nanog mailing list archives

Re: William was raided for running a Tor exit node. Please help if you can.


From: Jeroen Massar <jeroen () unfix org>
Date: Fri, 30 Nov 2012 14:04:07 +0100

On 2012-11-30 13:51 , Joakim Aronius wrote:
* Will Hargrave (will () harg net) wrote:

On 29 Nov 2012, at 20:53, George Herbert <george.herbert () gmail com>
wrote:

The assertion being made here, that it's somehow illegal (or
immoral, or scary) for there to be not-completely-traceable
internet access in the US, is absurd.

The real issue here is *not* the legality of the act of providing a
Tor exit node, or an open access point, or anything else. In
sensible countries that is perfectly legal. The problem here is the
reality of undergoing a criminal investigation.

It could also be the case that they think the person running the Tor
exit node is the actual perpetrator, i.e. it's needed to seize all HW
to get the kiddie pr0n. Is it even possible for a network sniffer to
distinguish between Tor exit traffic and his own traffic?

Not easily, as TCP connections originate from the box itself.

Hopefully he will get it all back but it will most likely cost both
time and money to explain Tor to the Austrian judicial system.

According to http://raided4tor.cryto.net/ he at least got a full list of
what was confiscated including the various weapons in his possession,
that in combo with the owning of a safe deposit box (which was not
searched) with amongst others cash is an interesting part in personal
security IMHO though ;)

Think carefully about the impact of having everything in your life
which runs an operating system taken away. Phones. Tablet. Laptop.
Servers. All portable drives, data. If you rely on that hardware
for your income (and who doesn't?) you're going to have to buy all
of that again. And restore your data, if you are able.

Actually they did not take anything away that was really related to
what was detected.

The IP that the connection to the (apparently monitored or owned by the
$investigators) CP website came from was a rented server in Poland.
He apparently was notified that that exit node was being used for abuse
and thus 'closed it because of the hacking through it' (which really is
not helping when you still run others and looks a lot like you have
something to hide to me...)

All the other servers he apparently runs in the US and Hong Kong etc are
still up and running too.

Thus the computer things confiscated were effectively unrelated to the
IP that triggered them to look at it.

On 2012-11-30 13:58 , Rich Kulawiec wrote:
On Thu, Nov 29, 2012 at 08:04:02AM -0500, Chris quoted (William):
Yes, it happened to me now as well - Yesterday I got raided for
someone sharing child pornography over one of my Tor exits.

Question: what evidence has been published -- that is, placed somewhere
that we can all see it -- that substantiates the claim that child porn
traversed the node in question?

The moment you can see that it is real CP you have seen CP.

Do not ask for that. There are special people who have legally signed
documents and agreements that investigate this.


Followup question 1: if no such evidence has been produced, then
why should we believe that it exists?  Extraordinary claims require
extraordinary proof.

What likely is the case, from what I understand, is that the server
hosting the CP was being either monitored or operated by $investigators.

Followup question 2: if the goal is to identify and apprehend the
perpetrators of child porn (and that's a good goal) then why would
the police raid this operation?

Because they maybe think he originated it, see also the note above of
closing the Tor exit that (allegedly) sourced the request(s).

Would it not make far more sense to
take advantage of the operator's knowledge and experience and quietly
ask for his/her cooperation *while leaving the node running*?

He already closed the node, apparently due to hacking happening through it.

But that would not help anyway, as it is Tor, thus unless you are really
really good there is nothing to see there as you'll never find out who
originated the connection through Tor.

Followup question 3: what evidence in front of us allows us to clearly
discern that this is what it purports to be and not simply an attempt
to shut down a Tor node (and intimidate the operators of others)
by using a plausible excuse based on a universal hot-button issue?

The owner (the William person this is about) shut it down himself.

See the blog mentioned above for more details from his side.

Greets,
 Jeroen

