William was raided for running a Tor exit node. Please help if

Rich Kulawiec rsk at gsp.org
Sat Dec 1 16:50:26 UTC 2012


On Sat, Dec 01, 2012 at 10:36:56AM -0600, Joe Greco wrote:
> Even if we were to assume that there are no "bad actors" in law
> enforcement, what happens when someone is simply faced with something
> so complex that they don't really understand it?  The conventional
> wisdom is to seize it and let experts work it out.

There is another problem with that approach.  Actually, two, one
that affects us, one that bears on the root cause.

We all know, or should know, that there are a couple hundred million
zombies (aka bots) out there.  Nobody knows exactly how many, of course,
because it's impossible to know.  But any estimate under 100M should be
discarded immediately, and I think numbers in the 200M to 300M are at
least plausible, if not probable.

Those systems are pretty much EVERYWHERE.  The thing is, we don't know
specifically where until either (a) they do something that's externally
observable that indicates they're zombies AND someone in a position
to observe it makes the observation or (b) someone does a forensic-grade
examination of them -- which is often what it takes to find some of
the more devious malware.

There is nothing at all that stops child porn types from leasing zombies
or creating their own.  There is also nothing stopping them from setting
those systems up to transmit/receive child porn via HTTP/S or SMTP or FTP
or any other protocol.  Or through a VPN or whatever.  No Tor required.

So -- five minutes from now -- you (generic you) could suddenly be in
a position where what happened to this guy is happening to you, because
7 zombies on your network just went active and started shovelling child
porn.  And you probably won't know it because the traffic will be noise
buried in all the other noise.

That is, until the authorities, whoever they are wherever you are,
show up and confiscate everything, including desktops, laptops, servers,
tablets, phones, printers, everything with a CPU.  And why shouldn't they?
Do you think you're immune to this?  Why should you be?  Because you're
an ISP?  A Fortune 500 company?  A major university?  Joe's Donut Shop?
Why should *you* get a pass from this treatment?

My point, which I suppose I should get to, is this:

This tactic (confiscating everything) is simply not a sensible response
by any law enforcement agency.  It's bad police work.  It's lazy. It's
stupid.  And worse than any of THAT, it *helps* the child porn types do
their thing.  (Why?  Because it clearly signals the nature and location
and time of a security breach.  This helps them avoid capture and provides
useful intelligence that can be used to design the next operation.)

The right tactic is to keep all that gear exactly where it is and doing
exactly what it's doing.  The children who have already been horribly,
tragically exploited will not be any more so if those systems keep
running: that damage is done and unplugging computers won't fix it.
But keeping that stuff in place and figuring out how to start tracing the
purveyors and producers, THAT will attack the root cause of the problem,
so that maybe other children will be spared, and the people responsible
brought to justice.

I know it's unfashionable for police to, you know, actually engage in
police work any more.  It's tedious, boring, and doesn't make headlines.
It's much easier to hold self-congratulatory press conferences, torture
helpless people with tasers, and try to out-do Stasi by setting up a
surveillance state.  But it would be nice if someone with a clue got
them to stop supporting child porn by virtue of being so damn lazy,
ignorant and incompetent.

TL;DR: try a rapier rather than a bludgeon.

---rsk