On Sat, Dec 01, 2012 at 10:36:56AM -0600, Joe Greco wrote:
> Even if we were to assume that there are no "bad actors" in law enforcement, what happens when someone is simply faced with something so complex that they don't really understand it? The conventional wisdom is to seize it and let experts work it out.
There is another problem with that approach. Actually, two: one that affects us, one that bears on the root cause.

We all know, or should know, that there are a couple hundred million zombies (aka bots) out there. Nobody knows exactly how many, of course, because it's impossible to know. But any estimate under 100M should be discarded immediately, and I think numbers in the 200M to 300M range are at least plausible, if not probable. Those systems are pretty much EVERYWHERE. The thing is, we don't know specifically where until either (a) they do something that's externally observable that indicates they're zombies AND someone in a position to observe it makes the observation, or (b) someone does a forensic-grade examination of them -- which is often what it takes to find some of the more devious malware.

There is nothing at all that stops child porn types from leasing zombies or creating their own. There is also nothing stopping them from setting those systems up to transmit/receive child porn via HTTP/S or SMTP or FTP or any other protocol. Or through a VPN or whatever. No Tor required.

So -- five minutes from now -- you (generic you) could suddenly be in a position where what happened to this guy is happening to you, because 7 zombies on your network just went active and started shovelling child porn. And you probably won't know it, because the traffic will be noise buried in all the other noise. That is, until the authorities, whoever they are wherever you are, show up and confiscate everything, including desktops, laptops, servers, tablets, phones, printers, everything with a CPU.

And why shouldn't they? Do you think you're immune to this? Why should you be? Because you're an ISP? A Fortune 500 company? A major university? Joe's Donut Shop? Why should *you* get a pass from this treatment?

My point, which I suppose I should get to, is this: This tactic (confiscating everything) is simply not a sensible response by any law enforcement agency. It's bad police work. It's lazy. It's stupid. And worse than any of THAT, it *helps* the child porn types do their thing. (Why? Because it clearly signals the nature and location and time of a security breach. This helps them avoid capture and provides useful intelligence that can be used to design the next operation.)

The right tactic is to keep all that gear exactly where it is and doing exactly what it's doing. The children who have already been horribly, tragically exploited will not be any more so if those systems keep running: that damage is done and unplugging computers won't fix it. But keeping that stuff in place and figuring out how to start tracing the purveyors and producers, THAT will attack the root cause of the problem, so that maybe other children will be spared, and the people responsible brought to justice.

I know it's unfashionable for police to, you know, actually engage in police work any more. It's tedious, boring, and doesn't make headlines. It's much easier to hold self-congratulatory press conferences, torture helpless people with tasers, and try to out-do the Stasi by setting up a surveillance state. But it would be nice if someone with a clue got them to stop supporting child porn by virtue of being so damn lazy, ignorant and incompetent.

TL;DR: try a rapier rather than a bludgeon.

---rsk