The FBI is running a new entrapment operation. It's designed to bait Internet users into following links to supposed child pornography sites. The idea seems to be that recording the IP addresses of users clicking on those links, and then acquiring the identity of the addresses' owners from ISPs will allow them to know whose doors heavily-armed law enforcement should go kick down.
This is so appallingly stupid for so many reasons that it's difficult to even know where to begin. But let me grab a second cup of coffee and give it my best shot.
UPDATE: Please see addendum.
Let's start with the original report, courtesy of Declan McCullagh over at CNet News: FBI posts fake hyperlinks to snare child porn suspects. Declan writes (in part):
The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.
Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images.
A CNET News.com review of legal documents shows that courts have approved of this technique, even though it raises questions about entrapment, the problems of identifying who's using an open wireless connection -- and whether anyone who clicks on an FBI link that contains no child pornography should be automatically subject to a dawn raid by federal police.
Declan goes on to explain how this works -- and his explanation is well worth reading, so I ask that you please do so. But the gist, if you don't have time, is that they're putting up bait, promoting the URL where it lives, and then waiting for something like this to show up in the web server logs:
1.2.3.4 - - [24/Mar/2008:11:10:23 -0400] "GET /foo HTTP/1.1" 206 1809
That's an Apache web server log entry showing that made-up IP address 1.2.3.4 retrieved the page named foo from the site in question, that is the URL http://www.example.com/foo. So with that in hand, if I were the feds, I could track down the owner of the network that 1.2.3.4 resides in, serve them with a subpoena compelling them to reveal what customer is at that address and where they live, and then send in the jack-booted gun-waving stormtroopers, all the while waving the "we must do it for the chillllldrunnnnnnnnn" flag and claiming that any who object are slavering kiddie-porn supporters.
Except...this is all completely worthless.
There are many reasons why; here's the first ten that I thought of -- and no doubt I'm overlooking many, probably even some more noteworthy than these:
1. Malware. Nothing stops the virus or worm du jour, if you're on a system vulnerable to those sorts of things, from infecting your system and then issuing an HTTP request for the boobytrapped link.
2. Dynamic IP addresses. On many networks (especially dialup, DSL, cable, and wireless plus many university and corporate subnets) computers don't have a fixed IP address. They have a dynamic one, that's assigned out of a pool every time they connect. So "the person who was at 1.2.3.4 at 10 AM EDT" may not be "the person who was at 1.2.3.4 at 11 AM EDT". Some networks try to track this, some don't; some do a reasonably good job, some don't; but the bottom line is that trying to backtrack through dynamic allocation records requires excruciating attention to detail before and after the fact, and almost nobody gets it right.
3. Proxies/firewalls. Some sites route all HTTP requests through a proxy or firewall, in order to better manage their network or secure it or use censorware. So there might be 50 people behind the requests that are coming from 1.2.3.4.
4. Open wireless connections. Many people deliberately or accidentally leave their wireless connections open in order to share them. So an HTTP request from 1.2.3.4 might not come from its owner, but from a guest.
5. Spoofed URLs/link names. It's not hard to disguise http://www.example.com/... as something else; for instance, http://www.example.com/... is a rudimentary attempt in that direction. (Yes, you can safely click on that one, and yes, it's entirely SFW despite the title, and yes, if you like books, you really should, although you're going to spend the next 10 minutes staring at it and not paying any attention to me.)
6. Link pre-fetching in browsers. Some web browsers have this feature switched on. What it means is that when you go to a given web page, the browser automatically, in the background, begins fetching everything pointed to by any link on that page. The idea is that you're somewhat likely to follow one of those links anyway, so pre-fetching them will subjectively speed up the browsing experience.
7. NAT (network address translation). Many networks only have a limited number of IP addresses, or don't wish to make their internal network numbering visible publicly. They may use NAT to cause the outside world to see only the address 1.2.3.4, while internally they're using all or some of the 254 available addresses in the network 192.168.0.0/24 (192.168.0.1-192.168.0.254).
8. Web crawlers (spiders) and other bots. Anything automated that's just blindly working its way through a list of URLs -- perhaps a list derived from a web cache or similar -- will follow the link if it's referenced in anything it's already got.
9. Invisible framing. It's possible to use this technique to set up an innocuous web site which will -- when accessed -- silently and invisibly access the target URL in the background.
10. URL shorteners (e.g. TinyURL). Many people use these (although they shouldn't) to reduce lengthy URLs to something much shorter. This conceals the actual destination of the link, which means anyone following it won't know what they've done until they've done it.
I could add still more: hijacked systems (covered in my diary entry How Room 641A proves you're a terrorist), text-only browsers, HTTP redirectors, blog comments, open proxies, and I'm sure many of you could too. Heck, I could just view the link (not its contents), write it down, and then go around typing it into any computers I walk by that don't have the screen locked and have a web browser installed. But the bottom line is that there are so many blindingly obvious ways for this to go horribly wrong that it has absolutely zero evidentiary value.
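A worked illustration of the dynamic-address problem in point 2, added here as example code (it is not from the original post, CNet, or any investigator): it parses the Apache log line quoted above, converts the -0400 timestamp to UTC, and checks it against a constructed set of DHCP lease records for 1.2.3.4. The lease records, the client names and the five-minute clock-skew allowance are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

def parse_apache_log(line):
    """Return (client_ip, request, status, utc_timestamp) for one log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a common-log-format line")
    ip, ts, request, status, _size = m.groups()
    # The bracketed time carries the server's local offset (-0400 here);
    # %z folds it in, and astimezone() yields an instant comparable to
    # lease records kept in UTC. Mixing the two zones is the classic mistake.
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return ip, request, int(status), when

def candidates_for_hit(ip, when, leases, skew_seconds=300):
    """Every lease that could have held `ip` at `when`, allowing the web
    server's and DHCP server's clocks to disagree by `skew_seconds`.
    More than one candidate means the hit cannot be pinned to one host."""
    skew = timedelta(seconds=skew_seconds)
    return sorted(
        lease["client"] for lease in leases
        if lease["ip"] == ip
        and lease["start"] - skew <= when <= lease["end"] + skew
    )

# Constructed sample data: the log line from the post plus two made-up
# DHCP leases that hand 1.2.3.4 from one client to another at 15:10 UTC,
# i.e. within a minute of the request (11:10:23 -0400 == 15:10:23 UTC).
SAMPLE_LOG = '1.2.3.4 - - [24/Mar/2008:11:10:23 -0400] "GET /foo HTTP/1.1" 206 1809'
SAMPLE_LEASES = [
    {"ip": "1.2.3.4", "client": "host-A",
     "start": datetime(2008, 3, 24, 13, 0, tzinfo=timezone.utc),
     "end":   datetime(2008, 3, 24, 15, 10, tzinfo=timezone.utc)},
    {"ip": "1.2.3.4", "client": "host-B",
     "start": datetime(2008, 3, 24, 15, 10, tzinfo=timezone.utc),
     "end":   datetime(2008, 3, 24, 17, 0, tzinfo=timezone.utc)},
]

def attribute(line=SAMPLE_LOG, leases=SAMPLE_LEASES, skew_seconds=300):
    """Map one log hit to the set of hosts that might have produced it."""
    ip, _req, _status, when = parse_apache_log(line)
    return candidates_for_hit(ip, when, leases, skew_seconds)

if __name__ == "__main__":
    print(attribute())  # ['host-A', 'host-B']: two candidates, not one person
```

With the skew allowance set to zero the same lookup returns only host-B, which is exactly the kind of false confidence a naive lease lookup produces.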
Yet we know things like this will be used to threaten and arrest the innocent:
Well, all said and done, apparently someone accessed an IRC server/channel that was distributing CP. The department of Emmigration and Internal Customs busted in 3 months later while my wife (gf then) and I were asleep. Pistols in the face, flashlights, the whole nine yards. They confiscated all of my computer equipment, my cat5s, my cds, my wife's home videos, my camera, and my hub. Yep, they even took my hub.
It took us almost 11 months and tons of paperwork to get our stuff back, even after proving there was no way in hell we were home when the supposed infraction occurred. No charges were ever pressed, but it cost me $7,000 in lawyer fees [...]
He's describing an incident in which someone took advantage of a wide-open household network -- and left the consequences for the residents. (Note that EIC took everything remotely related to computing, including network cables ("cat5s"), and held it for months despite the fact that no charges were ever filed. This is a recurring pattern in these kinds of raids: those conducting them don't seem able to tell the difference between a disk and a wire. This doesn't augur well for their ability to grasp more complex concepts, such as "not everything on a computer system's disk was put there via deliberate actions of its owner".) Another Slashdot commentator astutely supplies the reason why things like this keep happening:
While this particular investigation may not raise many eyebrows, this could be a very bad precedent for future investigations. Once courts and juries routinely accept that clicking on links believed to be child porn=being a child pornographer=molesting children, anything goes. Literally anyone could be tricked into being directed to such a link.
[...]
A search warrant based on clicking links is very troubling. Before obtaining the warrant there was no evidence whatsoever that the suspect had ever even viewed child pornography, and of course the link the Feds provided didn't actually link to any.
The war on child pornography is expanding every year. More police are hired to investigate it, more funds are allocated for it, and penalties are made ever-harsher.
[...]
At some point you have to wonder whether the damage this zealousness causes (throwing college students in jail for decades for possessing some pictures) is worth the benefits. The argument that child porn possessors are creating a market for the material grows ever more tenuous, as fewer investigations seem to be centered around people who pay or provide other compensation for child pornography, but rather are focused on downloaders and traders. Unfortunately, it seems there will be no rational discussion about these investigation techniques or the laws themselves anytime soon, since it seems that there is an army of millions who froth at the mouth anytime they hear the words "child pornography" and cannot or will not draw distinctions between viewing pictures and videos and actually committing sexual abuse.
"Literally anyone could be tricked into being directed to such a link."
You. Me. Politicians, activists, your Aunt Beatrice, your kid.
And the last paragraph of those remarks captures it in a nutshell: anyone who questions whether this should be a priority, or whether the investigative techniques are valid, or whether oft-asserted links between actual child abusers and child pornography are what they're claimed to be, or pretty much anything that even gets near this will be instantly demonized as a supporter of kiddie porn, and that's the end of the conversation. Forget race, or entitlements, or anything else as the supposed "third rail" of political discourse: this trumps them all, which is why few, if any, politicians want to be anywhere near it. Unless they're pronouncing their unswerving allegiance to anything and everything that supposedly has value in "fighting kiddie porn", no matter how incredibly stupid, illegal or unconstitutional it is.
I hope it's not necessary for me to state at this point that I strongly oppose the exploitation, abuse or mistreatment of children. The fact that I feel compelled to type that out and stick it in here is probably an apt reflection of the current environment. This no doubt also explains why I've cut-and-pasted this paragraph several times while vacillating between leaving this disclaimer in or leaving it out. So please be assured: as some of you have no doubt surmised by now if you've read my other diaries, a large part of my work involves tracking down the scum of the Internet. However, I believe it's not only possible to do so without harassing the innocent, but that it's the obligation of every anti-spammer, anti-phisher, anti-CP, etc. and of course every law enforcement officer to do exactly that.
Anyway, let's step back for a moment: don't you think the feds know all of this? That (a) this investigative technique is hopelessly broken and (b) it can be used to entrap anyone at any time and (c) that anyone who points out (a) or (b) can easily be marginalized by beating the "we must do it for the chillllldrunnnnnnnnn" drum as loudly as is necessary to drown out their voice?
If that's true, then the question "So why are they doing it anyway?" really needs to be asked. And not here: it needs to be asked live on network news (with appropriate accompanying demonstration), and not by someone who will meekly accept the claim that it works -- because we all know it doesn't, it won't, and it can't.
ADDENDUM: The full impact of points 1-10, plus the others I laundry-listed just after those, plus others I didn't mention, doesn't seem to be clear. So let me try to clarify: these techniques allow me or any other sufficiently-clueful person to not only cause YOUR computer to hit the links in question, they'll also allow me to plant evidence on your system so that when they use the hit on the link as probable cause, get a warrant, and come after you, they'll find exactly what they expect to find. How difficult it would be for me to do this to YOUR computer depends, of course, on how well-defended it is. If you're running Windows then chances are good that your system is already compromised, so most of the work has been done for me. (If you're running IE or Outlook, then those chances get much better. For me.) If you're running FreeBSD with the firewall turned on, using Firefox with scripting turned off, etc., then I'll have a much more difficult time of it.
How much help I'd need from you in pulling this off ranges from "absolutely none" (system already compromised and access rights available for purchase on the open market, or system vulnerable to well-known easy-to-launch remote attack) to "trivial" (I use social engineering techniques to get you to do something different from what you think you're doing). Like most people who work in the security/privacy field, I've seen thousands of system/network/human exploits -- and I only need one to work.
There are (depending on whose estimate you like) something between 100M and 320M already-compromised systems on the Internet today. That means 12% to 40% of all connected systems have already been taken over by someone other than the people who still labor under the delusion that they own them. Many of the rest are equally-vulnerable and just haven't been compromised. Yet. That in turn means that if someone wishes to occupy law enforcement with pointless misdirected raid after raid, it will be trivially easy for them to do so. It also means that if someone wishes to target a specific person -- say, over a personal grudge -- there's a decent chance they can do it. Not only will this wreck some number of completely innocent lives, but every dollar, every minute spent on this fool's errand is a dollar or a minute NOT spent pursuing actual CP traffickers. Which is why the only people who support this are either (a) lazy law enforcement who favor newsworthy busts even if they're complete fabrications with no basis in reality and (b) child pornographers, who know their chances of getting away with it are far better when ersatz "suspects" can be manufactured at will. (And who, by the way, are mostly technologically sophisticated enough to completely evade this, so they will be among the last to be caught this way.)
One commenter has imagined that this means I'm opposed to law enforcement. Given what my work entails, that'd be pretty ironic. I'm not opposed to law enforcement. I'm opposed to stupid law enforcement, and this is a canonical example.