
[News] The Fall of PTasseater

Started by Chairman, 27 August, 2014, 02:16:54


Chairman

I can see three major errors made by PTasseater, now unmasked as Timothy DeFoggi of the United States.  See if you can spot them all.  He was busted, ultimately, because of using Aaron McGrath's family of services (PedoBoard & PedoBook, at the very least) during the period where drive-by downloads had been implemented (though they all required Javascript to use) (whoops, there's the first of his errors!).

Clearnet link, fulltext follows: http://www.wired.com/2014/08/federal-cybersecurity-director-guilty-child-porn-charges/

Quote
As the acting cybersecurity chief of a federal agency, Timothy DeFoggi should have been well versed in the digital footprints users leave behind online when they visit web sites and download images.

But DeFoggi—convicted today in Maryland on three child porn charges including conspiracy to solicit and distribute child porn—must have believed his use of the Tor anonymizing network shielded him from federal investigators.

He's the sixth suspect to make this mistake in Operation Torpedo, an FBI operation that targeted three Tor-based child porn sites and that used controversial methods to unmask anonymized users.

But DeFoggi's conviction is perhaps more surprising than others owing to the fact that he worked at one time as the acting cybersecurity director of the U.S. Department of Health and Human Services. DeFoggi worked for the department from 2008 until January this year. A department official told Business Insider that DeFoggi worked in the office of the assistant secretary for administration as lead IT specialist but a government budget document for the department from this year (.pdf) identifies a Tim DeFoggi as head of OS IT security operations, reporting to the department's chief information security officer.

The porn sites he's accused of using—including one called PedoBook—were hosted on servers in Nebraska and run by Aaron McGrath, who has already been convicted for his role in the sites. The sites operated as Tor hidden services—sites that have special .onion URLs and that cannot normally be traced to the physical location where they are hosted.

Although anyone could use the sites, registered users like DeFoggi—who was known online under the user names "fuckchrist" and "PTasseater"—could set up profile pages with an avatar, often child porn images, and personal information and upload files. The site archived more than 100 videos and more than 17,000 child porn and child erotica images, many of them depicting infants and toddlers being sexually abused by adults.

The FBI seized the sites in late 2012, after McGrath failed to secure his administrative account with a password. Agents were able to log in and uncover the IP address of the Nebraska server where he was hosting two of them. McGrath worked at the server farm, and hosted the third site from his home. The FBI monitored him for a year and after arresting him in November 2012 continued to operate his child porn sites secretly from a federal facility in Omaha for several weeks before shutting them down. During this time, they monitored the private communications of DeFoggi and others and engaged in "various investigative techniques...to defeat the anonymous browsing technology afford by the Tor network" and identify the real IP addresses of users.

These techniques "successfully revealed the true IP addresses of approximately 25 domestic users who accessed the sites (a small handful of domestic suspects were identified through other means, and numerous foreign-based suspect IPs were also identified)," prosecutors wrote in a court document. In March 2013, twenty suspects were indicted in Nebraska; followed by two others who were indicted the following August.

One of these techniques involved the use of drive-by downloads to infect the computers of anyone who visited McGrath's web sites. The FBI has been using malicious downloads in this way since 2002, but focused on targeting users of Tor-based sites only in the last two years.

Tor is free software that lets users surf the web anonymously. Using the Tor browser, the traffic of users is encrypted and bounced through a network of computers hosted by volunteers around the world before it arrives at its destination, thus masking the IP address from which the visitor originates.

The malware that investigators installed remotely on the machines of visitors to PedoBook and McGrath's other sites was designed to identify the computer's IP address as well as its MAC address and other identifiers. The results were coordinated raids in April 2013 that swept up more than a dozen suspects.

DeFoggi became part of that sting after becoming a registered member of PedoBook in March 2012 where he remained active until December that year. During this time DeFoggi, who described himself as "having many perversions," solicited child porn images from other members, viewed images and exchanged private messages with other members expressing interest in raping, beating and murdering infants and toddlers.

Among those with whom he corresponded was an FBI undercover employee. During chats DeFoggi described using Tor to access PedoBook early in the morning hours and between 4 and 6 pm. Among the evidence seized against him was pen register/trap trace data obtained from Verizon showing someone at his Maryland residence using Tor during these hours as well as the IP addresses used by an AOL account under the username "ptasseater," which pointed to DeFoggi's home.

When agents arrived at his home early one morning to execute a search warrant, they had to pry him from his laptop, which was in the process of downloading a child porn video from a Tor web site called OPVA, or Onion Pedo Video Archive. In addition to child porn images stored on his computer, authorities also found evidence of his Tor browser history, showing some of his activity at PedoBook and OPVA.

DeFoggi received many commendations during his government career, according to an exhibit list created by the government for his trial. The list includes several certificates of award from the U.S. Treasury, a certificate of appreciation from the State Department for his work on a Hurricane Katrina task force, several documents related to computer courses he attended and certifications he received.

DeFoggi is scheduled to be sentenced in November.

AWAWAW

Wow, scary stuff.

I think his other two errors were firstly using a username on TOR that also linked to him outside of TOR and discussing information that might pin down when he was accessing TOR, as in times of day. He should also have taken the extra precaution of using a VPN to hide his TOR usage as well, or taken steps to use a connection other than his own to access it.

Oh, and although it doesn't state it too clearly, I would imagine the pictures he had stored were not securely encrypted. Though it may be that they were, but the fact he was online and live meant he didn't have a chance to put them back into an encrypted state.

All in all, very sad.
A boy is a magical creature. You can lock him out of your workshop, but you can't lock him out of your heart. You can get him out of your study, but you can't get him out of your mind - Alan Beck

anonymous713

I'd love to see a copy of those chat logs just see if the police egg him on to post about certain things.

Quote
an AOL account under the username "ptasseater," which pointed to DeFoggi's home.

Well, that was not too smart. I assume he either accessed or created (or both) this account outside of Tor. :sadno
If to err is human, then I must be super-human.

Sierra

This is a (one of the 25?) follow-up to the article GLover posted about in the topic Operation Torpedo: FH and Pedoboard

GLover

#4
Even if we ignore him giving away the times he logged on to Tor, and even if we ignore his using 'PTAsseater' on AOL of all places, he still royally screwed himself over by using javascript. Who would have thought an IT security professional with years of experience would have made such a fundamental security error? I am so glad I learned NEVER to use javascript with Tor when I first started using it all those years ago. Now more than ever it is fundamentally important to secure yourself in all arenas.

Yes it is, Sierra, and it provides a little more information too, such as the original Pedobook being one of the other two sites sistered with PedoBoard, and the fact it was a bad link which caught them out. :)

EDIT: I meant to say that I remember the username.
"I maintain there is much more wonder in science than in pseudoscience. And in addition, to whatever measure this term has any meaning, science has the additional virtue, and it is not an inconsiderable one, of being true." ~ Carl Sagan (1934 - 1996)

Chairman

PTasseater was a classic.  I remember the name, but potentially just because I thought it was at least somewhat humorous.  :)

GLover

Quote from: Chairman on 28 August, 2014, 00:47:14
PTasseater was a classic.  I remember the name, but potentially just because I thought it was at least somewhat humorous.  :)

Me too. I remember laughing at that. :D
"I maintain there is much more wonder in science than in pseudoscience. And in addition, to whatever measure this term has any meaning, science has the additional virtue, and it is not an inconsiderable one, of being true." ~ Carl Sagan (1934 - 1996)

Neighbor

Quote from: GLover on 27 August, 2014, 23:30:45
Even if we ignore him giving away the times he logged on to Tor, and even if we ignore his using 'PTAsseater' on AOL of all places, he still royally screwed himself over by using javascript. Who would have thought an IT security professional with years of experience would have made such a fundamental security error?

I've been giving this some thought as well, and I think I know the answer.  For starters, my understanding is that DeFoggi was a high-level administrator, or in other words, a bureaucrat.  He likely spent the majority of his time on issues of policy, budgets, staffing allocations, in other words, typical administrative stuff versus day to day hands on in the trenches, so to speak. As a result, I suspect his technical skills were rather dated. Every single person on here knows how fast the technology changes... my impression is that he didn't keep up.

Second, the training/mindset in most security positions revolves around how to keep people out, as opposed to hiding one's identity. You would need a mindset more closely related to that of a hacker or an espionage agent, as opposed to a bureaucratic mindset or a defense-oriented mindset.

Neighbor
Please use PGP for all PMs. PGP key is in profile.

Sonar Messenger:
http://sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion/contact/Neighbor

GLover

That may well be a very valid point. We all know how difficult it can be to keep up with the pace of technology, so maybe he didn't do this, instead being happy with the knowledge he'd gained a decade ago. Saying this, I would have thought keeping up with at least the gist of technological change would have been necessary for his job, or was he one of those bosses who know little to nothing about what goes on beneath their feet? :think
"I maintain there is much more wonder in science than in pseudoscience. And in addition, to whatever measure this term has any meaning, science has the additional virtue, and it is not an inconsiderable one, of being true." ~ Carl Sagan (1934 - 1996)

gameover

#9
Quote from: Chairman on 27 August, 2014, 02:16:54
[snip]

The fact that he is an IT expert comes as no surprise to me. So am I, so is Mystique, so are a lot of people here. However, if the article is to be believed and he wanted to hurt children, then I am glad that they caught this one. He may have been a bureaucrat. Who knows. Sometimes, even with all of our knowledge, it is easy to make a mistake, and that is the mistake that may or may not get you. After all, we are all human.
Anti's raise children like mushrooms.  They feed them shit and keep em in the dark.

"When thinking of committing an act is made illegal, and shown less leniency than committing the act, there tyranny lies." --GLover

Neighbor

#10
Quote from: gameover on 09 September, 2014, 16:08:40

[snip]

The fact that he is an IT expert comes as no surprise to me. So am I, so is Mystique, so are a lot of people here. However, if the article is to be believed and he wanted to hurt children, then I am glad that they caught this one. He may have been a bureaucrat. Who knows. Sometimes, even with all of our knowledge, it is easy to make a mistake, and that is the mistake that may or may not get you. After all, we are all human.

His IT skills are most certainly in doubt, as are the claims of his 'wanting to hurt children'. It's pretty much standard for the authorities to characterize each offender they catch as 'scum of the earth' ... 'the worst offender we've ever seen' and similar pejoratives. Any offender is pretty much demonized... it's standard operating procedure (SOP).

With respect to making mistakes, there is no doubt, we all make them.  There are several things you can do to help avoid them, however.

You need to learn all you can about security, and use practices and procedures that provide you with the maximum security.

Furthermore, you need to have the mental discipline to not be in a hurry, to not to take shortcuts. Above all, you have to get into the habit of operating securely. Amateurs practice until they get it right; professionals practice until they cannot get it wrong. You should get in the habit of doing the right thing, each and every time. It should be practiced until it is automatic, to the point that you don't even have to think about it, you just do the right thing automatically.

Ideally, you should arrange your security in layers, so that if one layer is penetrated, you don't risk exposure.  The fact that PTAsseater was caught via this exploit indicates that he wasn't using best practices -- in order to be compromised, several things had to be in place:

1) You had to run Windows, so the exploit's payload could execute;

2) You had to have a vulnerable version of the Tor Browser Bundle (TBB) -- the hole the authorities used had been patched more than a month previously.

3) You had to have JavaScript enabled.

Another really bad practice was re-using an identity in several places (i.e. PedoBoard and an AOL username)

Even if he had only missed one of the above 3 items, he may have avoided apprehension.  Avoidance of ALL of these things I've listed above are considered best practices -- it would appear that, far from following best practices, he ignored ALL of them.  He was lax about security, in the extreme -- I'd love to know what his thought process was.

Neighbor
Please use PGP for all PMs. PGP key is in profile.

Sonar Messenger:
http://sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion/contact/Neighbor

Sierra

Quote from: Neighbor on 09 September, 2014, 18:32:23
in order to be compromised, several things had to be in place:

1) You had to run Windows, so the exploit's payload could execute;

2) You had to have a vulnerable version of the Tor Browser Bundle (TBB) -- the hole the authorities used had been patched more than a month previously.

3) You had to have JavaScript enabled.
You are here describing the Freedom Hosting exploit from 2013. I do not believe it is known what was exactly used for the 2012 Pedoboard/Pedobook/TB3 exploit.

gameover

Quote from: Neighbor on 09 September, 2014, 18:32:23
[snip]

Oh, you are so right about that, especially what you had to have to make the exploit effective. I was thinking about my own past journey to be here once again. Of course, that may be on a whole other level. But it still dealt with private information.
Anti's raise children like mushrooms.  They feed them shit and keep em in the dark.

"When thinking of committing an act is made illegal, and shown less leniency than committing the act, there tyranny lies." --GLover

MrHollywood

Maybe he thought about security in terms of it being something that he implemented for others.