Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI May Be Hoarding a Firefox Zero-Day (softpedia.com)

Posted by BeauHD on from the hide-and-seek dept.

An anonymous reader writes: Vice reported at the end of March that the FBI and the U.S. Department of Justice are fighting tooth and nail to keep a Tor Browser exploit hidden from the public eye. Computer experts were quick to point out that this Tor Browser exploit, technically speaking, is a Firefox exploit, since Tor's browser is based on Firefox's ESR platform. Taking into account that Firefox follows open-source philosophy and reveals all security flaws reported, the effort which the FBI puts into restricting access to its exploit leads to only one conclusion, and that is that the FBI is hoarding a Firefox zero-day, currently unpatched in the browser's core -- something it hopes to use once again.

11 of 99 comments (clear)

  1. well, how many does the FBI have? by turkeydance · · Score: 5, Insightful

    hoarders don't just have ONE.

    1. Re:well, how many does the FBI have? by Anonymous Coward · · Score: 3, Interesting

      NSA just buys them all the time on the black market.
      FBI could do the same, it wouldn't even be that expensive.

      Protip: All malware writers are hoarding exploits -- and even selling them on the blackhat market.

    2. Re:well, how many does the FBI have? by rtb61 · · Score: 3, Interesting

      I would wager the stupid burns because they would need to believe that they are the only group hoarding those zero day faults or that their knowledge has not leaked or sold. That is the real problem with hoarding zero day flaws, the kind of stupid ego that pre-posits they are the only people who are smart enough to find it and all the other espionage groups are just script kiddies. In reality hoarders will find that those they are meant to be protecting end up being attacked by others and as they watch it unfold, they just sit them, thumb in bum, mind in neutral as they desperately try to pretend they had nothing to do with that attack or those victims.

      This has been covered before, can never use a zero day flaw because once it is detected it is gone (so major effort little to no reward), hoard a zero day flaw only to see someone else use it whilst you are still hoarding it (those victims, your fault and you are now an accessory before the fact and guilty of criminal negligence), hoard a zero day only to find others had already found it and are working on a fix and that fix is implemented before you can claim credit and earn kudos for you efforts (major effort expended and no respect gained for your agency or the support from the public that the gained respect would earn) and of course get busted hoarding an exploit and expect resounding condemnation from every one and a desire to by the public to expose the dick heads involved and a desire to see them prosecuted for criminal negligence because they have a duty of care and a duty of law to protect the public from harm.

      --
      Chaos - everything, everywhere, everywhen
    3. Re:well, how many does the FBI have? by phantomfive · · Score: 3, Interesting

      Given that it's Firefox, they probably have as many zero-days as they want. Firefox doesn't seem to take security seriously, for whatever reason.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:well, how many does the FBI have? by tlhIngan · · Score: 3, Interesting

      Why bother?

      Consider Pwn2Own removed Firefox from a contenders list for being "too easy" I hope the FBI didn't pay more than a few bucks for the one. I'm sure if they paid a few more bucks they could've had 10, 100, 1000 or more.

      Heck, there's tons of bugs that are reported and haven't been fixed at all...

  2. Re: Reasonable solution by Anonymous Coward · · Score: 3, Insightful

    With the known government lack of security how can it be? Online banking would have to vanish overnight.

  3. A search warrant is not a find warrant. by BitterOak · · Score: 5, Insightful

    It feels like we're coming to a head here with regards to the government and technology. At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.

    This statement seems to be based on a common misinterpretation of what a warrant is. Search warrants allow the police to search for things, but they do not necessarily guarantee that they will find what they're looking for, and most importantly, the existence of warrants does NOT incur an obligation on the public to live their day-to-day lives in such a way that future searches (with warrants) will be successful. Requiring computer users to use weakened or backdoored software for the simple reason that a warrant might be issued at some future time turns the Fourth Amendment to the Constitution entirely on its head

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:A search warrant is not a find warrant. by NormalVisual · · Score: 3, Informative

      What he said is that as long as companies continue to create devices designed to defeat LEO, we're setting ourselves up to lose horribly.

      They're not being designed "to defeat LEO". They're being designed to be as secure as possible against anyone who may wish to take the data on the device without the owner's permission. The fact that it becomes more difficult for law enforcement to get to the data is merely incidental, and I have very little sympathy for their problems in light of the fact that it's becoming more and more likely for innocent people to suffer loss of life or property at the hands of the government than from terrorists, child molesters, or whoever the public enemy du jour is.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
  4. Re:Reasonable solution by JustAnotherOldGuy · · Score: 3, Funny

    ---edit for formatting--- *why doesn't slashdot have a WYSIWYG editor yet? grumble, grumble*

    Oh you dreamer...we can't even edit our own posts, a WYSIWYG editor is so far beyond that capability that you may as well wish for your own Martian Moonbase stocked with 19-year old nymphomaniacs with a Beer Generator powered by perpetual motion.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  5. Re:Reasonable solution by spire3661 · · Score: 3, Insightful

    NO, there is no compromise. I am within my rights to make an unbreakable lock. The government has to learn to accept that. Warrants can be abused like any other power, the idea that everyone has to roll over at the sight of any warrant is flat out wrong. I get what you are saying, due process, i get it, but there are limits to what the government can ask. we are now at the stopping point.

    --
    Good-bye
  6. Re:hihihi ^^ by Anonymous Coward · · Score: 3, Funny

    Do You know what is wrong in the world? What's the color of the panties of the president of Germany? If You use exploits to know that, that's a crime.
    (I know this isn't funny, but that's the difference between European women and Amerian woman - American men doesn't respect American women like European men respect European woman, because Angry Bird (yes, that's was her MSN nick once) would just punch the guy who disrespects her. An women CAN be president, making things better to woman (what a hell am I talking about???) but rich men - basicaly the patriarc stereotypes, like the that enemy of Deadpool, Pope Francis - will not play by her rules... So, what are You gong to do? HUH? You're so much of a cunt, that You have a pregnant pussy full of pussies inside your pussy. Meh.

    dude your brain has a buffer overflow