
FBI's 'Unprecedented' Hacking Campaign Targeted Over a Thousand Computers - NN88
https://motherboard.vice.com/read/the-fbis-unprecedented-hacking-campaign-targeted-over-a-thousand-computers
======
danbmil99
OK, we shed no tears for patrons of child abuse. The issue is that once we
allow a state agency to trample the 4th amendment for an admittedly noble
cause, we open the door to these techniques being used to dragnet for
violators of any laws, just or not.

Why wouldn't the judges who signed these warrants sign similar warrants to
catch suspected terrorists? What about people who visit sites that allegedlly
support terrorism? What about sites that support illegal activity such as
Marijuana cultivation and use? Online piracy? Trading in technology that
subverts copyright protection?

Welcome to the slippery slope...

~~~
stephengillie
Speaking of slippery slopes, this "hack" probably falls under the broader
meaning of the term. They probably put some kind of Flash banner on the page,
and caught all the people with improperly-configured systems.

~~~
belorn
It was a javascript vulnerability, CVE-2013-1690. After free of a
DocumentViewerImpl object, triggered via an specially crafted web page using
onreadystatechange events and the window.stop() API, you could execute
arbitrary code.

[http://resources.infosecinstitute.com/fbi-tor-
exploit/](http://resources.infosecinstitute.com/fbi-tor-exploit/)

~~~
Buge
That was the 2013 instance. The FBI did it again in 2015 and that's what this
article is about. The article specifically says it's probably different than
the 2013 instance.

------
dexwiz
I don't really understand the outrage. This is like bank thieves protesting
the use of a dye pack. Or addicts complaing that cops sit outside their
dealers house. People's didn't stumble on to this site, they searched it out.
It sounds like the FBI infected computers that visited the site. They didnt
release malware to the world to randomly scan for illegal content.

Child pornagraphy is a particularly heinous crime is today's society. So don't
ever expect the courts to be lienent.

~~~
davorb
Correct me if I'm wrong (I'm not from the US), but I cannot for the life of me
see how it could be legal for the FBI to break into people's computers.

When you have a police force that sees itself as above the law, then you have
a _very_ big problem.

~~~
jonnybgood
> I cannot for the life of me see how it could be legal for the FBI to break
> into people's computers.

They got a warrant. It's exactly what they're suppose to do.

~~~
adventured
A warrant approach without a very narrow, extremely well defined scope,
completely destroys the original point of warrants.

From the article:

> But Fieman said that the warrant “effectively authorizes an unlimited number
> of searches, against unidentified targets, anywhere in the world.”

That blatantly isn't a warrant. It's a new form of unlimited government
surveillance and hacking. Half the comments on here are falling for the all-
too-obvious: but it's for a good cause, spin. Hey, just leave your doors
unlocked, and invite in the police to search every inch of your home and
electronics any time they like, we'll catch far more criminals that way.

~~~
jonnybgood
> That blatantly isn't a warrant.

You're telling me your opinion. I would like to know how you don't think it's
a warrant by the definition of the law.

~~~
adventured
It's not an opinion, it's backed by two centuries of vast US rulings on what a
warrant is: intentionally narrow in scope, no broader than absolutely
necessary, well defined in its purpose and target, leaving as little room for
abuse as possible. The 'warrant' granted in this example is extremely broad,
almost entirely undefined in how it's to be implemented, and allowing for the
targeting of essentially any person on earth. It's close to being the exact
opposite of what the law has defined a warrant as throughout US history.

One of the primary complaints of the founding fathers was the abuse by the
British when it came to general warrants. They specifically attempted to limit
warrants just for this very reason, so abusive agents of the government
couldn't turn them into general warrants.

The fact that this example warrant allowed for infinite targeting (ie had no
actual specific targets in mind), means that it is not a warrant by the
definition set over the prior 200 years in the US. It is an obvious general
warrant, and non-constitutional.

~~~
SCHiM
I think you are correct in your interpretation of what the US judges and
founding fathers had in mind for warrants over the course of the past 200
years. However computer networks haven't been around for 200 years, and they
do change the circumstances somewhat.

The warrant in question might have a vague list of targets, but in practise it
applies to any and all people that connect to these services. And it's not
like you can stumble upon them by googling...

~~~
dawnbreez
The issue isn't that the warrant did what it was supposed to do.

It's that you can issue such a warrant and target massive numbers of people
regardless of whether or not you specifically suspect them. The point of the
warrant system is to prevent LEOs from searching (you|your property) without
knowing what you supposedly did. The warrant issued here allows arbitrary
attacks against arbitrary targets, and that's not good, regardless of
technology.

------
api
I don't have a huge problem with this. The site was clearly only for child
porn, so signing up is equivalent to, say, willingly trying to hire a hit man
or plotting a robbery.

I actually think this is a good example of digital police work, as opposed to
utterly indiscriminate dragnets and trying to ban or backdoor crypto. This
targeted a specific criminal activity and people clearly linking themselves to
it. It was not indiscriminate.

It also shows that police work is absolutely possible in a world with crypto,
proving the anti-crypto doomsday rhetoric wrong.

~~~
Nutmog
In another story a while ago, somebody ran a fake child porn site to see who
would sign up. I think they found that some of their applicants were law
enforcement and researchers. So no, signing up isn't already committing a
crime.

~~~
api
Law enforcement officers and researchers could file for their case to be
dismissed by providing evidence of their reason for accessing the material.

This is an argument for privacy around criminal charges since even being
_charged_ with CP can ruin someone's reputation. Many civilized countries have
this. But this is a separate issue.

------
Nutmog
Why do people have so much resentment for child porn users? The only harm
they're doing is participating in a market in which other participants abuse
people. It's equivalent to hating drug users for indirectly funding murderous
Mexican drug gangs. Sure it's a bit bad, but HN commenters seem to be much
happier with drug users than child porn users.

There's also the fact that child-abuse porn is lumped in the same basket as
harmless pictures of naked children. The latter in itself it harmless - many
parents take photos of their children in the bath, etc. But somehow it
transforms from good to worse-than-bad if someone gets sexual pleasure from
it.

~~~
jacquesm
As a parent I can very much see why 'child porn users' should be on the
receiving end of some discipline. The market they create is what eventually
causes the problem, there is no way that their urges will not lead to trouble
unless they keep themselves in check (and I'm sure plenty do).

As far as the 'hating drug users' bit goes, I don't particularly like drug
users, but to me they're less of a problem than the people that make the drug
laws in the first place. Drug addicts are patients just as child porn
consumers are patients but in the case of the drug addicts there exists a
possible world where their addiction does not have to lead to murderous
Mexican drug gangs. I don't see a way in which a child porn consumer gets to
have his/her kicks without having to abuse a child and that's why for me the
two are different.

> The latter in itself it harmless - many parents take photos of their
> children in the bath, etc. But somehow it transforms from good to worse-
> than-bad if someone gets sexual pleasure from it.

This is the law being abused and it is a pity that this is the case. But when
normal people use the world child porn they are most likely not talking about
parents taking pictures of their children in the bath. If that is your view of
what child porn constitutes then I'm really happy for you. Run a site where
you can upload videos for a while and do the reviewing, then we'll have this
talk again.

~~~
Nutmog
That's a good argument about drug violence being a consequence of its
illegality as well as use, not just use.

I wonder then about viewers of violent crime. If anyone has watched an ISIS
beheading video, are they are bad as violent child porn viewers? That seems
like a closer analogy - the violence is committed for the purpose of making
videos for users to watch - and presumably further some goal of attracting
fighters or whatever.

~~~
jacquesm
Those videos are abhorrent. I would never watch one simply because there can't
possibly be any gain from it. But the one thing those IS characters probably
do not realize is that those videos serve yet another purpose: they dehumanize
IS, and in that sense they make it a lot easier to sleep well if we decide to
end that nonsense in a more drastic fashion.

After all, imagine the Nazi's taking selfies and sending multimedia out into
the world about what was happening inside the concentration camps. The war
would possibly have ended a lot sooner because quite a few people that were
still defending the regime and were claiming 'wir haben es nicht gewusst'
would have stood up to do something about it. One of those attempts might have
succeeded. It would have also served as anti-propaganda in getting other
nations to jump on board of the allies train sooner.

I see IS as a last ditch attempt at consolidation, if it fails they might as
well not have tried hence their flaunting of all the rules, nothing left to
lose.

~~~
Nutmog
You might not like them, but the average person probably doesn't have the same
resentment they have towards child porn viewers. I've seen people openly
talking about watching such videos on the internet and edited versions are
even broadcast on the news. It's not a crime and it's not demonized.

Not seeing any strong reasons, I suspect the real answer is that people feel
hate towards sexual deviants of any sort just as they always have. It used to
be gays but now they're off limits, so pedophiles are about all they have left
to hate. Maybe that combined with a bit of "think of the children!". There's
also widespread hatred toward incest but it doesn't seem so severe, perhaps
because when it's adults, only the former emotion applies, not the latter.

~~~
jacquesm
> You might not like them, but the average person probably doesn't have the
> same resentment they have towards child porn viewers.

That's quite a claim.

> I've seen people openly talking about watching such videos on the internet

Not around me.

> and edited versions are even broadcast on the news.

Again, not any news that I've seen.

We apparently inhabit completely different circles and cultures.

> It's not a crime and it's not demonized.

Posession of child pornography is a crime where I live.

Watching it is hard to criminalize since you can't prove who watched what so I
can see why that would not be a crime and should not be a crime.

> Not seeing any strong reasons, I suspect the real answer is that people feel
> hate towards sexual deviants of any sort just as they always have.

I don't see this either.

You can be a 'sexual deviant' (your words, not mine) all you want, it's fine
with me. But the line gets drawn where children get abused and that's why
possession of child pornography (and not being of a paedophillic disposition)
is a crime.

> It used to be gays but now they're off limits, so pedophiles are about all
> they have left to hate.

That's an insanely dumb line. Gays are 'off limits' because just like
pedophiles they are _people_ first. You don't get to bash gay people for their
sexuality (or your own insecurities) any more than you get to bash pedophiles.
That's not the point. The pedophiles that get bashed are the ones that act on
their urges in such a way that they endanger the people that we happen to
cherish most, our (collective) children and their behavior in such situations
makes use of the power asymmetry between adults and children (who are all but
defenseless).

In that sense the outrage is no less than if a big adult guy would rape a
slightly built woman. (Or at least, I would expect it to be no less, it
certainly wouldn't be less for me.)

> Maybe that combined with a bit of "think of the children!".

No, we just don't expect the children to stand up for themselves. They're
physically weak (in the case of child pornography there does not seem to be a
lower limit on what gets people excited, it goes all the way to newborns...),
they are small, they generally defer to the authority of the adults present
and they end up scarred for life from these ordeals.

> There's also widespread hatred toward incest but it doesn't seem so severe,
> perhaps because when it's adults, only the former emotion applies, not the
> latter.

Incest is taboo in many cultures. There are several reasons for that (most of
them good, some of them debatable) but the definition of incest is probably
not what you think it is (it can involve consent and it may involve only
adults). Incest is more about bloodlines than anything else.

~~~
Nutmog
>We apparently inhabit completely different circles and cultures.

Sorry I was unclear. I meant beheading videos. Please reread it with that in
mind.

Everything you've said about child porn is only about violent child porn and
other kinds of child abuse. I completely agree with you on that. What I'm
concerned with is harmless child porn which people still demonize too. For
example when a parent's innocent bath video gets leaked to a child porn ring.
That does't transform it from OK to bad. It makes no difference to the child.
Yet it does become illegal and people do hate the viewers of that video
despite the child not being harmed.

~~~
jacquesm
> What I'm concerned with is harmless child porn which people still demonize
> too.

The smarter people see no problem in that. The only times those should be used
under the child porn label is when they are used in collections having nothing
to do with the original people involved.

I have three kids, one older, two younger. There is _no way_ that I'd let a
picture of the younger ones without any clothes on get out of my control (the
older one is old enough to be his own master now), and I'm extremely
protective of what happens with pictures that contain them at all. My main
reason for being that careful is that the internet has a habit of destroying
data that you'd like to have but it will preserve for ever data that you'd
like to go away.

~~~
Nutmog
If it's used by someone who doesn't know the child, isn't that pretty much
harmless? The only possible harm I can imagine is that the child is somehow
identified and discovers it later in life and gets embarrassed by it. Sure
that's not nice but it's hardly the worst crime on the internet. And even then
it's surely very hard to identify young children.

~~~
jacquesm
Why would something have to be the 'worst crime on the internet' to be a crime
anyway? Just like shoplifting is a crime so is murder. Shoplifting clearly
isn't the 'worst crime' in society, but that's not a reason why we should not
put a stop to it.

I'm not sure what you're getting at with all this 'oh but childporn isn't so
bad', it's almost as if for some reason you feel this is a subject that needs
a strong defense without showing why you feel this is the case.

I'm not going to say 'rape isn't the worst crime so let's give rapists a pass'
either, absent a motive I can't find myself to side with the criminals in this
case.

Though I very much would like the law enforcement officers to stick to the
legal side of the line when it comes to pursuing these people simply because I
believe that is how the law should work. If that gets lost then we're all
complicit in the crimes done in our name and I'd prefer for society to lose
out on getting a few criminals caught if that means we get to keep the moral
high ground. That's a controversial point with some but it matters to me.

You seem to have given the subject a lot more thought than I ever would, but
then again I don't have much reasons to think really hard about what the
implications of child pornography would be. My contact with it has been
limited to passing it on to law enforcement when detected with as much
documentation as I could find on whoever was spreading it around and from that
perspective I have very little love for child pornographers no matter what the
source of their material and no matter whether or not in your were not harmed
because they can't be identified. That's a very very thin bit of ice you're
skating on because it all rests on what _you_ feel is the truth. Such a
personal perspective at odds with the law and with what society generally
believes to be normal can lead to a lot of trouble.

In other words, those people that have vast collections of nude pictures of
other peoples children will not have to count on my sympathy if they start
brandishing excuses like the ones you listed.

~~~
Nutmog
I feel it needs a strong defense because many people seem to actually treat it
as the worst crime on the internet. And more importantly, many people are
locked up and have their lives destroyed because of committing this crime. The
perpetrators are often vulnerable people themselves and nobody seems to want
to stand up for them. In some cases they're not actually harming anyone but
still get severely punished for it, both by the law and by the hostility of
most people in society. I personally feel that the severe way we treat them is
mainly because most people have a hatred for sexual deviants of any sort and
the "causing harm" is a convenient excuse to justify extreme punishments and
hostility. If that's true, then our society is no better than it was when we
treated gays that way.

------
vilda
If FBI was running the service from their premises, wasn't FBI the distributor
of child pornography?

~~~
omginternets
No, in the same way that the FBI can set up sting operations where they sell
drugs/guns/contraband to willing participants.

There are things the government can legally do which the private citizen
cannot.

~~~
throwaway8348
Only this time people are suffering and I haven't heard of any law enforcement
selling people to hunt human traffickers.

There must be moral limits or not? This is terrible!

~~~
omginternets
>selling people

You say that like it's even remotely comparable or germaine. A big fat red
herring is what this is.

Returning to the point, you may not like it, but the law says it's legal to
set up sting operations by serving child pornography. The ethics are certainly
debatable, but you have your answer as to why it's being done: CP is a
commodity, not a physical person, and that's fair game for law-enforcement in
the same way as guns, drugs and blood-diamonds are fair game.

------
moistgorilla
I'm trying to understand how this was overreaching. They legally had access to
the server that this website was hosted on, then they simply logged the real
ip addresses that visited the website once they had access to the server. By
accessing the content on the server the FBI possess aren't they voluntarily
giving up their IP. Even if it's inadvertent?

I don't see how they are unjustly violating someone's privacy in this
situation.

~~~
hollerith
>they simply logged the real ip addresses that visited the website once they
had access to the server.

Not so: one of the primary purposes of TOR is to hide the user's IP address.

~~~
bcook
IIRC, with the Freedom Hosting bust the FBI compromised the Hidden Services
server, then used a browser javascript exploit to leak the real IPs of those
who connected. So, your quoted text is very plausible.

Tor is intended to be anonymous, but not absolutely.

~~~
hollerith
We're talking past each other. The way I interpreted the text I quoted, if the
FBI needed to make use of a javascript exploit, then they're doing more than
"simply logging".

Context is important when interpreting text. The context of the quoted text
included the question of whether the judge knew, when he or she issued the
warrant, that the FBI would try to break into all the computers being used to
sign into the site.

------
throwaway8348
How can they run a child porn server? How is that legal?

~~~
omginternets
The same way they can sell you an illegal gun and arrest you. This is nothing
new and nothing shady from a judicial perspective (barring entrapment, of
course).

