Skip to content

Anonymous Zombie: IP spoofing defense fails – 15 months jail for child porn link

March 7, 2012

“Roderick Vosburgh appeals his conviction for possession of child pornography in violation of 18 U.S.C. § 2252(a)(4)(B) and attempted possession of child pornography in violation of 18 U.S.C. § 2252(b)(2).” “At the center of this case is an underground Internet message board known as Ranchi. Ranchi allows users to post links to images and videos of child pornography.” Vosburgh’s primary defense was “a computer becomes a ‘zombie’ when it is remotely and surreptitiously hijacked by another user and used to do things that the owner does not know that it is doing.” The appellate court opinion, filed April 20, 2010, written by Judge Smith, affirmed the convictions.


602 F.3d 512

At trial, Dr. Rebecca Mercuri “was Vosburgh’s forensic computer expert, and her testimony formed the bulk of Vosburgh’s defense … Mercuri offered her own theory about how the thumbs.db file containing the pornographic images could have gotten onto Vosburgh’s hard drive without the corresponding .jpegs for those pictures doing the same.” And “Mercuri offered several theories as to how Vosburgh’s IP address could appear to have attempted to access the Link without Vosburgh himself knowingly doing so. Mercuri speculated that an unknown user could have “spoofed” Vosburgh’s IP address, or that Vosburgh’s computer could have been infected with malicious software that turned it into a “zombie.”

– – – – – – – – – – – – – Footnote – – – – – – – – – – – – – –
Mercuri testified that “spoofing is a way of making it appear as though the IP address is from one user when in fact it is coming from another.” She explained that “people are instructed if they are going to download illicit materials, . . . not to use their own IP address, they have to use some other IP address.” She further testified that a computer becomes a “zombie” when it is remotely and surreptitiously hijacked by another user and used to do things that the owner does not know that it is doing. Hackers may use computers that have been turned into zombies to send spam emails, or as a place to store files they do not want to store on their own computers. The malicious programs used to perform these activities can be planted on the computer through websites, through email, or even through an idle Internet connection.

Despite having “no evidence that such mischief had actually occurred”,

Vosburgh emphasized Mercuri’s testimony that the existence of Exhibits 14 and 15 in the thumbs.db file did not prove that Vosburgh ever knowingly possessed the full-sized originals on his hard drive. He also reiterated his spoofing and zombie theories for why someone using his IP address appeared to have accessed the Link.

“Vosburgh was sentenced to 15 months of imprisonment and three years of supervised release.”

It is worth examining this case in more detail.

Particularly in light of the concurrence filed by Judge Barry, who concurs in affirming the convictions but with seemingly strong reservations about the government’s process. Specifically, he worries about the catch-all boilerplate search warrant application that allowed the FBI to get a warrant based on very few facts. Judge Barry wrote:

It is not disputed that when it applied for the search warrant, the government had no idea, much less evidence, that Vosburgh had ever possessed child pornography. All it knew was that during a two-minute period of time on one day in Vosburgh’s life, he attempted to access the Link, and was unsuccessful. That’s it. Paltry as that was, I agree with my colleagues that it was nonetheless “fairly probable” that evidence of that attempt would be found in Vosburgh’s apartment, that the information in the warrant application describing that attempt was not stale, and that Vosburgh’s motion to suppress was properly denied.

I write, however, to note my disappointment that, given how little the government knew about Vosburgh, it somehow believed it appropriate to spend the first fifteen pages of the eighteen-page affidavit supporting the warrant application with what it conceded was “boilerplate” — boilerplate which anything but subtly suggested that Vosburgh, whose name was never mentioned, was someone the government had no reason to believe that he was — a “collector” of child pornography, a child pornographer, and perhaps even a pedophile. Moreover, the boilerplate went into considerable detail describing, for example, the “collection” of the “collector” as revealing his “private sexual desires and intent” and representing his “most cherished sexual fantasies involving children,” and into graphic detail describing the numerous ways in which those fantasies can be turned into reality, including the sexual gratification a collector may derive from actual physical contact with children.

The only purpose of those many pages of boilerplate was, at least in my view, to assure that the warrant issued, which assuredly it did. Indeed, the affidavit apparently convinced my colleagues that, although there was not even an allegation that Vosburgh ever possessed child pornography, there was reason to believe he was nonetheless a “collector” or, at least, he “could be.” (Slip Op. at 35.)

I have nothing against boilerplate per se. But I am deeply concerned when information and innuendo as serious as that seen here is used so inappropriately. Surely the government wants to win, but it must never forget its obligation to win fairly.

It is perhaps a scary world when the mere entering of a URL address into a web browser can result in a search warrant being issued for your home and computer files. Vosburgh was convicted based solely on evidence obtained because he, or someone using his IP address “attempted to download the Link [a fake link entitled “4yo_suck” placed on Ranchi by the FBI as a trap] three times in a two-minute period”. As Judge Barry wrote: “That’s it.” And so even if there was no evidence that Vosburgh’s computer was made zombie, that very possibility combined with the ease with which the government obtained a search warrant is somewhat disconcerting.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: