
An FBI Hacking Campaign Targeted Over a Thousand Computers

derekmead writes: In order to fight what it has called one of the largest child pornography sites on the dark web, the FBI hacked over a thousand computers, according to court documents reviewed by Motherboard and interviews with legal parties involved.

Just a month after launch, a bulletin board called Playpen had nearly 60,000 member accounts. By the following year, this number had ballooned to almost 215,000, with over 117,000 total posts, and an average of 11,000 unique visitors each week. Many of those posts, according to FBI testimony, contained some of the most extreme child abuse imagery one could imagine, and others included advice on how sexual abusers could avoid detection online.

But after Playpen was seized, it wasn't immediately closed down, unlike previous dark web sites that have been shuttered by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency's term for a hacking tool.

  • Not hacking (Score:5, Insightful)

    by 110010001000 ( 697113 ) on Wednesday January 06, 2016 @12:26PM (#51249015) Homepage Journal
    They weren't hacking. They were obtaining the IP address of connected machines who were using Tor to access child porn sites. I just call that good investigation. Your IP address isn't private information, just like your postal address isn't.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      They used some form of malware/trojan to extract certain information. That's the greypoint from the FA:

      “Basically, if you visited the homepage, and started to sign up for a membership, or started to log in, the warrant authorised deployment of the NIT,” Fieman said. From here, the NIT would send a target's IP address, a unique identifier generated by the NIT, the operating system running on the computer and its architecture, information about whether the NIT had already been deployed to the same

      • Maybe I misunderstood, but I thought the NIT was placed on the servers hosting the sites (and maybe the Tor nodes) and used flaws in the connecting client computers' browsers to get IP addresses, etc. Probably from the HTTP headers. I didn't think they installed NIT on the client computers themselves. I might be wrong. That is the problem with these sensationalist stories: you never know what they really did. In my opinion if you are just capturing information that the client machine is willing to send (even
        • by Anonymous Coward

          You can't extract certain details like the MAC Address, Computer hostname/username from HTTP traffic alone, unless you've got something running in the browser exfiltrating that kind of information.

          It could be possible to extract most of that information via Javascript, but I'm assuming that most of their targets had NoScript or JS turned off in the Tor Browser (or whatever they used with Tor). I think that kind of information retrieval would fall into the category you're thinking of, active fingerprintin

          • would need a flaw in the browser that is going to send you that information. I'm not sure if that is "hacking", or just monitoring. After all, the client machine initiated the connection to the host machine, which then obtained the information. I doubt there is a law against this. If you connect to my machine why can't I obtain as much information about your machine as I can, using any means? I mean maybe it is hacking, but it isn't clear cut. There are no laws that I know of that say you can'
            • Re:Not hacking (Score:5, Informative)

              by RenderSeven ( 938535 ) on Wednesday January 06, 2016 @01:24PM (#51249493)
              They apparently had a warrant, so it probably doesn't matter if it's hacking or not. However as to what they can collect without a warrant, IANAL but expectation of privacy would almost certainly be the litmus test or at least a factor. A conversation in public is fair game but a conversation in your home is privileged even though "flaws" in your home allow exploits like laser microphones to listen. Some of it comes down to deciding if consuming online media is "speech" and thus (arguably) protected (loss of anonymity can be considered "chilling effect"). Without SCOTUS guidelines it seems to depend on the judge, and what he had for breakfast.
              • If it was A warrant, that warrant is unconstitutional. A warrant has to be specific, and it needs to be supported by probable cause that someone swears is true. If somebody notices what looks like child porn, and is willing to swear to it, a warrant could be issued to search any computers in the house for child porn. A warrant that covers the whole country is not in any way specific.

            • by AHuxley ( 892839 )
              Re "If you connect to my machine why can't I obtain as much information about your machine as I can, using any means?"
              Senator: Let's monitor P2P for illegal files (April 17, 2008)
              "But in about half its cases, for purposes of longer-term tracking, the software captures "unique serial numbers" from the person's computer ... "
              It seems the get a unique "number" policy is an older method that's been used for a while now.
              Is the number created from a larger set of details abo
        • by gweihir ( 88907 )

          So you think all breaking into computers is legal? Because that is all "capturing information that the client machine is willing to send (even via a flaw)". That flaw might make it willing to send, say, 500'000 user data sets.

          If the FBI campaign against freedom hosting is an indicator (or if this is actually the same thing), then they sent malware to the target browser that compromised it via a JavaScript exploit. It then took over the client browser process to determine from the OS what the IP address of t

          • Sort of. A JavaScript-enabled exploit need not be present in some or most cases though. TOR is essentially a tunnel into your network to the destination computer. It's sort of like you had no router to proxy or masq your private ip. Using information from the tcp packet which is necessary to send results from a page view back, you can use simple network tools like angry ip scanner and Xprobe2 almost as if you were on the network.

            You can use different tools to discover the mac address and fingerprint the OS.

            • by gweihir ( 88907 )

              Sorry, but that is bullshit. Sure, it may work if somebody incompetent set up a normal browser to work over TOR, or actually is grossly stupid enough to really set up LAN tunneling over TOR (But to what end? It would not do anything useful...), but with a competent set-up or the TOR browser bundle, there is no way to do what the FBI did without compromising the browser process. And, incidentally, with the freedom-hosting attack, they did exactly this: They sent malcode to the browser and took it over. As fa

              • by gweihir ( 88907 )

                Actually, forget what I said about this being possible on misconfiguration. Your statements are so far removed from how TOR works that I got confused as to what you were saying.

                So: For a client TOR installation, this is impossible without compromising the target browser over an existing (!), client-initiated connection. You cannot initiate a connection, scan, ping or do anything else from the server side to a TOR client. The network will not route your packages. You cannot even address the target as you onl

                • How naive you are.

                  The tor routing has no clue to what or the size of the payload your browser requests. It will route anything sent in response to you connecting to my server. You can in fact run applications over TOR and if you can do that with ease you can also run network tools in response to connections to a server.

                  The browser generally has no firewalling to stop this.

                  • by gweihir ( 88907 )

                    I did say you can attack only within the context of an existing connection. But that is it. If you attempt to send any other packets to the client they will a) be dropped by the TOR exit relay and b) will be dropped on client side, as a client does not open a server socket and hence accepts absolutely no connection requests. In addition, there is not even a way to address the client in these other packets, so the idea does not make any sense at all.

                    The thing is that you cannot "run network tools" against a

      • by kmoser ( 1469707 )

        "From here, the NIT would send a target's IP address, a unique identifier generated by the NIT, the operating system running on the computer and its architecture, information about whether the NIT had already been deployed to the same computer, the computer's Host Name, operating system username, and the computer's MAC address."

        So, basically Windows 10 telemetry.

    • Re:Not hacking (Score:4, Informative)

      by gweihir ( 88907 ) on Wednesday January 06, 2016 @02:35PM (#51250161)

      Except when your software (TOR) does not give out your IP address willingly. Then some kind of hacking/cracking/compromise technique is used and that is highly problematic. In a sane legal system it would also compromise any and all evidence found on the target computers as it typically comes with the ability to change things on the target and do so without trace.

      This cure here may well be much, much worse than the disease. If the targeted group were a different one, this might be called "state-sponsored terrorism." Anybody that believes these techniques are only used against child pornographers is kidding themselves. Just have a look at the history of the FBI.

      • by AmiMoJo ( 196126 )

        It's worse than that. Imagine someone wrote a virus that set up a TOR connection and downloaded a few dodgy web pages into a Truecrypt container with disposable key. Really basic, script kiddie stuff. Now the FBI comes along and arrests everyone they can get an IP address for, and of course because the virus opens the page in a hidden IE window it gets hacked.

        Now imagine some enterprising paedophile writes such a virus and infects as many people as possible, and themselves. They get arrested, but go free be

        • by gweihir ( 88907 )

          Well, pedophile images are already used in scams and, get this, the police in some countries advise people to not tell them about these criminal acts as the very possession of these images is illegal. How completely broken must a law be to have the effect that innocent people cannot tell the police anymore about crimes committed against them? That is just pure evil.

          The scenarios you describe and others like it are actually something that is pretty sure to happen at some time and this is why making the poss

    • by HiThere ( 15173 )

      Not hacking, but it sounds like entrapment.

  • Slippery Slope (Score:5, Insightful)

    by duke_cheetah2003 ( 862933 ) on Wednesday January 06, 2016 @12:32PM (#51249063) Homepage

    Bit of a slippery slope when Law Enforcement is breaking laws to catch criminals. This is not good policing in my opinion. There should be no excuse for breaking the law, especially in an effort to enforce the law. Law enforcement should never be 'do as I say, not as I do.'

    A simple test is.. if a citizen did this to another citizen, would that be against the law? Last I checked, hacking your neighbor's computer and collecting information from it is definitely against the law. (Unless you're Microsoft and say you're going to do it in your EULA, but that's a different can of worms.)

    • by Anonymous Coward

      Police use military equipment and armored vehicles to selectively enforce laws around the US, the slope slipped a looong time ago

      • Police use military equipment and armored vehicles to selectively enforce laws around the US, the slope slipped a looong time ago

        Do you understand how silly you sound?

        How much metal is a vehicle allowed to have before you consider it illegal for a police department to use? Please be specific.

        • by JimMcc ( 31079 )

          How much metal is a vehicle allowed to have before you consider it illegal for a police department to use? Please be specific.

          To keep this on the subject matter I'll quote what Supreme Court Justice Potter Stewart said about porn, "I know it when I see it". Military grade vehicles look quite different than civilian vehicles. You certainly would notice if your local sheriff's deputy started patrolling your neighborhood in a HumVee instead of a Crown Vic.

    • If your neighbor's computer connected to yours, and you collected information about it, is that against the law? If I understood it, they were gathering information of computers which were accessing the sites.
      • by Thaelon ( 250687 )

        What if the connection was accidental/unintentional? Or some rogue process did it?

        More a general question than this specific case, but just a thought.

        • by JimMcc ( 31079 )

          What if the connection was accidental/unintentional?

          According to the FA, the information was only captured when the user started the login process, or started the registration process. I don't know about you, but if I accidentally landed on a child porn website the very first thing I would do would be to get out of it. I certainly wouldn't start to register as a user to the site.

          Or some rogue process did it?

          That's a different issue, but a highly unlikely event.

    • Re:Slippery Slope (Score:5, Insightful)

      by Penguinisto ( 415985 ) on Wednesday January 06, 2016 @12:41PM (#51249151) Journal

      As long as they got warrants (even if they're "John Doe" warrants), they're in the clear, methinks.

      I suspect that it would pretty much follow the same legal framework as wiretapping, albeit the 'tap' is put directly in the 'phone', without knowing fully who owns said phone.

      If this is indeed the case, I have zero problems with it - covertly swipe a website/host via legal means, and use it as a honeypot to catch/trap offenders, using a modified wiretap warrant/framework to 'tap' the computers that connect to said site. Assuming everything is properly documented and that the procedure is transparent enough to stand up in court, you then monitor that user's activities to not only collect evidence but to identify the user behind it.

      The only real problems would be with computers used by multiple individuals, in which case you'd have to suss out which user is responsible. Another problem would be to have a procedure (and malware) in place that doesn't give a defense attorney enough credible ammunition to claim his client was framed, or that evidence was 'planted'. This is why the procedure(s) would have to be transparent to all (it would become that way anyway come the first court case, if the prosecution wanted any hope of winning a conviction.)

      • This is why the procedure(s) would have to be transparent to all

        "In theory" ... they'd also obey their Constitutional restrictions. In the real world, they're lawless and get by on parallel construction. The government was instituted to protect our liberties and now it's our greatest threat against them.

        "When you gaze long into an abyss the abyss also gazes into you."

        • I subscribe to the theory that when you break the laws of a country (i.e. by distributing child porn), you should forfeit the right to be protected by those same laws. I would like to think they got warrants for any intrusion into client computers. Yes, we need very clearly stated rules about what law enforcement is allowed to do, and those rules need to be updated increasingly frequently as technology changes.
          • Yeah I am all for what they did and the way they did it. Your comment however:
            "I subscribe to the theory that when you break the laws of a country (i.e. by distributing child porn), you should forfeit the right to be protected by those same laws"

            is the definition of fascism. No one knows if you broke the law until a jury or judge says so. What you're saying is, let's have no laws set upon the police because they only go after people who are (suspected of) breaking the law. That makes zero sense.

            If we implem

          • Legal protections are for the innocent, yes, but people are innocent until proven guilty in a court of law. Removing protections from someone accused of a heinous crime makes it more likely that law-abiding citizens will be convicted once accused.

      • As long as they got warrants (even if they're "John Doe" warrants), they're in the clear, methinks.

        I suspect you are right but the problem I have is that the only information a judge receives when deciding whether to issue a warrant is provided solely by the LEO and the prosecution. There should be some mechanism for the accused to defend himself against malicious prosecution, IMHO.

        Given the opportunity to only present one side of the story I could paint anyone as a baby-shaking, dog-kicking, drug-dealing, devil-worshiping, child-molesting, panty-sniffing terrorist psychopathic monster.

        What judge is going

        • The warrant process is not a prosecution. It is a check on LEO in gathering evidence that they could not legally or constitutionally otherwise have done. The prosecution will only start after evidence of a crime is collected.

          What you are missing is that they are supposed to inform the judge that there is reason to believe baby-shaking, dog-kicking, drug-dealing, devil-worshiping, child-molesting, panty-sniffing terrorist psychopathic monster is or has participated in a specific crime.

        • I think you need to think through the consequences of giving all potential criminals advance notice of warrants that are going to be served against them.
        • Technically, the prosecution in a legal case should be required to show the entire chain of evidence, under actual rather than theoretical pain of perjury. At that point, the defense lawyer challenges evidence, usually in a pre-trial hearing. If the defense lawyer can show that evidence was gathered improperly, that evidence cannot be legally presented. There isn't currently a requirement to provide names, although the Constitution does say the defendant has the right to confront his accusers.

          That's no

    • Not really, this is the same as turning someone in the mob and using them against others.

      I am against government surveillance, but this seems to be just the government using an illegal site to figure out who is using it. They just kept the site running for a couple weeks to catch and track down its users, who were breaking the law by being on a child porn site.

    • A simple test is.. if a citizen did this to another citizen, would that be against the law?

      Then no one would ever get arrested and put into jail, for any reason whatsoever.

    • The FBI has also confessed to operating a web site that distributes extreme pedo-porn. When will the FBI director be doing a perp walk?
      • by gweihir ( 88907 )

        Indeed. This can only be justified by "regardless of what it is, if the FBI does it it is legal". That does not work with the rule of law and is only possible in a full-blown police-state. As soon as they had the possibility to switch it off, they had both a moral and a legal imperative to do so immediately. In a very real sense, they committed mass-child-abuse.

      • The Franklin Cover-up. The pretense that Government people are altruistic angels guarding over us all is idiotic. People really need to get a grasp of that fantasy and treat it for what it is.
      • I don't know the laws in question. It is possible that they explicitly allow for use by law enforcement for honeypots. There isn't anything automatically illegal about child porn, it's illegal because there are laws specifically against it.

    • by gweihir ( 88907 )

      There is also the little problem that by the way TOR works they have no idea where a target computer is before they break in. This makes what they did "state-sponsored organized crime" if they even caught one user not on US soil and may well make it "state-sponsored cyber-terrorism" in some countries. Not good at all. Just think of the same scenario but with the Chinese doing it (where all pornography is illegal) or the Iranians (where all non-Muslim religious writing is illegal). See the problem?

    • A simple test is.. if a citizen did this to another citizen, would that be against the law?

      I'm not sure that's a good test:

      1) If one citizen deprives another of his liberty, that's kidnapping. If the government does it, it's incarceration.

      2) If one citizen forcibly takes money from another, that's robbery. If the government does it, it's a fine.

      3) If one citizen kills another, that's murder. If the government does it, it's capital punishment.

      Why does this curious dichotomy exist? Because we elect people wh

  • by gQuigs ( 913879 ) on Wednesday January 06, 2016 @12:40PM (#51249135) Homepage

    The issue was did this one warrant let the government hack into everyone who tried to use Tor to connect to this hidden site. Tor prevented the FBI from determining their IP address without further attacks on individual computers. The other issue is if the Judge knew they were authorizing this many computers to possibly be hacked.

    I believe they waited until the user tried to login, create an account, or something like that, so just accidentally browsing to the site shouldn't have triggered the attack.

    From the facts I have from this article, I think the FBI did the right thing.

    • The answer is yes, they did have a warrant, that allowed anyone who logged into the site to be hacked (according to the article).
    • by fermion ( 181285 )
      It did not seem to be a fishing expedition where everyone who passed by was targeted. This seemed to be good police work and shows we don't need to violate civil rights in order to protect the innocent. Creating an account on something like this is pretty much intent to commit a crime. And is no different than working on any other marginal website. When you go to a web site there are all sorts of crap that can be put onto your computer. It is why we have to run so protected now. Any website can be a vec
    • I'm not concerned with the hacking. What concerns me is they hosted a child pornography site. That's kind of like posing as an assassin to catch people who hire hitmen yet carry out the assassination.
      • by Gr33nJ3ll0 ( 1367543 ) on Wednesday January 06, 2016 @01:56PM (#51249789)
        They took over a known child pornography site, and continued to operate it. They used an existing service (not set up a new one) and monitored existing users (nothing about enticing new ones). I don't see this as being hugely different from sitting outside a business known for selling drugs, and writing down the info of everybody who goes in, or tapping the lines, and recording phone numbers. Further they got a warrant to do exactly that.
        • by Anonymous Coward

          it is hugely different, what they did was take over the drug business and continued running it

    • Did they do the right thing by actively facilitating the mass distribution of child pornography?

  • by sgrover ( 1167171 ) on Wednesday January 06, 2016 @01:14PM (#51249427) Homepage

    I haven't seen it in the comments yet, but by seizing the site and NOT shutting it down, the government chose to run a child porn server. Does that not then put them under the same legal scrutiny as those they were investigating? Of course I did not read the article and may be missing a bunch of detail, but if the gov was actively serving child porn, then THAT is a crime in my eyes - regardless if it was a honeypot or not.

    • by guruevi ( 827432 ) <evi AT evcircuits DOT com> on Wednesday January 06, 2016 @01:58PM (#51249809) Homepage

      In the United States, the federal government has sovereign immunity and may not be sued unless it has waived its immunity or consented to suit; there are exceptions for tort and contract law.

      It's a very interesting legal stance if the government says it has sovereign immunity, they claim to have not committed any actions that would invoke the tort exceptions. Therefore, running a child porn website does, according to the government, not do any harm to any potential victims (which is what tort is) and thus dissemination of child porn which is 'illegal because it harms the children', may then fall under first amendment protections just like any other website.

      • by gweihir ( 88907 )

        This begs the question why possession of CP is illegal. The usual argument is that it continues to harm the victims.

  • Didn't the FBI already admit to this in the summer of 2014? Don't see any new information on this topic. I think they actually caught a man that made false bomb threats in Seattle in August 2015 using this very same method.
  • I wonder how many of those 11,000 unique visits were accidental or a product of phishing
    Now granted I think this is deplorable and disgusting (think of the Children!)
    But I think they need to really scrutinize the data that they have so that innocent mistakes/typos/bad linkage are not falsely accused

    • I don't think many people end up on the legendary "dark web" by accident.
    • They won't reliably get convictions for just visiting a website. However, a visit is grounds for further investigation, probably leading to taking copies of all the hard disks in the house. If they find significant amounts of kiddie porn there, they've got a very good case.

  • I'm glad that the site was (eventually) shut down. The article didn't mention it, but I hope the kids in the pictures are all identified, located, rescued if they were still in an abusive situation, and offered a lifetime supply of mental-health help (yeah yeah, I know, some number > 0% of abused children don't need mental help later, but the offer should be there for those who do need it).

    I have little or no problem using these types of warrants if they are used to prevent crimes or identify victims, b

    • I'm talking about something I don't know about here, and will take steps not to know about, but some activities in child porn seem also likely to physically harm the victims as well as causing mental harm. We shouldn't forget about that.

      • by davidwr ( 791652 )

        I'm talking about something I don't know about here, and will take steps not to know about, but some activities in child porn seem also likely to physically harm the victims as well as causing mental harm. We shouldn't forget about that.

        By the time the photograph is taken, the physical harm has already been done (I'm not saying more physical harm won't happen in the moments after the camera is turned off, but it's not directly related to the child porn being created).

        The danger of distribution of child porn outside of controlled environments (law enforcement, clinical/therapeutic environments, etc.) is that it may create a demand for new child porn, which does mean kids getting hurt.

        Distribution of child porn of still-living victims (and w

        • I think we're in agreement here. People physically and mentally hurt by horrible crimes should get the care they need. Distribution of child porn can lead to further mental harm, and can encourage scum to make more such, causing more physical and mental harm.

  • One interpretation of this article is that FBI (or contractors) has non-public, zero-day, or old-but-unpatched vulnerabilities which it is using against client machines to collect information. We assume that only misconfigured machines are vulnerable.

    A benefit of this knowledge is that it may be possible to collect these exploits with a REVERSE honeypot. Simply use a MORE secure browser (Tails in Tails + non-extradition origin + Tor Browser). Then spider the Dark Web but make sure your spider DOES follow post
