Slashdot Mirror


FBI May Be Hoarding a Firefox Zero-Day (softpedia.com)

An anonymous reader writes: Vice reported at the end of March that the FBI and the U.S. Department of Justice are fighting tooth and nail to keep a Tor Browser exploit hidden from the public eye. Computer experts were quick to point out that this Tor Browser exploit, technically speaking, is a Firefox exploit, since Tor's browser is based on Firefox's ESR platform. Taking into account that Firefox follows open-source philosophy and reveals all security flaws reported, the effort which the FBI puts into restricting access to its exploit leads to only one conclusion, and that is that the FBI is hoarding a Firefox zero-day, currently unpatched in the browser's core -- something it hopes to use once again.

99 comments

  1. well, how many does the FBI have? by turkeydance · · Score: 5, Insightful

    hoarders don't just have ONE.

    1. Re:well, how many does the FBI have? by Narcocide · · Score: 1

      hoarders don't just have ONE.

      came here to post basically this sentiment, you beat me to it; I was gonna say I'd wager they have at least two.

    2. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 3, Interesting

      NSA just buys them all the time on the black market.
      FBI could do the same, it wouldn't even be that expensive.

      Protip: All malware writers are hoarding exploits -- and even selling them on the blackhat market.

    3. Re: well, how many does the FBI have? by Anonymous Coward · · Score: 1

      That was the old days, now they just pay developers to submit underhanded code in new builds.

    4. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 1

      I came to post that there are countless unpatched negative-day holes... and upon seeing that someone else already had, I was going to post that I was going to post that, but upon seeing that you have posted that you were going to post that, I have instead posted this.

    5. Re: well, how many does the FBI have? by Anonymous Coward · · Score: 0

      Well played...

    6. Re: well, how many does the FBI have? by Anonymous Coward · · Score: 0

      That was the old days.

      All days are old days.

    7. Re:well, how many does the FBI have? by rtb61 · · Score: 3, Interesting

      I would wager the stupid burns because they would need to believe that they are the only group hoarding those zero day faults or that their knowledge has not leaked or been sold. That is the real problem with hoarding zero day flaws, the kind of stupid ego that presupposes they are the only people who are smart enough to find it and all the other espionage groups are just script kiddies. In reality hoarders will find that those they are meant to be protecting end up being attacked by others and, as they watch it unfold, they just sit there, thumb in bum, mind in neutral, as they desperately try to pretend they had nothing to do with that attack or those victims.

      This has been covered before:
      a) you can never use a zero day flaw, because once it is detected it is gone (so major effort, little to no reward);
      b) you hoard a zero day flaw only to see someone else use it whilst you are still hoarding it (those victims are your fault, and you are now an accessory before the fact and guilty of criminal negligence);
      c) you hoard a zero day only to find others had already found it and are working on a fix, and that fix is implemented before you can claim credit and earn kudos for your efforts (major effort expended and no respect gained for your agency, nor the support from the public that the gained respect would earn);
      d) and of course you get busted hoarding an exploit and can expect resounding condemnation from everyone, and a desire by the public to expose the dickheads involved and to see them prosecuted for criminal negligence, because they have a duty of care and a duty of law to protect the public from harm.

      --
      Chaos - everything, everywhere, everywhen
    8. Re:well, how many does the FBI have? by phantomfive · · Score: 3, Interesting

      Given that it's Firefox, they probably have as many zero-days as they want. Firefox doesn't seem to take security seriously, for whatever reason.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:well, how many does the FBI have? by tlhIngan · · Score: 3, Interesting

      Why bother?

      Consider that Pwn2Own removed Firefox from the contenders list for being "too easy". I hope the FBI didn't pay more than a few bucks for the one. I'm sure if they paid a few more bucks they could've had 10, 100, 1000 or more.

      Heck, there's tons of bugs that are reported and haven't been fixed at all...

    10. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 0

      You try building something as complex as a modern web browser, and snap your fingers and make it secure. If it's that easy.

      Okay, seriously, if they stopped trying to cram whatever-the-standards-author-de-jour-dreams-of-today into next month's release, and slowed down their release schedule to something reasonable (major release once per 6-18 months), they'd probably end up with a much more secure browser.

    11. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 1

      That headline is a half-truth. It doesn't mean that Firefox has a lot of holes.

      As explained in the comments, they chose to remove it because Mozilla had not recently implemented new features intended to bolster security, while the other browsers had done so in the same timeframe.

    12. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 0

      In the case of Firefox that may not be true though. It has previously been banned from Pwn2Own for being "too easy" (not my words – theirs) so I'd wager various government organisations have gathered dozens of zero days. So when you can e.g. crack a big case or unmask a high-ranking double-agent, the original investment may be considered moderate compared to the pay off. And you'll still have dozens more left and we can assume Firefox's developers will add more as time goes on.

    13. Re:well, how many does the FBI have? by phantomfive · · Score: 1

      You try building something as complex as a modern web browser, and snap your fingers and make it secure. If it's that easy.

      It's a matter of priorities. If they spent more time clearing out their bug list, and less time building new features that no one wants (like pocket, or weird UI changes), the browser would be much more secure. In fact, if I were in charge at Mozilla, that would be the first thing I would do: allocate several months to fixing the most serious bugs, and then allocate enough time each month thereafter that bug count is reduced each month, instead of going up.

      --
      "First they came for the slanderers and i said nothing."
    14. Re:well, how many does the FBI have? by SuricouRaven · · Score: 1

      It's not just firefox - browsers in general have a poor history of security, because they have grown over the years from simple page-rendering engines to instruments of almost unmanageable complexity. The more complex the program, the more flaws it will contain. This is why Lynx so rarely has security issues - because it doesn't actually do very much.

    15. Re:well, how many does the FBI have? by phantomfive · · Score: 1

      That's true, but Firefox has reached next-level on the insecurity metrics.

      --
      "First they came for the slanderers and i said nothing."
    16. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 0

      I like your idea, and I hope that's what Mr Eich would've done had he had the chance.

      Bugfixing is so rarely given priority when you've got features to chase.

    17. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 0

      If I could send a meme to the FBI, it would be of the nazi-cat meme: "What do you think this is? A game?"

      https://s-media-cache-ak0.pinimg.com/736x/27/22/a5/2722a54b7dc04714eebf43b739082be6.jpg

      Cross out grammar and put "programming bugs".

    18. Re:well, how many does the FBI have? by phantomfive · · Score: 1
      --
      "First they came for the slanderers and i said nothing."
    19. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 0

      Oh, I use Privoxy already. My privacy is not restricted to a browser that way.

  2. Reasonable solution by SultanCemil · · Score: 0

    It feels like we're coming to a head here with regards to the government and technology. At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data. If we (the tech community) don't come up with a solution, at some point an inferior one might be forced on us. Imagine a significant (nuclear) terrorist threat that could be averted if the government could access X or Y. In the aftermath of such a threat (or, in the worst case, attack), public opinion will force a change. Let's find a solution. Perhaps we need a new way of encrypting things that allows a third "government" key? I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?

    --
    Cemil.
    1. Re:Reasonable solution by SultanCemil · · Score: 0

      ---edit for formatting--- *why doesn't slashdot have a WYSIWYG editor yet? grumble, grumble*

      It feels like we're coming to a head here with regards to the government and technology.

      At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.

      If we (the tech community) don't come up with a solution, at some point an inferior one might be forced on us. Imagine a significant (nuclear) terrorist threat that could be averted if the government could access X or Y. In the aftermath of such a threat (or, in the worst case, attack), public opinion will force a change.

      Let's find a solution. Perhaps we need a new way of encrypting things that allows a third "government" key? I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?

      --
      Cemil.
    2. Re: Reasonable solution by Anonymous Coward · · Score: 3, Insightful

      With the known government lack of security how can it be? Online banking would have to vanish overnight.

    3. Re:Reasonable solution by Anonymous Coward · · Score: 0

      public opinion will force a change. Let's find a solution. Perhaps we need a new way of encrypting things that allows a third "government" key? I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?

      Well see there's a problem. Public opinion or government officials could scream and cry all they want, but we can't make 1 + 1 = 3 or Pi equal exactly 3 with any amount of legal or social pressure. This is why it's not just anti-government sentiment here. It's cold hard mathematics. Nothing can change that and nothing will. Any attempts at forcing the issue will cause it to go underground and then this will become the new "War on X" that we waste fruitless millions and billions of dollars on. This is simply not an option here.

    4. Re:Reasonable solution by JustAnotherOldGuy · · Score: 3, Funny

      ---edit for formatting--- *why doesn't slashdot have a WYSIWYG editor yet? grumble, grumble*

      Oh you dreamer...we can't even edit our own posts, a WYSIWYG editor is so far beyond that capability that you may as well wish for your own Martian Moonbase stocked with 19-year old nymphomaniacs with a Beer Generator powered by perpetual motion.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Reasonable solution by Zuriel · · Score: 1

      A new way of encrypting things that has a third key? Sure, but why not wish for world peace and a Star Trek style warp drive while you're at it?

      Things that don't currently exist aren't a reasonable solution, either. No matter how often Congress demands them.

    6. Re:Reasonable solution by Kjella · · Score: 2

      I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?

      It's a bit like asking if you want digital cameras that won't produce kiddie porn. While you might score brownie points with the technically clueless, no engineer will think that's a sane idea.

      a) Stealing the decryption key is a huge goldmine
      b) There's more than one government with conflicting interests
      c) There's open source and you can encrypt more than once
      d) Nobody will know if you've tampered with it until they try

      All of these means you're asking for magic. Say you want Apple to hold the device keys for all the iPhones (which is better than one key to rule them all, at least). That means there must be a database somewhere in Apple HQ that Chinese hackers or the NSA with a National Security Letter can steal. Or you must install them with a country-specific key on sale, but what happens if I bring my phone from Norway to the US? It'd have the Norwegian government's key, not the US. Unless you want China to be able to decrypt all US phones. And it'd only move the master key problem somewhere else.

      Nobody can stop me from encrypting with GPG inside any crypto-crippled channel, just like you can with regular email. Or how about a Linux system with full disk encryption using LUKS, you going to outlaw that too? And finally, even if there's a backdoor key for anything stored on a regular disk you can probably just overwrite the area of the key and nobody will discover it until the government tries to decrypt and fails. In short, it's such an unworkable idea due to premises that won't change that there is no point in trying.

      P.S. What you ask for already exists, many company encryption solutions have your key and the company's spare key. It only works because they control the whole system.

      --
      Live today, because you never know what tomorrow brings
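The four failure modes Kjella lists above (a stolen escrow key unlocks everything, layering your own encryption inside the escrowed channel, and silently overwriting the escrow copy so nobody notices until the government tries to decrypt) are easy to make concrete with a toy key-escrow scheme. This is an added example, not code from the original post or from any real escrow product; the primitives are built from the Python standard library only (HMAC-SHA256 in counter mode as a stream cipher, HMAC-SHA256 as the authentication tag), which is illustrative rather than a production AEAD, and every key and message below is constructed for the demo.

```python
# Toy key-escrow demonstration (added example; not from the original post).
# Standard-library primitives only: HMAC-SHA256 in counter mode as a stream
# cipher, HMAC-SHA256 as the tag. Illustrative, not a production AEAD.
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
DEK_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream as HMAC(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def escrow_encrypt(user_key: bytes, escrow_key: bytes, message: bytes) -> dict:
    """Encrypt `message` under a fresh data key (DEK) and wrap that DEK twice:
    once for the owner and once for the escrow holder (the "third key")."""
    dek = os.urandom(DEK_LEN)
    return {
        "user_wrap": seal(user_key, dek),
        "escrow_wrap": seal(escrow_key, dek),
        "body": seal(dek, message),
    }


def decrypt_as_user(user_key: bytes, pkg: dict) -> bytes:
    return unseal(unseal(user_key, pkg["user_wrap"]), pkg["body"])


def decrypt_as_escrow(escrow_key: bytes, pkg: dict) -> bytes:
    """Point a): whoever holds (or stole) the escrow key reads every package."""
    return unseal(unseal(escrow_key, pkg["escrow_wrap"]), pkg["body"])


def overwrite_escrow_wrap(pkg: dict) -> dict:
    """Point d): the owner replaces the escrow copy with random bytes of the
    same length. The package still parses and the owner still decrypts;
    nobody notices until the escrow holder actually tries."""
    tampered = dict(pkg)
    tampered["escrow_wrap"] = os.urandom(len(pkg["escrow_wrap"]))
    return tampered


def escrow_wrap_looks_valid(pkg: dict) -> bool:
    """The only check possible without the escrow key is structural, and a
    random blob of the right length passes it."""
    return len(pkg["escrow_wrap"]) == NONCE_LEN + DEK_LEN + TAG_LEN


def encrypt_twice(user_key: bytes, escrow_key: bytes, private_key: bytes, message: bytes) -> dict:
    """Point c): encrypt under a key the escrow scheme never sees, then send
    that ciphertext through the escrowed channel (GPG inside the channel)."""
    return escrow_encrypt(user_key, escrow_key, seal(private_key, message))


if __name__ == "__main__":
    uk, ek, priv = os.urandom(32), os.urandom(32), os.urandom(32)
    pkg = overwrite_escrow_wrap(escrow_encrypt(uk, ek, b"hypothetical message"))
    print("owner reads:", decrypt_as_user(uk, pkg))
    print("escrow copy looks valid:", escrow_wrap_looks_valid(pkg))
    try:
        decrypt_as_escrow(ek, pkg)
    except ValueError as e:
        print("escrow holder fails only when trying:", e)
```

The design choice worth noticing is that the escrow copy is just another wrapped DEK: the scheme cannot distinguish a genuine wrap from random bytes without the escrow key, so any compliance check short of actually decrypting is meaningless, and a second layer of encryption under a key outside the scheme hands the escrow holder nothing but ciphertext.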
    7. Re:Reasonable solution by spire3661 · · Score: 3, Insightful

      NO, there is no compromise. I am within my rights to make an unbreakable lock. The government has to learn to accept that. Warrants can be abused like any other power, the idea that everyone has to roll over at the sight of any warrant is flat out wrong. I get what you are saying, due process, i get it, but there are limits to what the government can ask. we are now at the stopping point.

      --
      Good-bye
    8. Re:Reasonable solution by Anonymous Coward · · Score: 0

      What, no Blackjack?

    9. Re:Reasonable solution by Antique+Geekmeister · · Score: 1

      It can be difficult to sell, especially to export. Encryption has long been treated as a munition, a material of war.

    10. Re:Reasonable solution by Anonymous Coward · · Score: 1

      We're reaching a point (especially with the new anti-encryption bill that's been reduced) that I'm more worried of a significant (nuclear) terrorist threat that IS POSSIBLE because the government could access X or Y. Government backdoors won't stay government only for long. Because if we cave to allow the US government a backdoor, Japan might request a backdoor in too. And England. And Germany. And countless others. At that point everything that ever was encrypted just becomes swiss cheese.

    11. Re:Reasonable solution by Anonymous Coward · · Score: 0

      And that was basically pissed on SCotUS when they said a book of the source code to encryption is protected under the 1st.

    12. Re:Reasonable solution by guruevi · · Score: 2

      Yes, it is unreasonable. First of all it's unconstitutional, second of all you can not 'solve' the problem without also giving access to pretty much every other entity in the world.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    13. Re:Reasonable solution by dissy · · Score: 1

      At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.

      and

      I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?

      Well, let's examine some history here and see if it is unreasonable or not.

      Of all the terrorist attacks on US soil, encryption was only involved in one, and once decrypted had no data within at all.

      Of all terrorist attacks on US soil, the FBI already knew about the planned attacks weeks to many months in advance. They knew who would be performing the attack, where they would be attacking, and when the attack would take place.

      Yet even with knowing most of the details of the attacks ahead of time, they stopped exactly zero of them from happening. Zero.

      If you already know the who, when, where, and occasionally the how and can't stop the attacks, how exactly is compromising every American's personal safety to provide them... what useful info again exactly?

      I also don't see how the 'why' would even help in the goal of stopping them. Obviously the 'why' would be nice to know, but that seems like a thing to do after stopping their attack and not exactly a priority before.

      OK the 'how' may be useful, but if you already have the who, when, and where then you have everything needed to prevent every terrorist attack carried out so far, and again they failed to do so each and every time.
      I very much call into question that them knowing the 'how' would aid them anymore than the information they already have.

      It doesn't matter if the guy has a gun or is carrying a bomb or even uses your hypothetical nuclear device. The fact is if you know who has it, where they are, and when they plan to use it, you have everything needed to stop that guy from doing anything.

      That is why I don't feel it is reasonable to give the government so much more additional power that literally will not be used for the stated purpose and isn't required for the stated purpose.
      But all of the many many unstated purposes for them having such power are beyond frightening in how far the government can abuse them and how much damage and harm they can cause with it.

      I firmly reconfirm that such an unbalanced trade is unreasonable, and the practically no benefit is not at all worth such an extremely high price.

    14. Re:Reasonable solution by Anonymous Coward · · Score: 0

      It feels like we're coming to a head here with regards to the government and technology. At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.

      But why?

      There are all kinds of things that a warrant can never uncover: A private conversation that happened three weeks ago. Things that were planned in a meeting between terrorists in a private residence. A stack of papers with evidence of crime that was burned to ashes.

      We don't think of closing every warrant accessible interaction and record in everyday activity because it's ridiculous. It requires a complete loss of privacy, of monitoring and storing absolutely everything. Why do people look at relatively new technology like it's the culprit here and not the remaining privacy that humanity has really had from the start?

    15. Re:Reasonable solution by Anonymous Coward · · Score: 0

      The main threat these agencies are trying to protect against is democracy. Power is protecting itself, the citizens are the culprits. No amounts of votes are going to remove property from the 1%.
      Political scandals are gold, for the right people. Keeping tabs on everybody East Germany style is the current flavor. Anybody that can become a political threat will have to deal with being exposed, and there is where data-mining everybody as a safeguard is looked as a necessity. The real threat to everybody’s welfare has to be looked at statistically. Absolute safety for everyone is not possible. What are the main causes for premature death? The real data is boring and lacks news sizzle. The "news" media are busy writing interesting and cute stories, they are not obligated to serve up relevant and useful data. That is not how they get paid.
      Don't get sucked in.

    16. Re:Reasonable solution by phantomfive · · Score: 2

      At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data

      The solution is here: Apple can no longer decrypt random iphones. That's it. There are bills that have been written to change that, but none are expected to even show up on the floor of the house of congress or the senate.

      --
      "First they came for the slanderers and i said nothing."
    17. Re:Reasonable solution by fustakrakich · · Score: 2

      with a warrant, is this so unreasonable?

      Yes...

      --
      “He’s not deformed, he’s just drunk!”
    18. Re:Reasonable solution by fustakrakich · · Score: 1

      none are expected to even show up on the floor of the house of congress or the senate.

      Certainly not before the election.

      --
      “He’s not deformed, he’s just drunk!”
    19. Re:Reasonable solution by th3rmite · · Score: 2

      All of you arguing with SultanCemil are pretty much idiots who don't understand what he is trying to say and definitely don't understand American culture. What he is trying to say is that like it or not the government IS going to do something about not being able to decrypt phones used in criminal acts. All it takes is one major event whether it's a mass shooting or a terrorist attack that "might have been prevented if we only were able to get into so and so's phone" and the population at large will support the one of many bills that I'm sure are being drafted right now. I don't agree with it, I'm sure most of you on this site don't agree with it and understand it won't solve anything. BUT the US Government is power hungry and WILL find a way to force this issue sometime in the future. We can pretend it won't happen because of our nerdy righteous indignation, but it won't. We will have to come up with some sort of compromise or before you know it all encryption will be made illegal and all us nerds will get sent straight to the pen. And believe me most of us will not like it there.

    20. Re:Reasonable solution by linuxrocks123 · · Score: 2

      So surrender because we might be defeated? I don't think so. We can win this issue because Google + Apple + Microsoft + many others will join the EFF and all our traditional allies in lobbying against any backdoor proposal. Who will lobby on the other side? Law enforcement? Our allies have both deeper pockets and by far the better policy argument.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    21. Re:Reasonable solution by Anonymous Coward · · Score: 0

      With the recent attacks in Brussels, the government failed to catch the terrorists that were using unencrypted messaging (plain pre-paid phones).

      Giving access to *everything* will not increase your safety but may actually put quite big risks on you.

      Imagine you have a laptop with an encrypted HDD today. You throw that in the closet and forget about it... 10 years later you find it and are taking it to the dump, but get stopped on the way there. They ask for access to it and you have no clue about the passphrase -- suddenly you are a criminal.

      Keeping company secrets becomes a thing of the past..... If NSA does this http://www.theregister.co.uk/2... then imagine what all other countries do?

      And just because encryption is outlawed does not make criminals stop using it. It makes law-abiding people stop using it, allowing access to their data, while allowing criminals to continue hiding in the dark. Secure encryption is already out there and new schemes are being developed far away from the US. This law does nothing more than criminalize normal, currently law-abiding citizens, and perhaps be able to grab a few thugs without any tech knowledge.

      If you have a terrorist with something as huge as a nuclear device they will most likely start with getting a security-expert to set up their encrypted communications without any snooping backdoors available..

    22. Re:Reasonable solution by Anonymous Coward · · Score: 0

      You are the one not understanding what we are saying.
      Encryption is math. There is nothing anyone can do to change math.
      The government can do what it wants, but people will still be able to encrypt anything and everything they want.
      The best they could do is throw you in jail for possessing suspected encrypted material, but that would be hard to prove.

    23. Re:Reasonable solution by slashrio · · Score: 1

      I totally agree with all your points.
      It will be the law abiding civilians that will be under full government surveillance, and the criminals will just add a layer of strong encryption with their own key sets.
      More than 90% (this was a guesstimate) of gun crimes are carried out with unregistered guns. Same story.

      --
      "Trump!!", the new Godwin.
    24. Re:Reasonable solution by drinkypoo · · Score: 1

      A WYSIWYG editor is potentially desirable, and could be got from someone else. Post-editing is not desirable, except by people who can't let their mistakes go because their asshole is so tight that it can make diamonds. Learn to use preview, no problem.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    25. Re:Reasonable solution by JustAnotherOldGuy · · Score: 1

      A WYSIWYG editor is potentially desirable, and could be got from someone else. Post-editing is not desirable, except by people who can't let their mistakes go because their asshole is so tight that it can make diamonds. Learn to use preview, no problem.

      That's just like, your opinion, man. Try this on for size:

      "A WYSIWYG editor is only desirable by weenies who want to use emoticons and who are at their core, attention whores. Post-editing is desirable, except by people who NEVER make mistakes and who think their shit don't stink. Someday you'll grow up and be able to understand other people's viewpoints, and then it will be no problem."

      See how easy it is to dismiss what other people want, while retaining your own gun-slit view of the world?

      Virtually every message board and forum in existence allows post editing, often within a short grace period to prevent abuse.

      If you're that anal about being made to look like a fool by someone fixing a typo or changing the content of their post, perhaps you're a little too tightly-wound for healthy participation in a discussion forum.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    26. Re:Reasonable solution by Anonymous Coward · · Score: 0

      > if we cave to allow the US government a backdoor, Japan might request a backdoor in too.
      > And England. And Germany. And countless others.

      That's precisely what's happening!

      > At that point everything that ever was encrypted just becomes swiss cheese.

      That's precisely what's intended!

    27. Re:Reasonable solution by drinkypoo · · Score: 1

      Virtually every message board and forum in existence allows post editing, often within a short grace period to prevent abuse.

      Yes, and that is often stupid. It's good for forums where people are providing information. It's bad for forums where people are arguing. Slashdot is all about arguing, and therefore it would be bad here.

      If you're that anal about being made to look like a fool by someone fixing a typo or changing the content of their post, perhaps you're a little too tightly-wound for healthy participation in a discussion forum.

      This isn't about my asshole, this is about your lack of competence.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    28. Re:Reasonable solution by JustAnotherOldGuy · · Score: 1

      Slashdot is all about arguing, and therefore it would be bad here.

      It's a shame that you view slashdot this way (just another way for you to vent your spleen), but I think that says a lot more about you than it does about slashdot.

      -

      This isn't about my asshole, this is about your lack of competence.

      No, it's about you being an asshole, and your inability to understand that different people want different things. Your opinion isn't the gold standard, and with any luck you'll learn about that in High School.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    29. Re:Reasonable solution by drinkypoo · · Score: 1

      No, it's about you being an asshole, and your inability to understand that different people want different things. Your opinion isn't the gold standard,

      Ah, irony. You're being precisely the kind of asshole you're accusing me of being. This has been argued out over and over again here on Slashdot, and I'm doing you the courtesy of revisiting those dumber times to explain to you why you're wrong. It's not just my idea. It is, in fact, the will of the people.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    30. Re:Reasonable solution by JustAnotherOldGuy · · Score: 1

      It's not just my idea. It is, in fact, the will of the people.

      Actually, quite a few people* have expressed a desire for post editing, but as long as you're speaking for the will of the people I guess we'll all just fall in line, Herr Drinkypoo.

      -

      *Indeed, Whipslash had mentioned at one point that "it was coming", so maybe your "will of the people" isn't all it's cracked up to be.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    31. Re: Reasonable solution by Anonymous Coward · · Score: 0

      Yes, let's do away with our right to peaceably assemble, because the FBI can't easily listen in on a conversation between you and me.

    32. Re:Reasonable solution by Anonymous Coward · · Score: 0

      How do you inform encryption or security aspects that you have "an appropriate warrant" and that you are an appropriate Government agency rather than, say, just a hacker? It's simply not going to happen and neither is "at some point an inferior one might be forced on us" as the encryption genie is out of the bottle in so many unregulateable forms it cannot be put back in no matter who thinks they can stop the tide.

    33. Re:Reasonable solution by Anonymous Coward · · Score: 0

      " If we (the tech community) don't come up with a solution, at some point an inferior one might be forced on us. Imagine a significant (nuclear) terrorist threat that could be averted if the government could access X or Y. In the aftermath of such a threat (or, in the worst case, attack), public opinion will force a change. Let's find a solution."

      In life, there are two choices, and only two; love or fear. you choose to love your neighbor or you choose to fear your neighbor. you sir have chosen fear and i wish to convey my deepest condolences to you for your loss.

      You fight the kind of terrorism by simply ignoring it and living to a higher standard and encouraging everyone else to live at that higher standard. Funny enough that is where the police are also supposed to get their power from, by holding them to a higher standard and showing everyone else how to do it.. unfortunately that isn't the case and hence why we live in a time of inverted totalitarianism.

    34. Re:Reasonable solution by peawormsworth · · Score: 1

      Government should protect its citizens. It would be ideal if the people we appoint and pay to solutions us worked hard to find the best encryption to protect and secure our digital assets. Instead, the officials work to weaken us so they can claim more reason to protect us. Every citizen should be armed with the strongest computing environments possible to protect us from digital attacks from those who want to do us harm (everyone else).

      I hope nothing happens to our country. But when a country is invaded, the first thing to go is the government. I don't want to be weak so big government needs to protect me. I want to be strong (with the help of my government) so that I do not need further protections.

  3. That's not proven by CAOgdin · · Score: 1

    Nor is it proven that the problem is within Firefox...it could as well be in the Tor modifications to Firefox...if, indeed, there is such a problem at all.

    Wild speculation, whether here at /., or at Motherboard, is absent evidence. If I were an agent of the FBI and I DIDN'T know ANYTHING about some putative "back door" into Tor, I'd claim I did, to scare the #$&*%^ out of people who DO use Tor. They can, apparently, legally do that with impunity as officers for the law.

    Until there's evidence to support this idle speculation, it is bunkum.

    1. Re:That's not proven by Anonymous Coward · · Score: 1

      Nor is it proven that the problem is within Firefox...it could as well be in the Tor modifications to Firefox...if, indeed, there is such a problem at all.

      Wild speculation, whether here at /., or at Motherboard, is absent evidence. If I were an agent of the FBI and I DIDN'T know ANYTHING about some putative "back door" into Tor, I'd claim I did, to scare the #$&*%^ out of people who DO use Tor. They can, apparently, legally do that with impunity as officers for the law.

      Until there's evidence to support this idle speculation, it is bunkum.

      According to the linked article, that is exactly what the defense attorney is after: proof. Society can not allow a prosecutor to claim, in court, that a 'magical black box' tells them the defendant is guilty.

    2. Re:That's not proven by SuricouRaven · · Score: 1

      It doesn't need to be a security hole. It just needs to be some way, any way, to make Firefox connect without using the Tor proxy. All it takes is one obscure call in javascript somewhere that ignores the proxy settings.

  4. I think I can speak for most of the internet by inode_buddha · · Score: 0

    I think I can speak for most of the internet in saying "Oh, shit!"

    --
    C|N>K
  5. A search warrant is not a find warrant. by BitterOak · · Score: 5, Insightful

    It feels like we're coming to a head here with regards to the government and technology. At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.

    This statement seems to be based on a common misinterpretation of what a warrant is. Search warrants allow the police to search for things, but they do not necessarily guarantee that they will find what they're looking for, and most importantly, the existence of warrants does NOT incur an obligation on the public to live their day-to-day lives in such a way that future searches (with warrants) will be successful. Requiring computer users to use weakened or backdoored software for the simple reason that a warrant might be issued at some future time turns the Fourth Amendment to the Constitution entirely on its head.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:A search warrant is not a find warrant. by Anonymous Coward · · Score: 0

      You're deliberately misstating what he said. What he said is that as long as companies continue to create devices designed to defeat LEO, we're setting ourselves up to lose horribly. It's much better to design a legal system that allows both devices and society a reasonable level of security.

      Worst case is a society and legal system in which large evil corporations get to decide what laws they follow and can unilaterally choose to tell the government to fuck off. Apple saying "We're just going to tell a federal judge to fuck off because we want to advertise our system to criminals" is not a good thing.

    2. Re:A search warrant is not a find warrant. by BitterOak · · Score: 2

      You're deliberately misstating what he said. What he said is that as long as companies continue to create devices designed to defeat LEO, we're setting ourselves up to lose horribly. It's much better to design a legal system that allows both devices and society a reasonable level of security.

      But this very statement seems to suggest a belief that in order for a society to be secure, the devices can't be. What is a "reasonable level of security" for a device? The maximum technology allows, or something else?

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    3. Re:A search warrant is not a find warrant. by Anonymous Coward · · Score: 0, Insightful

      and most importantly, the existence of warrants does NOT incur an obligation on the public to live their day-to-day lives in such a way that future searches (with warrants) will be successful. Requiring computer users to use weakened or backdoored software for the simple reason that a warrant might be issued at some future time turns the Fourth Amendment to the Constitution entirely on its head.

      You seem to have forgotten that in the US we now live in an age where the government can mandate that every citizen enter into a relationship with a commercial entity, simply for being present here in the US, even if they don't want to (i.e., the Affordable Care Act individual mandate) and assess hefty penalties for failure to comply. Ordinarily I would agree with you that individual citizens would not be required to modify their day-to-day behavior simply to accommodate the government, but times are clearly changing.

      If the government can force everyone to buy something whether or not they want it, then what is stopping them from forcing everyone to (fill in the blank)?

    4. Re:A search warrant is not a find warrant. by Anonymous Coward · · Score: 1

      Fair, but then how do you deal with the externalized costs of the uninsured? We're far past letting people die without at least some semblance of care, so now who pays?

      If you increase taxes and have the government pay, you get howls of socialized medicine and perverse incentives to move most people to being uninsured. If you force business to absorb the cost, you have increased costs for private parties.

      I'm not a fan of the Affordable Care Act, but thus far I haven't heard of any good alternatives.

    5. Re:A search warrant is not a find warrant. by Anonymous Coward · · Score: 0

      How do you deal with the cost of Apple advertising the iPhone as a way to defeat law enforcement? It's a cost.

    6. Re:A search warrant is not a find warrant. by Frank+Burly · · Score: 1

      But this very statement seems to suggest a belief that in order for a society to be secure, the devices can't be. What is a "reasonable level of security" for a device? The maximum technology allows, or something else?

      You asked what a reasonable level of security is and society is trying to figure that out right now—both with regard to device encryption and mass collection of what was once thought of as trivial and non-private data.

      Society can never be absolutely secure, but (going back to your original statement regarding warrants) the fact that search warrants can be issued on relatively meager evidence shows that the right to privacy was never seen as absolute either.

    7. Re: A search warrant is not a find warrant. by Anonymous Coward · · Score: 0

      You don't, because they're not.

    8. Re:A search warrant is not a find warrant. by fustakrakich · · Score: 1

      then what is stopping them from forcing everyone to (fill in the blank)?

      The voters. If they don't do it, nobody will.

      --
      “He’s not deformed, he’s just drunk!”
    9. Re:A search warrant is not a find warrant. by NormalVisual · · Score: 3, Informative

      What he said is that as long as companies continue to create devices designed to defeat LEO, we're setting ourselves up to lose horribly.

      They're not being designed "to defeat LEO". They're being designed to be as secure as possible against anyone who may wish to take the data on the device without the owner's permission. The fact that it becomes more difficult for law enforcement to get to the data is merely incidental, and I have very little sympathy for their problems in light of the fact that it's becoming more and more likely for innocent people to suffer loss of life or property at the hands of the government than from terrorists, child molesters, or whoever the public enemy du jour is.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    10. Re:A search warrant is not a find warrant. by linuxrocks123 · · Score: 1

      "Hefty penalty"? It's either a 1% tax rate increase or $95. Whine much?

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    11. Re:A search warrant is not a find warrant. by Anonymous Coward · · Score: 0

      ...If the government can force everyone to buy something whether or not they want it, then what is stopping them from forcing everyone to (fill in the blank)?....

      You can say the same thing about every one of the millions of tax exemptions, deductions, credits, loopholes, etc in the US income tax code. The government doesn't "force" you to have a mortgage and pay interest, they just have a tax-deduction to let you deduct that interest from your taxes if you 'claim' it on your tax forms. The government doesn't "force" you to have children, they just have personal tax-exemptions and other deductions & credits if you do have kids (and you 'claim' them on your tax forms).

      Same reasoning with the ACA:

      The government doesn't "force" you to have health insurance, they just have a tax penalty if you fail to 'claim' it on your tax forms.

      And yes, I do see that this is just social-engineering via the tax-code -- but the ACA is no different than all the rest. I'm in favor of eliminating all forms of tax deductions, credits, exemptions, loopholes, etc. A tax loophole only works if someone _else_ cannot claim it -- otherwise what is the point of them?

    12. Re:A search warrant is not a find warrant. by drinkypoo · · Score: 1

      What he said is that as long as companies continue to create devices designed to defeat LEO, we're setting ourselves up to lose horribly. It's much better to design a legal system that allows both devices and society a reasonable level of security.

      But this very statement seems to suggest a belief that in order for a society to be secure, the devices can't be. What is a "reasonable level of security" for a device? The maximum technology allows, or something else?

      No, you are missing the point completely. You can't fix this problem technically. Setting people up to defeat law enforcement is bad. But it's a situation created by setting law enforcement up to defeat people. We have a nation of shit laws. It's no wonder that people do their best to get around them. If we fix the law, we'll have fewer offenders. Now, quick quiz, what percentage of the people in prison are nonviolent offenders?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    13. Re:A search warrant is not a find warrant. by Anonymous Coward · · Score: 0

      What you're saying, though, is that it's OK to write software with deliberately built-in security holes. If this were to become the norm, the government will NOT be the only ones that use those holes.

      This would be made even worse if it's done with open source software for obvious reasons.

    14. Re:A search warrant is not a find warrant. by SuricouRaven · · Score: 1

      Or another question worth asking: What percentage of the population can get through a typical week without committing a crime?

      When the law reaches a level of complexity such that it's impossible not to break it, and we're relying on police to make the call of which crimes are worth the cost of investigating and prosecuting, it's not surprising that many people lose all respect for the law and come to regard law enforcement not as their protectors, but as a potential threat.

    15. Re:A search warrant is not a find warrant. by lgw · · Score: 1

      as long as companies continue to create devices designed to defeat LEO

      There's not an important difference between a phone and a safe. You can buy a safe that the government would find nigh impossible to extract paper documents from (because paper burns, and will if enough energy is directed into the safe). The only difference is cost.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  6. Hyperbole much? by Anonymous Coward · · Score: 1

    >Since the US DoJ is mounting an all-out assault to keep the Tor Browser exploit out of the public eye, common sense dictates that this is a previously unknown issue, otherwise, why bother.

    Must every story on Slashdot about data security, privacy and the law be linked to articles that are so fucking hysterical in tone, so lacking in facts but so plentiful in speculation, and written so amateurishly (read: like a blog)?

  7. I think I found an FBI safe house. by dsmatthews9379 · · Score: 1
    1. Re:I think I found an FBI safe house. by ThatTreeOverThere · · Score: 1
    2. Re:I think I found an FBI safe house. by inode_buddha · · Score: 1

      I'm disappointed in you guys. Neither of those links led to a goatse.

      --
      C|N>K
  8. Why wouldn't they? by Anonymous Coward · · Score: 0

    They have no respect for anything in the US anymore. Citizens, the Constitution, the Bill of Rights and anything else that gets in their way. Regardless if that way is against the very principles of the founding fathers or anybody's father.

    The FBI has at least one zero-day exploit for Firefox. The thought that they wouldn't is just a flight of fantasy. The FBI is crooked, it has been for much longer than we thought sad to say. At least the current director doesn't wear dresses. Nothing to see here, move on, move on.

  9. hihihi ^^ by Anonymous Coward · · Score: 0

    Do You know what is wrong in the world? What's the color of the panties of the president of Germany? If You use exploits to know that, that's a crime.
    (I know this isn't funny, but that's the difference between European women and American women - American men don't respect American women like European men respect European women, because Angry Bird (yes, that was her MSN nick once) would just punch the guy who disrespects her. A woman CAN be president, making things better for women (what the hell am I talking about???) but rich men - basically the patriarchal stereotypes, like that enemy of Deadpool, Pope Francis - will not play by her rules... So, what are You going to do? HUH? You're so much of a cunt, that You have a pregnant pussy full of pussies inside your pussy. Meh.

    1. Re:hihihi ^^ by Anonymous Coward · · Score: 3, Funny

      Do You know what is wrong in the world? What's the color of the panties of the president of Germany? If You use exploits to know that, that's a crime.
      (I know this isn't funny, but that's the difference between European women and American women - American men don't respect American women like European men respect European women, because Angry Bird (yes, that was her MSN nick once) would just punch the guy who disrespects her. A woman CAN be president, making things better for women (what the hell am I talking about???) but rich men - basically the patriarchal stereotypes, like that enemy of Deadpool, Pope Francis - will not play by her rules... So, what are You going to do? HUH? You're so much of a cunt, that You have a pregnant pussy full of pussies inside your pussy. Meh.

      dude your brain has a buffer overflow

  10. Logic fail by Anonymous Coward · · Score: 0

    ... this Tor Browser exploit, technically speaking, is a Firefox exploit, since Tor's browser is based on Firefox's ESR platform.

    Not necessarily. This could be an exploit introduced in the code specific to the Tor Browser. There's no reason to believe it must also be present in the ESR platform.

  11. What is the FBI's mission? by physicsphairy · · Score: 2

    According to their website

    The National Security Branch carries out the FBI’s responsibilities as the lead intelligence and law enforcement agency in the nation to detect, deter, and disrupt national security threats to the United States and its interests. Our goal is to collect, analyze, and share intelligence to develop a comprehensive understanding of—and to defeat—national security threats directed against the United States while preserving civil liberties.

    We continue to refine our intelligence capabilities to position ourselves to stay ahead of the evolving threats our nation faces. Intelligence directs how we understand threats, how we prioritize and investigate these threats, and how we target our resources to address them.

    To ensure success, we continue to integrate our intelligence and law enforcement capabilities in every operational program. The traditional distinction between national security and criminal matters is increasingly blurred as terrorists commit crimes to finance their activities and computer hackers create vulnerabilities that can be exploited. The integration of intelligence and investigations makes the FBI uniquely situated to address these threats and vulnerabilities across programs. The FBI draws on both intelligence and law enforcement tools to determine strategically where and when to disrupt threats.

    Is it just me or does a reasonable reading of this statement imply that a big part of the FBI's mission is to help eliminate vulnerabilities in software used by American citizens and companies? Is there an interpretation in which they are credibly following their own mission statement?

    1. Re:What is the FBI's mission? by Narcocide · · Score: 1

      Is there an interpretation in which they are credibly following their own mission statement?

      An incredible one?

    2. Re:What is the FBI's mission? by Anonymous Coward · · Score: 1

      The prime driving force in any organization is to continue its own existence.

      Allowing crime to happen such that there is someone to prosecute is necessary for the continuation of FBI's budget. They have more incentive to not defend than to do what is best for the people they serve.

  12. Intolerant Mozilla by Anonymous Coward · · Score: 0

    After the level of intolerance displayed at their former CEO, does anyone still use Firefox?

    1. Re:Intolerant Mozilla by Anonymous Coward · · Score: 0

      Yeah, blame it on Eich.... You forget that while he was running the company Mozilla was actually doing a good job, not the Chrome handjob it is doing today.

  13. I tend to agree with the FBI on this one by BlueCoder · · Score: 1

    But let me point out the remotest possibility that the IP address tracked down wouldn't necessarily prove a particular person was involved.

    Theoretically the best way for a person to hide would be to hide behind and implicate another person. (Seriously, watch more Columbo.) You would have to show that a computer wasn't infected in such a way as to secretly relay traffic. One would have to assume the software was designed to erase itself if discovered.

    But I have to make the point. Getting an IP address is only the first step. I suggest that is enough information to get a warrant and then do a real investigation such as physically bugging their computer and gathering keystrokes and mousestrokes and possibly video evidence of his activity at the computer.

    To prove a person was downloading child porn you would need a complete tap of their internet connection checking for relayed transmission. Then check that no one hacked into their wireless network from outside their home. Then finally show that that person was home when no one else was.

    And a pedophile wouldn't require vast technical knowledge. Just like everything else you can buy expertise. To another hacker it would look like a noob buying help to get started being a hacker.

    In general, hacking into at least one neighbor's WiFi is something any hacker should easily be able to do.

    So to sum it up: stop slacking off on your job. Get the warrant and catch him jerking off on his computer to what is obviously child porn.

  14. I'm sure they're hoarding plenty by Anonymous Coward · · Score: 0

    Firefox is a fucking SIEVE

  15. Well since Firefox is too easy to pwn? (pwn2own) by burni2 · · Score: 1

    the tor project should shy away from Firefox (ESR)?

    https://it.slashdot.org/story/...

    http://www.eweek.com/security/...

  16. Re:we want to advertise to criminals by slashrio · · Score: 1

    ...because we want to advertise our system to criminals...

    I don't think this is Apple's intention.
    It's not the criminals that sent a message that they don't want government to snoop in all their communications at will, but ordinary users like... me, and others.
    Apple doesn't want to lose its market share because of the common knowledge that their devices are open to any government that likes to have a look (of course they are, but they like to pretend they're not) and so they are opposing government intrusion at this level. On a higher level of course they will fully cooperate, don't worry.

    --
    "Trump!!", the new Godwin.
  17. Re:Well since Firefox is too easy to pwn? (pwn2own by Anonymous Coward · · Score: 1

    As I posted elsewhere, that headline is a half-truth. It doesn't mean that Firefox has a lot of holes.

    They 'disqualified' it because Mozilla had not recently implemented new features intended to bolster security, while the other browsers had done so in the same timeframe.

    Whether those security features actually harden the browser, make it more difficult to exploit, is a different question.

  18. HotJava by DivineKnight · · Score: 1

    And people wonder why I run the HotJava program as my main browser...;-)

  19. Since 2014 at least, used in Colorado. by haxorhelo · · Score: 1

    As an uberhaxor, I had UNSUCCESSFUL malicious attempts made on my self-compiled Linux platform in 2014 that subsequently led to another 2 remote exploit attempts in the days after and then surveillance activities on the ground as I traveled several times between a pot growing agricultural area of Colorado (visiting friends) and a resort area (where I live). My laptop in question may have been later compromised by more advanced techniques. I still write code on it, though.

    Malicious code can be injected at ISP level much like ISP-based warning popups and other messages. I'm certain this is how it works from how I was targeted.

    No idea on details of the targeted flaw, but Firefox very much dumped core for no reproducible reason after logging on to the internet from a new wifi AP in a small town that only has 1 physical network pipeline. Easily targeted by the feds in a long-standing area of interest for DEA investigations.. w00t w00t. 0x1deadfed.

    I've had previous electronic encounters with FBI in '03-'04, at that time it was AOL IM linux client 0day. And yes, it was the FBI 100%. I had downloaded/copied (hacked?) a government voter database at the time for a political group that needed to verify voter petition validity (NORML/MPP). There was also ground activity surveillance from that, and it's public record FBI sent _hundreds_ of field agents to the college town I was in the summer this went down. At the time I couldn't believe it, but now I know it's how they roll when they get motivated to leave the office.

    This is not for troll, wake up and realize that Americans really are targeted without warrants. You'd be insane to think I'm not on a few watchlists. -helo

  20. Stop this U.S. vs Perfect nonsense by Anonymous Coward · · Score: 0

    No doubt that China, Russia and others are hoarding zero-days, but we wouldn't have any data to even suggest such a thing because those countries lack an open court system. These discussions about the limitations of law enforcement and intelligence do not occur there because the conversations are censored, the bloggers are jailed, and the dissidents are executed. Compared to your idea of perfect (whatever it happens to be at this particular self-serving moment), the U.S. looks bad, with all its dirty laundry aired daily. But compared to the rest of the world, the U.S. is doing quite well when it comes to individual freedom. Even the liberal countries of western Europe censor these discussions and keep their intelligence authorities under wraps. I'd rather live in a country where the dirt is out there for debate, than one where it's buried by a carefully honed propaganda machine (or worse, a closed tyranny) where there's nothing to complain about because the dirt is kept well concealed beneath the rug. And if you think that the U.S. government has a propaganda machine, then you live in Fantasy Land and know nothing about the deliberately designed dysfunctional system that is the U.S. government. One U.S. agency's secret is another agency's weapon against it. The fact that you're even talking about this is a positive mark for the U.S. system, not another sign of doom. I was once asked by an Iranian academic the process that I needed to go through in the U.S. to publish a research paper. He didn't believe me when I said that I don't need to tell them anything, and would revolt if such a demand were made. USA: Openly imperfect, but better than the polished turds. Welcome to Earth.

  21. Should work two ways... by martinfb · · Score: 1

    If (you - the FBI, NSA, etc...) think it is okay to have access to ALL my (i.e. our) stuff, then WE require access to ALL of your stuff!

    --
    Self-importance and self-indulgence are the root of ALL evil.