I have given 20 presentations this year and that was only in the first half of 2016 (although, I have not scheduled anything for the remainder of the year to finish some projects).

In each of the presentations, whether the attendees were parents, children, law enforcement, or digital forensics analysts, I have always been able to give really good examples of compromises.  On the day of the presentation or day before, I search for a recent breach and will most always find a good one.  If I search a day after the presentation, I sometimes find a new breach that would have also been a good example of a hacking incident.

So for the cybercrime preventation talks, I tell everyone that anyone can be a victim no matter what you do.  Sometimes you are specifically targeted and other times, you fall into a group of victims from a third party breach.  And the more 'third party' accounts you have, the more risk of having your personal data exposed.  For example, if you have a T-Mobile phone, Premera for health insurance, applied for a government security clearance, shop at Home Depot, and ate at Wendy's, you potentially have had your personal data or credit card information compromised five times by doing absolutely nothing wrong.

Never thought I would still see this happening…

http://www.ibtimes.co.uk/seattle-police-raid-home-privacy-activists-who-maintain-tor-anonymity-network-node-1552524

I have personally seen warrants served on the wrong address on two occasions.  The first was a drug investigation where the lead detective went to the wrong door to an apartment.   The warrant was correct in having the correct address, but the detective didn’t take the time to check the numbers on the door…

The second time I witnessed a wrong door entry was when the lead detective had the wrong address on both the search warrant and affidavit.  The detective never even corroborated the information to find the right address.  Basically, the detective looked down the street and picked the house she thought was the drug dealer’s house.  After SWAT kicked in the door and broke a few things in the process, it took all of 5 minutes to realize that it was the wrong house.  The drug dealer was on the next street over…the victim house got a new door from Home Depot and carpet cleaning paid for by the task force.  

Both of these warrants taught me something that I will never forget.  Before you kick in the door, make sure you got the right door.  After you make sure you got the right door, make sure again.  Then ask your partner to double-check that you got the right door. Then get a warrant and kick it in if the suspect doesn’t open it for you.

After investigating drug crimes, I went into cyber cases.  The same fear of entering the wrong house became even more worrisome since relying on IP addresses is not the same as relying on your eyes. You have to rely upon a fax from an Internet service provider for the address.  In an investigation case of following a suspect to his home, it is easy to physically see the house for which you plan to swear to in an affidavit.  But with an IP address, you have to rely on some third party service provider to give you the subscriber at the physical address where the IP address exists and trust that the information is accurate. That is at least one step before swearing to an affidavit to ask for authority to force your way into someone's home.  Investigators must still confirm that their suspect and/or evidence is at that particular and specific address, which requires at least some legwork to confirm the physical address.

When Tor is used by a criminal, relying on the IP address is worse than a bad idea, especially since it is so common knowledge that an exit node on the Tor network has nothing to do with the origin of any data that flows through it, other than the data flows through it.  I have taught and wrote about Tor as it relates to criminal/civil investigations for several years now, each time repeating:

IP address ≠ a person

MAC address ≠ a person

Email address ≠ a person

Tor IP address ≠ the address you want

CSI Cyber regularly does one thing right…whenever the cybercriminal uses Tor (proxies) on the show, the Hollywood FBI hackers don’t even try to trace it because they know that a proxy is not going to lead back to the cybercriminal.   They then resort to other means to find the cybercriminal before the hour ends.  Not that any of their other methods are realistic, but at least they got Tor right.  Anyone watching CSI Cyber even one time is exposed to explanations that tracing cybercriminals using Tor is virtually impossible.  This is the “CSI effect” in reverse.

Since TV show viewers can figure it out, you can imagine my surprise seeing this tweet today:

Rousted 6 am naked out of bed by @SeattlePD. Warrant to search for child porn. They knew the IP address was a #Tor exit, came in anyway.

— David W. Robinson (@jdormansteele) March 30, 2016

I don’t have access to the case reports, nor know anyone involved, but the one thing I can tell is that if this case was based on an IP address alone, I cannot fathom why no one checked to see if the IP address was a Tor exit node.  Checking a Tor exit node takes about 10 seconds.  The Tor Project even helps and provides everything you need.

https://check.torproject.org/cgi-bin/TorBulkExitList.py

Certainly, there are probably other details that could have led to going to the ‘wrong’ house, but running a Tor relay should not be one of those details.  At least currently, it is not illegal to run a Tor exit node.

The best analogy I can give to how relying on a Tor exit node to accurately reflect the physical address is that using an envelope.  Consider a criminal committing a crime through the mail (mailing drugs or something like that).  Instead of putting his address as a return address, he puts your address as the return address, drives to another city, and drops the package in a mail box on the side of the street.  Let’s say the police seize the package of drugs at its destination and then kick down your door because your return address was on the package.  Any investigator charged with tracking criminals online must (not should) be aware of how Tor works.  Even in the private sector investigating employee misconduct, or IP theft, knowing how Tor works is mandatory when IP addresses are involved.  You just can't get around knowing it unless you don't mind kicking down the wrong door one day..

https://www.torproject.org/about/overview.html.en

On side note, I am one of the biggest advocates of those who have the job of tracking, investigating, arresting, charging, prosecuting, convicting, and incarcerating predators of children.  I have not a bit of compassion for these criminals and I cannot imagine anyone feeling any different.

Coincidently, I gave a presentation on this very topic at an ICAC conference in the Seattle area last year…oh well.

UPDATE: APRIL 8, 2016

Link to the search warrant affidavit:  AFFIDAVIT

There always comes a time when an obscure, yet important concept, leaves the technical world and enters the main stream.  Recovering deleted files was one of those where we pretty much knew all along not only that it can be done, but that we have been doing it all along. The Snowden releases were another aspect of ‘yeah, we knew this all along, but the GFP (general f’ing public) was oblivious.

Encryption is just the most current ‘old’ thing to make the limelight.  Whenever something like this happens, there are ton of people ringing the end-of-the-world bells, clamoring that national security will be lost, and personal freedoms take a back seat to everything.  It happens all the time and when it happens, there is a fire to make new laws on top of thousands of other laws, in which the promise of better safety and security is as strong as a wet paper bag holding your groceries on a windy and rainy day.

Legally, it is super easy to ban, control, and/or regulate encryption. A stroke of the pen with or without citizen oversight can make it happen quickly and painlessly.  One signature on the last page of a law that is a ream in size is all it takes.

Practically, it is impossible to completely eliminate or control or regulate encryption.  The only thing laws will do is restrict the sale of encryption products by corporations.  Encryption exists in the minds of mathematical practitioners and can be recreated over and over again. You can't blank out someone’s brain (I hope not…).  Encryption is available everywhere on the Internet, from software programs that are FREE and OPEN SOURCE to download and even in TOYS that can be bought off Amazon.com.  These 'toys' work by the way.

Go ahead and ban encryption and people will just buy a $10 toy to create cipher text for emails.  Tor use will skyrocket as will third party online privacy providers operating in safe harbors overseas.  Banning encryption or breaking the trust of companies like Apple will only result in loss of business for corporations and (more) loss of trust by consumers of both corporations and government.  Even if encryption is not banned, but under the complete control of any government, that particular piece of technology won’t be used for anything other than entertainment. No business is going to transmit sensitive intellectual property data through an insecure system.  No government is going to use a system that can be more easily compromised by enemies or hackers.

The end result of banning encryption is creating a whole new class of “criminals” who just want to protect their private communications.  “Private” does not mean “illegal”.  Controlling the source code of Apple is only going to cause Apple to end up with 3 employees who will their only customers.  Not even the government will use Apple if they know the source code has been compromised...especially if compromised by the government itself.

Not long ago, I gave a presentation on Internet investigations to a group of law enforcement investigators.  One of the first questions I asked was 'Given authority and ability, what would like to see done in regards to the Internet?".  Most answers were to 'lock it down', 'watch everything', 'control it all', and "give government complete control".  At the end of the presentation, no one felt that way after I explained how that will negatively affect everyone down to the individual person business, including the government.  Ignorance may be bliss, but that doesn't make ignorance a good idea.

If this 'ban encryption bandwagon' keeps going, the next thing we will see is envelope regulations requiring the paper to be transparent, just in case the government needs to read your mail without opening it.