

Hacker builds tracking system to nab Tor pedophiles - andrewcooke
http://blogs.zdnet.com/security/?p=114

======
cousin_it
In my opinion, downloading and looking at pictures of naked children shouldn't
be a crime. Making child porn also shouldn't be a crime unless it falls under
child abuse laws. For example, animated or CGI child porn should be legal
because its production and consumption harms no one. (Currently it's illegal
and people have gone to jail for it.) We stopped imprisoning and castrating
homosexuals some time ago, but apparently people can't internalize the
too-abstract ideas of "victimless crime" and "private business". See that guy?
He's a wacko, I tell you. He loves watching movies where people _kill_ other
people with _guns_! One day he'll get a gun and attack our kids, our precious
little darlings.

And about that hacker from the article, I wonder if his system can be used to
catch copyright infringers? People who download offensive texts? People who
visit blacklisted sites, where the blacklist depends on the country? Human
inventions are beautiful that way - you never know how other people will
repurpose them. I hear the guy who invented dynamite didn't intend it to be
used for killing, either.

~~~
ErrantX
> Currently it's illegal and people have gone to jail for it

Actually it's something of a legal grey area in most places. If that's _all_
you're caught with then you could well just get a slap on the wrists - but
that's rarely the case.

I see where you're coming from with the arguments; but it's, sadly, not in any
way a victimless crime.

------
Zak
Great. He's breaking Tor.

I want to see pedophiles in jail too, but if Tor is broken for this purpose,
Tor will become useless for any purpose. Governments and others will catch on
and take advantage of the same techniques to detect whatever other activity
they happen to be interested in.

If you're a supporter of the sort of privacy Tor provides, this is a Bad
Thing.

~~~
die_sekte
> I want to see pedophiles in jail too, […]

So you're essentially pro-thought-crime persecution. I will give you the
benefit of the doubt and guess that you meant "I want to see child rapists in
jail too, […]". A pedophile does not harm children just by being a pedophile
or by being attracted to them, they only harm them when they abuse them.

I agree, however, with the rest of your post.

~~~
Zak
You have a point. I don't really like the idea of thought crimes, however, to
create child pornography, real children have to be sexually exploited.
Consuming such content encourages its production.

For what it's worth, I don't think things like child pornography that don't
involve actual children should be illegal. Stories, cartoons and photoshop
jobs don't involve any actual victims.

~~~
die_sekte
You certainly also have a point.

I think it would be nice if child pornography could be produced by computer
simulations and pedophiles thus would be able to feed their addiction without
causing harm. Being able to focus the available resources on treating actual
child abusers would be nice.

------
mahmud
Moore is headed to a massive government paycheck if he keeps it up. "Catching
pedophiles" is the best business plan; the name practically funds itself.

~~~
count
Moore is former USAF Intelligence. He already had the 'govt paycheck'.

~~~
mahmud
Officer pay != Contracting firm pay.

Every government on earth wants to tear Tor open; he stands to make it big, if
he can lie hard enough :-)

------
jxcole
We saw the same sorts of issues when freenet came about. The problem is that
if you build a purely anonymous system in an environment that is not oppressed
(like the US), mostly people look at child porn, or share photos of people
being tortured/murdered/whatever. There is little logic to going to all the
trouble to anonymize if you are doing something that is perfectly legal.

~~~
nollidge
Unjust laws, identity theft, embarrassing but perfectly legal activities...
there's plenty of logic to going anonymous.

------
codexon
I see several problems with this method.

1\. You need to run an exit node for unencrypted HTTP traffic to be able to
inject html.

2\. Tor warns you when you are potentially leaking DNS requests when you are
using an old protocol like socks4 instead of socks4a. Anyone who is using Tor
is presumably smart enough to activate this option on Firefox or whatever
browser they happen to use.

3\. The Java applet leaking DNS requests is a big hole which I believe is
fixed by now. Even if it did work, it is entirely dependent on point 2 which
is easily preventable.
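
The socks4 versus socks4a distinction in point 2, as an added example that is not part of the original comment: a parser that classifies a CONNECT request by whether the client handed the proxy a bare IP address (the name, if any, was resolved outside the proxy) or a hostname for the proxy to resolve. The function name, result keys and sample requests are constructed for illustration.

```python
import ipaddress
import struct


def classify_socks4_request(data: bytes) -> dict:
    """Parse a SOCKS4/SOCKS4a CONNECT request and report whether the
    client handed the proxy an IP address (name resolved elsewhere)."""
    if len(data) < 9 or data[0] != 4:
        raise ValueError("not a SOCKS4 request")
    _version, command, port = struct.unpack("!BBH", data[:4])
    if command != 1:
        raise ValueError("only CONNECT (0x01) is handled here")
    dst_ip = data[4:8]
    user_end = data.find(b"\x00", 8)  # USERID field is NUL-terminated
    if user_end == -1:
        raise ValueError("unterminated USERID field")

    # SOCKS4a marker: destination 0.0.0.x with x != 0; the hostname
    # follows the USERID and is resolved by the proxy, not the client.
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
        host_end = data.find(b"\x00", user_end + 1)
        if host_end <= user_end + 1:
            raise ValueError("SOCKS4a request without a hostname")
        host = data[user_end + 1:host_end].decode("ascii")
        return {"variant": "socks4a", "target": host, "port": port,
                "possible_dns_leak": False}

    # Plain SOCKS4: only an IP address reaches the proxy, so any hostname
    # lookup was done by the application itself, outside the proxy.
    return {"variant": "socks4", "target": str(ipaddress.IPv4Address(dst_ip)),
            "port": port, "possible_dns_leak": True}


# Constructed sample requests (documentation address and domain).
SOCKS4_REQ = struct.pack("!BBH", 4, 1, 80) + bytes([192, 0, 2, 10]) + b"\x00"
SOCKS4A_REQ = (struct.pack("!BBH", 4, 1, 80) + b"\x00\x00\x00\x01"
               + b"\x00" + b"example.com\x00")

if __name__ == "__main__":
    for req in (SOCKS4_REQ, SOCKS4A_REQ):
        print(classify_socks4_request(req))
```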

------
siculars
why would a tor user allow a java applet to be installed on his/her computer?

------
orblivion
Tor is being used for nefarious purposes? Who could have anticipated that?

Stuff like Tor is _made_ for purposes that at least somebody considers
nefarious. The relevance of this is that he apparently found a vulnerability.

------
zdwiel
I'm not sure if I should be glad that someone exposed a problem with tor and
that the government could be exploiting it already, or if I should be sad that
someone just showed the government how to do it.

------
lonestar
If the alleged pedophile is savvy enough to use Tor, won't he be running his
web traffic over SSL, rendering this sort of attack useless?

~~~
showerst
I'm not 100% certain of this, but I believe even SSL is vulnerable to certain
man-in-the-middle attacks when routed through a single point like tor.

For example: [http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-...](http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-doing-mitm-attacks)

A google search returns lots of results, although I'm unsure if any are 'in
the wild' exploits.

------
cx01
Note that this is an article from 2007.

~~~
andrewcooke
ugh. so it is (sorry). so what happened?

[edit: from <http://www.links.org/?p=205>

"the Tor folks have known about this attack. It’s really hard to counter. It
would be a lot more helpful for people to work on deeper browser integration
to break the attack than to distribute attack code to demonstrate that a
known, documented attack works."]

------
wendroid
<http://www.securityfocus.com/news/11447?ref=rss>

