Slashdot Mirror


FBI May Be Hoarding a Firefox Zero-Day (softpedia.com)

An anonymous reader writes: Vice reported at the end of March that the FBI and the U.S. Department of Justice are fighting tooth and nail to keep a Tor Browser exploit hidden from the public eye. Computer experts were quick to point out that this Tor Browser exploit, technically speaking, is a Firefox exploit, since Tor's browser is based on Firefox's ESR platform. Taking into account that Firefox follows open-source philosophy and reveals all security flaws reported, the effort which the FBI puts into restricting access to its exploit leads to only one conclusion, and that is that the FBI is hoarding a Firefox zero-day, currently unpatched in the browser's core -- something it hopes to use once again.

19 of 99 comments

  1. well, how many does the FBI have? by turkeydance · · Score: 5, Insightful

    hoarders don't just have ONE.

    1. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 3, Interesting

      NSA just buys them all the time on the black market.
      FBI could do the same, it wouldn't even be that expensive.

      Protip: All malware writers are hoarding exploits -- and even selling them on the blackhat market.

    2. Re:well, how many does the FBI have? by rtb61 · · Score: 3, Interesting

      I would wager the stupid burns because they would need to believe that they are the only group hoarding those zero-day faults, or that their knowledge has not leaked or been sold. That is the real problem with hoarding zero-day flaws: the kind of stupid ego that presupposes they are the only people smart enough to find it and all the other espionage groups are just script kiddies. In reality hoarders will find that those they are meant to be protecting end up being attacked by others, and as they watch it unfold they just sit there, thumb in bum, mind in neutral, as they desperately try to pretend they had nothing to do with that attack or those victims.

      This has been covered before: you can never use a zero-day flaw, because once it is detected it is gone (so major effort, little to no reward); hoard a zero-day flaw only to see someone else use it whilst you are still hoarding it (those victims are your fault, and you are now an accessory before the fact and guilty of criminal negligence); hoard a zero-day only to find others had already found it and are working on a fix, and that fix is implemented before you can claim credit and earn kudos for your efforts (major effort expended and no respect gained for your agency, or the support from the public that the gained respect would earn); and of course get busted hoarding an exploit and expect resounding condemnation from everyone, a desire by the public to expose the dick heads involved, and a desire to see them prosecuted for criminal negligence, because they have a duty of care and a duty in law to protect the public from harm.

      --
      Chaos - everything, everywhere, everywhen
    3. Re:well, how many does the FBI have? by phantomfive · · Score: 3, Interesting

      Given that it's Firefox, they probably have as many zero-days as they want. Firefox doesn't seem to take security seriously, for whatever reason.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:well, how many does the FBI have? by tlhIngan · · Score: 3, Interesting

      Why bother?

      Consider that Pwn2Own removed Firefox from the contenders list for being "too easy". I hope the FBI didn't pay more than a few bucks for the one. I'm sure if they paid a few more bucks they could've had 10, 100, 1000 or more.

      Heck, there's tons of bugs that are reported and haven't been fixed at all...

  2. Re: Reasonable solution by Anonymous Coward · · Score: 3, Insightful

    With the known government lack of security how can it be? Online banking would have to vanish overnight.

  3. A search warrant is not a find warrant. by BitterOak · · Score: 5, Insightful

    It feels like we're coming to a head here with regards to the government and technology. At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.

    This statement seems to be based on a common misinterpretation of what a warrant is. Search warrants allow the police to search for things, but they do not necessarily guarantee that they will find what they're looking for, and most importantly, the existence of warrants does NOT incur an obligation on the public to live their day-to-day lives in such a way that future searches (with warrants) will be successful. Requiring computer users to use weakened or backdoored software for the simple reason that a warrant might be issued at some future time turns the Fourth Amendment to the Constitution entirely on its head.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:A search warrant is not a find warrant. by BitterOak · · Score: 2

      You're deliberately misstating what he said. What he said is that as long as companies continue to create devices designed to defeat LEO, we're setting ourselves up to lose horribly. It's much better to design a legal system that allows both devices and society a reasonable level of security.

      But this very statement seems to suggest a belief that in order for a society to be secure, the devices can't be. What is a "reasonable level of security" for a device? The maximum technology allows, or something else?

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    2. Re:A search warrant is not a find warrant. by NormalVisual · · Score: 3, Informative

      What he said is that as long as companies continue to create devices designed to defeat LEO, we're setting ourselves up to lose horribly.

      They're not being designed "to defeat LEO". They're being designed to be as secure as possible against anyone who may wish to take the data on the device without the owner's permission. The fact that it becomes more difficult for law enforcement to get to the data is merely incidental, and I have very little sympathy for their problems in light of the fact that it's becoming more and more likely for innocent people to suffer loss of life or property at the hands of the government than from terrorists, child molesters, or whoever the public enemy du jour is.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
  4. Re:Reasonable solution by JustAnotherOldGuy · · Score: 3, Funny

    ---edit for formatting--- *why doesn't slashdot have a WYSIWYG editor yet? grumble, grumble*

    Oh you dreamer...we can't even edit our own posts, a WYSIWYG editor is so far beyond that capability that you may as well wish for your own Martian Moonbase stocked with 19-year old nymphomaniacs with a Beer Generator powered by perpetual motion.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  5. Re:Reasonable solution by Kjella · · Score: 2

    I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?

    It's a bit like asking if you want digital cameras that won't produce kiddie porn. While you might score brownie points with the technically clueless, no engineer will think that's a sane idea.

    a) Stealing the decryption key is a huge goldmine
    b) There's more than one government with conflicting interests
    c) There's open source and you can encrypt more than once
    d) Nobody will know if you've tampered with it until they try

    All of these mean you're asking for magic. Say you want Apple to hold the device keys for all the iPhones (which is better than one key to rule them all, at least). That means there must be a database somewhere in Apple HQ that Chinese hackers or the NSA with a National Security Letter can steal. Or you must install them with a country-specific key on sale, but what happens if I bring my phone from Norway to the US? It'd have the Norwegian government's key, not the US one. Unless you want China to be able to decrypt all US phones. And it'd only move the master key problem somewhere else.

    Nobody can stop me from encrypting with GPG inside any crypto-crippled channel, just like you can with regular email. Or how about a Linux system with full disk encryption using LUKS; are you going to outlaw that too? And finally, even if there's a backdoor key for anything stored on a regular disk, you can probably just overwrite the area of the key and nobody will discover it until the government tries to decrypt and fails. In short, it's such an unworkable idea, due to premises that won't change, that there is no point in trying.

    P.S. What you ask for already exists, many company encryption solutions have your key and the company's spare key. It only works because they control the whole system.

    --
    Live today, because you never know what tomorrow brings
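    A toy model of the per-device escrow design the post above describes, added here as an illustration and not code from the thread or from any vendor: the vendor keeps every device key, so a copy of that table reads every device regardless of warrants (point a), while a second layer encrypted under a key the vendor never held stays opaque to the escrow path (point c). The HMAC-based keystream cipher and the device id are constructed for the example and are not a real cipher.

```python
import hashlib
import hmac
import secrets

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce||counter) blocks: a toy keystream
    for illustration only. XOR is symmetric, so the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce per message
    return nonce + toy_cipher(key, nonce, data)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return toy_cipher(key, blob[:16], blob[16:])

class Vendor:
    """Keeps a copy of every device key: the 'database somewhere in HQ'."""
    def __init__(self) -> None:
        self.escrow = {}

    def provision(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.escrow[device_id] = key  # escrow copy retained by the vendor
        return key

    def lawful_access(self, device_id: str, blob: bytes) -> bytes:
        return decrypt(self.escrow[device_id], blob)

def demo(msg: bytes = b"meeting notes") -> dict:
    vendor = Vendor()
    phone_key = vendor.provision("phone-1")  # hypothetical device id
    blob = encrypt(phone_key, msg)
    # (a) one database: whoever copies it reads every device, warrant or not
    stolen_db = dict(vendor.escrow)
    from_theft = decrypt(stolen_db["phone-1"], blob)
    # (c) the owner adds an inner layer under a key the vendor never held;
    # escrow removes only the outer layer and is left with another ciphertext
    inner_key = secrets.token_bytes(32)
    layered = encrypt(phone_key, encrypt(inner_key, msg))
    escrow_view = vendor.lawful_access("phone-1", layered)
    return {"warrant": vendor.lawful_access("phone-1", blob),
            "theft": from_theft,
            "escrow_sees_inner": escrow_view == msg,
            "owner_recovers": decrypt(inner_key, escrow_view)}
```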
  6. Re:Reasonable solution by spire3661 · · Score: 3, Insightful

    NO, there is no compromise. I am within my rights to make an unbreakable lock. The government has to learn to accept that. Warrants can be abused like any other power; the idea that everyone has to roll over at the sight of any warrant is flat out wrong. I get what you are saying, due process, I get it, but there are limits to what the government can ask. We are now at the stopping point.

    --
    Good-bye
  7. Re:Reasonable solution by guruevi · · Score: 2

    Yes, it is unreasonable. First of all it's unconstitutional; second of all you cannot 'solve' the problem without also giving access to pretty much every other entity in the world.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  8. Re:hihihi ^^ by Anonymous Coward · · Score: 3, Funny

    Do You know what is wrong in the world? What's the color of the panties of the president of Germany? If You use exploits to know that, that's a crime.
    (I know this isn't funny, but that's the difference between European women and American women - American men don't respect American women like European men respect European women, because Angry Bird (yes, that was her MSN nick once) would just punch the guy who disrespects her. A woman CAN be president, making things better for women (what the hell am I talking about???) but rich men - basically the patriarchal stereotypes, like that enemy of Deadpool, Pope Francis - will not play by her rules... So, what are You going to do? HUH? You're so much of a cunt, that You have a pregnant pussy full of pussies inside your pussy. Meh.

    dude your brain has a buffer overflow

  9. What is the FBI's mission? by physicsphairy · · Score: 2

    According to their website:

    The National Security Branch carries out the FBI’s responsibilities as the lead intelligence and law enforcement agency in the nation to detect, deter, and disrupt national security threats to the United States and its interests. Our goal is to collect, analyze, and share intelligence to develop a comprehensive understanding of—and to defeat—national security threats directed against the United States while preserving civil liberties.

    We continue to refine our intelligence capabilities to position ourselves to stay ahead of the evolving threats our nation faces. Intelligence directs how we understand threats, how we prioritize and investigate these threats, and how we target our resources to address them.

    To ensure success, we continue to integrate our intelligence and law enforcement capabilities in every operational program. The traditional distinction between national security and criminal matters is increasingly blurred as terrorists commit crimes to finance their activities and computer hackers create vulnerabilities that can be exploited. The integration of intelligence and investigations makes the FBI uniquely situated to address these threats and vulnerabilities across programs. The FBI draws on both intelligence and law enforcement tools to determine strategically where and when to disrupt threats.

    Is it just me or does a reasonable reading of this statement imply that a big part of the FBI's mission is to help eliminate vulnerabilities in software used by American citizens and companies? Is there an interpretation in which they are credibly following their own mission statement?

  10. Re:Reasonable solution by phantomfive · · Score: 2

    At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data

    The solution is here: Apple can no longer decrypt random iPhones. That's it. There are bills that have been written to change that, but none are expected to even show up on the floor of the House or the Senate.

    --
    "First they came for the slanderers and i said nothing."
  11. Re:Reasonable solution by fustakrakich · · Score: 2

    with a warrant, is this so unreasonable?

    Yes...

    --
    “He’s not deformed, he’s just drunk!”
  12. Re:Reasonable solution by th3rmite · · Score: 2

    All of you arguing with SultanCemil are pretty much idiots who don't understand what he is trying to say and definitely don't understand American culture. What he is trying to say is that, like it or not, the government IS going to do something about not being able to decrypt phones used in criminal acts. All it takes is one major event, whether it's a mass shooting or a terrorist attack that "might have been prevented if we only were able to get into so and so's phone", and the population at large will support one of the many bills that I'm sure are being drafted right now. I don't agree with it; I'm sure most of you on this site don't agree with it and understand it won't solve anything. BUT the US Government is power hungry and WILL find a way to force this issue sometime in the future. We can pretend it won't happen because of our nerdy righteous indignation, but it will. We will have to come up with some sort of compromise, or before you know it all encryption will be made illegal and all us nerds will get sent straight to the pen. And believe me, most of us will not like it there.

  13. Re:Reasonable solution by linuxrocks123 · · Score: 2

    So surrender because we might be defeated? I don't think so. We can win this issue because Google + Apple + Microsoft + many others will join the EFF and all our traditional allies in lobbying against any backdoor proposal. Who will lobby on the other side? Law enforcement? Our allies have both deeper pockets and by far the better policy argument.

    --
    vi ~/.emacs # I'm probably going to Hell for this.