

12.3. Getting in Over Your Head

The forensic techniques that I have described can be applied to any email message or web site. My focus has been on Internet fraud and spam but there are many other targets in which you might be interested. You might be curious about how a legitimate web site is set up or you might want to ensure that your own site is not inadvertently disclosing confidential information. It is my hope that readers will find new ways in which to use the techniques, and by doing so, advance the field of study. But I want to caution you in regard to two specific areas: child pornography web sites and those of extremist political or paramilitary groups.

12.3.1. Child Pornography Sites

The Internet has made child pornography more available than ever before. It represents a terrible exploitation of the children that are involved in the production of the material, and it puts countless more at a greatly increased risk of sexual assault. Anyone that has witnessed the effect of child sexual abuse on their family or friends will know the all-consuming desire to do something to stop it ever happening to anyone again.

Uncovering information about child pornography web sites would seem to be a worthwhile use of the techniques described here. Indeed, the most widespread and successful application of Internet forensics thus far has been the investigation of these sites by the law enforcement agencies around the world. But while there is the potential for non-professionals to assist in this effort, I would strongly caution readers to leave this area of investigation to the authorities.

The problem is not so much the difficulty of tracking these sites, or even the emotional distress that you might put yourself through investigating their contents, although that should not be underestimated.

The issue is that your activities might be monitored and misinterpreted. A tactic that is widely used by law enforcement is to create fake child pornography sites, which they use to track and identify people that seek out and download that type of material. The fake sites are termed honeypots for their ability to attract and snare specific types of visitor. The web servers record detailed information about every visit to the site. Law enforcement personnel will then contact the ISP associated with each visitor and attempt to identify the individual involved. The approach has proven very successful in recent years. Law enforcement agencies in multiple countries have been able to combine their efforts to shut down large organized child pornography operations. Prosecutors have been vigorous and effective in convicting both the purveyors and consumers of the material.

In visiting a child pornography site, with the sole intent of uncovering its operation, you run the risk that it is actually one of these honeypots and that your pattern of browsing may identify you as a suspect. Not only would this divert law enforcement resources away from the real targets, but it could involve you in a world of trouble.

This is not a hypothetical concern. In January 2003, Pete Townshend, the rock musician and guitarist with The Who, was arrested in the United Kingdom as part of a very large international investigation called Operation Ore. He was one of 1,600 people arrested in the United Kingdom alone as part of that crackdown. He admitted using a credit card to access images on a pedophile web site but insisted that he was researching the issue as part of a campaign against child abuse.

A four-month-long police investigation concluded with him being cautioned and placed on the Sex Offenders Register for five years. While the police accepted his explanation, they issued a clear statement, "It is not a defence to access these images for research or out of curiosity." The publicity surrounding the case was extremely damaging to Townshend. While his personal reputation led many people to give him the benefit of the doubt, the same consideration would not be given to an ordinary citizen.

This is an area that should be left in the hands of law enforcement and I caution you strongly against investigating these sites.

12.3.2. Extremist Web Sites and Vigilantes

Since its inception, the Internet has provided a way for people around the world to voice their opinions and ideas, some of which other people find deeply offensive. This freedom of expression is viewed by many of us as a triumph for the technology, but others view it as a threat.

Most reasonable people view web sites that take a political stance on an issue as a valuable contribution to the overall debate, whether or not they agree with that position. But where those sites promote extremist views, we may find ourselves weighing freedom of expression against a profound personal discomfort with those opinions.

There are countless examples of this dilemma. In the United States, those of neo-Nazi and white supremacist groups are perhaps the best known. That notoriety has been challenged by a new class of web site that has emerged from the aftermath of the Iraq war and the subsequent insurgency. Pro-insurgency groups have made extensive use of web sites to promote their cause, most notably by posting video clips that are subsequently picked up by television news organizations. Although few of us seek out these sites, most of us are familiar with, and have been repulsed by, video clips that show car bomb explosions and the barbaric execution of civilian hostages.

The response of some people is to seek the removal of these sites. Their argument is that by allowing their expression we passively support the violence that they promote. At least one group is already using the techniques of Internet forensics to uncover details about the sites it views as offensive. Internet Haganah (http://haganah.org.il) is a web site based in Illinois, which describes itself thus:

Internet Haganah is a global open-source intelligence network dedicated to confronting internet use by Islamist terrorist organizations, their supporters, enablers and apologists.

The site and its creator, Aaron Weisburd, were profiled in the Washington Post in April 2005 (http://www.washingtonpost.com/wp-dyn/content/article/2005/04/24/AR2005042401062.html). Using the same sorts of techniques that I have described here, Weisburd and colleagues track down the ISPs that host sites they deem to be offensive and seek to have them shut down. Visitors to the site are encouraged to contact these ISPs themselves to help in their effort to rid the Web of such sites. They claim to have shut down more than 600 sites.

For me, this use of Internet forensics crosses the line into vigilantism, and I find that deeply troubling. There are several reasons for this. First is my personal view on freedom of expression. I follow the famous quote that is often attributed to Voltaire, apparently incorrectly, which goes something like, "I despise your views but I will die for your right to express them." Shutting down these sites is a form of censorship and I am fundamentally opposed to that.

Sites that may be committing a criminal offense, such as raising funds for a terrorist group, require careful evaluation and action by law enforcement. Individuals trying to get these sites shut down run the real risk of derailing criminal investigations and thereby aiding the very people they wish to defeat. The Washington Post profile includes two quotes echoing that concern, one of which is from the FBI.

Perhaps most troubling is that the operator of this site is making unilateral judgments about the nature and intent of other web sites and then acting on that in order to silence them. There is no opportunity for review or appeal against that assessment. In marked contrast, operators of spam blacklists such as Spamhaus go to great lengths to ensure their actions are correct, and even they occasionally make mistakes. While some sites may be clearly breaking the law in promoting terrorism, others may be much more equivocal. The range of sites that Internet Haganah goes after appears to be much wider than that. I use the term "appears to be" because I cannot read Arabic and cannot assess the content of these sites. Unfortunately, according to the Washington Post article, neither can Weisburd.

Although Internet Haganah operates completely within the law, there is a risk that its readers may take things one step further and actively try to disrupt the operation of a target site. This could be achieved by breaking into the server and defacing the home page or by overloading the server using a denial of service attack. In the latter, one or more client machines submit large numbers of simultaneous requests for web pages to the extent that the server is unable to service all of them. A legitimate user is unable to access the site because of all this activity. The Washington Post article describes one incident where a web hosting company in California fell victim to this sort of attack after a site that it hosted was identified by Internet Haganah.

I understand the concerns that motivate this site, but to me the mandate that it has given itself goes too far. Working to shut down criminal activity is one thing, suppressing legitimate political dissent is quite another. Internet Haganah appears to lack a clear distinction between these two, which I find very troubling.

As you apply the techniques that you learn from this book, you need to consider the issues that arise from their use and draw your own conclusions. Technology is only part of the big picture.



Internet Forensics
ISBN: 059610006X
EAN: 2147483647
Year: 2003
Pages: 121
