Privacy

by Tim Cushing


Filed Under:
doj, fbi, malware, nit, playpen, tor

Companies:
mozilla



Mozilla Asks Court To Force FBI To Turn Over Information On Hacking Tool It Used In Child Porn Case

from the only-criminals-use-patched-browsers-amirite? dept

An indirectly-involved party in the FBI's Playpen case has waded into the fray and is demanding answers. Mozilla wants to know about the security flaw the FBI exploited so it can fix it. (h/t Brad Heath, Nate Cardozo)

Mozilla now seeks to intervene in relation to the Government’s pending Motion to request modification of the Order, or in the alternative, to participate in the development of this issue as amicus curiae in favor of neither party, for the purpose of requesting that the Court modify its Order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the Defendant. Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well. Firefox is released under an open source license. This means that as Firefox source code is continuously developed, it is publicly available for developers to view, modify, share, and reuse to make other products, like the Tor Browser. The Tor Browser comprises a version of Firefox with some minor modifications to add additional privacy features, plus the Tor proxy software that makes the browser’s Internet connection more anonymous.
With the Tor browser being built on the Firefox framework, any exploit of Tor could affect vanilla Firefox users. Not only that, but the FBI is apparently sitting on another Firefox vulnerability it used in a previous investigation to unmask Tor users. (This refers to the FBI's 2012 child porn sting, which also used a NIT to obtain information about visitors to a seized website.) The filing notes the FBI has been less than helpful when approached for info about this Firefox/Tor-exploiting NIT.
Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products. Accordingly, Mozilla requests that the Court modify its order to take into account how such disclosure may affect Mozilla and the safety of the several hundred million users who rely on Firefox.
Mozilla wants to see this information two weeks before it's disclosed to the defendant so it can patch the hole. While it's not unopposed to the information being turned over to the defendant, this headstart would allow it to fix the vulnerability before it becomes public knowledge and turned into a weapon to be wielded against millions of Firefox users.

There's a Fifth Amendment implication here as well: the due process right of third parties to act on behalf of properties or interests affected by criminal investigations or court decisions.
To consider the weight of Mozilla’s interests, this Court must determine whether the Exploit to be disclosed takes advantage of an unfixed Firefox vulnerability. If it does, Mozilla will suffer harm if the Court orders the government to disclose the vulnerability to the Defendant under the existing protective order. Likewise, Mozilla continues to suffer harm by the Government’s refusal to confirm at this point whether Firefox is the target of the vulnerability. [...] Due process compels this Court to hear Mozilla’s arguments and consider its interests before rendering a decision.
The proposed protective order doesn't do enough to prevent discovery of the vulnerability, according to Mozilla.
The protective order does not contain restrictions on disclosing knowledge learned through examining NIT Protected Material. This alone marks a serious deficiency in the Protective Order as the damaging information about the vulnerability is likely something that someone can easily remember. Rather, the Protective Order’s disclosure restrictions are limited to the further distribution of the copies of information the defense receives from the government. Without more restrictive provisions, the protective order relies too heavily on the Defendant’s representations he and his defense team will not share copies, but not on any explicit agreement that they will not share or use information learned or that they will put security safeguards in place
Not that the NIT's specifics are necessarily secure if the court refuses to order disclosure to Michaud or Mozilla. The declaration entered by defendant Jay Michaud's expert witness points out that the previous use of the NIT in the 2012 case resulted in the FBI turning over information about the exploit to the defendant. So, there's precedent for disclosure, which is what Michaud's lawyer is demanding. But there's also evidence the FBI is hardly the best repository for exploits and vulnerabilities.
The Cottom case, which also involved an FBI NIT, provides a helpful comparison. In Cottom, the government agreed to cooperate with the defense's discovery requests. However, the FBI later reported to the Nebraska court that it had lost part of the NIT source code. Given the potential harms and security issues the government has raised in connection with the disclosure information, the FBI's loss of NIT code in Cottom is still hard to understand. But there at least the government did not dispute the defense's need to analyze all of the available components and code to prepare pre-trial motions, a Daubert challenge, and potential trial defenses.
Hard to understand, indeed. How does someone lose "part" of an exploit's code, especially considering the FBI's obvious interest in deploying it in other investigations? Might just be stupidity, but considering its evidentiary implications and the FBI's extreme reluctance to expose "means and methods," it also smells a bit of maliciousness.

While Mozilla's attempted intervention may force the FBI to turn over information on its NIT, it's unlikely to be much of a direct benefit to Michaud. His lawyer is opposed to Mozilla's request for exploit info and its offer to appear as an amicus in support of Michaud's motion to compel. His filing notes that while Mozilla is not opposed to the FBI also turning over this information to Michaud, he and his client have no interest in returning the favor should the court side with Michaud, rather than Mozilla.
Mr. Michaud has no stake in Mozilla’s dispute with the Government. Further, the defense has no intention of disclosing any NIT discovery to Mozilla, a third party, or the public in general under any circumstances. To the extent that Mozilla is concerned that the existing NIT protective order does not provide “adequate safeguards” (dkt. 195 at 12), the defense has stated that it is amenable to any and all additional security measures and modifications to the existing NIT protective order that the Court deems appropriate.
Not an unreasonable response, as Michaud's lawyer's ultimate duty is to serve his client, not millions of Firefox/Tor users. As for the government, it's likely incredibly irritated that its super-secret tool is gaining it no traction in supposedly open-and-shut child porn prosecutions. Not only are courts finding the warrants used to perform this extrajurisdictional searches invalid from word one, but defendants are pushing back hard against the FBI's "investigative methods" secrecy and dismissive attitude towards the Fourth Amendment. I'm sure it had no idea it would be 198 documents deep into a single child porn case at this point -- much less being nowhere closer than day one to securing a conviction.






Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    FBI, 12 May 2016 @ 11:48am

    We can't. Think of the abused children.

    reply to this | link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 12 May 2016 @ 11:57am

    Double negative alert

    While it's not unopposed to the information being turned over to the defendant

    I assume you mean "not opposed" here?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 May 2016 @ 12:22pm

    Typical Government

    We cannot or will not provide you with the methods processes or tools used to gather evidence that can put people away for years.

    You just have to trust us because... that's right! Nation Security!

    Any juror that convicts someone based on parallel construction or with a piece of evidence that does not have a very clear chain of custody and explanation of how it was procured is a failure of a citizen and a scumbag human fucking being!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 May 2016 @ 8:53pm

      Re: Typical Government

      Any juror that convicts someone based on parallel construction or with a piece of evidence that does not have a very clear chain of custody and explanation of how it was procured is a failure of a citizen and a scumbag human fucking being!

      Umm, so?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 May 2016 @ 9:14pm

      Re: Typical Government

      That's a tyranny

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 May 2016 @ 12:36pm

    It's rather interesting to see what happens when the government is required to follow the law just like it expects citizens to do so.

    Maybe next time it will not perform evidence-laundering to make a case.

    reply to this | link to this | view in chronology ]

    • icon
      DannyB (profile), 12 May 2016 @ 12:46pm

      Re:

      Evidence Laundering needs to be the term used instead of Parallel Construction.

      Evidence Laundering is what it really is. Parallel Construction is the euphamism to make it sound nice.

      Just as "enhanced interrogation" is the euphemism to make "torture" sound nice.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 May 2016 @ 12:59pm

        Re: Re:

        I agree, accurate terminology is better.

        The whole "Undocumented" immigrants term is another victim of whitewashing terrible shit!

        reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 12 May 2016 @ 12:54pm

    Golden Exploit instead of a Golden Key

    Dear James Comey,

    It seems you're faced with a dilemma here.

    Should you:
    (A) hand over the exploit so that Mozilla (and other software projects) can make everyone safe
    (B) keep the exploit to yourself because you don't want bad guys to know about it

    How about you take the same advice that you give to the 'nerds' and 'geeks' who should work out how to build your mythical Golden Key?

    A Golden Exploit. It works for the government to hack into people's systems and perform your NIT (network investigative technique), but it doesn't work for hackers and bad guys that would make everyone less safe.

    C'mon, you can do it. Just as you think silicon valley can do it.

    Oh, wait. Maybe the government is part of 'the bad guys'? Maybe that's why we have the 4th, 5th and other amendments.

    Maybe the court should order the FBI to produce such a magical Golden Exploit?

    reply to this | link to this | view in chronology ]

  • icon
    David (profile), 12 May 2016 @ 4:14pm

    Again, the FBI talks with lips that lie.

    Lost the code, ah no. Misplaced is more like it. Thus it can be used again while not being shared with the defense.

    To any other legal team trying this method it is merely lies and more lies. With the FBI it's ... well it's the same.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 May 2016 @ 9:17pm

    Even if the court agreed with Mozilla and ordered the government to disclose it it won't do them any good since the govt will just defy the courts order anyway and keep it secret. They may have to drop some cases letting actual bad guys go free but hey, who wants to put bad guys away if we actually have to disclose how we found them and got the evidence.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 13 May 2016 @ 1:00am

    As was already mentioned here, the FBI has already replied:
    Here, the Government has already signaled its decision. It has stated that the FBI will not comply with the Court’s discovery order under any circumstances…

    So, in what way will the judge compel the FBI to comply, eh? Summon Comey, and charge him with contempt if he doesn't cough up?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 14 May 2016 @ 1:49pm

    What part of Firefox isn't a vulnerability?

    I think you misunderstand Mozilla's inquiry. This is clearly an attempt at humor.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Jun 2016 @ 3:47am

    "Not an unreasonable response, as Michaud's lawyer's ultimate duty is to serve his client, not millions of Firefox/Tor users."

    Yes, he is just doing his job. If it is at the rest of the worlds expense, too fucking bad, he is being reasonable.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories

Close

Email This

This feature is only available to registered users. Register or sign in to use it.