Paid Advertising
web application security lab

Surfing the Web Can Make You a Sex Offender

This is a really upsetting story about how a teenager was infected by a trojan, used as a fileserver for child pornography, and then attempted to be prosecuted as a sex offender. The sex offender charge was based off of a plea charge after admitting to showing other teenaged boys a playboy magazine. The circumstances are so ridiculous it’s just painful to read. The jist is the boy went to visit a porn site that infected his computer, and then the police detected the computer uploading child pornography.

I was asked after being sent this if having a firewall and anti-virus is enough to protect your computer. Unfortunately the answer is no. Let’s think about session riding for a second. It is trivial to get any user to download images from any website that doesn’t protect itself with a simple IMG tag. In this way a user can visit an otherwise benign site, and be forced to download child pornography or perform attacks on servers or whatever the attacker wants by proxy. Very scary.

12 Responses to “Surfing the Web Can Make You a Sex Offender”

  1. Legionnaire Says:

    I’ve read about this too. It’s so ridiculous! I mean, using the same logic, authorities should track and prosecute all people’s “zombies” which were used in a DDOS attack or any other malicious activity.

    I guess it’s because “pornography” is something the average non-tech-savvy person can understand and judge. Every time I hear that someone, using computers for malicious purposes, was arrested, the reporter attaches the usual tags “software piracy” and “pornography”. Maybe he/she had such activities, maybe not. The public doesn’t care. It simply needs something it can understand and condemn because accusing him/her of “exploiting buffer overflows to establish an army of zombies for DDOS attacks” will leave them with their mouth open :P

    And if we decide that people should be considered liable for their computer’s actions, what about the software vendors who supplied a faulty/buggy/vulnerable program/OS which enabled the attack in the first place? In my opinion such companies should be held responsible for (indirectly) opening back doors in people’s systems, instead of focusing on isolated cases from time to time just to suppress public concern around the security of the Internet.

  2. Sylvan von Stuppe Says:

    This kid visited pr0n sites. But as you say, RSnake, he didn’t really even have to do that. And to boot, there have been arrests made on people who run Tor servers - because in those cases, you ARE serving what comes through your pipe.

    We’ve discussed the idea that just like a business having consequences of keeping their environment unsafe, home users will have actual consequences for keeping their networks unsafe. But that really only applied in our conversations to open WAP’s where your IP address ends up truly being used as the service point because your next-door neighbor uses your connection to serve stuff.

    This is a scary story. While the home machine prolly got pwned from visiting pr0n sites, it could’ve been infected from browsing this blog. And I suspect in most states where child pr0n laws are so strict, real computer forensics evidence may not be admissible.

    For practical protection, (nobody’s 100% safe), keep your system patched. A (admittedly Microsoft) study showed that a completely patched Windows machine didn’t get infected unless the user clicked a confirmation. So the other rule is, don’t click a confirmation. Don’t click a link in an email, and don’t visit pr0n, gambling, or war3z sites. But that still might not be enough - at least you did your part.

  3. Legionnaire Says:

    @Sylvan, how sure are you about the Tor arrests? As far as I know Tor uses something called Onion-Routing which uses intermediates nodes (like my PC and yours) for third-party data forwarding but that data is encrypted! So a node never knows what it is transferring and to where.

    The only claim that one can make is that Tor, among other things, offers anonymity for illegal and malicious activities but this is something stupid to say and won’t hold in any court of a civilized country. (Nevertheless it wouldn’t surprise me a bit if someone has already tried to say such thing.)

    Now, on the last thing about keeping your system patched. I do agree. Studies have showed that many worms have propagated through the Internet due to unpatched (to known vulnerabilities) Systems. But unfortunately there are cases where you don’t have to click on anything to get infected. For example javascript is something your browser automatically trusts and runs when in a site. In general the Internet is designed to trust its content. HTTP is insecure, DNS is insecure, scripting languages are insecure. And of course there are unpatched vulnerabilities where we are talking about buffer overflows, meaning that your browser and/or System may be compromised with no visible signs and of course without asking you about anything.

  4. RSnake Says:

    Posting this comment on digi7al64’s behalf:

    This is becoming scary.

    Recently, a close (online) friend of mine was picked up off the street by the FBI, his home searched and computers seized.

    The charges were serious (think cc # blackmail etc). Anyways after extensive questioning and a full audit of his computers it was found out the he was in fact “owned” and the bad guys had been using his computer to commit their crimes, send emails and pretty much anything else they wanted.

    Thankfully, the FBI where smart enough to figure out it wasn’t him, but I do feel sorry for (a lot) people who are going to go down this route in the future without an experienced agency performing the forensics.

  5. Edward Z. Yang Says:

    @Legionnaire: What you have said is correct for intermediate Tor nodes, but is not for exit Tor nodes. After all, traffic has to exit into the Wild World Wide Web, and an exit Tor node is how it gets there after having been bounced around the Tor network for anonymity. Operating an exit node is extremely high risk, and websites like Wikipedia have blocked them permanently.

  6. Sylvan von Stuppe Says:

    @Legionaire: take the Tor bit with a grain of salt - I recall the cases being in Germany in a data center, so they were a) prolly exit nodes, and b) they were _arrested_ and their hardware confiscated, that doesn’t mean they were actually prosecuted, and c) it’s been a long time since I read the story, so I could be wrong about all of it. In fact, I googled for +tor +germany +arrested +pornography and all the news is about hardware being confiscated - haven’t seen anything yet that charges were filed.

    And concerning patched machines - I agree totally - patching doesn’t protect you 100% - but it goes a long, long, long way. Avoiding pr0n, gambling, and war3z sites doesn’t protect you 100%, either, but that seems to be where a large chunk of this stuff comes from. Is more of a pr0n site or a gambling site?

  7. PHPhreak Says:

    The last paragraph of the whole three pages:

    “The judge couldn’t believe the prosecution was insisting on sex offender status and invited Matthew to appeal. ‘20/20′ was there when two years of fear and misery finally ended. A message arrived from the judge, ironically on the computer, informing them that Matthew would not be labeled a sex offender. Matt and his parents had won his life back.”

    Whatever happened to the burden of proof being on the state? It’s called “not guilty” instead of “innocent” for a reason. Just the fact that he has over 200 backdoors (and he’s only 16) should be enough to get him cleared of almost anything. Sex criminal laws are fucked up in this country. One small mistake and *bam* your life is gone. Some of the stuff they do to sex offenders (even the guilty ones) is seriously cruel and unusual.

    I’ve always had a lot of respect towards judges. They seem to be some of the most level-headed people in this society. Prosecutors and defense attorneys are so caught up in winning they forget justice. Which is exactly how the legal system here is designed, but still it kinda sucks.

    I read that article and felt much empathy towards him. My biggest fear probably is my life getting screwed up by the internet somehow. The internet has never been some place for me to be afraid of being arrested or anything, it’s just always been to me a place I can go on, relax, and have fun doing almost anything.

  8. Max Says:

    Damn Man, This is really very scary story…. Some computer forensic experts should demonstrate in front of Jury, that how such data can be downloaded without the knowledge of users.

    Having the porn stuff should not be treated as evidence….

  9. Jungsonn Says:

    But, I thought it trough a little more for myself and what about this:

    1. take a real kiddieporn surfer.
    2. he downloads that stuff.
    3. then claim he did not downloaded it, it was a trojan.
    4. by seeing this story, his claim can be true. cause it happened.

    Is this realistic? it is obvious a danger for real surfers, but maybe a tool for the real offenders?

  10. Jungsonn Says:

    Which points me to RSnake’s comment on the ownage of ones PC;

    What if you fakely let your PC being (pseudo) owned? and commit crimes through it anyway? If they found out it was owned, you go free. how are you to prove or disprove that? signal to noise, noise to signal.

  11. RSnake Says:

    Most of the people here probably don’t recall but I started EHAP (ethical hackers against pedophilia) many years ago. It’s long gone now, but at the time it was huge. A few years ago (and well after EHAP had disbanded) I got a call from a fed working in Homeland Security who had busted some guy claiming that I had told him that I wanted him to download and index child pornography. Later he changed his story once he found out that I was still around and the fed had gotten in touch with me. His other story was that he was inserting viruses in the images using the GDI+ exploit. He didn’t do his homework, because I found that the GDI+ exploit came out after he had been busted, not before. So with that information he plead guilty.

    I think in the extraordinary case of the 16 year old the court realized that he was not a risk to society. In most other cases I think they would be far more lenient and a jury would have a much easier time convincing him, regardless of how many trojans he has. That means that if you have trojan horses on your system that doesn’t make you safe, or even give you plausible deniability. You have to win over the court too.

  12. lgg Says:

    I know someone (call him bob) who was placed in a semi-similar position to this.

    He had a ‘friend’ round, who, for some unknown reason, had a thing against bob.
    This ‘friend’ had, from somewhere, aquired a downloader / trojan that downloaded child pornography to the computer (I don’t know the exact details). When Bob went to the bathroom, a quick slip of a usb key later and the damage was done.
    A call to crimestoppers (an anonymous crime tip line in the UK) later, and Bob had a search warrant and some explaining to do to his parents.

    Rumours, spread by Bob’s ‘friend’ lead to Bob getting chased out of his school never to return, and the senior managment of the school issued a very rushed yet inadequate statement on the events.

    A year of harassment, not being able to go into his home town centre, embarassing threads about him in the school myspace page, depression, high lawyer’s fees and drugs later, and he was eventually cleared of all charges by the court (after first having been found guilty and forced to sign the sexual offenders register, later to appeal and have it removed. He also had quite a lot of jumps to get the cops to remove his DNA and fingerprint records from the system).
    Forensics identifying that it was very likely that the downloader had caused the images to be on his harddrive, along with good words from the school etc led to this.

    No charges were ever made against his ‘friend’.

    So thats how his life was ruined for a year, and he can’t go anywhere in his home town ever again without risk of abuse or violence. He was actually given a direct line to the police in the event of violence or insults, after a couple of almost-incidents.

    Things like this really do need to be handled far more gently until a suspect is actually found guilty, rather than, while technically treating a suspect as innocent as proved guilty in court, ruining their life before any verdict becuase of simply being charged with the offences.