FBI Dismisses Child Porn Case Rather Than Reveal Their Tor Browser Exploit

An anonymous reader writes: Federal prosecutors just dropped charges against a child pornography suspect rather than reveal the source code for their Tor exploit. Of the 200 cases they're prosecuting nationwide, this is only the second one where the FBI has asked that the case be dismissed. "Disclosure is not currently an option," federal prosecutors wrote in a court ruling Friday. The Department of Justice is still prosecuting 135 different people believed to have accessed an illegal child pornography web site. Before shutting it down, the FBI seized the site and operated it themselves for 13 more days, which allowed them to deploy malware to expose the users' real IP addresses.

Re:Deploy malware?

Tor does NOT disable Javascript by default. It ought to, but it doesn't. The last official statement was they felt nobody would use Tor if it shipped with Javascript disabled, because so much of the web depends on it.

Re:Deploy malware?

> Tor disables javascript, by default...

It absolutely does not. It has noscript by default, but you have to make that change. With javascript disabled by default, many websites simply fail to function.

Tor project seems to assume that javascript is simply vulnerable permanently, which is generally what all sane computer users should assume at this point. Their solution seems to be to put some kinda sandbox around it, which should at least give them a bit of a race to run versus attackers.

Your other assumptions are totally reasonable however- run a bunch of nodes and you can break a lot of the assumptions about tor.

Re: Which is more important?

[Pseudonym]

Bank infrastructure is typically less secure than Tor.

Re: Which is more important?

I'll counter, how many CIA agents rely on TOR? "The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online. Onion routing was further developed by DARPA in 1997."

To avoid public scrutiny

https://arstechnica.com/tech-policy/2015/04/fbi-would-rather-prosecutors-drop-cases-than-disclose-stingray-details/ April 7, 2015

The FBI actually has a policy to drop cases instead of revealing their detection (spying) methods, to avoid public scrutiny of what they're doing.

The new document, which was released Tuesday by the New York Civil Liberties Union (NYCLU) in response to its March 2015 victory in a lawsuit filed against the Erie County Sheriff’s Office (ECSO) in Northwestern New York, includes this paragraph: "In order to ensure that such wireless collection equipment/technology continues to be available for use by the law enforcement community, the equipment/technology and any information related to its functions, operation and use shall be protected from potential compromise by precluding disclosure of this information to the public in any manner including but not limited to: press releases, in court documents, during judicial hearings, or during other public forums or proceedings."

That has to do with their 'Stingray' technology, but I'm sure it applies to any kind of digital surveillance.

Besides, if they didn't drop the case the court would have probably ruled against them, like what happened in a case that slashdot mentioned last year: https://yro.slashdot.org/story/16/07/13/0411255/us-judge-throws-out-cell-phone-stingray-evidence-for-the-first-time

Re:Now we know where the moral compass is pointing

[hairyfeet]

Uhh there was one busted in Australia not too long ago who was raping, torturing, and murdering kids on a private darknet PPV. I can't remember the guy's name but they gave the "genre" a name..."hurtcore" because it was as much about causing pain and suffering as it was the rape. The article I read about the case said it was shit that made "A Serbian Film" look tame and it was all real.

I don't want to search too actively for the terms that would bring up the article for obvious reasons but I did find an article about their web admin being busted where they mention hurtcore.

Re: Which is more important?

[lucm]

A system is only a good as i.t engineers set it up to be,it can have every bell and whistle possible,but if someone does something wrong or stupid,then possibly all the bells and whistles etc are no use..

When it comes to high-end hardware, be it storage or networking, the vendor sends its own team to install and configure the device, and keeps monitoring and patching it. And guess what, that's what they do for a living and they're usually very good at it.

Horror stories can and do happen. I've seen IBM wiping out huge SAN subsystems by mistake during an upgrade, or an HP engineer tripping on a power bar and pulling out a handful of optical fibers, disrupting networks in a whole building.

What I have never seen or heard about is someone putting a misconfigured 1/2 million dollar core switch in production and nobody noticing the problem. Could it happen? Maybe. But that's not "typical".

Re:Now we know where the moral compass is pointing

[ShanghaiBill]

Uhh there was one busted in Australia not too long ago who was raping, torturing, and murdering kids on a private darknet PPV.

Peter Scully. He is accused of murdering one girl, but he didn't film it. The things he did film were horrific, but did not include any killings. So no "snuff film".