The FBI Hyperlink Honeypot, and what you can do to stay safe

This post is intended to help internet users who make legitimate, non-criminal use of the internet avoid being caught by the FBI’s hyperlink honeypot. While there are methods that can be used to cover deliberate criminal activity on the internet, I will not post them here.

Declan McCullagh brings scary news of the latest tactics from the FBI (via Instapundit, via Classical Values):

The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.

Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images.

This is serious stuff, and not for the reasons you may think. The FBI is operating from the assumption that one IP address equals one household. It’s also operating from the assumption that all HTTP requests are user initiated. Both are wrong.

First, with NAT routing and WiFi, one IP address could be several houses, or even a sizeable chunk of an apartment building. The way most homes are set up with broadband and wireless is pretty simple and extremely open to abuse. The broadband connection comes in the home and has a single IP address. The device closest to the connection is a modem, which acts as a bridge between the home network and the broadband provider. The device after that is a wireless router, which takes traffic from all devices that connect to it and channels it to the modem.

This means that, to anyone on the other side of the modem, like web sites, your ISP, or the FBI, all the traffic looks like it’s coming from a single source. Since someone has to pay for that broadband connection, all the traffic is automatically assumed to come from that person. So, as a user, it’s in your best interest to be in control of all the traffic going over your internet connection, which leads us to…

TIP #1: Lock down your wireless network with WPA

In a utopian world, free love and free WiFi might seem like wonderful things. With creeps running around and the FBI trailing after them, not so much. Since people are actually getting jailed for clicking on hyperlinks based on their IP address, it’s time to get serious about making sure only the people you want get on your network. First and foremost, you can protect yourself by learning to hide your IP address on Mac for maximum security and protection against potential unjust legal repercussions in the future.

WPA stands for Wireless Protected Access, and it is the only secure way to prevent access to your wireless network. WPA works using a pre-shared key (PSK) of up to 63 characters to encrypt network traffic. This means that any device must have the key before any traffic can be sent or received on the wireless network.

(Don’t confuse this with WEP, which is so-called Wired Equivalent Protection. WEP has been thoroughly broken and can be cracked in less than 5 minutes.)

If you need a good, strong password, I highly recommend visiting GRC’s Perfect Passwords page. This page provides extremely secure pseudo-random passwords that make password attacks almost impossible.

If the FBI can’t tell which device behind an IP address accessed a given URL, they probably can’t tell whether the user initiated the access or whether the machine did so automatically. In addition to making sure that there aren’t machines on your network doing things out of your control, you have to make sure there aren’t things on your machine doing things outside your control. This brings us to three more tips…

TIP #2: Scan your system for viruses and malware

Any software on your system can request any web address at any time. Well-behaved programs only do so at the user’s command. Malware, however, doesn’t. Most malware running today exists to use compromised machines as a platform to run the creator’s software on a mammoth scale, usually to generate spam. (You didn’t think there were actual people typing up those ads for Vi4g00, did ya?)

A piece of malware could very well access a honeypot link and get you, the user, into trouble. So, install that anti-virus software and run it, often.

For those who don’t want to load down their (Windows) systems with bloated software like Norton or McAfee, I personally recommend Avast‘s free anti-virus. It’s lightweight and does a good job of catching crud.

Also, no matter what anti-virus you use, be sure and keep your software up to date. Anti-virus software works best when it has the latest virus definitions.

TIP #3: Turn off the preview pane in your e-mail program.

This one’s an inconvenience, but it’s important. If your e-mail program is rendering e-mail without your specific instruction, it’s accessing addresses without your specific instruction.

Every time an e-mail has an image or other embedded content, your e-mail program has to fetch it from the internet. If the FBI were using a JPEG image as the honeypot, all it would take is your e-mail program rendering an HTML e-mail with the image in it to make it look like an attempted access.

Once the preview pane is turned off, it’s still your responsibility to delete suspicious messages without opening them. (Hey, sometimes it’s tough to do. Personally, I’m always open to a little chuckle from the latest generic drug scams and variations on the always classic Nigerian money scam. Now, I’m going to behave myself.)

TIP #4: Turn off link prefetching

If you use Mozilla Firefox, iCab, or Google Web Accelerator, your computer is accessing links without your knowledge. This feature is called link prefetching. In a perfect world, this would be a good thing for the user. Not so when a person can be arrested for being associated with the IP that accessed a link.

Here are the directions for turning off link prefetching in Firefox. Google Web Accelerator should be completely uninstalled to prevent prefetching.
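Detection logic, as an added example that is not from the original post: a small Python log triage that flags requests carrying the prefetch header Firefox sends (`X-moz: prefetch`; later browsers use `Purpose` or `Sec-Purpose: prefetch`) and counts the distinct user agents seen behind each IP, which is a lower bound on how many devices share one NAT’d connection. The log format and every line in it are constructed for the example; ordinary access logs do not record these headers unless you configure them to.

```python
from dataclasses import dataclass
# Header/value pairs real browsers attach to automatic prefetches (Firefox: X-moz).
PREFETCH_MARKERS = {"x-moz": "prefetch", "purpose": "prefetch", "sec-purpose": "prefetch"}

# Constructed sample log, not real traffic: one NAT'd IP, several user agents.
SAMPLE_LOG = """\
203.0.113.7 GET /video/clip1.mpg Mozilla/5.0 (Windows; Firefox/2.0) | X-moz: prefetch; Referer: http://forum.example/thread
203.0.113.7 GET /index.html Mozilla/5.0 (Windows; Firefox/2.0) | Referer: http://forum.example/thread
203.0.113.7 GET /video/clip1.mpg Mozilla/5.0 (X11; Linux) Chrome/120.0 | Sec-Purpose: prefetch
203.0.113.7 GET /video/clip2.mpg Thunderbird/2.0 |
"""
@dataclass
class Hit:
    client: str
    path: str
    user_agent: str
    headers: dict

def parse_line(line: str) -> Hit:
    """Parse 'ip METHOD path user-agent | Name: value; Name: value'."""
    left, _, right = line.partition("|")
    client, _method, path, user_agent = left.split(None, 3)
    headers = {}
    for part in right.split(";"):
        name, sep, value = part.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Hit(client, path, user_agent.strip(), headers)

def is_marked_prefetch(hit: Hit) -> bool:
    """True when the request itself says it was an automatic prefetch."""
    return any(hit.headers.get(k, "").lower() == v for k, v in PREFETCH_MARKERS.items())

def classify(lines):
    """Map client IP -> [(path, label)]. 'unattributed' only means no marker was
    seen; it is not evidence of a click (malware or an accelerator leaves none)."""
    out = {}
    for line in filter(str.strip, lines):
        hit = parse_line(line)
        label = "prefetch" if is_marked_prefetch(hit) else "unattributed"
        out.setdefault(hit.client, []).append((hit.path, label))
    return out

def agents_behind(lines):
    """Distinct User-Agents per IP: a lower bound on devices sharing one address."""
    out = {}
    for line in filter(str.strip, lines):
        hit = parse_line(line)
        out.setdefault(hit.client, set()).add(hit.user_agent)
    return out
```

The point of the two labels is the asymmetry: a prefetch marker proves the request was automatic, but its absence proves nothing about who, or what, sent the request.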

These are just the things I can come up with for preventing accidental ensnarement in this despicable FBI trap. I’d appreciate any more tips and tricks for prevention you might have.

Also, for those with a larger interest in security, I highly recommend Security Now! with Steve Gibson and Leo Laporte. It’s a weekly podcast that deals solely with security, and the archives are a wealth of information.

(If you have a few minutes, please come by and check out the new blog at

  • tarran

    I am surprised that they left out a very important part of wireless security: MAC address filtering – permitting the access point to only communicate with specific wireless cards.

    Put this in place, and even your unencrypted network is safe from the dreaded war-driving pervert.

  • Quincy

    tarran –

    MAC address filtering is too easily defeated to be relied upon. All it takes is someone using a packet sniffer to find some ARP packets, which contain the MAC address, and then spoofing said MAC address to gain access.

    Like WEP, it does offer a layer of security, but only a trivial one. I absolutely don’t recommend that it be relied upon in place of WPA encryption.

  • Nitroadict

    This is exactly why WI-FI is not the smartest way to use @ home on a computer that’s constantly on. The only devices that I feel comfortable using WI-FI with are gaming consoles, as typically they are not fully fledged computers that house sensitive information.

    LAN is and always will be the best way to go; at least until something similar to LAN makes the rounds.

  • tarran

    MAC address filtering is too easily defeated to be relied upon.

    Damn, now I am really embarrassed. I should have known that…

  • Nitroadict

    Last I checked, LAN & a NAT worked pretty well. I don’t worry as much since switching to Ubuntu, but I should probably read up on making my own separate linux firewall box out of cheap parts…

  • Quincy

    Nitro –

    A hard-wired LAN and NAT router are absolutely the best way to go if you can run the cable, both in terms of security and performance. That said, a WiFi network with WPA and a strong key is plenty trustworthy.

    tarran –

    The weakness of MAC address filtering has not been widely publicized, as far as I know, though it certainly should be. A lot of people still believe MAC address filtering and turning off SSID broadcasting are adequate security measures.

    My first rule of security is always assume everyone has access to everything you’re sending and receiving. Address filtering never follows this rule because anyone who has access to your traffic can see the address. In the case of MAC address filtering, the combination of WiFi packet sniffers and MAC address spoofing leads to a trivial crack.

  • Scooby

    What about MAC filtering, no SSID broadcast, and WPA? Is that safe? I ask because that’s my setup at home.

  • Quincy

    Scooby –

    As long as the WPA network has a secure key, i.e. greater than 20 characters and not composed of dictionary words, you’ll be fine with that setup.