
Running a Dark Web pedophile honeypot - nkurz
http://geekslop.com/2015/catching-pedophiles-running-secret-dark-web-tor-honeypot
======
sarahj
Some of the technical points of this article are simply wrong...

> The exit node IP address of the user was easily obtained using the two
> different methods discussed briefly above.

This is really not a vulnerability but simply how tor, and the internet at
large, works - hidden services by design protect the _service_ not the user
(the user is protected by tor by default) - what the author actually did here
was "leak" their non-hidden service's IP.

> and true external IP address (see partial data example to the above). And to
> answer the second question, “no”, this did not involve the placement of
> malicious malware. Read on…

The author then goes on to state that they gave the users malicious malware to
run which revealed their ip address. They justify that this was not malware by
stating:

> It should be noted that this was _not_ malware per se. It did not replicate
> and was run voluntarily by the user. The user was notified that a “security
> scan” was going to be run on their machine and they freely chose to run the
> scan.

The author then goes on to publish a list of tor exit nodes with tor user
agents...which they could have gotten directly from the tor directory
services...

And, as pointed out by others, the author never really goes on to state why
they think Tor is the devil - they built a honeypot and were disgusted by the
flies it attracted....I'm not really sure what they were expecting...

~~~
jrcii
The author appears to believe that "Tor is the devil" because "4,000-5,000
hidden services are running at any given time. Secondly, the content served by
these sites is almost universally illegal or immoral (by my definition
anyway). A conservative estimate would be maybe 1 out of 200 or so hidden
service websites contain content I would deem worthy of the protection an
anonymous network provides. Sites featuring free speech dumps or libraries of
hard-to-find underground literature are few and far between on the Dark Web."

~~~
mahouse
Are knives the devil, because knives can be used to kill people?

~~~
Gankro
Their argument doesn't appear to be "Tor is bad because it can be used for bad
stuff" but "Tor is bad because it is _overwhelmingly_ used for bad stuff
_today_". That seems to be a meaningful distinction to me.

(I don't really care about the argument/premise itself, I just find your
sloppy attempt at a counter-argument to be weak)

~~~
narrator
Since we're talking about the devil: The biblical standard for acceptable
collateral damage is kind of interesting. God in the old testament said he
wouldn't smite a city if there are at least 10 righteous people in it.
/theologynerd

[http://biblia.com/bible/nkjv/Gen%2018.20%E2%80%9333](http://biblia.com/bible/nkjv/Gen%2018.20%E2%80%9333)

~~~
hackuser
There's a much different notion of God in that passage (and much of the Old
Testament) than most have now. The number 10 is arrived at after Abraham
persuades God to lower the standard from 50. There are at least a few stories
where mortals persuade God to change his/her mind.

------
ThomPete
Maybe it's just me but I don't really like the tendency to treat pedophiles as
if they are the devils themselves.

Let there be no doubt. I have two kids and there is probably no limit to what
I would do to someone who did anything to my kids. But it's not as simple as
just condemning pedophiles for being that and I ultimately think there is
something morally or ethically questionable about this approach.

It's fairly well established that many pedophiles were in fact victims of
pedophilia in their childhood themselves and so I would like to see a less
hysteric and more balanced response to the issue.

Just because he is helping catch the bad guys does not give him the moral
upper hand as he seems to think he has. Too bad such a complex issue gets
treated with such brushing generalizations.

Maybe I am reading too much into what he writes, but these honeypots to hit
random people just feels wrong to me. Like snooping on someone else's life.

~~~
forrestthewoods
The war on drugs didn't work out as intended. The war on pedophilia seems much
safer.

Except of course for teenage sexting. Where the legal system has ruined lives
for no reason. Or the weird edge cases it introduces. Such as a theoretical
case where someone wearing Go Pro comes across a pedophile actively abusing a
child out in the wild. The good samaritan Go Pro wearer is now guilty of both
production and possession of child pornography. The laws do not leave any
room.

Oh well!

~~~
Systemist
That you can read the law such that your hypothetical Go Pro wearer is guilty
of those things, doesn't mean that prosecutors would ever bring such a case.
Laws are drawn more broadly than they're enforced, and even an overzealous
prosecutor has to get through a judge and jury.

~~~
digler999
> even an overzealous prosecutor has to get through a judge and jury.

No, what they do is threaten you with some hypothetical 30 year term if they
_were_ to charge you with all the broad interpretations of the law. This fear
of hard time is then used as a carrot to get you to plead guilty to lesser
charges that you may not have even done.

They get around the "judges" by the minimum sentencing laws: "sorry, my hands
are tied, I _have_ to lock you up for ____ years because I _have_ to follow
federal sentencing guidelines."

Furthermore, there is a huge incentive to prosecute "sex crimes" because
that's a gold star for the prosecutor/judge. At the end of the year, or at
election time they can say "We locked up N sex offenders this year for a
combined total of X years".

------
zxcvcxz
"pedophiles use encryption, so encryption is the devil." seems to be where
this is going. That's a slippery slope and a bit unethical to use pedophiles
to push an authoritarian political agenda. I bet it's fun to call all his
critics pedophile sympathizers and sit upon a moral high-horse of
self-righteousness while pushing his authoritarian ideology under the guise of
social justice. That's the thing about these people, they take on social
issues for which they can't be criticized without the criticizer looking like
a pedophile, racist, or a misogynist. I guess it gives them a sense of power.

~~~
craigmccaskill
Sadly this is where the UK government seems to be going [1]. They want all
encryption to have a backdoor or be outlawed.

[1] [http://www.businessinsider.com/david-cameron-encryption-back-doors-iphone-whatsapp-2015-7?r=UK](http://www.businessinsider.com/david-cameron-encryption-back-doors-iphone-whatsapp-2015-7?r=UK)

~~~
juliangregorian
How do governments come up with this stuff? Don't they have state secrets to
keep?

------
imrehg
Is it just me, or the rhetorical question in the title ("why I now think Tor
is the devil") never got answered?

Also not clear whether the Dark Web spider project was just to later seed the
honeypot sites to appear legit, or was it a project on its own? The quote "The
reports are published nightly on a hacker-related Dark Web site that I am
involved with" hints at the latter, and then I'd double don't understand why
Tor would be the devil, if for other uses (hackers) the author is happy to
take advantage of it?

I'm a bit confused about what good does it do to reveal the exit node
addresses? It has nothing to do with the actual Tor user, and could be even
considered "public info" the way Tor is used, doesn't it?

~~~
nightpool
Yeah this is clearly by someone who doesn't really understand how Tor works.
Revealing exit node IP addresses is completely useless—this is a fundamental
tenet of Tor's security. In fact, I believe that at any given time you can
easily query the network for a list of all Tor exit nodes.

I think the "why I now think Tor is the devil" question is answered in the
opening—because it has illegal/immoral stuff on it. I'm not sure why anyone
would be surprised about this though...

EDIT: In fact, I don't think that the security scanner was even that
effective: "around 5-10% of the registered users chose to run the scanner"
(later, he changes this to 4-7%) and that "some of the users who opted to run
the software appeared to be government or private researchers". I don't know
what percentage of people using Tor for illegal activity would be incautious
enough to run some random program on their computer, but I would be surprised
if it was very high.

~~~
geek_slop
It was 4-7%. I pre-wrote the article estimating the final numbers and then
shut down the site two days early. Traffic dropped suddenly leading me to
believe something was up.

The exit node IP is not totally useless. It's enough to prompt a knock on your
door by the authorities. Granted, once they recognize you're running an exit
node there's nothing they can do (otherwise Charter could also be held liable)
but still, it can prompt an action by the authorities.

My guess that some were researchers: at least one came from a university
IP address while others were very bare-bone machines with minimal running
services, possibly virtual machines or test boxes.

~~~
aftbit
Here you go, all Tor exit nodes:
[https://check.torproject.org/exit-addresses](https://check.torproject.org/exit-addresses)

The Tor project does a lot of work to make operating an exit node safer and
less likely to prompt the authorities to intervene. This is good, because even
if the authorities did want to talk to exit node providers, those people
_couldn't_ provide any useful logs.
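
Added example, not part of the thread or the linked article: a parser for the record layout used by the exit list linked above (`ExitNode` / `Published` / `LastStatus` / `ExitAddress`), used to label addresses from a server log. It shows why a logged exit address identifies a public relay rather than a visitor; the fingerprints, addresses and log entries are constructed sample data, and `parse_exit_list` and `classify` are hypothetical helper names.

```python
import ipaddress
from datetime import datetime

FP_A = "A" * 40  # constructed relay fingerprints, not real relays
FP_B = "B" * 40

# Constructed sample in the exit-list record format. One relay may list
# several ExitAddress lines; the last line is deliberately malformed.
SAMPLE_EXIT_LIST = f"""\
ExitNode {FP_A}
Published 2015-08-10 03:13:27
LastStatus 2015-08-10 04:03:06
ExitAddress 192.0.2.10 2015-08-10 04:04:50
ExitNode {FP_B}
Published 2015-08-10 01:00:00
LastStatus 2015-08-10 02:00:00
ExitAddress 198.51.100.7 2015-08-10 02:05:11
ExitAddress 198.51.100.8 2015-08-10 02:05:40
ExitAddress not-an-ip 2015-08-10 02:06:00
"""


def parse_exit_list(text):
    """Return {ip_address: [(relay_fingerprint, last_tested_datetime), ...]}."""
    exits = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode" and len(parts) == 2:
            # Start of a new relay record.
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and len(parts) == 4 and fingerprint:
            try:
                ip = ipaddress.ip_address(parts[1])
                seen = datetime.strptime(f"{parts[2]} {parts[3]}",
                                         "%Y-%m-%d %H:%M:%S")
            except ValueError:
                continue  # skip malformed address or timestamp
            exits.setdefault(ip, []).append((fingerprint, seen))
    return exits


def classify(log_ips, exits):
    """Label each logged source address against the parsed exit list."""
    labels = {}
    for raw in log_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            labels[raw] = "invalid"
            continue
        # A match means the request came out of a publicly listed relay;
        # it says nothing about who was behind the circuit.
        labels[raw] = "tor-exit" if ip in exits else "not-listed"
    return labels


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    # Constructed log sources: two exits, one unlisted address, one bad field.
    logged = ["192.0.2.10", "203.0.113.5", "198.51.100.8", "garbage"]
    for ip, label in classify(logged, exits).items():
        print(f"{ip:15} {label}")
```
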

~~~
gizmo686
Although they could be made to run a packet sniffer, which could provide
useful information.

~~~
utuxia
But the traffic between nodes is encrypted. All they may get is the previous
node's IP address....then they have to start over. Go find that node operator
and get them to do the same.

------
dvt
It seems like the author is emotionally invested in this topic:

> Given my circumstances, I have seen first-hand, the psychological damage a
> pedophile’s actions cause. The damage done to these children is permanent
> and no matter how much counseling and assistance they seek – the experience
> is forever embedded into their self, shaping (and sometimes limiting) what
> they become as adults.

I can't pretend like I really _get_ this because I've never dealt with
pedophiles or pedophilia first-hand but I can agree, however, that people that
hurt children are doing something morally wrong. With that said, this kind of
vigilante-esque behavior can be (and often times is) the absolute antithesis
of justice.

> On two different occasions I contacted the FBI about the project and offered
> to provide full sets of data that I had collected.

Since OP tried to approach the FBI on two different occasions, it doesn't
really seem to me like this was merely an innocuous "security" experiment
(like this one:
[http://www.tomsguide.com/us/spoiled-onions-tor-network,news-18237.html](http://www.tomsguide.com/us/spoiled-onions-tor-network,news-18237.html)).
It seems like OP really feels a deep hatred towards
pedophiles and was, in a sense, out to get them.

Thankfully, we have the justice system that handles this for us. These are
people that try to be impartial, fair, and just. When accused, we have the
court system -- a system that values innocence until proven guilt. I hope I
won't be taken out of context here. I'm not defending pedophilia (or drug
trafficking or murder -- a few other Tor commodities). Do you really feel
compelled to "get the bad guys?" Great. Go to a police academy or go to law
school. Real life isn't like a superhero graphic novel. The law, for the most
part, works. More importantly, it provides some boundaries for those that
enforce it.

I had to read Mill's On Liberty in a Philosophy of Law class I took a few
years ago and Chapter IV, _Of the Limits to the Authority of Society over the
Individual_ , really stuck with me. I would strongly suggest OP give it a good
read:
[http://www.bartleby.com/130/4.html](http://www.bartleby.com/130/4.html).

~~~
mikekchar
I couldn't really finish reading the article. I hope the original author will
realize that hanging on to his anger will only perpetuate the crimes committed
against his daughter. His characterisation of permanent damage done to his
daughter makes me wonder if she will ever be able to escape the trauma _in his
eyes_. Will he be able to provide a safe place for her to go where people know
about her past but care only about her present? If _he_ thinks of her as
having limited potential for the future, how will she escape that past? She
needs a father, not an avenger.

It's amazing the damage people can do chasing justice.

~~~
PhasmaFelis
So your argument is that, because this guy says that child rape does permanent
damage, you can tell that his parenting probably hurts his daughter more than
being repeatedly raped did?

~~~
turkeysandwich
His parenting isn't worse than her abuse, obviously.

But he should still chill the fuck out. Yes, bad things happen. But no, you're
not permanently broken. You can grow up and have a normal life.

~~~
geek_slop
Disagree - in many cases they are permanently impacted, even if they are not
aware of it. Who we are is a product of our life experiences and a child,
especially one that is molested repeatedly during extended periods of their
youth, is permanently changed. They form an especially deep distrust of
adults and may lose the ability to utilize all the subtle clues we all
incorporate when forming an opinion of a person.

------
athenot
As a father of a little girl, this is a depressing read for me. Yes in the
back of my mind I know this stuff is going on but it's really sad seeing the
collection of data showing people who are partaking in this stuff.

Also this gave me a nasty flashback of looking at filenames (never content) of
deleted files in the process of gathering evidence against a family member who
now sits on the registered sex offender list...

~~~
johnnycarcin
Tell me about it. Awhile back as a reason to learn some new things I set up a
Tor hidden service/page crawler and a basic search engine. For troubleshooting
purposes (and to see how popular the site was) I was logging what was being
searched for. After about two weeks of having the site up I shut it down
because 90% of the searches were for child porn. As a Tor supporter it was
kind of eye opening. I guess though if you had the logs for Google you might
see something similar...

~~~
belorn
I suspect this is where the myth of 99% of the Internet is made out of porn
comes from. It is very easy to get misleading statistics, especially if you
have small sample size or where a minority of users are creating the majority
of the collected data points.

Add to this the amount of bots out there, and "false" data generated by
police, federal investigators and interest groups doing the very thing people
pay them to do, and you would really have to design the data collecting system
in such a way that it identified who is doing the searching and what their
usage patterns are.

For example, if they return every hour on the hour, such a result would likely
be made by a bot, or if every search is extremely specific, it could very
likely be an investigator doing work in a specific case. If I did this kind of
research, I would contact professional investigators in order to work together
and to collect search patterns so as to exclude that kind of traffic.

------
api
An interesting point I heard here I think, long ago...

The fact that tor is full of stuff like kidporn is actually a positive
commentary on our society. It means that almost everyone, even people with
wildly unpopular views, feel comfortable discussing them in the open. Tor
isn't full of manifestos and political texts because people don't feel the
need to hide that stuff.

I am sort of glad tor exists in spite of the nasty uses some put it to. It's
like the modern equivalent of what having a well armed militia around was once
supposed to achieve. It's like a backup system.

~~~
sgt
Interesting point. Society can change though - and networks like Tor may
become increasingly important in the future.

------
ikeboy
> Had I been the FBI, they would have been caught.

Considering that no actual files were made available for download, and many of
the visitors were likely researchers, there wouldn't be enough to prosecute,
but given the implied level of security the actual pedos were using, the FBI
could just search their computers and would likely find enough evidence.

> For instance, pedophiles form their own communities and within those
> communities, a sense of trust is developed.

Or, pedos aren't drawn from the same population that knows how to do stuff
securely, they just read a guide or two on how to use Tor. I'd assume you
could get "4-7%" of many groups of people to download something and run it,
that doesn't show that pedos necessarily are more trusting. (In fact, I'd
expect higher numbers from random internet users, thus implying that pedos are
_less_ trusting, which I'd expect at a minimum given the fact that they _can_
access Tor).

------
xorcist
Numbering hidden services is something you publish papers on, and most
researchers arrive at much larger numbers than 4000. But just as the author
pulled numbers out of thin air (20 out of the 4000 are deemed worthy of
anonymity), 9 out of 10 paedophiles caught by him would turn out to be other
researchers (or "researchers"). They are much more likely to run the spyware
he offered.

At any time, Tor is frequented by many like him. Some law enforcement, some
working for child abuse organizations, some academia, and a lot of regular
people with the same ambitions. Advertising a high child porn site is the best
way to attract them. Most likely many of them have an unhealthy interest in
this stuff, and the line between "researcher" and paedophile is not always clear.
The law does not make a distinction.

------
woah
Wait... Is anyone else seeing this? The guy ran a crawler that visited many
such illegal sites, then used stats on the number of visits that his honeypot
got to draw conclusions about TOR. What is the standard of evidence that he is
using? Seems like some weird methodology.

------
sgt
So with pedophilia being a deviant behavior, yet relatively common through the
ages, it doesn't seem like it's going away any time soon. Wouldn't legal
computer generated child pornography be a potential solution?

One could argue that this type of pornography would encourage pedophiles to
seek out real girls, but then the same would apply for married men looking at
porn. Do most of them seek out women in bars or escort services? I doubt that.

------
wodenokoto
I didn't understand what he offers users that entices them to go to a higher
level.

At what point do users give up since there is no content on the website?

------
utuxia
I don't think he understands how Tor works. Everything you visit on tor gets
your exit node IP address. That's how it works.

~~~
nightpool
Technically, because of how hidden services work in the tor architecture (both
the service AND the user are hidden from each other) there's no "exit ip" when
connecting to a hidden service, it just happens somewhere in the intermediary
hops. (with the hidden service pretending that it's just getting a response
from somewhere up the chain)

so what the author of this article was actually doing was just leaking his
_own_ IP. lol

------
AlyssaRowan
Firstly, so - the writer is geek_slop? - let me get this straight about you?:

· You adopted a girl at some point.

· You are not law enforcement, and are not authorised by them in any way.

· You disclose, here in this webpage, that you ran a hidden service site, via
Tor, explicitly for paedophiles.

· You have admitted the above, to the FBI.

· You haven't considered what child protective services' post-adoptive
services might think of _your doing this_?

Um, I am a trifle concerned that you may have let your emotional investment
get in the way of good research, or good sense, thinking this vigilantism
through to its logical conclusion.

Secondly, I think I'm enough of an expert on the topic of malware to say that
the software, designed to cause a privacy breach upon whomever runs it and to
disguise that purpose so that they may be tricked into running it voluntarily,
_is_ definitely malware: what is technically known as a "Trojan Horse",
essentially doing the same job as the FBI's "CIPAV", but worse.

Thirdly, I've spoken with law enforcement on this topic before, in the context
of discussing anonymous networks like Tor. They are frequently _displeased_
about vigilantes ruining their operations by doing shit like this - it makes
the paedophiles more paranoid and careful, actively disrupting ongoing law
enforcement investigations.

Fourthly, it's not valid research. geek_slop doesn't appear to be familiar
with how Tor actually works, in fact, they actually list the wonderful exit
nodes they got, apparently unaware that the list of exit nodes is _public_ and
by design doesn't tell you anything at all about the visitors to your site.
Web crawlers (including "Dark Web" - a wording which is another sign that the
author does not have a strong background in anonymous networks - it's
correctly "onion site" now, formerly "hidden service") naturally find _related
sites_ that link to each other, if you're going by links, which they might
have done. If they're neutrally HSdir crawling, most of them are dead (because
they're ephemeral services created by a P2P chat app?). We know all that from
previous research (Dr Gareth Owen, University of Portsmouth, Tor Hidden
Services and Deanonymisation, 31C3
[https://www.youtube.com/watch?v=oZdeRmlj8Gw](https://www.youtube.com/watch?v=oZdeRmlj8Gw)
).

Finally, this crawler might in fact be the exact same "dumb crawler" I
previously identified as doing repeated HSdir directory service lookups
(instead of caching) while refreshing paedophile sites, causing
disproportionate load on the Tor network's HSdir services and strongly skewing
Dr Owen's results on this topic (if it's not yours, it's probably IWF's). So,
um, thanks for that.

~~~
mrsteveman1
Excellent points. Regardless of the intent here, geek_slop may have only
succeeded in getting the FBI and others to start an actual investigation _of
geek_slop_.

------
cuillevel3
Wow, I think this 'experiment' was highly unethical.

------
merb
Question: Didn't he need to host some illegal / immoral stuff to get some
visitors around this topic. Somehow I question the "research".

------
buster
Nice article! I only "visited" the dark web once and was surprised and
disgusted about the content, which was like 99% illegal, immoral shit.

Did the FBI cooperate with you? You said you contacted them twice.

------
methou
I got a 403 error while accessing the site.

~~~
geek_slop
Sorry, it's under an insane load right now. I fully expect to find a dead
server when I wake up in the morning.

------
shruubi
I must say, even reading the article made me feel quite uneasy. I can't
imagine doing this myself, but if it leads to the capture of some pedophiles
then I tip my hat to this person.

------
kauffj
> On two different occasions I contacted the FBI about the project and offered
> to provide full sets of data that I had collected.

The FBI twice rejecting a set of information that could have reasonably led to
the arrest of several pedophiles seems like a big mistake.

~~~
zxcvcxz
Personally I'm glad some random guy can't hand off a whole bunch of IPs to the
FBI and tell them they're all pedophiles. I'm sure it would cost thousands of
dollars to sift through the data too, and would be pretty useless seeing as
the guy wasn't hosting child porn.

Besides, taking down these pedophiles might be "fun" to some people, but if
you really want to help children you need to go after the people
producing/hosting child pornography.

~~~
bennettfeely
> In this particularly disturbing case, a father of three hints that he is
> willing to share pictures of his children.

> npt@hotmail.com: hi im a married dad of 3, i prefer girls from pt to jb. I’m
> looking forward to joining in and sharing in the community

A little later in the article there is an entire section devoted to his
findings that many visitors of the site were predators seeking to do more than
look at photographs. In addition,

> Many visitors offered photos from their “private collection” as a means to
> bribe me for entrance to the website. They took care to note that the
> material they were offering me was original.

~~~
zxcvcxz
Isn't that pretty much what the author was doing? Offering child porn to
people on tor? How do we know the people contacting him weren't trying to
honeypot _him_?

~~~
bennettfeely
> None of the websites contained any illegal content. Since I am not a legal
> authority (nor an expert in the law), I had to scale back the content. No
> illegal pictures nor files existed on any of the sites. In fact, each site
> contained exactly one image – a decorative background image to give the site
> a bit of flair (hidden service sites are notoriously lean). None of the
> honeypot sites explicitly offered to provide illegal content and instead,
> served to lure the user in by a vague promise of what may be found behind
> the locked door. Admittedly, this was a huge disadvantage over a FBI-driven
> honeypot and likely the reason why many visitors did not register and
> quickly moved on after landing on the home page.

Later on he explains,

> Scans on the server dropped and some of the users who opted to run the
> software appeared to be government or private researchers.

~~~
zxcvcxz
If he wasn't explicitly offering child porn then how can he assume people who
visited his honey pot were looking for child porn if they didn't explicitly
state it? Sure the guy offering pictures seems like a pedophile, but what
about the others?

~~~
geek_slop
More than one offered pictures and in fact, according to other sources, seems
to be a frequent method for pedos to prove to the hidden service operator that
they are indeed "legit".

~~~
digler999
you wasted valuable time and resources of law enforcement. good on you

------
InTheArena
Probably condemning myself to eternal down-voting here, but some of the
reactions here are depressing as fuck.

There is no world in which this content is acceptable. The presence of this on
TOR is not "good for society" in any way shape or form, and reveals that
society can't be trusted with anonymous speech...

Which is a really big problem, because there are a shit-ton of other problems
that require anonymous speech.

~~~
sumitviii
Internet is like a loud speaker. Just because some people can use it to
communicate some profanities doesn't mean that it should be banned.

------
whatisup
Smells like False Flag.
[https://en.wikipedia.org/wiki/False_flag](https://en.wikipedia.org/wiki/False_flag)

