Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Government Mozilla Communications Firefox Network Networking Open Source Privacy Security The Courts The Internet News Technology

Mozilla Fights FBI In Court For Details On Tor Browser Hack (helpnetsecurity.com) 58

An anonymous reader writes from a report on Help Net Security: Mozilla has asked a Washington State District Court to compel FBI investigators to provide details about a vulnerability in the Tor Browser hack with them, before they share it with the defendant in a lawsuit, so that they could fix it before the knowledge becomes public. The lawsuit in question is against Jay Michaud, a Vancouver (Wa.) teacher that stands accused of accessing and downloading child pornography from a website on the Dark Web. The FBI used a "network investigative technique" (NIT) to discover the IP address and identity of the defendant, which was only possible from a vulnerability in the Tor Browser. Why does Mozilla care to learn about the vulnerability? "The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser," Denelle Dixon-Thayer, Chief Legal and Business Officer at Mozilla Corporation, explained.
This discussion has been archived. No new comments can be posted.

Mozilla Fights FBI In Court For Details On Tor Browser Hack

Comments Filter:
  • Abolish the FBI (Score:1, Insightful)

    by Anonymous Coward

    We don't need the FBI. Their only apparent functions are to reduce privacy and falsely accuse people of terrorism. Abolish the FBI and other three letter federal agencies like the CIA and NSA.

    • by Anonymous Coward

      We don't need the FBI. Their only apparent functions are to reduce privacy and falsely accuse people of terrorism. Abolish the FBI and other three letter federal agencies like the CIA and NSA.

      You're on the list.

    • /sarcasm But think of the ... < insert inanimate object > !

      [ ] Terrorism
      [ ] War
      [ ] Socialism
      [ ] Drugs
      [ ] Countries that don't agree with us

    • by Archfeld ( 6757 ) <treboreel@live.com> on Friday May 13, 2016 @12:08AM (#52102731) Journal

      The FBI is indeed needed. While they do regularly exceed the scope of their mission, there is a great need for a law enforcement program that exceeds each individual state and can facilitate interstate investigations. Without them large criminal organizations, AKA the Mafia would operate with impunity crossing state lines, and avoiding prosecution by fleeing state jurisdictions. We could never rely on the states individual laws to stop kidnappings, mail fraud, gambling and other such violations that spanned several jurisdictions.

      • You mean the US Marshals? They used to do what the FBI did until it's mission became large enough to spin off, but here's something that makes Marshals better than other federal law agencies: they can enforce all local laws as well as federal. Just re-expand the Marshals and get rid of the FBI. Also mail fraud is investigated by the US Postal Inspection Service and gambling would easily be switched to the ATFE or the Secret Service since gambling is legal under federal law it usually involves tax dodging.
        • The U.S. Marshals are responsible for securing Federal Courthouses, acting on arrest warrants, and retrieving fugitives. They're not detectives, responsible for building a case, like the FBI.

        • by Archfeld ( 6757 )

          I agree or can't argue most of your point but I do think that having one agency handle those tasks will lessen the inevitable inter-branch competition that occurs any time 2 or more entities get involved in some investigation that might cross one or more of those boundaries. That one dept. could be the Marshals, the FBI, or even DHS. It just seems that segmenting 'intelligence' gathering and workforce pools seems to over complicate things and create a lesser efficient organization, especially in governmenta

  • Irony... (Score:4, Insightful)

    by Anonymous Coward on Thursday May 12, 2016 @07:07PM (#52101887)
    There is a delicious irony in the fact that the US Government developed Tor to safeguard their intelligence traffic but is now busy trying to crack Tor in an effort to monitory the activities on it's own citizens.
    • by Anonymous Coward

      The US Navy Research Labs did indeed developer Tor and the Onion implementations before turning it all over to the public foundation. And they handed it over because they decided the system would not meet their requirements. And it may be ironic but both the government and public sectors are all vulnerable. The government may try to spy on it's citizens but the citizens can spy right back. But everyone seems to think the government and all it's 3 letter agencies are actually competent in the first place and

      • The NSA does a lot more domestic spying than you think. Also the RoE for US troops is to keep us from being the bad guys or shooting the wrong people.
  • by BitterOak ( 537666 ) on Thursday May 12, 2016 @08:06PM (#52102057)
    If private companies can compel the FBI to disclose their secrets, the FBI could turn that around and say that turnabout is fair play and private companies should be compelled to disclose their secrets to the FBI. Best just to keep a respectful distance.
    • by Anonymous Coward on Thursday May 12, 2016 @10:02PM (#52102405)

      Here's the difference: At least in theory, the government is supposed to be transparent; that's where the term "public official" comes from. Part of that is transparency about how they conduct their investigations. On the other hand, no such rules apply to corporations ("private company"). If we can't know the FBI's secrets, we can't trust that they're acting in the best interest of the general population; but there's no reason the FBI needs to know secrets about companies, since companies are by definition not in the best interests of the people; they are only in the interests of themselves.

      • by Anonymous Coward

        Here's the difference: At least in theory, the government is supposed to be transparent ...

        I was HOPING that would CHANGE, but I was lied to.

  • Kiddie porn perps get outed. FF reaction is to close the loopholes.

    Their CEO is illegally outed for supported the popular Prop 8. FF reaction is to burn the witch.

    I still use FF, often as Palemoon, and have used Moz since before Phoenix, but they've turned into complete jackasses in the last few years.

  • Maybe a civil suit (Score:5, Insightful)

    by pellik ( 193063 ) on Thursday May 12, 2016 @08:27PM (#52102125)
    The FBI is saying they actively exploit a flaw in Firefox but won't say what that flaw is. This course of action actively deters people from using firefox. Mozilla can't dispute the FBIs claim since there is no evidence given. If the FBI won't disclose the vulnerability I sure hope they can sued for libel since that's exactly what is left.
    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Friday May 13, 2016 @12:59AM (#52102867)

      The FBI is saying they actively exploit a flaw in Firefox but won't say what that flaw is. This course of action actively deters people from using firefox. Mozilla can't dispute the FBIs claim since there is no evidence given. If the FBI won't disclose the vulnerability I sure hope they can sued for libel since that's exactly what is left.

      It's probably sitting in their security Bugzilla, to be honest. Firefox is a security nightmare - so much so that Pwn2Own this year decided to not accept Firefox flaws anymore - Firefox is too easy a target [slashdot.org].

      The major web browsers have all started shedding privileges when they run - especially on Windows with its low integrity mode where it's restricted in its interactions with users and other windows and even the filesystem (it's why IE always has to move files when its done downloading - the file save dialog is done by a higher integrity process, and the file is downloaded to a temporary location first (the only writable area a low integrity process has) and moved by the higher integrity process. Any drive-by downloads are stuck in the temporary location, and any regular download triggers the high integrity process which cannot be interacted with by the low integrity process.).

      Firefox doesn't exploit those features at all. Chrome does as well.

      • by MobyDisk ( 75490 )

        (it's why IE always has to move files when its done downloading - the file save dialog is done by a higher integrity process, and the file is downloaded to a temporary location first (the only writable area a low integrity process has) and moved by the higher integrity process.

        Do you have any links on that? That is interesting. I'm running process explorer now to try and see how that works...

        • by tlhIngan ( 30335 )

          (it's why IE always has to move files when its done downloading - the file save dialog is done by a higher integrity process, and the file is downloaded to a temporary location first (the only writable area a low integrity process has) and moved by the higher integrity process.

          Do you have any links on that? That is interesting. I'm running process explorer now to try and see how that works...

          The developer documentation on low integrity IE is at https://msdn.microsoft.com/en-... [microsoft.com]

          More details on process explor

  • by ytene ( 4376651 ) on Friday May 13, 2016 @02:01AM (#52102991)

    The FBI's stance in this case seems to be another aspect of their world-view on encryption. Just as they believe that it's possible to create a "secure front door" in existing cryptographic algorithms (and thus give them a Master key that doesn't fatally flaw the encryption system), so they seem to be saying here that it is possible to distinguish between a vulnerability used to detect criminals (in this case, an alleged paedophile) and a vulnerability that could compromise the computer of a legitimate, law-abiding end user. Unfortunately, vulnerabilities don't discriminate: they'll work for anyone, for any purpose.

    Sadly, proving the FBI's view is wrong would be virtually impossible unless the specific vulnerability was disclosed.

    However, imagine a scenario in which the same vulnerability is subsequently identified by criminals and used to build malware that defrauds large numbers of citizens by compromising the security of their on-line banking. Tens, hundreds or thousands of people could be defrauded by hundreds, thousands or millions of dollars. In this scenario we have to ask if, on balance, it is acceptable for the FBI to remain silent in the hope that they might be able to use the same flaw to catch another alleged paedophile in the future or if, on balance, it is wiser to declare the vulnerability and have Mozilla patch it for the security of all.

    The FBI, like any law enforcement agency of any western democracy, must themselves abide by the law - since, after all, the salary of every single law enforcement officer employed today is paid for by the tax contributions of the people they are paid to *protect*. As stated above, vulnerabilities don't discriminate and will work for anyone who finds and tries to exploit them. Given that anyone who does exploit a vulnerability is a criminal, the FBI surely have a duty to protect honest citizens against such future criminal exploits. If they don't, then what is the difference between the FBI and a criminal gang?

    Consider a scenario [and, yes, this is highly contrived and completely unlikely] in which the vulnerability being exploited by the FBI in this case had at it's heart a mechanism that could be used to readily defeat encryption schemes such as BluRay encryption. Imagine that a criminal finds the vulnerability, spots a similar version in BluRay's implementation of encryption and uses it to produce a widely-available hack that can crack all BluRay disks wide open, regardless of the specific keys being used. Now imagine that the MPAA discover that the FBI had known about the hack for years and stayed silent.

    Do you think that the MPAA would say, "Oh, heck, it's the FBI. Stand down, guys - we can't go to court to sue the FBI for beellions [sic] because they've been using this exploit to catch bad guys, which makes this OK..." ???

    What this illustration is trying to show is that the moment one applies different "use cases" to the scenario, the "right answer" changes. When that happens in law, it is an example of the law being wrong, because, to be just, the law must be universal and straightforward in it's application.

    There are many reasons that the Mozilla Foundation should prevail here. Let's hope that common sense wins the day and that the FBI collaborate and disclose the vulnerability.

  • To my understanding the feds used a flashed-based exploit based on the decloak module in metasploit

    "It worked because Adobe’s Flash plug-in can be used to initiate a direct connection over the Internet, bypassing Tor and giving away the user’s true IP address."
    https://www.wired.com/2014/12/... [wired.com]

    Is this still the case? What other ways could the feds have used to decloak a Tor session?

You know you've landed gear-up when it takes full power to taxi.

Working...