[33C3 preroll music]

Herald: The talk is going to be called "Law Enforcement Are Hacking the Planet" by Joseph Cox. Joseph is an investigative journalist for Vice's Motherboard, covering hackers, data breaches and digital security. When I went to check him out and looked at his Twitter account I discovered I already follow him. Which is funny, or it was for me, a little anecdote about the modern world. I recognized his avatar immediately but not his name. I guess that's just something about how we live these days. So then, with no further ado, Joseph, I'd like to hand it over to you.

[applause]

Joseph Cox: Hello, hello, hello. How would you react if the FBI came over from the United States, came into Germany, went to an apartment in, say, Hamburg, kicked down the door and then started searching the apartment? They haven't been invited by German law enforcement; they're acting of their own accord. They then seize a load of evidence and go back to the States. You might think this isn't a great thing. I mean, what does the FBI have to do coming into another country and then searching buildings or arresting suspects? But that searching is essentially what the FBI is doing, just digitally, with malware and hacking tools: breaching into computers in other countries, extracting evidence from them and then sending it back to a government server in Virginia, or wherever it may be. To be clear, we're not talking about a normal intelligence agency here like the NSA or GCHQ. They're going to hack computers internationally all the time as part of espionage; we expect that, maybe that's a good thing. Here we're talking about an agency that's predominantly focused on law enforcement, hacking into computers in other countries as part of criminal investigations. I'm going to talk about one FBI case in particular, briefly touch upon another one and then explain an operation that was led by local Australian law enforcement which hacked computers in the United States.
At the moment, typically, these sorts of investigations are done to counter child sexual exploitation or child abuse on the Darkweb. Just about me, briefly: journalist for Motherboard, as mentioned, which is the technology and science part of Vice. Hackers, cybercrime, the Darkweb drug trade, stuff like Silk Road, the usual stuff. But for the past year I've been really interested in law enforcement's international use of malware. Which brings us to "Operation Pacifier". The FBI is not very good at naming its child sexual exploitation investigations. So in August 2014 a new Darkweb child abuse site was launched, called "Playpen". It was a Tor hidden service, meaning that the majority of people who connected to it would do so over the Tor anonymity network, masking their real IP address. But because it ran as a hidden service, the physical location of the server itself was also protected, meaning that the FBI couldn't just go and immediately subpoena the hosting company or seize the server, whatever it may be, because they didn't know where it was. A few months pass and Playpen is a really, really big deal. It's the largest child pornography site on the Darkweb: 215,000 members, 117,000 posts, and an average of 11,000 unique people visiting every week. The FBI was trying to find a way in; they were acting in an undercover capacity on the site, as law enforcement often do with these sorts of hidden services. But at one point a foreign law enforcement agency, and we don't know which one, provided the real IP address of the Playpen server to the FBI. It turned out that Playpen's administrator, who's now been convicted, Steven Chase, had misconfigured his server so the real IP address was exposed on the normal internet. So in February 2015 the FBI go to the North Carolina data centre, they seize the server and they take control of Playpen. Just as a side note: Steven Chase, the administrator, had paid for the hosting via a PayPal account in his own name.
So it was incredibly easy to convict him. If you're going to run an illegal Tor hidden service, don't use PayPal! And this is where the hacking comes in. Even though the FBI is in control of the site – they can see what people are doing, what videos they're watching, as mentioned – they can't see where these people are coming from and they can't identify them. So they need another way, and what they decided to do is hack the computers of individual users. Very, very shortly after the FBI seized the server they started to run it from a government facility in Virginia. So the site is fully functioning, except one section that encourages people to produce more child porn. It's still a fully functional website, though. They run that, and the FBI deploys what it calls a "Network Investigative Technique", an NIT, or what we would probably just call "a piece of malware". In short, and this is a really, really basic overview, the NIT just did several things. First somebody would log in to Playpen and then go and visit a specific child porn related forum. The exploit is then automatically delivered to that computer. This exploit, and the underlying vulnerability, certainly affected the Tor Browser. We don't know if it affected Mozilla Firefox. As many of you will know, Tor browsers are often based on Firefox, and they share much of the same code base. But we don't actually know much about the vulnerability or the exploit at all. All that we know is that they used a non-publicly-known vulnerability. And then when the exploit is delivered, the rest of the code causes the target machine to phone home, outside of the Tor network, to a government server, and now the FBI has a real IP address.
Armed with that, the FBI just goes to the ISP, Comcast, Verizon, gets a name, subscriber details and address, kicks down a door, arrests the person – if there's enough evidence – and presumably, in many, many of the cases if not all of them, finds a lot of child porn on the suspect's machine. But that's not everything the FBI collected with an NIT; it also got the username, the host name, the MAC address. And it also generated a unique code per unique infection, which I think you could then use to correlate activity on the site with an IP address. And just remember, this whole time the FBI could see what people were doing on the site, so "user Jimmy went onto this section of the site and looked at this thread, now we have his IP address, we can link it to that". So the FBI deploys its malware, and for 13 days it runs the site. Over that amount of time 100,000 users log into Playpen, which as you'll notice is a lot more than 11,000, which was apparently the average login rate. For some reason the site became a lot more popular when the FBI was running it. You can hear whatever you want from that. (?) So in the U.S. the FBI gets around 1,300 IP addresses of U.S. users of the site. Europol say they generated 3,229 cases – I haven't highlighted it, but it's in the middle column at the bottom – and 34 of those were in Denmark. This is a presentation I just found online when I found out it was called "Pacifier". I searched that, filetype:pdf, and someone from law enforcement had left this online, so that was convenient. [laughter] Austria, staying with this part of the world: I think this is a letter from an MP to a group of politicians just talking about the country's child porn investigations, and it mentions Operation Pacifier and 50 IP addresses, so the FBI hacked at least 50 computers in Austria. Latin America as well. Again, this is another presentation that I found online; law enforcement are really, really sloppy with just leaving all this stuff online, which is great.
And you can just see Operation Pacifier there. As for Chile, it was local media reports that just said 'Pacifier', 'Playpen', 'child porn arrests', so it was pretty easy to infer that computers were hacked there as well. Australia – this is part of a freedom of information request I made to the Australian Federal Police, asking for documents and communications about Operation Pacifier. This isn't actually the result of the request; this is them saying "Hey, we have too much stuff on Operation Pacifier, so we can't give it to you", which obviously already gave me enough information to confirm that Pacifier hit Australia as well. Anyway, you get the idea. I'm not just going to list all these countries. Apart from them, the U.K. and Turkey were probably hacked as well. But it turns out the FBI hacked computers in many, many more countries. And this just came out at the end of last month, I think. In total the FBI hacked 8,700 computers in 120 countries. 8,700 in 120 countries, with one warrant. And arguably that warrant was illegal. But we have to back up a little bit, just to see what that is. Right, okay. So the U.S. has something called Rule 41, which dictates when a judge can authorize searches, including remote searches, so hacking. A judge can only authorize a search within his or her own district. So if the judge is in the Western District of Washington, he or she can only sign a warrant that's going to search stuff within that district. With a few exceptions: I think terrorism, and if there's a tracking device and then the person moves out of state it's still okay. In the case of Playpen, Judge Theresa Buchanan was in the Eastern District of Virginia, as you can see at the top. Clearly, the vast majority of computers were not in the Eastern District of Virginia.
The search warrant application, which is the document that the FBI presents to a judge to say "Here are our reasons, please sign our search warrant!", said that what was going to be searched was computers logging into Playpen, wherever located. It's pretty debatable how explicit that is. I mean, the FBI did not write "Hey, we're going to hack into computers no matter what state they're in, what country they're in, anything like that". The word 'hack' is obviously never ever used in the search warrant application. So with that in mind it's kind of unclear whether Judge Theresa Buchanan would have actually understood that she was signing a global hacking warrant. And this isn't castigating the judge, at all. It's more that these warrant applications aren't very explicit. And it's still unclear because Judge Buchanan won't respond to my requests for comment. So whether Operation Pacifier violated Rule 41 has probably been the central component of all the legal cases that came out after the FBI started busting people. Defense lawyers have brought it up, saying "Hey, this judge did not have authority, you now need to throw out all the evidence against my client". According to the most recent figures, and this might be very, very slightly out of date, 21 decisions have found the operation did violate Rule 41. Out of those, judges in four cases have thrown out all evidence obtained by the FBI's malware. So that obviously includes the main bit of evidence, which is the IP address, but then also everything that came after that. I mean, the only reason the FBI found child porn on people's devices is because the IP address led them there. So all of that child porn is also struck from the record as well. And those people are essentially free, barring DOJ appeals, which are ongoing. Whether people based outside the United States will have a similar sort of defense is kind of unclear at the moment.
The IP address could fall under something like the third-party doctrine, as in: if there's a German suspect and they tried to challenge the legality of the search, the German police may say: "Hey, look, we didn't do the hacking, we just got given this IP address by a third party". And then the defense might not have much to stand on. But I do know of one lawyer in a country outside the U.S. who is going to challenge the legality of that hacking operation. I can't really say where he is right now because I think that's still sourcing out (?), but that's going to be really, really interesting when that happens, hopefully in the new year. So forget everything I just told you about Rule 41, because it doesn't matter any more. Earlier this month changes to Rule 41 came into force, meaning that judges now can authorize searches outside of their district. So if the Playpen warrant was signed today it probably would not violate Rule 41, and the FBI wouldn't have done anything wrong. Or the DOJ wouldn't have done anything wrong. And I just want to emphasize that these changes to Rule 41 came about in part specifically because of the problem that anonymity networks and Tor present to law enforcement. It's not like Operation Pacifier was over here, the FBI doing its thing, and the DOJ was sorting out these Rule 41 changes. The changes have come specifically in response to criminal investigations on the so-called "Darkweb". And that's just this Department quote here: "We believe technology should not create a lawless zone merely because a procedural rule has not kept up with the times". Their argument is that Rule 41 is basically an antique, and they need to change the rules to keep up with criminals that are using stuff like Tor or VPNs. So that was Pacifier. That's the largest law enforcement hacking operation to date that we know about. Just very, very briefly I'm going to talk about another FBI one where they likely hacked into computers abroad.
This one is called "Torpedo", which is even worse than Operation Pacifier when it comes to child porn names. In 2012 or 2013 the FBI take over Freedom Hosting, which is sort of a turnkey hosting provider: you sign up to the service and it hosts your Darkweb site. It doesn't matter if it's legal or not, whatever. The FBI seizes it, they deploy an NIT again, a piece of malware. And this time the FBI is trying (?) to identify users of 23 different child pornography sites. In the warrant application there's a section specifically about a Hungarian language site. I mean, even the FBI officer – I think it's the FBI writing it – says: "Oh, if you put this into Google Translate it means this, it's Hungarian, blah blah blah". As I mentioned in the Playpen example, the FBI did not know where the computers that they were going to hack were located. This is an interesting case because I'm going to guess that a lot of the users of a Hungarian language site are probably in Hungary. So the FBI might have had some idea that they were going to hack computers there. Did the FBI warn Hungarian law enforcement? Did they get permission from the Hungarian authorities to hack computers in their country? We don't know yet. And I somehow doubt it. And then just finally – excuse me – it's not just the FBI that's using hacking tools to target suspects overseas. A local Australian police department, Queensland Police, has a specialized task force for child sexual exploitation, Taskforce Argos. And they were the ones that led this operation. There wasn't any sort of official statement from Queensland Police saying: "Hey look, we unmasked all of these criminals in the U.S.". It was only by piecing together pretty spread-out (?) U.S. court documents that I could map the contours of this hacking operation that everyone kind of wants to keep quiet about. So in 2014 Taskforce Argos take over another Darkweb child porn site called 'The Love Zone'.
They run it – not for 13 days like the FBI but for 6 months – posing as the site's administrator, whom they'd already arrested. According to one document – not this one – the Australians obtained at least 30 IP addresses of U.S.-based users of the site. I don't know about other countries yet; it's only through these U.S. court documents that we've been able to figure this out. And the way they did it was pretty different to the FBI. What they would do is send a link to a suspect, for a video file. The suspect would click the link and get a warning saying: "Warning, you're opening a file on an external site, do you want to continue?", something to that effect. If the person ignored the warning and clicked "Yes", a video of real child pornography played on the suspect's machine, and then that video phoned home to an Australian server. I mean, you can debate whether this is hacking or not. I mean, the FBI weren't clearly delivering a Tor Browser exploit with malware, etc. Is this hacking? I would say so. If we think that phishing for government e-mails is hacking – sure. But that's kind of the trivial debate, anyway. The real debate is: was this a search in the legal sense of the word? Did the Australians obtain information from a private place, namely a private computer in a private residence, and did they get a search warrant to do that? And again, we don't know, because they won't talk to me. So clearly, that was all about child abuse and child pornography investigations. So far this sort of international hacking, as far as we know, as far as I know, has only been used for those sorts of investigations. But as for the future, with the Rule 41 changes we could presumably see it go to other types of investigations, maybe Darkweb drug markets. Plenty of these markets have dedicated vendor-only sections that you can only log in to if you are a drug dealer on the site. I mean here, this isn't from an NIT or a malware investigation.
This is when Carnegie Mellon University attacked the Tor network, obtained IP addresses, and then gave those – well, was subpoenaed for those and gave them – to the FBI. But the key part is that in this search warrant it's saying: "Hey look, there's probable cause because this suspect was logging in to the drug-dealer-only section of Silk Road 2.0, so we have reason to raid his house". I can easily see this sort of section being in a malware warrant or an NIT warrant as well. And then I suppose the other more obvious example – if that hasn't happened already – is putting a piece of malware on a jihadi forum to hack suspects internationally. Maybe in administrator or moderator sections, so you know you're going to be targeting high-ranking members of the forum. I mean, I personally don't know if that would be the FBI or another agency doing that. But that's clearly somewhere where malware can be useful in an international context. But apart from predicting where this might go, I mean, clearly this is going to continue; just a few weeks ago there was a Firefox zero-day out in the wild. My colleague Lorenzo and I tracked it back to a specific child porn site on the Darkweb where that zero-day had been deployed. So this is an active thing. This is still going on. And that's it. But just a last thing: if you have any documents, data, information, tips on FBI malware, law enforcement malware, who is using it, who is buying it, how they're using it – these are my various contact channels. Thanks a lot!

[applause]

Herald: Thank you, Joseph. Thank you. Any questions from the audience? Oh, we got one on [microphone] 4.

Question: Thanks for the talk. Really nice. Quick question: you've presented some pretty illegal things, on both sides. On child pornography, and all of those things. And on the law enforcers' side. Now my question is, did you intentionally mention those really illegal aspects like child pornography to justify the actions of the FBI in any way?
Joseph: You mean, did I specifically speak about child pornography to justify the FBI's actions?

Question: Yes.

Joseph: No. This is just... I mean, child pornography and child sexual exploitation is where law enforcement are using the really cool stuff. This is where they're using their Tor Browser exploits. This is where they're using their Firefox zero-days. And I'm just attracted to where the cops are doing interesting things. So if it was on drug markets I'd cover that as well. But at the moment, at least to my knowledge, it's just localized to the child pornography investigations. Presumably because law enforcement feel that not many people are going to argue with them about maybe doing an illegal search for child porn, because everybody finds that crime abhorrent. But no, that's just how it is at the moment.

Question: Okay, let me rephrase that. Do you feel it's justified for them to use exploits?

Joseph: Do I feel it's justified for them to use exploits? I don't think there's anything intrinsically wrong with law enforcement hacking. But even though child pornography is an absolutely disgusting crime, and obviously I can't find any way to justify it, I also want law enforcement to follow the law. And to respect the law as well.

[applause]

Question: Thank you.

[ongoing applause]

Herald: Any other questions? Anybody from IRC? The (?) on 5, go ahead.

Question: Well, I wanted to ask probably the same question, whether it's dubious from the moral point of view? And you already answered it. You don't see it as dubious, as I understand, right? As the legislation can be questioned and should be rearranged, there is not much ethical discussion whether this should be done or not. But while you were on the topic for a while: do you have any other proposals how to resolve this issue, maybe? Technically, from the technical point of view.

Joseph: Sure. So I mean, just before I answer that I just want to make clear that I'm a journalist, not an activist or a technologist.
I don't think it would be right for me to say this is how we should combat this. I'm just saying, hey, that's what the FBI did. That sort of thing. But to answer the question, I think Mozilla and Tor have been working on a way to stop this sort of de-anonymization attack, so that when the FBI would hit a computer with their exploits and then the NIT code would deploy, that's not enough. I really can't remember the technical details off the top of my head (?), but there is an article online that I wrote. But then they would have to break out of the sandbox as well. But more to answer your question generally: there are technological solutions that people are making here. And they could be live pretty soon. But then what is the FBI going to do after that? They're not going to stop making malware. They're going to... they'll deploy an NIT that will then rummage through your computer and find incriminating documents and then phone home. If they can't get your real IP address they're going to get evidence somehow.

Herald: No. 1 was up next.

Question: Hi Joseph. In your background research on law enforcement using technology like this to target child porn sites, so you profiled the FBI on how they may have (?)(?) around some of the letter of the law in order to get done the job they needed to get done. Are there other law enforcement agencies you found that are kind of like a gold standard in their approach to solving this problem, that abide by the rules, and maybe solve this problem in a different way?

Joseph: When you say... so the question was, are there other law enforcement agencies who may be better or at the same sort of standard (?) as the FBI at this problem. When you say "this problem" you mean "combating child porn on the Darkweb"?

Question: Yeah, clearly something needs to be done about these sites. And there's a limited number of options available. So the FBI has kind of busted out (?) in trying every single piece of technology they can to solve it.
But are there others that maybe take a more restrained approach but still solve the problem?

Joseph: When it specifically comes to malware I haven't seen much in the wild or publicly, but in the U.K., GCHQ, the country's signals intelligence agency, has said, or a report said, it is using bulk interception, so GCHQ's mass surveillance capabilities, to do traffic correlation attacks, and they can then unmask Darkweb users and hidden service IP addresses. That's not malware, but that is an extreme use of technological capability, I guess. And yeah, we could definitely see more of that. I think in the report the Home Office said GCHQ had got something like 50 individuals in the past 18 months through bulk traffic analysis. That's not malware, but yeah, that's where stuff could go, definitely.

Question: Cool. Thanks.

Herald: I'll give you one last question, it will be number 4, over here.

Question: Hi, I was wondering, because you mentioned bulk analysis, which I consider to be significantly worse than targeted analysis, in the way that it violates everybody's liberties rather than those of specific individuals who are definitely engaging in criminal activity. So why is it you feel that there's some kind of violation? Like, these people, they need to find these criminals, and the jurisdiction needs to be significantly wider, and I understand that it's terrible that they're hacking us. But at the same time they need to be caught. So how can they make legislation that's able to find these people legally when it's outside of their jurisdiction, and they might be targeting people, if they're doing a dragnet on a website, like your example? And they're going to be hacking people that are not in their country. They can't limit it to the people that are in that country and only hack those people. It's technically impossible. So what's the solution for this?

Joseph: I mean, some senators in the U.S. did propose a Stop Mass Hacking Act which would have blocked the Rule 41 changes.
It was unsuccessful, and in part – this is just my personal opinion – I think it's because they didn't present a viable alternative. I mean, as you say, these people need to be caught, that sort of thing, but when these senators said: "Yeah, we need to stop all this global hacking", there was no alternative presented, so we don't know, basically. As for legislative changes, I think it's less "Hey, here's a concrete law or rule that we need to fix right now", it's more like there's a looming issue of "What happens when the FBI hacks a child pornographer in Russia, or one who happens to be a politician in another country?" Are they still going to go to local law enforcement, "Hey, we got this IP address of one of your senior politicians who happens to be looking at child porn"? I mean, what are the ramifications of that going to be? But to answer your question: we don't really know. It's more just this looming issue that law enforcement are firing malware and asking questions later.

Herald: Thank you so much. Could we get a round of applause for Joseph Cox!

[applause]

[postroll music]

Subtitles created by c3subtitles.de in the year 2017. Join, and help us!