Monday, January 15, 2007

You could be next! What was done to Matthew Bandy can happen to you.

The article we wrote about Matthew Bandy has spread far and wide on the internet. It generates a large number of hits per day, and I have found it being debated on numerous web sites. Most people seem to believe Bandy, but a few die-hards side with the police on this matter. So I am starting to look into the issues a bit more deeply.

Here are a few points to consider. At no point did the prosecutor describe the images, so we don't know what they contained. Some people have argued that nine images are too few to have been planted by a commercial distributor looking for a safe place to hide inventory. But we don't know whether such a distributor is using a hundred different computers, each storing a few images. Diffusing the inventory this way means that, unless something goes wrong, there are no obvious anomalies the computer's owner is likely to notice.

It could well be that the operators sell the photos to a client and then send a command to their host computers, each of which forwards the few images it stores to that client. If one host is detected, only that one storage point is lost and the operation continues with the others. And with hundreds of computers infected, police resources are spent investigating the victims of this activity rather than the perpetrators.

I have sent my story to an expert on computer security and asked him to appraise it; if he consents, I will post his comments here. In the meantime I have done some looking into the issue myself.

Here is an article from CastleCops on "child porn planting spyware" from 2005. They report that one company's forensics service grew by 70% in one year because of "viruses and spyware which can download pornography and other inappropriate material without users being aware of it." Such programs can change your bookmarks, steal information from your system, or download images onto your hard drive. They claim that 90% of Windows computers "harbour an average of 28 malicious programs" and that an audit of 1.5 million computers found "more than 41 million instances of spyware, Trojans and other malicious programs."

The article notes that more and more private businesses are realizing that inappropriate images on a computer may not be the work of an employee at all, but the result of an infection. In other words, the private sector is catching on while the police remain light-years behind the times. They tell of a school computer found with many such images. No one was sure whom to blame; it could have been staff, teachers or students. In the end it turned out to be none of them.

The Criminal Intelligence Service Canada reports that organized criminals "are forming more and larger botnets, or networks of computers with broadband Internet connections that are compromised by malware and are thus 'software robots or zombies.' These remotely-controlled attack networks undertake a variety of crimes: sending spam or phishing e-mails, hosting spoofed web sites for pharming scams, and distributing viruses or trojan horse software to facilitate on-line extortion or compromise more home computers for larger botnets."

And not even Apple Macs are immune anymore.

Spamhaus has listed the ten worst spammers around. What is interesting is that several are involved in using botnets to send out porn spam and child porn spam. They give names and, in some cases, photos of the culprits. Six are in Russia or Ukraine, one in Hong Kong, one in Israel and two in the US.

Now if there is a child porn spam operation using a botnet, it is entirely possible that Matthew Bandy's computer was hijacked for that purpose. The zombie computers would be told to send the images, along with a solicitation to purchase more, to the spam list. Not many images would be required for this. In fact the only images that "subscribers" might ever receive would be those in the spam.

Consider this possibility. A Russian gangster runs a scam with computers. Using malware he hijacks control of thousands of them and stores a few images on each. He then sends those computers a list of addresses that are to receive e-mails containing the images. No one computer is given too many addresses, because high volume from a single machine triggers spam blocks. Bandy's computer could have been one of them. It might have sent the images to 100 addresses and then gone quiet until told to send again to another batch.

Recipients get this e-mail with nine illicit photos and a solicitation to subscribe by credit card. Most people delete it, fearful that having the images would make them vulnerable to police investigation (and they would be correct). Some would report it. But the investigation does not lead back to the original source; it leads to individuals who did not know they were part of the spamming process.

The few people who subscribe find money being taken out of their accounts, perhaps repeatedly and in sums higher than they agreed to. They may cancel their card, but they won't go to the police; they can't without incriminating themselves. The gangster pulls in money, delivers no product at all, and has used a network of zombie computers to send out his solicitations. The funds vanish quickly. Accounts used for the purpose get closed. Names turn out to be bogus. And the operation continues under a different name with a different account. In Russia violence and bribery are very powerful forces (just ask Putin), and the gangsters now control the country.

One expert on the subject, James Coombs, says that anyone convicted of child pornography solely on the presence of items on their computer hard drive should be released from jail immediately. He says: "There is simply no way for law enforcement to know the difference between innocent and guilty persons based on hard drive data circumstantial evidence."

One botnet operator can control hundreds of thousands of computers without the knowledge of their owners. Jeanson Ancheta was just 20 years old, but in his first year of operating a botnet he pulled in over $60,000. The U.S. Attorney's Office said: "Ancheta admitted... directing more than 400,000 infected computers that were part of his botnet armies to other computer servers he controlled where adware he had modified would surreptitiously download onto the zombies." Included in Ancheta's army of zombies were computers owned by the US military.

Others have done the same thing for their own personal ends. Adrian Ringland would hang out in chat rooms and message teenage girls while pretending to be a boy of similar age. He would then trick them into downloading malware "which surrendered their PCs to his control. He subsequently swiped personal information from compromised PCs. Ringland then attempted to intimidate the youngsters into sending revealing pictures by exercising his control over their PCs to perform functions such as opening and closing the disc drive. Using threats that he'd send this embarrassing material to girls' parents or friends, Ringland blackmailed his victims into sending more and more explicit pictures of themselves."

He was caught. But this points to another way in which Matthew Bandy's computer could have been used. There need be no criminal gang selling, or pretending to sell, child porn. A single individual could have gained control of the Bandy computer and used it to store nine images he himself owned, viewing them now and then and afterwards returning them to storage, removing them from his own system. It could be one person wanting a safe place to keep illegal images where he would not be directly implicated.

I don't pretend to be an expert, but it seems to me that there are many plausible ways Matthew Bandy could have had no knowledge of the nine images found on his computer. Most of us who use computers are not knowledgeable enough to prevent our systems from being hijacked and turned into zombies, and few of us would notice if it happened.

That a hard drive can so easily be hijacked, and that millions have been, suggests that the laws on possession of illicit images turn innocent people into criminals without their knowledge. Instead of concentrating on possession, which is what law enforcement does because it is easier, the emphasis ought to be on production. The criminals who produce the material ought to be the targets. The mere presence of files on a hard drive indicates very little: without evidence of how the files got there and whether the owner ever opened them, the disk contents alone cannot distinguish a person who downloaded them from a machine that was used as someone else's storage. In many places, especially the United States, where many Constitutional protections have been eroded, possession is flimsy evidence on which to hang a conviction, particularly when so many U.S. states impose such long prison terms. Remember that Matthew Bandy was charged with nine counts, each carrying a 10-year sentence to be served consecutively. Had he been convicted he could have been held in prison until he was 106 years old.

There is also something worrisome here, unless you have total trust in the government. It is relatively easy to target individuals who are troublesome to you: plant images on their computer without their knowledge, then arrest them and send them to prison based on the contents of their hard drive. Nor need it be the government doing this as part of some campaign against dissidents. Anyone with access to your computer for more than a minute or two could do the same thing. One anonymous phone call later, and you could find yourself facing life in prison.

UPDATE: A computer security expert has confirmed for us the reasonableness of Matt Bandy's defense. You can read his report to us here.
