FBI trapping downloaders of illegal porn
This is slightly disturbing. Apparently, the FBI posted fake links advertising child pornography and recorded all of the IP addresses that access those links. And then when around raiding houses.
slashdot link:
http://yro.slashdot.org/article.pl?sid=08/03/20/2323247&from=rss
Responses by some security guys:
http://www.grumpysecurityguy.com/fbi-csrf-and-jail-how-to-get-someone-raided/
Original news article:
http://www.news.com/8301-13578_3-9899151-38.html?tag=nefd.lede
Why is it disturbing? As the article states: "The implications of the FBI's hyperlink-enticement technique are sweeping. Using the same logic and legal arguments, federal agents could send unsolicited e-mail messages to millions of Americans advertising illegal narcotics or child pornography--and raid people who click on the links embedded in the spam messages. The bureau could register the "unlawfulimages.com" domain name and prosecute intentional visitors. And so on."
And also, there are ways to trick a browser into loading images and links. If I can control content on a page, I can easily use all sorts of ways to force your browser to load another site. http://en.wikipedia.org/wiki/Cross-site_request_forgery, http://en.wikipedia.org/wiki/Cross-site_scripting, and basic head/meta-redirects would work. So essentially, if I knew about the FBI site, and I had an enemy, I could make a webpage that would automatically redirect their browser to load from the FBI honeypot link. And then said enemy would get a lovely visit from the FBI. So while said target did not intentionally click the link, they still get into trouble . . . .
===
In other tech news:
http://hardware.slashdot.org/article.pl?sid=08/03/20/1620204&from=rss
MD wants to make it a crime carrying up to 3 years imprisonment and a $1000 fine for using someone else's wireless connection.
The best slashdot comment is as follows:
I will never, EVER understand how the following counts as "stealing wireless access":
1) I broadcast my SSID. (Here's a wireless connection world! LOOK OVER HERE FOR IT!!!)
2) User asks, "Can I connect?" (IP address requested.)
3) I say, "Sure you can connect." (IP address loaned.)
4) YOU STEAL MY WIRELESS!!!!!!!
Ok, I guess I should do it as a car analogy:
1) I put out a sign, "I will let you borrow my car."
2) You ask, "Can I borrow your car?"
3) I say, "Yes, and here are the keys."
4) YOU STOLE MY CAR!!!!!
slashdot link:
http://yro.slashdot.org/article.pl?sid=08/03/20/2323247&from=rss
Responses by some security guys:
http://www.grumpysecurityguy.com/fbi-csrf-and-jail-how-to-get-someone-raided/
Original news article:
http://www.news.com/8301-13578_3-9899151-38.html?tag=nefd.lede
Why is it disturbing? As the article states: "The implications of the FBI's hyperlink-enticement technique are sweeping. Using the same logic and legal arguments, federal agents could send unsolicited e-mail messages to millions of Americans advertising illegal narcotics or child pornography--and raid people who click on the links embedded in the spam messages. The bureau could register the "unlawfulimages.com" domain name and prosecute intentional visitors. And so on."
And also, there are ways to trick a browser into loading images and links. If I can control content on a page, I can easily use all sorts of ways to force your browser to load another site. http://en.wikipedia.org/wiki/Cross-site_request_forgery, http://en.wikipedia.org/wiki/Cross-site_scripting, and basic head/meta-redirects would work. So essentially, if I knew about the FBI site, and I had an enemy, I could make a webpage that would automatically redirect their browser to load from the FBI honeypot link. And then said enemy would get a lovely visit from the FBI. So while said target did not intentionally click the link, they still get into trouble . . . .
===
In other tech news:
http://hardware.slashdot.org/article.pl?sid=08/03/20/1620204&from=rss
MD wants to make it a crime carrying up to 3 years imprisonment and a $1000 fine for using someone else's wireless connection.
The best slashdot comment is as follows:
I will never, EVER understand how the following counts as "stealing wireless access":
1) I broadcast my SSID. (Here's a wireless connection world! LOOK OVER HERE FOR IT!!!)
2) User asks, "Can I connect?" (IP address requested.)
3) I say, "Sure you can connect." (IP address loaned.)
4) YOU STEAL MY WIRELESS!!!!!!!
Ok, I guess I should do it as a car analogy:
1) I put out a sign, "I will let you borrow my car."
2) You ask, "Can I borrow your car?"
3) I say, "Yes, and here are the keys."
4) YOU STOLE MY CAR!!!!!