Slashdot Mirror


Mozilla Fights FBI In Court For Details On Tor Browser Hack (helpnetsecurity.com)

An anonymous reader writes from a report on Help Net Security: Mozilla has asked a Washington State District Court to compel FBI investigators to provide details about a vulnerability in the Tor Browser hack with them, before they share it with the defendant in a lawsuit, so that they could fix it before the knowledge becomes public. The lawsuit in question is against Jay Michaud, a Vancouver (Wa.) teacher that stands accused of accessing and downloading child pornography from a website on the Dark Web. The FBI used a "network investigative technique" (NIT) to discover the IP address and identity of the defendant, which was only possible from a vulnerability in the Tor Browser. Why does Mozilla care to learn about the vulnerability? "The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser," Denelle Dixon-Thayer, Chief Legal and Business Officer at Mozilla Corporation, explained.

58 comments

  1. Abolish the FBI by Anonymous Coward · · Score: 1, Insightful

    We don't need the FBI. Their only apparent functions are to reduce privacy and falsely accuse people of terrorism. Abolish the FBI and other three letter federal agencies like the CIA and NSA.

    1. Re:Abolish the FBI by Anonymous Coward · · Score: 1

      We don't need the FBI. Their only apparent functions are to reduce privacy and falsely accuse people of terrorism. Abolish the FBI and other three letter federal agencies like the CIA and NSA.

      You're on the list.

    2. Re:Abolish the FBI by hcs_$reboot · · Score: 3, Funny

      He's an AC on /. and, thus, is completely safe.

      --
      Slashdot, fix the reply notifications... You won't get away with it...

    3. Re:Abolish the FBI by UnknownSoldier · · Score: 1

      /sarcasm But think of the ... < insert inanimate object > !

      [ ] Terrorism
      [ ] War
      [ ] Socialism
      [ ] Drugs
      [ ] Countries that don't agree with us

    4. Re:Abolish the FBI by matchhead650 · · Score: 2

      you are forgetting [ ] Children

    5. Re:Abolish the FBI by clubby · · Score: 1

      If the children in question qualify as "inanimate objects," you're probably too late to save them.

    6. Re:Abolish the FBI by Anonymous Coward · · Score: 0

      FBI could have prevented 9/11 by searching Moussaoui's computer, but FISA got in the way.

      FBI is incredibly worthwhile, at least the portion that sticks to the mission.

    7. Re:Abolish the FBI by Anonymous Coward · · Score: 0

      Although, to be fair, only one of the other things listed by Unknown Soldier qualifies as an inanimate object.

  2. Whatever, Firefox is all but dead anyway by Anonymous Coward · · Score: 0, Troll

    Now they are the new IE.

    1. Re:Whatever, Firefox is all but dead anyway by hcs_$reboot · · Score: 1

      FF is not that bad, please!

      --
      Slashdot, fix the reply notifications... You won't get away with it...

    2. Re:Whatever, Firefox is all but dead anyway by Anonymous Coward · · Score: 0

      I think you're thinking about Safari, the browser that updates the least frequently and is the furthest behind on web standards (even Edge is poised to leapfrog it in that regard, and that's just terribly sad).

    3. Re:Whatever, Firefox is all but dead anyway by Anonymous Coward · · Score: 0

      I believe you mean Chrome is the new IE.

    4. Re: Whatever, Firefox is all but dead anyway by bursch-X · · Score: 0, Offtopic

      Mozilla is fighting a lot of important fights for the open web, now if they could pay as much attention to their main product Firefox, I'd be the first to use it again. I just switched back to Safari, it runs circles around even Chrome and hogs the CPU much less. I'd love to love Firefox on OS X but it just zero integrates with anything, the UI is alien and sluggish as fuck, page rendering, too, is slow. I don't care if JS execution is zippy if it takes ages to display whatever it has oh so quickly executed.

      --
      There are two rules for success:
      1. Never tell everything you know.

    5. Re: Whatever, Firefox is all but dead anyway by Anonymous Coward · · Score: 1

      If you want close-to-perfect integration with OSX, and thus probably the best battery life and such, use Safari. If you want better standards-compliance or regular updates, use a better browser instead.

      Besides, I get the distinct feeling that even if Firefox was Safari, you'd still find a reason to pretend it was crap. People just want to do that recently.

  3. Irony... by Anonymous Coward · · Score: 4, Insightful

    There is a delicious irony in the fact that the US Government developed Tor to safeguard their intelligence traffic but is now busy trying to crack Tor in an effort to monitor the activities of its own citizens.

    1. Re:Irony... by Anonymous Coward · · Score: 0

      There is a delicious irony in the fact that the US Government developed Tor to safeguard their intelligence traffic but is now busy trying to crack Tor in an effort to monitor the activities of its own citizens.

      Meh. I'd say the irony is okay, not delicious...

    2. Re:Irony... by Anonymous Coward · · Score: 1

      The US Navy Research Labs did indeed develop Tor and the Onion implementations before turning it all over to the public foundation. And they handed it over because they decided the system would not meet their requirements. And it may be ironic but both the government and public sectors are all vulnerable. The government may try to spy on its citizens but the citizens can spy right back. But everyone seems to think the government and all its 3 letter agencies are actually competent in the first place and there is plenty of supporting evidence to hold such a view. The NSA, CIA, and FBI have been described as omnipotent and their abilities blown out of proportion it is mind blowing. All of these agencies do not have unlimited resources. While the FBI operates on the domestic front the CIA and NSA have their hands full running foreign operations. And remember that the US Constitution and Bill of Rights are suicide pacts. US enemies actually use these principles when fighting against the US. They use the US ROE's when they attack the US. The ROE's get created by politicians and citizens who actually think the US Constitution or Bill of Rights mean anything outside of the US.

    3. Re:Irony... by TheCastro1689 · · Score: 1

      The NSA does a lot more domestic spying than you think. Also the RoE for US troops is to keep us from being the bad guys or shooting the wrong people.

  4. Fight or Clickbait? by Anonymous Coward · · Score: 0

    So are they fighting or just asking nicely given that they both likely share an interest to ensure more aggressive folks out there don't get the vulnerability? And did they use a browser vulnerability or just scan the endpoints given they're hooked right in? lol

  5. used a "network investigative technique" (NIT) by Anonymous Coward · · Score: 0

    Come on. How many acronyms do we need. NIT?????

    FBI, you lose. This is not some super awesome software skill you have.

    You have a one time usage, if the lawyer you are up against is clueless.

    1. Re: used a "network investigative technique" (NIT) by Anonymous Coward · · Score: 2, Insightful

      Come on. How many acronyms do we need. NIT????? FBI, you lose. This is not some super awesome software skill you have. You have a one time usage, if the lawyer you are up against is clueless.

      It's Fedspeak for "malware" or "exploit." But you can't call it that because it won't sound good in front of a judge. They're not trying to play it up as something super-awesome-hackerish. They're trying to play it down as something normal and official and businesslike. It's nothing special, it's just a technique. For investigating. Over a network. We're not into malware or cracking, those are things that cyber-criminals do. I mean, there's a crime, there's a network, and we're in the business of investigation. What did you expect us to do, Your Honor?

      Just like enhanced interrogation procedures aren't torture; torture is bad. What we're doing are just enhancements of existing techniques. They're better ways to use the interrogation techniques - just techniques, mind you, not torture - that we've always done.

      Recommended reading from 1946: Politics and the English Language

  6. Re:Secret Service investigates Trump's former butl by Anonymous Coward · · Score: 0

    he called Sasha and Malia pickaninnies

  7. Re:Secret Service investigates Trump's former butl by Anonymous Coward · · Score: 0

    he's a lifelong republican

  8. Re: used a "network investigative technique" (NIT by bursch-X · · Score: 3, Funny

    Stop the NIT picking

    --
    There are two rules for success:
    1. Never tell everything you know.

  9. Re:Secret Service investigates Trump's former butl by Anonymous Coward · · Score: 0

    the party of lincoln hates niggers

  10. Re:Secret Service investigates Trump's former butl by Anonymous Coward · · Score: 0

    and other brown folk

  11. Re:Secret Service investigates Trump's former butl by Anonymous Coward · · Score: 0

    and people with vaginas

  12. I think this is a bad idea. by BitterOak · · Score: 5, Interesting

    If private companies can compel the FBI to disclose their secrets, the FBI could turn that around and say that turnabout is fair play and private companies should be compelled to disclose their secrets to the FBI. Best just to keep a respectful distance.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?

    1. Re:I think this is a bad idea. by Anonymous Coward · · Score: 0

      They already can and do. That is what subpoenas and warrants are for.

    2. Re:I think this is a bad idea. by Anonymous Coward · · Score: 4, Insightful

      Here's the difference: At least in theory, the government is supposed to be transparent; that's where the term "public official" comes from. Part of that is transparency about how they conduct their investigations. On the other hand, no such rules apply to corporations ("private company"). If we can't know the FBI's secrets, we can't trust that they're acting in the best interest of the general population; but there's no reason the FBI needs to know secrets about companies, since companies are by definition not in the best interests of the people; they are only in the interests of themselves.

    3. Re:I think this is a bad idea. by Anonymous Coward · · Score: 1

      Here's the difference: At least in theory, the government is supposed to be transparent ...

      I was HOPING that would CHANGE, but I was lied to.

    4. Re:I think this is a bad idea. by Anonymous Coward · · Score: 0

      the mozilla guys wont keep a distance, in fact i bet they would love to live inside the fbi rectum, that sounds like the ultimate

      SAFE SPACE

  13. WTF FF? by gerf · · Score: 0

    Kiddie porn perps get outed. FF reaction is to close the loopholes.

    Their CEO is illegally outed for supporting the popular Prop 8. FF reaction is to burn the witch.

    I still use FF, often as Palemoon, and have used Moz since before Phoenix, but they've turned into complete jackasses in the last few years.

    1. Re:WTF FF? by Anonymous Coward · · Score: 0

      That's because you're putting your own negative spin on things. Sure is easy to be down on Mozilla when you're trying to consider them jackasses. Wish more people would do that with worse companies.

    2. Re:WTF FF? by Anonymous Coward · · Score: 0

      Their browser is shit, though. So there is no way to put a positive spin on their asshatery.

    3. Re:WTF FF? by Anonymous Coward · · Score: 0

      Kiddie porn perps get outed.

      That's a good thing

      FF reaction is to close the loopholes.

      That's also a good thing

      Their CEO is illegally outed for supporting the popular Prop 8. FF reaction is to burn the witch.

      That's pure conjecture.

      What exactly are you complaining about?

    4. Re:WTF FF? by Anonymous Coward · · Score: 0

      Kiddie porn perps get outed.

      That's a good thing

      That's debatable, if they are just jacking off to some pictures, then they aren't doing harm.

      The harm comes from those that abuse kids, those are the ones that need to be locked up. I'd rather a pedophile sate their desires by wanking to some child porn, rather than them actually go looking for kids to abuse because they can't get child porn to look at.

    5. Re:WTF FF? by Anonymous Coward · · Score: 0

      I do not think it is as straight forward as this. Even if they "are just jacking off to some pictures" they are creating a demand in the market for those who abuse the kids.

      I believe (read: hope) that not all pedophiles are abusers, and would refrain from abusing kids even if they were not able to buy images/videos of children being abused.

  14. Maybe a civil suit by pellik · · Score: 4, Insightful

    The FBI is saying they actively exploit a flaw in Firefox but won't say what that flaw is. This course of action actively deters people from using Firefox. Mozilla can't dispute the FBI's claim since there is no evidence given. If the FBI won't disclose the vulnerability I sure hope they can be sued for libel since that's exactly what is left.

    1. Re:Maybe a civil suit by tlhIngan · · Score: 3, Informative

      The FBI is saying they actively exploit a flaw in Firefox but won't say what that flaw is. This course of action actively deters people from using Firefox. Mozilla can't dispute the FBI's claim since there is no evidence given. If the FBI won't disclose the vulnerability I sure hope they can be sued for libel since that's exactly what is left.

      It's probably sitting in their security Bugzilla, to be honest. Firefox is a security nightmare - so much so that Pwn2Own this year decided to not accept Firefox flaws anymore - Firefox is too easy a target.

      The major web browsers have all started shedding privileges when they run - especially on Windows with its low integrity mode where it's restricted in its interactions with users and other windows and even the filesystem (it's why IE always has to move files when it's done downloading - the file save dialog is done by a higher integrity process, and the file is downloaded to a temporary location first (the only writable area a low integrity process has) and moved by the higher integrity process. Any drive-by downloads are stuck in the temporary location, and any regular download triggers the high integrity process which cannot be interacted with by the low integrity process.).

      Firefox doesn't exploit those features at all. Chrome does as well.

    2. Re:Maybe a civil suit by MobyDisk · · Score: 1

      (it's why IE always has to move files when it's done downloading - the file save dialog is done by a higher integrity process, and the file is downloaded to a temporary location first (the only writable area a low integrity process has) and moved by the higher integrity process.

      Do you have any links on that? That is interesting. I'm running process explorer now to try and see how that works...

    3. Re:Maybe a civil suit by Anonymous Coward · · Score: 0

      Firefox is hardly the security nightmare people like to act like it is. It actually uses the same process sandbox on Windows that Chromium does. They just haven't fully dropped its privileges as much as Chromium yet. It's the process separation they're struggling with, because their old addon model doesn't work well in a multi-process world. They also have their own set of security measures that other browsers don't use yet (W^X and such). It's honestly getting tiring to hear people spread this kind of FUD about Firefox security when every major browser engine has serious security problems that are routinely found, and Firefox's biggest problem is its userbase's addiction to ancient addons they knew were insecure.

    4. Re:Maybe a civil suit by tlhIngan · · Score: 1

      (it's why IE always has to move files when it's done downloading - the file save dialog is done by a higher integrity process, and the file is downloaded to a temporary location first (the only writable area a low integrity process has) and moved by the higher integrity process.

      Do you have any links on that? That is interesting. I'm running process explorer now to try and see how that works...

      The developer documentation on low integrity IE is at https://msdn.microsoft.com/en-...

      More details on process explorer seeing IE - https://msdn.microsoft.com/en-...

      It's not perfect - there are known escape mechanisms, but the idea is pretty sound.

      https://www.blackhat.com/docs/...

      https://www.blackhat.com/docs/...

      I believe Chrome also uses this mechanism when available (for Chrome, now always since XP support is dropped).

    5. Re:Maybe a civil suit by MobyDisk · · Score: 1

      Fascinating links, thanks.

  15. Using Tor insecurely is not a vulnerability by Anonymous Coward · · Score: 0

    "The FBI used a "network investigative technique" (NIT) to discover the IP address and identity of the defendant, which was only possible from a vulnerability in the Tor Browser."

    Uh, no, there doesn't have to be a vulnerability in the Tor browser in order to discover the IP behind the Tor network. Many people think that just by using Tor their privacy is protected, but that protection doesn't mean jackshit if a user purposely compromises their browser by installing and enabling a plugin like flash just so they can watch videos. In which case, the vulnerability isn't within the browser, but within the plugin.

    1. Re:Using Tor insecurely is not a vulnerability by Anonymous Coward · · Score: 0

      I can't substantiate this but an earlier story on /. seemed to indicate that this was how it was done; a Flash plugin.

  16. kneejerk response... by Archfeld · · Score: 4, Insightful

    The FBI is indeed needed. While they do regularly exceed the scope of their mission, there is a great need for a law enforcement program that exceeds each individual state and can facilitate interstate investigations. Without them large criminal organizations, AKA the Mafia would operate with impunity crossing state lines, and avoiding prosecution by fleeing state jurisdictions. We could never rely on the states individual laws to stop kidnappings, mail fraud, gambling and other such violations that spanned several jurisdictions.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?

    1. Re:kneejerk response... by TheCastro1689 · · Score: 1

      You mean the US Marshals? They used to do what the FBI did until its mission became large enough to spin off, but here's something that makes Marshals better than other federal law agencies: they can enforce all local laws as well as federal. Just re-expand the Marshals and get rid of the FBI. Also mail fraud is investigated by the US Postal Inspection Service and gambling would easily be switched to the ATFE or the Secret Service since gambling is legal under federal law it usually involves tax dodging.

    2. Re:kneejerk response... by gizmo2199 · · Score: 2

      The U.S. Marshals are responsible for securing Federal Courthouses, acting on arrest warrants, and retrieving fugitives. They're not detectives, responsible for building a case, like the FBI.

      --
      This Sig does not Exist.

    3. Re:kneejerk response... by Archfeld · · Score: 1

      I agree or can't argue most of your point but I do think that having one agency handle those tasks will lessen the inevitable inter-branch competition that occurs any time 2 or more entities get involved in some investigation that might cross one or more of those boundaries. That one dept. could be the Marshals, the FBI, or even DHS. It just seems that segmenting 'intelligence' gathering and workforce pools seems to over complicate things and create a lesser efficient organization, especially in governmental areas that already suffer from 'bureaucractitus'. I guess as long as the RICO act exists whatever federal agency is in charge can use it.

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?

  17. Vulnerabilities Don't Discriminate by ytene · · Score: 3, Interesting

    The FBI's stance in this case seems to be another aspect of their world-view on encryption. Just as they believe that it's possible to create a "secure front door" in existing cryptographic algorithms (and thus give them a Master key that doesn't fatally flaw the encryption system), so they seem to be saying here that it is possible to distinguish between a vulnerability used to detect criminals (in this case, an alleged paedophile) and a vulnerability that could compromise the computer of a legitimate, law-abiding end user. Unfortunately, vulnerabilities don't discriminate: they'll work for anyone, for any purpose.

    Sadly, proving the FBI's view is wrong would be virtually impossible unless the specific vulnerability was disclosed.

    However, imagine a scenario in which the same vulnerability is subsequently identified by criminals and used to build malware that defrauds large numbers of citizens by compromising the security of their on-line banking. Tens, hundreds or thousands of people could be defrauded by hundreds, thousands or millions of dollars. In this scenario we have to ask if, on balance, it is acceptable for the FBI to remain silent in the hope that they might be able to use the same flaw to catch another alleged paedophile in the future or if, on balance, it is wiser to declare the vulnerability and have Mozilla patch it for the security of all.

    The FBI, like any law enforcement agency of any western democracy, must themselves abide by the law - since, after all, the salary of every single law enforcement officer employed today is paid for by the tax contributions of the people they are paid to *protect*. As stated above, vulnerabilities don't discriminate and will work for anyone who finds and tries to exploit them. Given that anyone who does exploit a vulnerability is a criminal, the FBI surely have a duty to protect honest citizens against such future criminal exploits. If they don't, then what is the difference between the FBI and a criminal gang?

    Consider a scenario [and, yes, this is highly contrived and completely unlikely] in which the vulnerability being exploited by the FBI in this case had at its heart a mechanism that could be used to readily defeat encryption schemes such as BluRay encryption. Imagine that a criminal finds the vulnerability, spots a similar version in BluRay's implementation of encryption and uses it to produce a widely-available hack that can crack all BluRay disks wide open, regardless of the specific keys being used. Now imagine that the MPAA discover that the FBI had known about the hack for years and stayed silent.

    Do you think that the MPAA would say, "Oh, heck, it's the FBI. Stand down, guys - we can't go to court to sue the FBI for beellions [sic] because they've been using this exploit to catch bad guys, which makes this OK..." ???

    What this illustration is trying to show is that the moment one applies different "use cases" to the scenario, the "right answer" changes. When that happens in law, it is an example of the law being wrong, because, to be just, the law must be universal and straightforward in its application.

    There are many reasons that the Mozilla Foundation should prevail here. Let's hope that common sense wins the day and that the FBI collaborate and disclose the vulnerability.

    1. Re:Vulnerabilities Don't Discriminate by Anonymous Coward · · Score: 0

      Well, in the summary Mozilla is just asking for an advance on the knowledge before it is spilled to the court (and public at large), hopefully the FBI recognizes that is a problem*.

      * assuming the FBI doesn't think it can prosecute this guy without disclosing how they caught him.

  18. Flash by gizmo2199 · · Score: 1

    To my understanding the feds used a Flash-based exploit based on the decloak module in metasploit

    "It worked because Adobe’s Flash plug-in can be used to initiate a direct connection over the Internet, bypassing Tor and giving away the user’s true IP address."
    https://www.wired.com/2014/12/...

    Is this still the case? What other ways could the feds have used to decloak a Tor session?

    --
    This Sig does not Exist.

  19. Re: Secret Service investigates Trump's former but by Anonymous Coward · · Score: 0

    That's how they b, they hate dumbakrats. Dey tewk errr jerbzzzzz

  20. FBI hacks by Anonymous Coward · · Score: 0

    Well if your child was involved I'm sure you would want the FBI then. FBI should be able to trace TOR users, don't need pedos using this...

    1. Re:FBI hacks by Anonymous Coward · · Score: 0

      Sod off.
