I'm not really convinced that gathering information about someone who has verifiably broken the law constitutes unreasonable search and seizure but w/e.
I don't like the way it's represented as "this is vulnerability with tor", especially in non-technical media. It was an issue with firefox that existed in like 5 versions of stable, it just happened to also exist in the version TBB bundled.
This is where I disagree. Your IP address registering on a CP site doesn't necessarily constitute verifiably "breaking the law." You've got to consider that people could go to a website like that accidentally (because onion links aren't exactly descriptive) for less than five seconds or might even have their wifi compromised. The issue is that an IP address is conflated with personhood and that this somehow justifies the police taking action to the point where someone has to prove their innocence (instead of their guilt being proven).
This is where I'm confused. The reports and official statements of the FBI are very ambiguous as to how people were caught and what they were doing. My impression is (from the statement of the FBI) that they injected the malware into the Tor Browser Bundle for anyone who visited the site at all. It's one thing if people are producing or sharing CP, it's a
totally unwarranted search and seizure to just load viruses on people's computers for visiting a link.
But even supposing that someone was in cyberspace sharing CP on a forum that was actually a compromised FBI server,
it's still unwarranted search and seizure without a warrant. You have to have a basic series of checks and balances between the executive and judicial branches, otherwise there's nothing stopping the police from just infecting this malware on anybody. Maybe they're suspicious of some niggasinspace?
I guess it would be one thing if this was like a brothel where you get invited to fuck kids and you physically have to walk into it. The issue being that, with technology, the boundaries of responsibility, ownership, "possession," and privacy are pretty nebulous. I'm not trying to go to bat to protect pedophiles or anything, I guess I'm just pretty blown away by the hypocrisy of the police and the alarming precedent set here.
Also, maybe I'm not understanding but how is this not a vulnerability of TOR? If visiting a link can put malware in your browser to find your MAC address, Operating system, Computer name, Location, and ISP even if you have noscript enabled and java blocked, it sure sounds like a vulnerability to me!
lol maybe you guys should cut back on the child pornography you watch on a daily basis. This is hardly "unprecedented"
This is unprecedented. The FBI has hosted child porn before in like 2012 as part of a a sting operation, but they haven't ever gathered this much information en masse without a warrant before on people for just visiting a website. Also, not all of us are pedos here, but you've got to realize they're talking about arresting potentially thousands of people over a span of like a year. I'm going to laugh when they break into some old lady's house to cuff and stuff her because her neighbor was using her wifi or something.
I can see the NSA doing something like this, but they're international. The FBI is domestic so this is a big deal.
SWIM was in semi-regular contact with the admin, usually to point out all the holes in his gameboy level security. There were no flash videos or streaming and users were encouraged to disable javascript, but this is a guy who didn't think he needed an IDS and was trying to write his own iptables rules with clearly no previous sysadmin experience, etc. while being one of the largest targets on the internet for both blackhats and LE.
When I heard it had been taken over by the FBI and turned into a honeypot I couldn't help but laugh.
So I guess my question is how did people get the malware if they had javascript disabled and there were no streaming flash videos?
I'm interested in this discussion both from a technical aspect and a legal one.
