33C3 preroll music
Herald: The talk is gonna be called
“Law Enforcement Are Hacking the Planet”
by Joseph Cox. Joseph is an investigative
journalist for Vice’s Motherboard,
covering hackers, data breaches
and digital security. When I went
to check him out and looked at his Twitter
account I discovered I already follow him.
Which is funny, or it was for me
a little anecdote about the modern world.
I recognized his avatar immediately
but not his name.
I guess that's just something
about how we live these days.
So then with no further ado, Joseph,
I’d like to give it over to you.
applause
Joseph Cox: Hello, hello, hello.
How would you react if the FBI
came over from the United States,
came into Germany, went to an apartment
in, say, Hamburg, kicked down the door
and then started searching the apartment?
They haven’t been invited
by German law enforcement,
they’re acting on their own accord.
They then seize a load of evidence
and go back to the States.
You might think this isn’t a great thing,
I mean what does the FBI have to do
coming into another country and then
searching buildings or arresting suspects?
But the searching is essentially
what the FBI is doing, but digitally
with malware and hacking tools. Breaching
into computers in other countries,
extracting evidence from them
and then sending them back to
a government server in Virginia,
or wherever it may be.
To be clear, we’re not talking
about a normal intelligence agency here
like the NSA or GCHQ. They’re
gonna hack computers internationally
all the time as part of espionage,
we expect that, maybe that’s a good thing.
Here we’re talking about
an agency that’s predominantly
focused with the law enforcement
hacking into computers in other countries
as part of criminal investigations.
I’m gonna talk about one FBI case in
particular, briefly touch upon another one
and then just explain an operation
that was led by local Australian
law enforcement which hacked
computers in the United States.
At the moment, typically, these sort of
investigations are done to counter
child sexual exploitation
or child abuse on the Darkweb.
Just about me, briefly:
Journalist for Motherboard as mentioned,
which is the Technology and Science
part of Vice. Hackers, cybercrime,
the Darkweb drug trades or
stuff like Silk Road or the usual stuff.
But for the past year I’ve been really
interested in law enforcement’s
international use of malware.
Which brings us to
“Operation Pacifier”.
The FBI is not very good at naming
its child sexual exploitation
investigations.
So in August 2014 a new Darkweb child
abuse site was launched, called “Playpen”.
It was a Tor hidden service,
meaning that the majority of people
who connect to it would do so
over the Tor anonymity network,
masking their real IP address.
But because it ran as a hidden service
the physical location of the server itself
was also protected.
Meaning that the FBI couldn’t just go and
immediately subpoena the hosting company
or seize the server, whatever it may be,
because they didn’t know where it was.
A few months passed and Playpen is a
really, really big deal. It’s the largest
child pornography site on the Darkweb.
215,000 members,
117,000 posts, and an average
11,000 unique people
were visiting every week.
The FBI was trying to find a way in,
they were acting in an undercover capacity
on the site as law enforcement often do
with these sorts of hidden services.
But at one point a foreign law enforcement
agency, and we don’t know which one,
provided the real IP address
of the Playpen server to the FBI.
It turned out that Playpen’s administrator
who’s now been convicted, Steven Chase,
he’d misconfigured his server
so the real IP address was exposed
in the normal internet.
So in February 2015
the FBI go to the North Carolina
Data Centre, they seize the server
and they take control of Playpen.
Just as a side note:
Steven Chase, the administrator,
he had paid for the hosting via a PayPal
account in his own name.
So it was incredibly easy to convict him.
If you’re gonna run
an illegal Tor hidden service,
don’t use PayPal!
And this is where the hacking comes in.
Even though the FBI is in control of the
site – they can see what people are doing,
what videos they’re watching,
as mentioned – they can’t see
where these people are coming from
and they can’t identify them.
So they need another way,
and what they decided to do
is hack the computers of individual users.
Very, very shortly after the FBI seized
the server they started to run it
from a government facility in Virginia.
So the site is fully functioning,
except one section that encourages people
to produce more child porn. It’s still
a fully functional website, though.
They run that and the FBI deploys what
it calls a “Network Investigative Technique”,
an NIT or nit or what we would probably
just call “a piece of malware”.
In short, and this is a really, really basic
overview, the nit just did several things.
First somebody would log in to Playpen
and then go visit a specific
child porn related forum.
The exploit is then automatically
delivered to that computer.
This exploit certainly affected…
and the underlying vulnerability
certainly affected the Tor browser.
We don’t know if it affected Mozilla
Firefox. As many of you will know,
Tor browsers are often based on Firefox,
and they share much of the same code base.
But we don’t actually know
much about the vulnerability
or the exploit at all.
All that we know is that they used
a non-publicly known vulnerability.
And then when the exploit is delivered the
rest of the code causes the target machine
to phone home outside of the Tor network
to a government server, and now the FBI
has a real IP address.
Armed with that the FBI just goes to the
ISP, Comcast, Verizon, gets a name,
subscriber details and address,
kicks down a door, arrests the person
– if there’s enough evidence – and
presumably, and in many, many of the cases
if not all of them, find a lot of child
porn on the suspect’s machine.
But that’s not everything
the FBI collected with a nit,
it also got the username,
the host name, the MAC address.
And it also generated a unique code
per unique infection, I think
that you could then use to correlate
activity on the site with an IP address.
And just remember this whole time
the FBI could see what people
were doing on the site, so “user Jimmy
went onto this section of the site
and looked at this thread,
now we have his IP address,
we can link it to that”.
So the FBI deploys its malware,
for 13 days it runs the site.
Over that amount of time,
100,000 users log into Playpen,
which as you’ll notice
is a lot more than 11,000, which
was apparently the average login rate.
For some reason the site became a lot more
popular when the FBI was running it.
You can hear whatever you want from that. (?)
So in the U.S. the FBI gets around 1300
IP addresses of U.S. users of the site.
Europol say they generated 3229 cases
– I haven’t highlighted it, but it’s
in the middle column at the bottom –
and 34 of those were in Denmark.
This is a presentation I just found online
when I found out it was called
“Pacifier”.
I searched that, filetype:pdf and
someone from law enforcement had
left this online, so that was convenient.
laughter
Austria, staying with this
part of the world,
I think this is a letter from an MP
to a group of politicians
just talking about the country’s
child porn investigations
and it mentions Operation Pacifier
and 50 IP addresses so the FBI hacked
at least 50 computers in Austria.
Latin America as well.
Again, this is another presentation
that I found online,
law enforcement are really, really sloppy
with just leaving all this stuff
online, which is great.
And you can just see Operation Pacifier
there. As for Chile it was
local media reports that just said
‘Pacifier’, ‘Playpen’, ‘child porn arrests’
so it was pretty easy to infer that
computers were hacked there as well.
Australia – this is part of a
freedom of information request
I made with the Australian federal police,
asking for documents and communications
about Operation Pacifier. This isn’t
actually the result of the request
this is them saying “Hey, we have
too much stuff on Operation Pacifier,
so we can’t give it to you” which
obviously already gave me
enough information to confirm that
Pacifier hit Australia as well.
Anyway, you get the idea. I’m not
just gonna list all these countries
apart from them. The U.K. and Turkey
were probably hacked as well.
But it turns out the FBI hacked computers
in many, many more countries.
And this just came out
end of last month, I think.
In total the FBI hacked
8,700 computers in 120 countries.
8,700 in 120 countries with one warrant.
And arguably that warrant was illegal.
But we have to back up a little bit,
just to see what that is.
Right, okay.
So the U.S. has something called Rule 41,
which dictates when a judge
can authorize searches
including remote searches, so hacking.
A judge can only authorize a search
within his or her own district.
So if the judge is in the
western district of Washington,
he or she can only sign a warrant
that’s gonna search stuff
within that district. With a few
exceptions. I think, terrorism,
and if there’s a tracking device
and then the person moves out of state
it’s still okay.
In the case of Playpen,
Judge Theresa Buchanan
was in the Eastern district of Virginia,
as you can see at the top.
Clearly, the vast majority of computers
were not in the Eastern
district of Virginia.
The search warrant application which is
that document that the FBI presents
to a judge, and say “Here’s our reasons,
please sign our search warrant!”,
it said that what was gonna be searched
was computers logging into Playpen,
wherever located. It’s pretty
debatable how explicit that is.
I mean, the FBI did not write “Hey we’re
gonna hack into computers no matter
what state they’re in, what country
they’re in, anything like that, and
we’re gonna hack into them”. The word
‘hack’ is obviously never ever used in the
search warrant application.
So with that in mind it’s kind of unclear
if Judge Theresa Buchanan would have
actually understood that she was signing
a global hacking warrant. And this isn’t
castigating the judge, at all. It’s more
that these warrant applications aren’t
very explicit. And it’s still unclear
because Judge Buchanan won’t respond
to my requests for comment.
So whether Operation Pacifier violated
Rule 41 has probably been the central
component of all the legal cases that came
out after the FBI started busting people.
Defense lawyers have brought it up, saying
“Hey, this judge did not have authority,
you now need to throw out all the
evidence against my client”.
According to the most recent figures, and
this might be very, very slightly out-of-date
21 decisions have found the operation
did violate rule 41. Out of those,
judges in four cases have thrown out all
evidence obtained by the FBI’s malware.
So that obviously includes the main bit
of evidence, which is the IP address,
but then also everything that came after
that. I mean the only reason the FBI
found child porn on people’s devices is
because the IP address led them there.
So all of that child porn is also struck
from the record as well.
And those people are essentially free,
bar DOJ appeals, which are ongoing.
Whether people based outside the United
States will have a similar sort of defense
is kind of unclear at the moment. The
IP address could fall under something
like the Third-Party Doctrine, wherein:
if there’s a German suspect,
and they tried to challenge the legality
of the search the German police may say:
“Hey, look, we didn’t do the hacking,
we just got given this IP address
by third party”. And then the defense
might not have much of a leg to stand on.
But I do know of one lawyer in a country
outside the U.S. who is going to challenge
the legality of that hacking operation.
I can’t really say where he is right now
because I think that’s still sourcing out (?)
but that’s gonna be really, really interesting
when that happens, hopefully in the new
year. So forget everything I just told you
about Rule 41 because it doesn’t matter
any more. Earlier this month changes
to Rule 41 came into place. Meaning that
judges now can authorize searches
outside of their district. So if the Playpen
warrant was signed today it probably
would not violate Rule 41, and the FBI
wouldn’t have done anything wrong.
Or the DOJ wouldn’t have done anything
wrong. And I just wanna emphasize that
these changes to Rule 41 came about
in part, specifically because of
the problem that anonymity networks and
Tor present to law enforcement.
It’s not like Operation Pacifier was over
here, FBI doing its thing, and the DOJ
was sorting out these Rule 41 changes. The
changes have come specifically in response
to criminal investigations
on the so-called “Darkweb”.
And that’s just this Department quote
here: “We believe technology should
not create a lawless zone merely because
a procedural rule has not kept up
with the times”. Their argument is that
Rule 41 is basically an antique,
and they need to change the rules to keep
up with criminals that are using stuff
like Tor or VPNs. So that was Pacifier.
That’s the largest law enforcement hacking
operation to date that we know about.
Just very, very briefly I’m gonna talk
about another FBI one where they likely
hacked into computers abroad. This one
is called “Torpedo” which is even worse
than Operation Pacifier when it comes
to child porn names.
In 2012 or 2013 the FBI take over
Freedom Hosting which is
sort of a turnkey hosting provider.
You sign up to the service
that hosts your Darkweb site. It doesn’t
matter if it’s legal or not, whatever.
The FBI sees it, they deploy an NIT
again, a piece of malware.
And this time the FBI is trying (?) to identify
users of 23 different child pornography sites.
In the warrant application there’s
a section specifically about
a Hungarian language site.
I mean even the FBI officer
– I think it’s the FBI writing it – says:
“Oh, if you put this into Google Translate
it means this, it’s Hungarian, blablabla”.
As I mentioned in the Playpen example
the FBI did not know where the computers
that they were going to hack
were located. This is an interesting case
because I’m going to guess
that a lot of the users of a Hungarian
language site are probably in Hungary.
So the FBI might have had some idea
that they were gonna hack computers there.
Did the FBI warn Hungarian law
enforcement? Did they get permission
of the Hungarian authorities to hack
computers in their country?
We don’t know yet.
And I somehow doubt it.
And then just finally it’s – excuse me –
it’s not just the FBI
that’s using hacking tools
to target suspects overseas.
A local Australian police department,
Queensland Police,
has a specialized task force
for child sexual exploitation,
Taskforce Argos.
And they were the ones that led this
operation. There wasn’t any sort of
an official statement from Queensland
Police saying: “Hey look, we unmasked
all of these criminals in the U.S.”.
It was only by piecing together
pretty spread-out (?) U.S. court documents
that I could map the contours of this
hacking operation that everyone
kind of wants to keep quiet about.
So in 2014 Taskforce Argos take over
another Darkweb child porn site
called ‘The Love Zone’. They run it – not
for 13 days like the FBI but for 6 months,
posing as the site’s administrator
who they’d already arrested.
According to one document – not this one –
the Australians obtained at least
30 IP addresses of U.S. based
users of the site. I don’t know
about other countries yet, it’s only
through these U.S. court documents
that we’ve been able to figure this out.
And the way they did it was
pretty different to the FBI. What they
would do is they would send a link
to a suspect, for a video file.
The suspect would click the link,
they will get a warning, saying: “Warning,
you’re opening a file on an external site,
do you want to continue?” Something to
that effect. If the person ignored
the warning and clicked “Yes”
a video of real child pornography
played on the suspect’s machine,
and then that video phoned home
to an Australian server. I mean, you can
debate whether this is hacking or not.
I mean the FBI weren’t clearly delivering
a Tor browser exploit with malware etc.
Is this hacking? I would say so. If we
think that phishing for government e-mails
is hacking – sure. But that’s kind of the
trivial debate, anyway. The real debate
is: was this a search in the legal sense of
the word? Did the Australians obtain
information from a private place, namely
a private computer, in a private residence,
and did they get a search warrant to do
that? And again, we don’t know,
because they won’t talk to me.
So clearly, that was all about child abuse
and child pornography investigations.
So far this sort of international hacking,
as far as we know, as far as I know,
has only been used for those sorts of
investigations. But as for the future
with Rule 41, the changes there, we could
presumably see it go to other types
of investigations, maybe Darkweb drug
markets. Plenty of these markets have
dedicated vendor-only sections that you
can only login to if you are a drug dealer
on the site. I mean here, this isn’t from
NIT or a malware investigation.
This is when Carnegie Mellon University
attacked the Tor network, obtained
IP addresses, and then gave those – well,
was subpoenaed for those and gave them
to the FBI. But the key part is that in
this search warrant it’s saying: “Hey look,
there’s probable cause because this
suspect was logging in to the
drug dealer-only section of Silk Road 2.0
so we have reason to raid his house”.
I can easily see this sort of section
being in a malware warrant or an NIT
warrant, as well. And then I suppose the
other more obvious example
– if that hasn’t happened already –
is putting a piece of malware to hack
suspects internationally on a Jihadi
forum. Maybe in administrator or moderator
sections, so you know you’re gonna be
targeting high-ranking members of the forum.
I mean I personally don’t know if that
would be the FBI or another agency
doing that. But that’s clearly somewhere
where malware can be useful
in international context. But apart from
predicting where this might go, I mean,
clearly this is gonna continue, just a few
weeks ago there was a Firefox zero-day
out in the wild. Me and my colleague
Lorenzo tracked it back to a specific
child porn site in the Darkweb where
that zero-day had been deployed.
So this is an active thing.
This is still going on.
And that’s it. But… just a last thing
if you have any documents, data,
information, tips on FBI malware,
law enforcement malware, who is using it,
who is buying it, how they’re using it –
these are my various contact channels.
Thanks a lot!
applause
ongoing applause
Herald: Thank you, Joseph.
Thank you.
Any questions from the audience?
Oh, we got one on [microphone] 4.
Question: Thanks for the talk.
Really nice. Quick question,
you’ve presented
some pretty illegal things.
On both sides.
On child pornography,
and all of those things.
And on the law enforcer’s side.
Now my question is, did you intentionally
mention those really illegal aspects
like child pornography to justify the
actions of the FBI in any way?
Joseph: You mean, did I specifically
speak about child pornography
to justify the FBI’s actions?
Question: Yes.
Joseph: No. This is just… I mean child
pornography and child sexual exploitation
is where law enforcement are using the
really cool stuff. This is where they’re
using their Tor Browser exploits. This is
where they’re using their Firefox zero-days.
And I’m just attracted to where the cops
are doing interesting things.
So, if it was on drug markets I’d cover
that as well. But at the moment,
at least to my knowledge, it’s just
localized to the child pornography
investigations. Presumably, because law
enforcement feel like not many people
are going to argue with them with maybe
doing illegal search for child porn
because everybody finds that crime
abhorrent. But, no, that’s just
how it is at the moment.
Question: Okay, let me rephrase that.
Do you feel it’s justified for them
to use exploits?
Joseph: Do I feel it’s justified for
them to use exploits? I don’t think
it’s anything intrinsically wrong
with law enforcement hacking.
But even though child pornography is
an absolutely disgusting crime
and I can’t find, obviously, any way
to justify it I also want law enforcement
to follow the law.
And to respect the law as well.
applause
Question: Thank you.
ongoing applause
Herald: Any other questions?
Anybody from IRC?
The (?) on 5, go ahead.
Question: Well, I wanted to ask probably
the same question whether it’s dubious
from the moral point of view?
And you already answered it.
You don’t see it dubious as I understand,
right? As the legislation can be questioned,
and should be rearranged there is not much
ethical discussion whether this should be
done or not. But while you were at the
topic for a while: do you have any other
proposals how to resolve this issue,
maybe? Technically,
from the technical point of view.
Joseph: Sure. So I mean, just before
I answer that I just wanna make clear
that I’m, like, a journalist,
not an activist or a technologist.
I don’t think it will be right for me to
say this is how we should combat this.
I’m just saying, hey, that’s what
the FBI did. That sort of thing.
But to answer the question, I think
Mozilla and Tor have been working
on a way to stop this sort of
de-anonymization attack, that,
when the FBI would hit a computer with
their exploits and then the NIT code
would deploy, that’s not enough. I really
can’t remember the technical details
off the top (?) in my head, but there is an
article online that I wrote.
But then they would have
to break out of the sandbox as well.
But more to answer your question
generally: there are technological solutions
that people are making here. And they
could be live pretty soon. But then
what is the FBI gonna do after that?
They’re not gonna stop making malware.
They’re gonna… they’ll deploy a nit that
will then rummage through your computer
and find incriminating documents and then
phone home. If they can’t get your real
IP address they’re gonna
get evidence somehow.
Herald: No.1 was up next.
Question: Hi Joseph. In your background
research on law enforcement
using technology like this to target child
porn sites. So you profiled the FBI
on how they may have (?)(?) around
some of the letter of the law
in order to get done the job they needed
to get done. Are there other law enforcement
agencies you found that are kind of like
a gold standard in their approach
to solving this problem that abide
by the rules, and maybe
solve this problem in a different way?
Joseph: When you say… so the question
was, are there other law enforcement
agencies who may be better or the same
sort of standard (?) as the FBI this problem.
When you say “this problem” you mean
“combating child porn on the Darkweb”?
Question: Yeah, clearly something needs to
be done about these sites. And there’s
a limited number of options available.
So the FBI is kind of busted out (?)
in trying every single piece of technology
they can to solve it. But are there others
that maybe take a more restrained approach
but still solve the problem?
Joseph: When it specifically comes
to malware I haven’t seen much
in the wild or publicly but in the U.K.
GCHQ, the country’s
signals intelligence agency has said,
or a report said, it is using
bulk interception, so GCHQ’s mass
surveillance capabilities, to do
traffic correlation attacks, and they
can then unmask Darkweb users
and hidden service IP addresses.
That’s not malware but that is
an extreme use of technological
capability, I guess.
And yeah, we could definitely see
more of that. I think in the report
the Home Office said the GCHQ had got
something like 50 individuals
in the past 18 months through bulk traffic
analysis. That’s not malware,
but yeah, that’s where stuff could go,
definitely.
Question: Cool. Thanks.
Herald: I give you one last question,
it will be number 4, over here.
Question: Hi, I was wondering, because you
mentioned bulk analysis which I considered
to be significantly worse than targeted
analysis, in the way that it violates
everybody’s liberties rather than specific
individuals who are definitely engaging
in criminal activity.
So why is it you feel that there’s
some kind of violation,
like these people they need to find
these criminals, and the jurisdiction
needs to be significantly wider,
and I understand that it’s terrible
that they’re hacking us. But at the same
time they need to be caught. So how
can they make legislation that’s
able to find these people legally
when it’s outside of their jurisdiction,
and they might be targeting people,
if they’re doing a dragnet on a website,
like your example. And they’re gonna be
hacking people that are not in their
country. They can’t limit it to the people
that are in that country. And only hack
those people. It’s technically impossible.
So what’s the solution for this?
Joseph: I mean, some senators in the US
did propose a Stop Mass Hacking Act
which would have blocked the Rule 41
changes. It was unsuccessful, and
in part – this is just my personal
opinion – I think it’s because they
didn’t present a viable alternative.
I mean, as you say, these people
need to be caught, I mean, that sort of
thing, but when these senators said:
“Yeah, we need to stop all this global
hacking” there was no alternative presented,
so we don’t know, basically.
As for legislative changes
I think it’s more… it’s less the
“Hey, here’s a concrete law or rule
that we need to fix right now”, it’s more
like there’s a looming issue of
“What happens when the FBI hacks a child
pornographer in Russia, or one who happens
to be a politician in another country?”
Are they still gonna go, and then go
to local law enforcement, “Hey, we got
this IP address of one of your senior
politicians who happens to be looking at
child porn”. I mean what are the ramifications
of that gonna be? But to answer your
question: we don’t really know.
It’s more of just this looming issue that
law enforcement are firing malware
and asking questions later.
Herald: Thank you so much. If you got
a round of applause for Joseph Cox!
applause
postroll music
Subtitles created by c3subtitles.de
in the year 2017. Join, and help us!