Slashdot Mirror

← Back to Stories (view on slashdot.org)

An FBI Hacking Campaign Targeted Over a Thousand Computers (vice.com)

Posted by Soulskill on from the go-big-or-go-home dept.

derekmead writes: In order to fight what it has called one of the largest child pornography sites on the dark web, the FBI hacked over a thousand computers, according to court documents reviewed by Motherboard and interviews with legal parties involved.

Just a month after launch, a bulletin board called Playpen had nearly 60,000 member accounts. By the following year, this number had ballooned to almost 215,000, with over 117,000 total posts, and an average of 11,000 unique visitors each week. Many of those posts, according to FBI testimony, contained some of the most extreme child abuse imagery one could imagine, and others included advice on how sexual abusers could avoid detection online.

But after Playpen was seized, it wasn't immediately closed down, unlike previous dark web sites that have been shuttered by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency's term for a hacking tool.

13 of 138 comments (clear)

  1. Not hacking by 110010001000 · · Score: 5, Insightful

    They weren't hacking. They were obtaining the IP address of connected machines who were using Tor to access child porn sites. I just call that good investigation. Your IP address isn't private information, just like your postal address isn't.

    1. Re:Not hacking by Anonymous Coward · · Score: 3, Informative

      They used some form of malware/trojan to extract certain information. That's the greypoint from the FA:

      “Basically, if you visited the homepage, and started to sign up for a membership, or started to log in, the warrant authorised deployment of the NIT,” Fieman said. From here, the NIT would send a target's IP address, a unique identifier generated by the NIT, the operating system running on the computer and its architecture, information about whether the NIT had already been deployed to the same computer, the computer's Host Name, operating system username, and the computer's MAC address."

    2. Re:Not hacking by 110010001000 · · Score: 3, Insightful

      I just call it clever programming. After all, your computer is connecting to ME and sending me information that I am requesting. I'm not logging/breaking into your machine and getting the information. There are no laws that state what "information you shouldn't be able to get".

    3. Re:Not hacking by RenderSeven · · Score: 4, Informative

      They apparently had a warrant, so it probably doesnt matter if its hacking or not. However as to what they can collect without a warrant, IANAL but expectation of privacy would almost certainly be the litmus test or at least a factor. A conversation in public is fair game but a conversation in your home is privileged even though "flaws" in your home allow exploits like laser microphones to listen. Some of it comes down to deciding if consuming online media is "speech" and thus (arguably) protected (loss of anonymity can be considered "chilling effect"). Without SCOTUS guidelines it seems to depend on the judge, and what he had for breakfast.

    4. Re:Not hacking by gweihir · · Score: 3, Informative

      Except when your software (TOR) does not give out your IP address willingly. Then some kind of hacking/cracking/compromise technique is used and that is highly problematic. In a sane legal system it would also compromise any and all evidence found on the target computers as it typically comes with the ability to change things on the target and do so without trace.

      This cure here may well be much, much worse than the disease. If the targeted group were a different one, this might be called "state-sponsored terrorism." Anybody that believes these techniques are only used against child pornographers is kidding themselves. Just have a look at the history of the FBI.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Slippery Slope by duke_cheetah2003 · · Score: 5, Insightful

    Bit of a slippery slope when Law Enforcement is breaking laws to catch criminals. This is not good policing in my opinion. There should be no excuse for breaking the law, especially in an effort to enforce the law. Law enforcement should never be 'do as I say, not as I do.'

    A simple test is.. if a citizen did this to another citizen, would that be against the law? Last I checked, hacking your neighbors computer and collecting information from it is definitely against the law. (Unless you're Microsoft and say you're going to do it in your EULA, bit that's a different can of worms.)

    1. Re:Slippery Slope by Anonymous Coward · · Score: 3

      Police use military equipment and armored vehicles to selectively enforce laws around the US, the slope slipped a looong time ago

    2. Re:Slippery Slope by Penguinisto · · Score: 4, Insightful

      As long as they got warrants (even if they're "John Doe" warrants), they're in the clear, methinks.

      I suspect that it would pretty much follow the same legal framework as wiretapping, albeit the 'tap' is put directly in the 'phone', without knowing fully who owns said phone.

      If this is indeed the case, I have zero problems with it - covertly swipe a website/host via legal means, and use it as a honeypot to catch/trap offenders, using a modified wiretap warrant/framework to 'tap' the computers that connect to said site. Assuming everything is properly documented and that the procedure is transparent enough to stand up in court, you then monitor that user's activities to not only collect evidence but to identify the user behind it.

      The only real problems would be with computers used by multiple individuals, in which case you'd have to suss out which user is responsible. Another problem would be to have a procedure (and malware) in place that doesn't give a defense attorney enough credible ammunition to claim his client was framed, or that evidence was 'planted'. This is why the procedure(s) would have to be transparent to all (it would become that way anyway come the first court case, if the prosecution wanted any hope of winning a conviction.)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Slippery Slope by killkillkill · · Score: 3, Insightful

      Uhh... I read it

      Reuters revealed that the Special Operations Division (SOD) of the U.S. Drug Enforcement Administration advises DEA agents to practice parallel construction when creating criminal cases against Americans that are actually based on NSA warrantless surveillance

      And the sited article:

      http://www.reuters.com/article...

      Of course two senior DEA agents said your quote, so it must all be hogwash.

  3. They had a warrant... by gQuigs · · Score: 5, Informative

    The issue was did this one warrant let the government hack into everyone who tried to use Tor to connect this hidden site. Tor prevented the FBI from determining their IP address without further attacks on individual computers. The other issue is if the Judge knew they were authorizing this many computers to possibly be hacked.

    I believe they waited until the user tried to login, create an account, or something like that, so just accidentally browsing to the site shouldn't have triggered the attack.

    From the facts I have from this article, I think the FBI did the right thing.

    1. Re:They had a warrant... by Gr33nJ3ll0 · · Score: 3, Informative

      They took over a known child pornography site, and continued to operate it. They used an existing service (not set up a new one) and monitored existing users (nothing about enticing new ones). I don't see this as being hugely different from sitting outside an business known for selling drugs, and writing down the info of everybody who goes in, or tapping the lines, and recording phone numbers. Further they got a warrant to do exactly that.

  4. Re:So the gov knowingly ran a child porn site? by guruevi · · Score: 5, Interesting

    In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit; there are exceptions for tort and contract law.

    It's a very interesting legal stance if the government says it has sovereign immunity, they claim to have not committed any actions that would invoke the tort exceptions. Therefore, running a child porn website does, according to the government, not do any harm to any potential victims (which is what tort is) and thus dissemination of child porn which is 'illegal because it harms the children', may then fall under first amendment protections just like any other website.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  5. Re:Good by ShanghaiBill · · Score: 3, Interesting

    It is not so clear that this is "good". There is not much evidence for a causal link from porn to sexual crime. Most countries that have liberalized their pornography laws have experienced a decline in sexual violence toward women and children. Child porn is illegal even if is entirely animated, or made with adult actors portraying adolescents. That pushes the entire genre onto the dark web. If, instead, the law only banned the actual abuse of children, rather than thought crime, there could be a legal market that would drive out most of the material involving actual harm to children.