Slashdot Mirror
Mozilla Fights FBI In Court For Details On Tor Browser Hack (helpnetsecurity.com)
An anonymous reader writes from a report on Help Net Security: Mozilla has asked a Washington State District Court to compel FBI investigators to provide details about a vulnerability in the Tor Browser hack with them, before they share it with the defendant in a lawsuit, so that they could fix it before the knowledge becomes public. The lawsuit in question is against Jay Michaud, a Vancouver (Wa.) teacher that stands accused of accessing and downloading child pornography from a website on the Dark Web. The FBI used a "network investigative technique" (NIT) to discover the IP address and identity of the defendant, which was only possible from a vulnerability in the Tor Browser. Why does Mozilla care to learn about the vulnerability? "The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser," Denelle Dixon-Thayer, Chief Legal and Business Officer at Mozilla Corporation, explained.
We don't need the FBI. Their only apparent functions are to reduce privacy and falsely accuse people of terrorism. Abolish the FBI and other three letter federal agencies like the CIA and NSA.
There is a delicious irony in the fact that the US Government developed Tor to safeguard their intelligence traffic but is now busy trying to crack Tor in an effort to monitory the activities on it's own citizens.
FF is not that bad, please!
Slashdot, fix the reply notifications... You won't get away with it...
Stop the NIT picking
There are two rules for success:
1. Never tell everything you know.
If private companies can compel the FBI to disclose their secrets, the FBI could turn that around and say that turnabout is fair play and private companies should be compelled to disclose their secrets to the FBI. Best just to keep a respectful distance.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
The FBI is saying they actively exploit a flaw in Firefox but won't say what that flaw is. This course of action actively deters people from using firefox. Mozilla can't dispute the FBIs claim since there is no evidence given. If the FBI won't disclose the vulnerability I sure hope they can sued for libel since that's exactly what is left.
If you want close-to-perfect integration with OSX, and thus probably the best battery life and such, use Safari. If you want better standards-compliance or regular updates, use a better browser instead.
Besides, I get the distinct feeling that even if Firefox was Safari, you'd still find a reason to pretend it was crap. People just want to do that recently.
The FBI is indeed needed. While they do regularly exceed the scope of their mission, there is a great need for a law enforcement program that exceeds each individual state and can facilitate interstate investigations. Without them large criminal organizations, AKA the Mafia would operate with impunity crossing state lines, and avoiding prosecution by fleeing state jurisdictions. We could never rely on the states individual laws to stop kidnappings, mail fraud, gambling and other such violations that spanned several jurisdictions.
errr....umm...*whooosh* *whoosh* Is this thing on ?
The FBI's stance in this case seems to be another aspect of their world-view on encryption. Just as they believe that it's possible to create a "secure front door" in existing cryptographic algorithms (and thus give them a Master key that doesn't fatally flaw the encryption system), so they seem to be saying here that it is possible to distinguish between a vulnerability used to detect criminals (in this case, an alleged paedophile) and a vulnerability that could compromise the computer of a legitimate, law-abiding end user. Unfortunately, vulnerabilities don't discriminate: they'll work for anyone, for any purpose.
Sadly, proving the FBI's view is wrong would be virtually impossible unless the specific vulnerability was disclosed.
However, imagine a scenario in which the same vulnerability is subsequently identified by criminals and used to build malware that defrauds large numbers of citizens by compromising the security of their on-line banking. Tens, hundreds or thousands of people could be defrauded by hundreds, thousands or millions of dollars. In this scenario we have to ask if, on balance, it is acceptable for the FBI to remain silent in the hope that they might be able to use the same flaw to catch another alleged paedophile in the future or if, on balance, it is wiser to declare the vulnerability and have Mozilla patch it for the security of all.
The FBI, like any law enforcement agency of any western democracy, must themselves abide by the law - since, after all, the salary of every single law enforcement officer employed today is paid for by the tax contributions of the people they are paid to *protect*. As stated above, vulnerabilities don't discriminate and will work for anyone who finds and tries to exploit them. Given that anyone who does exploit a vulnerability is a criminal, the FBI surely have a duty to protect honest citizens against such future criminal exploits. If they don't, then what is the difference between the FBI and a criminal gang?
Consider a scenario [and, yes, this is highly contrived and completely unlikely] in which the vulnerability being exploited by the FBI in this case had at it's heart a mechanism that could be used to readily defeat encryption schemes such as BluRay encryption. Imagine that a criminal finds the vulnerability, spots a similar version in BluRay's implementation of encryption and uses it to produce a widely-available hack that can crack all BluRay disks wide open, regardless of the specific keys being used. Now imagine that the MPAA discover that the FBI had known about the hack for years and stayed silent.
Do you think that the MPAA would say, "Oh, heck, it's the FBI. Stand down, guys - we can't go to court to sue the FBI for beellions [sic] because they've been using this exploit to catch bad guys, which makes this OK..." ???
What this illustration is trying to show is that the moment one applies different "use cases" to the scenario, the "right answer" changes. When that happens in law, it is an example of the law being wrong, because, to be just, the law must be universal and straightforward in it's application.
There are many reasons that the Mozilla Foundation should prevail here. Let's hope that common sense wins the day and that the FBI collaborate and disclose the vulnerability.
It's Fedspeak for "malware" or "exploit." But you can't call it that because it won't sound good in front of a judge. They're not trying to play it up as something super-awesome-hackerish. They're trying to play it down as something normal and official and businesslike. It's nothing special, it's just a technique. For investigating. Over a network. We're not into malware or cracking, those are things that cyber-criminals do. I mean, there's a crime, there's a network, and we're in the business of investigation. What did you expect us to do, Your Honor?
Just like enhanced interrogation procedures aren't torture; torture is bad. What we're doing are just enhancements of existing techniques. They're better ways to use the interrogation techniques - just techniques, mind you, not torture - that we've always done.
Recommended reading from 1946 :Politics and the English Language
To my understanding the feds used a flashed-based exploit based on the decloak module in metasploit
"It worked because Adobe’s Flash plug-in can be used to initiate a direct connection over the Internet, bypassing Tor and giving away the user’s true IP address."
https://www.wired.com/2014/12/...
Is this still the case? What other ways could the feds have used to decloak a Tor session?
This Sig does not Exist.