Facebook Helped Develop a Tails Exploit (vice.com)
326 points by 1cvmask on June 16, 2020 | 111 comments


It's worth reading the original article in full. I simultaneously understand why they did it and am deeply uncomfortable with the tactic.

https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fb...



This guy deserves what was coming to him, I can understand how it would be very tiresome to deal with a pest like this who keeps coming back, but breaking norms about reporting bugs to vendors like this sets a very nasty precedent.

As does a company like Facebook spending large sums of money to narrow down on specific people, it could be someone you hate today and an activist the next.


> it could be someone you hate today and an activist the next

Facebook had no control over the exploit once it was handed over to the FBI. It could have been simultaneously used on the child predator and 100 activists at the same time.


Yes, this is it, exactly.

Which is why Apple didn't help the FBI break iOS.

They did choose to not provide true E2E encryption for iCloud, however :(


The FBI doesn't need Apple's help currently. iOS exploits have become cheaper and more common than Android

https://threatpost.com/android-zero-days-worth-more-iphone-e....


Disclosure: Throwaway as I am a former employee. No inside knowledge in this case.

> This guy deserves what was coming to him,

I agree.

And on the scale of users FB has, he is most assuredly not the only one like him on Facebook.

I wonder how many there are that the company has no idea about, that perhaps are in countries that are not so well connected that they will get a dedicated FB employee to look into, who frankly FB does not and will not give a shit about.

I am therefore having some trouble believing they did this entirely in good faith. How many others are there that they will do absolutely nothing about?


Ofc it is not only good faith but I guess it is also a factor. They did it because:

- It makes their platform more secure.
- Good PR
- Assisting LEO prevents future problems with new laws etc.
- It is good faith

In general, decisions like this always have multiple dimensions. It is always a calculated decision.


Facebook are masters when it comes to controlling the narrative (damage control is their expertise). There is almost certainly something else under the surface. I find it implausible that Facebook would care enough to go after a single individual. No matter how bad that individual was. If they did this for every criminal of that level who uses Facebook, they'd run out of money. They simply cannot do this. Whenever the media or a big company focuses on a single individual, it's never actually about that individual. It's either about some higher social concept or it's simply a PR stunt to control the narrative. I think anything of this sort which comes out of Facebook is more likely to be damage control. They probably came up with the narrative before they even implemented this backdoor.

Facebook has teams of people whose entire job is covering Facebook's ass. Before Facebook even does something bad, they already figured out an excuse for it before they even started doing it. If they didn't have an alibi, they wouldn't even do the crime. That's the kind of operation they run. They preemptively create the narrative, then they act. Why do people treat Facebook as if it were a conscientious person?


Facebook have spectacularly shit PR.

The only reason the world isn't hating on them as much is because people need the platform to stay in touch during covid.

They carry far less info about people than google, google literally are funnelling data to all sorts of shady companies, and yet people trust google more.

Google literally tracks you across all of the internet, meatspace and beyond. Facebook can't do anywhere near as much (yet, AR glasses might change that).

Zuckerberg's utter inability to deal with Trump effectively is symptomatic of the PR incompetence at the top. They have no idea that the outside world might think ill of actions. They are continually surprised when shit blows up in their faces.

In short, no, FB are utterly terrible at controlling the narrative.


Well, Facebook actively campaigns against privacy, and the FBI actively campaigns against encryption.

This is great PR for them to say that both privacy and encryption are bad and should be outlawed.

Wouldn't be surprising at all if that's how they spin it.


>Facebook actively campaigns against privacy

Source? I know FB is pretty bad with the privacy of users of its own services, but I'd be curious to see how they've campaigned against privacy.


I think stories like these reinforce the idea that it's okay to develop certain technologies or adopt certain policies or create infrastructure to stop the bad guys.

For example, there's a reason most justifications we've seen regarding mass surveillance or automatic recognition systems are boiled down to two things:

stopping harmful material

terrorism

Of course, they take a topic that you wouldn't even dream of arguing against and use that against you.

If they wanted to erode our freedoms to stop harmful material I'm sure most would likely accept that outcome as I feel they have done (AI/facial tech)


Why the stupid downvotes?

A for-profit company spending millions needs a justification stronger than a penchant for vigilante justice.

A lot of big companies have a proven history of quietly cooperating with cops, three letter agencies and military.

That type of cooperation often leads to multi-million, even billion $ contracts and special favors from political power.

What is facebook trying to achieve?


> What is facebook trying to achieve?

Good PR for stopping predators.

Flexing their power in front of the FBI and other tech firms.

Trying to demonstrate how obliterating privacy can sometimes have upsides.

Plus, it's clear that Brian Kil was a particularly bad actor and worthy of taking down.


or, more obviously, that having a famous paedophile prancing around on its platform is bad for business. So knocking him offline is worth the cash.


«They also paid a third party contractor "six figures" to help develop a zero-day exploit in Tails: a bug in its video player that enabled them to retrieve the real I.P. address of a person viewing a clip.»

This sounds like they describe the well-known WebRTC leak: https://restoreprivacy.com/webrtc-leaks/


Other than WebRTC being related to video playing, I don't see the connection. They don't really describe the exploit, so it's hard to say, but the WebRTC leak isn't really in the video player part, it's super well known (literally a feature, not a bug) so I don't think you would need to pay six figures for it, and Tails uses Tor Browser, which doesn't support WebRTC.


But you can install WebRTC enabled browsers in tails. Depending on how tech-savvy someone is, they could be motivated to install one of them.


The article specifically says the issue was in code that used to be in Tails and isn't anymore. Additionally, the Motherboard article describes the payload as a video file uploaded to Dropbox, which doesn't sound like WebRTC.


Yes, I doubt that it's WebRTC. Or at least, I recall similar vulnerabilities in video player code that predated WebRTC. There used to be a Metasploit leak-testing site (Metasploit Decloaking Engine) which checked for IP leaks via video, PDFs, etc. And it included an early version of the NIT that the FBI has used since ~2011.[0]

0) https://securityaffairs.co/wordpress/43442/cyber-crime/fbi-u...


I wasn't saying that's how it happened (regarding the article). It was to expand on:

> and tails uses tor browser which doesn't support webrtc.

and how (in other instances than the situation in the article) the WebRTC flaw could be used. I wasn't specific enough.


If it is that simple, this is used in most widespread adtech analytics..


The vulnerability should have been disclosed to Tails developers as soon as Hernandez was arrested.


The FBI would rather let a suspect go than reveal the vulnerabilities it is exploiting.

https://www.schneier.com/blog/archives/2017/03/fbis_exploit_...


Well yes, but the fact that it was already patched in the next Tails release, and that was the reason they pulled the trigger when they did, makes even that concern less of a practical problem. It was basically going to get fixed in short order no matter what they did.


Since they never released the exploit, in reality we have no way of verifying this is actually true. It very well could be the case Tails still has this vulnerability.


In my opinion, Hernandez screwed up by not appreciating the risk profiles for Tails and Whonix. Tails is a LiveOS, which doesn't leave traces in RAM or on disk. Whonix is a pair of VMs, one with the Tor process, and the other with user apps. Using Whonix, exploits like this are impossible, because the apps VM has no public IP address, and can hit the Internet only via Tor.


I can imagine for high-value target there are stacking exploits:

1) escape from browser into VM

2) escape from VM into host

3) run exploit on host


True. However, such high-value targets would be isolating the Tor process and apps at the hardware level. It's over my head, but I can imagine elements from Tinfoil Chat and Qubes Air.

And yes, vulnerabilities in Tor have been exploited. So it's prudent to hit Tor via nested VPN chains, just in case.


Could you use a ring of VPSs spawning independent VM sessions, which are randomly connected to as needed, and puppeted by scripts or ML, used by others in the meantime, and torn down randomly and on a schedule. Cloud hop in the noise.


Let's hope somebody works backwards and looks at patches made to the Tails video player and looks for something that could have been an exploit


Did they disclose it anyways? If not, why not even if it was already ineffective?


> For years, a California man harassed and terrorized young girls, extorting them for nude photos and videos and threatening to kill and rape them or shoot up their schools. Much of this abuse took place on Facebook, and now, months after the man, Buster Hernandez or “Brian Kil,” pleaded guilty,

From Engadget coverage [1], I feel a bit of context is missing in TFA.

[1] https://www.engadget.com/facebook-fbi-hacking-tool-targeted-...


In my apparent ignorance, when I first read the title I actually imagined Facebook developing a backdoor of some kind into Tails, given that Tails is open source.

Then I understood that "developing" an exploit means taking advantage of existing properties/vulnerabilities.

Is this standard wording in security circles?


"develop" here refers to the process of (potentially) researching and then subsequently writing the software that exploits a vulnerability (an 'exploit'). It's used in the same sense as any other software development.

The process of discovering a vulnerability is called 'vulnerability research'.

So when Schneier says Facebook paid for an exploit to be developed, it means they paid for software that exploits a vulnerability.

In the case of paying for such exploits, it's not always clear who exactly did the research. Often the research comes from a third party who put together a simple proof of concept that demonstrates only that the security control can be breached (the PoC) -- then, a contractor may buy this vulnerability ('0day') from e.g. zerodium and develop an exploit for it, which will usually be pretty much point and shoot so you don't need an exploit dev team to leverage it.

Hope that makes sense.


> Is this standard wording in security circles?

Yes. There is a large industry that develops products for law enforcement and intelligence agencies focused on "exploit development," which is largely focused on developing exploits for zero day vulnerabilities in widely used software.


I think it would have said "backdoor" somewhere if they had developed the actual vulnerability.


Facebook could at least have had the decency to report the bug after they were done, who knows what the FBI / NSA are using it for now.


According to this article [1] the code involved with this exploit should be removed at some point.

" A factor that convinced Facebook’s security team that this was appropriate, sources said, was that there was an upcoming release of Tails where the vulnerable code had been removed. Effectively, this put an expiration date on the exploit, according to two sources with knowledge of the tool.

As far as the Facebook team knew, Tails developers were not aware of the flaw, despite removing the affected code. One of the former Facebook employees who worked on this project said the plan was to eventually report the zero-day flaw to Tails, but they realized there was no need to because the code was naturally patched out. "

[1] https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fb...


> As far as the Facebook team knew, Tails developers were not aware of the flaw, despite removing the affected code. One of the former Facebook employees who worked on this project said the plan was to eventually report the zero-day flaw to Tails, but they realized there was no need to because the code was naturally patched out. "

So there's no way for anybody to verify that the code is actually being removed, or that the exploit won't crop up again in the future. I don't trust them or the FBI at all in this.


That would also be the perfect way to avoid disclosing the vulnerability so they could keep using it.

Not saying that’s what is happening here, but it’s not like Facebook has a glowing reputation to begin with. Telling the vendor that a future release will patch the bug gets everyone to stop asking questions without really knowing if it’s true.


If you have need for Tails and you continue to use old versions of it out of laziness, then you really are just begging to be pwned. We're not talking about consumer-grade Ubuntu here.


I think you misunderstand me.

By telling Tails that the vulnerability will be patched in a future release without disclosing the details of the vulnerability, Tails has no way of knowing if this is actually true.

It’s easy to be a little skeptical when a company spends 6 figures to develop an exploit and then state publicly “we can verify that the issue will be patched in a future Tails release, but we’re not going to tell them or anyone else what the exploit was in the first place.”

If you wanted to keep using that exploit, or sell it, the easiest way to do so would be to tell Tails that it’s going to be fixed without actually giving them any details about it.


I think the parent is saying that Facebook could have been lying about the exploit being patched away, in order to keep the exploit available and have an excuse as to why they didn't reveal how they did it.


It's a little bit short-sighted, divulging the exploit makes sure it is known and reduces the chances it happens again in the future


There's a clear downside that this can't be used against the next kid-molestor.

But then, this also can't be used against every other human being who needs privacy either. E.g.: Journalists, activists, anyone who disagrees with a large government, etc,


This is in line with the arguments for/against Tor in general. I believe if you agree with Tor as a principle, then you should agree that making this exploit known is better overall.

As an aside, I believe everyone needs privacy, so I'd rather say that everyone benefits from it, not just the usual journalists, activists, whistleblowers, etc...


Given their track record, I don't really trust Facebook, but if I take this at its face, reporting the exploit could get it patched faster and may help in finding similar issues in the code.


True. Also this information, if true, could help locate the vulnerable code. I'm not sure if it would be worth it however, it depends on how many outdated tails are in the wild and the exploit complexity.


Maybe don’t watch videos on tails for a while...


Fascinating part in the story about his arrest (first link in the vice article) is that the FBI set up cameras outside his home to correlate his physical presence with internet activity from the IP address.

You frequently get people on the internet saying "Your IP address doesn't prove anything", but I was always curious how that worked in the real world.


IIRC the authorities did something similar to bust one of the LulzSec members in Chicago. Once they identified a suspect, they surveilled his residence and correlated his physical presence with online chat logs despite his use of tor.


Jeremy Hammond.


I don't know about the US, but it is generally very easy: go to the ISP with the IP+date and an order from a judge and they'll tell you who was using it.


> they'll tell you who was using it

IP only tells the investigator whose name is on the ISP account, not which person was at the keyboard. Your recommendation only helps the police know where to set up the surveillance, not who to bring charges against.


They'll tell you who pays for the connection. They can't reliably tell you who uses it. Maybe it was a family member, roommate or anybody who knows the wifi password.


A slightly more complicated timing attack...


This is something to consider in the recent development of Amazon and Microsoft saying they won't sell facial recognition to law enforcement. I expect police will approach this minor inconvenience by outsourcing to a private company who will do the face scanning for them.


Government contractors like General Dynamics are already all over facial and license plate recognition. AMZN and MSFT not getting on board isn't going to slow it down, just delay it from landing in consumer software.


This is why I think we need to be careful when considering a ban on facial recognition. Pandora's box is open.

Even if we do decide on some kind of ban, we need to assume facial recognition will always be used by someone, somewhere, and design our social systems to account for that fact.


Seems like the lede is buried -- what is the video player exploit? Is there really a way to modify video files such that playing them locally can broadcast an IP address?

Think this is less about Tails and more about this "video-tagging" tech.


Without a zero day in the actual decoder (which is probably a possibility given the resources they poured into this), one way would be to send someone a playlist file that tells the player to fetch the video from some URL. Does the player on Tails obey proxy settings when playing URLs from an m3u? Maybe it was that easy or maybe they had to abuse something like fragmented nature of Linux media playback to find a neglected component that carelessly makes network connections, or find a way to call youtube-dl which is often integrated with these players.


some DRM video formats can ping the servers for sure.


Facebook also doesn't report the browser exploits they use to track people, nor the wetware exploits they use to drive engagement. Just sayin'.


To deepen the ethical quandary: what if Facebook had developed the exploit for this case, and then the FBI used it for an unrelated, not-child-molesty case?

At some point you have to wrestle with the fact that law enforcement is predicated upon having strong tools with which to deal with law breakers of all kinds, not just the few you find particularly onerous. They're going to need to perform ethical hacking to prosecute people under laws or circumstances you disagree with. And it would probably be better for us if they didn't always have to hack to get the information.

I think we need to work much more closely with law enforcement, not just technically on being able to lawfully intercept private communications, but in what laws and what cases its use is allowed. Nobody trusts the government in this age, but I think that needs to change, and it's the people that need to step up to rein in their government, not vice versa. That means more oversight, restrictions on when and how powerful tools can be used, periodic review, input into the design phase of new technologies, and so on.

We can use our brains to both make it more difficult for them to abuse advanced tools, and also make it more convenient to use them to solve serious crimes. We don't have to live in a black and white world where we either allow everything or allow nothing. We can live in a world of gray, but we have to step up to create that world; we can't just expect to keep saying 'no' to law enforcement and them being able to do their jobs, which is keeping our people safe.


> and then the FBI used it for an unrelated, not-child-molesty case?

You must assume this is the case. The FBI isn't going to stop using a tool just because they caught one suspect in one case.


There's an easy way to fix the WebRTC leak issue network wide: Use a VPN on your router so your network clients literally don't know their "real" IP and therefore can't leak it. Same thing works for TOR. In my experience OpenWRT and a WireGuard VPN provider work best.


I don't think it was a WebRTC issue, I think they crafted a video such that the decoder would end up executing code.

Similar to what happened to Jeff Bezos.


The point is that you can't have the Tails machine decide what connections are proxied through Tor and which are not. If you have an external device like a router or a Raspberry that transparently tunnels the data, a compromise of the Tails machine can't trivially expose your real network connection.


One thing that I've thought about this is that whether you do the firewalling on the end-user device or on another device, the firewall will normally permit connections to every Tor guard. That means that if an attacker can make the device make a "special" TCP connection of any kind (e.g. just an HTTP request) to an arbitrary IP address and port number, it could make that connection to an actual Tor guard node run by an affiliate of the attacker. Then the attacker can distinguish that connection from other Tor activity because it isn't Tor traffic.

The point of that is to say that "only allowing the machine to talk to Tor nodes" wouldn't stop an exploit from effectively bypassing Tor—by talking in a slightly unusual way to an adversary-controlled Tor node!

If they're not already doing it, it might be safer for Tails to learn the specific guard that its copy of Tor is using at a particular time, and only allow outbound traffic to that guard rather than to any Tor node. (Another precaution which they might already be taking: only the Tor daemon process should be able to open remote sockets at all.)
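
The policy difference described in the comment above, as an added example that is not part of the original thread: it replays a constructed egress log against an "any Tor relay" allowlist and against a rule pinned to the current guard and the Tor daemon's account. The relay addresses (RFC 5737 documentation ranges), the account names `debian-tor` and `amnesia`, and the single-guard simplification are assumptions.

```python
"""Compare two egress policies for a Tor-only host, using constructed data."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Conn:
    uid: str   # local account that opened the socket
    dst: str   # destination IP address
    port: int  # destination TCP port


# --- Constructed sample data (not real relays) ---------------------------
TOR_UID = "debian-tor"  # assumed account name of the Tor daemon
RELAYS = {("192.0.2.10", 9001), ("198.51.100.7", 443), ("203.0.113.5", 9001)}
CURRENT_GUARD = ("192.0.2.10", 9001)  # assumed: Tor is using exactly one guard

EGRESS_LOG = [
    Conn("debian-tor", "192.0.2.10", 9001),   # Tor daemon to its guard
    Conn("amnesia", "203.0.113.5", 9001),     # desktop process to another relay
    Conn("debian-tor", "198.51.100.7", 443),  # Tor daemon to a non-guard relay
    Conn("amnesia", "192.0.2.10", 9001),      # desktop process straight to the guard
    Conn("amnesia", "192.0.2.200", 80),       # desktop process to a non-relay host
]


def _endpoint(conn):
    """Normalise the destination so textual variants of an IP compare equal."""
    return (str(ip_address(conn.dst)), conn.port)


def allow_any_relay(conn, relays):
    """Loose policy: any process may connect to any known Tor relay."""
    return _endpoint(conn) in relays


def allow_pinned_guard(conn, guard, tor_uid):
    """Strict policy: only the Tor daemon, and only to the current guard."""
    return conn.uid == tor_uid and _endpoint(conn) == guard


def audit(log, relays, guard, tor_uid):
    """Return (conn, reason) for traffic the loose policy admits but the
    strict policy would have dropped."""
    findings = []
    for conn in log:
        if not allow_any_relay(conn, relays):
            continue  # both policies drop it, nothing to compare
        if allow_pinned_guard(conn, guard, tor_uid):
            continue  # legitimate Tor daemon traffic
        if conn.uid != tor_uid:
            reason = "non-Tor process"
        else:
            reason = "relay is not the current guard"
        findings.append((conn, reason))
    return findings


if __name__ == "__main__":
    for conn, reason in audit(EGRESS_LOG, RELAYS, CURRENT_GUARD, TOR_UID):
        print(f"{conn.uid:>10} -> {conn.dst}:{conn.port}  ({reason})")
```

Pinning to one guard is a simplification: a real rule set would have to follow Tor when it changes guards or uses bridges, otherwise it blocks legitimate traffic.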


Even so, wouldn't running Tails on a VPN have only exposed the IP address of the VPN connection?


Ideally Tor users should use something like the Whonix approach: two VMs are set up, a gateway for connecting to the internet and a workstation the user browses from. The gateway sets up the Tor connection, and the workstation is on a restricted virtual network that can only connect to the gateway.


In that case you are swapping one ISP for another. You would need a small botnet to act as your proxy provider set to make it harder to find you.


That's always the, excuse my French, bullshit reaction I see here, and it ignores several important facts:

1. Since you share your vpn exit IP with several users, sometimes hundreds, it becomes harder for any website or service you use to track you by IP alone.

2. My ISP is mandated by law to save all my browsing data (Germany here, this law changes every two months but you can assume they all log anyway). My VPN provider is not mandated and has at least some incentive to not log any data. Cost and reputation being the main ones.

3. I can for example have all my torrents exit in a country where filesharing is not illegal, making any persecution much less likely, same for other laws that are not the same everywhere.


Yes it increases the $$$ barrier to get you, but when you're this level of criminal where they make custom 0days just for you, it's doubtful they would find subpoenaing the VPN providers to find out which customer they are much of a barrier too. Many paid VPN providers in the past have also shown no problem secretly selling out their customers too.

That is why I say rotating botnet, because there is nobody to subpoena and it would require even more $$$. When you're that level of criminal, might as well go all the way.


Depending on where you live and who you use for a VPN, you're at least swapping a known bad-agent ISP for a potentially non-bad-agent ISP.


A VPN does not provide better protection than Tor. If anything, it is far less.

In both cases you need the tor daemon or the VPN software to be outside of the host running Tails.


If you're dealing with a major corporation paying six figures for a novel exploit to be developed specifically so a national intelligence agency can catch you, I think going to all the effort of preventing disclosure of your IP address by this method is somewhat plugging a hole in a sieve.


I don't believe most of the technical details of this story and it sounds like parallel construction created to avoid revealing the technique.

How would they know he was running tails particularly?

And what a happy coincidence that the 0day was patched before they even had a moral obligation to notify anyone about it. Quelle chance!


> The firm worked with a Facebook engineer and wrote a program that would attach an exploit taking advantage of a flaw in Tails’ video player to reveal the real IP address of the person viewing the video.

Doesn't Tails route all traffic through Tor by default?


The video player must not use the default protocols.


“The FBI then got a warrant and the help of a victim who sent a booby-trapped video to Hernandez”

Seriously, Vice, “booby-trapped”..? It’d be funny if it wasn’t minors. Actually, it’s still kind of funny.


Stopping random strangers from talking to kids over TOR could help to stop pests like this as well and it wouldn't cost six figures or undermine privacy.


Or a widely publicized and plausible parallel construction.


I will admit to not being a fan of FB also, but discouraged by the number of Slippery Slope arguments on this piece.


The fact that it took thousands of dollars and an entire company to write an exploit shows how secure Tails really is.


> entire company

> Facebook had tasked a dedicated employee to unmasking Hernandez


And paid six figures for outside help. The FBI's approach "was not tailored for Tails" - surely if they had any approach that would work they would use it.

If the government couldn't break in to Tails and required the outside help of two well-resourced organisations to find (and burn) a single exploit then overall that seems a pretty good endorsement of the security of a volunteer open-source project.


> If the government couldn't break in to Tails

Or they didn't want to. Now we all know it costs a measly "six figures" (100k??) to zero day a system used by journalists and activists.


That's 100k for Facebook. They have the ability to find these white- or black-hat folks, and pay them. For you, random dude or dudette on the street, that might be a little more expensive.

I would assume a huge, IT-focused org like FB already has 3-4 high-end security orgs doing pen-testing and digging for zero-days in their code; they just poured a little sugar on top of an existing contract to help squash this one online predator douche.


Looks like the bug wasn't really in Tails but in other software they use, Firefox/Tor-Browser?


Weakest link.

That’s one of the issues an aggregate system (which describes any system of meaningful size, these days) has to deal with.

How many of the massive breaches we hear about, originate with dependencies or subcontractors?


Speaking of, I always find it very telling that the knee-jerk reaction is to blame a dependency or subcontractor. That's the same mentality that says "paid for code must be better" when, last I checked, there aren't any more Windows phones, are there?

But there was a Windows password hash method in the early 2000s that could be brute forced on a single consumer grade CPU in less than 24 hours on their current-at-the-time flagship network server OS. So there's that...


I have no idea why you made that post.


The Vice article mentions the video was sent over Dropbox. I'd say the default Gnome videos app making a network request is also possible.


The nature/architecture of tails means this kind of attack is possible. Apps that can "break through" the OS networking, get access to the "real connection". Excuse my non-technical language.

Disclosure/ad: I work on Whonix, which is, uh, Tails in a VM essentially (to the person who only knows Tails and not Whonix). In Whonix, the desktop is in a VM, separate from another OS in another VM running the networking. No program in the desktop VM can reveal the public IP. On top of that, for advanced users, the desktop hardware itself might be separate from the hardware connected to the public internet.

The VM (virtualbox, kvm, whatever) is the single (practical) attack surface, which is safer than ensuring every program the user may run is patched. Excuse the rant/ad/competition-bashing.


Tails is the sum of all components including browser and video players.


or how easily a 600B company spends thousands of dollars


Other articles on this topic described that they had hired at least one full time employee just to track this one malicious user. I'm sure they also have additional fractional costs for legal, moderation, administration, PR, government oversight, and lobbying. They might even have legal liabilities to the victims (not sure).

They previously worked with the FBI to try and trap this malicious user with a TOR exploit that didn't work against Tails where the malicious user saw the effect and mocked his investigators.

The $0.5million reportedly spent for the Tails 0day seems like it might actually be proportionate (perhaps even affordable) to the costs they incurred. I'm typically pretty skeptical of the costs the FBI and large corporations assign to corporate hacks or copyright theft, but this seems like it carries legit risk if FB doesn't try to do a lot to disable these malicious actions on their platform.


I'm sure it was proportionate to the costs they incurred, but I doubt it's really necessary to spend so much money to find an exploit in Tails, I imagine a single good hacker would be able to find another one at most in few weeks of dedicated work


I now noticed that you mention a TOR exploit here too, as said at https://news.ycombinator.com/item?id=23545331 I wasn't able to find references to that


I think I inferred what I said from this quote:

> Several FBI field offices were involved in the hunt, and the FBI made a first attempt to hack and deanonymize him, but failed, as the hacking tool they used was not tailored for Tails. Hernandez noticed the attempted hack and taunted the FBI about it, according to the two former employees.

No evidence that it was a TOR exploit, but I interpreted it that way because the FBI and Facebook would most certainly have known he was using TOR from his exit IP rotating frequently and FB explicitly supports a TOR server hostname.


I think it's more likely that they used something targeting the browsers, maybe with 0-days maybe not.

But it doesn't seem to me that the FBI put much effort into this whole thing, maybe it was more a concern for Facebook than for them.

As I understand it knowing that someone is using Tor is usually trivial, the exit nodes normally set a reverse DNS record that signals it and there are exit nodes blacklists


> As I understand it knowing that someone is using Tor is usually trivial

Yeah, Facebook almost certainly receives a lot of attempted traffic from those relatively few TOR exit node IPs, so I'm sure part of their system is aware that they are effectively proxy IPs.


and how the FBI doesn't waste the NSA's jewels for normal crimes


That isn't proven.

The FBI blew a TOR 0day on this user, it just didn't work against his Tails OS. It's possible that the 0day was sourced from another 3-letter agency.


Where did you get that they used a Tor 0day? I don't see it in the vice or schneier articles, I only see mentions of a "Tails exploit"...

Anyway, of course it isn't proven, but I would be extremely surprised if said 3-letter agencies even needed a 0-day exploit to identify a Tor user...

Needing Facebook and a consulting firm to find a vulnerability in a video player? Come on, I would find more credible that they used a consulting firm to choose which exploit to use, if they could use all those available to the various agencies... :)


You are correct. I have no evidence of a TOR 0day.

I think I inferred what I said from this quote:

> Several FBI field offices were involved in the hunt, and the FBI made a first attempt to hack and deanonymize him, but failed, as the hacking tool they used was not tailored for Tails. Hernandez noticed the attempted hack and taunted the FBI about it, according to the two former employees.


It's so uncomfortable that they also hold all our data too.


"We knew it was gonna be used for bad guys,”

And everyone else.

Facebook is a honeypot.



