FBI Agent Testifies That The Agency's Tor-Exploiting Malware Isn't Actually Malware
from the just-a-tool-that-does-things-to-people's-computer-w/o-their-knowledge-or-per dept
It wasn’t supposed to go this way. The same tactics that are causing the FBI problems now — running a child porn website, using local warrants to deploy its spyware to thousands of computers around the US (and the world!) — slipped by almost unnoticed in 2012. In a post-Snowden 2016, the FBI can hardly catch a break.
Just recently, a judge presiding over one of its child porn cases agreed the FBI should not be forced to hand over details on its Network Investigative Technique to the defendant. Simultaneously, the judge noted the defendant had several good reasons to have access to this information. While this conundrum spares the FBI the indignity of the indefinite confinement it’s perfectly willing to see applied to others, it doesn’t exactly salvage this case, which could be on the verge of dismissal.
In related cases, judges have declared the warrant used to deploy the NIT is invalid, thanks to Rule 41’s jurisdictional limits. If a warrant is issued in Virginia (as this one was), the search is supposed to be performed in Virginia, not in Kansas or Oklahoma or Massachusetts.
While the larger issue of whether the evidence can be used against Jay Michaud continues to be discussed, the FBI is spending its time officially expressing its displeasure with its NIT being referred to disparagingly as “malware.”
In a testimony earlier this week in the case of US vs. Jay Michaud, FBI special agent Daniel Alfin argued that the hacking tool used to identify Michaud and thousands of other Playpen users—which the FBI euphemistically calls a “Network Investigative Technique” or “NIT”—isn’t malware because it was authorized by a court and didn’t damage the security of Michaud’s computer.
According to the FBI agent, this software isn’t malware because it doesn’t do any permanent damage.
I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was. Additionally, it did not “infect” my computer or leave any residual malware on my computer.
In a very limited sense, Agent Alfin is correct. The tool left no residual damage, nor did it alter settings on the end users’ computers. However, it did do something most computer users would consider malicious: it stripped them of their anonymity. The people visiting this site used Tor to obscure their identifying info. They did this on purpose, most likely because they were seeking illegal content. But the fact that the tool removes protections users consciously deployed makes it malicious.
Child porn enthusiasts and other criminals aren’t the only people who take active steps to obscure their connection points. Journalists do it. Activists do it. Citizens of oppressive government do it. The FBI doesn’t restrict itself to only deploying its surveillance tools against the worst of the worst. It has a long, troubling history of deploying its surveillance tools against people engaged in activities protected by the First Amendment. Anything that undoes something the recipient has proactively done is by definition unwanted, if not simply malicious.
As regular Techdirt commenter That Anonymous Coward pointed out on Twitter, the FBI sure as hell would find this tool “malicious” if it were directed at its computers and devices by someone outside of the agency. This would definitely fit under the CFAA’s broad definition of “unauthorized access.” Deploying this NIT via a compromised FBI server would make it a lot easier to locate agents working in the field. I don’t think the FBI would be OK with this despite there being no “residual malware” left behind after field devices had been identified and located.
Comments on “FBI Agent Testifies That The Agency's Tor-Exploiting Malware Isn't Actually Malware”
New hacking safe harbor: no permanent damage
“According to the FBI agent, this software isn’t malware because it doesn’t do any permanent damage.”
Re: New hacking safe harbor: no permanent damage
I was thinking precisely this. If this definition is allowed to stand then there’s a whole load of improperly adjudicated defendants that have been found guilty of some form of hacking.
The agent’s declaration asserts that he has been through various FBI training classes and has been assigned to look for malware in past cases. That is better than assigning an agent from a non-computer specialty, but the declaration completely fails to mention the rather substantial class of malware known as rootkits. Additionally, most quality rootkits will make at least some effort to conceal themselves from an informed observer who is actively trying to detect the rootkit. Given the number of ways that a computer can be subtly compromised, I have difficulty accepting the assurance that the computer was no more vulnerable afterward than it was before. Given the lack of mention of rootkits, I have difficulty believing that his assertion that he found nothing is equivalent to stating that there is definitely nothing present.
Re: Re:
The agent’s declaration asserts that he has been through various FBI training classes and has been assigned to look for malware in past cases. That is better than assigning an agent from a non-computer specialty, but the declaration completely fails to mention the rather substantial class of malware known as rootkits.
Agreed. Taking various first aid classes does not make one a brain surgeon. Nor does taking “various FBI training classes” make one a forensic computer scientist.
Re: Re:
Rather than Google it, I think it’d be more fun for me to ask a question here, where the tech is thick and the engineers roam free:
What constitutes a ‘University Degree in Information Technology’?
It isn’t CS, it’s not Information Science, don’t think it could be EE, really doubt it’s Mathematics. Is this perhaps like the ‘DB Administration’ stuff offered by various Schools of Business?
Maybe I’ve been out of school too long, but something sounds odd about his, uh, [Somekindofa] degree in IT.
Anyone else think it sounds odd?
Re: Re: Re:
What constitutes a ‘University Degree in Information Technology’?
“Technology” programs are for training technologists and as such are not usually as long or rigorous as related professional programs. For example, Medical Technologists do not receive the same education as Medical Doctors. The professional programs related to Information Technology have traditionally been Electrical Engineering and Computer Science.
Sorry, Agent Alfin, but that’s not what malware means. Malware is software that takes control of a computer away from the owner/user and causes the computer to act against their interests.
and perjury isn’t illegal when a government official does it.
Just ask Eric holder
Re: Re:
Judge Orders “Intentionally Deceptive” DOJ Lawyers To Take Remedial Ethics Classes
http://www.washingtontimes.com/news/2016/may/19/judge-orders-doj-lawyers-remedial-ethics-classes/?page=all
http://www.zerohedge.com/news/2016-05-20/texas-judge-orders-intentionally-deceptive-doj-lawyers-take-remedial-ethics-classes
http://dailycaller.com/2016/05/19/judge-in-obamas-amnesty-case-orders-every-lawyer-involved-to-take-ethics-class/
Judge Hanen’s order reads, in part:
In a footnote, Judge Hanen noted this was not the first time the DoJ has faced such an issue:
Just recently, the Sixth Circuit expressed a similar conclusion. It wrote:
Concluding the order, Judge Hanen wrote, “This Court would be remiss if it left such unseemly and unprofessional conduct unaddressed.”
Similarly, enhanced interrogation isn’t torture because it doesn’t do any permanent damage.
Nice way to divert from the fact that there was harm, rather than on how long the harm lasts. While the harm may or may not be permanent, which can be debated, the fact is that harm WAS DONE. The computer has malware, a rootkit, of some sort installed on it.
Does the FBI do anything to remove this malware?
What makes the FBI so sure that without any updates, their brand of malware will not actually make the computer more vulnerable to other hacking efforts? They seem awfully confident of this.
This is just bullshit. People consider PUPs to be malware. FBI software is definitely a PUP, or in really just an UP.
Catching pedophiles might be a worthy cause, but you should be honest about the means you use to catch them or else due process goes out the window and the innocent accused will get railroaded in order to get a conviction to boost a career.
Re: Re:
Indeed, and to hide behind the utter vileness of the alleged offence is the deepest depth of sleaze, in my opinion. Due process for all!
Re: Re: @Wendy Cockcroft
Yeah, bad guy to the prison. But who know that you are ok? If FBI wan’t now to remove somebody, then this software will do it for them. Even people don’t realize that "pedophile" is new weapon to remove some good people. In this 135 there will be 20 journalist that are good for people – not for government. Do you ok with that? Are you serious?
Technically speaking he is right… It’s spyware.
Re: Re:
No, he’s not. Spyware is a subspecies of malware.
than it already was
than it already was
four key words.
six key words: it’s ok if we do it.
“Sure we’d absolutely consider it malware if someone else used it, and assuming they didn’t have the protection of important friends or a bank account that would allow a sufficient defense you can be sure that we’d come down hard on anyone doing something like this, but when we do it I can assure you that it’s not malware.”
Given the government is well known to redefine the meanings of words, with the intent to deceive, I have problems with this response.
The agent says he observed no changes on his computer. He does not state that for other computers that may have received that NIT. As such it is a very limited snapshot that could easily be another intent to deceive.
True Litmus Test
In the most realistic of tests, the absolute golden benchmark that ALL COURTS should use on such invasive techniques, is to throw this back on the surveillance agency and ask them ‘if your target-perpetrator had silently did this to your computers, and then attempted to use their unwarranted information gathering against you’, would you find this illegal? If the answer they replied was ‘YES’, then this should demand that a conventional warrant be signed and issued by a judge. PLAIN AND SIMPLE!
The problem with Federal Laws and related Enforcement, seems to now consistently be associated with the fact that they think they get to play by rules and laws as they deem fit, not as is actually written FOR ALL. Isn’t it about time that the courts stopped, thought about this for a second, and used actual fairness and common sense to shut this circus down for good?
right?
The judge forgot one important part to go with this. If they could load the program on the private computer, it invalidates the person’s control. What else was loaded, or indexed on the private computer? Is this now a set-up? Judge should have slapped the agent for lying to the court.
Color me surprised
How surprised am I that the FBI has no idea what “malware” is?
Not at all.
Re: Color me surprised
(Fairly sure your comment was meant to be taken as implied sarcasm, but just in case…)
I’d say it’s more likely that they know full well what counts as malware and are just lying about it in an attempt to bolster their case. As Skeeter pointed out above, if someone had done the same thing they did but to them you can be sure that they’d be screaming about malware loud enough to be heard for miles.
Re: Re: Color me surprised
Yes, I’m absolutely sure that they’re straight-up lying. My point was really aimed at people who assume that the feds are honest and virtuous. If you assume that they are, then their statement means that they’re dangerously incompetent.
Re: Re: Re: Color me surprised
Dishonest enough to lie to a judge, or incompetent enough not to know what malware is… yeah, they don’t come out looking good no matter which is true.
FBI logic
By the FBI’s logic, disk-encrypting ransomware isn’t malware, because if you pay, no lasting damage is done.
Y'all know the drill...
NEED TO KNOW ONLY.
It was OFF!