All the recent dark net arrests seem to be pretty vague on how the big bad was caught (except the IM admin’s silly opsec errors) In the article they say he clicked on a honeypot link, but how was his ip or any other identifier identified, why didnt tor protect him.

Obviously this guy in question was a pedophile and an active danger, but recently in my country a state passed a law that can get you arrested if you post anything the government doesnt like, so these tools are important and need to be bulletproof.

  • governorkeagan@lemdro.id
    link
    fedilink
    English
    arrow-up
    81
    ·
    3 months ago

    He most likely had bad OPSEC.

    Secondly, he took this imagery he had created and then “turned to AI chatbots to ensure these minor victims would be depicted as if they had engaged in the type of sexual contact he wanted to see.” In other words, he created fake AI CSAM—but using imagery of real kids.

    This probably didn’t help much either.

    • CosmicTurtle0@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      26
      ·
      3 months ago

      The government is cagey about how, exactly, this criminal activity was unearthed, noting only that Herrera “tried to access a link containing apparent CSAM.” Presumably, this “apparent” CSAM was a government honeypot file or web-based redirect that logged the IP address and any other relevant information of anyone who clicked on it.

      It looks like a combination of bad opsec and clicking on a download link.

      I know there has been some back and forth whether it’s good to use a VPN with tor and feel like this is just going to open up that conversation again.

        • CosmicTurtle0@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          3 months ago

          It might depend on the VPN provider. If it’s someone like Google, no way.

          But Mullivad that has a proven track record of not keeping logs, that might be worth it.

          I’ve also heard tor over i2p but don’t know enough about the latter to have an opinion

          • governorkeagan@lemdro.id
            link
            fedilink
            English
            arrow-up
            4
            ·
            3 months ago

            I think the other aspect is that you could be adding more things to make you stand out amongst other tor users.

            there’s a more technical term for all this but I can’t recall what it is

            • CosmicTurtle0@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              6
              ·
              3 months ago

              Differentiators? The idea behind the tor browser specifically is to make it harder to fingerprint you by giving trackers the exact same information for each browser session across all its users, making it harder to differentiate between one user and another.

        • quant
          link
          fedilink
          English
          arrow-up
          4
          ·
          3 months ago

          Bad opsec and illusion of anonymity will likely render all the extra steps null, most likely. Case in point, we’ve been reminding people not to torrent through Tor for years.

      • The Doctor@beehaw.org
        link
        fedilink
        English
        arrow-up
        4
        ·
        3 months ago

        LEOs using what amount to phishing attacks to grab folks looking for CSAM has a long and storied history behind it.

  • gencha@lemm.ee
    link
    fedilink
    arrow-up
    62
    arrow-down
    2
    ·
    3 months ago

    There are many ways your real IP can leak, even if you are currently using Tor somehow. If I control the DNS infrastructure of a domain, I can create an arbitrary name in that domain. Like artemis.phishinsite.org, nobody in the world will know that this name exists, the DNS service has never seen a query asking for the IP of that name. Now I send you any link including that domain. You click the link and your OS will query that name through it’s network stack. If your network stack is not configured to handle DNS anonymously, this query will leak your real IP, or that of your DNS resolver, which might be your ISP.

    Going further, don’t deliver an A record on that name. Only deliver a AAAA to force the client down an IPv6 path, revealing a potentially local address.

    Just some thoughts. Not sure any of this was applicable to the case.

    There are many ways to set up something that could lead to information leakage and people are rarely prepared for it.

    • tetris11@lemmy.ml
      link
      fedilink
      arrow-up
      29
      ·
      3 months ago

      Mullvad is pretty good in this regard by forcing you to use their DNS. Though of course, you have to trust them.

    • Artemis_Mystique@lemmy.mlOP
      link
      fedilink
      arrow-up
      10
      ·
      3 months ago

      Does Tor have no protection against such a simple attack? I always thought any clearnet address i type in the browser (along with the dns query) hops 3 times.

      • mox@lemmy.sdf.org
        link
        fedilink
        arrow-up
        13
        ·
        edit-2
        3 months ago

        The Tor network cannot protect against that, because the attack circumvents it. Certain tools, like the Tor browser, do have protection against it (as much as they can) when you use them correctly, but they cannot keep users from inadvertently opening a link in some other tool. Nor can they protect against other software on a user’s device, like a spyware keyboard or the OS provider working with law enforcement.

      • orcrist@lemm.ee
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        You can do DNS in multiple ways. The question is what you try to do, or what your software tries to do.

      • ReversalHatchery@beehaw.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        It’s unlikely that the Tor browser is configured as the default browser, so when you click the link, it will open in something else

      • gencha@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        I can’t answer this with confidence, but I was thinking the link in the email opened in the default browser, which wasn’t Tor in their case. Or something in the email client perhaps. Ultimately, I have no idea what happened and I was just speculating

      • Todd Bonzalez@lemm.ee
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        3 months ago

        Hopefully it will be asked by the very smart people who actually develop TOR, and not just paranoid Internet randos like OP.

        • DigitalDilemma@lemmy.ml
          link
          fedilink
          English
          arrow-up
          3
          ·
          3 months ago

          True - although just because you are paranoid, that doesn’t mean they aren’t out to get you…

        • Artemis_Mystique@lemmy.mlOP
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          3 months ago

          Honestly i believe there is no point in speculating whether there are backdoors installed in popular privacy and encryption apps; for all we know, the powers that are may already have a digital fortress’esque quantum computer decrypting everything from your signal messages to onion sites in a matter of seconds.

          I think(my personal headcanon) that there probably was a Manhattan project like top secret research project that has yielded some very fruitful results, now i guess we have to just wait for some whistleblower or a disgruntled employee to feed it a file that blows it up.

            • Artemis_Mystique@lemmy.mlOP
              link
              fedilink
              arrow-up
              3
              ·
              edit-2
              3 months ago

              I didn’t deny it; its akin to a first year med student reading about all the subtle little ways that the body hints something is majorly wrong and noticing symptoms exhibit in them, I guess i am just not jaded enough to accept that online anons can just send a swat team to my house if i comment on the local weather online.

      • IphtashuFitz@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        Well OPSEC is the stated cause. Who knows how the person was initially identified and tracked. For all we know he was quickly identified through some sort of Tor backdoor that the feds have figured out, but they used that to watch for an unrelated OPSEC mistake they could take advantage of. That way the Tor backdoor remains protected.

  • MalReynolds@slrpnk.net
    link
    fedilink
    English
    arrow-up
    33
    ·
    3 months ago

    Compromised ? Maybe, but this guy doesn’t provide any evidence one way or the other. He’s using at least 7 other possible vectors (apparently Calculator Photo Vault just hides the gallery, no encryption, so it’s over right there) which is way too many for good opsec.

    With Tor the question has always been compromised exit nodes as I understand it.

    • nnullzz@lemmy.world
      link
      fedilink
      arrow-up
      12
      ·
      edit-2
      3 months ago

      In that article they provide a list of steps to follow to be safer on Tor. Is that a good list or is there anything else one can do to maintain their privacy?

      • MalReynolds@slrpnk.net
        link
        fedilink
        English
        arrow-up
        5
        ·
        3 months ago

        No idea, I was just using it to illustrate the existence of compromised exit nodes, which to my mind are a pretty fatal flaw in TOR, perhaps someone knowledgeable can chime in.

      • mox@lemmy.sdf.org
        link
        fedilink
        arrow-up
        11
        ·
        edit-2
        3 months ago

        Not against a government that can compel the organizations who issue the https certificates and run the https servers. And not against leaks that occur outside of https.

      • refalo@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        3 months ago

        I wouldn’t be surprised if more than one root CA was compromised… especially the free ones.

  • Todd Bonzalez@lemm.ee
    link
    fedilink
    arrow-up
    18
    ·
    3 months ago

    I went one step further than OP and actually read the article.

    Web-based generative AI tools/chatbots

    he created fake AI CSAM—but using imagery of real kids.

    All the privacy apps in the world won’t save you if you’re uploading pics to a subscription cloud service.

  • CheeseNoodle@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    3 months ago

    Tor was always comrpomised, the point has never been to be uncrackable, the point is that tracking down an induvidual user is enough effort that it can’t just be done on mass like with normal internet traffic. If you draw direct attention to yourself then it isn’t going to save you.

    • IphtashuFitz@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      3 months ago

      Exactly. Tor was originally created so that people in repressive countries could access otherwise blocked content in a way it couldn’t be easily traced back to them.

      It wasn’t designed to protect the illegal activities of people in first world countries that have teams of computer forensics experts at dozens of law enforcement agencies that have demonstrated experience in tracking down users of services like Tor, bitcoin, etc.

      • Artemis_Mystique@lemmy.mlOP
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        Welp repressive countries have more stringent teams of computer forensics experts now. Though compared to our neighbours i wouldn’t call my country repressive(yet)

  • SirEDCaLot@lemmy.today
    link
    fedilink
    arrow-up
    16
    arrow-down
    2
    ·
    3 months ago

    All the crypto in the world won’t help if you do stupid stuff and have crap OPSEC.

    A big part of that is stay under the radar. If I were NSA I’d be running a great many TOR nodes (both relay nodes and exit nodes) in the hope of generating some correlations. Remember, you don’t need to prove in order to raise suspicion.

    So for example if you have an exit node so you can see the request is CSAM related, and you run a bunch of intermediate nodes and your exit nodes will prefer routing traffic through your intermediate nodes (which also prefer routing traffic through your other intermediate nodes), you can guess that wherever the traffic goes after one or two relay hops through your nodes is whoever requested it.
    If you find a specific IP address frequently relaying CSAM traffic to the public Internet, that doesn’t actually prove anything but it does give you a suspicion ‘maybe the guy who owns that address likes kiddy porn, we should look into him’.

    Doing CSAM with AI tools on the public Internet is pretty stupid. Storing his stash on cell phones was even more stupid. Sharing any of it with anyone was monumentally stupid. All the hard crypto in the world won’t protect you if you do stupid stuff.


    So speaking to OP- First, I’d encourage you to consider moving to a country that has better free speech protections. Or advocate for change in your own country. It’s not always easy though, because sadly it’s the unpopular speech that needs protecting; if you don’t protect the unpopular stuff you jump down a very slippery slope. We figured that out in the USA but we seem to be forgetting it lately (always in the name of ‘protecting kids’ of course).

    That said, OP you should decide what exactly you want to accomplish. Chances are your nation’s shitty law is aimed at public participation type websites / social media. If it’s important for you to participate in those websites, you need to sort of pull an Ender’s Game type strategy (from the beginning of the book)- create an online-only persona, totally separate from your public identity. Only use it from devices you know are secure (and are protected with a lot of crypto). Only connect via TOR or similar privacy techniques (although for merely unpopular political speech, a VPN from a different country should suffice). NEVER use or allude to your real identity from the online persona. Create details about your persona that are different from your own- what city you’re in, what your age and gender are, what your background is, etc. NEVER use any of your real contact info or identity info.

    • Artemis_Mystique@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      Feasibility aside, the shitty laws in question attacks content hosting platforms first(safe harbor laws). So no matter how many vpns i hop through, the site would simply limit the visibility of my post in the region and go about their day.

      • SirEDCaLot@lemmy.today
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        3 months ago

        Yes exactly. This is a big part of why some repressive countries are starting to require identity registration in order to participate in social media. Arresting people is unnecessary if you can simply stamp out non-preferred speech at the point of discussion.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    2
    ·
    3 months ago

    No

    Any even if it were what else would you use? There is no other software that comes close

  • The Doctor@beehaw.org
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    3 months ago

    Let’s see here…

    Potato Chat - This is the first I’ve heard of it so I can’t speak to it one way or another. A cursory glance suggests that it’s had no security reviews.

    Enigma - Same. The privacy policy talks about cloud storage, so there’s that. The following is also in their privacy policy:

    A super group can hold up to 100,000 people, and it is not technically suitable for end-to-end encryption. You will get this prompt when you set up a group chat. Our global communication with the server is based on TLS encryption, which prevents your chat data from being eavesdropped or tampered with by others… The server will index the chat data of the super large group so that you can use the complete message search function when the local message is incomplete, and it is only valid for chat participants… we will record the ID, mobile phone number, IP location information, login time and other information of the users we have processed.

    So, plaintext abounds. Definite OPSEC problem.

    nandbox - No idea, but the service offers a webapp client as a first class citizen to users. This makes me wonder about their security profile.

    Telegram - Lol. And I really wish they hadn’t mentioned that hidden API

    Tor - No reason to re-litigate this argument that happens once a year, every year ever since the very beginning. Suffice it to say that it has a threat model that defines what it can and cannot defend against, and attacks that deanonymize users are well known, documented, and uses by law enforcement.

    mega.nz - I don’t use it, I haven’t looked into it, so I’m not going to run my mouth (fingers? keyboard?) about it.

    Web-based generative AI tools/chatbots - Depending on which ones, there might be checks and traps for stuff like this that could have twigged him.

    This bit is doing a lot of heavy lifting in the article: “…created his own public Telegram group to store his CSAM.”

    Stop and think about that for a second.

  • Empricorn@feddit.nl
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    3 months ago

    In this comment section: S P E C U L A T I O N, presented as fact. The truth is no one really knows, at least not yet…

    • foremanguy@lemmy.ml
      link
      fedilink
      arrow-up
      5
      ·
      3 months ago

      It could, but even without it’s very dumb to do such thing and think that you are safe

  • pudcollar [he/him]@hexbear.net
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    6
    ·
    edit-2
    3 months ago

    NSA in Amerikkka has been targeting the tor browser and flagging tor traffic for a long time. They will toss intercepts to law enforcement occasionally to be used through parallel construction. They’re fond of backdooring security software and hardware and sneaking it into the supply chain.