Reply to post: Don't underestimate capabilities of traditional police investigative techniques

Tor pedos torpedoed again, this time Feds torpedo four Tor pedos – and keep how they unmasked dark-web scumbags under wraps

Long John Silver
Pirate

Don't underestimate capabilities of traditional police investigative techniques

Investigation of crime conducted under cover of obfuscation and encryption obviously must draw upon high-level IT forensic skills. Yet the role of these ought be kept in proper perspective. They are akin to forensic scientists called in to examine physical evidence (e.g. tissue samples); they help build a case and may assist in suggesting further avenues of investigation. Police, and concerned citizens, of lesser IT skills (enough to find their way around Tor and its like) may identify sites to target. Perhaps surveillance experts are called in at an early stage to set traps but their success depends upon serendipity: the nature of many actual traps (e.g. Flash vulnerabilities mentioned in the article) is widely known and general principles upon which more covert traps might operate have given rise to informed speculation which careful criminals engaged in activities with a long-term Internet footprint (e.g. traditional web site and Tor site) would be aware of.

From that viewpoint it becomes plausible to consider human error by criminals as the major factor leading to arrest. We know human error by legitimate operators of web sites is often behind breaches of security so it takes little leap of imagination to believe criminal operators in the same boat.

Some illicit activities on, say, Tor have obvious weaknesses arising from need to interact with the physical world e.g. illegal drugs require paying for and delivering. Even use of Bitcoin leaves more of a trail than when cash is handed over in person to a drug dealer. Tor 'drug busts' appear to arise from careful consideration of delivery mechanisms after police officers set up 'deals'.

Similarly display/trade of illicit images has many points of potential human error leading to successful investigations. The case discussed here involved several individuals engaged in maintaining/running the site on presumably a long-term basis. Those are the ones the FBI knows about. There may also have been a number of persistent visitors and/or contributors to site content at risk of identification through human error but not necessarily jeopardising the entire site.

Every criminal activity has vulnerability in some manner dependent upon the number of regular key players. Vulnerability may increase more than linearly as numbers rise: potential connections between pairs of players from N such, and thus opportunities for error, are determined by the familiar expression ( N! divided by 2!(N-2)! ) where '!' denotes factorial.

Without labouring the point, interactions among people running and/or using a site may have connection to their activities, perhaps ones more open, on conventional web sites (as appears the case for one of the convicted). Gathering evidence of this nature to make links to real identities entails patience and traditional police investigative craft rather than IT derring-do.

Arising from this is a more general matter. The push for massive online surveillance may not be cost-effective because it plays down the role of traditional police/security methods and diverts resources better used elsewhere. Doubtless, empire builders within the FBI, NSA, GCHQ, and Mrs May's plaything the NCA, manage to pull wool over the eyes of political masters. More trust and credit ought be placed in people trained in painstaking search for human error by criminals. IT ought be handmaiden rather than master in this enterprise and its capabilities not exaggerated.
