An FBI Hacking Campaign Targeted Over a Thousand Computers

derekmead writes: In order to fight what it has called one of the largest child pornography sites on the dark web, the FBI hacked over a thousand computers, according to court documents reviewed by Motherboard and interviews with legal parties involved.

Just a month after launch, a bulletin board called Playpen had nearly 60,000 member accounts. By the following year, this number had ballooned to almost 215,000, with over 117,000 total posts, and an average of 11,000 unique visitors each week. Many of those posts, according to FBI testimony, contained some of the most extreme child abuse imagery one could imagine, and others included advice on how sexual abusers could avoid detection online.

But after Playpen was seized, it wasn't immediately closed down, unlike previous dark web sites that have been shuttered by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency's term for a hacking tool.

Not hacking

[110010001000]

They weren't hacking. They were obtaining the IP address of connected machines who were using Tor to access child porn sites. I just call that good investigation. Your IP address isn't private information, just like your postal address isn't.

Re:Not hacking

They used some form of malware/trojan to extract certain information. That's the greypoint from the FA:

“Basically, if you visited the homepage, and started to sign up for a membership, or started to log in, the warrant authorised deployment of the NIT,” Fieman said. From here, the NIT would send a target's IP address, a unique identifier generated by the NIT, the operating system running on the computer and its architecture, information about whether the NIT had already been deployed to the same computer, the computer's Host Name, operating system username, and the computer's MAC address."

Re:Not hacking

[110010001000]

Right...you would need a flaw in the browser that is going to send you that information. I'm not sure if that is "hacking", or just monitoring. After all, the client machine initiated the connection to the host machine, which then obtained the information. I doubt there is a law against this. If you connect to my machine why can't I obtain as much information about your machine as I can, using any means? I mean maybe it is hacking, but it isn't clear cut. There are no laws that I know of that says you can't exploit bugs to obtain mac addresses of machines that connect to you.

Re:Not hacking

[110010001000]

I just call it clever programming. After all, your computer is connecting to ME and sending me information that I am requesting. I'm not logging/breaking into your machine and getting the information. There are no laws that state what "information you shouldn't be able to get".

Re:Not hacking

[RenderSeven]

They apparently had a warrant, so it probably doesnt matter if its hacking or not. However as to what they can collect without a warrant, IANAL but expectation of privacy would almost certainly be the litmus test or at least a factor. A conversation in public is fair game but a conversation in your home is privileged even though "flaws" in your home allow exploits like laser microphones to listen. Some of it comes down to deciding if consuming online media is "speech" and thus (arguably) protected (loss of anonymity can be considered "chilling effect"). Without SCOTUS guidelines it seems to depend on the judge, and what he had for breakfast.

Re:Not hacking

[gweihir]

Except when your software (TOR) does not give out your IP address willingly. Then some kind of hacking/cracking/compromise technique is used and that is highly problematic. In a sane legal system it would also compromise any and all evidence found on the target computers as it typically comes with the ability to change things on the target and do so without trace.

This cure here may well be much, much worse than the disease. If the targeted group were a different one, this might be called "state-sponsored terrorism." Anybody that believes these techniques are only used against child pornographers is kidding themselves. Just have a look at the history of the FBI.

Re:Not hacking

[gweihir]

Sorry, but that is bullshit. Sure, it may work if somebody incompetent set up a normal browser to work over TOR, or actually is grossly stupid enough to really set up LAN tunneling over TOR (But to what end? It would not do anything useful...), but with a competent set-up or the TOR browser bundle, there is no way to do what the FBI did without compromising the browser process. And, incidentally, with the freedom-hosting attack, they did exactly this: They sent malcode to the browser and took it over. As far as we know they did not do a lot with the compromised browser, but that is besides the point.

Re:Not hacking

[gweihir]

Actually, forget what I said about this being possible on misconfiguration. Your statements are so far removed from how TOR works that I got confused as to what you were saying.

So: For a client TOR installation, this is impossible without compromising the target browser over an existing (!), client-initiated connection. You cannot initiate a connection, scan, ping or do anything else from the server side to a TOR client. The network will not route your packages. You cannot even address the target as you only see the IP address of the exit-relay, but that one is terminating many connections from clients. Seriously, TOR is not a VPN. What you can do is attacks against hidden services, but anybody can connect to them via TOR. But again, you cannot scan the network there, you can only attack the service itself, i.e. usually the web-server running there.

Your statements are complete, unmitigated nonsense.

Slippery Slope

[duke_cheetah2003]

Bit of a slippery slope when Law Enforcement is breaking laws to catch criminals. This is not good policing in my opinion. There should be no excuse for breaking the law, especially in an effort to enforce the law. Law enforcement should never be 'do as I say, not as I do.'

A simple test is.. if a citizen did this to another citizen, would that be against the law? Last I checked, hacking your neighbors computer and collecting information from it is definitely against the law. (Unless you're Microsoft and say you're going to do it in your EULA, bit that's a different can of worms.)

Re:Slippery Slope

Police use military equipment and armored vehicles to selectively enforce laws around the US, the slope slipped a looong time ago

Re:Slippery Slope

[110010001000]

If your neighbors computer connected to yours, and you collected information about it, is that against the law? If I understood it, they were gathering information of computers which were accessing the sites.

Re:Slippery Slope

[Penguinisto]

As long as they got warrants (even if they're "John Doe" warrants), they're in the clear, methinks.

I suspect that it would pretty much follow the same legal framework as wiretapping, albeit the 'tap' is put directly in the 'phone', without knowing fully who owns said phone.

If this is indeed the case, I have zero problems with it - covertly swipe a website/host via legal means, and use it as a honeypot to catch/trap offenders, using a modified wiretap warrant/framework to 'tap' the computers that connect to said site. Assuming everything is properly documented and that the procedure is transparent enough to stand up in court, you then monitor that user's activities to not only collect evidence but to identify the user behind it.

The only real problems would be with computers used by multiple individuals, in which case you'd have to suss out which user is responsible. Another problem would be to have a procedure (and malware) in place that doesn't give a defense attorney enough credible ammunition to claim his client was framed, or that evidence was 'planted'. This is why the procedure(s) would have to be transparent to all (it would become that way anyway come the first court case, if the prosecution wanted any hope of winning a conviction.)

Re:Slippery Slope

[kwiecmmm]

Not really, this is the same as turning someone in the mob and using them against others.

I am against government surveillance, but this seems to be just the government using an illegal site to figure out who is using it. They just kept the site running for a couple weeks to catch and track down its users, who were breaking the law by being on a child porn site.

Re:Slippery Slope

[bill_mcgonigle]

This is why the procedure(s) would have to be transparent to all

"In theory" ... they'd also obey their Constitutional restrictions. I the real world, they're lawless and get by on parallel construction. The government was instituted to protect our liberties and now it's our greatest threat against them.

"When you gaze long into an abyss the abyss also gazes into you."

Re:Slippery Slope

[messymerry]

NOBODY in the United States is excused from their obligation to honor the provisions of the Constitution,,,especially when they took an oath on it. Questions???

Re:Slippery Slope

[killkillkill]

Uhh... I read it

Reuters revealed that the Special Operations Division (SOD) of the U.S. Drug Enforcement Administration advises DEA agents to practice parallel construction when creating criminal cases against Americans that are actually based on NSA warrantless surveillance

And the sited article:

http://www.reuters.com/article...

Of course two senior DEA agents said your quote, so it must all be hogwash.

Re:Slippery Slope

[JimMcc]

What if the connection was accidental/unintentional?

According to the FA, the information was only captured when the user started the login process, or started the registration process. I don't know about you, but if I accidently landed on a child porn website the very first thing I would do would be to get out of it. I certainly wouldn't start to register as a user to the site.

Or some rogue process did it?

That's a different issue, but a highly unlikely event.

They had a warrant...

[gQuigs]

The issue was did this one warrant let the government hack into everyone who tried to use Tor to connect this hidden site. Tor prevented the FBI from determining their IP address without further attacks on individual computers. The other issue is if the Judge knew they were authorizing this many computers to possibly be hacked.

I believe they waited until the user tried to login, create an account, or something like that, so just accidentally browsing to the site shouldn't have triggered the attack.

From the facts I have from this article, I think the FBI did the right thing.

Re:They had a warrant...

[phantomfive]

The answer is yes, they did have a warrant, that allowed anyone who logged into the site to be hacked (according to the article).

Re:They had a warrant...

[fermion]

It did not seem to be a fishing expedition where everyone who passed by was targeted. This seemed to be good police work and shows we don't need to violate civil rights in order to protect the innocent. Creating an account on something like this is pretty much intent to commit a crime. And is no different than working on any other marginal website. When you go to a web site there are all sorts of crap that can be put onto your computer. It is why we have to run so protected now. Any website can be a vector to take over and destroy a computer. It is so common it hardly seems like it is breaking the law. So the authorities are held up to higher standard than the criminals, which is good.

Re:They had a warrant...

[Gr33nJ3ll0]

They took over a known child pornography site, and continued to operate it. They used an existing service (not set up a new one) and monitored existing users (nothing about enticing new ones). I don't see this as being hugely different from sitting outside an business known for selling drugs, and writing down the info of everybody who goes in, or tapping the lines, and recording phone numbers. Further they got a warrant to do exactly that.

Re:Don't get it

[gfxguy]

I don't get it, either, but again, if you're playing percentages, there's always someone... if it's not prepubescent kids, it's animals, or feet, or fat, or insert whatever. They say psychopaths make up 1% of the population... that's a LOT of psychopaths out there... people who not only don't care about hurting other people, but can get off on it.

So the gov knowingly ran a child porn site?

[sgrover]

I haven't seen it in the comments yet, but by seizing the site and NOT shutting it down, the government chose to run a child porn server. Does that not then put them under the same legal scrutiny as those they were investigating? Of course I did not read the article and may be missing a bunch of detail, but if the gov was actively serving child porn, then THAT is a crime in my eyes - regardless if it was a honeypot or not.

Re:So the gov knowingly ran a child porn site?

[guruevi]

In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit; there are exceptions for tort and contract law.

It's a very interesting legal stance if the government says it has sovereign immunity, they claim to have not committed any actions that would invoke the tort exceptions. Therefore, running a child porn website does, according to the government, not do any harm to any potential victims (which is what tort is) and thus dissemination of child porn which is 'illegal because it harms the children', may then fall under first amendment protections just like any other website.

Re:Good

[ShanghaiBill]

It is not so clear that this is "good". There is not much evidence for a causal link from porn to sexual crime. Most countries that have liberalized their pornography laws have experienced a decline in sexual violence toward women and children. Child porn is illegal even if is entirely animated, or made with adult actors portraying adolescents. That pushes the entire genre onto the dark web. If, instead, the law only banned the actual abuse of children, rather than thought crime, there could be a legal market that would drive out most of the material involving actual harm to children.

Re:Good

[ShanghaiBill]

AFAIK, the FBI can't prosecute US citizens for thought crimes.

Then you are obliviously ignorant, and probably should spend a few minutes educating yourself about American child porn laws before you comment on them again.

prosecuted people for criminal behaviour, i.e. passing on the products of criminal acts (against children) ...

This NOT what they are doing. Child porn is illegal, even if it involves NO CHILDREN whatsoever. Many of the people being prosecuted were making or viewing animations or adult actors, not anything involving actual children.

Re:Good

[Vitriol+Angst]

I agree. While I abhor sexual abuse of children (required statement), it's an easy target of outrage but has far-reaching consequences to charge criminal offenses of people who view such things on the internet. It is a thought crime -- the abuse of the children is the people making the content -- and I think it should end there.

Free access to porn has shown a relative drop in rapes. Violence in games shows a huge drop in violence (relative to the same demographic without video games -- though not sure where they find those anymore).

I think the next battlefield will be on realistic sex robots. People will be morally outraged if they look this way or that. There's no abuse because it's a mechanism. If it stops rapists, sex addicts and molesters from doing damage to real people -- what is the harm?

I think too often we have morals based laws, that don't really meet the public interest of; "what does the most good for the most people?" Sure, we all might be creeped out by someone's preferences, but by not criminalizing the USE of materials, we can better get the CREATORS of harm. And in the future, STDs, Prostitution, and Sexual offenses may take a nose dive as Sexbots hit the scene.

It would be interesting to see the real stats on whether viewing makes someone more or less likely to abuse a kid. Perhaps there's a difference when there is a blog of people reinforcing how "OK" it is. The real question is; what path prevents child abuse?

Re:Good

[Vitriol+Angst]

AFAIK, the FBI can't prosecute US citizens for thought crimes.

But how is a website or BBS showing material NOT a thought crime? You might say; the materials are prohibited. But we could outlaw bibles, and then everyone with a bible would be an outlaw. What ABOUT the bible is illegal? Reading the words, of course. They'll say it's possession, but really, it's in what you might learn, think and how it might change your behavior. No clear smoking gun on Pedophilia.

So this is a thought crime. They can see, view and hear but don't DO. Crime is an act that harms people. Until someone actually affects a person or property -- no crime. The only crime is based on prohibited material.

Is the crime in viewing an actual minor, or in viewing someone who LOOKS like a minor -- or a cartoon? What if I'm married to a 26 year old woman who 4 feet tall and looks really cute? Do I go to jail? Sure these people may clearly be looking for kids -- or maybe someone likes tiny women, but how do you define such a thing and does it really matter?

The user in this case is assuming there is privacy. They are viewing material to get stimulated. They didn't touch anyone.

I hate taking the side of Pedos -- but we don't even know if all these people are actual pedophiles. Some of them might just be into extremes and next week they'll be looking at chubby chicks. Some of them may have been abused in the past. If you criminalize this -- you don't have a situation where people can seek help. There are so many cases in our own history where stigmatizing causes MORE of the thing we are trying to reduce.

This is thought crime -- pure and simple. And if the rights of people who have done NO HARM are not considered, as reprehensible as they are, then the long arm of the law might do a reach-around into something else, like colluding with each other to change laws we think are wrong.