[tor-talk] William was raided for running a Tor exit node. Please help if you can.

Sat Dec 1 14:05:32 UTC 2012

On 1/12/2012 10:49 AM, Naslund, Steve wrote:
>
> If he is claiming that the traffic to the forum came through the Tor
> node, that IP would lead them to the hosting company of the Tor node.
> Not his residence.  If they had an IP that led to his home, that would
> have to mean that the traffic did not come from his Tor node at the ISP.
> I suppose you could get your own block of addresses and get the ISP to
> advertise them for you to host your server but I don't think you would.
>
>
> If they got his address from the hosting company, I suppose that might
> lead them to his house but it also would have told them that the Tor
> node was not AT his house.  Why go there?  I think they have something
> else.  There are lots of terabytes for them to look at.  Who wants to
> bet what is there?
>
>
> Steven Naslund

The only information I've read about the matter is what's on 
http://raided4tor.cryto.net/ , and it doesn't provide much regarding the 
length or complexity of the investigation. From that webpage, the 
information I find relevant is:

(1-1) the exit node was located in Poland, and therefore outside the 
jurisdiction of the LKA;
(1-2) William had already been questioned by Polish LEA about activities 
coming from the exit node;
(1-3) the exit node was moved to a different ISP after the troubles with 
the Polish LEA;
(1-4) the exit node wasn't turned back on.

What we _do_not_ know is:

(2-1) what country the clearnet forum (that the child porn was posted 
to) is located in;
(2-2) who reported the child porn to LEA, or if LEA was already 
monitoring for the child porn;
(2-3) if Polish and Austrian LEA are cooperating on the investigation;
(2-4) when the investigation was initiated;
(2-5) which LEA initiated the investigation.

Given the information above, it's a completely reasonable scenario that 
the child porn was reported by the clearnet forum owner, or discovered 
by some LEA, at which time the offending forum user's IP was determined 
to belong to the Polish host of the exit node. When compelled, the 
Polish host provided the details of William Weber. The LKA are then able 
to raid William on the suspicion of child porn distribution, and they 
seize everything that could be used to store the material.

You (Steven Naslund) question why no LEA seized the exit node. This is 
explained by the fact that the exit node was moved from the Polish host 
_after_ the child porn was posted to the clearnet forum. It's completely 
reasonable that LEA may not have been able to determine where the server 
was moved to.

You also question the reasons for the LKA to raid his private residence 
when the exit node's last known location was a Polish host. Surely you 
aren't suggesting that LEA shouldn't raid a suspect's private residence 
because the last known location of a (missing) server (that is confirmed 
to belong to the suspect) wasn't the same address?

Your opposition to this matter is moving into land of the crazy 
conspiracy-theorist. You're looking so hard for something more sinister 
to the story that you're ignoring reason. We should only take positions 
on the evidence we have, not the evidence we don't have.