Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Is Classifying Its Tor Browser Exploit Because 'National Security' (vice.com)

Posted by msmash on from the law-and-disorder dept.

Joseph Cox, reporting for Motherboard:Defense teams across the US have been trying to get access to a piece of malware the FBI used to hack visitors of a child pornography site. None have been successful at obtaining all of the malware's code, and the government appears to have no intention of handing it over. Now, the FBI is classifying the Tor Browser exploit for reasons of national security, despite the exploit already being used in normal criminal investigations well over a year ago. Experts say it indicates a lack of organization or technical capabilities within the FBI. "The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI's National Security Information Classification Guide," government attorneys wrote in a filing earlier this month. It came in response to the defense of Gerald Andrew Darby, who is charged with child pornography offenses.

81 comments

  1. Javascript exploit by Anonymous Coward · · Score: 2, Insightful

    This a JS exploit, not a Tor problem. It really doesn't matter what this exploit does or how it works. If you have JS enabled in Tor, you're already pwn3d.

    1. Re:Javascript exploit by Cafe+Alpha · · Score: 1, Troll

      How would you know that?

    2. Re:Javascript exploit by fustakrakich · · Score: 0

      Javascript and Tor, now there's a match made in heaven... Does it have Flash too? Plus Tor itself is a shining beacon to draw attention. Hardly seems like a secure way to communicate.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Javascript exploit by Anonymous Coward · · Score: 0

      Well in "Operation Torpedo", the FBI's operation against cp producers and consumers in 2012, they used an NIT that was a flash exploit in order to get the real IP, mac addy, and other computer identifying information. Since the legal docs associated with this story and the other one yesterday reference a "single component" NIT, I assume its that or a vulnerability in html5 vid is what's being used now. Remember from yesterday's Slashdot story that the NIT only became active when the degenerate downloaded and viewed an actual cp video from the site.

    4. Re:Javascript exploit by tnk1 · · Score: 4, Informative

      Tor can only protect you if your machine can't be made to report back information about it. It doesn't help you very much to have an anonymous end point if the server on the other end can simply ask your browser to fetch the actual IP address of your host and other information about it.

      Javascript allows calls like that to make your browser turn over that information. The reliable only way to prevent those calls is to turn JS off totally in your browser that is being used for Tor.

      And the way you know that is by installing Tor and running tests against a site created to test those vulnerabilities. Or you could simply heed all of the giant warnings that Tor tends to have about turning off Javascript and just trusting them on that.

    5. Re:Javascript exploit by Kjella · · Score: 2

      Tor can only protect you if your machine can't be made to report back information about it. It doesn't help you very much to have an anonymous end point if the server on the other end can simply ask your browser to fetch the actual IP address of your host and other information about it. Javascript allows calls like that to make your browser turn over that information.

      No it doesn't. If you use a proxy there's no supported way to get your real IP via Javascript. But Javascript is a huge scripting engine, it has a much bigger exploit potential than a rendering engine. That happens too, I think a while back there was a bug in a font handling library but much less often.

      --
      Live today, because you never know what tomorrow brings
    6. Re:Javascript exploit by Anonymous Coward · · Score: 0

      Except that in the current version of the Tor Browser Bundle, JavaScript is enabled by default, and there is no warnings about it at all. You have to know to go and manually push the security slider up to Maximum.

    7. Re: Javascript exploit by Anonymous Coward · · Score: 0

      The only real way to ensure safety is to have your computer transparently route ALL traffic through separate gateway. That gateway would route all request through tor. No proxy required. No tor browser required (but still recommended).

      Linux can easily be setup to act as a tor gateway.

    8. Re:Javascript exploit by evolutionary · · Score: 3, Informative

      Problem is, many websites are designed to not function/give content without it. I've always been against this, but in attempt to sell to marketers, JS is all the rage. At the expensive of security, which most people don't seem to pay much mind anyway at least until they become a victim.

      --
      "Imagination is more important than knowledge" - Einstein
    9. Re:Javascript exploit by Anonymous Coward · · Score: 0

      "No it doesn't. If you use a proxy there's no supported way to get your real IP via Javascript. "

      Well, just last year Firefox and Chrome with WebRTC enabled were susceptible to local IP leakage even if using a proxy or vpn and the information was available through javascript.

    10. Re:Javascript exploit by tnk1 · · Score: 1

      I admit, I am not a regular user of Tor, but I recall the times I have played around with it, the warnings were pretty explicit everywhere I went about JS. Its odd that leaving it on is the default in the bundle, although technically you don't have to turn it off to actually use Tor, it's just a really, really good idea.

    11. Re: Javascript exploit by NotInHere · · Score: 1

      That is a nice idea, but the moment your OS phones home, or any other application on your desktop, you can already be identified. Same goes if you use your everyday browser for accessing the tor network. That one is usually customized, with lots of custom add-ons, and even more ways of fingerprinting.

      The tor browser has removed many ways to do fingerprinting.

      Really, use the tor browser.

    12. Re:Javascript exploit by NotInHere · · Score: 1

      And obviously, the tor browser has disabled it.

    13. Re:Javascript exploit by Anonymous Coward · · Score: 0

      Yes. And it got that way because people didn't have the spine to push back.

      It wasn't *that* long ago that Javascript was unheard of on the web. When it started appearing, not for stuff you could argue needed it but for stupid reasons like tracking and "rich experiences" and disabling back buttons, people could have pushed back. They could have refused to use those sites. Those sites would then have fixed their gratuitous use of JS, or died.

      But of course, nobody did that. Everyone went, "hey, capital idea there chaps!" and now JS is neigh well inescapable because we allowed it to metastasize.

    14. Re:Javascript exploit by Khopesh · · Score: 1

      I'm not sure how knowing your LAN IP is 192.168.0.101 is going to identify you. The only way to make that a viable attack would be to pwn another system on the LAN (such as the router) and phone home through it. At that point, you don't even need WebRTC, just a JS-based port scanner.

      --
      Use my userscript to add story images to Slashdot. There's no going back.
    15. Re:Javascript exploit by Sperbels · · Score: 1

      If you use a proxy there's no supported way to get your real IP via Javascript.

      This is all pointless. I bet I can guess the first three numbers of your home computer's IP: 192...168....0...

    16. Re:Javascript exploit by Anonymous Coward · · Score: 0

      The exploit didn't just return a local IP address. It also returned other unique identifiers on the system such as mac address, cpu serial, etc. The FBI will go as far the IP address takes it (such as who own the nat router) and then go from there. May take longer, but it all can be traced eventually.

    17. Re:Javascript exploit by Anonymous Coward · · Score: 0

      The point isn't that Tor was vulnerable to webrtc hole, the point was to say that if there is local ip leakage from the browser sometimes it can be accessible from javascript.

    18. Re:Javascript exploit by Anonymous Coward · · Score: 0

      If you use a proxy there's no supported way to get your real IP via Javascript.

      This is all pointless. I bet I can guess the first three numbers of your home computer's IP: 192...168....0...

      Ha ha, wrong! It's actually 172.22.144

    19. Re:Javascript exploit by downright · · Score: 1

      Then how does this WebRTC know your intranet IP even when you are behind a firewall?

      http://www.browserleaks.com/we...

    20. Re:Javascript exploit by Anonymous Coward · · Score: 0

      > Javascript allows calls like that to make your browser turn over that information.

      No, not typically. For one of the Tor Browser sploits the issue was with WebRTC. WebRTC could be tricked into revealing the un-tunneled IPs on the machine.

      The Tor Browser folks try to be one step ahead of the Web Platform folks, but it's hard when the WP guys don't care about security.

    21. Re:Javascript exploit by Anonymous Coward · · Score: 0

      > JavaScript is enabled by default

      Only for whitelisted sites. NoScript is installed and a whitelist is installed. This makes a lot of sense to do, as there are known-good actors out there that make heavy use of JS.

    22. Re:Javascript exploit by evolutionary · · Score: 1

      I'm a software/web developer architect. I get into discussions about how to implement things on websites a lot and it's a lot scarier than many might think. Just a few weeks ago I was looking at anti-fraud solutions which use something called "digital fingerprinting" which basically means tagging you in semi permanent fashion to verify you are actually "you". These solutions all rely on Javascript which my client couldn't use because they managed other external sites as well so it was too big a hassle. But if you go to many sights (forbes.com for example), try to use it without Javascript and see how far you get. BTW: for security I believe NoScript on Firefox or Umatrix on Chrome/Vivaldi are VITAL plugins to keep people from being the victim of malicious javascript routines, particularly from websites exploiting from popular typos. These things can potentially carry viruses as well and your antivirus may or may not protect you. Javascript is the black hole of security on the Internet these days in my opinion.

      --
      "Imagination is more important than knowledge" - Einstein
  2. Tell me again why you still use TOR? by gestalt_n_pepper · · Score: 0, Troll

    Funded originally be DARPA, as I recall. Because how could you not trust DARPA?

    --
    Please do not read this sig. Thank you.
    1. Re:Tell me again why you still use TOR? by Anonymous Coward · · Score: 0

      So have you moved off of this here INTERNET PROTOCOL thingy yet? Oh, that's different? Then how about this here ADVANCED ENCRYPTION STANDARD and friends? NIST is in cahoots with NSA which in turn is a DoD agency, just like DARPA.

    2. Re:Tell me again why you still use TOR? by gestalt_n_pepper · · Score: 2

      As a practical matter, I just assume that any encryption, cloaking, etc. has already been broken and that you can be seen if certain people at the NSA, CIA. etc. can read your communication if they're interested enough.

      It's not a big deal to me personally. I'm not political, which is the real criteria for whether you're monitored or not (not the drugs or kiddy porn smokescreen reason). Political folks know better. They use old fashioned ciphers, red herrings, paper and face-to-face.

      --
      Please do not read this sig. Thank you.
    3. Re:Tell me again why you still use TOR? by rahvin112 · · Score: 0

      It was funded by the DOD and CIA as a method for spies to reliably communicate with their handlers without any way for the hosting state to intercept or read the communications.It was opened to the public so that the use of this network wouldn't be justification in itself to investigate.

  3. Classifying is fun... by __aaclcg7560 · · Score: 1

    The CIA classified my grocery list. Never mind that the information on the grocery list came from the weekly flyer that came in the mail. Never mind that the neighbors up and down the street may have a similar grocery list. Never mind that the CIA has no business classifying my grocery list in the first place.

    1. Re: Classifying is fun... by Anonymous Coward · · Score: 0

      What you just revealed may or may not be classified in no uncertain terms certainly. Please turn yourself in to your local friendly FBI agent, you rebel terrorist scum!

    2. Re: Classifying is fun... by __aaclcg7560 · · Score: 2

      Not my fault that the postal service left classified information in everyone's mailbox.

  4. Isn't that the reason they classify ANYTHING? by Anonymous Coward · · Score: 0

    Isn't national security the reason for classification in the first place?

    1. Re: Isn't that the reason they classify ANYTHING? by Anonymous Coward · · Score: 0

      Not the only reason. Some things are classified to avoid embarrassment when the govt (read: indivuals in power) does something it shouldn't have done.

  5. Probably because... by gatfirls · · Score: 4, Insightful

    ....It's a laughably silly exploit that anyone can do and they paid 10 million dollars to get.

    1. Re:Probably because... by Anonymous Coward · · Score: 0

      No, its because there is no exploit and to state that would mean that they would have to admit to parallel construction which is illegal. Never ask to see the man behind the curtain.

    2. Re:Probably because... by Anonymous Coward · · Score: 0

      Yes, the FBI is indeed that retarded, paying 10,000,000 for something I could write in an afternoon

      This is what happens when you let a homosexual agency (Not kidding, look up it's founder) with no technical ability run "cybersecurity"

  6. All Exploits Are Fixable by Anonymous Coward · · Score: 0

    Do they fear that someone might use the exploit against themselves?
    Nonsense. They fear that it will be fixed. All exploits are fixable.
    They deny the right of the browser developers to fix it.

    1. Re: All Exploits Are Fixable by Anonymous Coward · · Score: 0

      They're not denying them the right to anything. If another researcher discovers the bug and reports it, the bug will be fixed and there's not much the FBI could do about it besides obtain another.

    2. Re: All Exploits Are Fixable by Anonymous Coward · · Score: 0

      There is no right to fix anything. I'm not saying the FBI is right here, just that you are also wrong.

  7. A possible compromise by Anonymous Coward · · Score: 2, Interesting

    I was LinuxFest Northwest earlier this year and had in interesting conversation with a lawyer from ACLU of Washington who gave a talk on cryptography and fearmongering. It was interesting because he advocated a position that the law should compel the government to publicly reveal any exploit gained or utilized by the government. I pointed out that this would be difficult to support for many people who believe in strong national defense (and foreign intelligence as a key aspect of that). The suggestion I made was to moderate his position as follows: if an exploit is developed (or purchased) by the US government for foreign intelligence purposes, then the government can decide to withhold the exploit on national security grounds, but as soon as it is employed for any domestic law enforcement purpose (surveillance, intelligence gathering, criminal investigation/prosecution) then the release would be compelled.

    I think the idea has possibilities, but after the slew of stories I've seen here on /. and in other media about our rights constantly and quickly being eroded in more fundamental ways, I'm wondering if efforts are best focused elsewhere.

    1. Re:A possible compromise by Ormy · · Score: 1

      if an exploit is developed (or purchased) by the US government for foreign intelligence purposes, then the government can decide to withhold the exploit on national security grounds, but as soon as it is employed for any domestic law enforcement purpose (surveillance, intelligence gathering, criminal investigation/prosecution) then the release would be compelled.

      Sounds ideal in principle, but whats to stop them just 'saying' they only use the exploit for foreign intelligence. All laws should expect and account for human greed and the 'power corrupts' factor.

    2. Re:A possible compromise by Anonymous Coward · · Score: 0

      "account for human greed and the 'power corrupts" This is an unreachable standard. Humans make the law and humans break the law. All you can do is hope for the best while promoting a justice system that can address the abuses.

    3. Re:A possible compromise by EndlessNameless · · Score: 2

      but whats to stop them just 'saying' they only use the exploit for foreign intelligence

      That's simple, if the law is written properly.

      When it's used for law enforcement purposes, it must be disclosed during that case---whenever the law dictates. E.g., when it is developed, after the investigation concludes, during the trial, after any appeals relevant to the exploit are decided, etc.

      If they totally swear that the intelligence community is using some other exploit, they don't have to talk about that supposed exploit. We don't care at that point.

      Either a particular exploit is unique to the intelligence community (and thus protected from disclosure), or else it is disclosed by law enforcement (and thus there is nothing else to tell us).

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    4. Re:A possible compromise by Anonymous Coward · · Score: 0

      When it's used for law enforcement purposes, it must be disclosed during that case---whenever the law dictates. E.g., when it is developed, after the investigation concludes, during the trial, after any appeals relevant to the exploit are decided, etc.

      Um, no. It's up to the judge of whether it's material to the defense.

      As the government's response points out:

      In the event the Court were to determine that the NIT
      programming code is material to DARBY’s defense, however, then the requested information
      pertaining to that code is nevertheless subject to a qualified law enforcement privilege, as its
      disclosure would be harmful to the public interest. 8 Specifically, disclosure could diminish the
      future value of important investigative techniques, allow individuals to devise measures to
      counteract these techniques in order to evade detection, discourage cooperation from third parties
      and other governmental agencies who rely on these techniques in critical situations, and possibly
      lead to other harmful consequences not suitable for inclusion in this response. Ex. B, Affidavit
      of Robert Stone (filed under seal) (hereinafter Stone Aff.) 9 5. As explained below, courts have
      generally recognized that, because of the sensitivity of information that may support this type of
      privilege claim, it is appropriate to consider a submission from the government ex parte and in
      camera. Accordingly, in the event it determines the defendant’s request for programming code
      is material, the United States accordingly requests that the Court permit the United States to offer
      evidence in support of its privilege claim ex parte and in camera. 10
      The privilege has its roots in United States v. Roviaro, where the Supreme Court first
      recognized a qualified “informer’s privilege” that protects the identity of government informants.
      353 U.S. 53, 59 (1957). Courts have since extended the qualified privilege in Roviaro to cover
      other investigative techniques, including traditional and electronic surveillance      .

    5. Re: A possible compromise by Anonymous Coward · · Score: 0

      > and possibly
      lead to other harmful consequences not suitable for inclusion in this response.

      WTF? Hey kids, let the grown ups handle this, and don't worry about that national security thing, we'll make sure that we'll connected people have security and hopefully their shadow will be big enough to protect you too. Back to bed!

  8. Criminality by Anonymous Coward · · Score: 0

    Mis-use of classification is a Federal felony crime.

  9. Wait a second... by Anonymous Coward · · Score: 0

    Does that mean that if I independently discover said exploit and report it via accepted responsible disclosure mechanisms that I none-the-less commit a felony?

    1. Re:Wait a second... by EndlessNameless · · Score: 1

      If you know it is classified and disclose it anyway, that is a felony. It doesn't matter if you figured out how they did it from their own classified documents or not.

      If you don't know whether it's classified and cannot reasonably be expected to know, then you're fine. If they decide to classify it after the fact, they will tell you the information is classified and that you're no longer allowed to discuss it.

      There have been a few cases where this occurred, and the creator of the documents in questions was approached in person by federal agents.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  10. So nice to see by jarablue · · Score: 1

    J.Edgar Hoover is alive and well. Why stop here? Who needs evidence anymore? For fucks sake just plant what you need and come in guns blazing. But yet police officers can have relationships with high school students and prosecutors turn a blind eye. What scum.

    1. Re:So nice to see by bluefoxlucid · · Score: 4, Insightful

      The best bit is he's definitely guilty, and trying to get off on a technicality. The argument is the entire body of evidence collected since this whole thing started is tainted, and they have no valid reason to search him (knowing that his house is still full of child pornography because they already did an *illegal* search isn't a justifiable cause), so he gets away scot free because the authorities fucked up.

      This is *exactly* what we want. We want the authorities to follow the rules, and we want people who can hide in the rules to get away with it. We don't need the FBI searching you because they feel like it, finding evidence for an unpredicted crime, then charging you for it based on an illegal search. That leads to all kinds of vindictive political control, turning political opponents and other undesirables into targets to be ground away at by government overreach.

      The biggest danger is the public realizing what just happened and crying out against a child porn hoarder getting off free, and then demanding the repeal of the fourth and fifth amendments immediately. The second biggest danger is the FBI succeeding with their bluff, either having no evidence to present ("we used a thing that got us information, but we won't show you that thing, so just trust us about the evidence chain") or being forced to present and being called on performing an illegal search (hacked your computer) and then *not* penalized for it ("this is all technically inadmissible, but we'll allow it anyway").

      The neutral state is the FBI being forced to present and arguing (successfully and correctly) the defendant was *not* subject to an illegal search because the FBI had ample reason to believe the target site *was* doing illegal things and that its visitors were engaging in illegal activities (similar to a sting on a whore house). The outcome of being forced to present is the public can examine the code used to break Tor, then counteract it (technical arms race); Darby goes to jail; and the case sets no legal precedents weakening constitutional law.

      --
      Support my political activism on Patreon.
    2. Re:So nice to see by Anonymous Coward · · Score: 1

      Who needs evidence anymore?

      Indeed.

      But how does our government get away with it? Because the People let it. Why do they let it? Because they have a steady diet of mindless cop porn where the cops are all honest hardworking and never take shortcuts or make mistakes; while the "bad guys" who get away do so because the saintly cops are shackled by these ridiculous Civil Rights that do nothing but keep really bad people from paying for their crimes.

    3. Re: So nice to see by Anonymous Coward · · Score: 0

      Exactly this. After 9/11 happened I predicted the networks were going to start producing bunches of cop worship shows exactly for the purpose of brainwashing the public. Look at the result:

      - You basically can't be an unescorted male in this country now without some soccer mommy accusing you of things simply because you exist.

      - Those same hypersensitive mommies believe there's a predator behind every tree even though instances of violent crime are way down.

      - In the 'didn't see this coming' department, actual criminals are being let off by jurors who can't comprehend why the cops can't produce a neat tidy stream of high tech evidence like they do in CSI (complete, no doubt, with magic photo enhancing)

    4. Re:So nice to see by Anonymous Coward · · Score: 0

      Who needs evidence anymore?

      There's plenty of evidence. This whole thing is just a desperate gambit by the guy who got caught's legal team trying to poke holes in the FBI's methodology of collecting evidence. They're also counting on that the FBI is so protective of their NIT, that they'll let a case tank before giving up the source code to the defence. It's kinda like the way some police jurisdictions have let cases tank when their use of Stingrays was in jeopardy of being exposed in court.

    5. Re:So nice to see by Anonymous Coward · · Score: 0

      I have serious doubts that any good will come of this case.

      Personally, I believe that there needs to be a new federal court created with the sole purpose of having nationwide jurisdiction for issuing nationally-scoped warrants for the purpose of dealing with John Doe suspects, with the provision that when the subject of the warrant becomes known, the warrant must be reissued in an appropriate district court (based on the jurisdiction of the subject) within a certain time period. Much like retroactive FISA warrants (like them or not) the district-issued warrant would then be retroactive to the date of the initial nationwide warrant. Such a court should resolve the juris-my-diction crap that is the first loose nail in this case that needs to be hammered down.

      Secondly, as I understand it, the exploit used in this case was analyzed and fixed (a funny thing happens when you send malicious code to a client... the client gets a copy of the malicious code). The only thing the FBI has to gain from this posturing is the hopes that they will get a precedent that they can stand up in court and say "I have proof that Mr. So-and-so is a pedo but I cannot show it to you because NASHUNAL SEKOORITY" and that this cannot be challenged by the defendant. This seems to be the nail the FBI is pounding their head on the hardest now.

    6. Re:So nice to see by jarablue · · Score: 2

      There's plenty of evidence? I just can't wait for the day I am labeled a "child predator" because my neighbors heard me playing pornhub while my wife was on the rag. How many Traci Lords videos have I watched and who the fuck knows if one of them she was 17 in? So basically the fact that I have never remotely been interested in teenagers for sex, I am all of sudden the horrible child molestor the Feds and cunt of a prosecutor want me to be? Guess what? How many people have seen the Vanessa Hudgens leaked nude photo? Let me guess. All of them are hard core sexual predators? I have seen worse in company emails. Oh what's that you say? World War II veteran who raised a healthy honest hardworking society value adding family is a fucking monster because he dated Grandma who was 16? I'm sorry, daddy has to go to jail because we though him looking at a Tracy Lords video was "predatory" and have his career taken from him because you see, the prosecutor who let officer Johnson bang away on high school seniors, needed a career boost and news grabbing headline generated. No one here is saying that the guy wasn't guilty. But make not one fucking mistake, what constitutes as real predators and child molestor scum are grouped today with people who are not. Just for the simple fact that they can bullshit their way through court and nab a nice toasty conviction win to their record. They are just waiting to throw your ass in jail. Remember people, the law isn't applied equally to everyone. And prosecutors can be just as much a predator to certain people as predators are to prey. Who gives a fuck. They'll do what they want, whenever they want. I think the law actually gets in their way. On top of all this shit? I appreciate hard work. But fucking really?

    7. Re:So nice to see by jarablue · · Score: 1

      In no way am I defending this guy. I am just sick of how the law can be twisted for one parties interest then another. I look at 2 leaked celebrity photos in 26 years of being online, I go to jail do not pass go. A cop who is having a relationship with a 17 year high school senior get's a career boost. Just sick of the bullshit.

    8. Re:So nice to see by Anonymous Coward · · Score: 0

      LOL, relax and put away your strawmen. Really. Just for your edification and reduction of mental anxiety, maybe you should read up on the kind of cp that existed on that playpen site that these fuckers were downloading, uploading and trading amongst themselves. Unless you're looking at pre-pubescent children being raped in your porn viewing, you and your fap folder full of vanessa hudgens teenage nudies is safe. Afterall, she never went to jail for producing cp, (which it technically was since she was under 18 when she snapped her nude selfies), so it's unlikely the FBI will be busting your door down. Same goes for Traci Lords.

    9. Re: So nice to see by EndlessNameless · · Score: 1

      You basically can't be an unescorted male in this country now without some soccer mommy accusing you of things simply because you exist.

      I have no problems with this. No one I know has had problems with this.

      Perhaps you need to review your dress, hygiene, and behavior.

      Those same hypersensitive mommies believe there's a predator behind every tree even though instances of violent crime are way down.

      Every generation has its bed-wetters.

      actual criminals are being let off by jurors who can't comprehend why the cops can't produce a neat tidy stream of high tech evidence like they do in CSI

      Prosecutors got convictions under the same "beyond a reasonable doubt" standard before high tech evidence existed. If they are having problems now, maybe it is not the jurors' tech fantasies that are to blame.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    10. Re:So nice to see by Anonymous Coward · · Score: 0

      Having the sites of purveyors of cp shutdown with them and their customers walking free because the feds make up bullshit is not good?

      Of course, the alternative is

      Having the sites of purveyors of cp shutdown with them and people the FBI claims were their customers going to jail despite the FBI making up bullshit is not good?

      I proposed a way to resolve things without the feds lying in court and/or judges inventing new warrantless seizure powers. Feel free to comment on those instead of insulting our intelligence with a misguided and baseless appear to emotion.

    11. Re:So nice to see by jarablue · · Score: 1

      Cmon AC! Do you think a prosecutor gives a flying fuck what you looked at if she knows she can get a conviction on the charge? God forbid that I work for any inkling of a named institution! That is like a honeypot to them! No one is talking about a folder either. At least that would be something. The law is being bent further and further to benefit whoever needs whenever they need it. I don't want to talk shit, believe me but be honest with yourself. If they can crack the door open, they wield a nuke in court. And it doesn't fucking matter because it's your word vs "theirs". It isn't a strawmen, I hope you realize what I am trying to convey.

    12. Re:So nice to see by Anonymous Coward · · Score: 0

      "Having the sites of purveyors of cp shutdown with them and people the FBI claims were their customers going to jail despite the FBI making up bullshit is not good?"

      Where is the evidence of the FBI "making up bullshit"? Everyone that was arrested based on search warrants of their devices at home were found to be storing cp. The FBI hasn't lied about anything, but please AC, cite something to prove me wrong.

    13. Re:So nice to see by Anonymous Coward · · Score: 0

      >I have serious doubts that any good will come of this case.

      Having the sites of purveyors of cp shutdown with them and their customers going to jail is not good?

      Wow, just wow.

      -1 for being shocked that AC thinks that cp producers are being arrested isn't a good thing?

      WOW, JUST WOW

    14. Re:So nice to see by Type44Q · · Score: 1

      Where is the evidence of the FBI "making up bullshit"?

      It's recursive, AC; your post itself clearly constitutes such evidence. Bet you didn't know that was going to happen. ;)

    15. Re:So nice to see by Type44Q · · Score: 1

      ...while my wife was on the rag

      Seriously?? Just admit that you're into women, for fuck's sake.

    16. Re:So nice to see by Type44Q · · Score: 1
      ack, that should've read "Just admit that you're NOT into women"

      Seriously, though... guess we've got at least one guy here who's not earned his "red wings." :p

    17. Re:So nice to see by Type44Q · · Score: 1

      Crickets chirping. Seriously; do we expect anything else from these fucking establishment shills?

    18. Re:So nice to see by Anonymous Coward · · Score: 0

      Also, parallel construction.

      "We have a very reliable source, honest. We just can't tell you who they are."

    19. Re:So nice to see by Anonymous Coward · · Score: 0

      The outcome of being forced to present is the public can examine the code used to break Tor, then counteract it (technical arms race); Darby goes to jail; and the case sets no legal precedents weakening constitutional law.

      The requirement to present is actually a Constitutional one, arising under the 9th Amendment. Public oversight over government is a fundamental right retained by the people. In some cases, it is reasonable for that oversight to be a long term variety, such as some situations involving military security, or identities of US agents. However, none of those exceptions can apply in a criminal law matter.

      Hence, the position of the FBI in this matter is an illegal one - not for the first time. If a legal professional working for the FBI made this argument, then that person is in violation of their oath to uphold the Bill of Rights. The same applies if the person is a law enforcement officer. In any case, that person is disqualified from holding any position of public trust or responsibility, as are the executives and legal staff of the FBI if they permit this illegal matter to continue (accessories after the fact).

      Of course, violations of the Bill of Rights seemingly happen on a daily basis in the USA, at all levels of government, and it may be that nothing can or will be done with respect to this one, like so many others. Welcome to the Brave New World.

  11. No by Anonymous Coward · · Score: 0

    I doubt they came up with it themselves, they probably bought it from someone that does not have a security clearance and in that case it should not be classifiable.

  12. Only if you know that it's used by NSA, CIA by raymorris · · Score: 2

    18 U.S. Code  798 - Disclosure of classified information:
    (a) Whoever knowingly and willfully communicates ...
    prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified informationâ"
    (1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government;

    You would have to know that it is a government secret.

    Note nothing it in the statute says that removing the classification label makes it okay. If you know it is secret and you willfully communicate it to an authorized person, that's a felony.

    1. Re:Only if you know that it's used by NSA, CIA by Anonymous Coward · · Score: 0

      I only say this because I know it is an angle they would try to play, but... you can knowingly and willfully communicate classified information without knowing that it was classified. The "knowingly and willfully" part would seem to apply to the "communication" aspect, not to the "classified" aspect.

      Again, not my personal opinion. I simply know it is an angle they would try to play.

    2. Re:Only if you know that it's used by NSA, CIA by flink · · Score: 1

      18 U.S. Code  798 - Disclosure of classified information:
      (a) Whoever knowingly and willfully communicates ...
      prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified informationâ"
      (1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government;

      You would have to know that it is a government secret.

      Note nothing it in the statute says that removing the classification label makes it okay. If you know it is secret and you willfully communicate it to an authorized person, that's a felony.

      798 is concerned with intercepting and decoding encrypted communications -- i.e. deliberate acts of espionage. 793 is the chapter more broadly concerned with deliberately disclosing classified information to the detriment of national security interests. However, this mostly only applies to individuals that have obtained a clearance. When you are granted a clearance you essentially sign an NDA that has not just civil, but criminal penalties bound to it, and 793 provides most of the teeth. See SF-312 for a more exhaustive list.

      In general, if you are a non-cleared average citizen, and are not deliberately gathering privileged information and conveying it to a foreign government, you are probably not breaking the law if you disclose any classified information that lands in your lap. This is why reporters don't usually go to jail for printing classified documents. This doesn't mean that the government might not try to make your life difficult, and you could still end up in contempt of court for refusing to cooperate with an investigation or prosecution subsequent to the leak. The courts are usually reluctant to go there in the case of reporters protecting their sources, but see the Valery Plame case.

      If you independently discover something that is classified, you are almost certainly not in any trouble. There are certain circumstances where the government might have the power to gag you. For example, the DoD has the power to retroactively classify patents that duplicate military secrets. In those cases they may also issue a gag order to the applicant.

      So, to the GP's point, were you to duplicate the FBIs exploit, unless you had privileged knowledge of what exactly it was, you are not under any obligation to keep their secrets for them.

      IANAL, etc

  13. Fuck you, FBI by Anonymous Coward · · Score: 0

    I'd say not revealing the exploit hurts national security because that's just one more unpatched vulnerability which can be exploited to hack US citizens/companies/agencies. Does the FBI really think they're the only ones who know of the exploit?

  14. The passkey is.. by evolutionary · · Score: 1

    national security: you can use that reason to justify just about anything. there seems to be no limit, including ignoring/undermining the constitution in the name of national security. Of course B.J. Franklin said it best.

    --
    "Imagination is more important than knowledge" - Einstein
  15. National Security? by Anonymous Coward · · Score: 0

    The NIT should not be used in civilian criminal court if the government wishes to protect it under a national security designation. Many decades ago in Butte County California, information from a U2 spy photo was used to secure a search warrant for a back yard marijuana grow operation. The government refused to provide the U2 photo for a probable cause hearing--case dismissed. I believe attorney Jerry Kenkel from Latimer & Kenkel, Chico California handled the case. The first and only known use of a U2 spy photo in an American civilian court. Beside the disturbing unanswered questions concerning U2 spy photos of American's back yards and subsequent analysis, if the government wishes to protect the NIT under a national security designation they need to reserve such spy technology for nation state spying and keep it out of civilian courts.

    1. Re:National Security? by Anonymous Coward · · Score: 0

      The NIT should not be used in civilian criminal court if the government wishes to protect it under a national security designation.

      But what if the NIT can be used in criminal and national security matters?
      Here's the classification categories that the NIT would have to fall under if the FBI succeeds in getting it classified:

      Executive Order 13526- Classified National Security Information

      Sec. 1.4. Classification Categories. Information shall not be considered for classification unless its unauthorized disclosure could reasonably be expected to cause identifiable or describable damage to the national security in accordance with section 1.2 of this order, and it pertains to one or more of the following:

      (a) military plans, weapons systems, or operations;
      (b) foreign government information;
      (c) intelligence activities (including covert action), intelligence sources or methods, or cryptology;
      (d) foreign relations or foreign activities of the United States, including confidential sources;
      (e) scientific, technological, or economic matters relating to the national security;
      (f) United States Government programs for safeguarding nuclear materials or facilities;
      (g) vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security; or
      (h) the development, production, or use of weapons of mass destruction.

      My guess is that the FBI can get the NIT classified under the clauses (c), (e) and (g)

  16. Gov. taking over!!! by jraff2 · · Score: 1

    One can guarantee if anyone attempts to secure or harden TOR or any other onion product enough to ensue the TLAs can't gain access they will be visited by some "Men in Black" with some NSLs to hand out. Never to be seen again! The TOR site need to have a Warrant canary "https://en.wikipedia.org/wiki/Warrant_canary" specific to this situation, unless they already have been issued NSL or other mandates, then all bets are off, probably the latter! It's a shame the Gov. thinks it's the boss, the people are the boss, the constitution clearly says so! This is not for our own good, it's for the Gov. spying operations, and we already have way too much of that!

    1. Re:Gov. taking over!!! by Anonymous Coward · · Score: 0

      Warrant canaries seemed like a nice idea, until Reddit's warrant canary disappeared at the end of March 2016. Okay, it's gone. Now what?

      [crickets]

  17. EXCUSE ME WHILE I SHIT ON THIS MYTH by Anonymous Coward · · Score: 0

    The FBI have more moles and holes than all of the cheese in Switzerland. Never trust their press, never trust them face to face. Never trust what you hear of them. They are a multi-national spy agency.

    http://thenextweb.com/insider/2016/01/28/how-the-fbi-became-the-worlds-largest-distributor-of-child-sex-abuse-imagery/

    That explains that.

    Tor is a potentially very large honeypot itself if you don't change your PC clock and/or time zone. Also, every version of Tails after 1.4.1 is exploitable by the CIA.

    This is only part of that story.
    https://www.techdirt.com/articles/20140124/10564825981/nsa-interception-action-tor-developers-computer-gets-mysteriously-re-routed-to-virginia.shtml

    One safe copy of Tails exists unless somebody uploads a torrent with the same SHA as this one. The rest are compromised.
    https://kat.cr/tails-1-4-1-i386-iso-multilang-tntvillage-t10922671.html

    See this: http://i.imgur.com/QLGyQYf.jpg

    CHANGE YOUR PC CLOCK NO MATTER WHAT YOU ARE USING TO INACCURATE EVERYTHING WHILE REGULAR SURFING
    IT DESTROYS THE CIA/FBI METHOD OF TRACKING VIA TIME LOGGING @ GOOGLE

    MOD THIS UP TO +2 TO GET IT SCRAPED BY GOOGLE, IF YOU EVEN CAN.

  18. They claim security but they have none by baxiehaven · · Score: 1

    I know the US Government computers and websites have already been hacked but they think they are gods... Well for gods it was funny that in Ottawa, Ontario the US embassy tried to tap the local cell phone of all the visiting diplomats to Parliament hill but they were caught and the cell phone sniffers they used were blocks to not to interfere with the cell phone in the Elgin Hotel

  19. Thanks for the info by raymorris · · Score: 1

    Thanks for that.