WIkileaks: My Life In Child Porn

[Ehtyar]

An anonymous individual recently posted this account of his/her involvement in the child pornography industry to the public. The account was not in english, but has since been translated and posted to Wikileaks. It has revealed a wealth of information to the general public about the inner workings of child pornography as an industry/business model.

This thread should be about the technical aspects of this story only, with no political or personal undertones. As such, I've made quotes of the more technical portions below. It is a long account, but I encourage everyone to read the quotes made here (the 3rd one in particular), and those of you with stronger personal conviction to read the entire article (via: Schneier on Security).

As the Internet age in the '90s began, pictures were initially exchanged via specific NNTP newsgroups.
...
In addition to NNTP, forums emerged as a social meeting place and as a means to exchange plenty of files and links. From 2002 LS Studios was founded - a group of Ukrainian businessmen and professional photographers.
...
The models were even recruited through TV and newspaper ads. The photo quality and professionalism exceeded anything previously published. LS Studios published over half a million images and hundreds of videos on dozens of websites. In 2004, under the pressure of and with the help of the FBI, LS Studios was closed. The prosecution was discontinued and there was no one convicted.

As the real Internet business emerged in the late 90s, it was very easy to enter into this business. I remember the people of Site-Key.com from St. Petersburg that did much business in 2000. They had a Delaware Corporation in the United States, a Visa and MasterCard merchant account with Card Service International in California, and they ran all the payments via the U.S. through a gateway link from Linkpoint. But there were not only Site-Key but still a lot of other vendors. One of them provided services particularly for the distributors of hardcore child pornography.
...
This second company (IWest) had their headquarters in Israel and did their billing through Israeli banks which were aware of the scheme (until Visa withdrew the license from some Israeli banks, some have even settled for CCBill for whom it did not matter what was paid for, the main focus being that money was moving. Some Russian / Israeli citizens were never particularly choosy...). There was no problem to bill for any kind images, and the hosting of nude images was not a particular problem for these companies - let alone for the Non Nude Models. At this time almost 100% of the websites were hosted in the United States because it was the only place where it was affordable. The Web sites have generated such traffic, that a human being can hardly imagine how big the interest really is. I have the 2001 statistics of a website containing naked pictures of children and adolescents. During the month of June 2001, a total of 200 million visits to the site took place (this is not page views, but unique visitors but on a daily scale - it is likely that a good part of visitors this month visited the site on many days and have been counted multiple times. My estimate is that there were about 15 million unique visitors during this month). The ratio between visitors and buyers, however, is very small. The same site in June 2001 a turnover of approximately U.S. $ 60,000 made at a price of about $ 30 which is approximately 2000 customers.

An essential part of today's commercial child pornography is now hosted in Germany and distributed from Germany. If this is for you a shock, then I will explain how this works, and the authorities can do absolutely nothing except for the stupid ideas people muck:

Today's schemes are technologically very demanding and extremely complex. It starts with the renting of computer servers in several countries. First the Carders are active to obtain the credit cards and client identities wrongfully. These data are then passed to the falsifiers who manufacture wonderful official documents so that they can be used to identify oneself. These identities and credit card infos are then sold as credit card kits to operators. There is still an alternative where no credit card is needed: in the U.S. one can buy so-called Visa or MasterCard gift cards. However, these with a certain amount of money charged Visa or MasterCard cards usually only usable in the U.S.. Since this anonymous gift cards to buy, these are used to over the Internet with fake identities to pay. Using a false identity and well-functioning credit card servers are then rented and domains purchased as an existing, unsuspecting person. Most of the time an ID is required and in that case they will simply send a forged document. There is yet another alternative: a payment system called WebMoney (webmoney.ru) that is in Eastern Europe as widespread as PayPal in Western Europe. Again, accounts are opened with false identities. Then the business is very simple in Eastern Europe: one buys domains and rents servers via WebMoney and uses it to pay.

As soon as the server is available, a qualified server admin connects to it via a chain of servers in various countries with the help of SSH on the new server. Today complete partitions are encrypted with TrueCrypt and all of the operating system logs are turned off. Because people consider the servers in Germany very reliable, fast and inexpensive, these are usually configured as HIDDEN CONTENT SERVERS. In other words, all the illegal files such as pictures, videos, etc. are uploaded on these servers - naturally via various proxies (and since you are still wondering what these proxies can be - I'll explain that later). These servers are using firewalls, completely sealed and made inaccessible except by a few servers all over the world - so-called PROXY SERVERs or FORWARD SERVERs. If the server is shut down or Someone logs in from the console, the TrueCrypt partition is unmounted. Just as was done on the content servers, logs are turned off and TrueCrypt is installed on the so-called proxy servers or forward servers. The Russians have developed very clever software that can be used as a proxy server (in addition to the possibilities of SSL tunneling and IP Forwarding). These proxy servers accept incoming connections from the retail customers and route them to the content Servers in Germany - COMPLETELY ANONYMOUSLY AND UNIDENTIFIABLY. The communication link can even be configured to be encrypted. Result: the server in Germany ATTRACTS NO ATTENTION AND STAYS COMPLETELY ANONYMOUS because its IP is not used by anyone except for the proxy server that uses it to route the traffic back and forth through a tunnel - using similar technology as is used with large enterprise VPNs. I stress that these proxy servers are everywhere in the world and only consume a lot of traffic, have no special demands, and above all are completely empty.

Networks of servers around the world are also used at the DNS level. The DNS has many special features: the refresh times have a TTL (Time To Live) of approximately 10 minutes, the entries usually have multiple IP entries in the round robin procedure at each request and rotate the visitor to any of the forward proxy servers. But what is special are the different zones of the DNS linked with extensive GeoIP databases ... Way, there are pedophiles in authorities and hosting providers, allowing the Russian server administrators access to valuable information about IP blocks etc. that can be used in conjuction with the DNS. Each one who has little technical knowledge will understabd the importance and implications of this... But what I have to report to you is much more significant than this, and maybe they will finally understand to what extent the public is cheated by the greedy politicians who CANNOT DO ANYTHING against child pornography but use it as a means to justify total monitoring.

But how, specifically, child pornography is sold? As the operators cannot resort to door to door knocking and market their sites this way, they had to work out other ways to sell. There used to be links in forums, toplist, advertisements in newsgroups, etc. Today, the answer is SPAM. The revenue from the child porn business are divided into 40-60% for the payment processor and the bank (percentage rate will depend on how hard the material is), 20% of the operator and 20% of the marketers (in this case, spammers). Spammers use millions of email addresses of interested people - the lists of earlier payment processors they have. But hackers have also obtained huge client lists of large companies and sold the email addresses to spammers.In order to send spam trojan-infected (zombie) computers are used. But zombie computers have yet another use: it will be used in a targeted fashion to steal identities. They even use the computer of the user whose identity is stolen to conduct credible transactions such as purchase of domains, etc. But that is not everything: the installed Trojans are sometimes used as a SOCKS proxy to upload CP. The Russians have even worked out a schema to use infected computer as a network combing these infected computers (each computer would be part of a huge, redundant cluster) as a kind of huge, distributed and remote servers can be (a kind of Freenet Project, however, by using infected computers as the nodes). I want to make one thing clear: if you have an email address, there is a possibility that there is child pornography on your computer because you have received CP advertising. And if your computer is not 100% safe against Trojans, viruses and rootkits, there is the possibility that your computer is part of the vast child pornography network.

Same as for the content servers, logging is turned off on the proxy and forwarding servers, residing in Truecrypt containers. The Russians have developed very clever software for proxy servers (in addition to the possibility of SSL tunneling and IP Forwarding). This proxy accepts incoming connections from the customers which are then tunneled to the Content Server in Germany - completely anonymous and unidentifiable. The link can even be configured for encryption. Result: the server in Germany NEVER APPEARS PUBLICALLY AND STAYS completely anonymously because he never appears with its IP except to the proxy servers that are configured to send the traffic back and forth like through a tunnel - using similar technology like large enterprise VPNs. I stress that this proxy servers are installed everywhere in the world and only consume a lot of traffic, have no special demands, and above all are completely unused.

At the DNS level there also is a network of servers around the world. The DNS has many special features: the refresh times have a TTL (Time To Live) of approximately 10 minutes, the entries usually have multiple IP entries in a round robin procedure, and at each request rotates the visitor to any of the forward proxy server. But the real specials are the different zones of the DNS with extensive GeoIP databases linked to it ... Also, there are pedophiles in authorities and hosting providers, allowing the Russians server administrators access to valuable information about IP blocks that was built into the DNS database. For everyone with a little technical knowledge it is extremely important to understand the implications of this... But what I will have to report is much more significant than this, and maybe they will finally say to what extent the public is being twitted and cheated by the greedy politicians against child pornography that can not do anything about it, but make into the means to an end, justifying State surveillance.

...

In recent years I have watched as authorities - due to a lack of knowledge (and motivation) - and judges (due to ignorant shirtsigtedness) have wrongly suspected and very often also convicted thousands of people. There were fathers destroyed, families ruined, and people event committed suicide. Masses of accused people have even admitted guilt (although innocent) in order to avoid public humiliation in a court and additional damages resulting from it. One of the first big story was the alias of Landslide Operation Ore case. Allegedly 70,000 users had purchased child pornography from Landslide. The only ones that were really pleased were the Russians. Landslide had nothing to do with child pornography. But because Landslide developed a portal where also money was transferred, the Russian operators had opened accounts frequently and then tried to sell child pornography under these accounts. The manager of Landslide was extremely naive and did not have enough control over the accounts, payment processing and fraud. He did not notice that several credit cards were charged more than once, that client IPs did not match with the issuing bank, etc. - the CEO of Landslide was himself the victim of a gigantic fraud. The fact is that the CP operators had made a deal with the Russian Carders who got their credit cards and identities from the U.S. mafia (more specific information is given in the accompanying article from PC Pro). Under these CP accounts thousands of scammed and stolen (with the help of a trojan) credit cards were used so they brought the company Landslide insane revenues. But they were all stolen credit cards. Since it was already too late for Landslide and for thousands of innocent people, this meant the end of family life, loss of employment and even the end of any hope that led to a subsequent suicide. Much worse is that the U.S. police manipulated the website of Landslide AFTERWARDS (this is best described in PCPro).

But it gets worse: the New York state prosecutor Cuomo has started negotiations with the private company Media Defender (Anti-P2P Piracy Solutions) in California to look for people that exchange child pornography via the P2P networks. The aim, therefore, is to give the task of evidence collection and denunciation of Internet users to a company in the private sector. According to U.S. law, the company itself is not allowed to search specifically for child pornography, but this does not bother the U.S. prosecutor - ultimately it is for a good cause, isn't it? Media Defender is also a company with strong connections to film and music industry - it is the same company that pushed the conviction of children downloading music illegally on the Internet.

SOURCE: http://www.wired.com...mediadefender_police

Based on my descriptions so far it should be clear to anyone sensible reading this that filtering and censorship make absolutely no sense. The Russians are well-informed about countries such as Denmark and Sweden and know which sites are on the blacklists and how the filtering systems work. A few weeks ago, a strictly secret blocking list appeared on the Internet at: http://scusiblog.org...e_15012009txt.sorted

It is the blacklist of 15 January 2009 from Denmark. As you can see, these lists are very confidential ... If you are looking for child pornography is, you should send the Danish police a thank-you letter for the hot tips. But what is immediately obvious is that this list does not contain only illegal child pornography sites. I have not, of course, checked all domains. Most of these have been defunct since times immemorial (but they are still listed - this will surely make next owner of the domain happy if the domain is ever purchased again). It is worth noting that some sites with flat-chested adult models are blocked. Even some gay sites are listed, or sites that have adult models that look young (even sites participating in a proof-of-age program and operating within the EU). I wonder, therefore, on what legal basis these adult sites with verifiably adult (but young-looking) models are put on the blocklist and even more how the discrimination of these models as adults is justified. Since it is not justifiable, only mendacious arguments can be used: A job for the anti-constitutional Mrs. von der Leyen, Mr. Schaeuble or Schünemann. They use the tax money for this purpose and to pay themselves big fat pensions in the future.

As I have written so far, the whole promotion of child pornography is done via spam (or publisheded list of domains blocked by the police :-). The spam mails sometimes also come with images. Even if you do not read the emails and everything ends up in junk folders there is still the possibility that child pornography images are saved on the hard drive. A different situation is when the computer has become infected and is a zombie - then all doors are, so to speak, open and the computer can even be used for the active dissemination of child pornography. Those who buy child pornography find links in the spam ads - most of them will lead to portals. On these portals, but also in forums and newsgroups, there will be advertisements for security solutions that enable you to evade tracing AND FILTERING. There are commercial offerings for foreign, uncensored DNS servers but also for VPN solutions (eg www.strongvpn.com). In these VPN solutions an encrypted tunnel is established between the client and a server without logs, and under a false identity somewhere in the world - the connection may even go through more countries. Even if the (impossible) suggestion of Mr. Schünemann was implemented, there would be absolutely simple methods to circumvent it. Since Server 2008 Microsoft came out, there is virtualization. There are commercial offers where no child pornography is actually bought but a virtual workstation is a leased on which there is a great gift: a workstation full of videos and files ... The connection can be established very quietly via Windows Remote Desktop or VNC. No files are trasmitted between the computer of the customer and the server - only keyboard commands and screen content - usually in encrypted form and without the slightest trace about what you have viewed. Since the screen of a computer located e.g. in Russia can be displayed on a PC in germany, the customer will automatically bypass any filtering, censorship and surveillance by the German government. Well, the distributors of child pornography can even calmly sell virtual machines - against which Visa and MasterCard certainly will have nothing ... When the customer then connects to the virtual computer, he finds a nice file that is nothing else than a TrueCrypt Container for which he also received the password to open it. The container can also calmly sit on his home computer after transfer and because nobody knows what it is, he remains just a user like millions of others. The Russians have been producing complete solutions for about 4 years. In these case the business will not run dry. But the German government will spend the money of taxpayers and the economy for the irrational and expensive systems.

If you still haven't noticed: Technology is not the solution to child pornography. No filters, no censorship and no total monitoring can change this.

[ewemoa]

Some repeated text?

For example, a section starting:

But how, specifically,

[Ehtyar]

That repetition appears in the original article. It is only one paragraph (not an entire quote). I'll remove it. Thanks ewe.

Ehtyar.

[zridling]

So it's all VISA's fault!! 

Interesting report. And here I've always thought it was the FBI behind all child porn (or chris hansen).

[Edvard]

But that is not everything: the installed Trojans are sometimes used as a SOCKS proxy to upload CP. The Russians have even worked out a schema to use infected computer as a network combing these infected computers (each computer would be part of a huge, redundant cluster) as a kind of huge, distributed and remote servers can be (a kind of Freenet Project, however, by using infected computers as the nodes).

Sounds eerily similar to how the Conficker worm behaves.

And if your computer is not 100% safe against Trojans, viruses and rootkits, there is the possibility that your computer is part of the vast child pornography network.

Hell, maybe that IS what it's doing.

Evil. F'ing evil.

[nosh]

I finally read through the article, well... 90% of it. His take on the social aspect of this issue seems very self-serving and I took it with a fistful of salt (sorry, couldn't resist commenting. :p) - but the tech bits were fascinating.

Thanks for a very interesting read, Ehtyar.

*bump*

[Ehtyar]

You're most welcome nosh. Indeed the social parts of the text almost made him sound like a victim of an unfair system (I suppose you might've expected that given the subject matter), but I found the technical aspects intriguing. Makes you wonder where governments get off recommending Internet censorship.

Ehtyar.