
FBI operated 23 Tor-hidden child porn sites, deployed malware from them

222 points| _qik1 | 9 years ago |arstechnica.com | reply

206 comments

[+] klodolph|9 years ago|reply
I feel like people are getting mad at the FBI for not pulling the trolley car lever in the right way, which is a valid thing to be mad about, but I believe the FBI made the right choice.

First, let's not rely too heavily on the analogies with drugs or prostitution. The differences between CP and drugs / prostitution are too large to ignore anyway.

CP consumers are often producers as well. That's a fact—you want CP, so you make some yourself and swap it with others to get more. This isn't universal but it's common enough that you should know about it. So the visitors to the CP web site are not all just consumers of CP but many of them are producers as well. This is relevant because you have to weigh the damage of distributing CP against the benefit of catching people who produce CP. People have stated that distribution revictimizes the children, but I would weigh that against the ability to catch people who were either producing their own or at least supporting other producers of CP.

So the FBI discovers this server, operates it for less than 30 days with a Tor exploit, and catches 200 people using the site. Yes, the FBI was complicit in the distribution of CP, but rephrased as a trolley car problem, this is basically like not pulling the lever, allowing the distribution to continue for a short time, and using that to catch 200 consumers—and how many of them are producers? You can pull the lever now and stop the distribution of CP, or you can let the trolley barrel down the tracks for a short time and save all these people somewhere else.

(People are saying that the exploit may have done damage to other police investigations from other countries—I don't see any evidence that the exploit damaged the computer, merely that it leaked information about the computer.)

[+] vilhelm_s|9 years ago|reply
This is about the Freedom Hosting hack in 2013. In 2013 Wired wrote

> On August 4, all the sites hosted by Freedom Hosting — some with no connection to child porn — began serving an error message with hidden code embedded in the page. Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle [https://www.wired.com/2013/09/freedom-hosting-fbi/]

However, as far as we know, unlike the more recent Playpen thing, in the Freedom Hosting case the FBI did not actually serve child pornography, they just displayed an error message. I don't see anything in this article that suggests otherwise.

[+] tombrossman|9 years ago|reply
That's correct, the FBI hosted error messages and exploits after taking over, and supposedly did not distribute images of abuse. This point is conspicuously absent from the Ars story.

Motherboard passed on this story but it appears it was too sensationalist for Ars to resist. See thread here for more info: https://twitter.com/josephfcox/status/797070958205038592

[+] CurtMonash|9 years ago|reply
I think there's a rather extreme hierarchy of wrongs here.

1. The crime that utterly dwarfs all others is involving children in the making of child porn.

2. After that, the crimes that dwarf all the rest are those that provide financial or practical support to child porn makers. Consuming child porn is generally regarded as one of those, and I'm fine with that categorization.

3. I'm sorry, but violating a victim's theoretical privacy by distributing the images a little further doesn't seem to be nearly as big a deal as helping to prevent the next live video of child porn from being made.

I'm usually regarded as being pro-privacy, but privacy is not something to be a rabid extremist about. Preventing physical sexual abuse of children, on the other hand, is a fine area for extremism.

[+] Bjartr|9 years ago|reply
Screw chilling effects, I'm going to ask this anyway because being afraid of having these discussions is detrimental to making real progress as a society.

Making the assumption* that some decent fraction of those who consume such media would be sated if they could get it and not move on to actually hurting children. Then couldn't a preventative measure be to take all the existing child porn and make it available to them?

Though I guess that risks normalizing the condition and could lead to it being more commonplace (certainly it would appear so as those who successfully suppress it would hide it less) and if it's more commonplace then the fraction that does still act harmfully upon the impulse could, in absolute numbers, exceed those that do today. Figuring out how things fall would first require a good understanding of the numbers.

*I don't know if this is true or false and would be interested to know if there is existing general consensus on the evolution of seeking out fantasy fulfillment over time in general and how it's affected by free access v. restricted access to related material.

[+] YPCrumble|9 years ago|reply
People who question what the FBI is doing are not "rabid extremist". That combines an ad-hominem and a straw man fallacy in the same line.

You then claim that preventing child abuse is a fine area for extremism. That's an appeal to emotion and also a fallacy.

Perhaps we could debate whether extremism is justified but let's do it without all the nonsense you wrap around your argument to cloud the real question. You say that extremism is justified but all of the reasons you posit as justification are fallacies.

[+] ball_of_lint|9 years ago|reply
The thing is that it's not really about what's right or best, it's about what's lawful.

It is definitely good that this happened and that the people using the sites for CP were identified and caught.

It is scary for the FBI, an agency that upholds the law, to break the law, even if it is for good reason.

[+] Zuider|9 years ago|reply
This is less like a drug or prostitution sting where the mark is arrested before the contraband can be consumed, and more like a hired hitman sting where the victim is actually murdered.

From a moral point of view, child pornography is deontologically wrong. Nothing can justify its existence. Even if such a sting managed to shut down the entire industry, it would be moot to attempt to argue for its moral goodness in consequentialist terms.

The FBI could have used other means to establish criminal intent in the visitors to the websites along with the fact that they had used Tor to search out and visit those websites in the first place. They could have made prospective viewers engage in a series of incriminating acts such as requiring them to follow a series of links with the promise of finding the material, or making them refresh the page. There was no need to provide the actual offensive material in order to make a solid case.

[+] omribahumi|9 years ago|reply
I once experimented with a Tor router on a VM that isolated another VM's internet connectivity.

The idea was |Stealth VM| --> |Tor router VM| --> |Virtual Box NAT|

The Tor router VM was running redsocks[0] to route all TCP traffic through Tor's SOCKS proxy interface. The stealth VM also used Tor's DNS service.

That way, even if the stealth VM is compromised, it can't access the internet directly.

[0] http://darkk.net.ru/redsocks/

[+] omribahumi|9 years ago|reply
Why is this being downvoted? The topic might as well be Tor user exposure with malware. I'm not trying to encourage CP consumption.

[+] unethical_ban|9 years ago|reply
My example of an analogy would be like taking over a drug house and putting GPS in each shipment, but still allowing the drugs to get sold and consumed.

I'm not sure whether this is OK or not.

[+] 75j|9 years ago|reply
Here's mine...

The FBI discovers a child prostitution ring and infiltrates it, but keeps running it and forces the children to have sex for a month to ensnare more customers.

If one accepts the idea of re-victimization, then I'm not sure how what the FBI did here can be considered acceptable, or any different than the analogy above.

[+] jakewins|9 years ago|reply
As noted elsewhere in the thread - FBI did not continue to serve child porn off of those sites, it swapped it to an error message that served malware targeting the Tor browser.

[+] ajross|9 years ago|reply
This runs afoul of drug legalization morality. Drug trade may be bad for society, but to lots of people it's not an unambiguous universal evil.

Here's a better one: Fighting sex trafficking by abducting and selling children, but training them to rat on their captors first. I think that better captures the disaster that this is.

Not that it matters at this point. The new administration is going to give these folks a medal.

[+] agumonkey|9 years ago|reply
I'm pro depending on the context, gravity and overall plan. If a gov operates a drug house for some time in order to shut down 50% of the market for 30x that time (one month of bad for 3 years of massive improvement) then I'd accept.

[+] cookiecaper|9 years ago|reply
It feels like a pretty typical sting-style operation to me. Undercover ops usually require some degree of temporary cooperation with the illegal activity in order to shut it down permanently.

[+] chickenbane|9 years ago|reply
I have no love for those who visit child porn on Tor, but in general I am now very wary of the FBI. I can't help but feel it's a powerful organization that's slowly turning into a dark oppressive one. The power grab from the CIA for the Petraeus affair. Using the sensitive nerve of terrorism to demand Apple unlock a phone. Throwing a last-minute wrench in the Clinton campaign. This is not going to end, especially under Trump.

[+] uniclaude|9 years ago|reply
> a Tor exploit of some kind to force the browser to return the user’s actual IP address, operating system, MAC address, and other data. As part of the operation that took down Playpen, the FBI was then able to identify and arrest the nearly 200 child porn suspects.

So, is getting someone arrested as easy as spoofing their network information and visiting those sites? I can already imagine trolls using this to have people swatted.

[+] openasocket|9 years ago|reply
It would be really difficult to spoof the IP address and create valid TCP connections. Plus, your method would only work if you knew in advance that certain sites were currently being used in a sting operation. If you could figure that out, that kind of defeats the purpose of a sting operation.

[+] ikeboy|9 years ago|reply
It seems like this was related to their seizure of Freedom Hosting, and that they only hosted them for 30 days or less, reading the linked affidavit.

So they seized an onion hosting provider that had 23 cp sites, they ran those sites for a few weeks, then shut them down.

[+] sschueller|9 years ago|reply
Isn't the whole issue the exploitation of children? As in the FBI should be going after the creators and distributors not become a distributor.

[+] stephengillie|9 years ago|reply
It's the "War On Drugs" model, where they chase the end-users and end-distributors, but don't stop the problem at the source. Occasionally, they hit a big target and make a big show of it, but most of what they do is police the populace.

[+] zaroth|9 years ago|reply
I think the clear differential here is that compromising the server and tracking its users while it was in operation by Freedom Hosting would perhaps be "OK" but confiscating the server, moving it to HQ, and then operating the site themselves is decidedly not.

Keep in mind, you can't just pause the site and expect your targets not to notice, they had to actively maintain the site (and consider what that means) to keep their targets coming back. It's disgusting and disturbing. And if it's what we know about it, it's also just the tip of the iceberg.

At least with Fast & Furious I think it was real criminals running the guns and just a failure to intervene. I think a failure to intervene here would be seen as unacceptable as well. But here we have way more than failure to intervene, they effectively provided the guns and helped run them across the border.

[+] aezell|9 years ago|reply
This is the same as cops offering to sell drugs or sex and then busting the buyers.

[+] mikeash|9 years ago|reply
Except that when the cops run drug or prostitution stings, they don't actually provide drugs or sex, do they? I thought they offered without actually having the product, then nail the buyer based on their intent to buy.

Actually providing the sting targets with illegal material seems a lot shadier.

[+] foobarbecue|9 years ago|reply
It's a little bit like that in certain ways, but it's certainly not the same. They simply didn't turn off the servers immediately after gaining control of them.

[+] namecast|9 years ago|reply
That depends: do they typically bust the buyers after they've bought real drugs and already used them? It's all fake bags of white powder that never get used, yeah?

For me this sort of hinges on whether actual child pornography was distributed (and then, I imagine, consumed and re-distributed by pedophiles) in the name of making a bust.

[+] lightedman|9 years ago|reply
IOW the FBI is directly responsible for the spread and proliferation of child pornography. They've hurt more people than they've rescued.

Time to charge the FBI with aiding and abetting. Period. Equal treatment under the law. Period.

[+] ethanbond|9 years ago|reply
> They've hurt more people than they've rescued

source?

[+] smaili|9 years ago|reply
That NIT, which many security experts have dubbed as malware, used a Tor exploit of some kind to force the browser to return the user’s actual IP address, operating system, MAC address, and other data.

That's quite the exploit.

[+] MichaelBurge|9 years ago|reply
I understand the ban on child porn is justified via the interstate commerce clause:

Federal jurisdiction is implicated if the child pornography offense occurred in interstate or foreign commerce. This includes, for example, using the U.S. Mails or common carriers to transport child pornography across state or international borders. Additionally, federal jurisdiction almost always applies when the Internet is used to commit a child pornography violation. Even if the child pornography image itself did not travel across state or international borders, federal law may be implicated if the materials, such as the computer used to download the image or the CD Rom used to store the image, originated or previously traveled in interstate or foreign commerce.

https://www.justice.gov/criminal-ceos/citizens-guide-us-fede...

Theoretically, would a general citizen be exempt from the ban if he manufactured his own CD-ROMs, and his own CPUs in-state?

It might be illegal for them to operate the sites for extended periods of time. It doesn't seem illegal for them to deploy malware as part of an investigation. I'm looking at (f) here:

https://www.law.cornell.edu/uscode/text/18/1030

So the worst that could happen is that the evidence gets thrown out. If they weren't going to otherwise be able to nab the person, the worst that could happen is they lose the case.

[+] alexmingoia|9 years ago|reply
Good idea, but that defense has already been rejected by the Supreme Court twice. Their reason? I kid you not... "the butterfly effect". The Supreme Court considers any activity that doesn't leave the state to possibly affect interstate commerce so they can regulate everything with that clause. See Wickard v. Filburn and most recently Gonzales v. Raich. Prepare to be enraged.

[+] js_what_|9 years ago|reply
I would say the worst that could happen is the FBI is knowingly distributing child pornography, providing access to illegal materials and re-victimizing minors.

[+] LeifCarrotson|9 years ago|reply
> Theoretically, would a general citizen be exempt from the ban if he manufactured his own CD-ROMs, and his own CPUs in-state?

I would be seriously impressed if you could manufacture your own computer capable of accessing the Internet and displaying an image from a single US state. Semiconductor manufacturing, networking software, electronics manufacturing, and so on are thoroughly global industries.

But even if you could, in the end, they're using this clause from the constitution:

> To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.

to give them jurisdiction in cases of Internet child pornography.

The entity determining whether or not this jurisdiction is valid is not like a computer program that will look at a homebrew computer, check where all the parts came from, look at the text of the law, and say "Whoops, nothing in this case crossed state lines, we don't have jurisdiction, you're free to go."

I see this attitude on HN way too often.

Instead, remember that it's a bunch of humans who considered the problem of child pornography, chose to fight it, and only then looked for a source of jurisdiction. That source does not actually need to be valid (not that I actually dispute that the FBI should have jurisdiction when US citizens commit crimes using the Internet), but it's important to realize that it only needs to be strong enough to stand up to the political will to oppose it. And there are no prosecutors with a will or the political power to oppose the FBI for going after sexual predators.

This state of affairs probably results in some overreach. But even considering the potential problems with this approach taken to the extreme, I find it extremely hard to align myself against the FBI. What if the FBI operated honeypot sites with zero-day exploits inserted for them by Microsoft, Apple, and Google, hacking modems and demanding ISPs snoop on their users, opposing HTTPS rollout, and generally causing great harm to law-abiding users of the internet? But these actions protected kids? How much harm would it take to shift my allegiance into opposing the FBI? Scary stuff.

[+] 15155|9 years ago|reply
The wheat you grow for your family affects the market which is in another state - your family no longer buys wheat, reducing demand.

[+] eeZah7Ux|9 years ago|reply
50 comments and nobody pointed out that the honeypot sites would attack visitors regardless of their citizenship.

Given that 95% of people in the world are not from the US, how many visitors were police officers from other countries, conducting their own investigation?

[+] clarry|9 years ago|reply
And how many people were not visiting these sites to obtain child porn?

Quite recently, I ended up on an image board [whose name suggested to me it's got to do with topics such as freedom of speech] I hadn't heard of before, with sections whose short names meant nothing to me. So out of curiosity, I opened the first one.

Well, that board is no more.

[+] draw_down|9 years ago|reply
Hmm, my concern is more that the US government actively peddled CP, rather than some non-American CP users getting owned.

[+] revelation|9 years ago|reply
Not to mention that they would attack visitors regardless of the existence of any search warrant.

[+] antoineMoPa|9 years ago|reply
When I have debates about encryption and surveillance, CP & terrorism are arguments that are difficult to address. I think this solves a part of the problem.

[+] forthwoart|9 years ago|reply
> FBI operated 23 Tor-hidden child porn sites

Uh, what? I don't think the end justifies the means here

[+] centizen|9 years ago|reply
Out of context this sounds much worse than it is - the FBI forcefully took control of a hosting network that included 23 child-porn service sites. They then used it as a platform to serve malware to the visitors of the sites. Within a month, they shut down the websites.

[+] foobarbecue|9 years ago|reply
You might want to read beyond the clickbait headline.

[+] api|9 years ago|reply
Doesn't this show that yes you can do police work in the post crypto age?

[+] pmlnr|9 years ago|reply
This is not that trivial to answer. In this case, the FBI went against the law by operating these servers - a typical case of "the ends justify the means". Should we allow police work not to play by the rules? That usually doesn't end well.

[+] revelation|9 years ago|reply
The FBI used a Tor Browser Exploit instead of disclosing it responsibly. If this is police work in the post crypto age, then we are all going to be a lot less secure.

[+] Raphmedia|9 years ago|reply
They arrested the stupid users. Pedophiles are not known for being among the brightest. Those people downloaded the Tor browser and blindly started browsing on it.

It wouldn't have been so easy to get information on 200 real cyber criminals.