FBI Hacks Tor Service

[Callie Del Noire]

http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/

Okay.. I'm conflicted about this. Child Porn is a bad thing. Period. BUT.. you're crossign a dangerous line when you start breaking laws and violating the territory of allied nations like this.

This isn't counter intelligence work. This is Cyberwarfare, cut and dried. And definitely creeps into the search without warrant territory.  Very worrisome territory.

[mia h]

I wouldn't be surprised if the FBI were using the same legal justifications that were reported as being used with PRISM to get around the need for warrants and probable cause.

With PRISM they came to the legal conclusion that a search is only a search when it involves a human looking at something. So if a computer automatically sifts through information then it's not really a search. Now if that computer then reports that there might be something worth looking at within the data that then constitutes probable cause allowing the FBI\NSA etc to get a warrant to do a search. Kafka would have been so proud.

The way the article reads the FBI would definitely be breaking the law in the UK, but assume you found the FBI's little virus on your computer what do you do? Try and report them? Well that virus supposedly only targeted people looking at child-porn, so anyone who reported finding it is painting a big target on their back regardless of what they were actually doing. But if nobody reports the crime then did it really happen?

[Neysha]

Are there practical alternatives to policing child pornography hosted and accessed on hidden servers?

[Shjade]

Finding the sources instead of the viewers...? *shrug*

[Moraline]

Slightly off topic side note:   I knew I recognized the name of the guy that wrote that article...  Kevin Poulsen (Hacker name: "Dark Dante")

"One of the most feared yet idolized hackers of all time, Kevin Poulsen is considered by many to be a hacking prodigy. His youth was spent using his talents strictly for juvenile fun and the pursuit of knowledge. But the deeper he delved into hacking, the further he went to the dark side. Eventually, his criminal exploits led to the first ever espionage case leveled against a hacker. "

~ http://library.thinkquest.org/04oct/00460/poulsen.html (note: They are 10 years off on his date of birth, it should read 1965, not 1975, but it's the same guy.


"When Kevin Poulsen was 17, he used his primitive TRS-80 "color computer" to hack into the US Department of Defense's Arpanet, the predecessor of the Internet. He wasn't prosecuted. He was later a computer programmer at SRI and Sun Microsystems, and worked as a consultant testing Pentagon computer security.

In 1988, when authorities suspected Poulsen had cracked a database on the federal investigation of Ferdinand Marcos, they came after him, and he disappeared. As a fugitive, Poulsen needled the FBI by hacking federal computers and revealing details of wiretaps on foreign consulates, suspected mobsters, and the American Civil Liberties Union. He also hacked into the details on FBI front companies. At the highest levels of U.S. law enforcement, they started calling him "The Hannibal Lecter of computer crime"."

~ http://www.nndb.com/people/453/000022387/

[gaggedLouise]

Slightly off topic side note:   I knew I recognized the name of the guy that wrote that article...  Kevin Poulsen (Hacker name: "Dark Dante")

So this is the guy that inspired War Games? Or did he emulate Broderick's exploits from the film within a year of its release?

OT: Someday in not too long, there will have to appear some "non-standard internet protocols" and encrypted http to keep the governments' eyes out of what people re doing and talking about online.

[mia h]

Are there practical alternatives to policing child pornography hosted and accessed on hidden servers?

That this horrible material is being hosted on obfuscated servers isn't really the issue; how would you feel if every conversation, every email, every phone call you made was being monitored? Not because you have done anything wrong but because there is a chance than someone else has and we should stop that wrongness. We know you've done nothing wrong so when we do look into you we won't find anything, but those people who have done wrong things they won't want us looking but you're not one of them, are you?

It's very easy to use the "won't you think of the children?" argument to justify just about any action, but that doesn't make it right or legal. In this case it's the FBI, they are a civilian organization and should be subject to the same laws as everyone else but in this (and possibly many other instances) they appear to invoke a variant of the ancient rule - It's not cheating if you don't get caught.

[Moraline]

So this is the guy that inspired War Games? Or did he emulate Broderick's exploits from the film within a year of its release?

OT: Someday in not too long, there will have to appear some "non-standard internet protocols" and encrypted http to keep the governments' eyes out of what people re doing and talking about online.

I'm not really sure if Kevin Poulsen was the inspiration or not for the War Games movie. I remember watching War Games on YouTube but I don't really know much about the making of movie itself.

I think my main point in posting that was to point out that Kevin Poulsen has a clear agenda that is very anti-FBI. These guys put him in prison for 5 years before he even got a trial. They were almost ready to lock him away and throw away the key.

I don't entirely trust the source or perspective of that article. There's a lot more to be said then it tells us. I'm not saying that he's intentionally trying to make the FBI look bad but it wouldn't surprise me if he was dropping the hint of a spin on it to do it. It's just questionable overall.

[Callie Del Noire]

http://www.wired.com/threatlevel/2013/09/nsa-backdoor/

There has been an on going desire to 'read folks mail for security reasons' by the government since the idea of Email took off. To say that the man in the first article doesn't have an agenda would be stupid. He does. Does he have a point? yes he does.

Do you know that the feds have to have a warrant to access your home computer BUT don't for any smartphone they find on you when they stop you. Not arrest.. .. not charge.. but simply detain for questioning. They can pick it up, save a back up and look at anything and everything on it without a warrant or even just cause.

Now you have proof that the NSA and FBI are considering that any system they can get into isn't the same as the account books of a company or person. You are looking at a REDUCTION of personal privacy and liberty. Without any judical process involved for the most part.  Cops have been cleared to use GPS tracking, your own cell phones and other methods without needing a warrant or justification.

Sooner or later this WILL lead to abuse.  THAT is my concern.

[Neysha]

That this horrible material is being hosted on obfuscated servers isn't really the issue; how would you feel if every conversation, every email, every phone call you made was being monitored? Not because you have done anything wrong but because there is a chance than someone else has and we should stop that wrongness. We know you've done nothing wrong so when we do look into you we won't find anything, but those people who have done wrong things they won't want us looking but you're not one of them, are you?

It's very easy to use the "won't you think of the children?" argument to justify just about any action, but that doesn't make it right or legal. In this case it's the FBI, they are a civilian organization and should be subject to the same laws as everyone else but in this (and possibly many other instances) they appear to invoke a variant of the ancient rule - It's not cheating if you don't get caught.

Please don't misconstrue my question.

If you have no answer to my question, then please don't anawer via editorializing my alledged POV.

Thank you. :)

[mia h]

Please don't misconstrue my question.

If you have no answer to my question, then please don't anawer via editorializing my alledged POV.

Thank you. :)

And what POV is it that I'm supposedly alledging?

[Shjade]

And what POV is it that I'm supposedly alledging?

Neysha never asked, "Won't you think of the children?"

I suspect your restatement of that bit wasn't intended to suggest Neysha was using that justification as part of her inquiry and thus miscommunication occurred. Just a guess, though.

[Neysha]

I'm just wondering if there are any practical alternative law enforcement procedures or operations to deal with any possible criminal activity that utilizes these hidden servers.

[Cyrano Johnson]

It's a fair question.

[Callie Del Noire]

Okay.. think on it like this.

If you leave 'backdoors' in the standards of security in the foundation that internet commucation and commerce works on. How long will it be before someone who isn't a Fed uses it? Come on.. you put a weak point in structure.. it is going to be found. We have websites that do nothing but deconstruct hardware, software and protocols.

What might require computation that only BIG companies and government today will not always require them tomorrow. Moore's law makes that pretty much inevitable, assuming someone doesn't find a way to do it easier, faster and with less.

Fun note. When I made my first MP3 back in '94ish. It took me an hour to pull the audio out of a CD, then 20 minutes to encode it. Today I made a song into an mp3 in like 3 seconds.

[mia h]

Callie,
there are a few problems with that line of reasoning, and although it has nothing to the reasoning someone managed to disprove Moore's Law a couple of years ago something to do with the physical limits of silicon. The first question is did the FBI do something illegal? And they've pretty much admitted that they did. The follow up question is was there an alternative? The answer should be. Who cares? If there was a legal alternative and they didn't use it, then the FBI did something that was illegal. However if there wasn't a legal alternative and the FBI did what it admitted then the FBI still did something that is illegal. So any alternatives or lack thereof are a complete irrelevance.

Of course It's easy use straw man arguments to justify these types of actions "We're doing this to protect you from terrorists\Mussolini's ghost\dancing chickens\whatever else scares you" but using unpopularity of certain elements of society as a pretext for doing whatever they wanted is how all the best dictatorships got started or as Benjamin Franklin put it:

They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety


Neysha,
I'm still waiting for an answer.

[Neysha]

Irrelevant to the alleged violation of civil liberties yes, but it's still a valid question to ask in general and I will, because this thread is as good as any to bring it up since the topic is relevant in subject matter to my question.

And since you keep bringing it up (as some sort of strawman when I've done nothing to promote the FBI's handling of this situation) I will ask it again:

I'm just wondering if there are any practical alternative law enforcement procedures or operations to deal with any possible criminal activity that utilizes these hidden servers.

Does ANYONE have an actual answer? If you DON'T have an answer either way, please don't respond to my question.

Thank you. :)

[Kythia]

This might be quite a naïve answer because, in all honesty, I'm not sure I understand what a "hidden server" is.  But why does that matter (that it's hidden I mean).

So, the FBI discover a massive stash of kiddie porn on my computer, and equally hypothetically I'm somewhere the FBI have jurisdiction.  Obviously I can be prosecuted without servers or wherever that shizzles hosted coming in to it at all.  But understandably the FBI want to take it down, make it unavailable.  Well, they have my computer.  Surely even if the server is hidden my computer knows how to find it?  Otherwise, well, how is it finding it? 

As I say, I don't understand the technical aspects so I may well be being stupid there.

[gaggedLouise]

This might be quite a naïve answer because, in all honesty, I'm not sure I understand what a "hidden server" is.  But why does that matter (that it's hidden I mean).

So, the FBI discover a massive stash of kiddie porn on my computer, and equally hypothetically I'm somewhere the FBI have jurisdiction.  Obviously I can be prosecuted without servers or wherever that shizzles hosted coming in to it at all.  But understandably the FBI want to take it down, make it unavailable.  Well, they have my computer.  Surely even if the server is hidden my computer knows how to find it?  Otherwise, well, how is it finding it? 

As I say, I don't understand the technical aspects so I may well be being stupid there.

I admit I'm not getting what "hidden servers" means either. Servers hosted on a machine that's hidden by a router or gateway that makes it "stealth" for most inbound traffic? Or is it the well-known trick of planting a trojan on some ordinary machine, opening up a backdoor for loading lots of kid porn and the like into that machine and then opening up to lots of other, anonymous users? Or just that the files and folders are listed under vanilla-sounding, innocent names?

[mia h]

Kythia, if you look at what Marques was charged with it wasn't possessing child-porn but facilitating access to it. So using a bit of educated guess work, if you look at what happened with The Pirate Bay they weren't found guilty of breaching copyright but of facilitating breaches of copyright, TPB didn't and doesn't hold copies of the movies etc that are torrented but hold links to other people that do. So it would appear that Freedom Hosting is acting like TPB of child-porn.
Best guess is that they are using a combination of TOR anonimisers and magnet links to hide the source of whatever it is that is being shared.
Now because of what the FBI was doing in hacking the browser they weren't going after the owners of the hidden servers but after the people that were accessing the sites.

[Neysha]

I'm technically illiterate but frombwhat i've read, Tor's main intention and purpose was to be used to shirld human and civil rights groups from unsavory authority types and sadly has been repurposed to a degree by child pornographers and other criminal behavior and operations.

But even beyond Tor I'm sure there are many ways to hide or obscure ones identity on the internet. I'm curious if there are any alternative law enforcement techniques that can be utilized whether specifically against criminals using Tor or to broaden the conversation, against other methods of 'hiding' in cyberspace.

[mia h]

And what POV is it that I'm supposedly alledging?

Well I suppose there is half an answer of sorts

And since you keep bringing it up (as some sort of strawman when I've done nothing to promote the FBI's handling of this situation) 

But could point to exactly where in any of my posts I wrote that you supported the FBI?
If you can't support the allegation that I'm deciding what your opinion is you should apologise.

And I don't care how "polite" it is, where do you get the nerve to tell people what they can and can't respond to?

[Callie Del Noire]

I admit I'm not getting what "hidden servers" means either. Servers hosted on a machine that's hidden by a router or gateway that makes it "stealth" for most inbound traffic? Or is it the well-known trick of planting a trojan on some ordinary machine, opening up a backdoor for loading lots of kid porn and the like into that machine and then opening up to lots of other, anonymous users? Or just that the files and folders are listed under vanilla-sounding, innocent names?

Here is what is a TOR server/router about.

http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29

Ironically this is the same sort of thing that the government relies on for their own operations. You have to have secure/discrete communication systems for some government operations.

Undermining the systems that operate on the internet can do far more harm than putting in 'easy access' to a TOR system or even more frightening a cryptographic standard. By putting in backdoor systems into software and hardware you leave it vulnerable. Today it might be the US government, but when you have people handling the software and systems.. how long till a Snowden or Manning drops a system build on the internet or sells it to a company or country?

TOR systems are by their nature 'grey' at the very least. I've used one to check out Silk Road.. what you find there is a very different world from the world of Ebay, Facebook and even Eilliquy. The problem is it's a stone in the path. Today it's 'back doors in grey/black software' then you have the NSA engineering back doors into the encryption routines that we use for all manners of things.

Today the government says it's only in the 'pursuit of enemies of the state' that they use such things. Question is.. who defines that term?  Today it's a racially profiled group of people who just happen to follow the faith of Islam.

Fifty years ago it was a man of faith from Birmingham, Alabama. (Martin Luther King Jr.).

With the amount of data and information one can get on a person online and via their electronic signature, the ability to follow/track/invade a person's privacy with minimal effort and time. Luckily warrantless GPS tracking (and a murkily defined group of things) were recently tossed out of a federal appeals court AND legislation was introduced to counter it as well. (http://news.cnet.com/8301-1009_3-57575796-83/lawmakers-introduce-bill-on-warrantless-gps-tracking/)

Today there are more ways, and more coming, that shrink the world. My issue isn't with the pursuit of perverts and terrorists but the methods being used have minimal oversight and even less regulation on it's use. Technology is rapidly advancing. The time between concept and implementation is radically shrinking. Edward Snowden stated there was little to no oversight or control on how the tools he utilized were used.
A lot of folks forget the State Department employee who tracked presidential candidates' passports in 2008

Back to the issue on hand..

Care to explain how a TOR service based who knows where falls within the jurisdiction of the Federal DOMESTIC Law enforcement agency? The guy the FBI are trying to extradite is in Ireland. Where is the crime? Is it at the point of access by the end user or the content provider. I know that might be a scary thought for internet entities, do you want to be held legally responsible to any of HUNDREDS of jurisdictions? 

How does engineering exploits into the foundation of a phenomenally LARGE part of our world economy isn't a dangerous move?

Because of there will always be a class between the rights of the individual and the needs of the government. We are losing our equilibrium in the process.

I'm technically illiterate but frombwhat i've read, Tor's main intention and purpose was to be used to shirld human and civil rights groups from unsavory authority types and sadly has been repurposed to a degree by child pornographers and other criminal behavior and operations.

But even beyond Tor I'm sure there are many ways to hide or obscure ones identity on the internet. I'm curious if there are any alternative law enforcement techniques that can be utilized whether specifically against criminals using Tor or to broaden the conversation, against other methods of 'hiding' in cyberspace.

Can TOR systems be used for things like civil rights movements within countries like Iran, Syria or Egypt (just to name a few) where massive media suppression and surveillance is common place? Yes. And to some extent it is. It is also the 'shadownet' where warez sites, illegal item sites like Silk Road live and even where kiddie porn rings hide.

The big thing.. the FBI already KNEW that Freedom Hosting had kiddie porn on it. It had been reported by LOTS of folks.

[Neysha]

So how will it be solved? Would greater judicial oversight from the Courts be preferable and actually pursuing warrants before incestigation be enough?

[Callie Del Noire]

So how will it be solved? Would greater judicial oversight from the Courts be preferable and actually pursuing warrants before investigation be enough?

That's the problem.

We are seeing technology advance faster than the consideration of impact. We have a legislative branch that is increasingly mired in contention. To the point this last congress has been the LEAST productive in decades. It's a process that worked good in the past but today our congressional committees need to be a lot more responsive to tech advances and considerate what the law can do to technology and with it.

There are very powerful tools that law enforcement needs but like the military they need Rules of Engagement. The agencies in question might not be the best point to set the rules and let's be honest oversight on a congressional level is a bit slow.

I would suggest a nonpartisan group might be suitable for the 'in the interim' consideration of law enforcement tactics but let's be honest.. today 'non-partisan' is a bad word in DC.

We had a closed committee set up for intelligence actions when it became needed to do it.