Slashdot Mirror


Windows DRM-Protected Files Used To Decloak Tor Browser Users (bleepingcomputer.com)

An anonymous reader writes from a report via BleepingComputer: Downloading and trying to open Windows DRM-protected multimedia files can deanonymize Tor Browser users and reveal their real IP addresses, security researchers from Hacker House have warned. On Windows, multimedia files encoded with special Microsoft SDK will automatically open an IE window and access a URL to check the file's license. Since this request is sent outside of the Tor Browser and without user interaction, this can be used to ping law enforcement servers and detect the user's real IP address and other details. For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography. When a user would try to view the file, the DRM multimedia file would use Internet Explorer to ping a server belonging to the law enforcement agency. The same tactic can also be used to target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos, and more. A video of the attack is available here.

150 comments

  1. Umm... just WMVs? by speedplane · · Score: 3, Interesting

    So opening a WMV in Windows Media and phoning home to a server... couldn't the same be done with Adobe Reader and PDFs? Or with countless pieces of software out there?

    --
    Fast Federal Court and I.T.C. updates
    1. Re:Umm... just WMVs? by infolation · · Score: 2

      This is why the hapless Windows-using would-be criminal should be using something more idiot-resistant, not Windows and the Tor browser. Like Tails for example. That way the hapless offender's DRM-infested movie files, PDFs etc can be forced to phone-home through the Tor network. If the criminal is too hapless to evade law-enforcement, it's caveat emptor.

    2. Re:Umm... just WMVs? by Gadget_Guy · · Score: 4, Informative

      The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.

    3. Re:Umm... just WMVs? by MayeulC · · Score: 1

      And of course, to do that, you would have to trust the windows firewall, which doesn't show everything.
      Maybe an esoteric proxy configuration that only works with a manually configured browser could do?

      But the easiest option is just to ditch windows if you're serious about security. And maybe also modern x86-based CPUs, since they usually contain ring -2 to -5 coprocessors with DMA, network access, and other niceties.

    4. Re:Umm... just WMVs? by Gadget_Guy · · Score: 4, Informative

      And of course, to do that, you would have to trust the windows firewall, which doesn't show everything.

      If you run "Windows Firewall with Advanced Security" it shows absolutely everything. I have yet to find anything that bypasses the firewall. Even Windows 10's aggressive updates don't work if you block by default, although I have no evidence of the telemetry one way or the other.

      That said, if you have an application that runs with elevated security then it can add its own firewall rules. The way around that is to create a special user that is just for editing the firewall entries, grant it access to the registry setting and revoke administrator rights. That's only required if you are paranoid though, or if you have a specific requirement. I did this to stop Steam from constantly creating firewall entries for itself and all games. I needed to lock it down to only work over my local connection to prevent it from downloading via my work when I set up a VPN to access the servers.

    5. Re:Umm... just WMVs? by nospam007 · · Score: 1

      "Or with countless pieces of software out there?"

      Exactly! That's why one should use a VPN on top of TOR. (or under in this case:-)

    6. Re:Umm... just WMVs? by Burz · · Score: 2, Informative

      Better still is Whonix (VM isolation for both Tor and Torbrowser). TAILS may have a fancy configuration to attempt leak prevention, but privilege escalation attacks are a dime a dozen on Linux.

    7. Re:Umm... just WMVs? by thegarbz · · Score: 1

      The issue here is that the DRM process pings a custom server. Most modern software doesn't randomly let the content creator reach the public internet. E.g. doing this in Acrobat would result in a confirmation being presented to the user that content is about to be retrieved from the internet.

      Most of this software also needs to be installed, whereas Windows just exists on many target devices already.

    8. Re: Umm... just WMVs? by Anonymous Coward · · Score: 0

      You can test with something like Wireshark, which is useful in seeing connections of all kinds to your computer. Useful in this case to see if there are any hidden connections being made that the firewall may be allowing. I'm sure Windows Firewall is fine, but hey, proof is in the pudding and there are ways of verifying.

    9. Re: Umm... just WMVs? by Anonymous Coward · · Score: 0

      or a ssh(a computer in no way associated nor ever connect with your real ip) through tor to a vpn that is not connected with that account to you no credit cards never signed with real.

    10. Re: Umm... just WMVs? by Anonymous Coward · · Score: 0

      which means you could go to sites that ban tor.

    11. Re:Umm... just WMVs? by AmiMoJo · · Score: 2

      Whonix runs in a VM on top of a host OS. VM escape flaws are a thing, and if malicious code gets out of the VM then it's running on your host OS. I guess you could have a dedicated host OS with nothing on it. Anyway, running code in a VM is not without risk.

      Booting Tails directly on the machine has a few advantages. Nothing saved to disk, no evidence you even ran it.

      Neither system is perfect and both have their advantages.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re: Umm... just WMVs? by Anonymous Coward · · Score: 0

      Tails on VM is mostly pointless because of save state; nothing is saved anyway under that consideration. Security is not about any one thing but about layers, and a VM definitely is a pretty good layer, but as you said it's not an end-all. There are layers and mitigation.

    13. Re:Umm... just WMVs? by sudon't · · Score: 4, Insightful

      The safest solution is to block outgoing traffic by default and whitelist what you want to allow in the firewall.

      And avoid both DRM and Windows like the plague, even if you're not doing something that would get you in trouble with your government.

      --
      -- sudon't

      Air-ride Equipped

    14. Re: Umm... just WMVs? by allo · · Score: 2

      tails in a vm would have prevented this.

      tails is about disallowing non-tor connections for the primary user.

    15. Re:Umm... just WMVs? by jbmartin6 · · Score: 1

      I tested it against the telemetry traffic using an external capture, and it was all blocked. The complaint about that setup has always been that MS could tweak it at any time.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    16. Re:Umm... just WMVs? by The-Ixian · · Score: 1

      Or use a TOR hardware device to make sure ALL traffic headed out your NIC is anonymized...

      --
      My eyes reflect the stars and a smile lights up my face.
    17. Re:Umm... just WMVs? by Anonymous Coward · · Score: 0

      Yes, but people expect PDFs to ping home via JavaScript. Nobody expects video files to ping back home.

    18. Re:Umm... just WMVs? by chihowa · · Score: 1

      Speaking of firewalls, does anyone know of an application-level egress firewall, like Little Snitch, for Windows or Linux?

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    19. Re: Umm... just WMVs? by pr0nbot · · Score: 3, Insightful

      Does it also prevent a user process from knowing the real IP address? (I genuinely don't know.) If it didn't, then I suppose the phone-home mechanism would just query the IP and transmit it as data.

    20. Re:Umm... just WMVs? by Anonymous Coward · · Score: 0

      If you don't want to download via your work VPN, simply VPN Connection > Properties > IPv4/6 > Advanced > Uncheck: "Use default gateway on remote network"

    21. Re: Umm... just WMVs? by allo · · Score: 1

      Depends on your type of internet connection.
      Usual DSL setup with some router at the dsl port and your pc at a lan interface of the router (or tails in a vm, talking to the host via a NAT-network (default on most vm softwares)), a malware running as the restricted user would only get the LAN ips and the tor-exit ip (not by reading it, but by using some kind of whatismyip service or directly accessing some honeypot/pleaselogme url).

    22. Re:Umm... just WMVs? by operagost · · Score: 1

      Or you could trust your HARDWARE firewall, not the Windows OS firewall, to do that.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    23. Re:Umm... just WMVs? by Gadget_Guy · · Score: 1

      But how does the hardware firewall block specific applications from accessing the Internet?

      By granting internet access on a per application basis with the software firewall, I don't have to worry about bugs or unintended consequences of some program having network access that I didn't expect. My media player only ever plays files from my computer, so I have never needed to grant it permission to talk to arbitrary servers, so this trick would never have affected me. It's a great way of neutering malware and backdoors/telemetry in programs.

    24. Re:Umm... just WMVs? by myowntrueself · · Score: 1

      And of course, to do that, you would have to trust the windows firewall, which doesn't show everything.

      If you run "Windows Firewall with Advanced Security" it shows absolutely everything. I have yet to find anything that bypasses the firewall. Even Windows 10's aggressive updates don't work if you block by default, although I have no evidence of the telemetry one way or the other.

      That said, if you have an application that runs with elevated security then it can add its own firewall rules. The way around that is to create a special user that is just for editing the firewall entries, grant it access to the registry setting and revoke administrator rights. That's only required if you are paranoid though, or if you have a specific requirement. I did this to stop Steam from constantly creating firewall entries for itself and all games. I needed to lock it down to only work over my local connection to prevent it from downloading via my work when I set up a VPN to access the servers.

      In Linux it's fairly trivial to set up the firewall to block all egress except via a VPN; you configure it so that only the VPN can egress via the physical network adaptor (e.g. eth0), restricting port and destination IP address. Then allow traffic via the tun device used by OpenVPN. In this way you can't accidentally leak anything outside the VPN.

      How do you do that in Windows? I never saw any ability to do firewalling by network adaptor.

      Thanks

      --
      In the free world the media isn't government run; the government is media run.
    25. Re:Umm... just WMVs? by myowntrueself · · Score: 1

      "Or with countless pieces of software out there?"

      Exactly! That's why one should use a VPN on top of TOR. (or under in this case:-)

      VPN into Tor then VPN through Tor. Then use 7 proxies.

      --
      In the free world the media isn't government run; the government is media run.
    26. Re:Umm... just WMVs? by tepples · · Score: 1

      What pocket-size hardware firewall do you recommend for use with a laptop computer?

    27. Re:Umm... just WMVs? by networkBoy · · Score: 1

      Neither system is perfect and both have their advantages.

      and *both* are vastly better than plain Tor on otherwise vanilla Windows host.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    28. Re:Umm... just WMVs? by Anonymous Coward · · Score: 0

      Another complaint is that your computer is wasting CPU cycles and RAM generating perpetual spyware reports in the background.

    29. Re:Umm... just WMVs? by Gadget_Guy · · Score: 1

      How do you do that in Windows? I never saw any ability to do firewalling by network adaptor.

      You can limit any firewall rule to work on one or more interface types on the Advanced tab of the rule's properties. This isn't quite as good as specifying the adaptor if you have really complicated networks, but it does the trick for 99.9% of cases. The three interface types are (as copied from the help file for the firewall):

      Local area network
      The rule applies only to communications sent through wired local area network (LAN) connections that you have configured on the computer.

      Remote access
      The rule applies only to communications sent through remote access, such as a virtual private network (VPN) connection or dial-up connection that you have configured on the computer.

      Wireless
      The rule applies only to communications sent through wireless network adapters that you have configured on the computer.

      So for my example, if I don't want Steam to download updates through my work's VPN then I would turn off the remote access interface on its rule. This does not change the routing, so if I have connected the VPN then Steam simply stops being able to access the Internet. This suits me fine, but if you wanted Steam to continue downloading with the local network while the VPN was active then you would have to fiddle with the routing. Unfortunately, I don't know of any way of doing this on a per-application basis. You would have to set the routing for the Steam servers by IP address.

      When the VPN disconnects, any application that was only allowed to access the remote access interface would similarly lose the ability to access the net, preventing those pesky leaks. This is not as easy as you described on Linux, as you can't change the default settings for the interface. This means you have to manually change each rule to disable the local area network interface to ensure everything has to go through the VPN. This isn't so bad, because PowerShell comes with a lot of firewall manipulation commands. I haven't needed to use them yet, but I do see interface types mentioned when I did a man *firewall* (which shows all help topics containing the name firewall). You can use this to make a bulk change and then manually set the VPN rules to allow the LAN interface.
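
The bulk change described in the comment above, written with the built-in NetSecurity cmdlets. This is an added example, not code from the original post; the VPN client path, backup path and rule names are placeholders, and the display-group filter assumes an English-language Windows install.

```powershell
#Requires -RunAsAdministrator
# Added example: restrict allowed outbound traffic to the "remote access" (VPN)
# interface type so nothing leaves over LAN/Wi-Fi when the VPN drops.
# Runs as a dry run (-WhatIf) unless -Apply is given.
param(
    # Hypothetical path: replace with your VPN client's executable.
    [string]$VpnClientPath = 'C:\Program Files\ExampleVPN\examplevpn.exe',
    # Placeholder location for the policy backup.
    [string]$BackupPath    = "$env:USERPROFILE\firewall-before-lockdown.wfw",
    [switch]$Apply
)

$dryRun = -not $Apply

# 1. Keep a restorable copy of the current policy
#    (restore with: netsh advfirewall import <file>).
if ($Apply) { netsh advfirewall export $BackupPath | Out-Null }

# 2. Block outbound by default on every profile. Without this, the allow
#    rules below restrict nothing, because unmatched traffic is permitted.
Set-NetFirewallProfile -All -DefaultOutboundAction Block -WhatIf:$dryRun

# 3. Limit every enabled outbound allow rule to the RemoteAccess interface type.
#    Core Networking is left alone so DHCP still works on the physical link.
#    That group also contains the DNS rule, so DNS lookups can still go out
#    over the LAN; tighten that rule separately if DNS leaks matter to you.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayGroup -ne 'Core Networking' } |
    Set-NetFirewallRule -InterfaceType RemoteAccess -WhatIf:$dryRun

# 4. The VPN client itself has to reach its server over the physical link,
#    so it gets explicit allow rules for wired and wireless interfaces.
foreach ($type in 'Wired', 'Wireless') {
    New-NetFirewallRule -DisplayName "VPN client out ($type)" `
        -Direction Outbound -Program $VpnClientPath -Action Allow `
        -InterfaceType $type -WhatIf:$dryRun | Out-Null
}

# 5. Report every outbound allow rule that can still use a non-VPN interface,
#    so the exceptions are visible and deliberate.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Group         = $_.DisplayGroup
            InterfaceType = ($_ | Get-NetFirewallInterfaceTypeFilter).InterfaceType
        }
    } |
    Where-Object { $_.InterfaceType -ne 'RemoteAccess' } |
    Sort-Object Rule |
    Format-Table -AutoSize
```

Run it once without `-Apply` to see which rules would change, then again with `-Apply` from an elevated prompt.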

    30. Re:Umm... just WMVs? by shutdown+-p+now · · Score: 1

      NextThingCo CHIP would be great for something like that. It's literally pocket sized, has built-in WiFi, and two interfaces at that - so one can connect to the external network, while the other one serves as an API, with the device serving as a bridge/firewall between the two. And it costs $10 (although you need to bring your own battery).

      You'd have to set this all up yourself, though.

    31. Re:Umm... just WMVs? by Burz · · Score: 1

      Running code isolated by a bare-metal VMM like Xen is much better than running it in bare-metal Linux from a security standpoint. Comparing Linux and Xen vulns, there is a stark contrast. And that is even before one subtracts DOS and vulns in superfluous Qemu components.

      So, yes, VM breakout "is a thing", but mainly on hypervisors that were designed to run on top of a complex OS and dedicated foremost to administrative convenience.

      Tails has the drawback that it's vulnerable to DMA attacks, i.e. if your NIC or USB controller is compromised, then it can do anything and even has a chance to install malware in the BIOS, drive firmware, etc. Qubes uses the IOMMU to isolate risky hardware, so this type of attack is prevented.

  2. Any DRM that phones home will do that by Crashmarik · · Score: 2

    Of course that means the FBI has to be able to host the files on the server, and has to have sufficient control to deliver a uniquely keyed file to the users they wish to target. Sort of implies you have hit a honeypot if they get you with that.

    1. Re:Any DRM that phones home will do that by Anonymous Coward · · Score: 0

      Or I could download the file and send it to you saying it's something else. Now prove you didn't use TOR to download that file and wiped TOR off your HDD when you were finished.

    2. Re:Any DRM that phones home will do that by edtice1559 · · Score: 1

      Or they can just host the file on the CP server and get a list of people who have downloaded it. That doesn't prove anything but it gives them leads in terms of people they should investigate. If I were a judge, I would consider this probable cause. An AC has pointed out a way that this could be abused by dishonest LE and I don't see a good solution for that, unfortunately. But I struggle with the idea that we object to every tool that law enforcement uses even when done judiciously.

    3. Re:Any DRM that phones home will do that by Crashmarik · · Score: 2

      I don't know that I am comfortable with that. Should everyone who bought a copy of the Anarchist's cookbook expect a higher level of surveillance ?

    4. Re:Any DRM that phones home will do that by FatdogHaiku · · Score: 1

      I don't know that I am comfortable with that. Should everyone who bought a copy of the Anarchist's cookbook expect a higher level of surveillance ?

      I don't think so...
      But if you downloaded it illegally?
      Well, it might be bad policy to short an Anarchist's royalty check...
      Oh, don't mess with the Alchemists either...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    5. Re:Any DRM that phones home will do that by LordWabbit2 · · Score: 1

      It seems to be heading that way, the general idea being why would you be downloading it in the first place if not to create explosives. Yes I know, curiosity and all that, besides the fact that there is a lot more to the cookbook than blowing stuff up.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    6. Re:Any DRM that phones home will do that by Anonymous Coward · · Score: 0

      It seems to be heading that way, the general idea being why would you be downloading it in the first place if not to create explosives.

      1. I have no intention of making explosives - because I have a good life. Still, I want to know in advance - the world could take a turn for the worse.
      2. I wanna write a thriller/crime/spy novel someday, so I need some realistic bomb/terror recipes. I don't want some random chemistry teacher saying my book is bullshit.

    7. Re: Any DRM that phones home will do that by Anonymous Coward · · Score: 0

      Another: it has a huge legacy, like 60's I think, and is a curious thing. A manual like this would have to evolve. The internet would have destroyed its relevance anyway.

    8. Re:Any DRM that phones home will do that by edtice1559 · · Score: 1

      No, because buying the Anarchist's Cookbook isn't illegal. Setting up surveillance of people who bought the book is a form of harassment. This is more the equivalent of the police busting an illegal gun dealer and then writing down the license plates of people who show up there over the next few days. It doesn't mean those people are guilty but it does give them leads on who some of the customers might be. And they will investigate whoever shows up to buy an illegal gun.

  3. Quick Workaround by gavron · · Score: 4, Interesting

    1. Determine which TOR-nodes you're talking to. (Netstat or Ethereal)
    2. Remove default route through your ISPs router
    3. Add specific routes to the /32s the TOR-nodes are on through the ISP router

    Traffic routed through TOR will work fine.
    Traffic going outside of TOR will fail except for the local network (your home or office LAN).

    E
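
The three steps above as a script for a Windows host, which is where the leak in the article occurs. This is an added example, not part of the original comment; the process name `tor` is an assumption about how the bundled Tor binary appears in the process list, and the route changes are made in the active store only, so a reboot undoes them.

```powershell
#Requires -RunAsAdministrator
# Added example: pin host routes to the relays Tor is currently using, then
# drop the default route so other traffic cannot leave the local network.
# Runs as a dry run (-WhatIf) unless -Apply is given.
param(
    [string]$TorProcessName = 'tor',   # assumption: name of the Tor process
    [switch]$Apply
)

$dryRun = -not $Apply

# Step 1: find the remote IPv4 peers the Tor process is connected to.
# Loopback entries (the local SOCKS/control ports) are not relays.
$torPids = (Get-Process -Name $TorProcessName -ErrorAction Stop).Id
$peers = Get-NetTCPConnection -State Established -OwningProcess $torPids `
            -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notlike '127.*' -and
                   $_.RemoteAddress -notlike '*:*' } |
    Select-Object -ExpandProperty RemoteAddress -Unique

if (-not $peers) {
    throw 'No established Tor relay connections found; routing table left untouched.'
}

# Remember where the default route currently points (lowest metric wins).
$default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric | Select-Object -First 1
if (-not $default) {
    throw 'No IPv4 default route present; nothing to do.'
}

# Step 3 comes first in practice: add the /32 routes before removing the
# default route, so existing Tor connections are never without a path.
foreach ($ip in $peers) {
    New-NetRoute -DestinationPrefix "$ip/32" `
        -InterfaceIndex $default.InterfaceIndex -NextHop $default.NextHop `
        -PolicyStore ActiveStore -WhatIf:$dryRun | Out-Null
}

# Step 2: remove the IPv4 default route. The IPv6 default route is a second
# way out of the machine, so it is removed as well if one exists.
Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -PolicyStore ActiveStore `
    -Confirm:$false -WhatIf:$dryRun
Remove-NetRoute -DestinationPrefix '::/0' -PolicyStore ActiveStore `
    -Confirm:$false -WhatIf:$dryRun -ErrorAction SilentlyContinue

# Show what is left: only on-link networks and the pinned relay routes
# should remain for IPv4.
Get-NetRoute -AddressFamily IPv4 |
    Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex -AutoSize
```

The pinned routes cover only the relays in use when the script runs, and a DHCP lease renewal can reinstall the default route, so the resulting routing table needs checking after either event.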

    1. Re:Quick Workaround by fluffernutter · · Score: 1

      Except you probably don't want to do this on the machine you are going to watch Netflix on while waiting for the download to complete.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:Quick Workaround by rtb61 · · Score: 1

      So watch netflix on your Android TV, whilst doing other stuff on your computer. I do this all of the time, well, not netflix, but streamed youtube et al, whilst gaming, shopping etc. and no, I do not want corporations spying on me, I do not want them to install software without my specific permission, nor do I want them to delete content without my permission. You can see it coming, the only copy of a wedding video, fresh from the camera, stored on windows and because ohh ahh copyrighted music for which the owner does not have permission is in the background, well, along comes Mr Clippy, here let me fix that for you and deletes the wedding video, gone for ever. Don't think it will happen, M$ the company that resets privacy settings, not once but over and over again, they don't care, their attitude fuck the end users, they do as they are told and this repeated again and again and again and only temporarily stops or slows down when users kick up an almighty stink and then a couple of years down track, M$ tries it on again.

      --
      Chaos - everything, everywhere, everywhen
    3. Re:Quick Workaround by AHuxley · · Score: 1

      Revert back to an OS that will not live preview your files.
      Any file could have a link that gets used on any modern OS trying to help with a search by showing a preview of that file "live" during desktop search results.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Quick Workaround by fluffernutter · · Score: 3, Funny

      You forgot

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    5. Re:Quick Workaround by a_n_d_e_r_s · · Score: 1

      Or just stop using Windows.

      --
      Just saying it like it are.
    6. Re:Quick Workaround by Anonymous Coward · · Score: 0

      For those who can't stop using Windows, you can switch to Windows 3.1.

    7. Re:Quick Workaround by AmiMoJo · · Score: 1

      Problem is Tor likes to switch nodes at least every 15 minutes.

      A better option is to route everything through a router running Tor. Nothing can avoid going through it, no matter how compromised your machine becomes nothing can bypass it to get your real IP address.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Quick Workaround by pnutjam · · Score: 1

      Bingo, all this stuff should be at the router level. I have a very nice pfsense setup, with one active NIC. Any machine using it as a gateway goes right out the VPN, no other option. Anything pointed at the regular gateway, ignores the VPN and doesn't even know it's there.

    9. Re:Quick Workaround by allo · · Score: 1

      useful workaround:

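      # allow vpnuser to reach only the local Tor SOCKS port, reject everything else
      iptables -A OUTPUT -m owner --uid-owner vpnuser -p tcp -d 127.0.0.1 --dport 9050 -j ACCEPT
      iptables -A OUTPUT -m owner --uid-owner vpnuser -j REJECT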

      and tor running as another user.

    10. Re:Quick Workaround by Anonymous Coward · · Score: 0

      Why not just change the execution permissions for IE to Deny temporarily, preventing the system from running it in the first place? When the user is done they can always put it back.

    11. Re:Quick Workaround by tepples · · Score: 1

      the only copy of a wedding video, fresh from the camera, stored on windows and because ohh ahh copyrighted music for which the owner does not have permission is in the background

      Next time try planning ahead and encouraging a policy to play only free music at weddings in your extended family.

    12. Re:Quick Workaround by Anonymous Coward · · Score: 0

      1. Determine which TOR-nodes you're talking to. (Netstat or Ethereal)
      2. Remove default route through your ISPs router
      3. Add specific routes to the /32s the TOR-nodes are on through the ISP router

      Traffic routed through TOR will work fine.
      Traffic going outside of TOR will fail except for the local network (your home or office LAN).

      E

      Yeah, then your IP will only be reported to one of the FBI's servers ... The one on which they also host a Tor exit node.

    13. Re:Quick Workaround by ZorroXXX · · Score: 1

      If you are using firewalld and want a more permanent solution, you can add the following to /etc/firewalld/direct.xml

      <?xml version="1.0" encoding="utf-8"?>
      <direct>
        <chain table="filter" chain="NONET_DENY" ipv="ipv4"/>
        <rule table="filter" chain="NONET_DENY" ipv="ipv4" priority="0">--match owner '!' --gid-owner nonet --jump RETURN</rule>
        <rule table="filter" chain="NONET_DENY" ipv="ipv4" priority="1">--destination 127.0.0.1 --jump RETURN</rule>
        <rule table="filter" chain="NONET_DENY" ipv="ipv4" priority="2">--match limit --limit 20/min --jump LOG --log-prefix 'iptables:nonet_deny ' --log-level 7</rule>
        <rule table="filter" chain="NONET_DENY" ipv="ipv4" priority="3">--jump DROP</rule>

        <rule table="filter" chain="OUTPUT_direct" ipv="ipv4" priority="0">--jump NONET_DENY</rule>
        <rule table="filter" chain="OUTPUT_direct" ipv="ipv4" priority="0">--jump SOMENET_DENY</rule>

        <chain table="filter" chain="SOMENET_DENY" ipv="ipv4"/>
        <rule table="filter" chain="SOMENET_DENY" ipv="ipv4" priority="0">--match owner '!' --gid-owner somenet --jump RETURN</rule>
        <rule table="filter" chain="SOMENET_DENY" ipv="ipv4" priority="1">--destination 127.0.0.1 --jump RETURN</rule>

        <!-- Your whitelist here -->
        <rule table="filter" chain="SOMENET_DENY" ipv="ipv4" priority="2">--destination 8.8.8.8 --protocol udp --destination-port 53 --jump RETURN</rule>
        <rule table="filter" chain="SOMENET_DENY" ipv="ipv4" priority="2">--destination  216.34.181.45 --protocol tcp --destination-port 443 --jump RETURN</rule>

        <rule table="filter" chain="SOMENET_DENY" ipv="ipv4" priority="4">--match limit --limit 20/min --jump LOG --log-prefix 'iptables:somenet_deny ' --log-level 7</rule>
        <rule table="filter" chain="SOMENET_DENY" ipv="ipv4" priority="5">--jump DROP</rule>
      </direct>

      The above assumes two groups nonet and somenet, which are given no and some net access respectively. By using groups like that it makes it simple to test programs you are suspicious of by just running them with another group, e.g.

      sg somenet "internet-explorer4linux https://slashdot.org/"

      However, differentiating on separate users might be more appropriate in other cases. You can do both.

      --
      When you are sure of something, you probably are wrong (search for "Unskilled and Unaware of It").
    14. Re:Quick Workaround by allo · · Score: 1

      For a really sophisticated solution, have a look into "ip rule", the "fwmark" option of iptables and matching cgroups.

      The advantage: What is in a cgroup stays in a cgroup. Even when a program changes user, its process and children are still in the cgroup.
      Of course, who is able to control the cgroup(s) can reassign the processes. So you may consider root putting the process in a cgroup, which it cannot escape without root privileges.

  4. I'm ok with this behavior in those use cases by Anonymous Coward · · Score: 0

    ...but see the bigger issue.

    1. Re:I'm ok with this behavior in those use cases by amiga3D · · Score: 3, Informative

      Well if you're up to no good you certainly should learn linux and also get some good info on computer security. Use one computer for fun, youtube, surfing, contacting family and friends, playing games. For anything where security is paramount you should use a hardened system. The more dire the ramifications of a breach the more hardened. Perhaps a CD based OS that is impossible to overwrite the system files. A custom built router with a good open source router OS. Keep all files encrypted on a removable micro-SD card. I'm sure if I was involved in anything like this I'd think of other things to do and avoid. Mostly I'm astounded by how careless people engaged in seriously illegal activity often are.

    2. Re:I'm ok with this behavior in those use cases by Anonymous Coward · · Score: 5, Interesting

      "First they came for the kiddy fiddlers, and no one objected..." Then a month from now, the FBI is ordered to embed these bugs in videos of services at mosques, and videos of anti-Trump protests, and videos of CNN interviews, and seed them all around the internet to build The Bigly List of Brown People and Dissenters.

      In the Bush era, I would have laughed this off as a slippery slope argument. In present times, knowing what Snowden has taught us and watching the current political climate, I don't see it as a laughing matter.

    3. Re:I'm ok with this behavior in those use cases by Anonymous Coward · · Score: 1

      If you show up on an intelligence agency radar you are well and truly fucked. None of the national intelligence services have the resources to collect or process every bit being transmitted through the hellish labyrinth other wise known as the Internet. However, they do possess an array of tools and skills to use against specific targets. The whole mass data collection proposals were basically shit canned because the information flowing through the internet is 99% bullshit regurgitated by people with an IQ of 50. Even one of the Snowden documents mentioned the mass data collection program was cancelled as being of little worth to the security agencies. The internet has morphed into a useless and rather dangerous weapon used primarily to raise the level of animosity between people all over the world.

    4. Re:I'm ok with this behavior in those use cases by Anonymous Coward · · Score: 0

      True, but remember that Snowden happened under Obama. Both sides want control. It's easy to see it with Trump because he's not really good at lying, but people like Hillary would have done it in the name of justice more quietly.

    5. Re: I'm ok with this behavior in those use cases by Anonymous Coward · · Score: 0, Insightful

      Nothing but good happened under the great and benevolent President Barack Hussein Obama, the greatest president this nation ever had, recipient of the Nobel Peace Prize and loved by Europe. Stop spreading lies or we'll track you down and kill you.

    6. Re:I'm ok with this behavior in those use cases by Anonymous Coward · · Score: 0

      you're a partisan idiot. obama did more to ruin transparency and hide corruption more than anyone else in recent memory.

    7. Re:I'm ok with this behavior in those use cases by TechnoJoe · · Score: 1

      In the Bush era, I would have laughed this off as a slippery slope argument. In present times, knowing what Snowden has taught us and watching the current political climate, I don't see it as a laughing matter.

      This summary sounds oddly specific.

      For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography

  5. Pro Tip by Anonymous Coward · · Score: 0

    If you don't know how to avoid this hack, make sure to take Computer Networking 101 or Intro to Computer Security when you are in prison.

  6. Not Tor Problems! by Anonymous Coward · · Score: 0

    Why is anybody using Tor to watch DRM-protected videos (ie. entertainment), run third-party Javascript, and do all sort of trivial shit like this??

    Look, it's a tool, and if you use it correctly, you're pretty damn safe. You can't treat it like a normal browser. If you do, you'll get bit in the ass.

    1. Re:Not Tor Problems! by jonwil · · Score: 3, Interesting

      They aren't using it to watch entertainment videos. They are going to underground web sites (child porn, drugs, weapons etc) and being tricked into viewing a video put there by law enforcement that is designed to phone home in this way.

    2. Re:Not Tor Problems! by amiga3D · · Score: 2

      I have to wonder at the ethics of law enforcement hosting illegal content.

    3. Re:Not Tor Problems! by grep+-v+'.*'+* · · Score: 1

      I was at a Novell conference a decade or so ago. (God -- has it been that long??) Laura Chappell was hosting a session, and in it said that for a while she was hosting Kitty Porn and advertising on some nefarious sites. When someone interested would fetch her pics (no videos I guess) they got pictures of Kittens in (I assume) various sexual positions -- nursing, stretching their legs, licking each other, etc. With a caption of "Your IP address has been logged and will be turned over to law enforcement."

      She remarked at the time about how many interrupted downloads she saw, but of course their IP address really had already been logged. No idea what ended up happening.

      A friend of mine also at the conference said he thought she was "Technically Hot". (RIP Tim. Say "Hi" to Jay for me.)

      ARE they hosting actual child porn (left in place from when they took over a system) or is it an innocuous file just named something funny?

      Along those same lines, a decade ago someone (but never did, or at least I never heard about it) was going to create a million MP3 files, all actually containing a content of "This Is Not A Music File!", name them all by current bands / albums / song names, and make them available for public download. The point was getting take-down notices and RIAA/MPAA claims against them when it was obvious the file contents were not infringing in the least and then objecting to the false claim of ownership.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    4. Re:Not Tor Problems! by houghi · · Score: 1

      How do you know that? For all I know they are just people who are using it to watch entertainment videos. And then they are being tricked by law enforcement. So they were innocent until the law enforcement made them guilty.

      I have seen child porn. I was not looking for it. I even had to explain myself to the police after they called my job and asked if they could speak to me concerning a child porn. Luckily I had a CEO who not only understood almost instantly what was going on, but also offered to pay for my lawyer if I would need one, because of the fuckup of the police.

      The fuckup was not only that I informed them (Oh, sorry, we did not read our email) and the provider. The provider was asked to leave the website up while the URL was already posted on several Usenet groups (this was a while ago) just so the case would be bigger for them.

      Yes, they did know who the 15 year old boy who posted the image was.

      The reason why they took it down was because I contacted the newspaper and they did an interview with me and it was public (No, not the URL).

      They tried to get me for the following offenses:
      1) Taking a false identity, because I did not use my real name and address when I made my free email account
      2) Spreading of child porn, because in a reply I did on an anti-abuse Usenet group the URL was in the reply
      3) Obstruction of the law, because I contacted the newspaper, even if I had sent them an email and they did not reply in any way.

      At one moment they left the room and I was alone and there were several floppies around I could easily take. I am still not sure if that was another attempt of entrapment or if they were that stupid. The fact that they did not know what headers were or had no idea there was a difference between a login and an email address, I assume they were just stoopid.

      So using entrapment on such a random scale is great if you want to boost your arrest numbers, but it is not really good for anything else.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re: Not Tor Problems! by Anonymous Coward · · Score: 0

      that would be called entrapment at best and probably planting evidence in reality.

    6. Re:Not Tor Problems! by slashrio · · Score: 1

      For all I know they are just people who are using it to watch entertainment videos.

      Or to just browse the web without facebook, google, nsa, etc. recording your every move.
      In other words: exercising your right to privacy.

      ...they called my job and asked if they could speak to me concerning a child porn.

      Seriously? Already at the start of their investigation they are damaging your career by mentioning to your colleagues they want to talk to you about child porn?
      That's a very malicious lack of discretion.

      --
      "Trump!!", the new Godwin.
    7. Re:Not Tor Problems! by Anonymous Coward · · Score: 0

      They are going to underground web sites (child porn, drugs, weapons etc)

      I love how the press and other folks who suck the press teat act like Tor is only ever used for nefarious purposes. NOBODY could ever need to be anonymous on the internet for valid reasons. Soon we'll all need our special genital scanner that allows us on the internet.

    8. Re:Not Tor Problems! by allo · · Score: 1

      I don't think it's illegal to download a file with a kitten. So they may log the IPs, but what do they want to sue the user for?

    9. Re:Not Tor Problems! by Anonymous Coward · · Score: 0

      They aren't using it to watch entertainment videos. They are going to underground web sites (child porn, drugs, weapons etc) and being tricked into viewing a video put there by law enforcement that is designed to phone home in this way.

      and being tricked into viewing a Rick Astley video

    10. Re:Not Tor Problems! by Anonymous Coward · · Score: 0

      That woman from the story above is hilariously retarded, I mean, REALLY REALLY FUCKING STUPID.

      So she will turn some dude in to the police because some dude downloaded pictures of what turned out to be cats, and she is expecting something to happen, legally, to those dudes.

      I'm not a sexist guy but she should have never abandoned the kitchen.

    11. Re:Not Tor Problems! by amiga3D · · Score: 1

      She wasn't actually turning them in, she was fucking with their minds. You might need to get your own stupid ass in the kitchen, bitch.

  7. Quicker workaround by rsilvergun · · Score: 1

    install Linux. Heck, in a VM if you're lazy.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Quicker workaround by Anonymous Coward · · Score: 2, Informative

      Stop using IE (physically break it).
      Stop using Windows.
      Stop using .asf .wma .wmv files. Seriously, these formats should be erased from existence!!!
      Deny all media players access to the web. Seriously, no video or music HAS to have access to the internet unless it has DRM shit. And you should NEVER buy DRMed music or videos. If you want lyrics, open your browser.

    2. Re:Quicker workaround by amiga3D · · Score: 1

      If all else fails you could try obeying the law.

    3. Re:Quicker workaround by Anonymous Coward · · Score: 0

      None of the above things says you are breaking the law.

      DRM isn't for you the consumer, it's to restrict you the buyer. Therefore don't touch DRM stuff.

    4. Re:Quicker workaround by Anonymous Coward · · Score: 0

      If all else fails you could try obeying the law.

      So it is okay to have a tracking device on your car or phone if you obey the law?

    5. Re:Quicker workaround by Burz · · Score: 2

      install Linux. Heck, in a VM if you're lazy.

      In a VM if you're smart.... https://www.qubes-os.org/

    6. Re:Quicker workaround by Anonymous Coward · · Score: 0

      A phone *is* a tracking device.

    7. Re:Quicker workaround by Anonymous Coward · · Score: 0

      Not if you use an IP phone and connect over random open wifi through a VPN. Poor man's secret phone...

    8. Re:Quicker workaround by cdrudge · · Score: 2

      If all else fails you could try obeying the law.

      From the summary:
      "target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos"

      Last I checked, merely viewing propaganda videos, product demos, or news videos is not illegal. At least not yet.

    9. Re:Quicker workaround by Anonymous Coward · · Score: 0

      Buy second hand phone from overseas.
      Buy prepaid SIM from a store without cameras using cash.

      Good luck tracking it.

    10. Re:Quicker workaround by allo · · Score: 1

      > stop using IE (physically break it)
      I am not sure you know what physically means.

    11. Re:Quicker workaround by amiga3D · · Score: 1

      well at least they can't be sent to jail then.

    12. Re:Quicker workaround by Anonymous Coward · · Score: 0

      Sure, but they'll be catalogued as committing precrime, which is illegal, just not yet. How to rectify that situation? Pass a law, but make sure that it's right before a holiday. Maybe let a few nutters prattle on about it, no one will believe them. One year later, quickly round all those guilty criminals up. Make a fuss about it on the news, and make sure they understand that viewing those types of videos is ungood for them, and they are being removed from society for the betterment of it. Bonus points if they are encouraged to mention their friends under alternative-interrogation techniques. Doubleplusgood. Total subversion of Ex Post Facto, if the local government supports that construct.

  8. It's always the pedos by Anonymous Coward · · Score: 3, Insightful

    So tired of these stories making reference to pedos. Sure they exist, but every time the govt is caught spying, the media trots out the pedophiles to justify it. Not everyone who views "questionable" content is a crook. I've read plenty of articles, and watched plenty of videos, on how to make bombs and explosives, yet have never actually made one. Nor do I ever plan to do so. Forbidden knowledge and all that.....

    1. Re:It's always the pedos by Anonymous Coward · · Score: 0, Funny

      Sounds like something a pedo would say

    2. Re: It's always the pedos by Anonymous Coward · · Score: 0

      Well, you know only pedos care about security and anon *sarcastic*. It makes for something everyone can get behind.

    3. Re:It's always the pedos by Anonymous Coward · · Score: 0

      It is sort of ironic, too, that the vast majority of pedophiles are so-called prominent, respectable members of society who are deeply connected to these pedophile rings and child traffickers.

      Intelligence agencies such as CIA, Mossad, as well as organized crime gangs such as the Italian mafia use pedophilia as a tool to compromise powerful and influential people. Operations such as the Mossad's "Lolita Island", run by pedophile Jeffrey Epstein and former republican party's sadistic pedophile Larry King's house on Embassy Row in DC are just two examples of hi-profile blackmail operations.

      Some known prominent 'guests' of Epstein include the Clintons and members of the British Royal family, among others. Larry King was reputed to have 'dirt' on many US republican party members, as well as prominent businessmen such as Peter Citron and Alan Baer.

      George Bush Sr. is reputed to be a homosexual pedophile, according to victim Paul Bonacci (although Bonacci has stated that he wasn't raped by Bush himself, but witnessed other children being abused by Bush). Bonacci does however, name several politicians and prominent individuals that he was 'passed around to' in his interview with former FBI special agent Ted Gunderson. Interview is here

      This practice has been going on for generations.

      A few examples would include Elm House, Kincora House, Dolphin Square in the UK; Pizzagate, the Franklin Cover-Up and McMartin Preschool in the USA; the Cornwall Clan in Canada; the Mark Dutroux case in Belgium; the Hollywood pedophile ring discussed by Corey Feldman and Elijah Wood; and on and on.

      Nearly every case that comes into the public domain has a botched investigation and the victims are accused of lying, threatened if they do not recant their story, and/or mysteriously die or 'commit suicide'. The abusers are portrayed as victims and are rarely ever prosecuted.

      It's time for a massive takedown...

    4. Re:It's always the pedos by Anonymous Coward · · Score: 0

      Sounds like something a synth would say....

  9. It's right there in the FAQ:Don't torrent over Tor by maggotbrain_777 · · Score: 3, Informative

    This is kind of a no-brainer since it says, right in the Tor Browser FAQ [Section B], not to torrent while using the browser:

    "Don't torrent over Tor
    Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that's how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else."


    https://www.torproject.org/download/download.html.en#warning

  10. WMP Settings by Somebody+Is+Using+My · · Score: 2

    The Windows media player - at least through Windows 7 - had an option to "download usage rights automatically when I play or sync a file". I wonder if this "attack" still takes place if this feature is not enabled.

    1. Re:WMP Settings by The-Ixian · · Score: 3, Interesting

      I was thinking the same thing. I always uncheck all those boxes when I launch WMP for the first time.

      Though really, I don't think I have launched WMP in years... why bother when you have VLC?

      VLC is associated with all of the media file types that Windows knows about, so is the DRM-laden WMV (or whatever) able to call WMP explicitly when you launch it? I don't think that is how it works. Even if it did, if you have never run WMP before, you will get the first run dialog which has the option you mention plain as day as a checkbox.

      Seems like this tracking mechanism is to catch total morons.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:WMP Settings by Anonymous Coward · · Score: 0

      I wonder if this "attack" still takes place if this feature is not enabled.


      public WindowsMediaPlayerSetupPage2Form()
      {
          InitializeComponent();
      }

      private void InitializeComponent()
      {
          this.stupidPromptLabel.Text = "Download usage rights automatically when I play or sync a file";
      }

      private void nextBtn_Click(object sender, EventArgs e)
      {
          regWrite("downloadRights", 1); /* What you thought you were actually given a choice? That's cute. */

          SAMWrite("hideNetworkActivitiesFromUser", 1); /* Make sure they don't find out. */
      }

  11. Missed something important by zugmeister · · Score: 3, Insightful

    For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography.

    Apparently it's no longer even worth noting that representatives of the US government will run a child porn site offering downloads!
    Again.
    Yes, "pretending". So a honeypot without honey. That'll get real far now won't it?

    1. Re:Missed something important by amiga3D · · Score: 1

      They're only skimming the most ignorant off the top of the cesspool.

    2. Re:Missed something important by edtice1559 · · Score: 1

      I don't necessarily support the practice but it does seem to be SOP that, when the government busts a CP site, they continue to run it for a period of time in hopes of catching the users. The honeypot will likely have honey in some cases. Well at least if one considers CP honey. I consider it poison.

    3. Re:Missed something important by Anonymous Coward · · Score: 0

      Well at least if one considers CP honey. I consider it poison.

      The obligatory virtue signalling is strong in this one. Why don't you just end every comment with "I Obey!"

      I Obey!

    4. Re:Missed something important by Anonymous Coward · · Score: 1

      I'd like to see a slashdot article on honeytraps. No, I'm not an expert at identifying and avoiding them.

    5. Re: Missed something important by Anonymous Coward · · Score: 0

      Do you have a vested interest in protecting pedophiles?

    6. Re: Missed something important by Anonymous Coward · · Score: 0

      i see nothing wrong with cp honeypots.

    7. Re: Missed something important by Opportunist · · Score: 1

      If my only choice is to side with pedos or a tyrannical government, I side with the pedos. Out of pure self interest.

      I'm way over 18. Guess which of the two is a threat to me.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Missed something important by Anonymous Coward · · Score: 0

      They're only skimming the most ignorant off the top of the cesspool.

      But that helps!
      You catch one ignorant pedo, and his PC. He has a contact list with lots of other friends because he joined a pedo sharing ring. So you bust a lot of others, and their contacts in turn. Some of which have really good security, but dumb friends.

  12. Re:It's right there in the FAQ:Don't torrent over by Anonymous Coward · · Score: 0

    But, but, but, TOR is for TORRENTS. It's right there in the NAME of the things!

  13. Ask OS makers next? by AHuxley · · Score: 3, Insightful

    Why not just get a list of all this weeks files of interest found on the net. All the files of interest created and shared over a few days.
    Give the checksums to all the big US OS brands to add to their new OS AV efforts.
    Record every IP that responds to a checksum as part of anti virus spread tracking if the user "allowed" such self reporting to the OS.
    Use the advanced and near instant indexing on most modern OS to report the file when it is opened and have the user's OS report that file on the OS brand?
    Remove and replace the checksum list for next week so it will not slow any modern computer down.
    Any advanced user could test the file in any way and find no issue.
    A new OS AV update of a few megabytes spread over a few days per week could hold how many new file checksums per week every week?
    The OS would do all the reporting on an average user who trusted the OS brand with AV.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Ask OS makers next? by Anonymous Coward · · Score: 4, Interesting

      Next? There's a high likelihood this is already happening in Windows 10. Every time you open a file, Windows 10 is sending unknown "telemetry" back to the mother ship. Those Windows Defender and Microsoft Security Essentials updates you get every day? They're hash lists. You can bet your ass those lists contain more than just virus signatures, and matches are being recorded somewhere.

  14. WMV DRM by Anonymous Coward · · Score: 0

    That's something from the last millennium ffs.

  15. Not so fast... Re:Not Tor Problems! by theshowmecanuck · · Score: 3, Informative

    Vice has an article titled "Countries that Use Tor Most Are Either Highly Repressive or Highly Liberal," that you might want to read.

    "The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network," Jardine writes.

    Bridges had the strongest association with political repression. "Moving from a country like Burkina Faso (political repression equals 8) to a country like Uzbekistan (political repression equals 14) results in an increase of around 212.58 Tor bridge users per 100,000 Internet users per year," the paper reads.

    If that were the only reason to use Tor you would be absolutely right. But my understanding is that Tor is also used (used more in fact) in countries where the governments will throw you in jail or kill you for the only reason of trying to exercise free speech. Those governments can employ the same tactics to find and jail political dissenters. And that would be a shame. It would be nice to be able to figure out the wheat from the chaff. But there are many governments that I wouldn't want making that determination, including the one being led by the latest POTUS. In fact Tor might become a necessity for free speech in the USA soon.

    --
    -- I ignore anonymous replies to my comments and postings.
  16. Tor and Windows? by Anonymous Coward · · Score: 0

    Tor and Windows?
    ha ha ha ha ha
    That is like reading the plaintext over a loudhailer while your buddy encodes the message to securely send off. Tor being the 'securely' and Windows being the 'loudhailer'.

    captcha sooth: "mental", which is what Windows users are.

  17. It's right there in your post! by Anonymous Coward · · Score: 0

    " you also slow down the entire Tor network for everyone else.""

    This right here is the ultimate reason. TOR has always been slow as fuck and they've found a handy scapegoat to blame it on. I torrent through a VPN myself, but if you must use TOR or a VPN at all, you set that shit up in your gateway so every device at the house has to go through it. Amateurs.

  18. You've convinced me! by Anonymous Coward · · Score: 1

    I'm reinstalling DOS right now.

  19. Opsec by Orgasmatron · · Score: 3, Insightful

    If you require perfect opsec all the time, you are doomed eventually.

    Also, who the hell does this? The only sane way to use TOR for something dangerous is on a machine that has never and will never be connected to the internet directly or through NAT. And that computer's only network jack should be plugged into a disposable router running a bootable live system that does all-TOR all-day.

    In other words, even if the client computer is trying to turn you in, which it is, it shouldn't know anything other than the reserved/private IP that your router gives it and the IP or onion address your browser is visiting.

    --
    See that "Preview" button?
  20. tor on windows by Anonymous Coward · · Score: 0

    is like Tor on a phone: there's too much you really don't have control of and that phones home. Also logging in to a site you access de-anons you too. DRM can be like the same thing, especially on Windows. You can clear history and the like of Flash. Look out for super cookies too.

  21. A good point by rewardian · · Score: 1

    But if you're doing anything interesting on the 'net, you should use a more secure system (I'd recommend not-Windows, but etc.) that would've indicated this attempt so articles like this aren't necessary to protect your browsing history. I've heard so many people outside the computer industry decry our attempts to tell them that the Internet, much like the real world, isn't a nice place. Well, the present is always evolving, so have faith if you will, but this is the current landscape.

  22. Hosting Illegal Child Pornography is ILLEGAL by The_Dougster · · Score: 3

    Law enforcement should not be allowed to host child porn, even if it is trapped. It is clearly entrapment. IMO this is clearly a serious breach of the laws. If the material is illegal, then law enforcement should not be allowed to present it to the public. It presents a danger to the casual web surfer that is artificially implanted. The material is illegal. Period. No honeypots should be allowed.

    --
    Clickety Click ...
    1. Re:Hosting Illegal Child Pornography is ILLEGAL by rewardian · · Score: 1

      I'm down to entertain the conspiratorial, but I assume that the U.S. federal agencies infiltrated hosts with illegal material and then protected the files in a way as to record hosts that opened the file. I'm not a lawyer, but there's probably an argument to be made dependent on whether someone creates or assumes control of this entrapping honeypot. They probably didn't take out advertising or publish original material.

    2. Re:Hosting Illegal Child Pornography is ILLEGAL by Anonymous Coward · · Score: 0

      Yes, but renaming a file to make it look like something else isn't hosting child porn.
      Don't pull your head out of your ass, you may see some porn and then I've entrapped you for telling you to do it....idiot.

  23. Use linux when you use Tor? by Nyder · · Score: 1

    I find it funny how all the work arounds listed no one suggested the best work around. Use linux, don't use windows.

    --
    Be seeing you...
    1. Re:Use linux when you use Tor? by AHuxley · · Score: 1

      Depends on a few files can be added in a long list of files in the one gets the past any software outgoing firewall as it looks like its "part" of the OS?
      Download an archive of many, many files. 10 files don't work out of many?
      One phones home on OS X, Windows, Linux when clicked on or opened or searched for and a live preview is created with spotlight?

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re: Use linux when you use Tor? by Anonymous Coward · · Score: 0

      Well, with Tor Browser it is best to go all Linux, but it is sandboxed and uses all its own stuff too, so it even uses TorDNS for resolving, and to their credit it's relatively a tight ship even on Windows.

    3. Re:Use linux when you use Tor? by ruir · · Score: 1

      Have you ever heard about systemd? Seems an excellent idea...

  24. using tor on windows, bad idea! by Gunstick · · Score: 1

    trusting your tor traffic to a closed source OS?

    what could possibly go wrong...

    --
    Atari rules... ermm... ruled.
  25. Re: It's right there in the FAQ:Don't torrent over by Anonymous Coward · · Score: 0

    No, VPNs are for illegal content torrenting. Makes a good sales pitch, but really it's about what DMCA that do not go that far relatively.

  26. investigative nature. by Anonymous Coward · · Score: 0

    This kind of thing starts with child pornography and next thing you know you can't search and look at any information they don't want you to look at. People with an investigative nature will be the first to get affected. Microsoft is facilitating indeed, it just won't be you they facilitate, but any oppressive form of power will thank Microsoft for it. As if this kind of technique is absolutely necessary to fight child pornography. Isn't any file treated this way a form of entrapment that may be very questionable, give any file the right filename to get the clickbait going....

  27. an IP address is not reliable evidence. by hideki.adam · · Score: 1

    This has the usual problem.

    It assumes an IP address can be traced to a particular user and only that user; this is not the case.

    There could be openwireless.org nodes, Tor exit nodes, proxies, malware, badly secured/open access points or god knows what else.

    The idea that an IP address is evidence of identity of the downloader has always been problematic at best.

    1. Re: an IP address is not reliable evidence. by Anonymous Coward · · Score: 0

      Govs (and sophisticated others) can trace back; Tor is an issue and why there are workarounds like JS exploits and other things..

  28. A video of the attack is available here. by Anonymous Coward · · Score: 0

    Does it contain DRM?

  29. Re: Anarchist's cookbook by slashrio · · Score: 1

    Didn't you download that over Tor??

    --
    "Trump!!", the new Godwin.
  30. Re: VM by slashrio · · Score: 1

    It's sufficient to install a tor proxy in a VM and use that as the network VM. No more leaking.

    --
    "Trump!!", the new Godwin.
  31. Re: Qubes-OS by slashrio · · Score: 1

    That's what I'm talking about. :)

    --
    "Trump!!", the new Godwin.
  32. Might be illegal, but look up entrapment by raymorris · · Score: 1

    Distributing child porn, when done by the FBI, may be illegal. I don't feel like reading the statute right now, many laws have exceptions for law enforcement in the course of their duties.

    That, however, has nothing whatsoever to do with entrapment. Entrapment is when a person with no intention of committing any crime is induced to do so by the police.

    If a person decides of their own free will to go to a child porn site and start downloading videos called "12 year old fucked.wmv" there is no entrapment. They've already decided to download and view that. Whether or not the police track the IP or anything else can't make it entrapment.

    What *would* be entrapment would be if an undercover cop pretending to be their friend said to a person:
    "You know a lot about computers and security and all that, right? You have that Thor thing or whatever? I want to download some stuff without being tracked. I'll give you $50 if you download '12 year old fucked.wmv' for me and put it on a USB drive."

    THAT would be entrapment.

  33. Re:It's right there in the FAQ:Don't torrent over by wbr1 · · Score: 1

    Ummm... for this attack it does not matter whether the media file is hosted on a torrent or any other service. It is not the act of downloading it that de-anonymizes, it is opening the file and the player dials home for a DRM check.

    --
    Silence is a state of mime.
  34. proxy by Anonymous Coward · · Score: 0

    Assuming you're not using linux...
    Assuming you're stupid enough to browse ~~a honeypot~~ CP...
    Assuming you're not paranoid enough to set 127.0.0.1 as a proxy so IE, edge, and browsers that use default Windows settings to connect out fail...
    Assuming all of that, LEOs then have to assume that you're also using your home connection and not at a neighbor's house or at a library, also that you're not using an old fashioned proxy or a vpn, or that upon popping up an IE window you--being a paranoid pervert afraid of getting sent to federal 'pound you in the ass' prison--don't simply yank and destroy your hard drive and claim ignorance...

    It's a whole lot of LEOs making assumptions.

  35. Mobsters had it mostly correct. by Anonymous Coward · · Score: 0

    Crimes are best committed in person with people you trust. Using a computer of any kind during or to prepare for a crime is just as dumb as using a telephone.

    You meet in person. You keep the groups small. You make the groups permanently smaller when trust is broken. If you can't manage that then you really have no business being a criminal.

    The mistake old mobsters made was not culling the chaff frequently enough.

  36. Re: Anarchist's cookbook by Anonymous Coward · · Score: 0

    No TOR in 1998 ! but toasted flounder fillets ...

  37. Not news... by Kjella · · Score: 1

    Malware makers have used DRM'd WMVs to launch IE to the exploit page of their choice for more than a decade, maybe two. The only media player I know dumb enough to load it by default is Microsoft's own, if you use VLC or really any other player you're safe.

    --
    Live today, because you never know what tomorrow brings
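
An added example, not part of the comment above or of the original report: a check for the ASF header objects that mark a .wmv/.wma/.asf file as DRM-protected, so the file can be flagged before any player opens it. The GUIDs and field layout follow Microsoft's published ASF specification; the function names, the sample builder and the license URL in it are constructed for illustration.

```python
import struct
import sys
import uuid

# Object GUIDs from the ASF specification (stored on disk in mixed-endian form).
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
FILE_PROPERTIES = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def read_field(buf, pos):
    """Read a 32-bit little-endian length, then that many bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + n], pos + n


def inspect_asf(data):
    """Report whether the ASF header carries DRM objects and a license URL."""
    result = {"is_asf": False, "drm": False,
              "license_url": None, "malformed": False}
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER:
        return result
    result["is_asf"] = True
    (header_size,) = struct.unpack_from("<Q", data, 16)
    if header_size > len(data):
        result["malformed"] = True  # header claims more bytes than we have
    end = min(header_size, len(data))
    pos = 30  # GUID(16) + size(8) + object count(4) + two reserved bytes
    while pos + 24 <= end:
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if guid in (CONTENT_ENCRYPTION, EXT_CONTENT_ENCRYPTION):
            result["drm"] = True  # flag even if the object is cut short
        if size < 24 or pos + size > end:
            result["malformed"] = True
            break
        if guid == CONTENT_ENCRYPTION:
            body = data[pos + 24:pos + size]
            try:
                p = 0
                for _ in range(3):  # secret data, protection type, key ID
                    _, p = read_field(body, p)
                url, _ = read_field(body, p)
                result["license_url"] = (
                    url.rstrip(b"\x00").decode("ascii", "replace"))
            except ValueError:
                result["malformed"] = True
        pos += size
    return result


def make_object(guid, body):
    """Serialize one ASF object: GUID, 64-bit total size, body."""
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_sample(license_url=None):
    """Constructed ASF header for testing; not a playable media file."""
    children = [make_object(FILE_PROPERTIES, b"\x00" * 80)]
    if license_url is not None:
        fields = [b"\x00" * 4, b"DRM\x00", b"constructed-key-id\x00",
                  license_url.encode("ascii") + b"\x00"]
        body = b"".join(struct.pack("<I", len(f)) + f for f in fields)
        children.append(make_object(CONTENT_ENCRYPTION, body))
    payload = b"".join(children)
    head = struct.pack("<QIBB", 30 + len(payload), len(children), 1, 2)
    return ASF_HEADER.bytes_le + head + payload


if __name__ == "__main__":
    # Only the first 1 MiB is read; ASF headers are normally far smaller.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_asf(fh.read(1 << 20)))
```

A file reported with `drm` set is one whose playback would trigger the license lookup discussed in this thread, so it can be quarantined or opened only on a host with no direct route to the internet.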
  38. Entrapment = coerced into committing a crime by phorm · · Score: 1

    It's not entrapment, because they're not inducing people to do something they wouldn't already do. Just like if they have a fake prostitute or drug-dealer who is actually a cop. If you walk up and ask for services, you're busted. If they don't approach you and start offering rather enthusiastically, it's not entrapment.

    Now if they start sending people with banner ads "hey come to nasty site X", running sketchy redirects from legit adult sites, etc, then THAT is entrapment. People who went to the site willingly without anything other than it being available were not entrapped.

    The moral implications of hosting a site with such filth is an issue, but again doesn't meet the standard for entrapment.

  39. Cable Modem? by Anonymous Coward · · Score: 0

    Forgive me if I don't fully understand security of computer systems, but what about the cable modem?

    Like I can use Linux or Windows on a computer that has never been on the internet before, and a virgin router or gateway or whatever with all the settings to block incoming/outgoing packets or whatever, but what about the cable modem?

    All of my efforts to VPN or mask IP or anonymize browsers, but all of these things are in the client side of the cable modem which is needed to access the internet, and which has a very unique IP address and serial number...

    Won't the cable modem sell you out anyway?

    How does this all work?

  40. VM + proxy by Anonymous Coward · · Score: 0

    - Use Tor in a VM
    - Configure all VM network traffic to go through a proxy (or Tor!)

  41. Re:It's right there in the FAQ:Don't torrent over by Anonymous Coward · · Score: 0

    Also, BitTorrent nowadays supports UDP trackers and uses UDP for its DHT network.

    Tor only supports TCP.

    CAPTCHA: pothole

  42. Use Portal, Use Tor, Use Signal by Anonymous Coward · · Score: 0

    Seriously, this only works if you don't have the Tor connection externalized at the gateway, thus the bypass. If you used Portal, then your Windows device has no choice, everything gets converted to Tor at the Portal gateway device, there is no other path.

    Portal, it's @thegrugq approved!