Say That Again

by Tim Cushing


Agent's Testimony Shows FBI Not All That Interested In Ensuring The Integrity Of Its Forensic Evidence

from the bad-things-are-good-if-done-for-the-'right'-reasons dept

Security researcher Jonathan Zdziarski has been picking apart the FBI's oral testimony on the NIT it deployed in the Matish/Playpen case. The judge presiding over that case denied Matish's suppression request for a number of reasons -- including the fact that Matish's residence in Virginia meant that Rule 41 jurisdiction rules weren't violated by the FBI's NIT warrant. Judge Morgan Jr. then went off script and suggested the FBI didn't even need to obtain a warrant to deploy a hacking tool that exposed end user computer info because computers get hacked all the time.

He equated this to police peering through broken blinds and seeing something illegal inside a house, while failing to recognize that his analogy meant the FBI could let themselves inside the house first to break the blinds, then peer in from the outside and claim "plain sight."

The oral arguments [PDF] -- using FBI Special Agent Daniel Alfin's testimony -- were submitted in yet another case tied to the seizure of a child porn website, this one also taking place in Virginia and where the presiding judge has similarly denied the defendant's motion to suppress. The DOJ has added the transcript of the agent's oral testimony in the Matish prosecution as an exhibit to this case, presumably to help thwart the defendant's motion to compel the FBI to turn over the NIT's source code.

Many assertions are made by Agent Alfin in support of the FBI's claim that its hacking tool -- which strips away any anonymity-protecting efforts put into place by the end user and sends this information to a remote computer -- is not malware. And many of them verge on laughable. Or would be laughable, if Alfin wasn't in the position of collecting and submitting forensic evidence.

There's so much wrong in here, it's probably best to just start at the top.

1. A MAC address is a unique identifier that can never be altered.

THE WITNESS: Yes, Your Honor. MAC is an acronym that stands for media address control.

THE COURT: Is that different than IP address?

THE WITNESS: Yes, Your Honor. A MAC address is unique and does not change. So you can look at the MAC address in the matter at hand from Mr. Matish's computer, and that MAC address is always the same. It is the one that was identified by the government. It was also the one that was seized by the government. A MAC address is hard-wired or burned into the card.

[Compared with this, from the same agent, roughly 30 pages later…]

Q. Are any of those items -- I believe you testified to the MAC address. Can that be changed?

A. It can be --

2. The FBI didn't need to encrypt the data collected by the NIT because, hey, Tor is secure and can't be compromised.

Q: In one of the declarations that was submitted on behalf of Mr. Matish by Dr. Soghoian, it is alleged that because the NIT sent data over the regular Internet and not encrypted that the authenticity of the data could not be verified.

A: This is incorrect. It also fails to acknowledge that the NIT was, in fact, sent to Mr. Matish's computer over the Tor network, which is encrypted.

3. Encryption would ruin the integrity of the collected evidence.

Q. Would encryption of the data as it was transmitted from the computer to the government -- what effect, if any, would that have had on the utility of the data going forward?

A. It would have not completely made the network data useless, but it would have hurt it from an evidentiary standpoint. Because the FBI collected the data in a clear text, unencrypted format, it shows the communication directly from Mr. Matish's computer to the government. It can be read; it can be analyzed. It was collected and provided to defense today, and they can review exactly what the FBI collected.

Had it been encrypted, it would not have been of the same value, because the encrypted data stream itself could not be read. In order to read that encrypted data stream, it would have to first be decrypted by the government, which would fundamentally alter the data. It would still be valid, it still would have been accurate data; however, it would not have been as forensically sound as being able to turn over exactly what the government collected.
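The evidentiary claim in item 3, as an added illustration that is not from the article or the case record: an authenticated, encrypted capture can be turned over exactly as received, and the decrypted copy is a derived artifact that anyone with the keys can re-derive and check against the original, not an alteration of it. The stream cipher below is a stdlib-only stand-in for a real AEAD such as AES-GCM, and the keys, nonce and sample record are constructed placeholders.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the kind of host data a NIT-style collector sends back
# (placeholder values, not taken from the case record).
SAMPLE_RECORD = b"session=0001;mac=00:11:22:33:44:55;host=EXAMPLE-PC;user=example"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF-in-counter-mode stream: HMAC-SHA256(key, nonce || counter).

    A stdlib-only stand-in for a real AEAD such as AES-GCM; the point of the
    example is the integrity check and the preserved original, not the cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


@dataclass(frozen=True)
class Capture:
    """Exactly what the collecting server received; never modified after receipt."""
    nonce: bytes
    ciphertext: bytes
    tag: bytes  # HMAC-SHA256 over nonce || ciphertext (encrypt-then-MAC)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = b"") -> Capture:
    """What the sending side would produce: encrypt, then authenticate the ciphertext."""
    if not nonce:
        nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return Capture(nonce, ct, tag)


def verify_and_open(enc_key: bytes, mac_key: bytes, cap: Capture):
    """Return the derived plaintext, or None if the capture fails authentication.

    A cleartext capture has no equivalent of this check: once received, an
    altered record and the original are indistinguishable.
    """
    expected = hmac.new(mac_key, cap.nonce + cap.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cap.tag):
        return None
    stream = _keystream(enc_key, cap.nonce, len(cap.ciphertext))
    return bytes(c ^ k for c, k in zip(cap.ciphertext, stream))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evidence_manifest(cap: Capture, derived: bytes) -> dict:
    """Chain-of-custody view: hash of the bytes as received plus hash of the derived
    (decrypted) copy. Anyone holding the keys can re-derive the copy from the
    original and confirm both hashes, so decryption adds a derivative; it does not
    alter the evidence."""
    return {
        "received_sha256": sha256_hex(cap.nonce + cap.ciphertext + cap.tag),
        "derived_sha256": sha256_hex(derived),
    }


def tamper(cap: Capture, index: int) -> Capture:
    """Flip one bit of the received ciphertext, as an in-transit or at-rest change would."""
    ct = bytearray(cap.ciphertext)
    ct[index] ^= 0x01
    return Capture(cap.nonce, bytes(ct), cap.tag)


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    received = seal(enc_key, mac_key, SAMPLE_RECORD)
    opened = verify_and_open(enc_key, mac_key, received)
    print("authentic capture opens:", opened == SAMPLE_RECORD)
    print("altered capture rejected:", verify_and_open(enc_key, mac_key, tamper(received, 5)) is None)
    print(evidence_manifest(received, opened))
```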

4. The FBI's malware is not malware because "mal" means "bad" and "FBI" means "good."

Q. And, finally, would you describe the NIT as malware?

A. No. The declaration of Dr. Soghoian disputes my point from my declaration that I do not believe the NIT should be considered malware, but he fails to address the important word that makes up malware, which is "malicious."

"Malicious" in criminal proceedings and in the legal world has very direct implications, and a reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious. And for that reason I do not believe that the NIT utilized in this case pursuant to a court order should be considered to be malware.

5. The defense has all the data it needs to examine the FBI's NIT.

Q. Okay. And you're aware that the first time that the government agreed to produce that particular data was in its response to this motion to compel?

A. I assume that's the case. I don't know exactly what date it was provided on, but I know it was turned over.

Q. And then you talked about a data stream being made available, right?

A. Yes.

Q: And you're aware that the first time that the government agreed to produce that data was in its surreply to the motion to compel.

A. I don't recall the first time that that data was made available, but I know it has been made available and has been turned over.

Q. As of --

A. As of today.

Q. -- 20 minutes ago, correct?

A. Yes. To the best of my knowledge, it was not turned over prior to that.

7. The NIT is like a set of burglar's tools...

Q. You say the exploit would shed no light on what the government did. The government deployed this exploit, correct?

A. The government used the exploit to deploy the NIT.

Q. And I believe you used the analogy that this exploit is like a way of picking a lock, right?

8. … except that sounds really bad and not something the "good" FBI should be doing. So, now it's an open window.

A. Yes. A more accurate analogy may be going in through an open window. As I've stated in my declaration, there was a vulnerability on Mr. Matish's computer. The FBI did not create that vulnerability. That vulnerability can be thought of as an open window. So we went in through that open window, the NIT collected evidence, and then left. We made no change to the window.

There's plenty more to read through and Zdziarski's Twitter stream contains several highlights and some incisive analysis. Matish's lawyer also makes a very good point about the problems with using insecure data -- transmitted in unencrypted form -- as forensic evidence.

To prevent tampering with the evidence. I mean, this is analogous to -- I mean, there's a crime scene. Certain evidence is collected, and rather than bagging and labeling it and following established techniques for how evidence is to be collected and transferred back to, you know, the server, which is like an evidence locker, they just threw everything in the back seat of the cruiser and drove back. Oh, and, by the way, they won't tell us whether on the way back they also picked up someone else who rode in the back of the cruiser.

Or as Zdziarski puts it:

He also points out that the FBI's refusal to allow Matish to examine the NIT is not at all aligned with normal evidentiary practices.

We've set out through our expert declarations exactly why this information is critical, and the government is saying, no, we've looked at it, we've analyzed it; our experts say you wouldn't be able to make a meaningful trial defense based on this information. But in some ways, Your Honor, that's the same as saying, we're not telling you who our confidential informant is. You don't need to talk to him, because we're telling you he's believable and everything he's saying is true. You don't need to look at the DNA tests from the lab, because we're telling you it's a match, and we're telling you the tests were fine.

Despite this, the court decided to deny the motion to suppress and Matish will be dealing with the evidence collected against him. According to this testimony, it isn't much -- some images found in unallocated space, suggesting they had been deleted. That's not much but it may be enough to secure a conviction.

But the testimony gives us greater insight into the FBI's handling of forensic evidence and its perception of the exploits at its disposal. And what's on display here is far from encouraging.


Reader Comments


  • John Fenderson (profile), 13 Jul 2016 @ 1:21pm

    Stunning

    That's a stunning bit of testimony, right there. It leaves me with the same question I've been asking every single time an FBI "expert" talks on these issues:

    Is he incompetent, or is he lying?

    "Both" is a possible answer, but "neither" is not.


    • Anonymous Coward, 13 Jul 2016 @ 2:09pm

      Re: Stunning

      This is why I think anyone believing anything the government says is a fucking fool!

      People erroneously think that the government has no reason to lie, but the people that work in law enforcement have their own egos, motivations, and reasons to lie to put people behind bars. A person's innocence means fucking shit to them!

      As long as they get their pound of flesh they are happy, it matters not if it comes off a hardened criminal (bonus) or an innocent child.


    • Padpaw (profile), 13 Jul 2016 @ 4:35pm

      Re: Stunning

      Does it matter when the judge decides to ignore the law and allow the government to get away with blatantly illegal measures?

      In an equal-justice-for-all system it would make a difference, but here the citizen always loses, even when the law should be on their side.


    • Anonymous Coward, 14 Jul 2016 @ 12:40am

      Re: Stunning

      As always the answer is: They are a little of both.
      But the real reason is they are strongly biased, coupled with the mind-set that they are the good guys and can do no wrong. I would compare them with a criminal insane person that sees no error in his doing and rationalises everything he did as good and correct. He is simply asking himself why nobody can see it correctly, they must all be crazy.


  • Alhena, 13 Jul 2016 @ 1:29pm

    Like an open window

    After you've thrown a brick through it.
    "Oh, look, the window's open now!"


    • That One Guy (profile), 13 Jul 2016 @ 2:13pm

      Re: Like an open window

      A better analogy would perhaps be that it's like looking through an open window after you send someone to break in and open the window first.


      • Anonymous Coward, 13 Jul 2016 @ 3:26pm

        Re: Re: Like an open window

        Not in the least. Vulnerabilities are flaws in design that permit unintended use or access. Exploits are the code or techniques to leverage the vulnerability. Burglar tools are the right analogy.

        A window left unlocked is an error or a choice, not a vulnerability. No exploit required. This is the same as leaving a password on a sticky note. You still have access, but you did not use an exploit.

        A window that is locked, but there is a way to unlock it from the outside has a vulnerability. A piece of metal fashioned to fit that vulnerability is an exploit.

        The FBI didn't go through an open window. They used a tool (exploit) to gain access to the computer by means of a vulnerability. "Burglar tools" may not sound so good because they are the 'Good Guys', but they still used custom tools to gain surreptitious access to a computer that the user reasonably believed to be private and secured against unauthorized use.


        • Anonmylous, 13 Jul 2016 @ 4:51pm

          Re: Re: Re: Like an open window

          Exactly, they are like burglar's tools in that sense.

          Now, since the FBI has proven that his computer had vulnerabilities, and was using a TOR network.... well, seems like maybe those deleted files might not have been put there by him. Just sayin'.


  • Anonymous Coward, 13 Jul 2016 @ 1:29pm

    3. Encryption would ruin the integrity of the collected evidence.

    Why are they in court then, as the evidence went through multiple layers of encryption traversing the TOR network?


  • Anonymous Coward, 13 Jul 2016 @ 1:37pm

    Number 4 seems pretty egregious. They're literally admitting that they can intentionally use words in ways that are not intended in their common usage and pretend that that's what others are saying.

    "When you say you're innocent, we hear you saying you're guilty, so we're just going to skip the trial and go straight to the sentencing, because...words!"


  • Anonymous Coward, 13 Jul 2016 @ 1:57pm

    a reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious
    So all those times that the police wrecked a property (sometimes even the wrong property!) because they were executing a court order were not malicious. They could not possibly have conducted the search in a less destructive manner. They wrecked the property because they cared so much about the property owner that they just had to destroy the property so that it could be rebuilt, at the owner's expense, of course.


    • John Fenderson (profile), 13 Jul 2016 @ 3:49pm

      Re:

      We don't even have to go that far to shoot down that statement, because the statement is literally nothing more than word games.

      In the computer security world, something is "malicious" if it is attempting to bypass your security measures. The ultimate intent, and whether or not the people doing it are "bad guys" is irrelevant to the meaning of the term.

      But the government and large corporations had started playing that particular word game many years ago. It certainly didn't start here. Avoiding that game is one of the major reasons why security companies started preferring the term "PUP" (potentially unwanted program) instead of "malware" -- it's a weird kind of political correctness.


    • Cephei, 13 Jul 2016 @ 6:49pm

      Re:

      So all those times that the police wrecked a property (sometimes even the wrong property!) because they were executing a court order were not malicious.

      Of course not, because the police can do no wrong! Don't you know anything?

      /s


  • Anonymous Coward, 13 Jul 2016 @ 2:03pm

    My ironclad defence.

    I'm gonna go and empty my neighbor's house now. It's okay, the window is open.


  • Paul Renault (profile), 13 Jul 2016 @ 2:04pm

    The sloppiness was designed in, it wasn't a bug.

    Considering how they used to 'record' interrogations, I'm not surprised, one bit: one agent would ask the questions, the other would hand write down questions and your answers.

    No possibility of abuse there, eh.

    Quoting from a May 2014 AZCentral article:
    http://www.azcentral.com/story/news/politics/2014/05/21/fbi-reverses-recording-policy-interrogations/9379211/
    Put simply, in the absence of recorded interviews, defense lawyers have been able to undermine honest testimony by some FBI agents while, in other cases, agents misremembered, distorted or lied about suspect statements.
    ...
    In 2006, the New York Times uncovered another explanation for the DOJ policy, spelled out in an internal FBI memorandum. Basically, it argued that jurors might be offended, possibly to the point of acquitting defendants, if they observed the deceit and psychological trickery legally employed by agents to obtain information and confessions.


    The 2006 FBI memorandum below (relevant section: page 4, item 3).
    http://www.nytimes.com/packages/pdf/national/20070402_FBI_Memo.pdf


  • Groaker (profile), 13 Jul 2016 @ 2:05pm

    The FBI laboratories have always been held up as a shining example of outstanding forensic work. Having spent my career in the sciences, I am ashamed of what these mendacious reprobates do in the pursuit of convictions. Time after time their methods and "invented" tests could not survive a Daubert challenge were it not for the FBI's ability to force publication in journals.

    Their perjuries at trial are pathological, and performed even when there was no reason to add to the mountain of evidence. The FBI claimed that its laboratories could discriminate between fertilizer lots at the trial of McVeigh. And that analysis of the residuals found at the scene tied to the lot that was purchased. Yet the test that was used could not distinguish between urine and fertilizer, nevermind lots of fertilizer.

    Other tests have been "invented" and used at trial, when at least one of them could have been refuted by a high school algebra student a month or two into the course.


    • Matthew Cline (profile), 13 Jul 2016 @ 4:25pm

      Forced publication...

      Time after time their methods and "invented" tests could not survive a Daubert challenge were it not for the FBI's ability to force publication in journals.

      Wait, what?


  • Anonymous Coward, 13 Jul 2016 @ 2:06pm

    The NIT put the images there

    Since the defense can't even get access to the NIT to verify what it can and can't do, we have to assume it loaded the images onto the computer in the first place. That would be like the FBI walking into someone's home after they picked the lock and searched it. No warrant specifying who or where this would take place.


  • That Anonymous Coward (profile), 13 Jul 2016 @ 2:18pm

    And this is why we need Judges who have some knowledge of the subjects. While each side can put on experts, it seems that Judges go with the official narrative even as everyone else is staring at them going WTF are you saying you moron.

    This is another case where it appears the ends, busting CP weirdos, justified the means, deploying malware - violating rights - lying in court.

    Everyone wants those who traffic in CP to end up away from children before bad things happen, but if we keep turning a blind eye to them being screwed over the odds of it happening to a 'Good Person (tm)' tick up to 100%.


    • Anonymous Coward, 13 Jul 2016 @ 6:38pm

      Re:

      ...Judges go with the official narrative even as everyone else is staring at them going WTF are you saying you moron.

      Hey, they're part of the same government. What do you expect?


  • That One Guy (profile), 13 Jul 2016 @ 2:20pm

    Bad and worse

    While it's bad enough that the FBI's agent feels confident in lying and/or making misleading statements to the court, it's perhaps even more worrying that the judge seems willing to buy those lies and absurd claims.

    Expecting honesty from the FBI is like expecting honesty from a politician; sure you might get it, but only rarely, and only when it serves their interests. However you'd like to think that a judge would be a little more practiced at spotting rubbish like that, and willing to call the one making it out for presenting conflicting or flat out wrong assertions. That they seem willing to just accept the FBI's testimony at face value is troubling to say the least.


  • Anonymous Coward, 13 Jul 2016 @ 2:28pm

    MAC randomization on iOS, Win10, etc.


    • John Fenderson (profile), 13 Jul 2016 @ 3:53pm

      Re: MAC randomization on iOS, Win10, etc.

      There is no standard way of changing the MAC, but it's been possible to do it on every piece of equipment I've touched since MACs became a thing.

      There probably does exist equipment where the MAC is unchangeable, but it's certainly a small percentage.


  • Anonymous Coward, 13 Jul 2016 @ 2:58pm

    7. The NIT is like a set of burglar's tools...

    Q. You say the exploit would shed no light on what the government did. The government deployed this exploit, correct?

    A. The government used the exploit to deploy the NIT.

    Q. And I believe you used the analogy that this exploit is like a way of picking a lock, right?

    This is putting words into the mouth of the FBI agent. A much better quote would be to include the earlier lock picking analogy that the questioner is referring to.


    • Anonymous Coward, 13 Jul 2016 @ 3:01pm

      Re:

      > 8. … except that sounds really bad and not something the "good" FBI should be doing. So, now it's an open window.

      ... except that calling it [like] an open window doesn't help for warrant purposes. And that analogy makes it a black bag operation, instead of a legal search.


    • Anonymous Coward, 13 Jul 2016 @ 6:45pm

      Re:

      This is putting words into the mouth of the FBI agent.

      The hell it is. Recalling someone's own words is not putting words into their mouth.


  • Anonymous Coward, 13 Jul 2016 @ 3:06pm

    > some images found in unallocated space, suggesting they had been deleted.

    ... like would happen if someone encountered an image through their browser, then deleted the browser history?

    So... someone can, with a drive-by image load, put evidence on your computer sufficient to get you convicted of child porn.


    • Anonymous Coward, 13 Jul 2016 @ 3:28pm

      Re:

      Exactly what I was thinking too.

      The guy maybe went to the site by accident or didn't know what it was beforehand. Of course, if that was the situation I'm sure he would have raised it by now.

      Still the presence of the image can be explained both for or against the plaintiff so far.


    • Richard Robertson, 15 Jul 2016 @ 10:29am

      Re:

      Sadly this has happened. I'm directly familiar with a case where a guy had a relative using his computer. The relative downloaded CP through some form of automated means. The original person got hit with an electronic search of a file-sharing program running on his system. He was about to do a virus check on suspicious activity on his system when the cops came knocking. The relative actually admitted to doing the deed later but the guy still took a plea deal on a misdemeanor. I saw much the same lies by a state level cop as here and actually wrote up an expert analysis for his public defender. Actual innocence is apparently not a defense on CP any more. God help you if you get a machine as a rental!


  • Padpaw (profile), 13 Jul 2016 @ 4:20pm

    As far as I have seen, the only thing the FBI is interested in is abusing the power they have to ruin the lives of law-abiding citizens.


  • Anonymous Coward, 14 Jul 2016 @ 4:19am

    These guys testifying for the FBI sound about as competent as the ones pushing for magic back doors built into encryption that only the good guys can use cause they'll have a magic unicorn with a golden key and all it'll take to make it all happen is for the tech guys to just nerd harder.


  • Ryunosuke (profile), 14 Jul 2016 @ 7:16am

    I think the bigger issue is that the US govt can do no wrong, it is a god.

    It *claims* to be good, without looking to see if what it is, truly is, good. For some unfathomable reason, it thinks that it cannot be corrupt, with all that money pouring into it. Point is, it derides nations that do THE EXACT SAME THING, WITH THE EXACT SAME REASONS, but no, it is good because.... US govt is good(?)

    So I asked in a chat I frequent, and: "Sounds like the FBI has a case of the stupid" - German citizen.

    A question though, why in the hell does this NOT run afoul of the CFAA?!? It DID access a computer without the user... owner's permission. That should carry a minimum of 20 years in prison.


    • John Fenderson (profile), 14 Jul 2016 @ 7:59am

      Re:

      "why in the hell does this NOT run afoul of the CFAA?"

      Because the CFAA provides specific exceptions for law enforcement.


      • Rana, 14 Jul 2016 @ 10:36am

        Re: Re:

        Because the CFAA provides specific exceptions for law enforcement.

        Yeah, because as I said in another comment, it's only at when other people do it.


    • Anonymous Coward, 14 Jul 2016 @ 10:35am

      Re:

      Point is, it derides nations that do THE EXACT SAME THING, WITH THE EXACT SAME REASONS, but no, it is good because.... US govt is good(?)

      It's only bad when other people do it.


