
A Warning: Do not turn in illegal files you found to the police. - ferongr
https://boards.4chan.org/g/res/38432928
======
ddinh
Here's the original post, in case the 4chan thread gets deleted:

 _A few months ago I posted here looking for help with a SD card I found while
renovating a school. It was hidden in a wall outlet, and had several files
with names on them, and obviously was a bunch of encrypted containers.

Well, I managed to brute force one of them and inside was more containers, but
a month ago I managed to open another and this time there were videos and
pictures, stuff that made me go to the cops right away.

So I turned over everything to them and told them all I knew, and that's when
the bullshit began. Right from the start the police thought I had something to
do with it. They took every device in my home that could store data, my phone,
my laptops and computers, my PS3, even all my USB drives and camera. They
questioned my family and went to my job and harassed everyone that I had any
contact with.

Right now I still haven't gotten any of my property back, and my friends and
family think I am a creep. I am writing this to give a warning to everyone
that works with IT if they end up in a situation like me. Don't go to the
authorities, don't try and do the right thing, don't say a fucking thing just
destroy what you found and move on. Trying to be a good person is just going
to fuck your life over_

~~~
ars
Doesn't sound real to me.

He brute forced two encrypted containers? Who does that for an SD card you
find?

And hidden in a wall outlet? Really? Someone just walks around carrying a
screwdriver for opening wall outlets, and hopes not to get shocked? There are
far easier places to hide things.

And cops questioning family and job contacts for this?

Sorry, but I don't believe a word of it.

~~~
kevingadd
A hidden SD card containing encrypted archives could be lots of things. It's
like a puzzle. I'm sure it made him curious. Why would you assume the contents
are illegal? I wouldn't.

To me the op is no different from people who participate in ARGs. Only in this
case, the prize at the end of the game was a ruined life.

If the police behavior sounds implausible, you haven't read any stories about
similar cases.

~~~
jamesaguilar
> To me the op is no different from people who participate in ARGs.

Except, you know, the game part of ar_G_. Real life is not a video game. If
you live as if it is, something bad is probably going to happen to you
eventually. Brute forcing something that doesn't belong to you is not just bad
form, it's stupid, and depending on what it happens to be, possibly illegal.

Does that make the police harassing him OK? Perhaps not. Is any part of this
story even true? Also perhaps not.

~~~
kevingadd
Many ARGs intentionally attempt to seem as real as possible, which is part of
the appeal. There have been examples in the past where this has caused
problems for people (the ill-fated game Majestic being one example). Contrived
cryptography/hacking puzzles also show up as hiring screens, etc.

My point is that his _mindset_ is essentially the same: He ran across an
intriguing puzzle and tried to solve it.

~~~
jamesaguilar
OK. He should solve the meta-puzzle first. "What is this likely to be, and in
what proportion of possible worlds is the outcome of knowing the answer to
that question good for me."

~~~
kevingadd
I agree. A lot of problems that afflict innocent people in our society can be
chalked up to not doing that kind of higher-level thinking - what would be a
person's possible motives for setting up this scenario? What are the potential
consequences? Am I risking my finances, health, or livelihood by getting
involved?

------
kevingadd
This mindset, along with the police behavior that motivates it, will
eventually turn the US into a mind-your-own-business country, where crimes can
happen in broad daylight and people get in trouble while passersby do nothing.
We've seen a similar culture in action in news stories from China.

The net result: cops' job gets harder, and they only have themselves to blame
for alienating the people who should be their allies. At least maximum
employment will be guaranteed for them.

~~~
asdf1234
> where crimes can happen in broad daylight and people get in trouble while
> passersby do nothing

There are plenty of places in the U.S. where this has been the case for
decades.

~~~
dsrguru
Not at all like the situation in China. In the U.S., if you're in a
neighborhood with a large organized crime presence, passers-by will often
refuse to testify, but what the parent is talking about in China today and the
U.S. in this hypothetical future is different. In China, there is a recent
history or at least public perception of victims falsely accusing good
samaritan helpers of being the perpetrators in order to sue someone, even if
they can't catch the perpetrator. The parent is saying that the U.S. could
become the same way, except with would-be good samaritans/crime reporters not
being afraid of the victims but of the police.

------
acheron
The police are not your friends. Sorry this guy had to learn that in a hard
way. (Though apparently they have not yet shot his dog [1], so I guess he's
gotten off easy so far.)

[1]
[http://www.theagitator.com/?s=puppycide](http://www.theagitator.com/?s=puppycide)

~~~
phaed
Indeed, calling the cops for any reason whatsoever will get you a good 30%
chance you will be harassed, put in jail, or killed in the process. Don't do
it.

~~~
alayne
What's the source of your 30% statistic?

~~~
trekky1700
Their own research, he called the police three times to see the response he
would get, and the third time they came to his house and found nothing amiss,
they arrested him. _jokes_

------
ivanca
Remember people, don't talk with the police:
[https://www.youtube.com/watch?v=6wXkI4t7nuc](https://www.youtube.com/watch?v=6wXkI4t7nuc)

~~~
tagabek
Let's say you get pulled over and the cop asks you how fast you were going. Do
you just not say anything?

~~~
jmcgough
Yeah. When they say "do you know why I pulled you over?" they're looking for
an admission of guilt.

~~~
lopatin
There's a conflicting opinion from a cop on Reddit. Basically he agrees that
you should shut your mouth, not let them search your car just for the heck of
it, etc ..., but when it comes to the question "Do you know why I stopped
you?", playing dumb won't do you any favors. There's a lot of other useful
info he says that are relevant to the thread.

[http://www.reddit.com/r/everymanshouldknow/comments/1rsizj/e...](http://www.reddit.com/r/everymanshouldknow/comments/1rsizj/emskr_how_to_talk_to_law_enforcement/cdqixlx?context=1)

------
sillysaurus2
Why are we so quick to believe OP's story at face value? There could be
factors which led the police to investigate; factors which OP chose not to
disclose.

There is, generally, no way to "brute force" an encrypted container containing
child pornography for the simple reason that no one who respects the gravity
of the situation would dare choose a password less than 8 characters. Even 8
a-z characters requires (26^8)/2==104.4 billion attempts to bruteforce on
average, which is high. Real passwords are likely longer.

I realize how flimsy this argument is. They could've chosen a dictionary word
as their password, which could indeed be brute forced. All I'm encouraging is
for people to _think_. Turning in evidence of child pornography is the only
way that child pornographers will be caught. Having the reaction of "don't go
to authorities" will yield a worse society. Is our attitude really to be "fuck
society, I'm looking out for myself"?

~~~
DanBC
> There is, generally, no way to "brute force" an encrypted container
> containing child pornography for the simple reason that no one who respects
> the gravity of the situation would dare choose a password less than 8
> characters. Even 8 a-z characters requires (26^8)/2 attempts to bruteforce
> on average, which is absurdly high.

That's just not true. People viewing images of child sexual abuse used to buy
access _using their credit card_ \- Pete Townsend for one. (Obviously we need
to be careful here; lots of crooks were using stolen credit cards).

Many people viewing images of child sexual abuse just aren't very good at
encryption or anonymity.

See "DeAnonymizing alt.anonymous.messages"
[http://ritter.vg/blog-deanonymizing_amm.html](http://ritter.vg/blog-deanonymizing_amm.html)

> _The slides cover the information-theoretic differences between SSL, Onion
> Routing, Mix Networks, and Shared Mailboxes. It talks about the size of the
> dataset I analyzed, and some broad percentages of the types of messages in
> it (PGP vs Non-PGP, Remailed vs Non-Remailed). Then I go into a large
> analysis of the types of PGP-encrypted messages there are. Messages
> encrypted to public keys, to passwords and passphrases, and PGP messages not
> encrypted at all!_

I strongly agree that turning in the card is the only sensible choice. It's a
scary option though.

------
pretense
It's almost like HN has no understanding of how trolling on 4chan works.

~~~
dlsx
>It's an unbelievable story.

Keep telling yourself that.

------
asdfs
Here's an archive link, as that thread will presumably 404 pretty quickly:
[http://rbt.asia/g/thread/S38432928](http://rbt.asia/g/thread/S38432928)

------
pmiller2
The first thing this person should have done if he/she wanted to actually help
the victims was go to his/her own lawyer for advice. Barring that, the advice
in the 4chan thread to destroy it is probably best for him (sadly).

~~~
prawn
He could've tried to deliver it anonymously? I wonder if touching it (and
potentially leaving DNA) was risky?

------
ScottBurson
This tale is all too believable. I wish I lived in a world where the police
had the common sense to ask themselves, Why would the person who collected
this material bring it to us? It makes no sense whatsoever that he would.

Anyway, independent of the truth of the anecdote, the advice seems sound. Why
risk it?

~~~
ars
> Why risk it?

Because depending on exactly what is on that card there may be a child in real
pain?

Maybe it's old photos, but if it's recent stuff you can actually help someone.

~~~
phaed
Chance of you being jailed for it: above average. Chance that anyone will be
helped by you turning it in: far below average. Take your chances, if you
dare.

Doing anything to cover yourself, such as sending it to the cops through the
mail anonymously will further raise the chances that the cops will try to pin
it on you.

------
badalyan
Not that I don't believe it could be true, but are we really supposed to trust
a 4chan post?

~~~
pmiller2
It doesn't much matter if it's really true or not. The real question is
whether it's plausible or not. And, it is.

~~~
joshmaker
> It doesn't much matter if it's really true or not. The real question is
> whether it's plausible or not.

Good lord, is that really the standard we want to use for any news source (even
social news aggregation, such as Hacker News)? I may be lying but I'm lying
well so that's basically as good as the truth?

~~~
hackinthebochs
Whether or not this story actually happened is irrelevant as there's nothing
any of us can do to help the situation. It is however useful as a jumping off
point for discussion and to come to a consensus about what we should do in a
similar scenario.

~~~
joshmaker
If we say facts are irrelevant and we're just going to go with our "gut" or
our initial opinion, then what's the point of having a discussion?

~~~
hackinthebochs
Facts about this particular incident are irrelevant to a generalized
discussion about police power and how we as people should respond to an
irrational and/or overzealous police force. It is entirely uninteresting to
discuss particular facts of an isolated incident; the real discussion comes
from a generalization of the issues involved. For the purpose of initiating
discussion, all that matters is that the scenario described is _plausible_. Of
course it's more than plausible, similar scenarios have played out before where
well-intentioned reports ended up getting investigated themselves. Discussing
the pros vs cons of such a scenario does not require that the initial jumping
off point be provably true.

------
gexla
I would think that if you were to find something that you really think needs
to be investigated, then it would be best to send it to experts on the subject
rather than people who have no idea how to deal with it. The experts would
have the training, funding and experience to properly deal with this. This
would be especially critical if the material required fast action.

ETA:

It seems to me that if someone were to bring in this material, then
investigating the "messenger" would be a waste of time. The information you
need is largely in the images.

I imagine the first priority (other than decryption) would be to run the
images against a national database. If there are images which aren't in the
database, then you have new victims which may need immediate help. Then
investigate the images for anything which would put a time and a place on the
images. Investigating the person who turns these in seems like it would be
quite a ways down the list.

------
robryan
What possible motive would he have to turn it in if he had anything to do with
it?

------
leap
Please do not post anything ever again from 4chan. Most posts there are
nothing but lunatic and juvenile.

~~~
samweinberg
I agree with you, but not for those reasons. 4chan threads expire. It's best
to link to a backup or screenshot.

------
drakaal
Been there. Done that.

[http://www.dslreports.com/shownews/25000](http://www.dslreports.com/shownews/25000)

------
delucain
What really amazes me is how many people on that thread were asking for a
copy.

~~~
babby
>Same reason most of us are here on 4chan, just morbid curiosity.

------
kayoone
The big question to me is why in the world would someone producing that kind
of material hide it in a public place like that?

I also can't believe so many 4chan retards suggest he should have just burnt it
and go on with his life. There might still be kids suffering at the moment or
in the future in relation to this, so how can one possibly ignore it? That
feeling of not having at least tried something to help would haunt me.

~~~
dlsx
I think you are missing the point. Which is that there is _risk_ involved in a
situation where not only should there be no risk, but this guy should be
praised for his honesty.

The justice system, and the police bureaucracy is working against its
citizens. Something it was designed against from its inception, so the only
fucking reason things are the way they are is corruption and greed. Maybe a
privatized prison industry isn't a good idea. Maybe, the bureaucracy is the
problem, and that is the issue you should be concerned with.

------
OnionChamp
People are saying it's doubtful that he'd be able to brute-force two encrypted
containers, but it's not. Most people use bad passphrases, because most
password advice is terrible ("use a line from a poem but change some letters
to numbers"), and because entropy is actually a pretty difficult concept to
understand and explain.

------
chasing
Let me tell you a similar story:

So this one time there was this one guy who was just, like, totally minding
his own business and the police just _arrested_ him. Therefore the United
States is a police state and you should never ever talk with cops for any
reason whatsoever.

~~~
jzwinck
It happened to me:
[http://gothamist.com/2011/08/08/video_hikers_arrested_for_no...](http://gothamist.com/2011/08/08/video_hikers_arrested_for_not_showi.php)

~~~
incompatible
I take it that it's a de facto requirement that you always need to carry ID in
the US?

~~~
fiatmoney
There's no requirement to carry one, but in many states you must produce it if
you are carrying it, and of course you need one to drive. If you're being
cited for something, even something that doesn't typically come with jail time
like say jaywalking, lack of ID usually translates into being arrested so they
can "ascertain your identity".

Hiibel is the main precedent here.

[http://en.wikipedia.org/wiki/Hiibel_v._Sixth_Judicial_Distri...](http://en.wikipedia.org/wiki/Hiibel_v._Sixth_Judicial_District_Court_of_Nevada)

------
KyeRussell
mirror:
[https://archive.installgentoo.net/g/thread/38432928](https://archive.installgentoo.net/g/thread/38432928)

------
AmVess
This is very possible. However, you can do both the right thing as well as
protecting yourself by providing the evidence to the police in an anonymous
fashion.

~~~
ihsw
Half of the evidence is the location of the SD card, and concealing your
presence in that location would be extremely difficult.

------
lopatin
Question, kind of relevant to the topic of talking to police: I heard that a
cop can only search your car if there is a crime being committed. Say you
admit to speeding. Then you admitted to police that you committed a crime.
Does that mean that the cop can search your car now?

------
kevinchen
Original link is broken now and neither Google nor the Internet Archive have
caches. Anyone happen to have a copy?

------
john2x
Would going to a local newspaper help in this situation?

------
mdisraeli
As the poster on 4chan concludes, you may not want to speak to the police
about such things. However, not doing so could potentially result in
accusations of knowing but not reporting a crime, or worse - destruction of
evidence. I suspect there's no winning here, sadly :(

What follows is my initial thoughts off the top of my head as to how I might
attempt to mitigate any accusations. This is not legal advice.

Firstly, if it looks to have been deliberately concealed, contact your
building's security and/or the police (non-emergency). Don't touch it yourself
at all. I cannot stress this enough. When contacting the police, ask them for
instructions on what you should do, and get a name. If you can't stay at the
scene until someone arrives, just tell them as much. You should be given a
reference number and can update them if you need to be relieved by someone.

Odds are, an unknown concealed item that is not likely to be an explosive or
drugs is probably of little interest to your typical cop, and (sadly?) they
will never get around to looking at it.

There might be some legitimate reasons to investigate further, for example
with respect to an organisation's security. If you are in a large
organisation, escalate the matter upwards and touch nothing, no matter how
tempting. For many good reasons, security/fraud investigations often are on a
strict need-to-know basis. Get the appropriate person to contact the police
and take their guidance.

Let's assume for the purpose of this post that you are the right person, and
there is no existing investigation which this may relate to. Your natural
curiosity should be ignored, however, unless you have a genuine concern of
data exfiltration or other potentially malicious activities.

But who am I kidding, of course you do, most organisations do! Now you need to
make sure you can preserve as much evidence as possible, perform a detailed
investigation, but all the time protect yourself from both legal and technical
risks. What follows assumes high risk. Do your own judgement on the risks
involved and if the steps below mitigate them adequately (they are probably
over the top, this is not a bad thing). Assume that before and after each of
these there is a "Listen to the police and/or your legal team".

1\. Photograph in situ first, ideally with some means to date the photograph.
If possible, get a second person involved. If the area is covered by CCTV, get
the footage pulled for cross-referencing. Photographs are useful for the
higher resolution details.

1a. Record everything on video.

2\. Speaking of CCTV, you'll want to get someone to look at the tapes. This is
left as an exercise for the reader, especially the bit about making it not
soul-destroying manual observation. This point also covers all the non-
technical but essential things like "who had access to this area", "do we
stock that type of device", etc. Never forget that the old-fashioned non-
technical questions can often give the best answers.

2\. Use gloves and carefully remove the device. Take note of the environment
it was in, with special interest for clues as to how long it has been there.
Examine briefly for any markings. Place immediately into clear plastic bag,
marking it with a description of the contents and ideally adding tamper seals.
Clear plastic bag means you can verify the device hasn't changed. When not
performing investigatory work, the bag should be locked in a dedicated place
for evidential material.

3\. Establish an air-gapped secure system to perform analysis on. Assume that
malware will be present and that you will want to be able to detect and
analyse it. Ideally have an investigations laboratory to add physical controls
around the air-gap.

4\. Establish a log book. Record the date, time, action taken, and tamper seal
codes before and after. There will be more things you will wish to record, of
course - this is only a rough guide.

5\. Acquire a write-block device. These are utterly essential for any form of
forensic investigation, and typically block at (what courts consider to be)
hardware-level any modification to the device.

6\. Attach the device to your air-gapped system using the write-blocker. At
this point, the air-gapped system is dirty and will need to be forensically
wiped/destroyed once you are finished.

7\. Using Encase, similar forensic tools, or failing that GNU dd_rescue, image
the device. Never, ever, work off the original device. The police and/or
auditors may want to take their own copy, this is normal.

8\. With respect to the log book, treat this image like the original device.
This log book is what you use to back up "I was performing a security
investigation". This includes any automated testing or password cracking you
attempt.

9\. If your organisation handles classified information, it goes without
saying that identifying if any is present is your top priority - no matter
what the implications that then has.

10\. Limit who gets to actually view the data on the device to an absolute
minimum. You don't know what's there, it could be personal HR information or
finances, or that hush-hush restructuring project. The fewer eyes the better.
Ideally this should be someone trained in forensic examination and with a high
enough clearance to view any potential contents.

11\. Know when to give up. Seriously, you could spend years diving into the
contents of a 64GB device, and never actually get anything useful.

12\. Ask a legal person about how long to retain the device for once you've
finished.

13\. Assuming you have identified that the contents need further examination,
look into eDiscovery tools like Symantec Clearwell, and visualisation tools
like the excellent Gephi. Perform technical wizardry rather than wading
through a hundred thousand files manually. You're reading hacker news,
remember! ;)

14\. Assuming that the police have been involved, update them. However if it
really is an unknown item and there is otherwise little that is suspicious,
they probably won't be that interested and/or will close the call silently.

Apparently I Am Not A Lawyer, And I Repeatedly Assert This Fact. I work in IT
Security, and have been involved in quite a few investigations of varying
types. Due to their nature, we knew the source of the data on most occasions,
so many of the above steps were unnecessary. I'd rather suggest too many
protective controls than too few - safer if I know I'm not a lawyer!
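
Steps 4, 7 and 8 of the procedure above, sketched as an added example (not part of the comment, and not the behaviour of any tool it names): image a source while hashing it, verify the copy, and record each action in a hash-chained log book. The function names, log fields, seal codes and the file standing in for the device are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks
GENESIS = "0" * 64   # "previous hash" used by the first log entry


def sha256_file(path):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Copy source to image_path, hashing the bytes as they are read,
    then re-read the image and confirm it matches."""
    h = hashlib.sha256()
    # "rb" does not replace a hardware write blocker; "xb" never overwrites.
    with open(source, "rb") as src, open(image_path, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    digest = h.hexdigest()
    if sha256_file(image_path) != digest:
        raise OSError("image differs from the bytes read from the source")
    os.chmod(image_path, 0o444)  # analysis works on copies of this file
    return digest


def append_log_entry(log_path, action, examiner, seals, sha256=None):
    """Append one log-book line. Each entry stores the hash of the previous
    line, so editing or removing an earlier entry breaks the chain."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "action": action,
             "examiner": examiner, "seal_before": seals[0],
             "seal_after": seals[1], "sha256": sha256, "prev_entry_sha256": prev}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path):
    """Return True if every entry's back-reference matches the line before."""
    prev = GENESIS
    with open(log_path, "rb") as f:
        for raw in f.read().splitlines():
            if json.loads(raw)["prev_entry_sha256"] != prev:
                return False
            prev = hashlib.sha256(raw).hexdigest()
    return True


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in device
        dev, log = os.path.join(d, "device.bin"), os.path.join(d, "log.jsonl")
        with open(dev, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        digest = acquire_image(dev, os.path.join(d, "evidence.img"))
        append_log_entry(log, "imaged", "examiner-1", ("SEAL-1", "SEAL-2"), digest)
        print(digest, verify_log(log))
```

The chain only exposes changes to entries that have a successor, so the hash of the latest line should also be written somewhere the log file's editor cannot reach, such as the paper log kept with the seal codes.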

------
amerika_blog
Robert Putnam concluded that the less a society has in common in terms of
background, culture, heritage and values, the more alienated it becomes:

[http://boston.com/news/globe/ideas/articles/2007/08/05/the_d...](http://boston.com/news/globe/ideas/articles/2007/08/05/the_downside_of_diversity/)

Soon we're going to be a society where no one trusts anyone else, and thus it
will be better to ignore the CP flowing around instead of getting involved.
Reminds me of the mentality they have in third world countries about the local
gangster warlords. Hear nothing, see nothing, say nothing.

