
Feds bust through huge Tor-hidden child porn site using questionable malware - r721
http://arstechnica.com/tech-policy/2015/07/feds-bust-through-huge-tor-hidden-child-porn-site-using-questionable-malware/
======
noonespecial
_...the defense expert investigators wrote that they "do not consider the NIT
to be 'hacking'" because the NIT "exploited a configuration setting that did
not require offensive-based actions."_

But you'll get maliciously prosecuted for guessing a sequential URL and typing
it into your address bar thanks to CFAA...

~~~
JustSomeNobody
Wait, so my grocery store posts their ad every week and as I get to the last
page and I want to jump back to the front, I usually change the .../16.html to
a .../1.html. I could go to prison for that?

TF!? When are lawmakers going to learn how the web works?

~~~
skymt
The relevant part of the CFAA, chopped up for readability:

> Whoever ... intentionally accesses a computer without authorization or
> exceeds authorized access, and thereby obtains ... information from any
> protected computer ... shall be punished as provided in subsection (c) of
> this section.

That requires both intent and access in excess of authorization. So since
1.html is a public page, you're authorized to read it. If 1.html was the
personal information of the customer with ID #1, as in the AT&T case, that
would violate CFAA.

Also notable is the definition of a "protected computer." It's any computer
"which is used in or affecting interstate or foreign commerce or
communication," which is every computer connected to the Internet.

~~~
dublinben
The pages containing personal information of AT&T customers _were_ publicly
available though. We have already seen that an overzealous prosecutor will
construe regular access as "without authorization or exceeds authorized
access" whenever convenient.

~~~
grkvlt
As with everything in law, intent is key. Just because something _can_ be
accessed by the public, does not mean it is _intended_ to be accessed by the
public.

------
mirimir
This is reminiscent of the 2013 takedown of Freedom Hosting.[0,1] Exploiting a
JavaScript vulnerability in Firefox, compromised sites dropped a Windows
executable (“Magneto”) which phoned home (bypassing Tor) with the user's MAC
address and hostname. Gareth Owen identified it as EgotisticalGiraffe,[1]
which is an NSA tool.[2]

[0] [http://resources.infosecinstitute.com/fbi-tor-exploit/](http://resources.infosecinstitute.com/fbi-tor-exploit/)

[1] [https://ghowen.me/fbi-tor-malware-analysis/](https://ghowen.me/fbi-tor-malware-analysis/)

[2] [http://www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document](http://www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document)

Edit: Rereading, I see:

>The NIT exploit bypassed Tor by creating a direct socket connection that
eschews Tor's routing—in this particular case, by using a Flash component.
This functionality, the experts noted, was identical to Metasploit's
decloaking code.

Anonymous used the Metasploit code in a previous attack on Freedom Hosting.
Both vulnerabilities used against Freedom Hosting have long been patched. I
wonder what vulnerability this takedown exploited. One of the Hacking Team
ones, maybe?

~~~
NullCharacter
Er, no, since the whole HT leak happened within the last two weeks and this
operation took place mostly between 2014 and early 2015.

You give the Government wayyyy too much credit if you think it can go from
leaked exploit to arrests generated from said leaked exploit within a two week
period. The process, like all processes quagmired in bureaucracy, takes
_months_.

~~~
mirimir
Maybe the FBI and Hacking Team had overlapping sets of exploits. Is there
double selling by exploit dealers?

------
dkopi
"The setup was seized in February 2015, but law enforcement allowed it to run
for two additional weeks as a way to monitor its nearly 215,000 users."

So the FBI was serving child porn for over 2 weeks to hundreds of thousands of
users?

~~~
awjr
Isn't this similar to allowing small time drug dealers to operate to get to
the people at the top?

~~~
mikekchar
While I'm sure that's the rationale, I wonder if there is a difference. If the
FBI seized drugs and then continued to sell them, isn't that against the law?
If the FBI seized a computer and used it to distribute child porn, wouldn't
that also be against the law? I can see _not_ seizing it and allowing the
original operators to continue for 2 weeks.

Does the FBI operate under different laws? For example, if I know my neighbour
is hosting child porn on their computer and I wait 2 weeks to report them,
probably I'm safe. If I take his computer and host the files on the same machine
for 2 weeks before handing it over to the police, I'm pretty sure I'd be
arrested. What law is different for the FBI to be able to do that (if they
did)?

~~~
swombat
I think there is a pretty strong case that those are different.

In the case of selling drugs (assuming that drugs are harmful, and so on,
which is obviously debatable), then selling and delivering the drugs to users
causes tangible harm that wouldn't happen without the sale of the drug.

In the case of child porn, the child porn has presumably already been created
- they're not filming new child porn and distributing that, I presume. So the
bulk of the harm is already done. The direct harm from pedophiles downloading
that porn and viewing it is minimal. The problem with the child porn is that
it needs to be filmed/created in the first place, which involves child abuse,
a direct and immediate harm, and that people who enjoy child porn are asserted
to eventually graduate to abusing children themselves (a more distant and
hypothetical harm, which is negated by arresting those people after having
identified them).

So, whilst I also dislike the police's actions in corrupting tools useful for
free speech, I don't see that letting the server run for another two weeks to
identify more users, and actively selling and distributing drugs for two
weeks, are equivalent.

~~~
couchand
You're right that it may not be morally equivalent, but that's not really
relevant to the legal analysis. Possessing and distributing child porn is a
crime, regardless of whether you believe it directly causes harm. So the
grandparent's question remains: _Does the FBI operate under different laws?_

~~~
atrus
Should a cop get a ticket for chasing a speeder?

~~~
psykovsky
Yes. If the speeder is endangering people by driving fast so is the cop.

~~~
swombat
I see, so in that case I guess prison guards should be sent to jail for
kidnapping and holding people against their will. I mean, if you're going to
take your reasoning to its natural conclusion...

Hint: violence is not illegal per se, it's only illegal when done by someone
other than the state, in a way that violates the laws of the land. To exist, a
state must maintain a monopoly on violence - and in order to maintain that
monopoly it must from time to time use or at least threaten violence. At
least, that's how it works today. Perhaps in the future that will change...

~~~
logfromblammo
It is in the interests of society that its police be held to the same rule of
law as everyone else, or to an even higher standard.

But in this case, it is equally legal for a prison guard to hold a duly
convicted criminal against his will as a private citizen, because the
criminal's right to roam free was suspended by judicial order in the
sentencing phase of his trial.

The logical standard for permitting police to engage a fleeing suspect with a
high-speed chase is by determining that the suspect would present a greater
threat to the public if allowed to escape than the damage that could occur
during the pursuit.

Since innocents have been killed in the past by both fleeing suspects and
police pursuit vehicles, one might suspect that police would only start a hot
pursuit for known-violent murder suspects, and for everyone else, radio in a
description of the vehicle and its passengers so that other cops further ahead
of it can block traffic or throw down spike strips. Unfortunately, this is
often trumped by the de facto "adrenaline standard".

The fact of the matter is, cops who speed _can_ be ticketed for it. But then
the cop who issued that ticket to another cop is overwhelmingly harassed by
her peers as a "traitor" to the cop culture. (search: florida "donna watts"
"fausto lopez" 2011) The net result is that police are held to a _lower_
standard of law than everyone else, and that creates a culture of corruption.

------
omginternets
I'm both thrilled that child-porn distributors are standing trial, and utterly
dismayed that people use Flash on Tor.

~~~
SXX
Freaks don't automatically become cyber crime experts. Otherwise they'd
likely be using a browser inside a VM that only has access to a Tor proxy and no
connection to the real internet.

~~~
omginternets
The Tor Browser Bundle is plainly and loudly advertised on the Tor homepage as
being the Right Way of internetting anonymously.

You don't have to be a cyber crime expert to get this particular thing right.

~~~
mirimir
It's not that simple. Using the Tor browser bundle, there is no protection
against phone-home exploits outside the browser. Firewall rules would prevent
them, but that's up to users. Far better is to use Whonix Tor gateway and
workstation VMs in VirtualBox. The workstation VM has no Internet connectivity
except via Tor running in the gateway.

Using the Tor browser bundle in Windows is especially risky. The FBI has
relied on Firefox bugs and dropped Windows executables. In the Freedom Hosting
case, the FBI used a Firefox vulnerability that had just been patched in Tor
browser a week or so before.

~~~
omginternets
>Using the Tor browser bundle, there is no protection

Of course not, which is precisely why running Flash is ludicrously stupid.

Nobody is claiming that the "victims" of these other exploits are stupid --
just the ones who installed and used Flash (and probably had to deactivate
noscript in the process).

And more to the point, any remotely reasonable person will RTFM (at least
superficially) before using a tool to do something highly illegal. Not doing
so is the very definition of stupid.

~~~
asddubs
it's pedophiles, not tech experts or even users. I would guess a lot of them
don't significantly use their computers, and only got someone to show them the
whole tor thing, or watched a youtube video on it or something.

~~~
Jach
I guess you missed this:
[https://web.archive.org/web/20130119025623/http://dee.su/uploads/baal.html](https://web.archive.org/web/20130119025623/http://dee.su/uploads/baal.html)

------
belorn
If one were to take a look in the long run, what does it mean to the software
industry as a whole that bugs are being exploited by script kiddies to mess
around, protesters who want to block access in order to raise awareness,
criminals that want to steal money or trade illegal content, police that want
to catch criminals, secret police that want to keep track of everything a
population does, spies that want to keep track of everyone, and military that
simply want to break things and take down the bad guys. Each and everyone
depends on the same software bugs being unpatched and kept a secret.

------
fweespeech
Regardless of the cause, is anyone else concerned with the legal precedents
they are setting to catch pedophiles and drug dealers?

Legally, there is no real difference between doing this to catch those sorts
of people and doing it to de-anonymize whistleblowers under the guise of
"National Security" who use Tor to relay such information to the press. :/

~~~
NullCharacter
You're absolutely right. Legally there is absolutely no difference between
busting pedophiles on Tor and busting "whistleblowers" talking to the press,
legally speaking. No difference. It's legally the exact same.

~~~
fweespeech
The mechanism used to justify seizing Lavabit's SSL keys and this is the same,
despite your sarcastic comment.

------
joshstrange
Semi-related question: If I write a spider for Tor and my spider collects CP
(NOT by design but just in the course of spidering) how responsible am I for:

* Having that data in my DB

* Showing said site in search results

I assume the answer is something like: "You're not, as long as when you do
notice it you report it and then delete it off your servers (maybe also
blacklist the Tor URL so it doesn't get re-spidered/indexed)."

I haven't written anything to do this but the concept is extremely interesting
to me but I'd hate to write something, let it run, forget about it (keeping it
running or just holding on to the data if I ever want to do something with
it), and then getting in trouble down the line for having CP or other illegal
material. I've tried googling for this but couldn't find anything good.

TL;DR: Are search engines (on the web or Tor) responsible for the content of
the sites they index?

------
jebblue
I'm glad they busted them but hopeful that using the technology to stop
clearly bad guys does not lead to abuse of the ability to use the technology
on a wider basis. It probably will though eventually. It would be great if use
required the consensus of at least three courts and one of them federal.

