An FBI Hacking Campaign Targeted Over a Thousand Computers

derekmead writes: In order to fight what it has called one of the largest child pornography sites on the dark web, the FBI hacked over a thousand computers, according to court documents reviewed by Motherboard and interviews with legal parties involved.

Just a month after launch, a bulletin board called Playpen had nearly 60,000 member accounts. By the following year, this number had ballooned to almost 215,000, with over 117,000 total posts, and an average of 11,000 unique visitors each week. Many of those posts, according to FBI testimony, contained some of the most extreme child abuse imagery one could imagine, and others included advice on how sexual abusers could avoid detection online.

But after Playpen was seized, it wasn't immediately closed down, unlike previous dark web sites that have been shuttered by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency's term for a hacking tool.

Not hacking

[110010001000]

They weren't hacking. They were obtaining the IP address of connected machines who were using Tor to access child porn sites. I just call that good investigation. Your IP address isn't private information, just like your postal address isn't.

Re:Not hacking

They used some form of malware/trojan to extract certain information. That's the greypoint from the FA:

“Basically, if you visited the homepage, and started to sign up for a membership, or started to log in, the warrant authorised deployment of the NIT,” Fieman said. From here, the NIT would send a target's IP address, a unique identifier generated by the NIT, the operating system running on the computer and its architecture, information about whether the NIT had already been deployed to the same computer, the computer's Host Name, operating system username, and the computer's MAC address."

Re:Not hacking

[110010001000]

Maybe I misunderstood, but I thought the NIT was placed on the servers hosting the sites (and maybe the Tor nodes) and used flaws in the connecting client computers browsers to get IP addresses, etc. Probably from the HTTP headers. I didn't think they installed NIT on the client computers themselves. I might we wrong. That is the problem with these sensationalist stories: you never know what they really did. In my opinion if you are just capturing information that the client machine is willing to send (even via a flaw) it isn't really hacking. More like monitoring.

Re:Not hacking

[110010001000]

Right...but is that really hacking? Maybe it is. They are just using a bug to obtain information from a machine that connected to their compromised site. I'm sure lots of companies do that too. If I craft some JavaScript that sends me your MAC address via a bug in the JS implementation when your machine connects to me, is that hacking? Or just clever programming.

Re:Not hacking

You can't extract certain details like the MAC Address, Computer hostname/username from HTTP traffic alone, unless you've got something running in the browser ex-filtrating that kind of information.

It could be possible to extract most of that information via Javascript, but I'm assuming that most of their targets had NoScript or JS turned off in the Tor Browser (or whatever they used with Tor). I think that kind of information retrieval would fall into the category you're thinking off, active fingerprinting and the like.

Re:Not hacking

[110010001000]

Right...you would need a flaw in the browser that is going to send you that information. I'm not sure if that is "hacking", or just monitoring. After all, the client machine initiated the connection to the host machine, which then obtained the information. I doubt there is a law against this. If you connect to my machine why can't I obtain as much information about your machine as I can, using any means? I mean maybe it is hacking, but it isn't clear cut. There are no laws that I know of that says you can't exploit bugs to obtain mac addresses of machines that connect to you.

Re:Not hacking

[110010001000]

I just call it clever programming. After all, your computer is connecting to ME and sending me information that I am requesting. I'm not logging/breaking into your machine and getting the information. There are no laws that state what "information you shouldn't be able to get".

Re:Not hacking

[RenderSeven]

They apparently had a warrant, so it probably doesnt matter if its hacking or not. However as to what they can collect without a warrant, IANAL but expectation of privacy would almost certainly be the litmus test or at least a factor. A conversation in public is fair game but a conversation in your home is privileged even though "flaws" in your home allow exploits like laser microphones to listen. Some of it comes down to deciding if consuming online media is "speech" and thus (arguably) protected (loss of anonymity can be considered "chilling effect"). Without SCOTUS guidelines it seems to depend on the judge, and what he had for breakfast.

Re:Not hacking

[lgw]

And if you connect to a bank, and exploit a flaw in their web server to extract customer information? Is that just clever programming? There are laws that state what "information you shouldn't be able to get": any information that you weren't authorized to get. The only thing that makes this legal, FBI or no, is the warrant. Fortunately, the FBI did the right thing here and got a warrant, so there's no gray area.

Re:Not hacking

[gweihir]

Except when your software (TOR) does not give out your IP address willingly. Then some kind of hacking/cracking/compromise technique is used and that is highly problematic. In a sane legal system it would also compromise any and all evidence found on the target computers as it typically comes with the ability to change things on the target and do so without trace.

This cure here may well be much, much worse than the disease. If the targeted group were a different one, this might be called "state-sponsored terrorism." Anybody that believes these techniques are only used against child pornographers is kidding themselves. Just have a look at the history of the FBI.

Re:Not hacking

[gweihir]

So you think all breaking into computers is legal? Because that is all "capturing information that the client machine is willing to send (even via a flaw)". That flaw might make it willing to send, say, 500'000 user data sets.

If the FBI campaign against freedom hosting is an indicator (or if this is actually the same thing), then they sent malware to the target browser that compromised it via a JavaScript exploit. It then took over the client browser process to determine from the OS what the IP address of the local computer is. There is no gray area here, this is just what criminal hackers do. Incidentally, this gives them the ability to put any file they like on the target system and it should invalidate any and all evidence found on the target machine. Also, in the campaign against freedom hosting, they caught a lot of people doing entirely legal things, like accessing their tor-mail account.

Re:Not hacking

[gweihir]

Incidentally, what they did is highly criminal for any person the warrant does not cover. (And they have no way of finding out before they attack....) An argument can be made that this is anybody using a computer outside of the US. Just think of a modified example where the Chinese Government hacks users of a TOR web-forum devoted to discussing freedom using a warrant that does also allow hacking the computers of US citizens or Europeans, or with a warrant only covering China, but they ignore that. See the problem?

Re:Not hacking

[HiThere]

Not hacking, but it sounds like entrapment.

Re:Not hacking

[AHuxley]

Re "If you connect to my machine why can't I obtain as much information about your machine as I can, using any means?"
Senator: Let's monitor P2P for illegal files (April 17, 2008)
http://www.cnet.com/news/senat...
"But in about half its cases, for purposes of longer-term tracking, the software captures "unique serial numbers" from the person's computer ... "
It seems the get a unique "number" policy is an older method thats been used for a while now.
Is the number created from a larger set of details about a computer as seen down from the web or within a computer OS by pushed down gov crafted bespoke software?
But the MAC address was listed as something thats also been collected. Some consumer grade OS helps? Or gov software enters without any AV heuristic and behavioural protection been alerted to something new/different.
Third party outgoing software firewalls would not be alerted.. or AV products set to a high detection setting...

Re:Not hacking

[sumdumass]

Sort of. A JavaScript-enabled exploit need not be present in some or most cases though. TOR is essentially a tunnel into your network to the destination computer. Its sort of like you had no router to proxy or masq your private ip. Using information from the tcp packet which is necessary to send results from a page view back, you can use simple network tool like angry ip scanner and Xprobe2 almost as if you were on the network.

You can use different tools to discover the mac address and fingerprint the OS. Once this is done, at least for Windows systems (especially if Windows networking is enabled ) you can find information about the user logged in and so on. I would suggest that almost everything they discovered could likely be found without installing any software remotely. But if they needed to install something along the same lines as the tools, you could use PsExec or similar. Actually, you could do all your fingerprinting with that tool provided you have a little information about the computer (which you might get from a website registration process ) . You can also use PsExec to download a copy of the registry and security SAMs (my mind is drawing a blank at the moment but the same process to recover or change Windows passwords )

The one wrench in this would be if they had a firewall enabled on the computer using the TOR connection. It would block scanning and some will gladly alert the user with annoying pop-up notifications. The FBI might have a program that wraps a bunch of these tools up and automates their usr.

Re:Not hacking

[gweihir]

Sorry, but that is bullshit. Sure, it may work if somebody incompetent set up a normal browser to work over TOR, or actually is grossly stupid enough to really set up LAN tunneling over TOR (But to what end? It would not do anything useful...), but with a competent set-up or the TOR browser bundle, there is no way to do what the FBI did without compromising the browser process. And, incidentally, with the freedom-hosting attack, they did exactly this: They sent malcode to the browser and took it over. As far as we know they did not do a lot with the compromised browser, but that is besides the point.

Re:Not hacking

[gweihir]

Actually, forget what I said about this being possible on misconfiguration. Your statements are so far removed from how TOR works that I got confused as to what you were saying.

So: For a client TOR installation, this is impossible without compromising the target browser over an existing (!), client-initiated connection. You cannot initiate a connection, scan, ping or do anything else from the server side to a TOR client. The network will not route your packages. You cannot even address the target as you only see the IP address of the exit-relay, but that one is terminating many connections from clients. Seriously, TOR is not a VPN. What you can do is attacks against hidden services, but anybody can connect to them via TOR. But again, you cannot scan the network there, you can only attack the service itself, i.e. usually the web-server running there.

Your statements are complete, unmitigated nonsense.

Re:Not hacking

[AmiMoJo]

It's worse than that. Imagine someone wrote a virus that set up a TOR connection and downloaded a few dodgy web pages into a Truecrypt container with disposable key. Really basic, script kiddie stuff. Now the FBI comes along and arrests everyone they can get an IP address for, and of course because the virus opens the page in a hidden IE window it gets hacked.

Now imagine some enterprising paedophile writes such a virus and infects as many people as possible, and themselves. They get arrested, but go free because it was all the virus doing it, and look how many other innocent people got caught up! In fact you might as well abandon the entire investigation now. Sorry, I can't decrypt that Truecrypt container, the virus destroyed the key.

Re:Not hacking

[sumdumass]

How naive you are.

The tor routing has no clue to what or the size of the payload your browser requests. It will route anything sent in response to you connecting to my server. You can in fact run applications over TOR and if you can do that with ease you can also run network tools in response to connections to a server.

The browser generally has no firewalling to stop this.

Re:Not hacking

[gweihir]

I did say you can attack only within the context of an existing connection. But that is it. If you attempt send any other packets to the client they will a) be dropped by the TOR exit relay and b) will be dropped on client side, as a client does not open a server socket and hence does accept absolutely no connection requests. In addition, there is not even a way to address the client in these other packets, so the idea does not make any sense at all.

The thing is that you cannot "run network tools" against a client with an unknown IP if all you have is an existing connection. You can only run them against the TOR exit node, which gives you absolutely nothing. Seeing that does need some minimal understanding of what "network tools" are and what they do and how TOR and TCP/IP works. Apparently you completely lack that knowledge. There is no tunnel in TOR. TOR does connection routing and that only for client-side initiated connections.

Incidentally, you do not understand how firewalls work either and what they are good for. If there is no service running on a host (and the a browser certainly will not run any listening-sockets), a firewall is completely immaterial. The target TCP/IP stack drops all packets sent outside a connection unless there is a server-socket listening for them.

Seriously, how incompetent and arrogant can you get? You do not even understand the very basics.

Re:Not hacking

[gweihir]

Well, pedophile images are already used in scams and, get this, the police in some countries advises people to not tell them about these criminal acts as the very possession of these images is illegal. How completely broken must a law be to have the effect that innocent people cannot tell the police anymore about crimes committed against them? That is just pure evil.

The scenarios you describe and others like it are actually something that is pretty sure to happen at some time and this is why making the possession of some specific bits illegal is so stupid. Sure, production of this material must be illegal and commercial distribution must be so too, as both directly do or contribute to child abuse. But possession and non-commercial distribution without law enforcement having to prove intent is extremely easy to abuse in a digital, networked world.

Re:Not hacking

[kmoser]

From here, the NIT would send a target's IP address, a unique identifier generated by the NIT, the operating system running on the computer and its architecture, information about whether the NIT had already been deployed to the same computer, the computer's Host Name, operating system username, and the computer's MAC address."

So, basically Windows 10 telemetry.

Re:Not hacking

[david_thornley]

If it was A warrant, that warrant is unconstitutional. A warrant has to be specific, and it needs to be supported by probable cause that someone swears is true. If somebody notices what looks like child porn, and is willing to swear to it, a warrant could be issued to search any computers in the house for child porn. A warrant that covers the whole country is not in any way specific.

Re:Good

[malditaenvidia]

This sort of thing makes you wish they had used the other type of hacking.

Slippery Slope

[duke_cheetah2003]

Bit of a slippery slope when Law Enforcement is breaking laws to catch criminals. This is not good policing in my opinion. There should be no excuse for breaking the law, especially in an effort to enforce the law. Law enforcement should never be 'do as I say, not as I do.'

A simple test is.. if a citizen did this to another citizen, would that be against the law? Last I checked, hacking your neighbors computer and collecting information from it is definitely against the law. (Unless you're Microsoft and say you're going to do it in your EULA, bit that's a different can of worms.)

Re:Slippery Slope

Police use military equipment and armored vehicles to selectively enforce laws around the US, the slope slipped a looong time ago

Re:Slippery Slope

[110010001000]

If your neighbors computer connected to yours, and you collected information about it, is that against the law? If I understood it, they were gathering information of computers which were accessing the sites.

Re:Slippery Slope

[Penguinisto]

As long as they got warrants (even if they're "John Doe" warrants), they're in the clear, methinks.

I suspect that it would pretty much follow the same legal framework as wiretapping, albeit the 'tap' is put directly in the 'phone', without knowing fully who owns said phone.

If this is indeed the case, I have zero problems with it - covertly swipe a website/host via legal means, and use it as a honeypot to catch/trap offenders, using a modified wiretap warrant/framework to 'tap' the computers that connect to said site. Assuming everything is properly documented and that the procedure is transparent enough to stand up in court, you then monitor that user's activities to not only collect evidence but to identify the user behind it.

The only real problems would be with computers used by multiple individuals, in which case you'd have to suss out which user is responsible. Another problem would be to have a procedure (and malware) in place that doesn't give a defense attorney enough credible ammunition to claim his client was framed, or that evidence was 'planted'. This is why the procedure(s) would have to be transparent to all (it would become that way anyway come the first court case, if the prosecution wanted any hope of winning a conviction.)

Re:Slippery Slope

[kwiecmmm]

Not really, this is the same as turning someone in the mob and using them against others.

I am against government surveillance, but this seems to be just the government using an illegal site to figure out who is using it. They just kept the site running for a couple weeks to catch and track down its users, who were breaking the law by being on a child porn site.

Re:Slippery Slope

[bill_mcgonigle]

This is why the procedure(s) would have to be transparent to all

"In theory" ... they'd also obey their Constitutional restrictions. I the real world, they're lawless and get by on parallel construction. The government was instituted to protect our liberties and now it's our greatest threat against them.

"When you gaze long into an abyss the abyss also gazes into you."

Re:Slippery Slope

[phantomfive]

A simple test is.. if a citizen did this to another citizen, would that be against the law?

Then no one would ever get arrested and put into jail, for any reason whatsoever.

Re:Slippery Slope

[messymerry]

NOBODY in the United States is excused from their obligation to honor the provisions of the Constitution,,,especially when they took an oath on it. Questions???

Re:Slippery Slope

[turbidostato]

"Yes, I understand that the majority of them (probably) aren't actively engaged in actual, physical abuse of a child....but still. If it was my child, I admit I'd be all for them doing this even though it almost certainly contravenes some law(s)."

Revenge, while understandable, shouldn't be the basis of a legal or ethical system. Even moreso on a country that claims to be "the land of the free".

Under current moral standards it seems Nick Ut would have been processed because of "the girl in the picture" instead of winning a Pulitzer.

Re:Slippery Slope

[killkillkill]

Uhh... I read it

Reuters revealed that the Special Operations Division (SOD) of the U.S. Drug Enforcement Administration advises DEA agents to practice parallel construction when creating criminal cases against Americans that are actually based on NSA warrantless surveillance

And the sited article:

http://www.reuters.com/article...

Of course two senior DEA agents said your quote, so it must all be hogwash.

Re: Slippery Slope

Parallel construction is ALSO used to protect illegal intelligence gathering methods and other wanton lawlessness on the part of government agencies. I'm all for putting those methods in direct jeopardy when the law is broken.

Fortunately that does not seem to be the case here, unless of course there's more to this than they let on, such as maybe the FBI being behind the origin of the site in the first place. No proof or even suspicion of that at this time of course, but given their track record of manufacturing 'terrorists' for the purpose of arresting them and making a public show of it, who knows?

That's really the problem with this sort of thing as it relates to law enforcement and technology. I want to believe they did good here. I really do. It's just that given past behavior I have a hard time trusting anything they say, and it's sad things have come to that.

Re:Slippery Slope

[Citizen+of+Earth]

The FBI has also confessed to operating a web site that distributes extreme pedo-porn. When will the FBI director be doing a perp walk?

Re:Slippery Slope

[gweihir]

There is also the little problem that by the way TOR works they have no idea where a target computer is before they break in. This makes what they did "state-sponsored organized crime" if they even caught one user not on US soil and may well make it "state-sponsored cyber-terrorism" in some countries. Not good at all. Just think of the same scenario but with the Chinese doing it (where all pornography is illegal) or the Iranians (where all non-Muslim religious writing is illegal). See the problem?

Re:Slippery Slope

[gweihir]

Indeed. This can only be justified by "regardless of what it is, if the FBI does it it is legal". That does not work with the rule of law and is only possible in a full-blown police-state. As soon as they had the possibility to switch it off, they had both a moral and a legal imperative to do so immediately. In a very real sense, they committed mass-child-abuse.

Re:Slippery Slope

[ScentCone]

Police use military equipment and armored vehicles to selectively enforce laws around the US, the slope slipped a looong time ago

Do you understand how silly you sound?

How much metal is a vehicle allowed to have before you consider it illegal for a police department to use? Please be specific.

Re:Slippery Slope

[Thaelon]

What if the connection was accidental/unintentional? Or some rogue process did it?

More a general question than this specific case, but just a thought.

Re:Slippery Slope

[WOOFYGOOFY]

Yeah I am all for what they did and the way they did it. Your comment however:
I subscribe to the theory that when you break the laws of a country (i.e. by distributing child porn), you should forfeit the right to be protected by those same laws"

is the definition of fascism. No one knows if you broke the law until a jury or judge says so. What you're saying is, let's have no laws set upon the police because they only go after people who are (suspected of) breaking the law. That makes zero sense.

If we implemented that policy, we'd have cops framing everyone they suspected or really, after a little while under your regime, anyone they just didn't like.

Sure framing people is illegal and immoral but hey, no laws apply to law breakers so have at it.

We need the criminal justice system to work properly so people have faith in it and its results. That means protecting the accused whether you like them or not. Absent that, their is lawlessness everywhere, on the part of ordinary citizens, who would there's nothing fair about "the law" and law enforcement which would quickly devolve into thuggery, blackmail, racketeering, extortion and murder.

Do you think you're the first person to contemplate how law should be applied to people accused of a crime? This goes back centuries and the subject has been the focus of generations and generations of the world's best minds. Trashing it all for some idea you get into your head because it "makes sense to me!" is a frightening prospect. It's also the roots of fascism, which always needs lots of shallow-thinking "sounds good to me! " types like you to actually bring them to power.

You need to take a serious, searching and thorough moral inventory of yourself and you need to examine the criteria you're accepting of when coming to conclusions about how you would like to see society structured.

Re:Slippery Slope

[ScentCone]

It's about military-classifications used domestically, not about armor thickness.

OK. And, which specific feature of a "military" truck is it that makes the law enforcement person riding around in it a criminal? Please be specific.

Re:Slippery Slope

[JimMcc]

How much metal is a vehicle allowed to have before you consider it illegal for a police department to use? Please be specific.

To keep this on the subject matter I'll quote what Supreme Court Justice Potter Stewart said about porn, "I know it when I see it". Military grade vehicles look quite different than civilian vehicles. You certainly would notice if your local sheriff's deputy started patrolling your neighborhood in a HumVee instead of a Crown Vic.

Re:Slippery Slope

[JimMcc]

What if the connection was accidental/unintentional?

According to the FA, the information was only captured when the user started the login process, or started the registration process. I don't know about you, but if I accidently landed on a child porn website the very first thing I would do would be to get out of it. I certainly wouldn't start to register as a user to the site.

Or some rogue process did it?

That's a different issue, but a highly unlikely event.

Re:Slippery Slope

[dcollins117]

As long as they got warrants (even if they're "John Doe" warrants), they're in the clear, methinks.

I suspect you are right but the problem I have is that the only information a judge receives when deciding whether to issue a warrant is provided soley by the LEO and the prosecution. There should be some mechanism for the accused to defend himself against malicious prosecution, IMHO.

Given the opportunity to only present one side of the story I could paint anyone as a baby-shaking, dog-kicking, drug-dealing, devil-worshiping, child-molesting, panty-sniffing terrorist psychopathic monster.

What judge is going to deny a warrant based on that presentation.

Re:Slippery Slope

[Beeftopia]

A simple test is.. if a citizen did this to another citizen, would that be against the law?

I'm not sure that's a good test:

1) If one citizen deprives another of his liberty, that's kidnapping. If the government does it, it's incarceration.

2) If one citizen forcibly takes money from another, that's robbery. If the government does it, it's a fine.

3) If one citizen kills another, that's murder. If the government does it, it's capital punishment.

Why does this curious dichotomy exist? Because we elect people who will maintain law and order, to promote justice and all the other stuff in the preamble to the Constitution. Sometimes they have to apply force sometimes to achieve these ends because there are people willing to apply force to do evil, like robbery, kidnapping and murder.
 

Re:Slippery Slope

[sumdumass]

The warrant process is not a prosecution. It is a check on LEO in gathering evidence that they could not legally or constitutionally otherwise have done. The prosecution will only start after evidence of a crime is collected.

What you are missing is that they are supposed to inform the judge that there is reason to believe baby-shaking, dog-kicking, drug-dealing, devil-worshiping, child-molesting, panty-sniffing terrorist psychopathic monster is or has participated in a specific crime.

Re:Slippery Slope

[tehcyder]

I think you need to think through the consequences of giving all potential criminals advance notice of warrants that are going to be served against them.

Re:Slippery Slope

[david_thornley]

Legal protections are for the innocent, yes, but people are innocent until proven guilty in a court of law. Removing protections from someone accused of a heinous crime makes it more likely that law-abiding citizens will be convicted once accused.

Re:Slippery Slope

[david_thornley]

Technically, the prosecution in a legal case should be required to show the entire chain of evidence, under actual rather than theoretical pan of perjury. At that point, the defense lawyer challenges evidence, usually in a pre-trial hearing. If the defense lawyer can show that evidence was gathered improperly, that evidence cannot be legally presented. There isn't currently a requirement to provide names, although the Constitution does say the defendant has the right to confront his accusers.

That's not the practice, unfortunately.

Re:Slippery Slope

[david_thornley]

I don't know the laws in question. It is possible that they explicitly allow for use by law enforcement for honeypots. There isn't anything automatically illegal about child porn, it's illegal because there are laws specifically against it.

They had a warrant...

[gQuigs]

The issue was did this one warrant let the government hack into everyone who tried to use Tor to connect this hidden site. Tor prevented the FBI from determining their IP address without further attacks on individual computers. The other issue is if the Judge knew they were authorizing this many computers to possibly be hacked.

I believe they waited until the user tried to login, create an account, or something like that, so just accidentally browsing to the site shouldn't have triggered the attack.

From the facts I have from this article, I think the FBI did the right thing.

Re:They had a warrant...

[phantomfive]

The answer is yes, they did have a warrant, that allowed anyone who logged into the site to be hacked (according to the article).

Re:They had a warrant...

[fermion]

It did not seem to be a fishing expedition where everyone who passed by was targeted. This seemed to be good police work and shows we don't need to violate civil rights in order to protect the innocent. Creating an account on something like this is pretty much intent to commit a crime. And is no different than working on any other marginal website. When you go to a web site there are all sorts of crap that can be put onto your computer. It is why we have to run so protected now. Any website can be a vector to take over and destroy a computer. It is so common it hardly seems like it is breaking the law. So the authorities are held up to higher standard than the criminals, which is good.

Re:They had a warrant...

[Perl-Pusher]

I'm not concerned with the hacking. What concerns me is they hosted a child pornography site. That's kind of like posing as a an assassin to catch people who hire hitmen yet carry out the assassination.

Re:They had a warrant...

[Gr33nJ3ll0]

They took over a known child pornography site, and continued to operate it. They used an existing service (not set up a new one) and monitored existing users (nothing about enticing new ones). I don't see this as being hugely different from sitting outside an business known for selling drugs, and writing down the info of everybody who goes in, or tapping the lines, and recording phone numbers. Further they got a warrant to do exactly that.

Re: They had a warrant...

[radi0man]

Did they do the right thing by actively facilitating the mass distribution of child pornography?

Re:They had a warrant...

it is hugely different, what they did was take over the drug business and continued running it

Re:Don't get it

[110010001000]

There are over 3 billion Internet users. The number that accessed these sites is a small fraction of Internet users. A small fraction of the public are pedophiles, and a significant portion of them probably seek out these sites in order to fulfill their deviant behavior, since it is so easy to obtain via the Internet. What i don't get it how an adult can find children sexually attractive. There are no normal cues that trigger sexual interest. I just feel sorry for the exploited children.

Re:Don't get it

[gfxguy]

It's all about the percentages, not the raw numbers. United Nations says over 3 billion people are using the internet. 60k from 3B is really not a large number, relatively speaking.

Re:Don't get it

[tsqr]

From TFS: "Many of those posts, according to FBI testimony, contained some of the most extreme child abuse imagery one could imagine, and others included advice on how sexual abusers could avoid detection online."

Re:Don't get it

[onepoint]

well look at it differently ... 400,000,000 general population of males from USA and Europe give or take a little, 1% is 4 million, 1% of that is 40,000 so with 215K, that means that there is a lot of people ( about .0005% ) that like this stuff. So the FBI most likely knows a large percentage of them now in the USA. Problem now is what to do with them all. and what does this tell us about society. How about the poor FBI team that had to deal with the web site, those people are psychologically damaged for life ( I got to think that the other .9995 are not into this ).

as to what the images are, I got no clue, but I got to think it's like that south park episode

Re:Don't get it

[gfxguy]

I don't get it, either, but again, if you're playing percentages, there's always someone... if it's not prepubescent kids, it's animals, or feet, or fat, or insert whatever. They say psychopaths make up 1% of the population... that's a LOT of psychopaths out there... people who not only don't care about hurting other people, but can get off on it.

So the gov knowingly ran a child porn site?

[sgrover]

I haven't seen it in the comments yet, but by seizing the site and NOT shutting it down, the government chose to run a child porn server. Does that not then put them under the same legal scrutiny as those they were investigating? Of course I did not read the article and may be missing a bunch of detail, but if the gov was actively serving child porn, then THAT is a crime in my eyes - regardless if it was a honeypot or not.

Re:So the gov knowingly ran a child porn site?

[guruevi]

In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit; there are exceptions for tort and contract law.

It's a very interesting legal stance if the government says it has sovereign immunity, they claim to have not committed any actions that would invoke the tort exceptions. Therefore, running a child porn website does, according to the government, not do any harm to any potential victims (which is what tort is) and thus dissemination of child porn which is 'illegal because it harms the children', may then fall under first amendment protections just like any other website.

Re:So the gov knowingly ran a child porn site?

[gweihir]

This begs the question why possession of CP is illegal. The usual argument is that it continues to harm the victims.

Re:Don't get it

[GameboyRMH]

I don't know what was on this site in particular, but I know that there are many darknet forums filled with egregious, very non-jailbait child porn, right down to infants. People find them by word-of-mouth and darknet pages (like the infamous "hard candy" page, a hidden list of child porn .onion sites on The Hidden Wiki).

We're a fucked-up species and a certain proportion of adult humans are sexually attracted to children for some reason...it's clean over 1% even by the most conservative estimates, and 1% of 7.1 billion is 70 million, so there are way more than enough for a forum to have 60k users.

If it makes you feel better, even among these, many "have a conscience" and see CP as one of the least harmful ways to get their rocks off.

Old news

[campuscodi]

Didn't the FBI already admit to this in the summer of 2014? Don't see any new information on this topic. I think they actually caught a man that made false bomb threats in Seattle in August 2015 using this very same method.

Re:Don't get it

[gweihir]

Interesting thing, instruction how people "could avoid detection online" are not illegal, or even immoral. What is the point of including this piece of information?

Accidental tourist?

[teknosapien]

I wonder how many of those 11,000 unique visits were accidental or a product of phishing(goatse.cx)
Now granted I think this is deplorable and disgusting (think of the Children!)
But I think they need to really scrutinize the data that they have so that innocent mistakes/typos/bad linkage are not falsely accused

Re:Accidental tourist?

[tehcyder]

I don't think many people end up on the legendary "dark web" by accident.

Re:Accidental tourist?

[teknosapien]

Though that maybe true, there are some that end up there for reasons other than child exploitation.

Re:Accidental tourist?

[david_thornley]

They won't reliably get convictions for just visiting a website. However, a visit is grounds for further investigation, probably leading to taking copies of all the hard disks in the house. If they find significant amounts of kiddie porn there, they've got a very good case.

What else is there to say

[WOOFYGOOFY]

GO FBI GO !!!!

Re:What else is there to say

[tobiah]

Your thoughts about touching the doll have been recorded and sent to the proper authorities. Please remain calm while our extraction team executes a warrant within one standard deviations of your present location.

Mixed feelings

[davidwr]

I'm glad that the site was (eventually) shut down. The article didn't mention it, but I hope the kids in the pictures are all identified, located, rescued if they were still in an abusive situation, and offered a lifetime supply of mental-health help (yeah yeah, I know, some number > 0% of abused children don't need mental help later, but the offer should be there for those who do need it).

I have little or no problem using these types of warrants if they are used to prevent crimes or identify victims, but I have a real problem with the "fruits" of the warrants being used to actually prosecute people. If the feds had simply seized contraband, helped kids that needed help, and made the perps who were stung publicly admit what they did in exchange for no criminal prosecution, that would seem to be a better solution from civil-liberties point of view. Unfortunately, it would stink from a fairness-to-the-victim point of view and it would also likely incite vigilante behavior from neighbors and others, leading to a net increase in criminal behavior. It would also be an incentive for a false confession for people who were really innocent ("So, my wifi got hacked but if I don't admit guilt and submit myself to unearned public ridicule you will send me to trial and at best my lawyers will bankrupt me? Where do I sign?") Hence my mixed feelings.

I also blame the buggy Tor bundle for making this easy for the feds:

Why wasn't it designed with an intermediate layer that filtered out any traffic not destined for the TOR network?

Example:

* Initialization from boot CD: Go to known locations and retrieve canonical, signed list of TOR entry points and download signed version of current TOR software.

* Start "lowest layer", which block all traffic except to/from known Tor entry points.

* Start TOR software. Even if there is a bug in the TOR software that would allow contacting an IP address other than known-good entry points, it would be blocked by the lower layer.

Start "mid-layer" which blocks all traffic except to the local TOR interface that is running in the immediately-lower layer.

Start a "high-layer" which applications run in. Applications are all socks/proxied to the local TOR software running at a lower layer. Exploits at this layer would not be able to get "out" to the "real internet" as they would be blocked by the lower layers. They couldn't even determine the machine's "real" local-LAN IP address that the lowest layer can see, they only know what they are told by the TOR layer, which is probably a NAT or other fake address.

Re:Mixed feelings

[david_thornley]

I'm talking about something I don't know about here, and will take steps not to know about, but some activities in child porn seem also likely to physically harm the victims as well as causing mental harm. We shouldn't forget about that.

Re:Mixed feelings

[davidwr]

I'm talking about something I don't know about here, and will take steps not to know about, but some activities in child porn seem also likely to physically harm the victims as well as causing mental harm. We shouldn't forget about that.

By the time the photograph is taken, the physical harm has already been done (I'm not saying more physical harm won't happen in the moments after the camera is turned off, but it's not directly related to the child porn being created).

The danger of distribution of child porn outside of controlled environments (law enforcement, clinical/therapeutic environments, etc.) is that it may create a demand for new child porn, which does mean kids getting hurt.

Distribution of child porn of still-living victims (and we hope all of them are still alive, save for those who have already died of old age) is that the knowledge that photographs were taken and that they either are definitely "floating around" out there or the uncertainty as to whether they are "out there" or not is a lifelong psychological burden.

The distribution of child porn also puts a psychological burden on the loved ones of the children in the photographs (assuming of course that those loved ones weren't involved in the creation or distribution of the porn and weren't involved in abusing the children in any other way).

But as far as distribution creating "new" physical harm to the original victims, no it doesn't (for this purpose, I'm not counting secondary physical harm, such as ulcers or harm resulting from attempted or successful suicides - those come from the BELIEF that the image is or may be circulating, not the actual circulation of the image, and they are at their root a psychological problem and the long-term treatment is, at its root, psychology-based).

Re: Mixed feelings

[davidwr]

I think you missed my point:

I'm talking about cases where but for acts by law enforcement that I read as illegal, law enforcement would not have known who committed the crime in the first place.

Anyone granted "immunity" under the proposal I made would be a public pariah. Sure, they wouldn't have a criminal record or sex-offender status but they would be all over the news. That alone makes it almost impossible for them to hang around any kid or teen whose parents or adult neighbors are paying attention. It's also removes a barrier for those people caught up in child porn who want to get therapy - I would imagine many of them are afraid to see a therapist because they are afraid that "mandatory reporting" laws apply to the crimes they committed, whether or not they really do (I think all U.S. states have mandatory-therapist-reporting for "contact" abuse, but I don't know if any, some, or all have such a laws if a patent admits to viewing child porn or admits that they are likely to do so in the future - my guess is some or all do - I am not a lawyer).

Again, the big reasons I'm not wholly in favor of this proposal is that it's obviously unfair to the victims and (because it is correctly-perceived as being unfair to victims) it encourages "vigilante justice" - which means it encourages future crimes (albeit with an unsympathetic victim).

Re:Mixed feelings

[david_thornley]

I think we're in agreement here. People physically and mentally hurt by horrible crimes should get the care they need. Distribution of child porn can lead to further mental harm, and can encourage scum to make more such, causing more physical and mental harm.

Re:Good

[ShanghaiBill]

It is not so clear that this is "good". There is not much evidence for a causal link from porn to sexual crime. Most countries that have liberalized their pornography laws have experienced a decline in sexual violence toward women and children. Child porn is illegal even if is entirely animated, or made with adult actors portraying adolescents. That pushes the entire genre onto the dark web. If, instead, the law only banned the actual abuse of children, rather than thought crime, there could be a legal market that would drive out most of the material involving actual harm to children.

Re:Good

[matbury]

If, instead, the law only banned the actual abuse of children, rather than thought crime, there could be a legal market that would drive out most of the material involving actual harm to children.

AFAIK, the FBI can't prosecute US citizens for thought crimes. If they had a lawful warrant and prosecuted people for criminal behaviour, i.e. passing on the products of criminal acts (against children), then I don't see any problem with what they're doing. This is an actual case of the FBI doing what they're supposed to do instead of going after political dissidents and whistle blowers. We should be praising these actions, not criticising them.

Re:Good

[ShanghaiBill]

AFAIK, the FBI can't prosecute US citizens for thought crimes.

Then you are obliviously ignorant, and probably should spend a few minutes educating yourself about American child porn laws before you comment on them again.

prosecuted people for criminal behaviour, i.e. passing on the products of criminal acts (against children) ...

This NOT what they are doing. Child porn is illegal, even if it involves NO CHILDREN whatsoever. Many of the people being prosecuted were making or viewing animations or adult actors, not anything involving actual children.

Also read

[s.petry]

The Franklin Cover-up. The pretense that Government people are altruistic angels guarding over us all is idiotic. People really need to get a grasp of that fantasy and treat it for what it is.

Re:Don't get it

[tsqr]

Interesting thing, instruction how people "could avoid detection online" are not illegal, or even immoral.

(a) Offense defined.--A person commits an offense if, with intent to hinder the apprehension, prosecution, conviction or punishment of another for crime or violation of the terms of probation, parole, intermediate punishment or Accelerated Rehabilitative Disposition, he:
(1) harbors or conceals the other;
(2) provides or aids in providing a weapon, transportation, disguise or other means of avoiding apprehension or effecting escape;
(3) conceals or destroys evidence of the crime, or tampers with a witness, informant, document or other source of information, regardless of its admissibility in evidence;
(4) warns the other of impending discovery or apprehension, except that this paragraph does not apply to a warning given in connection with an effort to bring another into compliance with law; or
(5) provides false information to a law enforcement officer.

Re:Good

[Vitriol+Angst]

I agree. While I abhor sexual abuse of children (required statement), it's an easy target of outrage but has far-reaching consequences to charge criminal offenses of people who view such things on the internet. It is a thought crime -- the abuse of the children is the people making the content -- and I think it should end there.

Free access to porn has shown a relative drop in rapes. Violence in games shows a huge drop in violence (relative to the same demographic without video games -- though not sure where they find those anymore).

I think the next battlefield will be on realistic sex robots. People will be morally outraged if they look this way or that. There's no abuse because it's a mechanism. If it stops rapists, sex addicts and molesters from doing damage to real people -- what is the harm?

I think too often we have morals based laws, that don't really meet the public interest of; "what does the most good for the most people?" Sure, we all might be creeped out by someone's preferences, but by not criminalizing the USE of materials, we can better get the CREATORS of harm. And in the future, STDs, Prostitution, and Sexual offenses may take a nose dive as Sexbots hit the scene.

It would be interesting to see the real stats on whether viewing makes someone more or less likely to abuse a kid. Perhaps there's a difference when there is a blog of people reinforcing how "OK" it is. The real question is; what path prevents child abuse?

Re:Good

[Vitriol+Angst]

AFAIK, the FBI can't prosecute US citizens for thought crimes.

But how is a website or BBS showing material NOT a thought crime? You might say; the materials are prohibited. But we could outlaw bibles, and then everyone with a bible would be an outlaw. What ABOUT the bible is illegal? Reading the words, of course. They'll say it's possession, but really, it's in what you might learn, think and how it might change your behavior. No clear smoking gun on Pedophilia.

So this is a thought crime. They can see, view and hear but don't DO. Crime is an act that harms people. Until someone actually affects a person or property -- no crime. The only crime is based on prohibited material.

Is the crime in viewing an actual minor, or in viewing someone who LOOKS like a minor -- or a cartoon? What if I'm married to a 26 year old woman who 4 feet tall and looks really cute? Do I go to jail? Sure these people may clearly be looking for kids -- or maybe someone likes tiny women, but how do you define such a thing and does it really matter?

The user in this case is assuming there is privacy. They are viewing material to get stimulated. They didn't touch anyone.

I hate taking the side of Pedos -- but we don't even know if all these people are actual pedophiles. Some of them might just be into extremes and next week they'll be looking at chubby chicks. Some of them may have been abused in the past. If you criminalize this -- you don't have a situation where people can seek help. There are so many cases in our own history where stigmatizing causes MORE of the thing we are trying to reduce.

This is thought crime -- pure and simple. And if the rights of people who have done NO HARM are not considered, as reprehensible as they are, then the long arm of the law might do a reach-around into something else, like colluding with each other to change laws we think are wrong.

Re:Good

[Phronesis]

Child porn is illegal, even if it involves NO CHILDREN whatsoever. Many of the people being prosecuted were making or viewing animations or adult actors, not anything involving actual children.

Didn't Ashcroft v. Free Speech Coalition 535 US 234 (2002) overturn that and rule that the First Amendment protects cartoons, animations, and other works that do not show the sexual violation of actual children?

Re:Don't get it

[tehcyder]

It's all about the percentages, not the raw numbers. United Nations says over 3 billion people are using the internet. 60k from 3B is really not a large number, relatively speaking.

And yet a not dissimilar proportion of terrorists means that all Muslims are terrorists, in many people's eyes here.

Re:Don't get it

[tehcyder]

Interesting thing, instruction how people "could avoid detection online" are not illegal, or even immoral. What is the point of including this piece of information?

Telling someone how to hide isn't a crime. Telling an escaped serial killer how to hide is.

Counterintelligence

[fulldecent]

One interpretation of this article is that FBI (or contractors) has non-public, zero-day, or old-but-unpatched vulnerabilities which it is using against client machines to collect information. We assume that only misconfigured machines are vulnerable.

A benefit of this knowledge is that it may be possible collect these exploits with a REVERSE honeypot. Simply use a MORE secure browser (Tails in Tails + non-extradition origin + Tor Browser). Then spider the Dark Web but make sure your spider DOES follow post requests and do data fuzzing. This is the most likely to register as an intelligence target.

You could determine a successful exploit occurred if: the outer Tails or the inner Tails (virtualization) sent any traffic to the network. Normal non-exploited behavior would be that all traffic (spidering) would occur only with the innermost Tor Browser connection. So this would require three levels of "wire level" logging. As soon as you detect exploited behavior, stop everything, publish the logs and then act like Gene Hackman in Enemy of the State.

Of course this can all be done without any human interaction with unsavory websites, it can be legal based on origin location and it can arbitrarily secured against detection. Older versions of Tor Browser and known exploits could be used to validate this system. Sorry, this probably belonged as a blog post or a GitHub new repo first commit!

Re:Good

[david_thornley]

Last I looked at the US Federal law, it wasn't child porn if it didn't have an identifiable individual, under 18 when the porn was produced, doing something sexual (and there were restrictions on what constitutes that). Definitions can differ in other jurisdictions, and some states may have more sweeping laws.

Of course, this doesn't mean the FBI can't investigate, or a Federal prosecutor file charges, if none of the porn they find meets that standard.