1
00:00:00,000 --> 00:00:14,490
33C3 preroll music
2
00:00:14,490 --> 00:00:18,480
Herald: The talk is gonna be called
“Law Enforcement Are Hacking the Planet”
3
00:00:18,480 --> 00:00:24,270
by Joseph Cox. Joseph is an investigative
journalist for Vice’s Motherboard,
4
00:00:24,270 --> 00:00:28,050
covering hackers, data breaches
and digital security. When I went
5
00:00:28,050 --> 00:00:32,890
to check him out and looked at his Twitter
account I discovered I already follow him.
6
00:00:32,890 --> 00:00:36,320
Which is funny, or it was for me
a little anecdote about the modern world.
7
00:00:36,320 --> 00:00:41,219
I recognized his avatar immediately
but not his name.
8
00:00:41,219 --> 00:00:44,500
I guess that's just something
about how we live these days.
9
00:00:44,500 --> 00:00:50,010
So then with no further ado, Joseph,
I’d like to give it over to you.
10
00:00:50,010 --> 00:00:56,740
applause
11
00:00:56,740 --> 00:01:00,590
Joseph Cox: Hello, hello hello.
12
00:01:00,590 --> 00:01:05,680
How would you react if the FBI
came over from the United States,
13
00:01:05,680 --> 00:01:11,600
came into Germany, went to an apartment
in, say, Hamburg, kicked down the door
14
00:01:11,600 --> 00:01:15,490
and then started searching the apartment?
15
00:01:15,490 --> 00:01:18,679
They haven’t been invited
by German law enforcement,
16
00:01:18,679 --> 00:01:24,289
they’re acting on their own accord.
They then seize a load of evidence
17
00:01:24,289 --> 00:01:26,979
and go back to the States.
18
00:01:26,979 --> 00:01:32,310
You might think this isn’t a great thing,
I mean what does the FBI have to do
19
00:01:32,310 --> 00:01:35,360
coming in to another country and then
20
00:01:35,360 --> 00:01:39,479
searching buildings or arresting suspects?
21
00:01:39,479 --> 00:01:43,500
But the searching is essentially
what the FBI is doing, but digitally
22
00:01:43,500 --> 00:01:49,180
with malware and hacking tools. Breaching
into computers in other countries,
23
00:01:49,180 --> 00:01:51,800
extracting evidence from them
and then sending them back to
24
00:01:51,800 --> 00:01:56,290
a government server in Virginia,
or wherever it may be.
25
00:01:56,290 --> 00:02:00,649
To be clear, we’re not talking
about a normal intelligence agency here
26
00:02:00,649 --> 00:02:04,789
like the NSA or GCHQ. They’re
gonna hack computers internationally
27
00:02:04,789 --> 00:02:10,090
all the time as part of espionage,
we expect that, maybe that’s a good thing.
28
00:02:10,090 --> 00:02:14,720
Here we’re talking about
an agency that’s predominantly
29
00:02:14,720 --> 00:02:20,030
focused on law enforcement,
hacking into computers in other countries
30
00:02:20,030 --> 00:02:25,779
as part of criminal investigations.
31
00:02:25,779 --> 00:02:31,900
I’m gonna talk about one FBI case in
particular, briefly touch upon another one
32
00:02:31,900 --> 00:02:36,209
and then just explain an operation
that was led by local Australian
33
00:02:36,209 --> 00:02:41,799
law enforcement which hacked
computers in the United States.
34
00:02:41,799 --> 00:02:46,659
At the moment, typically, these sort of
investigations are done to counter
35
00:02:46,659 --> 00:02:53,409
child sexual exploitation
or child abuse on the Darkweb.
36
00:02:53,409 --> 00:02:57,370
Just about me, briefly:
Journalist for Motherboard as mentioned,
37
00:02:57,370 --> 00:03:03,090
which is the Technology and Science
part of Vice. Hackers, cybercrime,
38
00:03:03,090 --> 00:03:08,310
the Darkweb drug trades or
stuff like Silk Road or the usual stuff.
39
00:03:08,310 --> 00:03:12,269
But for the past year I’ve been really
interested in law enforcement’s
40
00:03:12,269 --> 00:03:17,519
international use of malware.
Which brings us to
41
00:03:17,519 --> 00:03:21,120
“Operation Pacifier”.
The FBI is not very good at naming
42
00:03:21,120 --> 00:03:26,720
its child sexual exploitation
investigations.
43
00:03:26,720 --> 00:03:33,010
So in August 2014 a new Darkweb child
abuse site was launched, called “Playpen”.
44
00:03:33,010 --> 00:03:36,139
It was a Tor hidden service,
meaning that the majority of people
45
00:03:36,139 --> 00:03:40,749
who connect to it would do so
over the Tor anonymity network,
46
00:03:40,749 --> 00:03:47,040
masking their real IP address.
But because it ran as a hidden service
47
00:03:47,040 --> 00:03:51,029
the physical location of the server itself
was also protected.
48
00:03:51,029 --> 00:03:55,519
Meaning that the FBI couldn’t just go and
immediately subpoena the hosting company
49
00:03:55,519 --> 00:04:00,239
or seize the server whatever may be,
because they didn’t know where it was.
50
00:04:00,239 --> 00:04:05,170
A few months passed and Playpen is a
really, really big deal. It’s the largest
51
00:04:05,170 --> 00:04:10,780
child pornography site on the Darkweb.
215.000 members,
52
00:04:10,780 --> 00:04:17,879
117.000 posts, and an average
11.000 unique people
53
00:04:17,879 --> 00:04:22,108
were visiting every week.
54
00:04:22,108 --> 00:04:25,850
The FBI was trying to find a way in,
they were acting in an undercover capacity
55
00:04:25,850 --> 00:04:30,560
on the site as law enforcement often do
with these sorts of hidden services.
56
00:04:30,560 --> 00:04:36,430
But at one point a foreign law enforcement
agency, and we don’t know which one,
57
00:04:36,430 --> 00:04:42,250
provided the real IP address
of the Playpen server to the FBI.
58
00:04:42,250 --> 00:04:46,950
It turned out that Playpen’s administrator
who’s now been convicted, Steven Chase,
59
00:04:46,950 --> 00:04:51,750
he’d misconfigured his server
so the real IP address was exposed
60
00:04:51,750 --> 00:04:55,700
in the normal internet.
So in February 2015
61
00:04:55,700 --> 00:04:59,320
the FBI go to the North Carolina
Data Centre, they seize the server
62
00:04:59,320 --> 00:05:02,540
and they take control of Playpen.
63
00:05:02,540 --> 00:05:05,420
Just as a side note:
Steven Chase, the administrator,
64
00:05:05,420 --> 00:05:10,840
he had paid for the hosting via a Paypal
account in his own name.
65
00:05:10,840 --> 00:05:14,650
So it was incredibly easy to convict him.
If you’re gonna run
66
00:05:14,650 --> 00:05:19,030
an illegal Tor hidden service,
don’t use Paypal!
67
00:05:19,030 --> 00:05:23,320
And this is where the hacking comes in.
68
00:05:23,320 --> 00:05:27,940
Even though the FBI is in control of the
site – they can see what people are doing,
69
00:05:27,940 --> 00:05:30,980
what videos they’re watching,
as mentioned – they can’t see
70
00:05:30,980 --> 00:05:34,260
where these people are coming from
and they can’t identify them.
71
00:05:34,260 --> 00:05:37,420
So they need another way,
and what they decided to do
72
00:05:37,420 --> 00:05:42,520
is hack the computers of individual users.
73
00:05:42,520 --> 00:05:45,650
Very, very shortly after the FBI seized
the server they started to run it
74
00:05:45,650 --> 00:05:50,680
from a government facility in Virginia.
So the site is fully functioning,
75
00:05:50,680 --> 00:05:55,000
except one section that encourages people
76
00:05:55,000 --> 00:05:58,860
to produce more child porn. It’s still
a fully functional website, though.
77
00:05:58,860 --> 00:06:04,140
They run that and the FBI deploys what
it calls a “Network Investigative Technique”,
78
00:06:04,140 --> 00:06:10,060
an NIT or nit or what we would probably
just call “a piece of malware”.
79
00:06:10,060 --> 00:06:15,910
In short, and this is a really, really basic
overview, the nit just did several things.
80
00:06:15,910 --> 00:06:20,490
First somebody would log in to Playpen
and then go visit a specific
81
00:06:20,490 --> 00:06:24,870
child porn related forum.
The exploit is then automatically
82
00:06:24,870 --> 00:06:29,150
delivered to that computer.
This exploit certainly affected…
83
00:06:29,150 --> 00:06:32,650
and the underlying vulnerability
certainly affected the Tor browser.
84
00:06:32,650 --> 00:06:38,622
We don’t know if it affected Mozilla
Firefox. As many of you will know,
85
00:06:38,622 --> 00:06:42,330
Tor browsers are often based on Firefox,
and they share much of the same code base.
86
00:06:42,330 --> 00:06:45,230
But we don’t actually know
much about the vulnerability
87
00:06:45,230 --> 00:06:49,820
or the exploit at all.
All that we know is that they used
88
00:06:49,820 --> 00:06:55,390
a non publicly known vulnerability.
89
00:06:55,390 --> 00:06:59,910
And then when the exploit is delivered the
rest of the code causes the target machine
90
00:06:59,910 --> 00:07:04,470
to phone home outside of the Tor network
to a government server, and now the FBI
91
00:07:04,470 --> 00:07:08,080
has a real IP address.
92
00:07:08,080 --> 00:07:14,500
Armed with that the FBI just goes to the
ISP, Comcast, Verizon, gets a name,
93
00:07:14,500 --> 00:07:18,960
subscriber details and address,
kicks down a door, arrests the person
94
00:07:18,960 --> 00:07:22,630
– if there’s enough evidence – and
presumably, and in many many of the cases
95
00:07:22,630 --> 00:07:28,470
if not all of them, find a lot of child
porn on the suspect’s machine.
96
00:07:28,470 --> 00:07:33,450
But that’s not everything
the FBI collected with a nit,
97
00:07:33,450 --> 00:07:38,520
it also got the username,
the host name, the MAC address.
98
00:07:38,520 --> 00:07:42,750
And it also generated a unique code
per unique infection, I think
99
00:07:42,750 --> 00:07:49,710
that you could then use to correlate
activity on the site with an IP address.
100
00:07:49,710 --> 00:07:54,340
And just remember this whole time
the FBI could see what people
101
00:07:54,340 --> 00:07:59,540
were doing on the site, so “user Jimmy
went onto this section of the site
102
00:07:59,540 --> 00:08:02,830
and looked at this thread,
now we have his IP address,
103
00:08:02,830 --> 00:08:07,700
we can link it to that”.
104
00:08:07,700 --> 00:08:11,890
So the FBI deploys its malware,
105
00:08:11,890 --> 00:08:15,810
for 13 days it runs the site.
Over that amount of time,
106
00:08:15,810 --> 00:08:19,330
100.000 users log into Playpen,
which as you’ll notice
107
00:08:19,330 --> 00:08:23,490
is a lot more than 11.000, which
was apparently the average login rate.
108
00:08:23,490 --> 00:08:30,420
For some reason the site became a lot more
popular when the FBI was running it.
109
00:08:30,420 --> 00:08:33,309
You can hear whatever you want from that. (?)
110
00:08:33,309 --> 00:08:40,250
So in the U.S. the FBI gets around 1300
IP addresses of U.S. users of the site.
111
00:08:40,250 --> 00:08:45,770
Europol say they generated 3229 cases
112
00:08:45,770 --> 00:08:49,570
– I haven’t highlighted it, but it’s
in the middle column at the bottom –
113
00:08:49,570 --> 00:08:54,430
and 34 of those were in Denmark.
This is a presentation I just found online
114
00:08:54,430 --> 00:08:57,069
when I found out it was called
“Pacifier”.
115
00:08:57,069 --> 00:09:01,161
I searched that, filetype:pdf and
someone from law enforcement had
116
00:09:01,161 --> 00:09:05,909
left this online, so that was convenient.
laughter
117
00:09:05,909 --> 00:09:08,599
Austria, staying with this
part of the world,
118
00:09:08,599 --> 00:09:12,819
I think this is a letter from an MP
to a group of politicians
119
00:09:12,819 --> 00:09:16,259
just talking about the country’s
child porn investigations
120
00:09:16,259 --> 00:09:21,810
and it mentions Operation Pacifier
and 50 IP addresses so the FBI hacked
121
00:09:21,810 --> 00:09:27,180
at least 50 computers in Austria.
Latin America as well.
122
00:09:27,180 --> 00:09:29,910
Again, this is another presentation
that I found online,
123
00:09:29,910 --> 00:09:32,480
law enforcement are really, really sloppy
124
00:09:32,480 --> 00:09:35,889
with just leaving all this stuff
online, which is great.
125
00:09:35,889 --> 00:09:40,750
And you can just see Operation Pacifier
there. As for Chile it was
126
00:09:40,750 --> 00:09:46,140
local media reports that just said
‘Pacifier’, ‘Playpen’, ‘child porn arrests’
127
00:09:46,140 --> 00:09:52,279
so it was pretty easy to infer that
computers were hacked there as well.
128
00:09:52,279 --> 00:09:56,529
Australia – this is part of a
freedom of information request
129
00:09:56,529 --> 00:10:02,399
I made with the Australian federal police,
asking for documents and communications
130
00:10:02,399 --> 00:10:07,240
about Operation Pacifier. This isn’t
actually the result of the request
131
00:10:07,240 --> 00:10:09,810
this is them saying “Hey, we have
too much stuff on Operation Pacifier,
132
00:10:09,810 --> 00:10:13,630
so we can’t give it to you” which
obviously already gave me
133
00:10:13,630 --> 00:10:18,669
enough information to confirm that
Pacifier hit Australia as well.
134
00:10:18,669 --> 00:10:21,379
Anyway, you get the idea. I’m not
just gonna list all these countries
135
00:10:21,379 --> 00:10:26,790
apart from them. The U.K. and Turkey
were probably hacked as well.
136
00:10:26,790 --> 00:10:32,209
But it turns out the FBI hacked computers
in many, many more countries.
137
00:10:32,209 --> 00:10:35,859
And this just came out
end of last month, I think.
138
00:10:35,859 --> 00:10:43,790
In total the FBI hacked
8.700 computers in 120 countries.
139
00:10:43,790 --> 00:10:49,740
8.700 in 120 countries with one warrant.
140
00:10:49,740 --> 00:10:52,699
And arguably that warrant was illegal.
141
00:10:52,699 --> 00:10:56,970
But we have to back up a little bit,
just to see what that is.
142
00:10:56,970 --> 00:11:01,389
Right, okay.
So the U.S. has something called Rule 41,
143
00:11:01,389 --> 00:11:05,290
which dictates when a judge
can authorize searches
144
00:11:05,290 --> 00:11:08,859
including remote searches, so hacking.
145
00:11:08,859 --> 00:11:13,269
A judge can only authorize a search
within his or her own district.
146
00:11:13,269 --> 00:11:16,330
So if the judge is in the
Western District of Washington,
147
00:11:16,330 --> 00:11:19,350
he or she can only sign a warrant
that’s gonna search stuff
148
00:11:19,350 --> 00:11:24,270
within that district. With a few
exceptions. I think, terrorism,
149
00:11:24,270 --> 00:11:27,949
and if there’s a tracking device
and then the person moves out of state
150
00:11:27,949 --> 00:11:32,319
it’s still okay.
In the case of Playpen,
151
00:11:32,319 --> 00:11:35,970
Judge Theresa Buchanan
was in the Eastern District of Virginia,
152
00:11:35,970 --> 00:11:41,740
as you can see at the top.
Clearly, the vast majority of computers
153
00:11:41,740 --> 00:11:46,519
were not in the Eastern
District of Virginia.
154
00:11:46,519 --> 00:11:50,240
The search warrant application which is
that document that the FBI presents
155
00:11:50,240 --> 00:11:54,149
to a judge, and say “Here’s our reasons,
please sign our search warrant!”,
156
00:11:54,149 --> 00:11:59,029
it said that what was gonna be searched
was computers logging into Playpen,
157
00:11:59,029 --> 00:12:04,630
wherever located. It’s pretty
debatable how explicit that is.
158
00:12:04,630 --> 00:12:09,860
I mean, the FBI did not write “Hey we’re
gonna hack into computers no matter
159
00:12:09,860 --> 00:12:12,880
what state they’re in, what country
they’re in, anything like that, and
160
00:12:12,880 --> 00:12:16,430
we’re gonna hack into them”. The word
‘hack’ is obviously never ever used in the
161
00:12:16,430 --> 00:12:21,399
search warrant application.
So with that in mind it’s kind of unclear
162
00:12:21,399 --> 00:12:26,369
if Judge Theresa Buchanan would have
actually understood that she was signing
163
00:12:26,369 --> 00:12:32,779
a global hacking warrant. And this isn’t
castigating the judge, at all. It’s more
164
00:12:32,779 --> 00:12:38,220
that these warrant applications aren’t
very explicit. And it’s still unclear
165
00:12:38,220 --> 00:12:47,690
because Judge Buchanan won’t respond
to my requests for comment.
166
00:12:47,690 --> 00:12:54,160
So whether Operation Pacifier violated
Rule 41 has probably been the central
167
00:12:54,160 --> 00:12:59,769
component of all the legal cases that came
out after the FBI started busting people.
168
00:12:59,769 --> 00:13:03,360
Defense lawyers have brought it up, saying
“Hey, this judge did not have authority,
169
00:13:03,360 --> 00:13:06,959
you now need to throw out all the
evidence against my client”.
170
00:13:06,959 --> 00:13:11,509
According to the most recent figures, and
this might be very, very slightly out-of-date
171
00:13:11,509 --> 00:13:18,890
21 decisions have found the operation
did violate rule 41. Out of those,
172
00:13:18,890 --> 00:13:23,399
judges in four cases have thrown out all
evidence obtained by the FBI’s malware.
173
00:13:23,399 --> 00:13:27,410
So that obviously includes the main bit
of evidence, which is the IP address,
174
00:13:27,410 --> 00:13:31,040
but then also everything that came after
that. I mean the only reason the FBI
175
00:13:31,040 --> 00:13:34,730
found child porn on people’s devices is
because the IP address led them there.
176
00:13:34,730 --> 00:13:38,749
So all of that child porn is also struck
from the record as well.
177
00:13:38,749 --> 00:13:49,070
And those people are essentially free,
by DOJ appeals which are ongoing.
178
00:13:49,070 --> 00:13:54,600
Whether people based outside the United
States will have a similar sort of defense
179
00:13:54,600 --> 00:13:59,119
is kind of unclear at the moment. The
IP address could fall under something
180
00:13:59,119 --> 00:14:05,550
like the Third-Party Doctrine, whereas in:
if there’s a German suspect,
181
00:14:05,550 --> 00:14:10,329
and they tried to challenge the legality
of the search the German police may say:
182
00:14:10,329 --> 00:14:13,120
“Hey, look, we didn’t do the hacking,
we just got given this IP address
183
00:14:13,120 --> 00:14:19,600
by third party”. And then the defense
might not have much like to stand on.
184
00:14:19,600 --> 00:14:25,200
But I do know of one lawyer in a country
outside the U.S. who is going to challenge
185
00:14:25,200 --> 00:14:29,220
the legality of that hacking operation.
I can’t really say where he is right now
186
00:14:29,220 --> 00:14:34,089
because I think that’s still sourcing out (?)
but that’s gonna be really, really interesting
187
00:14:34,089 --> 00:14:39,089
when that happens, hopefully in the new
year. So forget everything I just told you
188
00:14:39,089 --> 00:14:43,749
about Rule 41 because it doesn’t matter
any more. Earlier this month changes
189
00:14:43,749 --> 00:14:49,930
to Rule 41 came into place. Meaning that
judges now can authorize searches
190
00:14:49,930 --> 00:14:56,149
outside of their district. So if the Playpen
warrant was signed today it probably
191
00:14:56,149 --> 00:14:59,110
would not violate Rule 41, and the FBI
wouldn’t have done anything wrong.
192
00:14:59,110 --> 00:15:04,360
Or the DOJ wouldn’t have done anything
wrong. And I just wanna emphasize that
193
00:15:04,360 --> 00:15:09,940
these changes to Rule 41 came about
in part, specifically because of
194
00:15:09,940 --> 00:15:14,060
the problem that anonymity networks and
Tor present to law enforcement.
195
00:15:14,060 --> 00:15:18,399
It’s not like Operation Pacifier was over
here, FBI doing its thing, and the DOJ
196
00:15:18,399 --> 00:15:24,079
was sorting out these Rule 41 changes. The
changes have come specifically in response
197
00:15:24,079 --> 00:15:30,539
to criminal investigations
on the so-called “Darkweb”.
198
00:15:30,539 --> 00:15:35,269
And that’s just this Department quote
here: “We believe technology should
199
00:15:35,269 --> 00:15:39,660
not create a lawless zone merely because
a procedural rule has not kept up
200
00:15:39,660 --> 00:15:45,200
with the times”. Their argument is that
Rule 41 is basically an antique,
201
00:15:45,200 --> 00:15:48,829
and they need to change the rules to keep
up with criminals that are using stuff
202
00:15:48,829 --> 00:15:53,819
like Tor or VPNs. So that was Pacifier.
203
00:15:53,819 --> 00:15:58,769
That’s the largest law enforcement hacking
operation to date that we know about.
204
00:15:58,769 --> 00:16:02,220
Just very, very briefly I’m gonna talk
about another FBI one where they likely
205
00:16:02,220 --> 00:16:07,089
hacked into computers abroad. This one
is called “Torpedo” which is even worse
206
00:16:07,089 --> 00:16:12,480
than Operation Pacifier when it comes
to child porn names.
207
00:16:12,480 --> 00:16:17,300
In 2012 or 2013 the FBI take over
Freedom Hosting which is
208
00:16:17,300 --> 00:16:22,970
sort of a turnkey hosting provider.
You sign up to the service
209
00:16:22,970 --> 00:16:27,939
that hosts your Darkweb site. It doesn’t
matter if it’s legal or not, whatever.
210
00:16:27,939 --> 00:16:33,149
The FBI sees it, they deploy an NIT
again, a piece of malware.
211
00:16:33,149 --> 00:16:41,699
And this time the FBI trying (?) identify
users of 23 different child pornography sites.
212
00:16:41,699 --> 00:16:44,920
In the warrant application there’s
a section specifically about
213
00:16:44,920 --> 00:16:49,369
a Hungarian language site.
I mean even the FBI officer
214
00:16:49,369 --> 00:16:53,509
– I think it’s the FBI writing it – says:
“Oh, if you put this into Google Translate
215
00:16:53,509 --> 00:16:59,939
it means this, it’s Hungarian, blablabla”.
As I mentioned in the Playpen example
216
00:16:59,939 --> 00:17:03,370
the FBI did not know where the computers
that they were going to hack
217
00:17:03,370 --> 00:17:07,410
were located. This is an interesting case
because I’m going to guess
218
00:17:07,410 --> 00:17:13,220
that a lot of the users of a Hungarian
language site are probably in Hungary.
219
00:17:13,220 --> 00:17:16,760
So the FBI might have had some idea
that they were gonna hack computers there.
220
00:17:16,760 --> 00:17:20,659
Did the FBI warn Hungarian law
enforcement? Did they get permission
221
00:17:20,659 --> 00:17:24,400
of the Hungarian authorities to hack
computers in their country?
222
00:17:24,400 --> 00:17:30,519
We don’t know yet.
And I somehow doubt it.
223
00:17:30,519 --> 00:17:36,829
And then just finally it’s – excuse me –
it’s not just the FBI
224
00:17:36,829 --> 00:17:40,419
that’s using hacking tools
to target suspects overseas.
225
00:17:40,419 --> 00:17:45,120
A local Australian police department,
Queensland Police,
226
00:17:45,120 --> 00:17:49,510
has a specialized task force
for child sexual exploitation,
227
00:17:49,510 --> 00:17:52,529
Taskforce Argos.
228
00:17:52,529 --> 00:17:56,750
And they were the ones that led this
operation. There wasn’t any sort of
229
00:17:56,750 --> 00:18:00,740
an official statement from Queensland
Police saying: “Hey look, we unmasked
230
00:18:00,740 --> 00:18:05,860
all of these criminals in the U.S.”.
It was only by piecing together
231
00:18:05,860 --> 00:18:11,760
pretty spread-out (?) U.S. court documents
that I could map the contours of this
232
00:18:11,760 --> 00:18:15,830
hacking operation that everyone
kind of wants to keep quiet about.
233
00:18:15,830 --> 00:18:21,520
So in 2014 Taskforce Argos take over
another Darkweb child porn site
234
00:18:21,520 --> 00:18:28,640
called ‘The Love Zone’. They run it – not
for 13 days like the FBI but for 6 months,
235
00:18:28,640 --> 00:18:34,760
posing as the site’s administrator
who they’d already arrested.
236
00:18:34,760 --> 00:18:39,279
According to one document – not this one –
the Australians obtained at least
237
00:18:39,279 --> 00:18:45,490
30 IP addresses of U.S. based
users of the site. I don’t know
238
00:18:45,490 --> 00:18:48,419
about other countries yet, it’s only
through these U.S. court documents
239
00:18:48,419 --> 00:18:54,100
that we’ve been able to figure this out.
And the way they did it was
240
00:18:54,100 --> 00:18:57,779
pretty different to the FBI. What they
would do is they would send a link
241
00:18:57,779 --> 00:19:05,350
to a suspect, for a video file.
The suspect would click the link,
242
00:19:05,350 --> 00:19:09,919
they will get a warning, saying: “Warning,
you’re opening a file on an external site,
243
00:19:09,919 --> 00:19:14,110
do you want to continue?” Something to
that effect. If the person ignored
244
00:19:14,110 --> 00:19:19,240
the warning and clicked “Yes”
a video of real child pornography
245
00:19:19,240 --> 00:19:22,590
played on the suspect’s machine,
and then that video phoned home
246
00:19:22,590 --> 00:19:28,539
to an Australian server. I mean, you can
debate whether this is hacking or not.
247
00:19:28,539 --> 00:19:34,130
I mean the FBI weren’t clearly delivering
a Tor browser exploit with malware etc.
248
00:19:34,130 --> 00:19:38,380
Is this hacking? I would say so. If we
think the phishing for Government e-mails
249
00:19:38,380 --> 00:19:43,740
is hacking – sure. But that’s kind of the
trivial debate, anyway. The real debate
250
00:19:43,740 --> 00:19:49,240
is: was this a search in illegal sense of
the word? Did the Australians obtain
251
00:19:49,240 --> 00:19:54,429
information from a private place, namely
a private computer, in a private residence,
252
00:19:54,429 --> 00:19:58,299
and did they get a search warrant to do
that? And again, we don’t know,
253
00:19:58,299 --> 00:20:03,550
because they won’t talk to me.
254
00:20:03,550 --> 00:20:08,590
So clearly, that was all about child abuse
and child pornography investigations.
255
00:20:08,590 --> 00:20:13,190
Insofar this sort of international hacking,
as far as we know, as far as I know,
256
00:20:13,190 --> 00:20:18,149
has only been used for those sorts of
investigations. But as for the future
257
00:20:18,149 --> 00:20:25,100
with Rule 41, the changes there, we could
presumably see it to go to other types
258
00:20:25,100 --> 00:20:30,399
of investigations, maybe Darkweb drug
markets. Plenty of these markets have
259
00:20:30,399 --> 00:20:35,159
dedicated vendor-only sections that you
can only log in to if you are a drug dealer
260
00:20:35,159 --> 00:20:41,090
on the site. I mean here, this isn’t from
NIT or a malware investigation.
261
00:20:41,090 --> 00:20:45,300
This is when Carnegie Mellon University
attacked the Tor network, obtained
262
00:20:45,300 --> 00:20:49,360
IP addresses, and then gave those – well,
was subpoenaed for those and gave them
263
00:20:49,360 --> 00:20:55,490
to the FBI. But the key part is that in
this search warrant it’s saying: “Hey look,
264
00:20:55,490 --> 00:20:58,370
there’s probable cause because this
suspect was logging in to the
265
00:20:58,370 --> 00:21:03,570
drug dealer-only section of Silk Road 2.0
so we have reason to raid his house”.
266
00:21:03,570 --> 00:21:07,890
I can easily see this sort of section
being in a malware warrant or an NIT
267
00:21:07,890 --> 00:21:14,240
warrant, as well. And then I suppose the
other more obvious example
268
00:21:14,240 --> 00:21:18,529
– if that hasn’t happened already –
is putting a piece of malware to hack
269
00:21:18,529 --> 00:21:23,440
suspects internationally on a Jihadi
forum. Maybe in administrator or moderator
270
00:21:23,440 --> 00:21:28,549
sections, so you know you’re gonna be
targeting high-ranking members of the forum.
271
00:21:28,549 --> 00:21:31,330
I mean I personally don’t know if that
would be the FBI or another agency
272
00:21:31,330 --> 00:21:35,530
doing that. But that’s clearly somewhere
where malware can be useful
273
00:21:35,530 --> 00:21:42,510
in an international context. But apart from
predicting where this might go, I mean,
274
00:21:42,510 --> 00:21:47,330
clearly this is gonna continue, just a few
weeks ago there was a Firefox zeroday
275
00:21:47,330 --> 00:21:52,720
out in the wild. Me and my colleague
Lorenzo tracked it back to a specific
276
00:21:52,720 --> 00:21:57,020
child porn site in the Darkweb where
that 0-day had been deployed.
277
00:21:57,020 --> 00:22:02,010
So this is an active thing.
This is still going on.
278
00:22:02,010 --> 00:22:07,399
And that’s it. But… just a last thing
if you have any documents, data,
279
00:22:07,399 --> 00:22:12,460
information, tips on FBI malware,
law enforcement malware, who is using it,
280
00:22:12,460 --> 00:22:17,609
who is buying it, how they’re using it –
these are my various contact channels.
281
00:22:17,609 --> 00:22:19,070
Thanks a lot!
applause
282
00:22:19,070 --> 00:22:29,580
ongoing applause
283
00:22:29,580 --> 00:22:35,450
Herald: Thank you, Joseph.
Thank you.
284
00:22:35,450 --> 00:22:41,890
Any questions from the audience?
285
00:22:41,890 --> 00:22:45,599
Oh, we got one on [microphone] 4.
286
00:22:45,599 --> 00:22:49,480
Question: Thanks for the talk.
Really nice. Quick question,
287
00:22:49,480 --> 00:22:54,360
you’ve presented
some pretty illegal things.
288
00:22:54,360 --> 00:22:59,480
On both sides.
On child pornography,
289
00:22:59,480 --> 00:23:03,520
and all of those things.
And on the law enforcer’s side.
290
00:23:03,520 --> 00:23:09,720
Now my question is, did you intentionally
mention those really illegal aspects
291
00:23:09,720 --> 00:23:16,310
like child pornography to justify the
actions of the FBI in any way?
292
00:23:16,310 --> 00:23:19,830
Joseph: You mean, did I specifically
speak about child pornography
293
00:23:19,830 --> 00:23:22,370
to justify the FBI’s actions?
Question: Yes.
294
00:23:22,370 --> 00:23:28,080
Joseph: No. This is just… I mean child
pornography and child sexual exploitation
295
00:23:28,080 --> 00:23:32,449
is where law enforcement are using the
really cool stuff. This is where they’re
296
00:23:32,449 --> 00:23:37,219
using their Tor Browser exploits. This is
where they’re using their Firefox zerodays.
297
00:23:37,219 --> 00:23:41,330
And I’m just attracted to where the cops
are doing interesting things.
298
00:23:41,330 --> 00:23:47,220
So, if it was on drug markets I’d cover
that as well. But at the moment,
299
00:23:47,220 --> 00:23:52,190
at least to my knowledge, it’s just
localized to the child pornography
300
00:23:52,190 --> 00:23:55,730
investigations. Presumably, because law
enforcement feel like not many people
301
00:23:55,730 --> 00:23:59,620
are going to argue with them with maybe
doing illegal search for child porn
302
00:23:59,620 --> 00:24:03,889
because everybody finds that crime
abhorrent. But, no, that’s just
303
00:24:03,889 --> 00:24:05,179
how it is at the moment.
304
00:24:05,179 --> 00:24:08,840
Question: Okay, let me rephrase that.
Do you feel it’s justified for them
305
00:24:08,840 --> 00:24:10,999
to use exploits?
306
00:24:10,999 --> 00:24:13,429
Joseph: Do I feel it’s justified for
them to use exploits? I don’t think
307
00:24:13,429 --> 00:24:19,400
there’s anything intrinsically wrong
with law enforcement hacking.
308
00:24:19,400 --> 00:24:24,549
But even though child pornography is
an absolutely disgusting crime
309
00:24:24,549 --> 00:24:29,110
and I can’t find it, obviously, any way
to justify it I also want law enforcement
310
00:24:29,110 --> 00:24:32,419
to follow the law.
And to respect the law as well.
311
00:24:32,419 --> 00:24:37,499
applause
312
00:24:37,499 --> 00:24:43,489
Question: Thank you.
ongoing applause
313
00:24:43,489 --> 00:24:49,779
Herald: Any other questions?
Anybody from IRC?
314
00:24:49,779 --> 00:24:52,779
The (?) on 5, go ahead.
315
00:24:52,779 --> 00:24:56,560
Question: Well, I wanted to ask probably
the same question whether it’s dubious
316
00:24:56,560 --> 00:25:00,570
from the moral point of view?
And you already answered it.
317
00:25:00,570 --> 00:25:05,240
You don’t see it dubious as I understand,
right? As the legislation can be questioned,
318
00:25:05,240 --> 00:25:11,160
and should be rearranged there is not much
ethical discussion whether this should be
319
00:25:11,160 --> 00:25:16,070
done or not. But while you were at the
topic for a while: do you have any other
320
00:25:16,070 --> 00:25:20,309
proposals how to resolve this issue,
maybe? Technically,
321
00:25:20,309 --> 00:25:22,159
from the technical point of view.
322
00:25:22,159 --> 00:25:25,029
Joseph: Sure. So I mean, just before
I answer that I just wanna make clear
323
00:25:25,029 --> 00:25:30,230
that I’m, like a journalist,
not an activist or a technologist.
324
00:25:30,230 --> 00:25:34,049
I don’t think it will be right for me to
say this is how we should combat this.
325
00:25:34,049 --> 00:25:38,350
I’m just saying, hey, that’s what
the FBI did. That sort of thing.
326
00:25:38,350 --> 00:25:45,269
But to answer the question, I think
Mozilla and Tor have been working
327
00:25:45,269 --> 00:25:50,539
on a way to stop this sort of
de-anonymization attack, that,
328
00:25:50,539 --> 00:25:55,799
when the FBI would hit a computer with
their exploits and then the NIT code
329
00:25:55,799 --> 00:26:00,690
would deploy, that’s not enough. I really
can’t remember the technical details
330
00:26:00,690 --> 00:26:04,970
off the top (?) in my head, but there is an
article online that I wrote.
331
00:26:04,970 --> 00:26:08,279
But then they would have
to break out of the sandbox as well.
332
00:26:08,279 --> 00:26:11,840
But more to answer your question
generally: there are technological solutions
333
00:26:11,840 --> 00:26:16,800
that people are making here. And they
could be live pretty soon. But then
334
00:26:16,800 --> 00:26:20,200
what is the FBI gonna do after that?
They’re not gonna stop making malware.
335
00:26:20,200 --> 00:26:25,099
They’re gonna… they’ll deploy a nit that
will then rummage through your computer
336
00:26:25,099 --> 00:26:28,629
and find incriminating documents and then
phone home. If they can’t get your real
337
00:26:28,629 --> 00:26:33,980
IP address they’re gonna
get evidence somehow.
338
00:26:33,980 --> 00:26:36,010
Herald: No.1 was up next.
339
00:26:36,010 --> 00:26:40,779
Question: Hi Joseph. In your background
research on law enforcement
340
00:26:40,779 --> 00:26:45,659
using technology like this to target child
porn sites. So you profiled the FBI
341
00:26:45,659 --> 00:26:49,480
on how they may have (?)(?) around
some of the letter of the law
342
00:26:49,480 --> 00:26:53,100
in order to get done the job they needed
to get done. Are the other law enforcement
343
00:26:53,100 --> 00:26:57,690
agencies you found that are kind of like
a gold standard in their approach
344
00:26:57,690 --> 00:27:01,831
to solving this problem that abide
by the rules, and maybe
345
00:27:01,831 --> 00:27:03,810
solve this problem in a different way?
346
00:27:03,810 --> 00:27:06,900
Joseph: When you say… so the question
was, are there other law enforcement
347
00:27:06,900 --> 00:27:11,530
agencies who may be better or the same
sort of standard (?) as the FBI this problem.
348
00:27:11,530 --> 00:27:15,129
When you say “this problem” you mean
“combating child porn on the Darkweb”?
349
00:27:15,129 --> 00:27:17,890
Question: Yeah, clearly something needs to
be done about these sites. And there’s
350
00:27:17,890 --> 00:27:23,500
a limited number of options available.
So the FBI is kind of busted out (?)
351
00:27:23,500 --> 00:27:26,810
in trying every single piece of technology
they can to solve it. But are there others
352
00:27:26,810 --> 00:27:31,900
that maybe take a more restraint approach
but still solve the problem?
353
00:27:31,900 --> 00:27:37,710
Joseph: When it specifically comes
to malware I haven’t seen much
354
00:27:37,710 --> 00:27:44,450
in the wild or publicly but in the U.K.
GCHQ, the country’s
355
00:27:44,450 --> 00:27:51,259
signals intelligence agency has said,
or a report said, it is using
356
00:27:51,259 --> 00:27:57,039
bulk interception, so GCHQ’s mass
surveillance capabilities, to do
357
00:27:57,039 --> 00:28:00,580
traffic correlation attacks, and they
can then unmask Darkweb users
358
00:28:00,580 --> 00:28:05,639
and hidden service IP addresses.
That’s not malware but that is
359
00:28:05,639 --> 00:28:11,450
an extreme use of technological
capability, I guess.
360
00:28:11,450 --> 00:28:17,029
And yeah, we could definitely see
more of that. I think in the report
361
00:28:17,029 --> 00:28:21,130
the Home Office said the GCHQ had got
something like 50 individuals
362
00:28:21,130 --> 00:28:26,379
in the past 18 months through bulk traffic
analysis. That’s not malware,
363
00:28:26,379 --> 00:28:28,450
but yeah, that’s where stuff could go,
definitely.
364
00:28:28,450 --> 00:28:30,450
Question: Cool. Thanks.
365
00:28:30,450 --> 00:28:33,680
Herald: I give you one last question,
it will be number 4, over here.
366
00:28:33,680 --> 00:28:38,580
Question: Hi, I was wondering, because you
mentioned bulk analysis which I considered
367
00:28:38,580 --> 00:28:44,320
to be significantly worse than targeted
analysis, in the way that it violates
368
00:28:44,320 --> 00:28:47,940
everybody’s liberties rather than specific
individuals who are definitely engaging
369
00:28:47,940 --> 00:28:52,779
in criminal activity.
370
00:28:52,779 --> 00:28:57,419
So why is it you feel that there’s
some kind of violation,
371
00:28:57,419 --> 00:29:02,169
like these people they need to find
these criminals, and the jurisdiction
372
00:29:02,169 --> 00:29:05,509
needs to be significantly wider,
and I understand that it’s terrible
373
00:29:05,509 --> 00:29:09,280
that they’re hacking us. But at the same
time they need to be caught. So how
374
00:29:09,280 --> 00:29:16,789
can they make legislation that’s
able to find these people legally
375
00:29:16,789 --> 00:29:20,520
when it’s outside of their jurisdiction,
and they might be targeting people,
376
00:29:20,520 --> 00:29:24,759
if they’re doing a dragnet on a website,
like you’re example. And they’re gonna be
377
00:29:24,759 --> 00:29:27,380
hacking people that are not in their
country. They can’t limit it to the people
378
00:29:27,380 --> 00:29:32,290
that are in that country. And only hack
those people. It’s technically impossible.
379
00:29:32,290 --> 00:29:36,870
So what’s the solution for this?
380
00:29:36,870 --> 00:29:41,490
Joseph: I mean, some senators in the US
did propose a Stop Mass Hacking Act
381
00:29:41,490 --> 00:29:46,500
which would have blocked the Rule 41
changes. It was unsuccessful, and
382
00:29:46,500 --> 00:29:50,129
in part – this is just my personal
opinion – I think it’s because they
383
00:29:50,129 --> 00:29:55,470
didn’t present a viable alternative.
I mean, as you say, these people
384
00:29:55,470 --> 00:30:01,140
need to be caught, I mean, that sort of
thing, but when these senators said:
385
00:30:01,140 --> 00:30:05,340
“Yeah, we need to stop all this global
hacking” there was no alternative presented,
386
00:30:05,340 --> 00:30:10,889
so we don’t know, basically.
As for legislative changes
387
00:30:10,889 --> 00:30:16,409
I think it’s more… it’s less the
“Hey, here’s a concrete law or rule
388
00:30:16,409 --> 00:30:21,280
that we need to fix right now”, it’s more
like there’s a looming issue of
389
00:30:21,280 --> 00:30:26,539
“What happens when the FBI hacks a child
pornographer in Russia, or one who happens
390
00:30:26,539 --> 00:30:30,409
to be a politician in another country?”
Are they still gonna go, and then go
391
00:30:30,409 --> 00:30:34,059
to local law enforcement, “Hey, we got
this IP address of one of your senior
392
00:30:34,059 --> 00:30:37,990
politicians who happens to be looking at
child porn”. I mean what are the ramifications
393
00:30:37,990 --> 00:30:42,029
of that gonna be? But to answer your
question: we don’t really know.
394
00:30:42,029 --> 00:30:46,570
It’s more of just this looming issue that
law enforcements are firing malware
395
00:30:46,570 --> 00:30:51,990
and asking questions later.
396
00:30:51,990 --> 00:30:54,609
Herald: Thank you so much. If you got
a round of applause for Joseph Cox!
397
00:30:54,609 --> 00:30:58,999
applause
398
00:30:58,999 --> 00:31:02,359
postroll music
399
00:31:02,359 --> 00:31:22,879
Subtitles created by c3subtitles.de
in the year 2017. Join, and help us!