
March 24, 2008

FBI Pioneers "Guilty by Reason of Clicking"

This is appalling:

"Everyone has had it happen to them: a 'friend' sends you a link in IM or over IRC that purports to be something like a cat in an awkward position with a hilarious caption. Soon, however, you discover that the link wasn't to a lolcat at all; instead, you've been Rick Rolled—or even worse, sent to 2girls1cup (find it on your own, but be warned: it may scar you for life). These pranks are commonplace now, but be careful of what you click on and from whom. If that link points to anything even pretending to be child porn, that's enough evidence for the FBI of intent to download it. The authorities could then raid your home and possibly throw you in jail. No joke, it just takes one click and you're under intense suspicion.

"Such is the case with Temple University doctoral student Roderick Vosburgh, who apparently clicked on an FBI-planted hyperlink somewhere on the Internet. The link pointed to a file on an FBI server that contained no porn, but logged the IP addresses of everyone attempting to access it. Vosburgh's IP was one of those, and the FBI came knockin' on his door early one morning, arrested him, and searched his home.

"In fact, this didn't just happen to Vosburgh—the FBI has been using this click-and-be-owned tactic for a few years now, using logged IP addresses as a way to get warrants and charge people with intent to download child porn (a federal crime). The FBI has been planting links to these bogus files on message boards that are known to attract child predators, but even the log files don't take into account the referrer—any IP address that shows up is automatically assumed to be guilty, and assumed to be coming in from one of the FBI's planted links. This means that if your drunk friends think it's funny to IM you a link to something that turns out to be to the FBI's planted link, you could be in trouble."

It's not hard to anticipate the rationale for this sort of thing: Someone thinks it's a great way to "go after the demand end of the market." In a world where Web client security was perfect and where there were no malicious people to exploit things you can't program a Web client to avoid, that might make a modicum of sense.

Some time back, Linux Today had a policy of disabling anchor tags in its comment section, forcing people to just paste a URL in and let other people copy and paste it into their own browsers. I don't think it was a good policy, but Slashdot had not yet invented "add the target domain of this link in brackets behind the link" technology, and there was another mentality driving the policy anyhow. But a recalcitrant Web developer questioned why he was supposed to disable live links. I told him to grep the site comments database for goatse.cx where it was a. enclosed in an anchor tag as the href and b. not to be found in the inner text of the tag. It wasn't much of a reason, but it was the only one I was given that I agreed with.

One mistake I made, which probably only helped underscore the lesson, was assuming that he'd ever even been to goatse.cx. So he did his grep and found a few dozen links that fit the criteria, then he wondered to himself what all the fuss about that particular URL was and decided to pay it a visit. He got right to work on filtering link markup from comments.
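The check described above (an anchor whose href points at a domain the link text never shows), together with the bracketed-domain labelling attributed to Slashdot, as an added example that is not code from Linux Today or Slashdot. It parses the comment HTML instead of grepping it; the sample comments and the `shock.example` domain are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample rows (comment id -> comment HTML); domains are placeholders.
SAMPLE_COMMENTS = {
    1: '<a href="http://shock.example/hello.jpg">cute cat picture</a>',
    2: 'See <a href="http://www.example.org/story">example.org/story</a>',
    3: '<a href="/faq">FAQ</a>, <a href="HTTP://Shock.Example/"><b>kernel</b> patch notes</a>',
}

class AnchorAudit(HTMLParser):
    """Collect (href host, visible text) for each <a> element in a comment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._host, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            try:
                self._host = urlsplit(href).hostname or ""  # lowercased by urlsplit
            except ValueError:                              # malformed authority
                self._host = ""
            self._text = []

    def handle_data(self, data):
        if self._host is not None:       # inside an open anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._host is not None:
            self.links.append((self._host, "".join(self._text).strip()))
            self._host = None

def bare_host(host):
    return host[4:] if host.startswith("www.") else host

def hidden_targets(comment_html):
    """Anchors that (a) carry an absolute href and (b) do not show its host in the text."""
    parser = AnchorAudit()
    parser.feed(comment_html)
    parser.close()
    return [(h, t) for h, t in parser.links if h and bare_host(h) not in t.lower()]

def label(host, text):
    """Slashdot-style rendering: link text followed by the target domain in brackets."""
    return f"{text} [{bare_host(host)}]"

def audit(comments):
    """Map comment id -> labelled hidden-target links; clean comments are omitted."""
    hits = {cid: hidden_targets(html) for cid, html in comments.items()}
    return {cid: [label(h, t) for h, t in found] for cid, found in hits.items() if found}
```

Relative links and links whose text already shows the destination host are left alone; only anchors that hide an off-site target are reported.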

Now, does the FBI apply some sort of "likely suspect" heuristic to this stuff? If a popular site like, say, Metafilter, had someone pay the $5 on a throwaway site membership and spend their post on a link to an FBI honeypot, you might think it wouldn't take long to straighten the matter out. In his coverage, Declan McCullagh says that probably isn't the case:

"When anyone visited the upload.sytes.net site, the FBI recorded the Internet Protocol address of the remote computer. There's no evidence the referring site was recorded as well, meaning the FBI couldn't tell if the visitor found the links through Ranchi or another source such as an e-mail message."

But even if it did, that doesn't do anything to mitigate against the many other ways one could draw the FBI's attention to just about anybody given either some level of trust or momentary access to a computer with a browser and in the obvious possession of the victim.

Worse, despite the many, many ways the FBI's own Internet crime experts could tell you people find their machines exploited by malware daily, the FBI apparently takes as "evidence" the existence of any illegal content on the arrest target's computer.

This is a repulsive strategy. I'd like to say "I'm sure it won't stand in court," but McCullagh also notes that it has on at least a few occasions.


Posted by mhall at 8:31 PM
