33C3 preroll music

Herald: The talk is gonna be called “Law Enforcement Are Hacking the Planet” by Joseph Cox. Joseph is an investigative journalist for Vice’s Motherboard, covering hackers, data breaches and digital security. When I went to check him out and looked at his Twitter account I discovered I already follow him. Which is funny, or it was for me a little anecdote about the modern world. I recognized his avatar immediately but not his name. I guess that’s just something about how we live these days. So then with no further ado, Joseph, I’d like to give it over to you.

applause

Joseph Cox: Hello, hello hello.

How would you react if the FBI came over from the United States, came into Germany, went to an apartment in, say, Hamburg, kicked down the door and then started searching the apartment? They haven’t been invited by German law enforcement, they’re acting on their own accord. They then seize a load of evidence and go back to the States.

You might think this isn’t a great thing, I mean what does the FBI have to do coming into another country and then searching buildings or arresting suspects? But the searching is essentially what the FBI is doing, but digitally, with malware and hacking tools.
Breaching into computers in other countries, extracting evidence from them and then sending them back to a government server in Virginia, or wherever it may be. To be clear, we’re not talking about a normal intelligence agency here like the NSA or GCHQ. They’re gonna hack computers internationally all the time as part of espionage, we expect that, maybe that’s a good thing. Here we’re talking about an agency that’s predominantly focused on law enforcement hacking into computers in other countries as part of criminal investigations.

I’m gonna talk about one FBI case in particular, briefly touch upon another one and then just explain an operation that was led by local Australian law enforcement which hacked computers in the United States. At the moment, typically, these sorts of investigations are done to counter child sexual exploitation or child abuse on the Darkweb.

Just about me, briefly: Journalist for Motherboard as mentioned, which is the Technology and Science part of Vice. Hackers, cybercrime, the Darkweb drug trades or stuff like Silk Road or the usual stuff. But for the past year I’ve been really interested in law enforcement’s international use of malware. Which brings us to “Operation Pacifier”. The FBI is not very good at naming its child sexual exploitation investigations.

So in August 2014 a new Darkweb child abuse site was launched, called “Playpen”.
It was a Tor hidden service, meaning that the majority of people who connect to it would do so over the Tor anonymity network, masking their real IP address. But because it ran as a hidden service the physical location of the server itself was also protected. Meaning that the FBI couldn’t just go and immediately subpoena the hosting company or seize the server, whatever it may be, because they didn’t know where it was.

A few months passed and Playpen is a really, really big deal. It’s the largest child pornography site on the Darkweb. 215,000 members, 117,000 posts, and an average 11,000 unique people were visiting every week.

The FBI was trying to find a way in, they were acting in an undercover capacity on the site as law enforcement often do with these sorts of hidden services. But at one point a foreign law enforcement agency, and we don’t know which one, provided the real IP address of the Playpen server to the FBI. It turned out that Playpen’s administrator, who’s now been convicted, Steven Chase, he’d misconfigured his server so the real IP address was exposed on the normal internet. So in February 2015 the FBI go to the North Carolina Data Centre, they seize the server and they take control of Playpen.

Just as a side note: Steven Chase, the administrator, he had paid for the hosting via a Paypal account in his own name.
So it was incredibly easy to convict him. If you’re gonna run an illegal Tor hidden service, don’t use Paypal!

And this is where the hacking comes in. Even though the FBI is in control of the site – they can see what people are doing, what videos they’re watching, as mentioned – they can’t see where these people are coming from and they can’t identify them. So they need another way, and what they decided to do is hack the computers of individual users.

Very, very shortly after the FBI seized the server they started to run it from a government facility in Virginia. So the site is fully functioning, except one section that encourages people to produce more child porn. It’s still a fully functional website, though. They run that and the FBI deploys what it calls a “Network Investigative Technique”, an NIT or nit, or what we would probably just call “a piece of malware”.

In short, and this is a really, really basic overview, the nit just did several things. First somebody would log in to Playpen and then go visit a specific child porn related forum. The exploit is then automatically delivered to that computer. This exploit certainly affected… and the underlying vulnerability certainly affected the Tor browser. We don’t know if it affected Mozilla Firefox. As many of you will know, Tor browsers are often based on Firefox, and they share much of the same code base.
But we don’t actually know much about the vulnerability or the exploit at all. All that we know is that they used a non publicly known vulnerability. And then when the exploit is delivered the rest of the code causes the target machine to phone home outside of the Tor network to a government server, and now the FBI has a real IP address. Armed with that the FBI just goes to the ISP, Comcast, Verizon, gets a name, subscriber details and address, kicks down a door, arrests the person – if there’s enough evidence – and presumably, and in many many of the cases if not all of them, find a lot of child porn on the suspect’s machine.

But that’s not everything the FBI collected with a nit, it also got the username, the host name, the MAC address. And it also generated a unique code per unique infection, I think that you could then use to correlate activity on the site with an IP address. And just remember this whole time the FBI could see what people were doing on the site, so “user Jimmy went onto this section of the site and looked at this thread, now we have his IP address, we can link it to that”.

So the FBI deploys its malware, for 13 days it runs the site. Over that amount of time, 100,000 users log into Playpen, which as you’ll notice is a lot more than 11,000, which was apparently the average login rate.
For some reason the site became a lot more popular when the FBI was running it. You can hear whatever you want from that. (?)

So in the U.S. the FBI gets around 1300 IP addresses of U.S. users of the site. Europol say they generated 3229 cases – I haven’t highlighted it, but it’s in the middle column at the bottom – and 34 of those were in Denmark. This is a presentation I just found online when I found out it was called “Pacifier”. I searched that, filetype:pdf, and someone from law enforcement had left this online, so that was convenient.

laughter

Austria, staying with this part of the world, I think this is a letter from an MP to a group of politicians just talking about the country’s child porn investigations and it mentions Operation Pacifier and 50 IP addresses, so the FBI hacked at least 50 computers in Austria.

Latin America as well. Again, this is another presentation that I found online, law enforcement are really, really sloppy with just leaving all this stuff online, which is great. And you can just see Operation Pacifier there. As for Chile it was local media reports that just said ‘Pacifier’, ‘Playpen’, ‘child porn arrests’, so it was pretty easy to infer that computers were hacked there as well.
Australia – this is part of a freedom of information request I made with the Australian federal police, asking for documents and communications about Operation Pacifier. This isn’t actually the result of the request, this is them saying “Hey, we have too much stuff on Operation Pacifier, so we can’t give it to you”, which obviously already gave me enough information to confirm that Pacifier hit Australia as well.

Anyway, you get the idea. I’m not just gonna list all these countries apart from them. The U.K. and Turkey were probably hacked as well. But it turns out the FBI hacked computers in many, many more countries. And this just came out end of last month, I think. In total the FBI hacked 8,700 computers in 120 countries. 8,700 in 120 countries with one warrant. And arguably that warrant was illegal.

But we have to back up a little bit, just to see what that is. Right, okay. So the U.S. has something called Rule 41, which dictates when a judge can authorize searches, including remote searches, so hacking. A judge can only authorize a search within his or her own district. So if the judge is in the western district of Washington, he or she can only sign a warrant that’s gonna search stuff within that district. With a few exceptions.
I think, terrorism, and if there’s a tracking device and then the person moves out of state it’s still okay. In the case of Playpen, Judge Theresa Buchanan was in the Eastern district of Virginia, as you can see at the top. Clearly, the vast majority of computers were not in the Eastern district of Virginia.

The search warrant application, which is that document that the FBI presents to a judge, and say “Here’s our reasons, please sign our search warrant!”, it said that what was gonna be searched was computers logging into Playpen, wherever located. It’s pretty debatable how explicit that is. I mean, the FBI did not write “Hey we’re gonna hack into computers no matter what state they’re in, what country they’re in, anything like that, and we’re gonna hack into them”. The word ‘hack’ is obviously never ever used in the search warrant application. So with that in mind it’s kind of unclear if Judge Theresa Buchanan would have actually understood that she was signing a global hacking warrant. And this isn’t castigating the judge, at all. It’s more that these warrant applications aren’t very explicit. And it’s still unclear because Judge Buchanan won’t respond to my requests for comment.

So whether Operation Pacifier violated Rule 41 has probably been the central component of all the legal cases that came out after the FBI started busting people.
Defense lawyers have brought it up, saying “Hey, this judge did not have authority, you now need to throw out all the evidence against my client”. According to the most recent figures, and this might be very, very slightly out-of-date, 21 decisions have found the operation did violate Rule 41. Out of those, judges in four cases have thrown out all evidence obtained by the FBI’s malware. So that obviously includes the main bit of evidence, which is the IP address, but then also everything that came after that. I mean the only reason the FBI found child porn on people’s devices is because the IP address led them there. So all of that child porn is also struck from the record as well. And those people are essentially free, by DOJ appeals which are ongoing.

Whether people based outside the United States will have a similar sort of defense is kind of unclear at the moment. The IP address could fall under something like the Third-Party Doctrine, whereas in: if there’s a German suspect, and they tried to challenge the legality of the search, the German police may say: “Hey, look, we didn’t do the hacking, we just got given this IP address by a third party”. And then the defense might not have much leg to stand on. But I do know of one lawyer in a country outside the U.S. who is going to challenge the legality of that hacking operation. I can’t really say where he is right now because I think that’s still sourcing out (?) but that’s gonna be really, really interesting when that happens, hopefully in the new year.

So forget everything I just told you about Rule 41 because it doesn’t matter any more. Earlier this month changes to Rule 41 came into place. Meaning that judges now can authorize searches outside of their district. So if the Playpen warrant was signed today it probably would not violate Rule 41, and the FBI wouldn’t have done anything wrong. Or the DOJ wouldn’t have done anything wrong. And I just wanna emphasize that these changes to Rule 41 came about in part, specifically because of the problem that anonymity networks and Tor present to law enforcement. It’s not like Operation Pacifier was over here, FBI doing its thing, and the DOJ was sorting out these Rule 41 changes. The changes have come specifically in response to criminal investigations on the so-called “Darkweb”.

And that’s just this Department quote here: “We believe technology should not create a law-less zone merely because a procedural rule has not kept up with the times”. Their argument is that Rule 41 is basically an antique, and they need to change the rules to keep up with criminals that are using stuff like Tor or VPNs. So that was Pacifier. That’s the largest law enforcement hacking operation to date that we know about.
Just very, very briefly I’m gonna talk about another FBI one where they likely hacked into computers abroad. This one is called “Torpedo”, which is even worse than Operation Pacifier when it comes to child porn names.

In 2012 or 2013 the FBI take over Freedom Hosting, which is sort of a turnkey hosting provider. You sign up to the service that hosts your Darkweb site. It doesn’t matter if it’s legal or not, whatever. The FBI sees it, they deploy an NIT again, a piece of malware. And this time the FBI trying (?) identify users of 23 different child pornography sites. In the warrant application there’s a section specifically about a Hungarian language site. I mean even the FBI officer – I think it’s the FBI writing it – says: “Oh, if you put this into Google Translate it means this, it’s Hungarian, blablabla”.

As I mentioned in the Playpen example the FBI did not know where the computers that they were going to hack were located. This is an interesting case because I’m going to guess that a lot of the users of a Hungarian language site are probably in Hungary. So the FBI might have had some idea that they were gonna hack computers there. Did the FBI warn Hungarian law enforcement? Did they get permission of the Hungarian authorities to hack computers in their country? We don’t know yet. And I somehow doubt it.
And then just finally it’s – excuse me – it’s not just the FBI that’s using hacking tools to target suspects overseas. A local Australian police department, Queensland Police, has a specialized task force for child sexual exploitation, Taskforce Argos. And they were the ones that led this operation. There wasn’t any sort of an official statement from Queensland Police saying: “Hey look, we unmasked all of these criminals in the U.S.”. It was only by piecing together pretty spread-out (?) U.S. court documents that I could map the contours of this hacking operation that everyone kind of wants to keep quiet about.

So in 2014 Taskforce Argos take over another Darkweb child porn site called ‘The Love Zone’. They run it – not for 13 days like the FBI but for 6 months, posing as the site’s administrator who they’d already arrested. According to one document – not this one – the Australians obtained at least 30 IP addresses of U.S. based users of the site. I don’t know about other countries yet, it’s only through these U.S. court documents that we’ve been able to figure this out.

And the way they did it was pretty different to the FBI. What they would do is they would send a link to a suspect, for a video file. The suspect would click the link, they will get a warning, saying: “Warning, you’re opening a file on an external site, do you want to continue?” Something to that effect.
If the person ignored the warning and clicked “Yes” a video of real child pornography played on the suspect’s machine, and then that video phoned home to an Australian server. I mean, you can debate whether this is hacking or not. I mean the FBI weren’t clearly delivering a Tor browser exploit with malware etc. Is this hacking? I would say so. If we think the phishing for Government e-mails is hacking – sure. But that’s kind of the trivial debate, anyway. The real debate is: was this a search in the legal sense of the word? Did the Australians obtain information from a private place, namely a private computer, in a private residence, and did they get a search warrant to do that? And again, we don’t know, because they won’t talk to me.

So clearly, that was all about child abuse and child pornography investigations. So far this sort of international hacking, as far as we know, as far as I know, has only been used for those sorts of investigations. But as for the future with Rule 41, the changes there, we could presumably see it go to other types of investigations, maybe Darkweb drug markets. Plenty of these markets have dedicated vendor-only sections that you can only log in to if you are a drug dealer on the site. I mean here, this isn’t from an NIT or a malware investigation. This is when Carnegie Mellon University attacked the Tor network, obtained IP addresses, and then gave those – well, was subpoenaed for those and gave them to the FBI.
But the key part is that in this search warrant it’s saying: “Hey look, there’s probable cause because this suspect was logging in to the drug dealer-only section of Silk Road 2.0, so we have reason to raid his house”. I can easily see this sort of section being in a malware warrant or an NIT warrant, as well.

And then I suppose the other more obvious example – if that hasn’t happened already – is putting a piece of malware to hack suspects internationally on a Jihadi forum. Maybe in administrator or moderator sections, so you know you’re gonna be targeting high-ranking members of the forum. I mean I personally don’t know if that would be the FBI or another agency doing that. But that’s clearly somewhere where malware can be useful in an international context.

But apart from predicting where this might go, I mean, clearly this is gonna continue, just a few weeks ago there was a Firefox zeroday out in the wild. Me and my colleague Lorenzo tracked it back to a specific child porn site on the Darkweb where that 0-day had been deployed. So this is an active thing. This is still going on.

And that’s it. But… just a last thing: if you have any documents, data, information, tips on FBI malware, law enforcement malware, who is using it, who is buying it, how they’re using it – these are my various contact channels. Thanks a lot!

applause

ongoing applause

Herald: Thank you, Joseph. Thank you. Any questions from the audience?
Oh, we got one on [microphone] 4.

Question: Thanks for the talk. Really nice. Quick question, you’ve presented some pretty illegal things. On both sides. On child pornography, and all of those things. And on the law enforcer’s side. Now my question is, did you intentionally mention those really illegal aspects like child pornography to justify the actions of the FBI in any way?

Joseph: You mean, did I specifically speak about child pornography to justify the FBI’s actions?

Question: Yes.

Joseph: No. This is just… I mean child pornography and child sexual exploitation is where law enforcement are using the really cool stuff. This is where they’re using their Tor Browser exploits. This is where they’re using their Firefox zerodays. And I’m just attracted to where the cops are doing interesting things. So, if it was on drug markets I’d cover that as well. But at the moment, at least to my knowledge, it’s just localized to the child pornography investigations. Presumably, because law enforcement feel like not many people are going to argue with them with maybe doing an illegal search for child porn, because everybody finds that crime abhorrent. But, no, that’s just how it is at the moment.

Question: Okay, let me rephrase that. Do you feel it’s justified for them to use exploits?

Joseph: Do I feel it’s justified for them to use exploits? I don’t think there’s anything intrinsically wrong with law enforcement hacking. But even though child pornography is an absolutely disgusting crime and I can’t find, obviously, any way to justify it, I also want law enforcement to follow the law. And to respect the law as well.

applause

Question: Thank you.

ongoing applause

Herald: Any other questions? Anybody from IRC? The (?) on 5, go ahead.

Question: Well, I wanted to ask probably the same question, whether it’s dubious from the moral point of view? And you already answered it. You don’t see it dubious as I understand, right? As the legislation can be questioned, and should be rearranged, there is not much ethical discussion whether this should be done or not. But while you were at the topic for a while: do you have any other proposals how to resolve this issue, maybe? Technically, from the technical point of view.

Joseph: Sure. So I mean, just before I answer that I just wanna make clear that I’m, like, a journalist, not an activist or a technologist. I don’t think it would be right for me to say this is how we should combat this. I’m just saying, hey, that’s what the FBI did. That sort of thing.
But to answer the question, I think Mozilla and Tor have been working on a way to stop this sort of de-anonymization attack, that, when the FBI would hit a computer with their exploits and then the NIT code would deploy, that’s not enough. I really can’t remember the technical details off the top (?) in my head, but there is an article online that I wrote. But then they would have to break out of the sandbox as well. But more to answer your question generally: there are technological solutions that people are making here. And they could be live pretty soon. But then what is the FBI gonna do after that? They’re not gonna stop making malware. They’re gonna… they’ll deploy a nit that will then rummage through your computer and find incriminating documents and then phone home. If they can’t get your real IP address they’re gonna get evidence somehow.

Herald: No. 1 was up next.

Question: Hi Joseph. In your background research on law enforcement using technology like this to target child porn sites. So you profiled the FBI on how they may have (?)(?) around some of the letter of the law in order to get done the job they needed to get done. Are there other law enforcement agencies you found that are kind of like a gold standard in their approach to solving this problem, that abide by the rules, and maybe solve this problem in a different way?
Joseph: When you say… so the question was, are there other law enforcement agencies who may be better or the same sort of standard (?) as the FBI this problem. When you say “this problem” you mean “combating child porn on the Darkweb”?

Question: Yeah, clearly something needs to be done about these sites. And there’s a limited number of options available. So the FBI is kind of busted out (?) in trying every single piece of technology they can to solve it. But are there others that maybe take a more restrained approach but still solve the problem?

Joseph: When it specifically comes to malware I haven’t seen much in the wild or publicly, but in the U.K. GCHQ, the country’s signals intelligence agency, has said, or a report said, it is using bulk interception, so GCHQ’s mass surveillance capabilities, to do traffic correlation attacks, and they can then unmask Darkweb users and hidden service IP addresses. That’s not malware but that is an extreme use of technological capability, I guess. And yeah, we could definitely see more of that. I think in the report the Home Office said the GCHQ had got something like 50 individuals in the past 18 months through bulk traffic analysis. That’s not malware, but yeah, that’s where stuff could go, definitely.

Question: Cool. Thanks.

Herald: I give you one last question, it will be number 4, over here.
0:28:33.680,0:28:38.580 Question: Hi, I was wondering, because you mentioned bulk analysis which I considered 0:28:38.580,0:28:44.320 to be significantly worse than targeted analysis, in the way that it violates 0:28:44.320,0:28:47.940 everybody’s liberties rather than specific individuals who are definitely engaging 0:28:47.940,0:28:52.779 in criminal activity. 0:28:52.779,0:28:57.419 So why is it you feel that there’s some kind of violation, 0:28:57.419,0:29:02.169 like these people they need to find these criminals, and the jurisdiction 0:29:02.169,0:29:05.509 needs to be significantly wider, and I understand that it’s terrible 0:29:05.509,0:29:09.280 that they’re hacking us. But at the same time they need to be caught. So how 0:29:09.280,0:29:16.789 can they make legislation that’s able to find these people legally 0:29:16.789,0:29:20.520 when it’s outside of their jurisdiction, and they might be targeting people, 0:29:20.520,0:29:24.759 if they’re doing a dragnet on a website, like your example. And they’re gonna be 0:29:24.759,0:29:27.380 hacking people that are not in their country. They can’t limit it to the people 0:29:27.380,0:29:32.290 that are in that country. And only hack those people. It’s technically impossible. 0:29:32.290,0:29:36.870 So what’s the solution for this? 0:29:36.870,0:29:41.490 Joseph: I mean, some senators in the US did propose a Stop Mass Hacking Act 0:29:41.490,0:29:46.500 which would have blocked the Rule 41 changes.
It was unsuccessful, and 0:29:46.500,0:29:50.129 in part – this is just my personal opinion – I think it’s because they 0:29:50.129,0:29:55.470 didn’t present a viable alternative. I mean, as you say, these people 0:29:55.470,0:30:01.140 need to be caught, I mean, that sort of thing, but when these senators said: 0:30:01.140,0:30:05.340 “Yeah, we need to stop all this global hacking” there was no alternative presented, 0:30:05.340,0:30:10.889 so we don’t know, basically. As for legislative changes 0:30:10.889,0:30:16.409 I think it’s more… it’s less the “Hey, here’s a concrete law or rule 0:30:16.409,0:30:21.280 that we need to fix right now”, it’s more like there’s a looming issue of 0:30:21.280,0:30:26.539 “What happens when the FBI hacks a child pornographer in Russia, or one who happens 0:30:26.539,0:30:30.409 to be a politician in another country?” Are they still gonna go, and then go 0:30:30.409,0:30:34.059 to local law enforcement, “Hey, we got this IP address of one of your senior 0:30:34.059,0:30:37.990 politicians who happens to be looking at child porn”. I mean what are the ramifications 0:30:37.990,0:30:42.029 of that gonna be? But to answer your question: we don’t really know. 0:30:42.029,0:30:46.570 It’s more of just this looming issue that law enforcement is firing malware 0:30:46.570,0:30:51.990 and asking questions later. 0:30:51.990,0:30:54.609 Herald: Thank you so much. If you got a round of applause for Joseph Cox! 0:30:54.609,0:30:58.999 applause 0:30:58.999,0:31:02.359 postroll music 0:31:02.359,0:31:22.879 Subtitles created by c3subtitles.de in the year 2017. Join, and help us!
