The FBI Starts A War Against Pedophiles Using Tor

Many people say that the internet is almost synonymous with pornography. While that is indeed a bad reputation for the World Wide Web, things get worse when looking at the Deep Web.

On average, the FBI concluded that at least one new website promoting child explicit materials is created every day. Once one site goes down, the demand is so high that the site is rapidly replaced. The new site that replaces the old one(s) is usually stronger and more secure.

This has made the job of shutting them down more difficult.

While the Deep Web was once notably popular for drugs and murder, it has more nasty things hidden within the shadows.

A British study conducted in early 2015 claimed that up to 80 percent of the Deep Web's "darknet" activity on Tor was related to child pornography. Greg Virgin, a former NSA employee turned cyber security consultant, is quoted as saying:

"It was an awful realization, discovering that there were tens of thousands of people who are not only trading child abuse images and videos, but also looking for tips, and actual children to exploit."

"We found sites where users openly advertise the age of the children they are interested in. The typical age range were girls 0 to 6 months, and boys being from 0 to 1 years old. The FBI has taken down multiple child abuse sites since 2013. Despite the efforts of the FBI and private hacking groups around the globe, it seems the demand for child pornography is only growing."

Recently Argo, the Queensland, Australia taskforce, finished its 10-month-long operation targeting child abuse. Upon completion, a 25-year-old Queensland citizen was arrested for running a child abuse website on Tor, with many more under investigation. The person was charged with multiple counts of child abuse and sentenced to 35 years in prison.

Here, the taskforce exposed one of the largest and most complicated pedophilia rings to date, potentially saving hundreds of children from sexual exploitation on the internet.

The FBI used NIT (network investigative technique) attacks to bypass Tor's encryption altogether. The attacks were camouflaged as Adobe Flash download applications. With this method, the NIT captured actual IP addresses by bypassing Tor encryption, as the Flash application was secretly loaded onto every system that visited the site during the 2-week operation launched by the FBI.

On the first day of operation, over 1,300 visitors were traced.

One of the largest CP boards ever found on the Tor network to date was Playpen. With over 215,000 members and more than 117,000 posts, the site was the largest ever brought down. By seizing it, the taskforce obtained more than 11,000 unique IP addresses coming from many places around the world. With the ability to pinpoint each and every one of them, the team using the NIT started the takeover.

Threat To Some, Threats To Many

While shutting down CP sites and catching pedophiles benefits many, researchers concluded that this hacking activity can be hazardous to many other users.

This serves as a warning to the computer security research community. It shows that the FBI somehow learned of research intended to be openly shared with a community that would fix the security flaws it exposed, and instead subpoenaed it to be used in secret to identify and arrest criminal suspects. And because the agents succeeded, they'll probably do it again.

"When you do experiments on a live network and keep the data, that data is a record that can be subpoenaed," said Matt Blaze, a computer scientist at the University of Pennsylvania. "As academics, we're not used to thinking about that. But it can happen, and it did happen."

This is an unexpected risk that academic, corporate and independent security researchers need to consider before gathering private data on witting or unwitting subjects, even if they plan to keep that data unpublished.

The FBI's subpoena could feasibly have gone beyond private data to include the actual Tor-cracking technique, and it may seem that the FBI needs this to run its surveillance techniques.

The strategy can in some way be traced to the Black Hat hacker conference in August 2014, where Carnegie Mellon researchers were planning to present their Tor-focused research. They described it as a serious vulnerability that would allow them to identify both Tor users and web servers that use Tor to hide their location, known as Tor hidden services.

"Looking for the IP address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know, because we tested it, in the wild…" the abstract reads. The researchers promised to "dive into dozens of successful real-world de-anonymization case studies," including Tor-hidden drug markets and child pornography sites.

Not long after that abstract was posted, the talk was pulled from the Black Hat conference schedule for no apparent reason. Then in November 2014, the FBI and Europol launched Operation Onymous to purge the Deep Web, taking down dozens of Tor hidden services, including Ross Ulbricht's Silk Road and other top drug markets.

At that time, the FBI agents who led that operation boasted that they possessed a new, secret technique for identifying Tor-hidden sites. To some, the list of IP addresses might have been collected by Carnegie Mellon's researchers.

"This is something we want to keep for ourselves," said the head of Europol's European Crime Center, Troels Oerting, at the time. "The way we do this, we can't share with the whole world, because we want to do it again and again and again."