I feel like people are getting mad at the FBI for not pulling the trolley car lever in the right way, which is a valid thing to be mad about, but I believe the FBI made the right choice.<p>First, let's not rely too heavily on the analogies with drugs or prostitution. The differences between CP and drugs / prostitution are too large to ignore anyway.<p>CP consumers are often producers as well. That's a fact—you want CP, so you make some yourself and swap it with others to get more. This isn't universal but it's common enough that you should know about it. So the visitors to the CP web site are not all just consumers of CP but many of them are producers as well. This is relevant because you have to weigh the damage of distributing CP against the benefit of catching people who produce CP. People have stated that distribution revictimizes the children, but I would weigh that against the ability to catch people who were either producing their own or at least supporting other producers of CP.<p>So the FBI discovers this server, operates it for less than 30 days with a Tor exploit, and catches 200 people using the site. Yes, the FBI was complicit in the distribution of CP, but rephrased as a trolley car problem, this is basically like <i>not</i> pulling the lever, allowing the distribution to continue for a short time, and using that to catch 200 consumers—and how many of them are producers? You can pull the lever now and stop the distribution of CP, or you can let the trolley barrel down the tracks for a short time and save all these people somewhere else.<p>(People are saying that the exploit may have done damage to other police investigations from other countries—I don't see any evidence that the exploit damaged the computer, merely that it leaked information about the computer.)
This is about the Freedom Hosting hack in 2013. In 2013 Wired wrote<p>> On August 4, all the sites hosted by Freedom Hosting — some with no connection to child porn — began serving an error message with hidden code embedded in the page. Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle [<a href="https://www.wired.com/2013/09/freedom-hosting-fbi/" rel="nofollow">https://www.wired.com/2013/09/freedom-hosting-fbi/</a>]<p>However, as far as we know, unlike the more recent Playpen thing, in the Freedom Hosting case the FBI did not actually serve child pornography, they just displayed an error message. I don't see anything in this article that suggests otherwise.
I think there's a rather extreme hierarchy of wrongs here.<p>1. The crime that utterly dwarfs all others is involving children in the making of child porn.<p>2. After that, the crimes that dwarf all the rest are those that provide financial or practical support to child porn makers. Consuming child porn is generally regarded as one of those, and I'm fine with that categorization.<p>3. I'm sorry, but violating a victim's theoretical privacy by distributing the images a little further doesn't seem to be nearly as big a deal as helping to prevent the next live video of child porn from being made.<p>I'm usually regarded as being pro-privacy, but privacy is not something to be a rabid extremist about. Preventing physical sexual abuse of children, on the other hand, is a fine area for extremism.
This is less like a drug or prostitution sting where the mark is arrested before the contraband can be consumed, and more like a hired hitman sting where the victim is actually murdered.<p>From a moral point of view, child pornography is deontologically wrong. Nothing can justify its existence. Even if such a sting managed to shut down the entire industry, it would be moot to attempt to argue for its moral goodness in consequentialist terms.<p>The FBI could have used other means to establish criminal intent in the visitors to the websites along with the fact that they had used Tor to search out and visit those websites in the first place. They could have made prospective viewers engage in a series of incriminating acts such as requiring them to follow a series of links with the promise of finding the material, or making them refresh the page. There was no need to provide the actual offensive material in order to make a solid case.
I once experimented with a Tor router on a VM that isolated another VM's internet connectivity.<p>The idea was |Stealth VM| --> |Tor router VM| --> |VirtualBox NAT|<p>The Tor router VM was running redsocks[0] to route all TCP traffic through Tor's SOCKS proxy interface. The stealth VM also used Tor's DNS service.<p>That way, even if the stealth VM is compromised, it can't access the internet directly.<p>[0] <a href="http://darkk.net.ru/redsocks/" rel="nofollow">http://darkk.net.ru/redsocks/</a>
My example of an analogy would be like taking over a drug house and putting GPS in each shipment, but still allowing the drugs to get sold and consumed.<p>I'm not sure whether this is OK or not.
I have no love for those who visit child porn on Tor, but in general I am now very wary of the FBI. I can't help but feel it's a powerful organization that's slowly turning into a dark oppressive one. The power grab from the CIA for the Petraeus affair. Using the sensitive nerve of terrorism to demand Apple unlock a phone. Throwing a last-minute wrench in the Clinton campaign. This is not going to end, especially under Trump.
> <i>a Tor exploit of some kind to force the browser to return the user’s actual IP address, operating system, MAC address, and other data. As part of the operation that took down Playpen, the FBI was then able to identify and arrest the nearly 200 child porn suspects.</i><p>So, is getting someone arrested as easy as spoofing their network information and visiting those sites? I can already imagine trolls using this to have people swatted.
It seems like this was related to their seizure of Freedom Hosting, and that they only hosted them for 30 days or less, reading the linked affidavit.<p>So they seized an onion hosting provider that had 23 CP sites, they ran those sites for a few weeks, then shut them down.
I think the clear differential here is that compromising the server and tracking its users while it was in operation by Freedom Hosting would perhaps be "OK" but confiscating the server, moving it to HQ, and then operating the site themselves is decidedly not.<p>Keep in mind, you can't just pause the site and expect your targets not to notice, they had to actively maintain the site (and consider what that means) to keep their targets coming back. It's disgusting and disturbing. And if it's what we know about it, it's also just the tip of the iceberg.<p>At least with Fast & Furious I think it was real criminals running the guns and just a failure to intervene. I think a failure to intervene here would be seen as unacceptable as well. But here we have way more than failure to intervene, they effectively provided the guns and helped run them across the border.
IOW the FBI is directly responsible for the spread and proliferation of child pornography. They've hurt more people than they've rescued.<p>Time to charge the FBI with aiding and abetting. Period. Equal treatment under the law. Period.
<i>That NIT, which many security experts have dubbed as malware, used a Tor exploit of some kind to force the browser to return the user’s actual IP address, operating system, MAC address, and other data.</i><p>That's quite the exploit.
I understand the ban on child porn is justified via the interstate commerce clause:<p><i>Federal jurisdiction is implicated if the child pornography offense occurred in interstate or foreign commerce. This includes, for example, using the U.S. Mails or common carriers to transport child pornography across state or international borders. Additionally, federal jurisdiction almost always applies when the Internet is used to commit a child pornography violation. Even if the child pornography image itself did not travel across state or international borders, federal law may be implicated if the materials, such as the computer used to download the image or the CD Rom used to store the image, originated or previously traveled in interstate or foreign commerce.</i><p><a href="https://www.justice.gov/criminal-ceos/citizens-guide-us-federal-law-child-pornography" rel="nofollow">https://www.justice.gov/criminal-ceos/citizens-guide-us-fede...</a><p>Theoretically, would a general citizen be exempt from the ban if he manufactured his own CD-ROMs, and his own CPUs in-state?<p>It might be illegal for them to operate the sites for extended periods of time. It doesn't seem illegal for them to deploy malware as part of an investigation. I'm looking at (f) here:<p><a href="https://www.law.cornell.edu/uscode/text/18/1030" rel="nofollow">https://www.law.cornell.edu/uscode/text/18/1030</a><p>So the worst that could happen is that the evidence gets thrown out. If they weren't going to otherwise be able to nab the person, the worst that could happen is they lose the case.
50 comments and nobody pointed out that the honeypot sites would attack visitors regardless of their citizenship.<p>Given that 95% of people in the world are not from the US, how many visitors were police officers from other countries, conducting their own investigation?
When I have debates about encryption and surveillance, CP & terrorism are arguments that are difficult to address. I think this solves a part of the problem.
Forget the Firefox Tor browser, use Whonix.<p>Two Virtual Machines, the one you actually use for browsing and stuff only connects through the gateway virtual machine.<p>If an exploit breaks out of the Firefox skin, it is just in the host VM, if it somehow breaks out of the host VM it is in the gateway VM.<p>We could keep going down possibilities, but we are far removed from attack vectors that actually exist.