
FBI operated 23 Tor-hidden child porn sites, deployed malware from them - legodt
http://arstechnica.com/tech-policy/2016/11/fbi-operated-23-tor-hidden-child-porn-sites-deployed-malware-from-them/
======
klodolph
I feel like people are getting mad at the FBI for not pulling the trolley car
lever in the right way, which is a valid thing to be mad about, but I believe
the FBI made the right choice.

First, let's not rely too heavily on the analogies with drugs or prostitution.
The differences between CP and drugs / prostitution are too large to ignore
anyway.

CP consumers are often producers as well. That's a fact—you want CP, so you
make some yourself and swap it with others to get more. This isn't universal
but it's common enough that you should know about it. So the visitors to the
CP web site are not all just consumers of CP but many of them are producers as
well. This is relevant because you have to weigh the damage of distributing CP
against the benefit of catching people who produce CP. People have stated that
distribution revictimizes the children, but I would weigh that against the
ability to catch people who were either producing their own or at least
supporting other producers of CP.

So the FBI discovers this server, operates it for less than 30 days with a Tor
exploit, and catches 200 people using the site. Yes, the FBI was complicit in
the distribution of CP, but rephrased as a trolley car problem, this is
basically like _not_ pulling the lever, allowing the distribution to continue
for a short time, and using that to catch 200 consumers—and how many of them
are producers? You can pull the lever now and stop the distribution of CP, or
you can let the trolley barrel down the tracks for a short time and save all
these people somewhere else.

(People are saying that the exploit may have done damage to other police
investigations from other countries—I don't see any evidence that the exploit
damaged the computer, merely that it leaked information about the computer.)

~~~
TaylorAlexander
It makes sense to me that, while some number of people would want to consume
CP, only a very small fraction of them would be willing and able to secure a
child to photograph. I imagine much less than 1% of the people who are
involved with CP do more than consume it online.

Do you have a source for your information regarding the prevalence of
production?

~~~
klodolph
Apparently one of the websites required users to submit CP in order to access
content.

You can imagine all you like, but this hasn't radically changed just because
we have the internet.

~~~
dwiel
Was it required to be unique? Plenty of private file sharing sites enforce
seeding/sharing as well.

~~~
cup
Yes. If you read the FOI documents they had tasks that were required to be
shown in the new material. It's sick.

~~~
mcbits
Did the FBI lift these requirements or close down new registrations entirely
when they ran the sites? If not, it would make them culpable for more than
"just" continuing to host existing content.

------
vilhelm_s
This is about the Freedom Hosting hack in 2013. In 2013 Wired wrote

> On August 4, all the sites hosted by Freedom Hosting — some with no
> connection to child porn — began serving an error message with hidden code
> embedded in the page. Security researchers dissected the code and found it
> exploited a security hole in Firefox to identify users of the Tor Browser
> Bundle [[https://www.wired.com/2013/09/freedom-hosting-fbi/](https://www.wired.com/2013/09/freedom-hosting-fbi/)]

However, as far as we know, unlike the more recent Playpen thing, in the
Freedom Hosting case the FBI did not actually serve child pornography, they
just displayed an error message. I don't see anything in this article that
suggests otherwise.

~~~
tombrossman
That's correct, the FBI hosted error messages and exploits after taking over,
and supposedly did not distribute images of abuse. This point is conspicuously
absent from the Ars story.

Motherboard passed on this story but it appears it was too sensationalist for
Ars to resist. See thread here for more info:
[https://twitter.com/josephfcox/status/797070958205038592](https://twitter.com/josephfcox/status/797070958205038592)

------
CurtMonash
I think there's a rather extreme hierarchy of wrongs here.

1\. The crime that utterly dwarfs all others is involving children in the
making of child porn.

2\. After that, the crimes that dwarf all the rest are those that provide
financial or practical support to child porn makers. Consuming child porn is
generally regarded as one of those, and I'm fine with that categorization.

3\. I'm sorry, but violating a victim's theoretical privacy by distributing
the images a little further doesn't seem to be nearly as big a deal as helping
to prevent the next live video of child porn from being made.

I'm usually regarded as being pro-privacy, but privacy is not something to be
a rabid extremist about. Preventing physical sexual abuse of children, on the
other hand, is a fine area for extremism.

~~~
Bjartr
Screw chilling effects, I'm going to ask this anyway because being afraid of
having these discussions is detrimental to making real progress as a society.

Making the assumption* that some decent fraction of those who consume such
media would be sated if they could get it and not move on to actually hurting
children. Then couldn't a preventative measure be to take all the existing
child porn and make it available to them?

Though I guess that risks normalizing the condition and could lead to it being
more commonplace (certainly it would appear so as those who successfully
suppress it would hide it less) and if it's more commonplace then the fraction
that does still act harmfully upon the impulse could, in absolute numbers,
exceed those that do today. Figuring out how things fall would first require a
good understanding of the numbers.

*I don't know if this is true or false and would be interested to know if there is existing general consensus on the evolution of seeking out fantasy fulfillment over time in general and how it's affected by free access v. restricted access to related material.

~~~
openasocket
Regarding your assumption: I have a family member who's a child psychologist
specializing in abuse cases, and according to her the vast majority of those
who consume CP have abused children. Hard numbers are hard to come by because
of the illicit nature of pedophilia, but studies involving anonymous surveys
(in which the individual's name is withheld and their answers can't be used
against them by law enforcement) support that.

~~~
Lawtonfogle
I don't buy it for a second. Instead, I think that those who use but don't
physically touch an actual child are so unlikely to get caught, the numbers
are horribly biased.

To give some example numbers, say that 5% of those who view the material ever
directly harm a child. And say that 100% of those who harm a child view the
material. Now, say that 50% of those who harm a child get busted, but only 1%
of those who don't get busted for viewing the material. The end result would
be that of those caught about 5 of every 7 who viewed material harmed a child
directly.

Now, the numbers are made up, but there are many values that lead to a false
conclusion if people only look at those caught.

~~~
openasocket
Those surveys were of people convicted of possession of CP only.

~~~
Lawtonfogle
And how many charged with child molestation will have the police raid their
homes and check their computers? How many will end up only being charged with
child porn to spare the actual child the trauma of going through a case and
how many times is there not enough evidence to convict for child molestation
but there is plenty to convict for child porn?

~~~
openasocket
Admittedly, I don't have the study on me, so I can't confirm this. But I
imagine the study would screen out anyone like that, that seems like a pretty
obvious thing to do.

------
Zuider
This is less like a drug or prostitution sting where the mark is arrested
before the contraband can be consumed, and more like a hired hitman sting
where the victim is actually murdered.

From a moral point of view, child pornography is deontologically wrong.
Nothing can justify its existence. Even if such a sting managed to shut down
the entire industry, it would be moot to attempt to argue for its moral
goodness in consequentialist terms.

The FBI could have used other means to establish criminal intent in the
visitors to the websites along with the fact that they had used Tor to search
out and visit those websites in the first place. They could have made
prospective viewers engage in a series of incriminating acts such as requiring
them to follow a series of links with the promise of finding the material, or
making them refresh the page. There was no need to provide the actual
offensive material in order to make a solid case.

~~~
corecoder
> They could have made prospective viewers engage in a series of incriminating
> acts such as requiring them to follow a series of links with the promise of
> finding the material, or making them refresh the page.

I find this part very interesting: is this well established, that is, is it
clear before the law which acts are surely incriminating? Is clicking on a
link enough to establish intent?

~~~
adventured
> Is clicking on a link enough to establish intent?

Legally no it's not, that's a very weak binding and they know it. That's why
any type of sting - whether cp or other - will attempt to get the user to
sign-up, view content, or otherwise willfully provide personal information (e.g.
a credit card).

~~~
clifanatic
I seem to recall that it was enough to get those "catch a predator" TV show
guys: the fact that they showed up at a specific location was enough to get
them successfully prosecuted.

------
omribahumi
I once experimented with a Tor router on a VM that isolated another VM's
internet connectivity.

The idea was |Stealth VM| --> |Tor router VM| --> |Virtual Box NAT|

The Tor router VM was running redsocks[0] to route all TCP traffic through
tor's socks proxy interface. The stealth VM also used tor's DNS service.

That way, even if the stealth VM is compromised, it can't access the internet
directly.

[0] [http://darkk.net.ru/redsocks/](http://darkk.net.ru/redsocks/)

~~~
zizzles
How is this different than Whonix?

[https://en.wikipedia.org/wiki/Whonix](https://en.wikipedia.org/wiki/Whonix)

~~~
omribahumi
From reading it, looks like it's the same concept.

Thanks. Didn't know about it.

------
unethical_ban
My example of an analogy would be like taking over a drug house and putting
GPS in each shipment, but still allowing the drugs to get sold and consumed.

I'm not sure whether this is OK or not.

~~~
jakewins
As noted elsewhere in the thread - FBI did not continue to serve child porn
off of those sites, it swapped it to an error message that served malware
targeting the Tor browser.

~~~
75j
Source? This Reason article says differently:

" _Operation Pacifier is reminiscent of reverse drug stings in which cops pose
as dealers to catch retail buyers, except that in this case the FBI actually
disseminated contraband. It did not merely pose as a distributor of child
pornography; it was a distributor of child pornography. During the two weeks
the FBI was running The Playpen, about 100,000 people visited the site,
accessing at least 48,000 photos, 200 videos, and 13,000 links. In fact, the
FBI seems to have made The Playpen a lot more popular by making it faster and
more accessible._ "

[http://reason.com/blog/2016/08/31/the-fbi-distributes-child-...](http://reason.com/blog/2016/08/31/the-fbi-distributes-child-pornography-to)

~~~
openasocket
Operation Pacifier is a completely different case. The operation discussed in
the article occurred two years earlier.

~~~
75j
The Ars article discusses Playpen / Operation Pacifier in the first sentence.
But you're saying that these 23 other sites only displayed an error message
and distributed malware? Ok, but still, the FBI did in at least one instance
distribute child porn, and that was mentioned in the article at hand, so I
don't see why my analogy is out of place in this discussion.

~~~
openasocket
> I don't see why my analogy is out of place in this discussion.

It's not out of place at all. I just wanted to add some context to make things
clear, that your Reason link doesn't contradict the claim that in the Freedom
Hosting case they only displayed an error message.

~~~
75j
Thanks, clarification appreciated!

------
chickenbane
I have no love for those who visit child porn on Tor, but in general I am now
very wary of the FBI. I can't help but feel it's a powerful organization
that's slowly turning into a dark oppressive one. The power grab from the CIA
for the Petraeus affair. Using the sensitive nerve of terrorism to demand
Apple unlock a phone. Throwing a last-minute wrench in the Clinton campaign.
This is not going to end, especially under Trump.

------
uniclaude
> _a Tor exploit of some kind to force the browser to return the user’s actual
> IP address, operating system, MAC address, and other data. As part of the
> operation that took down Playpen, the FBI was then able to identify and
> arrest the nearly 200 child porn suspects._

So, is getting someone arrested as easy as spoofing their network information
and visiting those sites? I can already imagine trolls using this to have
people swatted.

~~~
openasocket
It would be really difficult to spoof the IP address and create valid TCP
connections. Plus, your method would only work if you knew in advance that
certain sites were currently being used in a sting operation. If you could
figure that out, that kind of defeats the purpose of a sting operation.

~~~
solotronics
It would be trivial to hack their wifi or insert a rogue device into their
home network.

~~~
openasocket
At that point, you might as well hack into their laptop, put a bunch of CP on
there, and then call the cops.

Forensic analysis of the hard drive would exonerate you though.

~~~
wyager
> Forensic analysis of the hard drive would exonerate you though.

No. Anything an analyst could feasibly look at can be spoofed with root
access. The only thing that could potentially approximate the actual age of a
hard drive write is thermal annealing of the storage medium, but this isn't
really true anymore with SSDs (and was never practical even for HDDs).

~~~
openasocket
Yeah, but it's not that simple. You'd have to install the Tor Browser Bundle,
make it look like it was installed long before. You'd have to change the MAC
times on the CP files to indicate a consistent pattern, and make sure the
victim doesn't have an alibi for any of the times you're putting down. But you
can't backdate the download time to before the image was produced, so you have
to do your research on that. And of course you'd have to get your hands on a
bunch of CP without getting caught yourself.

I'm not saying it's impossible, but it sounds pretty difficult to me. Maybe
I'm wrong though.

------
ikeboy
It seems like this was related to their seizure of Freedom Hosting, and that
they only hosted them for 30 days or less, reading the linked affidavit.

So they seized an onion hosting provider that had 23 cp sites, they ran those
sites for a few weeks, then shut them down.

------
sschueller
Isn't the whole issue the exploitation of children? As in the FBI should be
going after the creators and distributors not become a distributor.

~~~
stephengillie
It's the "War On Drugs" model, where they chase the end-users and end-
distributors, but don't stop the problem at the source. Occasionally, they hit
a big target and make a big show of it, but most of what they do is police the
populace.

~~~
awqrre
If they would stop the problem at the source, they might be out of work... but
anyways I think that it is not a good idea to become an outlaw to catch other
outlaws...

------
zaroth
I think the clear differential here is that compromising the server and
tracking its users while it was in operation by Freedom Hosting would perhaps
be "OK" but confiscating the server, moving it to HQ, and then operating the
site themselves is decidedly not.

Keep in mind, you can't just pause the site and expect your targets not to
notice, they had to actively maintain the site (and consider what that means)
to keep their targets coming back. It's disgusting and disturbing. And if it's
what we know about it, it's also just the tip of the iceberg.

At least with Fast & Furious I think it was real criminals running the guns
and just a failure to intervene. I think a failure to intervene here would be
seen as unacceptable as well. But here we have way more than failure to
intervene, they effectively provided the guns and helped run them across the
border.

------
aezell
This is the same as cops offering to sell drugs or sex and then busting the
buyers.

~~~
mikeash
Except that when the cops run drug or prostitution stings, they don't
_actually_ provide drugs or sex, do they? I thought they offered without
actually having the product, then nail the buyer based on their intent to buy.

Actually providing the sting targets with illegal material seems a lot
shadier.

~~~
stray8
How are you supposed to do a pornography bust on the internet without actually
providing some product?

~~~
mikeash
I don't know, but "you can't bust people if you don't do X" is not a good
argument for X being OK. Not all criminals must be caught, and we generally
value the integrity of law enforcement over catching every single bad guy.

------
lightedman
IOW the FBI is directly responsible for the spread and proliferation of child
pornography. They've hurt more people than they've rescued.

Time to charge the FBI with aiding and abetting. Period. Equal treatment under
the law. Period.

~~~
ethanbond
> They've hurt more people than they've rescued

source?

------
smaili
_That NIT, which many security experts have dubbed as malware, used a Tor
exploit of some kind to force the browser to return the user’s actual IP
address, operating system, MAC address, and other data._

That's quite the exploit.

------
MichaelBurge
I understand the ban on child porn is justified via the interstate commerce
clause:

 _Federal jurisdiction is implicated if the child pornography offense occurred
in interstate or foreign commerce. This includes, for example, using the U.S.
Mails or common carriers to transport child pornography across state or
international borders. Additionally, federal jurisdiction almost always
applies when the Internet is used to commit a child pornography violation.
Even if the child pornography image itself did not travel across state or
international borders, federal law may be implicated if the materials, such as
the computer used to download the image or the CD Rom used to store the image,
originated or previously traveled in interstate or foreign commerce._

[https://www.justice.gov/criminal-ceos/citizens-guide-us-fede...](https://www.justice.gov/criminal-ceos/citizens-guide-us-federal-law-child-pornography)

Theoretically, would a general citizen be exempt from the ban if he
manufactured his own CD-ROMs, and his own CPUs in-state?

It might be illegal for them to operate the sites for extended periods of
time. It doesn't seem illegal for them to deploy malware as part of an
investigation. I'm looking at (f) here:

[https://www.law.cornell.edu/uscode/text/18/1030](https://www.law.cornell.edu/uscode/text/18/1030)

So the worst that could happen is that the evidence gets thrown out. If they
weren't going to otherwise be able to nab the person, the worst that could
happen is they lose the case.

~~~
alexmingoia
Good idea, but that defense has already been rejected by the Supreme Court
twice. Their reason? I kid you not... "the butterfly effect". The Supreme
Court considers any activity that doesn't leave the state to possibly affect
interstate commerce so they can regulate everything with that clause. See
Wickard v. Filburn and most recently Gonzales v. Raich. Prepare to be enraged.

~~~
wool_gather
Enraging indeed.

"Where necessary to make a regulation of interstate commerce effective,
Congress may regulate even those _intra_ state activities that do not
themselves substantially affect _inter_ state commerce" [emphasis mine]

\-- Justice Antonin Scalia, in the majority opinion for Gonzales v. Raich,
using his vaunted legal genius to find a reason, any reason at all, to stop
people from doing things that he didn't like.

One of the most influential hypocrites of the new millennium, if not the whole
history of the republic.

------
eeZah7Ux
50 comments and nobody pointed out that the honeypot sites would attack
visitors regardless of their citizenship.

Given that 95% of people in the world are not from the US, how many visitors were
police officers from other countries, conducting their own investigation?

~~~
clarry
And how many people were not visiting these sites to obtain child porn?

Quite recently, I ended up on an image board [whose name suggested to me it's
got to do with topics such as freedom of speech] I hadn't heard of before,
with sections whose short names meant nothing to me. So out of curiosity, I
opened the first one.

Well, that board is no more.

~~~
Miner49er
In that case it would certainly be entrapment wouldn't it? How do they intend
to prove whether this was entrapment or not?

------
draw_down
When you gaze long into the abyss, the abyss gazes also into you.

------
antoineMoPa
When I have debates about encryption and surveillance, CP & terrorism are
arguments that are difficult to address. I think this solves a part of the
problem.

------
forthwoart
> FBI operated 23 Tor-hidden child porn sites

Uh, what? I don't think the end justifies the means here

~~~
centizen
Out of context this sounds much worse than it is - the FBI forcefully took
control of a hosting network that included 23 child-porn service sites. They
then used it as a platform to serve malware to the visitors of the sites.
Within a month, they shut down the websites.

~~~
mikeash
If the FBI seized a store that sold illegal drugs, and kept operating the
stores and selling illegal drugs for a month afterwards, would that be
considered OK? I'm not getting hugely up in arms about this, but it doesn't
seem right.

~~~
rz2k
What if it were controlling a kingpin for a month in order to identify
multiple lower levels of distributors and dealers? I believe that consumers of
child pornography are considered likely participants in the further trade of
material and creators of more content than the typical drug user is.

~~~
mikeash
It seems to me that allowing a criminal to continue committing crimes is
different from taking ownership of a server and continuing to operate it. The
criminal has agency, while the server does not. But it's not entirely clear
cut, for sure.

------
api
Doesn't this show that yes you can do police work in the post crypto age?

~~~
Raphmedia
They arrested the stupid users. Pedophiles are not known for being among the
brightest. Those people downloaded the Tor browser and blindly started
browsing on it.

It wouldn't have been so easy to get information on 200 real cyber criminals.

~~~
brianwawok
That sounds a bit like a strawman.

Do you have a citation that a pedo has less IQ than the average member of
society?

I think by using Tor that puts them in the top 1% of internet user knowledge,
which is against your statement.

~~~
elliottcarlson
Just because they are using Tor (either by searching how to hide their tracks,
or just because the community for this kind of content in general will
gravitate to something like Tor), doesn't really mean they would be in the top
1% - they followed instructions that someone in the top 1% created.

Whether that means they have a lower IQ than the average member of society
though, that is a whole other thing.

~~~
brianwawok
I do not think anyone outside the top 1% could even follow the directions to
download and use tor. You are vastly overestimating the compute power of the
average person.

~~~
Raphmedia
I mean, it's a simple link to a simple installer. Click on this and you will
be ready to go:
[https://www.torproject.org/dist/torbrowser/6.0.5/torbrowser-...](https://www.torproject.org/dist/torbrowser/6.0.5/torbrowser-install-6.0.5_en-US.exe)

------
dsfyu404ed
Shit, if they keep going at this rate pretty soon they're gonna need to start
worrying about antitrust laws.

------
nameisu
GREAT MOVE

------
cloudjacker
Forget the Firefox Tor browser, use Whonix

Two Virtual Machines, the one you actually use for browsing and stuff only
connects through the gateway virtual machine.

If an exploit breaks out the Firefox skin, it is just in the host VM, if it
somehow breaks out of the host VM it is in the gateway VM.

We could keep going down possibilities, but we are far removed from attack
vectors that actually exist.

