Web Entrapment

Frightening sting operation by the FBI. They posted links to supposed child porn videos on boards frequented by those types, and obtained search warrants based on access attempts.

This seems like incredibly flimsy evidence. Someone could post the link as an embedded image, or send out e-mail with the link embedded, and completely mess with the FBI’s data—and the poor innocents’ lives. Such are the problems when the mere clicking on a link is justification for a warrant.

See also this Slashdot thread and this article.

Tags: , , , , , ,

Posted on March 27, 2008 at 2:46 PM61 Comments

Comments

Swami Nona March 27, 2008 3:19 PM

Even better, if you leave your wifi open someone can pull up outside your house, open their laptop, connect to your wireless, click on the link and then drive away. Then the FBI gets to seize your computer.

I wonder how many people interested in child pornography now try to find a neighbor’s wifi to leech off of when they go porn surfing. I wonder how long it will be before the warrants cover the entire neighborhood.

Swami Nona March 27, 2008 3:32 PM

@David, Phoenix, AZ

Except that they’d just blame the sender and pass a law against sending links.

jammit March 27, 2008 3:41 PM

I never thought the FBI would stoop to Rickrolling.
Is it even necessary to use a link to an illegal activity? Hasn’t Chris Hansen already proven these guys fall out of the sky and onto your lap? How about buying a domain name that lets you pay for kiddie pics? Credit cards accepted. I don’t think the FBI checked with a lawyer on this one.

Hang on a minute March 27, 2008 3:49 PM

I see the possible threats here, but I’m not convinced of them. For starters, if the feds set up the box and then only hit one or two specific sites, the likelihood of this link getting spammed is low. Especially, if the victims don’t realize that they were captured. Especially, if the box were only up for 2-3 days.

If they take proper precautions, then chances are that rickrolling can’t occur.

Further, the student in question deliberately destroyed his own computer equipment shortly before the feds arrested him. Sounds innocent to me.

Look, I’m not saying that the feds should do this. What I do think is that most people reporting on this are spinning the story in an excessively negative light. Quite probably the threat to innocent people is low.

The worst part seems to be the lack of referring link in the capture. But as that can be forged it might not matter.

jeffd March 27, 2008 4:08 PM

@Hang on a minute:

If I were to drive up to my coworker’s house and connect to his wifi, I could then start trolling the boards and clicking links with the intent of getting him raided by the FBI.

Fred X. Quimby March 27, 2008 4:44 PM

Anyone want to take bets on how long it will be before we start reading stories from the MSM telling us how unsecured wi-fi enables pederast-terrorists?

ax0n March 27, 2008 5:03 PM

Leo Laporte was throwing a fit over this on the most recent TWiT. One of the other speakers (I believe Dvorak) was not convinced it was true.

At this point, there’s very little our government could do to us that would take me completely by surprise.

Valdis Kletnieks March 27, 2008 5:04 PM

@Hang: “What I do think is that most people reporting on this are spinning the story in an excessively negative light. Quite probably the threat to innocent people is low.”

For now, anyhow. However, remember that some of us live in a country where protesters are diverted to “Free Speech Zones” and concepts like requiring wiretap warrants for wiretaps and habeus corpus for political prisoners are considered outdated concepts.

You want to see the real rickrolling fun of this start, wait till the RIAA finds out the FBI has the technical ability to do this, and starts using this method to find filesharers to file lawsuits against… at which point the threat to innocent people will become very high… Oh wait – they already file lawsuits based on merely “a P2P indexer reported the IP address was offering..” so it won’t make any real difference to the RIAA. But that should give you an idea of how/why some of us are worried about the abuses…

Bode March 27, 2008 5:32 PM

I recommend you read this post by law professor and cybercrime expert Orin Kerr. He has worked as a justice department prosecutor and written a law school textbook on cybercrime:

http://volokh.com/archives/archive_2008_03_16-2008_03_22.shtml#1206052151

As Prof. Kerr says, the strength of the case is where the links were located. They weren’t sent out as email, and they weren’t sent out as spam. The posting was completely offensive, on a child pr0n board, and someone clicked. The defendant did not get rickrolled, and the the link did not say “hot britney pics.” Instead, it said “rape of a 4yo, anal and oral.” I assume many of those offended by this law enforcement technique click on this sort of thing for fun, just to see what comes out? I assume you would also be shocked and offended if you were prosecuted for using your rootkit tools to 0wn a vulnerable honeypot computer the FBI put out there?

Finally, regarding wifi: there was evidence on the defendant’s computer (thumbs.db) that the images were downloaded. That evidence wouldn’t exist with wifi theft, and the search warrant and charges would certainly be different.

I am as skeptical as everyone, and agree that this is dangerous and has the potential for abuse. Child porn is pretty horrible, though, and very real. This is not a horseman of the apocalypse, so the right balance has to be struck. I’m curious what sort of techniques Bruce would suggest in this situation.

Anonymous March 27, 2008 5:35 PM

Link prefetching
From Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Link_prefetching

Sites using prefetching

  • Google is the first well-known website that takes advantage of this feature so as to mprove the user experience. If the first hit is considered very probable to be the desired hit, it is assigned as a prefetchable link.

Cairnarvon March 27, 2008 5:49 PM

Entrapment and serious ignorance of technology, in one convenient package!

I hope someone (other than innocent civilians) loses his job over this. Even if the “evidence” doesn’t stand up in court (which it really, really shouldn’t) and no conviction results, even completely unfounded accusations of pedophilia can ruin lives.

sevesteen March 27, 2008 6:31 PM

The original version of this that I read said that clicking on both sets of links shortly after they were posted generated probable cause to search, but was not in itself a charge. I’d be OK if it were done like that, with reservations about minimizing the disruption caused by seizing stuff.

I’ve got a serious problem with clicking on the links being a crime by itself.

Anonymous March 27, 2008 6:38 PM

Fasterfox FAQ
http://fasterfox.mozdev.org/faq.html

What is prefetching?

“Prefetching” is the silent loading of links in the background before you click them. This speeds up browsing because in many cases, by the time you click a link it is already cached on your machine and there is zero load time needed.

By default, Firefox prefetches links which are explicitly marked by the web page designer to be prefetched. This is seldom done in practice, so you rarely benefit from it.

Fasterfox’s “Enhanced Prefetching” causes all of the links on the page to be eligible for prefetching, which leads to a very noticeable difference in snappiness while surfing the web.

Anonymous March 27, 2008 6:44 PM

What’s WebRifle
http://www.bevoni.com/webrifle/index.htm

WebRifle® 2.x is a real-time web surfing accelerator specifically designed for Internet Explorer® to achieve a faster and more effective approach to the internet.

It enhances your web navigation by predicting your need for web pages with a sophisticated algorithm to anticipate hyperlinks and to retrieve web pages before the browser needs to display them. And if you drag&drop some links into WebRifle® control window it will download your links in the background while you are surfing.

. . .

Anonymous March 27, 2008 7:38 PM

@Bode: “Finally, regarding wifi: there was evidence on the defendant’s computer (thumbs.db) that the images were downloaded. That evidence wouldn’t exist with wifi theft, and the search warrant … would certainly be different.”

the search warrant would be different if the image thumbnails weren’t on the defendant’s computer? how, exactly, do you know what’s on the computer before a search warrant is issued?

DBH March 27, 2008 8:56 PM

Anything better? Actually, I’m pretty ok with this. Better techniques would probably bring in the referrer, but, if executed properly, they probably catch pervs. Sort of like that TV show, to catch a predator. Stings work like this, and no one complains when it is drugs or high finance, but somehow internet crime is a problem? And frankly, anyone who clicks on ‘Rape of a …” deserves what they get. My four year old deserves that kind of protection.

sooth sayer March 27, 2008 9:08 PM

@Bruce .. may be FBI “guessed” that folks coming to these sites were likely to hurt little children ..

Anonymous March 27, 2008 9:30 PM

@sooth sayer

‘may be FBI “guessed” that folks coming to these sites were likely to hurt little children’

Your reading comprehension problems are surfacing again, Mr. Sayer. To list a few of them here (yet again):

  1. IP numbers != people
  2. there was no child involved at all in this case — this is thoughtcrime in its purest form
  3. entrapment is illegal in all civilized countries

And so on. But this is all beside the point, isn’t it, Mr. Sayer? If Mr. Schneier’s commentary is so offensive to you, why do you persist in reading it? If you must comment on it anyways, is it too much to ask your remarks make a little sense?

Anonymous March 27, 2008 9:37 PM

@DBH

“My four year old deserves that kind of protection.”

Let’s be blunt, Mr. DBH: the FBI doesn’t give a shit about your four year old.

Let’s go further, laying the entire hand on the table: depending on them for any protection at all is, in my book, tantamount to an abdication of parental duty.

Sadly, Mr. DBH, the plain fact of the matter is that the greatest risk to your four year old is you, not strangers who click on links to non-existent “child pornography”. Statistics from every country on the planet show this is true today, has been true as far back in the past as we can go, and is likely to remain true more or less forever.

markm March 27, 2008 9:48 PM

“They weren’t sent out as email, and they weren’t sent out as spam. The posting was completely offensive, on a child pr0n board, and someone clicked.”

Except that the records the FBI kept don’t really show that someone clicked. They didn’t keep referrer data to show that (absent spoofing) their link was reached through the pr0n board, nor did they do anything to eliminate prefetching and webcrawling robots. That is, (1) some browsers might be prefetching the links before anyone can read the site and decide that’s not what they want, (2) if someone noticed what they were up to, they could have distributed the link with an innocuous description or (3) wrote a malicious script and tried to implant it in other computer, and finally (4) tracing back the IP address is rather uncertain nowadays.

A little more thought could have eliminated (1), (2), and maybe (3): point the pr0n board link to an actual page with an explicit description containing another link with pre-fetching blocked. If you can figure out how to do it without arousing suspicion, add one of those anti-robot routines used in many places to block spam comments, and you can be sure that at least some human knowingly clicked the final link. Determining who it was??? I’d assume that like most internet users in general, most pederasts aren’t computer-savvy enough to anonymize their browsing… Unless they get their kiddie friends to help.

John M. March 28, 2008 12:06 AM

An important point made in the CNET article:

Entrapment: Not a defense
So far, at least, attorneys defending the hyperlink-sting cases do not appear to have raised unlawful entrapment as a defense.

“Claims of entrapment have been made in similar cases, but usually do not get very far,” said Stephen Saltzburg, a professor at George Washington University’s law school. “The individuals who chose to log into the FBI sites appear to have had no pressure put upon them by the government…It is doubtful that the individuals could claim the government made them do something they weren’t predisposed to doing or that the government overreached.”<

What’s really frightening about this is the potential life-destroying act of unwittingly clicking on one of these links or having someone do it on your wifi network. Even being a suspect in a case like this will mark you for life.

ace March 28, 2008 3:51 AM

Out of topic of the main post:

http://www.foxnews.com/story/0,2933,342329,00.html

“Woman Forced to Remove Nipple Ring Piercing at Airport”

“TSA spokesman Dwayne Baird said he was unaware of the incident. There is no specific TSA policy on dealing with body piercings, he said, “as long as it doesn’t sound the alarms.” If an alarm does sound, “until that is resolved, we’re not going to let them go through the checkpoint, no matter what they’re wearing or where they’re wearing it.””

Anonymous March 28, 2008 5:24 AM

“… clicking on one of these links”

@John M. (and others)

The link-prefetching resources in the comments above show that there’s no need for a person to click on one of these links. Merely browsing to the page containing the link is sufficient for some software to HTTP GET and cache the resource on disk.

In other words, the FBI’s assertion that the evidence from their logs shows “intent” is false. The FBI agent and AUSA who made that claim were wrong. They either lied to the court –or, more likely– were simply clueless.

The FBI’s operation should be analogized to setting a trap-gun. That is, a gun with the trigger attached to a trip-wire and left unattended. Trap-guns are illegal in every state that I’m aware of, even when they’re placed in locked buildings with no public access. If you set a trap-gun, and someone gets killed, then you’ll be convicted of murder.

SteveJ March 28, 2008 6:18 AM

To all those going on about link pre-fetching: if it’s a criminal offence to download kiddie porn videos, you guys should probably turn your pre-fetching off while you’re surfing kiddie porn bulletin boards. They’re likely to contain links to kiddie porn, so you should take reasonable precautions against committing an offence by downloading it.

I’m not sure that simply visiting the board shouldn’t be grounds for a warrant to search a PC. If I was caught up in a police raid on a crack-house then sure, maybe I didn’t buy any crack. In fact, maybe I’m a veritable saint, and I was doing voluntary work to help crack-addicts get straight. But it’s reasonable for the police to search my pockets, isn’t it? But the police probably can’t get the access logs for the board (that is, raid the crack-house), whereas they can for their own server (that is, put up a card in the crack-house saying, “to get free crack go to this address”), so they post a link, and search those who follow it.

To those going on about entrapment – yes, the courts have to draw a line between legal sting operations and illegal entrapment. If you want that line moved, lobby your congressman.

In any case, entrapment is when the police encourage a person to commit offence, and then prosecute them for that act. In this case, police are encouraging a person to commit an offence, and then using that act as grounds to obtain a search warrant, in the hope of prosecuting them for multiple other offences of the same nature which they have already committed.

If a prosecution was made simply for downloading the sting file, then I’d share the concerns about entrapment. But that’s not how kiddie porn prosecutions go – when has anyone ever been prosecuted for visiting one URL, as oppose to having a stash of porn on their PC?

@Anonymous:

This is nothing like a trap-gun. Somebody walking through a dark room is not held to reasonably expect to be shot as a result. Somebody following links on a kiddie-porn bulletin board is held to reasonably expect to download kiddie-porn. Furthermore, the question of whether someone can be rightly convicted in the courts of a pornography offence is rather different from the question of whether they can be rightly executed for trespass by an enthusiastic amateur. The two cases are very little alike.

SteveJ March 28, 2008 6:37 AM

“when has anyone ever been prosecuted for visiting one URL”

Sorry, strictly I should have said ‘when else’?

Vosburgh is appealing that this is exactly what happened, so the outcome of that appeal is pretty significant.

I just think it’s incorrect to conclude at this stage that entrapment by this means is a serious threat. And even if does turn out to be that, most of the problem seems to be that “attempting to download a file” is an offence, which is a legislative problem as much as it is one of law enforcement. The way to solve that is to spam federal legislators with innocuous-looking versions of the link, so that they face dawn raids and are motivated to fix the problem.

Anonymous March 28, 2008 7:12 AM

@SteveJ

“To all those going on about link pre-fetching: if it’s a criminal offence to download kiddie porn videos, you guys should probably turn your pre-fetching off while you’re surfing kiddie porn bulletin boards. They’re likely to contain links to kiddie porn, so you should take reasonable precautions against committing an offence by downloading it.”

I didn’t even know link pre-fetch existed until yesterday; I have subsequently disabled it simply because I don’t know what is going to be on ANY page when I pull it. Neither do you. Hell, Bruce could wake up tomorrow and add a link to “child pornography” with some acerbic comment on it, and thousands of people could end up in jail, or, per your “logic”, subject to a dawn raid and full search and seizure.

DBH March 28, 2008 7:13 AM

@anonymous (some irony there)

Individual agents probably are quite concerned about the perversion they see. The agency as a whole responds to political pressure, I agree. And convictions are the yardstick. To those who’ve raised reasonable concerns, let them be addressed, but again, even surfing places which talks about links like the one mentioned are beyond the pale. Having a family member who works in child protective services, yes the odds are small, but the damage and horror done by those few is inestimable. So again, I’m happy they are out there snapping up these pervs.

Anonymous March 28, 2008 7:15 AM

“This is nothing like a trap-gun. Somebody walking through a dark room is not held to reasonably expect to be shot as a result. Somebody following links on a kiddie-porn bulletin board is held to reasonably expect to download kiddie-porn.”

@SteveJ

When an operation like this results in technically-ignorant judge or magistrate mindlessly approving a no-knock warrant, then you’re going to get someone killed.

As far as turning off so-called “compliant” link-prefetching (see the wikipedia article), should people be expected to turn it off while visiting Google? That is the major place where it’s used these days.

And as far as turning off web accelerators like FasterFox and WebRifle (so-called “non-compliant” prefetch), do you seriously believe that the average user knows anything about how they work? Apparently not even FBI cyber-sleuths know about prefetching. Unless they lied to the magistrate.

You are being unreasonable.

Anonymous March 28, 2008 7:27 AM

@DBH

“Having a family member who works in child protective services, yes the odds are small, but the damage and horror done by those few is inestimable. So again, I’m happy they are out there snapping up these pervs.”

I guess this is all a matter of perspective, isn’t it?

On the one hand, we have probably millions (if a full census was possible) of day-in-day-out child abusers, oh, excuse me, parents exacting their pernicious toll upon a similar number of children. Misery to the N’th power.

On the other we have a microscopic fraction of them who brandish cameras and use the internet.

Conclusion: you simply don’t get it.

If I invented a device that, when activated, instantly killed every last pedophile on the planet — literally every single one — the net reduction in risk to your four year old would be essentially unobservable.

This is why if the FBI was truly concerned about the welfare of your child, they would simply arrive at your door and begin the search for evidence. Indeed, there is more evidence to act in this manner than IP numbers appearing in log files.

Anonymous March 28, 2008 7:32 AM

Excuse me:

“there is more evidence”

should read

“there is more cause”

Bruce, edit mode, please!

Anonymous March 28, 2008 7:33 AM

You people should read some of the mainstream publishers’ books about Ruby Ridge and Waco before you support anything the FBI does. (I really wanted to say “idiots” rather than “people”, but most of you are probably just ignorant and misled rather than actually stupid (I hope).)

Jeremy Duffy March 28, 2008 7:51 AM

So….. Why couldn’t I set up a website or series of websites that promise one thing but link to the FBI trap instead?

With all the false positives, it would render the whole thing useless.

Alternatively, I could target an individual I know that I wanted to mess up by convincing them to go to a certain site to play a “game” while the “game” opened a bunch of 1 pixel Iframes to a series of the FBI links.

Crikey. I wonder how many other ways I could think of to attack this if I spent more then 2 minutes on it.

Anonymous March 28, 2008 8:06 AM

@Bilim Haberleri

“Mere clicking isn’t the justification.”

Did you read all that stuff about link pre-fetch? It’s right here, on the page you are reading right now. Just scroll up.

“Its also the context of the link.”

No, it’s the context of the IP number in a log file. And the FBI failed to record any of it … even though they could.

Philippe Bastien March 28, 2008 8:23 AM

Bruce, Would this alter your views on not securing your home wifi access point?

Anonymous March 28, 2008 8:55 AM

http://www.madison.com/tct/news/stories/278693

So, DBH, what do you think? Does the child “protection” service, the police, or the government in general care about the other children in this home? Which do you think is a greater cause of action: negligent homicide — a real, dead, body — or the parents clicking on a link to child pornography that never existed in the first place?

SteveJ March 28, 2008 9:53 AM

@Anonymous:

“When an operation like this results in technically-ignorant judge or magistrate mindlessly approving a no-knock warrant, then you’re going to get someone killed.”

Oh, was the warrant for Vosburgh no-knock? The article said that the officers knocked, lured him to his door at 7am on a pretext and cuffed him – that’s significantly less risky than, say, kicking down the door unannounced at 3am armed with shotguns.

No-knock entries are dangerous, and courts ought to take that into account when issuing warrants, whatever the supposed crime. In a case like this, with no indication of particular preparedness to destroy evidence, I think that a no-knock approach by law enforcers could increase the risk of harm above what is justified by the strength of evidence and the crime in question.

If judges do award warrants “mindlessly”, then that’s a much bigger problem than whether warrants are justified for particular behaviour around particular offences.

“should people be expected to turn [prefetching] off while visiting Google?”

No, but Vosburgh might have had a stronger defence if the link he is said to have followed had showed up in innocuous Google searches (and if his lawyer had found out, of course).

I wonder whether the FBI are still raiding the homes of every American hitting that URL, now that it has been published on non-paedophile sites. I’m going to take a wild guess that they aren’t.

Possibly I am being unreasonable. Certainly the FBI look at best clueless here, and the judge under-informed. Vosburgh has an appeal outstanding and might be innocent. Certainly no porn stash was found, which I confidently guess is what the FBI were expecting. So perhaps I should be more condemning of this particular case, but I reckon others have that covered.

I don’t think the principle is wholly unsound: whatever the possibilities, the fact is that there weren’t any pranksters rick-rolling that URL. And even if there had been, the FBI could cut out a lot of false positives by logging the http-referer. Perhaps the balance should be struck higher, though, so that only multiple pieces of such evidence justify a search. Of course if the FBI started building profiles of visits to particular material by particular IPs, we’d then have the question of whether that level of surveillance is justified.

I still say the basic tactic is sound, but I do agree that this first attempt at it has been faulty, and that reproducing that unchanged on a wide scale would cause serious problems. But I don’t believe the courts are terribly interested in convicting people at random based on single sting downloads, and most prosecutors aren’t either.

rai March 28, 2008 10:25 AM

A number of years ago, in the 90’s the St Paul police set up a sting shop on the east side, they were selling what they told the customers were cloned,stolen phones, and you could make calls on them cheap or whatever,
Then they had a sting where they invited all the customers and then arrested them.
They were acting with the cooperation of sprint.
I had a hard time understanding this, if the property belongs to sprint and they approve this way of selling it. it is not stolen at all, they are just useing JOE ISUZU type of sales, provided by the confused SPPD

Anonymous March 28, 2008 11:09 AM

“Oh, was the warrant for Vosburgh no-knock? The article said that the officers knocked, lured him to his door at 7am on a pretext and cuffed him – that’s significantly less risky than, say, kicking down the door unannounced at 3am armed with shotguns.”

@SteveJ

My understanding, from the McCullagh article, is that in in count 3, Vosburgh was charged with “obstructing an FBI investigation by destroying the devices”, but that charge did not make it to the jury. Further, in count 3, Vosburg was charged with “knowingly destroying a hard drive and a thumb drive by physically damaging them when the FBI agents were outside his home.” He was acquitted of that charge.

These facts lead me to the “bare suspicion” that in the future, the government intends to cite a risk of destruction of evidence as a basis for, in future raids, “kicking down the door unannounced at 3am armed with shotguns”.

Perhaps my “bare suspicion” on this point is less than reasonable here. The administration of this government may firmly believe that no-knock warrants are wholly unsupportable under similar circumstances. I certainly would find them unjustifiable.

As far as logging the referrer goes, referrer spoofing is almost as common as useragent spoofing. Some webmasters may find referrer spoofing wrong, but they’ve been outvoted by ordinary webusers. All in all, once a url has been published, you can’t predict when it will be crawled, copied and republished. And it can be very difficult to determine how a particular GET request was sent–whether by specific human act or by automaton.

Bode March 28, 2008 11:17 AM

Regarding the person who asked how the search warrant would be different, it would not. The difference would be that you would not be convicted, because there would be no evidence that you, or your agent, attempted to download the file.

I understand the great potential for abuse, but what it sounds like what everyone objects to is the fact that “attempting to download child pornography” is illegal. I suspect there are few other situations in which “attempting to download” something is illegal, and so everyone’s real beef is with the law. If the law instead required that you possess child porn to be convicted, we wouldn’t be having this discussion. That is, if any of these defendants had other child porn on their computer (and we have no ability to know right now if that is the case, but I’m sure there are other guilty please out there from this sting) then this thread and the tinfoil hat nonsense wouldn’t be going on.

As far as the guy who said child exploitation isn’t a big deal because it doesn’t really affect too many people, wow. I suppose by that logic you can substitute “rape” for “child rape,” since this is a specialized case of rape (an even worse one, of course). So I assume you’re going to advance those same arguments? This isn’t some dumb 14 year old having sex with a guy she met on myspace, this is absolutely destroying some poor kids life.

Anyway, I want the FBI to follow good rules, and the courts to be sane about this stuff. I don’t see anything that worries me in the way this case was handled — the only charge he appears to have been convicted of is one that we all can agree is the problem. Attempting to download child pr0n is illegal.

bob March 28, 2008 11:24 AM

This is bullshit. Clicking on a link does not make one a pedophile! No one knows what goes on behind server doors, it could have been spoofed 20 ways.

Now, actually downloading a substantial sized photo (20kB+?, as opposed to a thumbnail) might define someone as a pedophile, but it would depend on the photo.

But the actual criminal activity, to me at least, is TAKING PHOTOS OF A CHILD BEING ABUSED, not downloading a picture that already exists and may indeed be fake. If they are actually trying to make the world a better place they should go after people with CAMERAS (defined here as a device for recording visual information) not COMPUTERS (defined as a device for downloading or viewing pre-existing information).

As a side note, I am now glad that I have kept my last 6 computers and 10+ hard drives when I upgraded just to annoy the FBI with having to schlep them all away and examine them if I inadvertently get sucked into into one of these black holes.

derf March 28, 2008 11:33 AM

@Bode
You’re talking about yesterday. Tomorrow, there will be hidden frames on vulnerable websites attempting to download every “4yo anal” link available. Do you really want your name associated with kiddie porn by the FBI simply because your bank’s web application security sucks?

The problem here is intent. Yes, the example guy the FBI caught appears to have intended to look at kiddie porn. However, with a very little malicious help, the “net” the FBI is using could easily have caught an 80 year old grandmother (or anyone else using a browser on the internet) that had no intention of viewing kiddie porn.

dragonfrog March 28, 2008 11:47 AM

@Bode

As Prof. Kerr says, the strength of the case is where the links were located. They weren’t sent out as email, and they weren’t sent out as spam. The posting was completely offensive, on a child pr0n board, and someone clicked. The defendant did not get rickrolled, and the the link did not say “hot britney pics.” Instead, it said “rape of a 4yo, anal and oral.”

Problem is, Prof. Kerr has exactly no way of knowing that’s what happened; even less than the FBI do.

The FBI could easily set up such a link, and one rogue agent also posts an embedded image, i.e. one that gets loaded without clicking, on a site known to be visited by their target (obscure low-traffic message board, anyone?). Lots of message boards allow you to edit your posts after the fact, so hiding the evidence would be easy.

Remember, the FBI has no evidence that the user clicked a link. All they know is that a computer at an IP address initiated a connection to a computer at another IP address. Even the discussions of spoofing this discuss sending a link in a spam message that the victim would have to click on. Even that is being naive – it’s stupidly easy to make the browser load the link without user interaction. How many connections do you think your browser makes without your intervention, when you load a single web page?

There’s not even a mention of their having checked the “Referer:” header of the request, which should be the absolute minimum to establish that there is even a possibility that the connection came via the link the FBI planted.

Note that it would still be easy to fake out the Referrer (e.g. by placing a simple flash or Java applet that sends a request with a spoofed referer, on a site the target visits – this is a technique that’s been seen in the wild by malware authors for a few years now).

AV March 28, 2008 2:14 PM

There are some people posting here who just don’t get it. Don’t you understand that someone malicious can now get people thrown in jail? All they need is one of these urls – they can convince your browser to ‘click’ on it, prefetching or not, via CSRF and/or XSS. And no – you don’t need to be on a kiddie port site, or even a porn site, or anything close to a porn site. This could happen on facebook, or myspace, or slashdot, or CNN.com, or…. here? It’s really not that difficult.

The point is ‘clicking’ on a URL (http get) doesn’t in the least way prove you actually clicked on it, or was even on or near the site that hosted the link. Pack your bags we’re all going to jail.

Anonymous March 28, 2008 2:26 PM

I’m less concerned about SDRF/XSS than I am about the fact that IPs are being used as a 1:1 mapping to a person, more and more as time goes on. Especially in urban areas, what ne’er do well wouldn’t piggyback on a neighbor’s WiFi if it means all suspicion is off of them? And that’s assuming malicious intent to use someone else’s WiFi. Most people with routers I’ve known leave them open (non-techies go with the default settings, always), and when you have multiple open networks your PC will not necessarily connect to your own (“just connect me to a wireless network, I don’t care which” being another paraphrased default setting).

PFilter March 28, 2008 3:23 PM

We just have to trust that those reviewing the ‘evidence’ will realize that Bruce’s site is a shining example of proper nettiquette and good behavior. If you were to be caught in a dragnet because everyone here prefetched some nasty kiddie pr0n, the FBI would be all “Hey, this guys was just browsing security sites. He didn’t really mean to download the kiddie pr0n”.

There is absolutely no chance the FBI would prosecute you on those grounds, right? Since you were browsing a ‘good not evil’ site?

Right?

Right???

Trust in the system.

RAI March 29, 2008 10:03 AM

Pfilter, “trust the system” hell no. The system has been proven to be corrupt when allowed to be the tool of a clique like the JUST US department is now. In a democracy, the people are a branch of government, your duty is to pay taxes, vote for the candidate of someone elses choice, and watch the elected powers and make sure they are not making secret energy deals to raise the price of oil over $100 for thier cronies.

it is not your duty to trust the system, its your duty to check and balance it.

The system as currently run by the undemocratic party will not tell you what they are doing because they are corrupt and they know it.
Time for real and deep change, and only one person is leading that way. the undemocratic party is never going to be competent to solve the troubles it constantly creates.

elegie March 31, 2008 12:45 AM

In 2005, a British individual was convicted under the Computer Misuse Act. From what some have said, the individual carried out two unauthorized security tests on a Web site. According to a Channel Register article, at least one of the tests involved accessing a URL that contained the “../../../” sequence.

http://www.channelregister.co.uk/2005/10/11/tsunami_hacker_followup/

Supposedly, the other test involved a Web form. Specifically, the credit card field had a single quote character entered.

http://www.boingboing.net/2005/10/06/guy-who-was-busted-f.html

(According to another article, the individual had previously given an untrue story regarding their actions. This untruthfulness, which caused difficulty for others, may have significantly contributed to the finding of guilt. Please see http://news.zdnet.co.uk/security/0,1000000189,39226979,00.htm )

Markiy March 31, 2008 10:12 PM

If you bother to read the source articles you’ll see that nobody was convicted from clicking on anything. The clicks were just to establish probable cause for a search warrant.

The contents of the gentleman’s computer was what convicted him. And, no, it wasn’t just stray cache files that could be explained away as inadvertent

Anonymous April 1, 2008 7:42 AM

@Markiy

“If you bother to read the source articles you’ll see that nobody was convicted from clicking on anything. The clicks were just to establish probable cause for a search warrant.”

Well, Markiy, the “source articles” are written in plain, easy to understand, English. Said language includes sentences like this:

“Vosburgh was charged with violating federal law, which criminalizes “attempts” to download child pornography with up to 10 years in prison. Last November, a jury found Vosburgh guilty on that count, and a sentencing hearing is scheduled for April 22, at which point Vosburgh could face three to four years in prison.”

I’ll give you the benefit of the doubt and suggest you different articles. If so, you’ll have to identify them and argue their relevance.

Anonymous April 1, 2008 8:07 AM

Do you know how the Google-bot works?

Let me tell you… There’s this little tiny gnome. In fact, it’s the Google-gnome. And it rides along on little tiny mouse: The Google-mouse!

The Google-gnome rides on the Google-mouse and they drag the Google-bot behind.

The Google-gnome steers the Google-mouse by clicking! “Click. Click. Click” goes the Google-gnome. Right on the Google-mouse’s ears!

And that’s how the Google-bot crawls over the vast world of the wild, wild web. It’s steered by the tiny little Google-gnome clicking the Google-mouse on the ears!

“Click. Click. Click.”

Bet you didn’t know that, huh?

Of course, teh FIBers know that. And that’s why they won’t get a warrant for Google Images.

SynApse April 2, 2008 3:35 PM

What a completely legitimate and effictive way of catching these deviants. Bravo FBI!!!
<img sc=”Kiddiepornsite.com height=1 width=1>

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.