Say That Again

by Tim Cushing


Filed Under: doj, fbi, hacking, malware, nit, trojan

FBI Agent Testifies That The Agency's Tor-Exploiting Malware Isn't Actually Malware

from the just-a-tool-that-does-things-to-people's-computer-w/o-their-knowledge-or-per dept

It wasn't supposed to go this way. The same tactics that are causing the FBI problems now -- running a child porn website, using local warrants to deploy its spyware to thousands of computers around the US (and the world!) -- slipped by almost unnoticed in 2012. In a post-Snowden 2016, the FBI can hardly catch a break.

Just recently, a judge presiding over one of its child porn cases agreed the FBI should not be forced to hand over details on its Network Investigative Technique to the defendant. Simultaneously, the judge noted the defendant had several good reasons to have access to this information. While this conundrum spares the FBI the indignity of the indefinite confinement it's perfectly willing to see applied to others, it doesn't exactly salvage this case, which could be on the verge of dismissal.

In related cases, judges have declared the warrant used to deploy the NIT is invalid, thanks to Rule 41's jurisdictional limits. If a warrant is issued in Virginia (as this one was), the search is supposed to be performed in Virginia, not in Kansas or Oklahoma or Massachusetts.

While the larger issue of whether the evidence can be used against Jay Michaud continues to be discussed, the FBI is spending its time officially expressing its displeasure with its NIT being referred to disparagingly as "malware."

In a testimony earlier this week in the case of US vs. Jay Michaud, FBI special agent Daniel Alfin argued that the hacking tool used to identify Michaud and thousands of other Playpen users—which the FBI euphemistically calls a “Network Investigative Technique” or “NIT”—isn't malware because it was authorized by a court and didn't damage the security of Michaud's computer.

According to the FBI agent, this software isn't malware because it doesn't do any permanent damage.

I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was. Additionally, it did not “infect” my computer or leave any residual malware on my computer.

In a very limited sense, Agent Alfin is correct. The tool left no residual damage, nor did it alter settings on the end users' computers. However, it did do something most computer users would consider malicious: it stripped them of their anonymity. The people visiting this site used Tor to obscure their identifying info. They did this on purpose, most likely because they were seeking illegal content. But the fact that the tool removes protections users consciously deployed makes it malicious.

Child porn enthusiasts and other criminals aren't the only people who take active steps to obscure their connection points. Journalists do it. Activists do it. Citizens of oppressive governments do it. The FBI doesn't restrict itself to deploying its surveillance tools only against the worst of the worst. It has a long, troubling history of deploying its surveillance tools against people engaged in activities protected by the First Amendment. Anything that undoes something the recipient has proactively done is by definition unwanted, if not simply malicious.

As regular Techdirt commenter That Anonymous Coward pointed out on Twitter, the FBI sure as hell would find this tool "malicious" if it were directed at its computers and devices by someone outside of the agency. This would definitely fit under the CFAA's broad definition of "unauthorized access." Deploying this NIT via a compromised FBI server would make it a lot easier to locate agents working in the field. I don't think the FBI would be OK with this despite there being no "residual malware" left behind after field devices had been identified and located.


Reader Comments


  • Anonymous Coward, 23 May 2016 @ 11:51am

    New hacking safe harbor: no permanent damage

    "According to the FBI agent, this software isn't malware because it doesn't do any permanent damage."


    • Anonymous Coward, 25 May 2016 @ 2:41pm

      Re: New hacking safe harbor: no permanent damage

      I was thinking precisely this. If this definition is allowed to stand then there's a whole load of improperly adjudicated defendants that have been found guilty of some form of hacking.


  • Anonymous Coward, 23 May 2016 @ 11:55am

    I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was.
    The agent's declaration asserts that he has been through various FBI training classes and has been assigned to look for malware in past cases. That is better than assigning an agent from a non-computer specialty, but the declaration completely fails to mention the rather substantial class of malware known as rootkits. Additionally, most quality rootkits will make at least some effort to conceal themselves from an informed observer who is actively trying to detect the rootkit. Given the number of ways that a computer can be subtly compromised, I have difficulty accepting the assurance that the computer was no more vulnerable afterward than it was before. Given the lack of mention of rootkits, I have difficulty believing that his assertion that he found nothing is equivalent to stating that there is definitely nothing present.


    • Anonymous Coward, 23 May 2016 @ 12:25pm

      Re:

      The agent's declaration asserts that he has been through various FBI training classes and has been assigned to look for malware in past cases. That is better than assigning an agent from a non-computer specialty, but the declaration completely fails to mention the rather substantial class of malware known as rootkits.

      Agreed. Taking various first aid classes does not make one a brain surgeon. Nor does taking "various FBI training classes" make one a forensic computer scientist.


    • Anonymous Coward, 24 May 2016 @ 7:44am

      Re:

      Rather than Google it, I think it'd be more fun for me to ask a question here, where the tech is thick and the engineers roam free:

      What constitutes a 'University Degree in Information Technology'?

      It isn't CS, it's not Information Science, don't think it could be EE, really doubt it's Mathematics. Is this perhaps like the 'DB Administration' stuff offered by various Schools of Business?

      Maybe I've been out of school too long, but something sounds odd about his, uh, [Somekindofa] degree in IT.
      Anyone else think it sounds odd?


      • Anonymous Coward, 24 May 2016 @ 4:35pm

        Re: Re:

        What constitutes a 'University Degree in Information Technology'?

        "Technology" programs are for training technologists and as such are not usually as long or rigorous as related professional programs. For example, Medical Technologists do not receive the same education as Medical Doctors. The professional programs related to Information Technology have traditionally been Electrical Engineering and Computer Science.


  • Mason Wheeler (profile), 23 May 2016 @ 11:57am

    I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was. Additionally, it did not “infect” my computer or leave any residual malware on my computer.

    Sorry, Agent Alfin, but that's not what malware means. Malware is software that takes control of a computer away from the owner/user and causes the computer to act against their interests.


  • Anonymous Coward, 23 May 2016 @ 12:11pm

    and perjury isn't illegal when a government official does it.

    Just ask Eric holder


    • DannyB (profile), 23 May 2016 @ 12:18pm

      Re:

      Judge Orders "Intentionally Deceptive" DOJ Lawyers To Take Remedial Ethics Classes

      http://www.washingtontimes.com/news/2016/may/19/judge-orders-doj-lawyers-remedial-ethics-classes/?page=all

      http://www.zerohedge.com/news/2016-05-20/texas-judge-orders-intentionally-deceptive-doj-lawyers-take-remedial-ethics-classes

      http://dailycaller.com/2016/05/19/judge-in-obamas-amnesty-case-orders-every-lawyer-involved-to-take-ethics-class/

      Judge Hanen’s order reads, in part:

      “Therefore, this Court, in an effort to ensure that all Justice Department attorneys who appear in the courts of the Plaintiff States that have been harmed by this misconduct are aware of and comply with their ethical duties, hereby orders that any attorney employed at the Justice Department in Washington, D.C. who appears, or seeks to appear, in a court (state or federal) in any of the 26 Plaintiff States annually attend a legal ethics course. It shall be taught by at least one recognized ethics expert who is unaffiliated with the Justice Department. At a minimum, this course (or courses) shall total at least three hours of ethics training per year. The subject matter shall include a discussion of the ethical codes of conduct (which will include candor to the court and truthfulness to third parties) applicable in that jurisdiction.”

      In a footnote, Judge Hanen noted this was not the first time the DoJ has faced such an issue:

      Just recently, the Sixth Circuit expressed a similar conclusion. It wrote:

      In closing, we echo the district court’s observations about this case. The lawyers in the Department of Justice have a long and storied tradition of defending the nation’s interests and enforcing its laws—all of them, not just selective ones—in a manner worthy of the Department’s name. The conduct of the IRS’s attorneys in the district court [like the attorneys representing the DHS in this Court] falls outside that tradition. We expect that the IRS will do better going forward. And we order that the IRS comply with the district court’s discovery orders of April 1 and June 16, 2015—without redactions, and without further delay.

      Concluding the order, Judge Hanen wrote, “This Court would be remiss if it left such unseemly and unprofessional conduct unaddressed.”


  • DannyB (profile), 23 May 2016 @ 12:14pm

    According to the FBI agent, this software isn't malware because it doesn't do any permanent damage.
    Similarly, enhanced interrogation isn't torture because it doesn't do any permanent damage.

    Nice way to divert from the fact that there was harm, rather than on how long the harm lasts. While the harm may or may not be permanent, which can be debated, the fact is that harm WAS DONE. The computer has malware, a rootkit, of some sort installed on it.

    Does the FBI do anything to remove this malware?

    What makes the FBI so sure that without any updates, their brand of malware will not actually make the computer more vulnerable to other hacking efforts? They seem awfully confident of this.


  • Anonymous Coward, 23 May 2016 @ 12:20pm

    This is just bullshit. People consider PUPs to be malware. FBI software is definitely a PUP, or really just an UP.

    Catching pedophiles might be a worthy cause, but you should be honest about the means you use to catch them or else due process goes out the window and the innocent accused will get railroaded in order to get a conviction to boost a career.


  • I.T. Guy, 23 May 2016 @ 12:21pm

    Technically speaking he is right... It's spyware.


  • Anonymous Coward, 23 May 2016 @ 12:48pm

    than it already was

    four key words.

    six key words: it's ok if we do it.


  • That One Guy (profile), 23 May 2016 @ 12:59pm

    "Sure we'd absolutely consider it malware if someone else used it, and assuming they didn't have the protection of important friends or a bank account that would allow a sufficient defense you can be sure that we'd come down hard on anyone doing something like this, but when we do it I can assure you that it's not malware."


  • Anonymous Coward, 23 May 2016 @ 3:11pm

    I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was.
    Given the government is well known to redefine the meanings of words, with the intent to deceive, I have problems with this response.

    The agent says he observed no changes on his computer. He does not state that for other computers that may have received that NIT. As such it is a very limited snapshot that could easily be another intent to deceive.


  • Skeeter, 23 May 2016 @ 3:30pm

    True Litmus Test

    In the most realistic of tests, the absolute golden benchmark that ALL COURTS should use on such invasive techniques, is to throw this back on the surveillance agency and ask them 'if your target-perpetrator had silently done this to your computers, and then attempted to use their unwarranted information gathering against you', would you find this illegal? If the answer they replied was 'YES', then this should demand that a conventional warrant be signed and issued by a judge. PLAIN AND SIMPLE!

    The problem with Federal Laws and related Enforcement seems to now consistently be associated with the fact that they think they get to play by rules and laws as they deem fit, not as is actually written FOR ALL. Isn't it about time that the courts stopped, thought about this for a second, and used actual fairness and common sense to shut this circus down for good?


  • jim, 23 May 2016 @ 4:46pm

    right?

    The judge forgot one important part to go with this. If they could load the program on the private computer, it invalidates the person's control. What else was loaded, or indexed on the private computer? Is this now a set-up? Judge should have slapped the agent for lying to the court.


  • John Fenderson (profile), 23 May 2016 @ 7:25pm

    Color me surprised

    How surprised am I that the FBI has no idea what "malware" is?

    Not at all.


    • That One Guy (profile), 23 May 2016 @ 11:15pm

      Re: Color me surprised

      (Fairly sure your comment was meant to be taken as implied sarcasm, but just in case...)

      I'd say it's more likely that they know full well what counts as malware and are just lying about it in an attempt to bolster their case. As Skeeter pointed out above, if someone had done the same thing they did but to them you can be sure that they'd be screaming about malware loud enough to be heard for miles.


      • John Fenderson (profile), 24 May 2016 @ 6:36am

        Re: Re: Color me surprised

        Yes, I'm absolutely sure that they're straight-up lying. My point was really aimed at people who assume that the feds are honest and virtuous. If you assume that they are, then their statement means that they're dangerously incompetent.


        • That One Guy (profile), 24 May 2016 @ 4:06pm

          Re: Re: Re: Color me surprised

          Dishonest enough to lie to a judge, or incompetent enough not to know what malware is... yeah, they don't come out looking good no matter which is true.


  • Seegras (profile), 23 May 2016 @ 10:18pm

    FBI logic

    By the FBI's logic, disk-encrypting ransomware isn't malware, because if you pay, no lasting damage is done.


  • Monday (profile), 24 May 2016 @ 9:14am

    Y'all know the drill...

    NEED TO KNOW ONLY.
    I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was. Additionally, it did not “infect” my computer or leave any residual malware on my computer.

    It was OFF!

