from the only-criminals-use-patched-browsers-amirite? dept
An indirectly-involved party in the FBI's Playpen case has waded into the fray and is demanding answers. Mozilla wants to know about the security flaw the FBI exploited so it can fix it. (h/t Brad Heath, Nate Cardozo)
Mozilla now seeks to intervene in relation to the Government’s pending Motion to request modification of the Order, or in the alternative, to participate in the development of this issue as amicus curiae in favor of neither party, for the purpose of requesting that the Court modify its Order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the Defendant. Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability. This risk could impact other products as well. Firefox is released under an open source license. This means that as Firefox source code is continuously developed, it is publicly available for developers to view, modify, share, and reuse to make other products, like the Tor Browser. The Tor Browser comprises a version of Firefox with some minor modifications to add additional privacy features, plus the Tor proxy software that makes the browser’s Internet connection more anonymous.With the Tor browser being built on the Firefox framework, any exploit of Tor could affect vanilla Firefox users. Not only that, but the FBI is apparently sitting on another Firefox vulnerability it used in a previous investigation to unmask Tor users. (This refers to the FBI's 2012 child porn sting, which also used a NIT to obtain information about visitors to a seized website.) The filing notes the FBI has been less than helpful when approached for info about this Firefox/Tor-exploiting NIT.
Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products. Accordingly, Mozilla requests that the Court modify its order to take into account how such disclosure may affect Mozilla and the safety of the several hundred million users who rely on Firefox.Mozilla wants to see this information two weeks before it's disclosed to the defendant so it can patch the hole. While it's not unopposed to the information being turned over to the defendant, this headstart would allow it to fix the vulnerability before it becomes public knowledge and turned into a weapon to be wielded against millions of Firefox users.
There's a Fifth Amendment implication here as well: the due process right of third parties to act on behalf of properties or interests affected by criminal investigations or court decisions.
To consider the weight of Mozilla’s interests, this Court must determine whether the Exploit to be disclosed takes advantage of an unfixed Firefox vulnerability. If it does, Mozilla will suffer harm if the Court orders the government to disclose the vulnerability to the Defendant under the existing protective order. Likewise, Mozilla continues to suffer harm by the Government’s refusal to confirm at this point whether Firefox is the target of the vulnerability. [...] Due process compels this Court to hear Mozilla’s arguments and consider its interests before rendering a decision.The proposed protective order doesn't do enough to prevent discovery of the vulnerability, according to Mozilla.
The protective order does not contain restrictions on disclosing knowledge learned through examining NIT Protected Material. This alone marks a serious deficiency in the Protective Order as the damaging information about the vulnerability is likely something that someone can easily remember. Rather, the Protective Order’s disclosure restrictions are limited to the further distribution of the copies of information the defense receives from the government. Without more restrictive provisions, the protective order relies too heavily on the Defendant’s representations he and his defense team will not share copies, but not on any explicit agreement that they will not share or use information learned or that they will put security safeguards in placeNot that the NIT's specifics are necessarily secure if the court refuses to order disclosure to Michaud or Mozilla. The declaration entered by defendant Jay Michaud's expert witness points out that the previous use of the NIT in the 2012 case resulted in the FBI turning over information about the exploit to the defendant. So, there's precedent for disclosure, which is what Michaud's lawyer is demanding. But there's also evidence the FBI is hardly the best repository for exploits and vulnerabilities.
The Cottom case, which also involved an FBI NIT, provides a helpful comparison. In Cottom, the government agreed to cooperate with the defense's discovery requests. However, the FBI later reported to the Nebraska court that it had lost part of the NIT source code. Given the potential harms and security issues the government has raised in connection with the disclosure information, the FBI's loss of NIT code in Cottom is still hard to understand. But there at least the government did not dispute the defense's need to analyze all of the available components and code to prepare pre-trial motions, a Daubert challenge, and potential trial defenses.Hard to understand, indeed. How does someone lose "part" of an exploit's code, especially considering the FBI's obvious interest in deploying it in other investigations? Might just be stupidity, but considering its evidentiary implications and the FBI's extreme reluctance to expose "means and methods," it also smells a bit of maliciousness.
While Mozilla's attempted intervention may force the FBI to turn over information on its NIT, it's unlikely to be much of a direct benefit to Michaud. His lawyer is opposed to Mozilla's request for exploit info and its offer to appear as an amicus in support of Michaud's motion to compel. His filing notes that while Mozilla is not opposed to the FBI also turning over this information to Michaud, he and his client have no interest in returning the favor should the court side with Michaud, rather than Mozilla.
Mr. Michaud has no stake in Mozilla’s dispute with the Government. Further, the defense has no intention of disclosing any NIT discovery to Mozilla, a third party, or the public in general under any circumstances. To the extent that Mozilla is concerned that the existing NIT protective order does not provide “adequate safeguards” (dkt. 195 at 12), the defense has stated that it is amenable to any and all additional security measures and modifications to the existing NIT protective order that the Court deems appropriate.Not an unreasonable response, as Michaud's lawyer's ultimate duty is to serve his client, not millions of Firefox/Tor users. As for the government, it's likely incredibly irritated that its super-secret tool is gaining it no traction in supposedly open-and-shut child porn prosecutions. Not only are courts finding the warrants used to perform this extrajurisdictional searches invalid from word one, but defendants are pushing back hard against the FBI's "investigative methods" secrecy and dismissive attitude towards the Fourth Amendment. I'm sure it had no idea it would be 198 documents deep into a single child porn case at this point -- much less being nowhere closer than day one to securing a conviction.