Mozilla Fights FBI In Court For Details On Tor Browser Hack (helpnetsecurity.com) 58
An anonymous reader writes from a report on Help Net Security: Mozilla has asked a Washington State District Court to compel FBI investigators to provide details about a vulnerability in the Tor Browser hack with them, before they share it with the defendant in a lawsuit, so that they could fix it before the knowledge becomes public. The lawsuit in question is against Jay Michaud, a Vancouver (Wa.) teacher that stands accused of accessing and downloading child pornography from a website on the Dark Web. The FBI used a "network investigative technique" (NIT) to discover the IP address and identity of the defendant, which was only possible from a vulnerability in the Tor Browser. Why does Mozilla care to learn about the vulnerability? "The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser," Denelle Dixon-Thayer, Chief Legal and Business Officer at Mozilla Corporation, explained.
Abolish the FBI (Score:1, Insightful)
We don't need the FBI. Their only apparent functions are to reduce privacy and falsely accuse people of terrorism. Abolish the FBI and other three letter federal agencies like the CIA and NSA.
Re: (Score:1)
We don't need the FBI. Their only apparent functions are to reduce privacy and falsely accuse people of terrorism. Abolish the FBI and other three letter federal agencies like the CIA and NSA.
You're on the list.
Re:Abolish the FBI (Score:4, Funny)
Re: (Score:2)
/sarcasm But think of the ... < insert inanimate object > !
[ ] Terrorism
[ ] War
[ ] Socialism
[ ] Drugs
[ ] Countries that don't agree with us
Re: (Score:2)
Re: (Score:1)
kneejerk response... (Score:5, Insightful)
The FBI is indeed needed. While they do regularly exceed the scope of their mission, there is a great need for a law enforcement program that exceeds each individual state and can facilitate interstate investigations. Without them large criminal organizations, AKA the Mafia would operate with impunity crossing state lines, and avoiding prosecution by fleeing state jurisdictions. We could never rely on the states individual laws to stop kidnappings, mail fraud, gambling and other such violations that spanned several jurisdictions.
Re: (Score:2)
Re: (Score:3)
The U.S. Marshals are responsible for securing Federal Courthouses, acting on arrest warrants, and retrieving fugitives. They're not detectives, responsible for building a case, like the FBI.
Re: (Score:2)
I agree or can't argue most of your point but I do think that having one agency handle those tasks will lessen the inevitable inter-branch competition that occurs any time 2 or more entities get involved in some investigation that might cross one or more of those boundaries. That one dept. could be the Marshals, the FBI, or even DHS. It just seems that segmenting 'intelligence' gathering and workforce pools seems to over complicate things and create a lesser efficient organization, especially in governmenta
Re: (Score:2)
Re: Whatever, Firefox is all but dead anyway (Score:1, Offtopic)
Re: (Score:1)
If you want close-to-perfect integration with OSX, and thus probably the best battery life and such, use Safari. If you want better standards-compliance or regular updates, use a better browser instead.
Besides, I get the distinct feeling that even if Firefox was Safari, you'd still find a reason to pretend it was crap. People just want to do that recently.
Irony... (Score:4, Insightful)
Re: (Score:1)
The US Navy Research Labs did indeed developer Tor and the Onion implementations before turning it all over to the public foundation. And they handed it over because they decided the system would not meet their requirements. And it may be ironic but both the government and public sectors are all vulnerable. The government may try to spy on it's citizens but the citizens can spy right back. But everyone seems to think the government and all it's 3 letter agencies are actually competent in the first place and
Re: (Score:2)
Re: used a "network investigative technique" (NIT (Score:4, Funny)
Re: (Score:2, Insightful)
It's Fedspeak for "malware" or "exploit." But you can't call it that because it won't sound good in front of a judge. They're not trying to play it up as something super-awesome-hackerish. They're trying to play it down as something normal and official and businesslike. It's nothing special, it's just a t
I think this is a bad idea. (Score:5, Interesting)
Re:I think this is a bad idea. (Score:4, Insightful)
Here's the difference: At least in theory, the government is supposed to be transparent; that's where the term "public official" comes from. Part of that is transparency about how they conduct their investigations. On the other hand, no such rules apply to corporations ("private company"). If we can't know the FBI's secrets, we can't trust that they're acting in the best interest of the general population; but there's no reason the FBI needs to know secrets about companies, since companies are by definition not in the best interests of the people; they are only in the interests of themselves.
Re: (Score:1)
Here's the difference: At least in theory, the government is supposed to be transparent ...
I was HOPING that would CHANGE, but I was lied to.
WTF FF? (Score:1)
Kiddie porn perps get outed. FF reaction is to close the loopholes.
Their CEO is illegally outed for supported the popular Prop 8. FF reaction is to burn the witch.
I still use FF, often as Palemoon, and have used Moz since before Phoenix, but they've turned into complete jackasses in the last few years.
Maybe a civil suit (Score:5, Insightful)
Re:Maybe a civil suit (Score:4, Informative)
It's probably sitting in their security Bugzilla, to be honest. Firefox is a security nightmare - so much so that Pwn2Own this year decided to not accept Firefox flaws anymore - Firefox is too easy a target [slashdot.org].
The major web browsers have all started shedding privileges when they run - especially on Windows with its low integrity mode where it's restricted in its interactions with users and other windows and even the filesystem (it's why IE always has to move files when its done downloading - the file save dialog is done by a higher integrity process, and the file is downloaded to a temporary location first (the only writable area a low integrity process has) and moved by the higher integrity process. Any drive-by downloads are stuck in the temporary location, and any regular download triggers the high integrity process which cannot be interacted with by the low integrity process.).
Firefox doesn't exploit those features at all. Chrome does as well.
Re: (Score:2)
(it's why IE always has to move files when its done downloading - the file save dialog is done by a higher integrity process, and the file is downloaded to a temporary location first (the only writable area a low integrity process has) and moved by the higher integrity process.
Do you have any links on that? That is interesting. I'm running process explorer now to try and see how that works...
Re: (Score:2)
The developer documentation on low integrity IE is at https://msdn.microsoft.com/en-... [microsoft.com]
More details on process explor
Re: (Score:2)
Fascinating links, thanks.
Vulnerabilities Don't Disciminate (Score:4, Interesting)
The FBI's stance in this case seems to be another aspect of their world-view on encryption. Just as they believe that it's possible to create a "secure front door" in existing cryptographic algorithms (and thus give them a Master key that doesn't fatally flaw the encryption system), so they seem to be saying here that it is possible to distinguish between a vulnerability used to detect criminals (in this case, an alleged paedophile) and a vulnerability that could compromise the computer of a legitimate, law-abiding end user. Unfortunately, vulnerabilities don't discriminate: they'll work for anyone, for any purpose.
Sadly, proving the FBI's view is wrong would be virtually impossible unless the specific vulnerability was disclosed.
However, imagine a scenario in which the same vulnerability is subsequently identified by criminals and used to build malware that defrauds large numbers of citizens by compromising the security of their on-line banking. Tens, hundreds or thousands of people could be defrauded by hundreds, thousands or millions of dollars. In this scenario we have to ask if, on balance, it is acceptable for the FBI to remain silent in the hope that they might be able to use the same flaw to catch another alleged paedophile in the future or if, on balance, it is wiser to declare the vulnerability and have Mozilla patch it for the security of all.
The FBI, like any law enforcement agency of any western democracy, must themselves abide by the law - since, after all, the salary of every single law enforcement officer employed today is paid for by the tax contributions of the people they are paid to *protect*. As stated above, vulnerabilities don't discriminate and will work for anyone who finds and tries to exploit them. Given that anyone who does exploit a vulnerability is a criminal, the FBI surely have a duty to protect honest citizens against such future criminal exploits. If they don't, then what is the difference between the FBI and a criminal gang?
Consider a scenario [and, yes, this is highly contrived and completely unlikely] in which the vulnerability being exploited by the FBI in this case had at it's heart a mechanism that could be used to readily defeat encryption schemes such as BluRay encryption. Imagine that a criminal finds the vulnerability, spots a similar version in BluRay's implementation of encryption and uses it to produce a widely-available hack that can crack all BluRay disks wide open, regardless of the specific keys being used. Now imagine that the MPAA discover that the FBI had known about the hack for years and stayed silent.
Do you think that the MPAA would say, "Oh, heck, it's the FBI. Stand down, guys - we can't go to court to sue the FBI for beellions [sic] because they've been using this exploit to catch bad guys, which makes this OK..." ???
What this illustration is trying to show is that the moment one applies different "use cases" to the scenario, the "right answer" changes. When that happens in law, it is an example of the law being wrong, because, to be just, the law must be universal and straightforward in it's application.
There are many reasons that the Mozilla Foundation should prevail here. Let's hope that common sense wins the day and that the FBI collaborate and disclose the vulnerability.
Flash (Score:2)
To my understanding the feds used a flashed-based exploit based on the decloak module in metasploit
"It worked because Adobe’s Flash plug-in can be used to initiate a direct connection over the Internet, bypassing Tor and giving away the user’s true IP address."
https://www.wired.com/2014/12/... [wired.com]
Is this still the case? What other ways could the feds have used to decloak a Tor session?