Dark-web pedo jailed after FBI and co use vid trick to beat privacy tech

Bloke thought he was safe on anonymizing network. Now he's in the cooler for 13 years

A US bloke was jailed for 13 years on Wednesday for sharing pictures and videos of child sex abuse on the dark web.

Despite using an anonymizing network, such as Tor, to hide his location and cover his tracks on the internet, he was eventually nabbed by pedo-hunting cops – after he watched a crafty video that, we're told, leaked his public IP address. That led the FBI to his front door – and through it.

Roy Harvender Jr was a member of what is referred to as Website 19, a site on the dark web that operated between early 2012 and December 2014. It had 105,651 registered users. Pervs had to provide fresh child pornography in order to maintain their access to the site. Under the username "ricenbeans," Harvender, 59, of New Castle County, Delaware, was an active member of Website 19, and posted indecent images of kids as young as four years old.

According to FBI Special Agent Michael Lipsner [PDF], in June 2014 an unidentified foreign law enforcement agency – codenamed FLA 1 – arrested a member of Website 19, and used his account details to identify the location of the server hosting the website. Police in a second country seized the site's machine, and cuffed the operator, who agreed to cooperate.

With the computer in their hands, the cops continued to run the underground Website 19 to snare other perverts.

"Acting independently and in accordance with its own national laws, FLA 1 assumed control of Website 19 in September, 2014 and began operating the site from a computer server in its own jurisdiction," Agent Lipsner told a Delaware court. "Website 19 operated under control of FLA 1 until the first week of December, 2014, when Website 19 ceased to operate."

There's nothing new in police operating these kinds of sites. The FBI briefly ran Playpen – practically the Facebook of pedos – and various other kiddie porn exchanges, after seizing the servers. The agents used their newly found administrator privileges on those boxes to infect visiting web browsers with NIT trackers: this spyware was designed to unmask people hiding behind Tor – a move that landed the Feds on shaky legal ground. Some suspected pedophiles walked free from court after defense lawyers challenged the evidence gathered by NITs.

Video killed the anonymity star

Meanwhile, FLA 1 tried a different technique. In November 2014, the agency posted on the Website 19 forums a link to a specially crafted child abuse video. When users hit the URL, they were warned they were accessing stuff on another website: at least one person clicked through.

From what we can tell, when the video loaded up, it somehow automatically opened a second network connection, this time to a server monitored by the police. This secondary connection did not go through any anonymizing networks, and thus leaked the public IP address of the otherwise cloaked viewer.

We'd expect pedos to set up their computers so that all connections are routed through anonymizing networks, such as Tor, and therefore streaming this particular video, even on a separate site, should not reveal one's true IP address. However, this video appears to have bypassed that. The Feds don't say which network was targeted – it could be Tor or I2P or similar – nor exactly how the unmasking mechanism worked.

"FLA 1 advised the FBI that in early November 2014, acting independently and according to its own national laws, FLA 1 uploaded a hyperlink to a file within a forum on Website 19 that was accessible only to registered members of Website 19," Agent Lipsner told the court.

"The hyperlink was advertised as a preview of a child pornography website with streaming video. When a Website 19 user clicked on that hyperlink, the user was advised that the user was attempting to open a video file from an external website. If the user chose to open the file, a video file containing images of child pornography began to play, and FLA 1 captured and recorded the IP address of the user accessing the file.

"FLA 1 configured the video file to open an internet connection outside of the [Tor] network software, thereby allowing FLA 1 to capture the user's actual IP address, as well as a session identifier to tie the IP address to the activity of a particular Website 19 user account."

It is certainly possible the video contained malicious code that exploited a security vulnerability to open an unprotected connection when the vid was played, thus ratting out the viewer – but this is perhaps a little too high risk and too unreliable for this operation. Instead, a URL embedded in the video metadata or its webpage, or something like that, may have been automatically fetched while the material was playing, spilling the public IP address to a web server controlled by the plod.

At least one of those leaked public IP addresses was located in the US, so FLA 1 got in touch with the FBI, who got an administrative subpoena requesting subscriber information from Comcast for that address. After a series of investigations, the FBI fingered Harvender as the source of the connection, and applied for a search warrant of his home.

Inside they found a laptop and two USB drives containing hundreds of images and videos of children being sexually abused. They arrested Harvender, who waived his Miranda rights and admitted being a member of the website, but denied knowing that possession of child pornography was illegal.

In October last year, Harvender pled guilty to one count of distribution of child pornography. On Wednesday he was sentenced to 13 years in prison, followed by 10 years' probation. He will have to pay $5,000 in restitution to each of his victims – if they can be found. ®
