Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Is Classifying Its Tor Browser Exploit Because 'National Security' (vice.com)

Posted by msmash on from the law-and-disorder dept.

Joseph Cox, reporting for Motherboard:Defense teams across the US have been trying to get access to a piece of malware the FBI used to hack visitors of a child pornography site. None have been successful at obtaining all of the malware's code, and the government appears to have no intention of handing it over. Now, the FBI is classifying the Tor Browser exploit for reasons of national security, despite the exploit already being used in normal criminal investigations well over a year ago. Experts say it indicates a lack of organization or technical capabilities within the FBI. "The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI's National Security Information Classification Guide," government attorneys wrote in a filing earlier this month. It came in response to the defense of Gerald Andrew Darby, who is charged with child pornography offenses.

37 of 81 comments (clear)

  1. Javascript exploit by Anonymous Coward · · Score: 2, Insightful

    This a JS exploit, not a Tor problem. It really doesn't matter what this exploit does or how it works. If you have JS enabled in Tor, you're already pwn3d.

    1. Re:Javascript exploit by Cafe+Alpha · · Score: 1, Troll

      How would you know that?

    2. Re:Javascript exploit by tnk1 · · Score: 4, Informative

      Tor can only protect you if your machine can't be made to report back information about it. It doesn't help you very much to have an anonymous end point if the server on the other end can simply ask your browser to fetch the actual IP address of your host and other information about it.

      Javascript allows calls like that to make your browser turn over that information. The reliable only way to prevent those calls is to turn JS off totally in your browser that is being used for Tor.

      And the way you know that is by installing Tor and running tests against a site created to test those vulnerabilities. Or you could simply heed all of the giant warnings that Tor tends to have about turning off Javascript and just trusting them on that.

    3. Re:Javascript exploit by Kjella · · Score: 2

      Tor can only protect you if your machine can't be made to report back information about it. It doesn't help you very much to have an anonymous end point if the server on the other end can simply ask your browser to fetch the actual IP address of your host and other information about it. Javascript allows calls like that to make your browser turn over that information.

      No it doesn't. If you use a proxy there's no supported way to get your real IP via Javascript. But Javascript is a huge scripting engine, it has a much bigger exploit potential than a rendering engine. That happens too, I think a while back there was a bug in a font handling library but much less often.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Javascript exploit by evolutionary · · Score: 3, Informative

      Problem is, many websites are designed to not function/give content without it. I've always been against this, but in attempt to sell to marketers, JS is all the rage. At the expensive of security, which most people don't seem to pay much mind anyway at least until they become a victim.

      --
      "Imagination is more important than knowledge" - Einstein
    5. Re:Javascript exploit by tnk1 · · Score: 1

      I admit, I am not a regular user of Tor, but I recall the times I have played around with it, the warnings were pretty explicit everywhere I went about JS. Its odd that leaving it on is the default in the bundle, although technically you don't have to turn it off to actually use Tor, it's just a really, really good idea.

    6. Re: Javascript exploit by NotInHere · · Score: 1

      That is a nice idea, but the moment your OS phones home, or any other application on your desktop, you can already be identified. Same goes if you use your everyday browser for accessing the tor network. That one is usually customized, with lots of custom add-ons, and even more ways of fingerprinting.

      The tor browser has removed many ways to do fingerprinting.

      Really, use the tor browser.

    7. Re:Javascript exploit by NotInHere · · Score: 1

      And obviously, the tor browser has disabled it.

    8. Re:Javascript exploit by Khopesh · · Score: 1

      I'm not sure how knowing your LAN IP is 192.168.0.101 is going to identify you. The only way to make that a viable attack would be to pwn another system on the LAN (such as the router) and phone home through it. At that point, you don't even need WebRTC, just a JS-based port scanner.

      --
      Use my userscript to add story images to Slashdot. There's no going back.
    9. Re:Javascript exploit by Sperbels · · Score: 1

      If you use a proxy there's no supported way to get your real IP via Javascript.

      This is all pointless. I bet I can guess the first three numbers of your home computer's IP: 192...168....0...

    10. Re:Javascript exploit by downright · · Score: 1

      Then how does this WebRTC know your intranet IP even when you are behind a firewall?

      http://www.browserleaks.com/we...

    11. Re:Javascript exploit by evolutionary · · Score: 1

      I'm a software/web developer architect. I get into discussions about how to implement things on websites a lot and it's a lot scarier than many might think. Just a few weeks ago I was looking at anti-fraud solutions which use something called "digital fingerprinting" which basically means tagging you in semi permanent fashion to verify you are actually "you". These solutions all rely on Javascript which my client couldn't use because they managed other external sites as well so it was too big a hassle. But if you go to many sights (forbes.com for example), try to use it without Javascript and see how far you get. BTW: for security I believe NoScript on Firefox or Umatrix on Chrome/Vivaldi are VITAL plugins to keep people from being the victim of malicious javascript routines, particularly from websites exploiting from popular typos. These things can potentially carry viruses as well and your antivirus may or may not protect you. Javascript is the black hole of security on the Internet these days in my opinion.

      --
      "Imagination is more important than knowledge" - Einstein
  2. Classifying is fun... by __aaclcg7560 · · Score: 1

    The CIA classified my grocery list. Never mind that the information on the grocery list came from the weekly flyer that came in the mail. Never mind that the neighbors up and down the street may have a similar grocery list. Never mind that the CIA has no business classifying my grocery list in the first place.

    1. Re: Classifying is fun... by __aaclcg7560 · · Score: 2

      Not my fault that the postal service left classified information in everyone's mailbox.

  3. Probably because... by gatfirls · · Score: 4, Insightful

    ....It's a laughably silly exploit that anyone can do and they paid 10 million dollars to get.

  4. A possible compromise by Anonymous Coward · · Score: 2, Interesting

    I was LinuxFest Northwest earlier this year and had in interesting conversation with a lawyer from ACLU of Washington who gave a talk on cryptography and fearmongering. It was interesting because he advocated a position that the law should compel the government to publicly reveal any exploit gained or utilized by the government. I pointed out that this would be difficult to support for many people who believe in strong national defense (and foreign intelligence as a key aspect of that). The suggestion I made was to moderate his position as follows: if an exploit is developed (or purchased) by the US government for foreign intelligence purposes, then the government can decide to withhold the exploit on national security grounds, but as soon as it is employed for any domestic law enforcement purpose (surveillance, intelligence gathering, criminal investigation/prosecution) then the release would be compelled.

    I think the idea has possibilities, but after the slew of stories I've seen here on /. and in other media about our rights constantly and quickly being eroded in more fundamental ways, I'm wondering if efforts are best focused elsewhere.

    1. Re:A possible compromise by Ormy · · Score: 1

      if an exploit is developed (or purchased) by the US government for foreign intelligence purposes, then the government can decide to withhold the exploit on national security grounds, but as soon as it is employed for any domestic law enforcement purpose (surveillance, intelligence gathering, criminal investigation/prosecution) then the release would be compelled.

      Sounds ideal in principle, but whats to stop them just 'saying' they only use the exploit for foreign intelligence. All laws should expect and account for human greed and the 'power corrupts' factor.

    2. Re:A possible compromise by EndlessNameless · · Score: 2

      but whats to stop them just 'saying' they only use the exploit for foreign intelligence

      That's simple, if the law is written properly.

      When it's used for law enforcement purposes, it must be disclosed during that case---whenever the law dictates. E.g., when it is developed, after the investigation concludes, during the trial, after any appeals relevant to the exploit are decided, etc.

      If they totally swear that the intelligence community is using some other exploit, they don't have to talk about that supposed exploit. We don't care at that point.

      Either a particular exploit is unique to the intelligence community (and thus protected from disclosure), or else it is disclosed by law enforcement (and thus there is nothing else to tell us).

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  5. So nice to see by jarablue · · Score: 1

    J.Edgar Hoover is alive and well. Why stop here? Who needs evidence anymore? For fucks sake just plant what you need and come in guns blazing. But yet police officers can have relationships with high school students and prosecutors turn a blind eye. What scum.

    1. Re:So nice to see by bluefoxlucid · · Score: 4, Insightful

      The best bit is he's definitely guilty, and trying to get off on a technicality. The argument is the entire body of evidence collected since this whole thing started is tainted, and they have no valid reason to search him (knowing that his house is still full of child pornography because they already did an *illegal* search isn't a justifiable cause), so he gets away scot free because the authorities fucked up.

      This is *exactly* what we want. We want the authorities to follow the rules, and we want people who can hide in the rules to get away with it. We don't need the FBI searching you because they feel like it, finding evidence for an unpredicted crime, then charging you for it based on an illegal search. That leads to all kinds of vindictive political control, turning political opponents and other undesirables into targets to be ground away at by government overreach.

      The biggest danger is the public realizing what just happened and crying out against a child porn hoarder getting off free, and then demanding the repeal of the fourth and fifth amendments immediately. The second biggest danger is the FBI succeeding with their bluff, either having no evidence to present ("we used a thing that got us information, but we won't show you that thing, so just trust us about the evidence chain") or being forced to present and being called on performing an illegal search (hacked your computer) and then *not* penalized for it ("this is all technically inadmissible, but we'll allow it anyway").

      The neutral state is the FBI being forced to present and arguing (successfully and correctly) the defendant was *not* subject to an illegal search because the FBI had ample reason to believe the target site *was* doing illegal things and that its visitors were engaging in illegal activities (similar to a sting on a whore house). The outcome of being forced to present is the public can examine the code used to break Tor, then counteract it (technical arms race); Darby goes to jail; and the case sets no legal precedents weakening constitutional law.

      --
      Support my political activism on Patreon.
    2. Re:So nice to see by Anonymous Coward · · Score: 1

      Who needs evidence anymore?

      Indeed.

      But how does our government get away with it? Because the People let it. Why do they let it? Because they have a steady diet of mindless cop porn where the cops are all honest hardworking and never take shortcuts or make mistakes; while the "bad guys" who get away do so because the saintly cops are shackled by these ridiculous Civil Rights that do nothing but keep really bad people from paying for their crimes.

    3. Re:So nice to see by jarablue · · Score: 2

      There's plenty of evidence? I just can't wait for the day I am labeled a "child predator" because my neighbors heard me playing pornhub while my wife was on the rag. How many Traci Lords videos have I watched and who the fuck knows if one of them she was 17 in? So basically the fact that I have never remotely been interested in teenagers for sex, I am all of sudden the horrible child molestor the Feds and cunt of a prosecutor want me to be? Guess what? How many people have seen the Vanessa Hudgens leaked nude photo? Let me guess. All of them are hard core sexual predators? I have seen worse in company emails. Oh what's that you say? World War II veteran who raised a healthy honest hardworking society value adding family is a fucking monster because he dated Grandma who was 16? I'm sorry, daddy has to go to jail because we though him looking at a Tracy Lords video was "predatory" and have his career taken from him because you see, the prosecutor who let officer Johnson bang away on high school seniors, needed a career boost and news grabbing headline generated. No one here is saying that the guy wasn't guilty. But make not one fucking mistake, what constitutes as real predators and child molestor scum are grouped today with people who are not. Just for the simple fact that they can bullshit their way through court and nab a nice toasty conviction win to their record. They are just waiting to throw your ass in jail. Remember people, the law isn't applied equally to everyone. And prosecutors can be just as much a predator to certain people as predators are to prey. Who gives a fuck. They'll do what they want, whenever they want. I think the law actually gets in their way. On top of all this shit? I appreciate hard work. But fucking really?

    4. Re:So nice to see by jarablue · · Score: 1

      In no way am I defending this guy. I am just sick of how the law can be twisted for one parties interest then another. I look at 2 leaked celebrity photos in 26 years of being online, I go to jail do not pass go. A cop who is having a relationship with a 17 year high school senior get's a career boost. Just sick of the bullshit.

    5. Re: So nice to see by EndlessNameless · · Score: 1

      You basically can't be an unescorted male in this country now without some soccer mommy accusing you of things simply because you exist.

      I have no problems with this. No one I know has had problems with this.

      Perhaps you need to review your dress, hygiene, and behavior.

      Those same hypersensitive mommies believe there's a predator behind every tree even though instances of violent crime are way down.

      Every generation has its bed-wetters.

      actual criminals are being let off by jurors who can't comprehend why the cops can't produce a neat tidy stream of high tech evidence like they do in CSI

      Prosecutors got convictions under the same "beyond a reasonable doubt" standard before high tech evidence existed. If they are having problems now, maybe it is not the jurors' tech fantasies that are to blame.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    6. Re:So nice to see by jarablue · · Score: 1

      Cmon AC! Do you think a prosecutor gives a flying fuck what you looked at if she knows she can get a conviction on the charge? God forbid that I work for any inkling of a named institution! That is like a honeypot to them! No one is talking about a folder either. At least that would be something. The law is being bent further and further to benefit whoever needs whenever they need it. I don't want to talk shit, believe me but be honest with yourself. If they can crack the door open, they wield a nuke in court. And it doesn't fucking matter because it's your word vs "theirs". It isn't a strawmen, I hope you realize what I am trying to convey.

    7. Re:So nice to see by Type44Q · · Score: 1

      Where is the evidence of the FBI "making up bullshit"?

      It's recursive, AC; your post itself clearly constitutes such evidence. Bet you didn't know that was going to happen. ;)

    8. Re:So nice to see by Type44Q · · Score: 1

      ...while my wife was on the rag

      Seriously?? Just admit that you're into women, for fuck's sake.

    9. Re:So nice to see by Type44Q · · Score: 1
      ack, that should've read "Just admit that you're NOT into women"

      Seriously, though... guess we've got at least one guy here who's not earned his "red wings." :p

    10. Re:So nice to see by Type44Q · · Score: 1

      Crickets chirping. Seriously; do we expect anything else from these fucking establishment shills?

  6. Only if you know that it's used by NSA, CIA by raymorris · · Score: 2

    18 U.S. Code  798 - Disclosure of classified information:
    (a) Whoever knowingly and willfully communicates ...
    prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified informationâ"
    (1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government;

    You would have to know that it is a government secret.

    Note nothing it in the statute says that removing the classification label makes it okay. If you know it is secret and you willfully communicate it to an authorized person, that's a felony.

    1. Re:Only if you know that it's used by NSA, CIA by flink · · Score: 1

      18 U.S. Code  798 - Disclosure of classified information:
      (a) Whoever knowingly and willfully communicates ...
      prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified informationâ"
      (1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government;

      You would have to know that it is a government secret.

      Note nothing it in the statute says that removing the classification label makes it okay. If you know it is secret and you willfully communicate it to an authorized person, that's a felony.

      798 is concerned with intercepting and decoding encrypted communications -- i.e. deliberate acts of espionage. 793 is the chapter more broadly concerned with deliberately disclosing classified information to the detriment of national security interests. However, this mostly only applies to individuals that have obtained a clearance. When you are granted a clearance you essentially sign an NDA that has not just civil, but criminal penalties bound to it, and 793 provides most of the teeth. See SF-312 for a more exhaustive list.

      In general, if you are a non-cleared average citizen, and are not deliberately gathering privileged information and conveying it to a foreign government, you are probably not breaking the law if you disclose any classified information that lands in your lap. This is why reporters don't usually go to jail for printing classified documents. This doesn't mean that the government might not try to make your life difficult, and you could still end up in contempt of court for refusing to cooperate with an investigation or prosecution subsequent to the leak. The courts are usually reluctant to go there in the case of reporters protecting their sources, but see the Valery Plame case.

      If you independently discover something that is classified, you are almost certainly not in any trouble. There are certain circumstances where the government might have the power to gag you. For example, the DoD has the power to retroactively classify patents that duplicate military secrets. In those cases they may also issue a gag order to the applicant.

      So, to the GP's point, were you to duplicate the FBIs exploit, unless you had privileged knowledge of what exactly it was, you are not under any obligation to keep their secrets for them.

      IANAL, etc

  7. The passkey is.. by evolutionary · · Score: 1

    national security: you can use that reason to justify just about anything. there seems to be no limit, including ignoring/undermining the constitution in the name of national security. Of course B.J. Franklin said it best.

    --
    "Imagination is more important than knowledge" - Einstein
  8. Re:Tell me again why you still use TOR? by gestalt_n_pepper · · Score: 2

    As a practical matter, I just assume that any encryption, cloaking, etc. has already been broken and that you can be seen if certain people at the NSA, CIA. etc. can read your communication if they're interested enough.

    It's not a big deal to me personally. I'm not political, which is the real criteria for whether you're monitored or not (not the drugs or kiddy porn smokescreen reason). Political folks know better. They use old fashioned ciphers, red herrings, paper and face-to-face.

    --
    Please do not read this sig. Thank you.
  9. Re:Wait a second... by EndlessNameless · · Score: 1

    If you know it is classified and disclose it anyway, that is a felony. It doesn't matter if you figured out how they did it from their own classified documents or not.

    If you don't know whether it's classified and cannot reasonably be expected to know, then you're fine. If they decide to classify it after the fact, they will tell you the information is classified and that you're no longer allowed to discuss it.

    There have been a few cases where this occurred, and the creator of the documents in questions was approached in person by federal agents.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  10. Gov. taking over!!! by jraff2 · · Score: 1

    One can guarantee if anyone attempts to secure or harden TOR or any other onion product enough to ensue the TLAs can't gain access they will be visited by some "Men in Black" with some NSLs to hand out. Never to be seen again! The TOR site need to have a Warrant canary "https://en.wikipedia.org/wiki/Warrant_canary" specific to this situation, unless they already have been issued NSL or other mandates, then all bets are off, probably the latter! It's a shame the Gov. thinks it's the boss, the people are the boss, the constitution clearly says so! This is not for our own good, it's for the Gov. spying operations, and we already have way too much of that!

  11. They claim security but they have none by baxiehaven · · Score: 1

    I know the US Government computers and websites have already been hacked but they think they are gods... Well for gods it was funny that in Ottawa, Ontario the US embassy tried to tap the local cell phone of all the visiting diplomats to Parliament hill but they were caught and the cell phone sniffers they used were blocks to not to interfere with the cell phone in the Elgin Hotel

  12. Thanks for the info by raymorris · · Score: 1

    Thanks for that.