by DreamSpinner 1845 days ago
It's interesting, the article discusses that the request is for a relatively short period of time (35 minutes) - however for a popular website that could still be thousands of viewers.

It suggests that there's something they're specifically looking to match against - but if that was the case, I would think that specific IP addresses could be provided in the request - e.g. Did any one of these 10 IP addresses view the article in the time period. Much more specific and likely easier to justify.

I'd rampantly speculate that perhaps that time matches to the link being posted in a pedophilia related forum (with the forum behind TOR) - and the FBI would like to get a list of who might have followed it there.

5 comments

I agree with your speculation, this looks like a timing attack regarding a Tor or VPN server.

That said, while catching pedos is a good thing, their methods are still concerning for regular law abiding citizens. The road to hell is paved with good intentions…

>while catching pedos is a good thing

Catching them? Pedophilia isn't illegal.

A lot of people use “pedophilia” to mean “sexual abuse of children” and “pedophile” or “pedo” to mean “sexual abuser of children”. (E.g., RMS’s infamous defense of “consensual pedophilia” which, merits of the intended sentiment to the side, isn’t even a coherent thing to defend or oppose except under the misuse of “pedophilia” to refer to an act and not an inclination.)
>A lot of people use...

I know and they are wrong. Words have meaning and it is difficult to communicate effectively if people use words incorrectly.

> Did any one of these 10 IP addresses view the article in the time period. Much more specific and likely easier to justify.

It is, but it also leaks information. Now people know you're looking at those IP addresses. If you were going to leak that, a major news outlet is probably not the place you want it to leak to.

You might be right and it might be an easy cover for a fishing expedition, but it doesn't seem inherently malicious on its face.

They could hash them if that really was the problem.
That's only 4 billion hashes to search the entire IPv4 address space. I don't think the entire search space is big enough for that really to provide much privacy while still being functional. Whatever you put in the way, that's somewhere in the neighbourhood of cracking a 6 character lowercase+number password.
But this is a rare case where you can use a derivation-extension function like PBKDF2 to make the hashing take practically any amount of time you want. You could probably make each run take a full minute on USA Today's hardware and still have your results in a reasonable amount of time.
How about adding a salt? Check your records and if sha256([salt] + ipaddress) matches this hash, let us know. Where salt is a long random string.
You could still enumerate every option in practically no time.
Oh yes, you are right. Obviously, do not hire me for any kind of information security. Lol.
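Added example, not part of any comment in this thread: the recipient needs the salt to check its own logs, so anyone holding the salt and the hash can walk the address space, and the salt adds no work per guess. The salt, the target IP and the /16 search range below are constructed sample values; `pbkdf2_hash` shows the stretched variant mentioned above, where each guess costs `iterations` rounds instead of one.

```python
import hashlib
import ipaddress
import time

def salted_hash(salt: bytes, ip: str) -> str:
    """sha256(salt + ipaddress), the scheme proposed in the thread."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()

def recover_ip(target: str, salt: bytes, cidr: str):
    """Enumerate every address in cidr; return the one whose salted hash matches."""
    for addr in ipaddress.ip_network(cidr):
        if salted_hash(salt, str(addr)) == target:
            return str(addr)
    return None

def full_ipv4_estimate_hours(salt: bytes, sample: int = 50_000) -> float:
    """Time `sample` hashes and extrapolate to all 2**32 IPv4 addresses."""
    start = time.perf_counter()
    for n in range(sample):
        salted_hash(salt, str(ipaddress.IPv4Address(n)))
    per_hash = (time.perf_counter() - start) / sample
    return per_hash * 2**32 / 3600

def pbkdf2_hash(salt: bytes, ip: str, iterations: int) -> str:
    """Stretched variant: each guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", ip.encode(), salt, iterations).hex()

# Constructed sample values, not taken from the thread or any real request.
SALT = b"long-random-string-shared-with-the-recipient"
SECRET_IP = "10.20.137.42"
TARGET = salted_hash(SALT, SECRET_IP)

if __name__ == "__main__":
    print("recovered:", recover_ip(TARGET, SALT, "10.20.0.0/16"))
    hours = full_ipv4_estimate_hours(SALT)
    print(f"single-core estimate for all of IPv4: {hours:.1f} h")
```

The estimate is for one interpreted Python loop on one core; it only bounds the cost from above.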
Subpoenas leak IP addresses all the time. It's not a big deal if the org being subpoenaed isn't a suspect.
Maybe a technique like « give us the IPs that start with xxxxx » would be a compromise between the two?
That is not a compromise, it's giving away information about people who read an article.
> with the forum behind TOR

A TOR user clicking on a news link will be taken to the news site through the TOR network, thus rendering his IP useless.

Tor is vulnerable to statistical analysis with which, if you time it perfectly, you can link exit nodes with a specific user. [1] The fact that the FBI is asking for those specific 35 minutes suggests that they are onto something like this.

[1] https://blog.torproject.org/one-cell-enough-break-tors-anony...

Entirely likely, though possibly there are potential flaws that could allow people to identify it through other means.

I've never used TOR so I didn't realise that this would apply (and it makes perfect sense it would work that way).

It may be that whoever requested the data knows as little about it as I do (or more likely, they know a lot more about what they want and my speculation is completely wrong).

TOR is clunky and slow, it’s not outside the realm of possibility that someone would visit a dodgy forum over TOR, and use their regular browser for other web browsing.

Some sites can be difficult to even access over TOR, especially ones that are very JavaScript heavy or sit behind something like Cloudflare.

Not if you also have ISP records. Look up “timing attack.”
Or perhaps they know for a fact someone read the article using Tor or a VPN, and want to go after the server next. Still seems pretty far out there.
>I'd rampantly speculate that perhaps that time matches to the link being posted in a pedophilia related forum (with the forum behind TOR) - and the FBI would like to get a list of who might have followed it there.

Now cue in all those stories of how people have been getting in trouble only because their ISP was using the same IP to NAT a crowd of customers.