Kudos to Facebook for identifying a novel way to capture this criminal.
But every time I read these types of articles, I am not shocked to learn about the folks working at these tech companies seemingly against working with law enforcement whatsoever.
If it was your child, wouldn’t you want to help rather than stand on principles?
Please add a "(2020)" to the title, only noticed after reading this and looking for details about the actual vuln to check if I had something to update...
As usual, very hard to take a stance on that kind of stuff.
Yes, satisfactory to see the FBI being able to catch that type of scum.
But at the same time I can't help thinking that next, it's going to be the UK governement hacking distros to find out from which IP you posted a meme on Twitter.
Well as others have pointed out, it's one thing to deliberately engineer a backdoor, its another to find an exploit in an existing system and then use it to stop a scumbag from hurting people. One is a total violation of someone's privacy and expectation, another is simply good ol police work.
So I'm happy with this outcome and even not opposed to the procedure, but I'm very much against deliberately engineering backdoors in systems. I think that position is pretty consistent and sound.
For every feel good story we hear of the bad guys getting caught, you bet there are dozens of stories in that murky grey area where we really don’t think either side are the good guys.
> But they did so quietly and without notifying the developers of Tails afterwards of the major security flaw,
I don't immediately see an ethical problem with developing a zero-day exploit to catch a suspected/presumed very bad person like that, so long as: (1) it's used only for that one target; (2) you promptly start the responsible disclosure to upstream, and later public.
Unfortunately, the nice, clean ethics gets more complicated when that zero-day is temporarily in the hands of an organization that would presumably also use it for other targets.
Historically, some good and important government organizations have had complications, such as some personnel not believing in the rules and checks&balances under which they're supposed to operate, or personnel acting under direction of leadership or outside politicians who're misaligned with national laws and values.
If someone with the ability to develop a zero-day wanted to catch the very bad people, while not compromising all the lawful civil rights leaders and journalists who bother some questionable politician, how would they do that?
I should've clarified that I meant to ask a more general question.
Going back to a particular exploit, certainly it could be used against multiple targets, in a small time window.
There multiple potential targets (for various reasons) at any time.
And there's also the option of mass-compromising endpoints or servers of a platform, and adding new hidden backdoors/weaknesses that persist long after the initial vulnerability is removed (e.g., in various kinds of firmware).
Or even just mass-cataloging of one-time compromised identities.
I wonder how this is possible. As far as I understand, tails uses two VMs, so the entire VM uses tor without running the tor service. So how did it send the real IP if all the system's traffic is routed through an external Tor router? It's also quite surprising to me that the FBI spends so much resources on catching ordinary paedophiles, I'd expect such a high level of operations to be used to find high-level ransomware groups or something.
There’s a chance it became classified, if for example the exploit depends on the existence of FBI managed tor nodes, and we aren’t ready to let everyone know that the feds are all over the onion network infra.
There have been a number of very strange arrests of tor users by FBI and other western special services. The one I remember was when they took down the hydra's (basically russian silk road) and doxed it's creators. The idea of tor being infiltrated by feds seems very logical, considering that Tor got a good reputation, and is, basically, a great honeypot. I'd consider it a real threat if I were a criminal. But are there any networks that are resistant to malicious nodes?
Tails is a single machine that runs Tor you are mixing it up with Whonix which uses a gateway VM with Tor on it and a workstation VM that gets routed via the gateway.
27 comments
[ 3.1 ms ] story [ 85.3 ms ] threadBut every time I read these types of articles, I am not shocked to learn about the folks working at these tech companies seemingly against working with law enforcement whatsoever.
If it was your child, wouldn’t you want to help rather than stand on principles?
That’s what gets me every time.
- All of them?
- Just the US ones?
- What about employees who aren't US citizens?
- Which crimes are you happy to help enforce?
- To what extent are you happy to be used as a tool of the US criminal justice system?
- Do you want to enable the US government to have dragnet surveillance of the entire world?
Bear in mind, the US government is very keen on using it's power for economic advantage, and not just for criminal enforcement.
In some cases it's clear cut - it's clearly in Meta's interest to safeguard children on their platform.
In some cases it's clear that not co-operating is probably the right thing to do - e.g. protecting a journalist reporting on North Korea.
- see above
- see above
- what?
- any crimes that involve coercion of others and nothing else
- to the extent I can help stop coercion of others and nothing else
- no.
I think this is a better and easier way of finding these criminals then trying to pass laws to allow back-doors in the OS.
Interesting read
Yes, satisfactory to see the FBI being able to catch that type of scum.
But at the same time I can't help thinking that next, it's going to be the UK governement hacking distros to find out from which IP you posted a meme on Twitter.
So I'm happy with this outcome and even not opposed to the procedure, but I'm very much against deliberately engineering backdoors in systems. I think that position is pretty consistent and sound.
I don't immediately see an ethical problem with developing a zero-day exploit to catch a suspected/presumed very bad person like that, so long as: (1) it's used only for that one target; (2) you promptly start the responsible disclosure to upstream, and later public.
Unfortunately, the nice, clean ethics gets more complicated when that zero-day is temporarily in the hands of an organization that would presumably also use it for other targets.
Historically, some good and important government organizations have had complications, such as some personnel not believing in the rules and checks&balances under which they're supposed to operate, or personnel acting under direction of leadership or outside politicians who're misaligned with national laws and values.
If someone with the ability to develop a zero-day wanted to catch the very bad people, while not compromising all the lawful civil rights leaders and journalists who bother some questionable politician, how would they do that?
Going back to a particular exploit, certainly it could be used against multiple targets, in a small time window.
There multiple potential targets (for various reasons) at any time.
And there's also the option of mass-compromising endpoints or servers of a platform, and adding new hidden backdoors/weaknesses that persist long after the initial vulnerability is removed (e.g., in various kinds of firmware).
Or even just mass-cataloging of one-time compromised identities.
There’s a chance it became classified, if for example the exploit depends on the existence of FBI managed tor nodes, and we aren’t ready to let everyone know that the feds are all over the onion network infra.
There have been a number of very strange arrests of tor users by FBI and other western special services. The one I remember was when they took down the hydra's (basically russian silk road) and doxed it's creators. The idea of tor being infiltrated by feds seems very logical, considering that Tor got a good reputation, and is, basically, a great honeypot. I'd consider it a real threat if I were a criminal. But are there any networks that are resistant to malicious nodes?
All the major governments and the companies are known to have zero day exploits saved up for a rainy day.
Hence why countries like China ban Windows from government staff, and why USA ban Huwaei/hikvision etc in kind.