By Jacqui Cheng | Published: March 23, 2008 - 02:10PM CT
Everyone has had it happen to them: a "friend" sends you a link in IM or over IRC that purports to be something like a cat in an awkward position with a hilarious caption. Soon, however, you discover that the link wasn't to a lolcat at all; instead, you've been Rick Rolled—or even worse, sent to 2girls1cup (find it on your own, but be warned: it may scar you for life). These pranks are commonplace now, but be careful of what you click on and from whom. If that link points to anything even pretending to be child porn, that's enough evidence for the FBI of intent to download it. The authorities could then raid your home and possibly throw you in jail. No joke, it just takes one click and you're under intense suspicion.
Such is the case with Temple University doctoral student Roderick Vosburgh, who apparently clicked on an FBI-planted hyperlink somewhere on the Internet. The link pointed to a file on an FBI server that contained no porn, but logged the IP addresses of everyone attempting to access it. Vosburgh's IP was one of those, and the FBI came knockin' on his door early one morning, arrested him, and searched his home.
In fact, this didn't just happen to Vosburgh—the FBI has been using this click-and-be-owned tactic for a few years now, using logged IP addresses as a way to get warrants and charge people with intent to download child porn (a federal crime). The FBI has been planting links to these bogus files on message boards that are known to attract child predators, but the log files don't take the referrer into account: any IP address that shows up is automatically assumed to be guilty, and assumed to be coming in from one of the FBI's planted links. This means that if your drunk friends think it's funny to IM you a link that turns out to be the FBI's planted link, you could be in trouble.
Don't believe that's all it takes? The FBI admitted that there was apparently no evidence that Vosburgh had ever accessed the forum where the links were originally planted, according to court documents seen by Ars Technica. Vosburgh's attorney also pointed out that the affidavit that was used to charge Vosburgh provided no probable cause to believe that any criminal activity had taken place, that he was home at the time that the file was allegedly accessed, or even that there was a computer with an Internet connection in Vosburgh's apartment.
Vosburgh eventually went to trial and was convicted of clicking on an illegal link and possession of child porn due to two tiny thumbnails that the FBI believes depict underage females—this is despite the testimony from multiple computer experts saying that the cache was created automatically and Vosburgh had no idea how or where to find these thumbnails on his machine. He now faces sentencing on April 22 while his attorney attempts to have the verdict overturned. Vosburgh was caught trying to destroy a hard drive and a flash drive, however, and this surely didn't help his case.
Brilliant honey pot scheme or horribly flawed perversion of justice? The lack of other evidence pointing to this man's guilt places the onus of this man's conviction on the FBI's phishing practices, which from our point of view leave much to be desired.
(Click a Link)
Editor's note: Have you ever clicked on a link on a website, hoping to see the latest sports headlines or watch the new James Bond trailer, only to be confronted by a video of 1980s pop sensation Rick Astley? If so, then you've officially been "Rick Rolled". A huge internet phenomenon earlier this year, victims of "Rick Rolls" had inadvertently clicked on false links that took them through to a music video of Rick Astley singing Never Gonna Give You Up. A poll by SurveyUSA in April this year estimated that at least 18 million Americans had been "Rick Rolled."
The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.
Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images.
A CNET News.com review of legal documents shows that courts have approved of this technique, even though it raises questions about entrapment, the problems of identifying who's using an open wireless connection--and whether anyone who clicks on an FBI link that contains no child pornography should be automatically subject to a dawn raid by federal police.
Roderick Vosburgh, a doctoral student at Temple University who also taught history at La Salle University, was raided at home in February 2007 after he allegedly clicked on the FBI's hyperlink. Federal agents knocked on the door around 7 a.m., falsely claiming they wanted to talk to Vosburgh about his car. Once he opened the door, they threw him to the ground outside his house and handcuffed him.
Vosburgh was charged with violating federal law, which criminalizes "attempts" to download child pornography with up to 10 years in prison. Last November, a jury found Vosburgh guilty on that count, and a sentencing hearing is scheduled for April 22, at which point Vosburgh could face three to four years in prison.
The implications of the FBI's hyperlink-enticement technique are sweeping. Using the same logic and legal arguments, federal agents could send unsolicited e-mail messages to millions of Americans advertising illegal narcotics or child pornography--and raid people who click on the links embedded in the spam messages. The bureau could register the "unlawfulimages.com" domain name and prosecute intentional visitors. And so on.
"The evidence was insufficient for a reasonable jury to find that Mr. Vosburgh specifically intended to download child pornography, a necessary element of any 'attempt' offense," Vosburgh's attorney, Anna Durbin of Ardmore, Penn., wrote in a court filing that is attempting to overturn the jury verdict before her client is sentenced.
In a telephone conversation on Wednesday, Durbin added: "I thought it was scary that they could do this. This whole idea that the FBI can put a honeypot out there to attract people is kind of sad. It seems to me that they've brought a lot of cases without having to stoop to this."
Durbin did not want to be interviewed more extensively about the case because it is still pending; she's waiting for U.S. District Judge Timothy Savage to rule on her motion. Unless he agrees with her and overturns the jury verdict, Vosburgh--who has no prior criminal record--will be required to register as a sex offender for 15 years and will be effectively barred from continuing his work as a college instructor after his prison sentence ends.
How the hyperlink sting operation worked
The government's hyperlink sting operation worked like this: FBI Special Agent Wade Luders disseminated links to the supposedly illicit porn on an online discussion forum called Ranchi, which Luders believed was frequented by people who traded underage images. One server allegedly associated with the Ranchi forum was rangate.da.ru, which is now offline with a message attributing the closure to "non-ethical" activity.
In October 2006, Luders posted a number of links purporting to point to videos of child pornography, and then followed up with a second, supposedly correct link 40 minutes later. All the links pointed to, according to a bureau affidavit, a "covert FBI computer in San Jose, California, and the file located therein was encrypted and non-pornographic."
Excerpt from an FBI affidavit filed in the Nevada case showing how the hyperlink-sting was conducted.
Some of the links, including the supposedly correct one, included the hostname uploader.sytes.net. Sytes.net is hosted by no-ip.com, which provides dynamic domain name service to customers for $15 a year.
When anyone visited the upload.sytes.net site, the FBI recorded the Internet Protocol address of the remote computer. There's no evidence the referring site was recorded as well, meaning the FBI couldn't tell if the visitor found the links through Ranchi or another source such as an e-mail message.
With the logs revealing those allegedly incriminating IP addresses in hand, the FBI sent administrative subpoenas to the relevant Internet service provider to learn the identity of the person whose name was on the account--and then obtained search warrants for dawn raids.
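The evidentiary gap described above, as an added example that is not from the article or the court record: a short log classifier showing what a server can and cannot say about where a visitor found a link, depending on whether the HTTP `Referer` field was logged. The log format, host names, path and IP addresses are constructed assumptions; the article does not say what format the server's logs used.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/nginx access-log line. The quoted referrer and user-agent at the end
# exist only in "combined" format, so they are optional here and a plain
# "common" format line still parses.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+'
    r'(?: "(?P<ref>[^"]*)" "[^"]*")?$'
)

def referral_source(line, planted_host):
    """Return (client_ip, source) for one log line, or None if unparseable."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    ref = m.group("ref")
    if ref is None:
        source = "not-recorded"   # log format has no referrer field at all
    elif ref in ("", "-"):
        source = "absent"         # typed URL, IM/e-mail client, bookmark
    elif urlparse(ref).hostname == planted_host:
        source = "planted-page"   # client says it came from the forum
    else:
        source = "other-page"     # link was followed from somewhere else
    # Referer is client-supplied and can be stripped or forged, so even
    # "planted-page" is corroboration, not proof of who clicked or why.
    return m.group("ip"), source

def evidence_by_ip(lines, planted_host):
    """Map each client IP to the sorted referral sources seen for it."""
    seen = defaultdict(set)
    for line in lines:
        parsed = referral_source(line, planted_host)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return {ip: sorted(srcs) for ip, srcs in seen.items()}

# Constructed sample: documentation-range IPs, hypothetical hosts and path.
COMBINED = [
    '192.0.2.10 - - [01/Jan/2000:21:02:11 +0000] "GET /file.bin HTTP/1.1" '
    '200 5120 "http://forum.example/thread/42" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Jan/2000:21:05:40 +0000] "GET /file.bin HTTP/1.1" '
    '200 5120 "-" "Mozilla/4.0"',
    '203.0.113.99 - - [01/Jan/2000:21:09:03 +0000] "GET /file.bin HTTP/1.1" '
    '200 5120 "http://webmail.example/inbox" "Mozilla/5.0"',
]
# The same requests as a server keeping only "common" format would log them:
# drop the two trailing quoted fields (referrer and user-agent).
COMMON = [line.rsplit(' "', 2)[0] for line in COMBINED]

if __name__ == "__main__":
    for name, log in (("combined", COMBINED), ("common", COMMON)):
        print(name, evidence_by_ip(log, "forum.example"))
```

With the referrer logged, the three visitors separate into three different categories; with an IP-only log, all three are indistinguishable.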
Excerpt from FBI affidavit in Nevada case that shows visits to the hyperlink-sting site.
The search warrants authorized FBI agents to seize and remove any "computer-related" equipment, utility bills, telephone bills, any "addressed correspondence" sent through the U.S. mail, video gear, camera equipment, checkbooks, bank statements, and credit card statements.
While it might seem that merely clicking on a link wouldn't be enough to justify a search warrant, courts have ruled otherwise. On March 6, U.S. District Judge Roger Hunt in Nevada agreed with a magistrate judge that the hyperlink-sting operation constituted sufficient probable cause to justify giving the FBI its search warrant.
The defendant in that case, Travis Carter, suggested that any of the neighbors could be using his wireless network. (The public defender's office even sent out an investigator who confirmed that dozens of homes were within Wi-Fi range.)
But the magistrate judge ruled that even the possibilities of spoofing or other users of an open Wi-Fi connection "would not have negated a substantial basis for concluding that there was probable cause to believe that evidence of child pornography would be found on the premises to be searched." Translated, that means the search warrant was valid.
Entrapment: Not a defense
So far, at least, attorneys defending the hyperlink-sting cases do not appear to have raised unlawful entrapment as a defense.
"Claims of entrapment have been made in similar cases, but usually do not get very far," said Stephen Saltzburg, a professor at George Washington University's law school. "The individuals who chose to log into the FBI sites appear to have had no pressure put upon them by the government...It is doubtful that the individuals could claim the government made them do something they weren't predisposed to doing or that the government overreached."
The outcome may be different, Saltzburg said, if the FBI had tried to encourage people to click on the link by including misleading statements suggesting the videos were legal or approved.
In the case of Vosburgh, the college instructor who lived in Media, Penn., his attorney has been left to argue that "no reasonable jury could have found beyond a reasonable doubt that Mr. Vosburgh himself attempted to download child pornography."
Vosburgh faced four charges: clicking on an illegal hyperlink; knowingly destroying a hard drive and a thumb drive by physically damaging them when the FBI agents were outside his home; obstructing an FBI investigation by destroying the devices; and possessing a hard drive with two grainy thumbnail images of naked female minors (the youths weren't having sex, but their genitalia were visible).
The judge threw out the third count and the jury found him not guilty of the second. But Vosburgh was convicted of the first and last counts, which included clicking on the FBI's illicit hyperlink.
In a legal brief filed on March 6, his attorney argued that the two thumbnails were in a hidden "thumbs.db" file automatically created by the Windows operating system. The brief said that there was no evidence that Vosburgh ever viewed the full-size images--which were not found on his hard drive--and the thumbnails could have been created by receiving an e-mail message, copying files, or innocently visiting a Web page.
From the FBI's perspective, clicking on the illicit hyperlink and having a thumbs.db file with illicit images are both serious crimes. Federal prosecutors wrote: "The jury found that defendant knew exactly what he was trying to obtain when he downloaded the hyperlinks on Agent Luder's Ranchi post. At trial, defendant suggested unrealistic, unlikely explanations as to how his computer was linked to the post. The jury saw through the smokes (sic) and mirrors, as should the court."
The first image depicted a pre-pubescent girl, fully naked, standing on one leg while the other leg was fully extended leaning on a desk, exposing her genitalia... The other image depicted four pre-pubescent fully naked girls sitting on a couch, with their legs spread apart, exposing their genitalia. Viewing this image, the jury could reasonably conclude that the four girls were posed in unnatural positions and the focal point of this picture was on their genitalia.... And, based on all this evidence, the jury found that the images were of minors engaged in sexually explicit conduct, and certainly did not require a crystal clear resolution that defendant now claims was necessary, yet lacking.
Prosecutors also highlighted the fact that Vosburgh visited the "loli-chan" site, which has in the past featured a teenage Webcam girl holding up provocative signs (but without any nudity).
Civil libertarians warn that anyone who clicks on a hyperlink advertising something illegal--perhaps found while Web browsing or received through e-mail--could face the same fate.
When asked what would stop the FBI from expanding its hyperlink sting operation, Harvey Silverglate, a longtime criminal defense lawyer in Cambridge, Mass. and author of a forthcoming book on the Justice Department, replied: "Because the courts have been so narrow in their definition of 'entrapment,' and so expansive in their definition of 'probable cause,' there is nothing to stop the Feds from acting as you posit."
Editor's note: Since 2005, I have received a number of SPAM messages regarding contraband images, which have been reported to the authorities. This one e-mail points to a site in Alabama, not the Ukraine, and has been redacted accordingly, pursuant to the Adam Walsh Act. Since notifying the FBI and DHS/ICE, I haven't been receiving as much SPAM of this nature in my e-mail.
On 26 July 2007 the Adam Walsh Act was signed into law by President George W. Bush. Although I believe that John Walsh is an outstanding person and should be commended for the "America's Most Wanted" series and his acting career, the Act is inherently defective in many parts. Specifically, it denies independent computer forensics personnel the ability to perform an adequate analysis in determining the evidence contained within a computer's hard drive, and it denies defense counsel the ability to remove copies of the data for the "ample opportunity" in the preparation of a defense.
On 25 January 2007, in the matter of US V Knellinger (3:06cr126), Judge Robert Payne of the Eastern District, Richmond Virginia set aside the Adam Walsh Act, since "ample opportunity" to examine the evidence was not afforded to the defense experts or counsel.
About one year ago, I came into contact with a group known as the Internet Crimes Against Children or ICAC, which consisted of local law enforcement officers performing computer forensics work. Frankly, I believe that this type of work should be left to professionals who understand the concept of computers, not "newbies", who would probably have problems passing muster under the Daubert or Kumho standards. In the same vein, I would not expect computer professionals to understand the laws appertaining to traffic control or responding to a domestic dispute. Personally, with the shortage of officers in our respective communities, they belong on the street, investigating crime, not sitting at a desk, eating doughnuts and drinking coffee while a computer's hard drive is being mirrored and analyzed. This should be performed by non-sworn personnel, be it a contracted independent lab or internal personnel.
In the People v. Rando matter, one of the software tools that was used was software developed, but formally untested, by a member of ICAC, Agent Flint Waters of the Wyoming ICAC. In contacting the developer, I was referred to an individual at Fox Valley Technical College, in Wisconsin, which begged the question, "Why Wisconsin?" In reviewing the Adam Walsh Act, et seq., I noticed a large appropriation of money going to ICAC and Fox Valley Technical College, located at 1825 North Bluemound Dr., Appleton, Wisconsin 54913-2277. Fox Valley Technical College has an extensive ICAC Program, which makes Alaska's "Bridge to Nowhere" project look like a pittance.
So what's going on here? It turns out that the sponsor of this bill was none other than Rep. F. James Sensenbrenner, Jr., of Wisconsin. Now how much money do you think has been authorized? According to Sec. 706 (b), it states:
Authorization of Appropriations- There are authorized to be appropriated to the Administrator of the Office of Juvenile Justice and Delinquency Prevention for fiscal year 2007 such sums as may be necessary to carry out this section.
Can someone say "Blank Check?" (Okay, $1.5 Billion through FY 2011, per the CBO) I would suggest that Contractors, who do not have a bias or prejudice when examining a computer, should be retained instead of utilizing local law enforcement. Local law enforcement is already on a bare budget, so let's focus the money where it is needed: the retention of credible and capable Contractors. Pork projects like these have to go, and Rep. Sensenbrenner needs to have a reality check when it comes to the legislative branch overreaching its powers in matters of due process.
Mo' Money, Mo' Money, Mo' Money... Sen. Biden want to spend Mo' Money. Background checks are the responsibility of the employer, not the US Taxpayer. Where does this money plan on going? "The pilot program worked and the program needs to be expanded," said Ernie Allen, CEO and President of the National Center for Missing and Exploited Children. Way to go Ernie!!! I hope that the "Taj Mahal" in Alexandria adds an exercise room or more marble to the palace!
There is an old trick used by salesmen who work for Japanese trading houses: Use twelve industry-specific technical terms in a conversation and you can pass as an expert in that industry. Given how much stuff Japan has been able to sell to the rest of the world, this method seems quite sound.
I've gotten an average of one message every two months from different people requesting a real good, comprehensive dictionary of computer-related technical terms because they want to sound like, be, or test an expert. Sorry I put the question off for so long. Here's making up for lost time: Although not formally a computer-term dictionary, Newton's Telecom Dictionary, published by Telecom Books of New York, can easily be called one because of the blurring line between a computer and a telecommunications device. It is easy to read, informative, funny, and - an important feature of a reference book - complete (the 15th edition is more than 900 pages long). I could go on and on about it, but I think the words of author Harry Newton that appear on the back cover of the 14th edition say it all:
I wrote this book for those of us new and old to the world's most exciting industry. I deliberately didn't write a technical book. I wrote a business book. I explain technical concepts in non-technical, business language. Some of my definitions are short. Some are encyclopedic. My focus is totally practical. How you can benefit. Pitfalls to watch out for. Use this book in your day-to-day business life. Dip into it before a meeting with a vendor, a customer or a boss. Dip into it as you write or read a sales proposal. I've got 18 years in this book. It better be good.
Newton's Telecom Dictionary can be had through any decent-sized bookstore, Internet book seller, or the Telecom Books website (http://www.telecombooks.com). Mr. Newton is also blessed with a wonderful sense of humor. After you've obtained a copy, be sure to look up his definition of the term "telephone."
The purpose of the article is merely an illustration of what the title entails. It is not reflective upon the hard working computer forensic examiner or a computer forensics expert witness, who has demonstrated their expertise in the field, the laboratory or within the civilian or military judicial systems, respectively.