
This kind of scares me. I don't know much about the case, but the guy is an IT worker, and it's hard for me to believe he'd have such terrible opsec, and he says it wasn't him. I'm all for catching pedophiles and everything, but how did we know it was actually him behind the computer at the time the flash file was loaded? What if it were a friend at the house (maybe even someone intending to frame him), or a virus on a computer in his home using his computer like a VPN, or router malware, or even a passerby or neighbor hijacking his wifi? I give out my wifi password to guests all the time and never change it and might have to change that policy if you can be thrown in prison for years (not to mention irreversible reputational damage) if a request from your home IP hits the wrong server.


Regarding an IT worker making this mistake. The delta of one mistake separates a good opsec plan from one functionally identical to nothing. Even people who have a pretty good idea of what it takes to pull off opsec on the google-searchable web aren't necessarily interested in all of the hoop jumping to stay anonymous. Convenience is one hell of a sumbitch.


> This kind of scares me. I don't know much about the case, but the guy is an IT worker, and it's hard for me to believe he'd have such terrible opsec

There is a wide range of "IT workers". I would guess that 50% of them could easily make this mistake. Security is hard. Maintaining a bunch of computers with poor security is easy (ask Sony).


To be fair, the attack surface at Sony is much larger than my home computer's.


I was wondering about this as well. Couldn't a nefarious Tor user install some sort of outgoing packet-cleaner, which would spoof their outgoing IP address for all packets unrelated to Tor?

I.e.: because the Flash exploit didn't establish two-way clearnet communication with the target computer, how can they prove that the outgoing clearnet IP was not spoofed?

EDIT: Nevermind, I was assuming too much about the operation of the exploit. More details, for those who are interested, can be found here:

https://web.archive.org/web/20110723083319/http://decloak.ne...


> I.e.: because the Flash exploit didn't establish two-way clearnet communication with the target computer, how can they prove that the outgoing clearnet IP was not spoofed?

I'd assume that the Flash snippet establishes a TCP connection, so it has to complete a handshake first. Those are fairly hard to spoof.
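The handshake argument in the reply above, worked through as an added example (this is not code from the thread, the article, or the decloak project, and all addresses are constructed test values): a toy network delivers each packet to the host that owns the destination address, a server only records a peer once the three-way handshake completes, and a client that forges its source address never receives the SYN-ACK it would need to finish. A connectionless datagram with a forged source, by contrast, is taken at face value, which is why the question of spoofing only makes sense for traffic that needs no reply.

```python
"""Why a completed TCP handshake pins down the real client address.

Added illustration, not code from the page. Hosts, addresses and sequence
numbers are made up; the model is deliberately minimal (no ports, no
retransmission, no real ISN randomisation).
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    kind: str           # "SYN", "SYN-ACK", "ACK", "RST" or "DATAGRAM"
    seq: int = 0
    ack: int = 0
    payload: str = ""


class Network:
    """Delivers each packet to the host owning the destination address."""

    def __init__(self):
        self.hosts = {}

    def deliver(self, pkt):
        host = self.hosts.get(pkt.dst)
        if host is not None:        # packets to unknown addresses are dropped
            host.receive(pkt)


class Host:
    CLIENT_ISN = 1000   # initial sequence number a connecting host uses
    SERVER_ISN = 5000   # initial sequence number a listening host uses

    def __init__(self, addr, net):
        self.addr, self.net = addr, net
        net.hosts[addr] = self
        self.syn_sent = set()      # peers we sent a SYN to and await a SYN-ACK from
        self.syn_rcvd = set()      # claimed peers we answered with a SYN-ACK
        self.established = []      # peers that completed the three-way handshake
        self.datagrams = []        # (claimed source, payload) taken at face value

    def connect(self, dst, spoof_src=None):
        """Send a SYN; with spoof_src the SYN carries a forged source address."""
        self.syn_sent.add(dst)
        self.net.deliver(Packet(spoof_src or self.addr, dst, "SYN", seq=self.CLIENT_ISN))

    def receive(self, pkt):
        if pkt.kind == "SYN":
            # The reply goes to whatever source the SYN claimed, not to the sender.
            self.syn_rcvd.add(pkt.src)
            self.net.deliver(Packet(self.addr, pkt.src, "SYN-ACK",
                                    seq=self.SERVER_ISN, ack=pkt.seq + 1))
        elif pkt.kind == "SYN-ACK":
            if pkt.src in self.syn_sent and pkt.ack == self.CLIENT_ISN + 1:
                self.syn_sent.discard(pkt.src)
                self.established.append(pkt.src)
                self.net.deliver(Packet(self.addr, pkt.src, "ACK",
                                        seq=self.CLIENT_ISN + 1, ack=pkt.seq + 1))
            else:
                # Unexpected SYN-ACK: no matching state here, so reset the attempt.
                self.net.deliver(Packet(self.addr, pkt.src, "RST"))
        elif pkt.kind == "ACK":
            if pkt.src in self.syn_rcvd and pkt.ack == self.SERVER_ISN + 1:
                self.syn_rcvd.discard(pkt.src)
                self.established.append(pkt.src)
        elif pkt.kind == "RST":
            self.syn_rcvd.discard(pkt.src)
        elif pkt.kind == "DATAGRAM":
            # Connectionless traffic: the source field is whatever the sender wrote.
            self.datagrams.append((pkt.src, pkt.payload))


def run_scenarios():
    """Return what the server records for honest, spoofed and connectionless traffic."""
    net = Network()
    server = Host("198.51.100.10", net)      # constructed addresses from the TEST-NET ranges
    client = Host("203.0.113.7", net)
    bystander = Host("192.0.2.44", net)

    client.connect(server.addr)                                  # honest handshake
    client.connect(server.addr, spoof_src=bystander.addr)        # forged source, live host
    client.connect(server.addr, spoof_src="10.9.8.7")            # forged source, nobody there
    net.deliver(Packet(bystander.addr, server.addr, "DATAGRAM", payload="hi"))  # forged, no handshake

    return {
        "established": list(server.established),
        "half_open": sorted(server.syn_rcvd),
        "datagram_sources": [src for src, _ in server.datagrams],
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The server ends up with exactly one established peer, the client's real address: the SYN-ACK for the forged attempt goes to the bystander, who has no matching state and answers with a RST, and the attempt aimed at an address nobody owns just sits half-open. Only the datagram lets the sender choose what the server sees. The practical caveat for an anonymity setup follows from this: a plugin that opens its own TCP connection outside the browser's proxy settings will hand the far end a verified address, so the check is to force all egress through Tor at the firewall or VM boundary rather than trusting each application to honour a proxy setting.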


The exploit sent his MAC address to them; so barring the use of a VM or macchanger (doubtful if he was loading Flash against all advice) that would at the very least identify the traffic as coming from his computer.

Whether that proves who was at the keyboard or not is an entirely different debate.


No, it didn't. Re-read the article. The sending of MAC addresses occurred in a different, later operation with a new method (custom Firefox exploit code), rather than the Flash based IP-only method that is the focus of this article.





