FBI Sends Computer Information Collected By Its Hacking Tools In Unencrypted Form Over The Open Internet
from the the-(fraying)-ends-justify-the-(sloppy)-means dept
The FBI doesn’t want to talk about its secret malware, but with over 100 child porn prosecutions tied to it, it’s had to discuss at least a few aspects of its Network Investigative Technique (NIT).
In yet another prosecution — this one actually taking place in Virginia for a change — the FBI is once again struggling to withhold details of its NIT from the defense. Suppression of the evidence likely isn’t an option, as the warrant it obtained in Virginia was actually deployed in Virginia. I’m sure the FBI is as surprised as anybody by this fortuitous coincidence. But the defendant still wants access to more information, as he is looking to challenge the evidence the FBI collected with its Tor-defeating exploit.
The defendant, Edward Matish, has questions about the chain of custody. FBI Special Agent Daniel Alfin, who has testified in other Playpen/NIT cases, inadvertently admits there could be problems here, considering the FBI does nothing to protect the information it collects from suspects’ computers from being intercepted or altered. (h/t Chris Soghoian)
I have read the Defendant’s reply to the Government’s Response to the Motion to Compel dated May 23, 2016. In the motion, Matish asserts that there are chain of custody problems caused by the fact that the NIT transmitted data “unencrypted over the traditional internet”. This assertion is further supported by the declaration of Matthew Miller who states “the IP address relayed to the FBI was unencrypted and subject to attack by hackers” Miller Dec.
So, the NIT the FBI says is so secret it won’t discuss it even if facing contempt orders apparently sends back info over the open internet. Agent Alfin plows past this admission, calling the defense expert “wrong” while refusing to discuss the possibility that unencrypted transmissions could be altered.
He is wrong. In fact, the network data stream that has been made available for defense review would be of no evidentiary value had it been transmitted in an encrypted format. Because the data is not encrypted, Matish can analyze the data stream and confirm that the data collected by the government is within the scope of the search warrant that authorized the use of the NIT. Had the data been transmitted in an encrypted format the data stream would be of no evidentiary value as it could not be analyzed.
This is absurd. If Alfin is to be believed, any communications/data sent utilizing end-to-end encryption would be nothing but useless, scrambled gibberish to recipients. The FBI didn’t encrypt these transmissions because it probably didn’t seem worth the effort… at least not at the time. The FBI could have encrypted the transmissions and delivered the decrypted results to defendants for them to examine. I’m sure it wishes it had done this, now that it’s being challenged in court.
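The distinction drawn above, as an added example (not code from the NIT, the court filings or this site): a record sent in the clear can be changed in transit without the receiver noticing, while the same record sent under authenticated encryption (AES-256-GCM here) decrypts to the identical bytes for review and is rejected if a single bit is changed. The record fields, key handling and function names are constructed for illustration.

```javascript
// Added illustration; not code from the NIT or the court record.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Constructed sample record (documentation-range address, made-up host name).
const RECORD = JSON.stringify({ ip: '203.0.113.7', host: 'example-host', os: 'example-os' });

// Sender: encrypt and authenticate. Layout: 12-byte nonce | 16-byte tag | ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Receiver: returns the original plaintext, or throws if any byte was changed.
function unseal(key, blob) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
}

// Stand-in for a change made somewhere on the network path: flip one bit.
function flipBit(buf, offset) {
  const copy = Buffer.from(buf);
  copy[offset] ^= 0x01;
  return copy;
}

// Compare what the receiver can conclude in each transport mode.
function demo() {
  const key = randomBytes(32); // known to sender and receiver only
  const result = {};

  // 1. Cleartext: the altered record still parses; nothing flags the change.
  const altered = flipBit(Buffer.from(RECORD, 'utf8'), RECORD.indexOf('203') + 2).toString('utf8');
  result.cleartextAlteredAccepted = altered !== RECORD && typeof JSON.parse(altered).ip === 'string';

  // 2. Authenticated encryption: the key holder recovers the exact record for review.
  const sealed = seal(key, RECORD);
  result.decryptedMatches = unseal(key, sealed) === RECORD;

  // 3. The same one-bit change to the sealed blob fails authentication.
  result.tamperDetected = false;
  try { unseal(key, flipBit(sealed, sealed.length - 1)); } catch (err) { result.tamperDetected = true; }
  return result;
}

console.log(demo());
```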
This is one more example of the FBI’s overconfidence getting in the way of its better judgment. These were supposed to be open-and-shut child porn prosecutions — a repeat of its mostly under-the-radar use of the same tools and tactics in 2012. But they aren’t. They’re being challenged and the FBI is going from courtroom to courtroom, putting out fires. And all that scrambling is leading to half-assed explanations like this, which raise serious questions about the FBI’s investigative “techniques.”
Comments on “FBI Sends Computer Information Collected By Its Hacking Tools In Unencrypted Form Over The Open Internet”
Suddenly, the FBI doesn’t care as much about its “operational secrets being learned by the bad guys”?
Ha! FBI’s “expert”, am I right?
Courts should limit expert testimony to actual experts, not “any dumb ass cops prosecutors choose.”
The FBI is Leading By Example
Nobody should be using encryption.
Encryption is causing everything to “go dark”.
The FBI is leading by example, showing you how to send (someone else’s) personal and private information over the internet without the need to use encryption.
Note to all Banking and Commerce sites: please follow the FBI’s lead!
Federal Bureau of Incompetence
But the FBI says:
This is an example of encryption causing data to ‘go dark’.
If data is encrypted, nobody can read it. Unless they are the holder of a magical Golden Key™ made from genuine Unicorn Horn and sprinkled with magic Pixie Dust.
Ordinary decryption keys won’t work on encrypted data. Thus a magical golden key is needed. And the FBI needs it now! Because terrorists. Oh, wait. Wrong TLA. Because pedophiles!
This seems perfectly consistent with the FBI’s talking points.
Re: Re: Re:
His statement is correct: the stream before decryption is useless as evidence.
Re: Re: Re:
You mean I can’t just buy a Golden Key from Amazon?
Re: Re: Re: Re:
Sell it to Dianne Feinstein!
How about any computer system?
With different companies having what appears to be unfettered access to our systems to run ads, to install and remove software, etc… At what point do we no longer consider our computer systems to be “under our control”? If my house was wide open for thousands of strangers a day to walk thru it, how could I be held responsible for what a stranger drops there?
When others can display any photo they want on our computer whether it be an advertisement or inappropriate types of photos, how can we continue to be held responsible?
Our data travels unprotected, our computers are wide open to dozens of companies and government agencies and thousands of hackers to run their bots, yet we get held responsible for every piece of data on them.
There is a point where courts will have to say we can no longer be held responsible any more than if someone placed an inappropriate child’s photo under the wiper of your car in a mall parking lot. It may be attached to something you own, but you have no way to stop it from being done to you and no knowledge of who did it.
Re: How about any computer system?
Just read this previous techdirt comment and you’ll feel safer!
Re: Re: How about any computer system?
Well, isn’t that just dandy. I really wish I lived in the days of rotary phones, teletype, and black and white TVs.
I would suspect people are going to snap soon and they won’t be from other countries or the go to “enemy” religion. It really is a shame just how much damage a crooked few in charge can cause and how they can make entire organizations look bad. I knew people growing up who were FBI agents and maybe I was wearing rose colored glasses at the time, but they truly didn’t seem to be as slimy as they are nowadays.
Re: Re: Re: How about any computer system?
No matter how sarcastic, however cynical, no matter how wildly and insanely paranoid that I try to write a post, it is either already, or very quickly becomes reality and out of date.
Re: How about any computer system?
@ anon cow 9:18
great points, thank you for that…
It is a dark day for justice when my default gut feeling is the desire for the FBI to fail in this case based on the over-reach, incompetence, and their lack of checks and balances that would have helped protect everyone’s interests.
It is a dark day indeed when I feel that the wrongs of the FBI are automatically greater than those of some guy committing thought crimes (I hope that is the actual extent).
The idea that the NET should be unencrypted..
The net should NOT require people to PROTECT themselves..
That Bots, and Malware, should not be around..
That Everyone and every corp should be truthful and Honest.
ANYONE want to run around, in real life, with his ID, and CC exposed to ANYONE??
WOW, lets just publish all the SS#, with names and addresses..
How many cyberterrorist alerts this thing sets off when that open and readable traffic is intercepted by the … ‘other agencies’?
There is a good reason for the FBI to not use encryption. Unlike other FBI computer systems, high quality encryption is available for mere thousands of dollars, not the billion+ it spent on its last failure. Once installed, encryption makes little or no further addition to the labor burden, thus not justifying more staff.
So… the FBI should be pushing for everyone to use encryption then, yes? Can’t have a terrorist plot when the terrorists only send each other gibberish, right?
“Had the data been transmitted in an encrypted format the data stream would be of no evidentiary value as it could not be analyzed.”
Does this suggest that the NIT they used required this data to be transmitted in the open so that they could intercept it at another point?
"Just how dumb do you think I am?"
Because the data is not encrypted, Matish can analyze the data stream and confirm that the data collected by the government is within the scope of the search warrant that authorized the use of the NIT. Had the data been transmitted in an encrypted format the data stream would be of no evidentiary value as it could not be analyzed.
Yeah, even without a lot of knowledge in the field of encryption I’m pretty sure I still know more than him. The only way encryption would make the data useless would be if the FBI lacked the keys to decrypt it on the other side, and given it was their malware sending it somehow I’m not seeing that as a real possibility.
Encryption means the data isn’t likely to be intercepted by a third-party and read/changed, making the ‘chain of custody’ secure, while non-encryption lacks those protections, and the chain of custody is extremely suspect as a result.
I can only guess that he’s hoping that the judge is technically incompetent to such a degree that even if the defense gets someone to point out how utterly wrong his argument is here that he’ll still accept the FBI’s version over the defense’s.
If this is from the 2013 Freedom Hosting incident, then the malware that the FBI handed out is very much publicly known. Vlad Tsyrklevich (@vlad902) provided an annotated disassembly.
FBI replies: “Hey! After all the encryption and system breaking; man in the middle attacks; and legal battles we had to go through to get that data: You have the nerve to expect us to take more effort to actually encrypt it?”
I don’t care how they get these sickos off the street. If it were me they would all be tortured to death already.