also come into play

There are two morals to the story of "The boy who cried wolf":
Don't consistently lie or you'll get eaten (the moral for children)
Sometimes, children's lies end up being the truth, so pay attention every time or they'll get eaten (the moral for adults)
If you want to discourage lying, punish the liars when they're caught, but don't ignore what seems like a lie because it might be the truth.