Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Government Crime Privacy The Internet

FBI Dismisses Child Porn Case Rather Than Reveal Their Tor Browser Exploit (arstechnica.com) 244

An anonymous reader writes: Federal prosecutors just dropped charges against a child pornography suspect rather than reveal the source code for their Tor exploit. Of the 200 cases they're prosecuting nationwide, this is only the second one where the FBI has asked that the case be dismissed. "Disclosure is not currently an option," federal prosecutors wrote in a court ruling Friday. The Department of Justice is still prosecuting 135 different people believed to have accessed an illegal child pornography web site. Before shutting it down, the FBI seized the site and operated it themselves for 13 more days, which allowed them to deploy malware to expose the users' real IP addresses.
This discussion has been archived. No new comments can be posted.

FBI Dismisses Child Porn Case Rather Than Reveal Their Tor Browser Exploit

Comments Filter:
  • by Anonymous Coward on Sunday March 05, 2017 @07:51PM (#53982021)

    Secrecy or Child Pornography...

    We report, you decide.

    • by PoopJuggler ( 688445 ) on Sunday March 05, 2017 @08:19PM (#53982145)
      I posit that it's unethical and treasonous to not disclose the vulnerabilities because those exact same vulnerabilities can be used against our own citizens and government agencies by foreign agents. Imagine if foreign hackers brought down the banking industry causing massive economic devastation using an exploit that the FBI knew about but didn't tell the banks?
      • by ShanghaiBill ( 739463 ) on Sunday March 05, 2017 @08:37PM (#53982223)

        using an exploit that the FBI knew about but didn't tell the banks?

        How many banks rely on Tor?

        • by Pseudonym ( 62607 ) on Sunday March 05, 2017 @08:54PM (#53982281)

          Bank infrastructure is typically less secure than Tor.

          • by lucm ( 889690 ) on Sunday March 05, 2017 @11:08PM (#53982739)

            Bank infrastructure is typically less secure than Tor.

            Bullshit. I have worked for three banks and they all had the best IT security money can buy. One of my current clients has a core switch that's worth more than your house, it's crammed with IDS and IPS modules and whatnot.

            Meanwhile Tor has been the source of many incidents, especially once people started putting up fake nodes.

            • Bank infrastructure is typically less secure than Tor.

              Bullshit. I have worked for three banks and they all had the best IT security money can buy. One of my current clients has a core switch that's worth more than your house, it's crammed with IDS and IPS modules and whatnot.

              Meanwhile Tor has been the source of many incidents, especially once people started putting up fake nodes.

              And yet with all that technology, Tor can't even hold a fucking candle to the global impact Greed and Corruption have caused in the banking industry.

              You can stop your bragging now, since it's clear no amount of security can detect or prevent that insider threat.

            • by AmiMoJo ( 196126 )

              The exploit doesn't target Tor though, it targets the Tor Browser, which is a fork of Firefox. So it is very likely that the exploit exists in Firefox too. We don't know how severe it is, but potentially some bank employee could be compromised by it.

              It's easy to imagine hospitals or air traffic control being hit by ransomware, or foreign powers gaining access to high ranking members government's computers this way. It's unlikely that they would have the kind of extreme IT security in place to avert that kin

            • by Arkham ( 10779 )

              Bank infrastructure is typically less secure than Tor.

              Bullshit. I have worked for three banks and they all had the best IT security money can buy.

              When we are interviewing mobile developers, the ones that come from banks are the worst. They never know how anything works, they have no concept of security, certificate pinning, encryption, buffer overflows or at-rest protection of data. Inevitably the explanation is that they are given a library which "does all that for us". I am not sure what this magical library does, but blind faith is not security and doesn't lead to security. I'm very wary of mobile banking apps as a result. Ever tried to MITM

        • by Anonymous Coward on Sunday March 05, 2017 @09:12PM (#53982337)

          I'll counter, how many CIA agents rely on TOR? "The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online. Onion routing was further developed by DARPA in 1997."

        • It's likely a exploit with Firefox, not your specifically that they don't want patched

        • by gweihir ( 88907 ) on Sunday March 05, 2017 @09:16PM (#53982361)

          This is not a "Tor" exploit. It is a Firefox exploit against the version of Firefox used in the Tor browser bundle. It may well still be exploitable in current Firefox versions, including the one used in the current Tor browser bundle versions. Otherwise there really would be no point in keeping it secret.

          Hence the FBI is actively and knowingly endangering anybody using Firefox. That seems to be legal, but it is hugely unethical.

          • by spineboy ( 22918 )

            I guess the exploit is not too well known, or someone else would have found it, and possibly reported it.

            So if it's not very well known, I guess the FBI feels that the information it can obtain is worth the risk to others who might possibly be exploited by it.

            • by gweihir ( 88907 )

              It may also be known to criminals that use it sparingly and carefully. Or to foreign intelligence agencies that are allowed to do industrial espionage (for example, the French). It may also be become widely known but patching it may require a few weeks. And so on. I think the FBI just does not care.

        • It's not just about Tor; if they won't disclose the Tor exploit they're using, there are certainly others they're holding on to, as well. How many do you think they're keeping to themselves that affect services you use every day? I'll tell you with absolute certainty that the number is not zero.
      • Be fair, there aren't going to be more than a few banks operating on Tor. They will likely be operating bitCoin to real cash services, be somewhat less law abiding than average and charge exorbitant fees.

        At least a decent sized minority part of government would actually be for taking those banks down, with exceptions of course.

      • Government Agencies? Banks? really? since when the fuck did they start using Tor for Business?
        • by lucm ( 889690 )

          Government Agencies? Banks? really? since when the fuck did they start using Tor for Business?

          Since never. This was complete bullshit coming from someone with obviously no experience in this industry.

          Blockchain is getting traction in big business. It's even available on the IBM cloud platform (Bluemix). But this has nothing to do with Tor; for secure networking IBM is working on their own protected network, which will be similar to good old VAN for EDI.

      • by gweihir ( 88907 ) on Sunday March 05, 2017 @09:13PM (#53982351)

        The FBI does not care about prevention. They care about locking up people. Hence this is exactly as they want it.

        • "They care about locking up people"
          This is the FBI organizational mandate and their reason for existing.

        • They care about locking people up so much that they're willing to drop a case rather than present evidence?
          • Perhaps FBI are not that greedy to win one case to loose evidence gathering tool, that can win them many more. Fixing a vulnerability will not limit crime done, so there is little incentive for them to disclose it.
      • I'd argue the misuse of the term "treason" is a sign of mental health issues.

      • I posit that it's unethical and treasonous to not disclose the vulnerabilities

        You posit wrong. Treason is defined in the Constitution, and the legal barrier for treason is so high that only 13 people have ever been so convicted, and two of those were pardoned by the Pres later....

    • by guruevi ( 827432 )

      You mean, which is more important: being allowed to manufacture allegations or being exposed for manufacturing evidence.

      I hope the judge and the defendant doesn't just let this go, you can't just go around accusing people of doing CP and then totally drop it when you have to come up with the evidence.

      In other news: Obama and the FBI also say they never wiretapped US citizens using FISA courts.

      • by spineboy ( 22918 )

        I'll take the optimistic route here and say that the FBI isn't using this on people without cause - e.g. they've found people with CP and are bringing them to court. That should scare them hopefully into stopping. Yes - I'd prefer that they were punished.

        Call me naive, but I don't think they are using this as a smear/insinuation tactic against those who aren't looking at child porn.

    • by mykepredko ( 40154 ) on Sunday March 05, 2017 @10:55PM (#53982707) Homepage

      Where is the point where the crime is so egregious that the FBI is willing to publish the exploit? I presume their keeping the exploit secret because once it's known, it will be fixed and they will no longer be able to monitor the "deep, dark, black, web"?

      What if there was a terrorist attack and the FBI knew about it and sat on it because they thought the expected value of the property and lives lost was less than the value of the exploit and the intelligence received from it?

      Would the FBI (and the US government) be liable for damages because they could have prevented the crime?

      • "Where is the point where the crime is so egregious that the FBI is willing to publish the exploit? "

        Probably prosecution of a live, thwarted US citizen terrorist that they couldn't deport to Gitmo or rendition and could only deal with in US courts.

        They probably looked at the kiddie porn guy and decided he wasn't a high threat based on a propensity of evidence. It makes sense to save this exploit (which all the CIA/US assets already probably have a workaround for) and keep using it against significant crim

      • by Imrik ( 148191 )

        Or rather, does that point even exist? They may feel that it is worthwhile to keep using it to catch as many as they can and just dismiss the cases with competent defense.

      • There is another explanation. They might not want to release it because it might not stand up in court. If it gives them the ability to run arbitrary code on the target machine, if they can places files on that machine, the defendant will claim that the FBI planted those images. I'm no expert on US law but it seems like there would be some issue with the evidence being tainted too, and then everything else i s fruit of the poisoned tree.

      • by johanw ( 1001493 )

        There is a well-known historical case where this decision was made: https://en.wikipedia.org/wiki/... [wikipedia.org]

  • by Anonymous Coward on Sunday March 05, 2017 @07:57PM (#53982041)

    Sounds like there is a very simple formula for defense now and forever for any of their tor tapping. Smart, very smart.

  • by MrCodswallop ( 4739399 ) on Sunday March 05, 2017 @08:02PM (#53982061)
    Interesting, albeit disturbing, insight into the moral compass of the FBI. Secrecy trumps child pornography.
    • Or catching 10 trumps catching 1.

      • by rtb61 ( 674572 ) on Sunday March 05, 2017 @08:16PM (#53982123) Homepage

        Or letting one more child be raped and murder equals what the fuck exactly? Those child porn rings require content and every time a content producer is exposed, an arrest and rescue should immediately occur, 'IMMEDIATELY', fuck future prosecutions.

        • by ShanghaiBill ( 739463 ) on Sunday March 05, 2017 @08:54PM (#53982279)

          Or letting one more child be raped and murder equals what the fuck exactly?

          There are many myths about "snuff films" that record actual murders, but none have ever been verified. In the most famous case Ruggero Deodato [wikipedia.org] was prosecuted for murder, but was acquitted when the actors and actresses that he had allegedly murdered showed up to testify in his defense. It is hard to imagine how some scenes in his films could have been made without killing someone, but they obviously were, since the people "killed" were still alive and healthy.

        • by Harlequin80 ( 1671040 ) on Sunday March 05, 2017 @10:29PM (#53982627)

          This guy was charged with accessing and possession, not creation. If he had been a content creator then prosecution would not have been stopped.

          Lets put this a different way. Would you grant pardon to a person who viewed child porn if it meant you could catch someone who made it? It's the same as offering deals to a street drug dealer to catch their supplier.

          • Even better would be to stop the victimization happening in the first place. The only way to do that, which was suggested in the UK recently and shot down by the majority of reactionary commentators, is to decriminalize viewing such images. Instead focus on helping people who feel attracted to children to get help, discreetly and without threat of prosecution or persecution, to prevent the future crimes they might otherwise commit.

            In the current atmosphere, if someone did feel that way, what are the chances they would go to their doctor and ask for help with a mental illness? No, more likely they will turn to the internet, where there are sites normalizing and justifying their feelings and where the community of fellow paedophiles will accept them.

            The way to protect children is not to catch the offender after they already hurt them, it's to stop them breaking the law in the first place.

            • I agree whole heartedly with this. But I think we are a long long way away from that kind of rational discourse.

              I have 2 young kids and so am involved in lots of conversations around safety, paedophiles and murderers from other parents and their compass for risk assessment is so far off it's scary. They genuinely believe that every public toilet has a child molester waiting inside for the chance to grab their kid. The fact that where I live there are almost no cases of strangers attacking children (it's

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      There's also a possibility that they haven't got anything as much to disclose as they'd like us to believe. Maybe some of the evidence supposedly gathered through the exploit, was instead obtained through another, possibly illegal, method or fabricated.

    • Of course it does, even if consider child porn the worst crime imaginable (I would consider going around killing children worse), disclosing this would mean the vulnerability would be fixed and they would no longer be able to use it to find more offenders. You could still identify them this way and then gather other evidence.8

    • by Gravis Zero ( 934156 ) on Sunday March 05, 2017 @08:24PM (#53982169)

      If you look at it rationally, you will see it's the best approach for getting the highest quantity of jailings versus the highest quality of cases. That seems like the most likely justification. This doesn't address whether they are doing more or less harm than good by withholding the information but I think their view should be obvious.

    • A moral compass that begs realignment. Is the FBI capable of sustaining a fifth amendment plea? If not, then burn them at the stake.
    • I think it is more of a case that they realise the information they have access to is far more valuable than prosecuting one pervert and losing that access to prosecute just one is not a good use of that resource, at least I HOPE that is the reasoning.
    • by gweihir ( 88907 ) on Sunday March 05, 2017 @09:19PM (#53982373)

      Or rather locking people up trumps protecting children. That is also why they kept running the site for 13 days. By the very definition of the DoJ, they committed child abuse for 13 days. Seems to me the FBI is part of the problem now.

      • by joe_frisch ( 1366229 ) on Sunday March 05, 2017 @09:40PM (#53982453)

        Considering that the argument for why distributing and owning (as opposed to producing) child porn is that the images actively harm children, I do not think there is any way to justify the FBI's behavior. I think its been generally established that law enforcement cannot commit felonies in order to gather evidence. Otherwise we could have police informants carrying out gang hits in order to capture higher level crime bosses. This is not the start of a slippery slope, it is well down the slope.

        They can't have it both ways. If the images don't do actual harm to children, the people who posses the images are only guilty of a minor crime. If the images do harm children, then the FBI should destroy them as soon as they are discovered to prevent continuing harm .

        On the central topic there need to be clear rules about what capabilities we want law enforcement to have. It is probably technologically possible for law enforcement to scan all of the records of the great majority of citizens to look for criminal activity. Is that what we want?

        Personally I would vote to reduce surveillance and accept a higher rate of criminal activity.

        • by gweihir ( 88907 ) on Sunday March 05, 2017 @10:38PM (#53982661)

          Exactly. Freedom always includes the freedom to do wrong and a realistic chance to get away with it (depending on the magnitude of the crime). I believe freedom is of critical importance and the only purpose of law-enforcement is to keep crime at a level that society continues to function reasonably well. They are clearly not doing that, or the banksters would all be in prison now for a long, long time. Nobody on recent memory did this much damage to society and individuals.

    • by Ramze ( 640788 ) on Sunday March 05, 2017 @10:50PM (#53982695)

      Maybe, maybe not. Having charges dropped doesn't mean they can't file charges again later as long as it wasn't dismissed with prejudice.

      I think either they are currently using this exploit for other active investigations or they used an illegal exploit and don't want to implicate themselves.

      More likely they're still using the exploit and don't want to tip their hand. They could be monitoring another ring, terrorists, etc. If they give up the code, Tor would release a patch, and they'd be done. Stating that they can't offer up the code "at this time" is their key phrasing... as if there's something important riding on this code remaining a useful tool. Or, I could be wrong and they just want to keep using the tool when and where they can and manufacture alternate evidence to point the finger to the bad guys without disclosing the true source of intel.

    • by Zocalo ( 252965 )
      That was the first thought I had after reading the headline too. I hope everyone keeps that in mind the next time the FBI trots out some variation of the "Won't somebody think of the children..." line to justify some over-reaching surveillance programme they are pushing, because they clearly don't believe it themselves.
    • by houghi ( 78078 )

      Comer on. This has nothing to do with Trump or any other president. This has to do with how policing worksa. They want to have as high numbers as possible and this is not just for the FBI.

      I live in Belgium and I saw some childporn. I reported it to both the provider and the police.
      After a few weeks, nothing had happened, so I informed a newspaper. That day the childporn was gone. So good, so far,

      Well, that is what I thought. I had done this at work. So suddenly the COO stands at my desk and asks me why the

  • Wrong focus. (Score:5, Interesting)

    by Gravis Zero ( 934156 ) on Sunday March 05, 2017 @08:06PM (#53982075)

    The question is if the FBI is actively seeking the child abusing producers of child pornography or if they are really only interested in catching the people who download it. It's all very distasteful but I'm more interested ending the abuse than throwing every twisted individual in jail for a period of time. I understand that it's a global problem which is why governments should work together to stop the madness.

    • by oic0 ( 1864384 )
      Their logic is that the people who pay to view it incentivise its creation. They aren't wrong. It doesn't incentivise it here so much, but in foreign countries where enforcement is null and money is scarce. Honestly though, they need to do research and come up with a real strategy if they want to have an impact. While they're at it, they need to stop publishing names before they have convictions. That's total BS.
      • Re:Wrong focus. (Score:4, Interesting)

        by gweihir ( 88907 ) on Sunday March 05, 2017 @09:40PM (#53982455)

        Actually, it seems that they are wrong. First, most child abuse obviously does not end up on film. That part they are completely ignoring. Second, even if they are not saying it loudly, there are statements by law-enforcement in different countries that there is no "industry" behind child abuse, it is mostly amateur stuff and it is mostly traded without money involved. Incidentally, follow-the-money is something law-enforcement is very, very good at, so if this really was mostly commercial, they would long since have stopped the whole thing with ease.

    • Re:Wrong focus. (Score:5, Interesting)

      by gweihir ( 88907 ) on Sunday March 05, 2017 @09:34PM (#53982419)

      Well, judging from their tactics in "fighting terrorism", they would produce child pornography themselves, if they legally could. They have been producing "terrorists" for a while now. Hence my take would be they have zero interest in in actually doing anything real about the problem because that could dry up the ready supply of downloaders that they can catch and prosecute easily. And with that supply drying up, their funding and power would get reduced. If that is not a perfectly fine motive explaining what they are doing, then I do not know what is.

  • Ran it for 13 days (Score:3, Insightful)

    by Anonymous Coward on Sunday March 05, 2017 @08:18PM (#53982141)

    First I heard it was a month.
    But anyways, they got zero producers.
    Distributed over a million images, which means they revictimized children over a million times. This is their own logic on sharing these images btw.
    None of this is effective. None of this is okay. Get the producers FFS or keep the op going until you do.
    This doesn't feel right at all.

    • by gweihir ( 88907 )

      Indeed. But if they go after the producers (which I have no doubt they could do), they would stop the ready supply of easily identified consumers. And that would cut into their convictions, and hence into their funding and power. It is rather obvious why they do not do that.

  • by rsilvergun ( 571051 ) on Sunday March 05, 2017 @08:37PM (#53982225)
    to get these cases dismissed now? I suppose there's lots of folks that can't afford the lawyer needed to file the motions to request the information correctly (two-tiered justice system for the win). But assuming you're not just bullied into a confession you'll be able to use this to get off scot-free...
  • by Anonymous Coward

    Simply dropping the charges is not enough. The only exception for not divulging method to the courts is National Security. The accused, even if charges dropped, should be able to pursue disclosure of methods. The government should not be able to pick and choose after filing charges unless a valid national security claim.

    • by gweihir ( 88907 ) on Sunday March 05, 2017 @09:50PM (#53982505)

      Child abuse, horrible as it is, does not qualify as "National Security". Also, because they did disclose the name of the accused, they should be sued into the ground after dropping the charges. While it is not pretty, civil liberties need to be defended, even if it means defending scumbags. Otherwise they can just destroy anybody in the future by first publicly accusing them and then dropping the charges, possibly without ever providing any evidence or only fake evidence they then withdraw when asked to prove that it is genuine and how they obtained it. Not good at all.

  • by Anonymous Coward on Sunday March 05, 2017 @10:41PM (#53982677)

    https://arstechnica.com/tech-policy/2015/04/fbi-would-rather-prosecutors-drop-cases-than-disclose-stingray-details/ April 7, 2015

    The FBI actually has a policy to drop cases instead of revealing their detection (spying) methods, to avoid public scrutiny of what they're doing.

    The new document, which was released Tuesday by the New York Civil Liberties Union (NYCLU) in response to its March 2015 victory in a lawsuit filed against the Erie County Sheriff’s Office (ECSO) in Northwestern New York, includes this paragraph: "In order to ensure that such wireless collection equipment/technology continues to be available for use by the law enforcement community, the equipment/technology and any information related to its functions, operation and use shall be protected from potential compromise by precluding disclosure of this information to the public in any manner including but not limited to: press releases, in court documents, during judicial hearings, or during other public forums or proceedings."

    That has to do with their 'Stingray' technology, but I'm sure it applies to any kind of digital surveillance.

    Besides, if they didn't drop the case the court would have probably ruled against them, like what happened in a case that slashdot mentioned last year: https://yro.slashdot.org/story/16/07/13/0411255/us-judge-throws-out-cell-phone-stingray-evidence-for-the-first-time

  • by GuB-42 ( 2483988 ) on Sunday March 05, 2017 @11:04PM (#53982731)

    It's funny how often child porn is used as a justification for more spying.
    But when actually dealing with child porn goes against more spying, well, fuck children, literally.

  • Odd (Score:5, Interesting)

    by Archfeld ( 6757 ) <treboreel@live.com> on Monday March 06, 2017 @01:02AM (#53983015) Journal

    Should the FBI have the ability to not prosecute in a child porn case ? In California there are several types of cases that failure to pursue result in criminal liabilities for the prosecutor's, among them spousal abuse, child abuse, child porn. It is one thing to lack the evidence or documentation to pursue, or to continue to investigate but to dismiss with jeopardy attached should be a crime in itself.

  • Screw Child Porn (Score:2, Insightful)

    by retroworks ( 652802 )
    And anyone here defending it. Most of the arguments against the FBI that I see here follow the logic that "if FBI does X to stop a crime, FBI or some other person might do X for bad reason". So no one can own a software exploit, a gun, or a computer, or a sandwich, if it sets a 'precedent' that someone else could posses such an exploit, gun, computer, etc. Seems to me FBI is making a judgement call, how much they can damage the child porn industry through the prosecution and disclosure of method, and how

Truth is free, but information costs.

Working...