WEBVTT

00:00:00.000 --> 00:00:14.490
33C3 preroll music

00:00:14.490 --> 00:00:18.480
Herald: The talk is gonna be called “Law Enforcement Are Hacking the Planet”

00:00:18.480 --> 00:00:24.270
by Joseph Cox. Joseph is an investigative journalist for Vice’s Motherboard,

00:00:24.270 --> 00:00:28.050
covering hackers, data breaches and digital security. When I went

00:00:28.050 --> 00:00:32.890
to check him out and looked at his Twitter account I discovered I already follow him.

00:00:32.890 --> 00:00:36.320
Which is funny, or it was for me a little anecdote about the modern world.

00:00:36.320 --> 00:00:41.219
I recognized his avatar immediately but not his name.

00:00:41.219 --> 00:00:44.500
I guess that's just something about how we live these days.

00:00:44.500 --> 00:00:50.010
So then with no further ado, Joseph, I’d like to give it over to you.

00:00:50.010 --> 00:00:56.740
applause

00:00:56.740 --> 00:01:00.590
Joseph Cox: Hello, hello hello.

00:01:00.590 --> 00:01:05.680
How would you react if the FBI came over from the United States,

00:01:05.680 --> 00:01:11.600
came into Germany, went to an apartment in, say, Hamburg, kicked down the door

00:01:11.600 --> 00:01:15.490
and then started searching the apartment?

00:01:15.490 --> 00:01:18.679
They haven’t been invited by German law enforcement,

00:01:18.679 --> 00:01:24.289
they’re acting on their own accord. They then seize a load of evidence

00:01:24.289 --> 00:01:26.979
and go back to the States.

00:01:26.979 --> 00:01:32.310
You might think this isn’t a great thing, I mean what does the FBI have to do

00:01:32.310 --> 00:01:35.360
coming in to another country and then

00:01:35.360 --> 00:01:39.479
searching buildings or arresting suspects?

00:01:39.479 --> 00:01:43.500
But the searching is essentially what the FBI is doing, but digitally

00:01:43.500 --> 00:01:49.180
with malware and hacking tools.
Breaching into computers in other countries,

00:01:49.180 --> 00:01:51.800
extracting evidence from them and then sending them back to

00:01:51.800 --> 00:01:56.290
a government server in Virginia, or wherever it may be.

00:01:56.290 --> 00:02:00.649
To be clear, we’re not talking about a normal intelligence agency here

00:02:00.649 --> 00:02:04.789
like the NSA or GCHQ. They’re gonna hack computers internationally

00:02:04.789 --> 00:02:10.090
all the time as part of espionage, we expect that, maybe that’s a good thing.

00:02:10.090 --> 00:02:14.720
Here we’re talking about an agency that’s predominantly

00:02:14.720 --> 00:02:20.030
focused on law enforcement, hacking into computers in other countries

00:02:20.030 --> 00:02:25.779
as part of criminal investigations.

00:02:25.779 --> 00:02:31.900
I’m gonna talk about one FBI case in particular, briefly touch upon another one

00:02:31.900 --> 00:02:36.209
and then just explain an operation that was led by local Australian

00:02:36.209 --> 00:02:41.799
law enforcement which hacked computers in the United States.

00:02:41.799 --> 00:02:46.659
At the moment, typically, these sorts of investigations are done to counter

00:02:46.659 --> 00:02:53.409
child sexual exploitation or child abuse on the Darkweb.

00:02:53.409 --> 00:02:57.370
Just about me, briefly: Journalist for Motherboard as mentioned,

00:02:57.370 --> 00:03:03.090
which is the Technology and Science part of Vice. Hackers, cybercrime,

00:03:03.090 --> 00:03:08.310
the Darkweb drug trades or stuff like Silk Road or the usual stuff.

00:03:08.310 --> 00:03:12.269
But for the past year I’ve been really interested in law enforcement’s

00:03:12.269 --> 00:03:17.519
international use of malware. Which brings us to

00:03:17.519 --> 00:03:21.120
“Operation Pacifier”. The FBI is not very good at naming

00:03:21.120 --> 00:03:26.720
its child sexual exploitation investigations.
00:03:26.720 --> 00:03:33.010
So in August 2014 a new Darkweb child abuse site was launched, called “Playpen”.

00:03:33.010 --> 00:03:36.139
It was a Tor hidden service, meaning that the majority of people

00:03:36.139 --> 00:03:40.749
who connect to it would do so over the Tor anonymity network,

00:03:40.749 --> 00:03:47.040
masking their real IP address. But because it ran as a hidden service

00:03:47.040 --> 00:03:51.029
the physical location of the server itself was also protected.

00:03:51.029 --> 00:03:55.519
Meaning that the FBI couldn’t just go and immediately subpoena the hosting company

00:03:55.519 --> 00:04:00.239
or seize the server, whatever it may be, because they didn’t know where it was.

00:04:00.239 --> 00:04:05.170
A few months passed and Playpen is a really, really big deal. It’s the largest

00:04:05.170 --> 00:04:10.780
child pornography site on the Darkweb. 215.000 members,

00:04:10.780 --> 00:04:17.879
117.000 posts, and an average of 11.000 unique people

00:04:17.879 --> 00:04:22.108
were visiting every week.

00:04:22.108 --> 00:04:25.850
The FBI was trying to find a way in, they were acting in an undercover capacity

00:04:25.850 --> 00:04:30.560
on the site as law enforcement often do with these sorts of hidden services.

00:04:30.560 --> 00:04:36.430
But at one point a foreign law enforcement agency, and we don’t know which one,

00:04:36.430 --> 00:04:42.250
provided the real IP address of the Playpen server to the FBI.

00:04:42.250 --> 00:04:46.950
It turned out that Playpen’s administrator who’s now been convicted, Steven Chase,

00:04:46.950 --> 00:04:51.750
he’d misconfigured his server so the real IP address was exposed

00:04:51.750 --> 00:04:55.700
on the normal internet. So in February 2015

00:04:55.700 --> 00:04:59.320
the FBI go to the North Carolina data centre, they seize the server

00:04:59.320 --> 00:05:02.540
and they take control of Playpen.
00:05:02.540 --> 00:05:05.420
Just as a side note: Steven Chase, the administrator,

00:05:05.420 --> 00:05:10.840
he had paid for the hosting via a Paypal account in his own name.

00:05:10.840 --> 00:05:14.650
So it was incredibly easy to convict him. If you’re gonna run

00:05:14.650 --> 00:05:19.030
an illegal Tor hidden service, don’t use Paypal!

00:05:19.030 --> 00:05:23.320
And this is where the hacking comes in.

00:05:23.320 --> 00:05:27.940
Even though the FBI is in control of the site – they can see what people are doing,

00:05:27.940 --> 00:05:30.980
what videos they’re watching, as mentioned – they can’t see

00:05:30.980 --> 00:05:34.260
where these people are coming from and they can’t identify them.

00:05:34.260 --> 00:05:37.420
So they need another way, and what they decided to do

00:05:37.420 --> 00:05:42.520
is hack the computers of individual users.

00:05:42.520 --> 00:05:45.650
Very, very shortly after the FBI seized the server they started to run it

00:05:45.650 --> 00:05:50.680
from a government facility in Virginia. So the site is fully functioning,

00:05:50.680 --> 00:05:55.000
except one section that encourages people

00:05:55.000 --> 00:05:58.860
to produce more child porn. It’s still a fully functional website, though.

00:05:58.860 --> 00:06:04.140
They run that and the FBI deploys what it calls a “Network Investigative Technique”,

00:06:04.140 --> 00:06:10.060
an NIT or nit or what we would probably just call “a piece of malware”.

00:06:10.060 --> 00:06:15.910
In short, and this is a really, really basic overview, the nit just did several things.

00:06:15.910 --> 00:06:20.490
First somebody would log in to Playpen and then go visit a specific

00:06:20.490 --> 00:06:24.870
child porn related forum. The exploit is then automatically

00:06:24.870 --> 00:06:29.150
delivered to that computer. This exploit certainly affected…

00:06:29.150 --> 00:06:32.650
and the underlying vulnerability certainly affected the Tor browser.
00:06:32.650 --> 00:06:38.622
We don’t know if it affected Mozilla Firefox. As many of you will know,

00:06:38.622 --> 00:06:42.330
Tor browsers are often based on Firefox, and they share much of the same code base.

00:06:42.330 --> 00:06:45.230
But we don’t actually know much about the vulnerability

00:06:45.230 --> 00:06:49.820
or the exploit at all. All that we know is that they used

00:06:49.820 --> 00:06:55.390
a non-publicly known vulnerability.

00:06:55.390 --> 00:06:59.910
And then when the exploit is delivered the rest of the code causes the target machine

00:06:59.910 --> 00:07:04.470
to phone home outside of the Tor network to a government server, and now the FBI

00:07:04.470 --> 00:07:08.080
has a real IP address.

00:07:08.080 --> 00:07:14.500
Armed with that the FBI just goes to the ISP, Comcast, Verizon, gets a name,

00:07:14.500 --> 00:07:18.960
subscriber details and address, kicks down a door, arrests the person

00:07:18.960 --> 00:07:22.630
– if there’s enough evidence – and presumably, and in many many of the cases

00:07:22.630 --> 00:07:28.470
if not all of them, finds a lot of child porn on the suspect’s machine.

00:07:28.470 --> 00:07:33.450
But that’s not everything the FBI collected with a nit,

00:07:33.450 --> 00:07:38.520
it also got the username, the host name, the MAC address.

00:07:38.520 --> 00:07:42.750
And it also generated a unique code per unique infection, I think

00:07:42.750 --> 00:07:49.710
that you could then use to correlate activity on the site with an IP address.

00:07:49.710 --> 00:07:54.340
And just remember this whole time the FBI could see what people

00:07:54.340 --> 00:07:59.540
were doing on the site, so “user Jimmy went onto this section of the site

00:07:59.540 --> 00:08:02.830
and looked at this thread, now we have his IP address,

00:08:02.830 --> 00:08:07.700
we can link it to that”.

00:08:07.700 --> 00:08:11.890
So the FBI deploys its malware,

00:08:11.890 --> 00:08:15.810
for 13 days it runs the site.
Over that amount of time,

00:08:15.810 --> 00:08:19.330
100.000 users log into Playpen, which as you’ll notice

00:08:19.330 --> 00:08:23.490
is a lot more than 11.000, which was apparently the average login rate.

00:08:23.490 --> 00:08:30.420
For some reason the site became a lot more popular when the FBI was running it.

00:08:30.420 --> 00:08:33.309
You can hear whatever you want from that. (?)

00:08:33.309 --> 00:08:40.250
So in the U.S. the FBI gets around 1300 IP addresses of U.S. users of the site.

00:08:40.250 --> 00:08:45.770
Europol say they generated 3229 cases

00:08:45.770 --> 00:08:49.570
– I haven’t highlighted it, but it’s in the middle column at the bottom –

00:08:49.570 --> 00:08:54.430
and 34 of those were in Denmark. This is a presentation I just found online

00:08:54.430 --> 00:08:57.069
when I found out it was called “Pacifier”.

00:08:57.069 --> 00:09:01.161
I searched that, filetype:pdf and someone from law enforcement had

00:09:01.161 --> 00:09:05.909
left this online, so that was convenient. laughter

00:09:05.909 --> 00:09:08.599
Austria, staying with this part of the world,

00:09:08.599 --> 00:09:12.819
I think this is a letter from an MP to a group of politicians

00:09:12.819 --> 00:09:16.259
just talking about the country’s child porn investigations

00:09:16.259 --> 00:09:21.810
and it mentions Operation Pacifier and 50 IP addresses so the FBI hacked

00:09:21.810 --> 00:09:27.180
at least 50 computers in Austria. Latin America as well.

00:09:27.180 --> 00:09:29.910
Again, this is another presentation that I found online,

00:09:29.910 --> 00:09:32.480
law enforcement are really, really sloppy

00:09:32.480 --> 00:09:35.889
with just leaving all this stuff online, which is great.

00:09:35.889 --> 00:09:40.750
And you can just see Operation Pacifier there.
As for Chile it was

00:09:40.750 --> 00:09:46.140
local media reports that just said ‘Pacifier’, ‘Playpen’, ‘child porn arrests’

00:09:46.140 --> 00:09:52.279
so it was pretty easy to infer that computers were hacked there as well.

00:09:52.279 --> 00:09:56.529
Australia – this is part of a freedom of information request

00:09:56.529 --> 00:10:02.399
I made with the Australian federal police, asking for documents and communications

00:10:02.399 --> 00:10:07.240
about Operation Pacifier. This isn’t actually the result of the request,

00:10:07.240 --> 00:10:09.810
this is them saying “Hey, we have too much stuff on Operation Pacifier,

00:10:09.810 --> 00:10:13.630
so we can’t give it to you” which obviously already gave me

00:10:13.630 --> 00:10:18.669
enough information to confirm that Pacifier hit Australia as well.

00:10:18.669 --> 00:10:21.379
Anyway, you get the idea. I’m not just gonna list all these countries

00:10:21.379 --> 00:10:26.790
apart from them. The U.K. and Turkey were probably hacked as well.

00:10:26.790 --> 00:10:32.209
But it turns out the FBI hacked computers in many, many more countries.

00:10:32.209 --> 00:10:35.859
And this just came out end of last month, I think.

00:10:35.859 --> 00:10:43.790
In total the FBI hacked 8.700 computers in 120 countries.

00:10:43.790 --> 00:10:49.740
8.700 in 120 countries with one warrant.

00:10:49.740 --> 00:10:52.699
And arguably that warrant was illegal.

00:10:52.699 --> 00:10:56.970
But we have to back up a little bit, just to see what that is.

00:10:56.970 --> 00:11:01.389
Right, okay. So the U.S. has something called Rule 41,

00:11:01.389 --> 00:11:05.290
which dictates when a judge can authorize searches

00:11:05.290 --> 00:11:08.859
including remote searches, so hacking.

00:11:08.859 --> 00:11:13.269
A judge can only authorize a search within his or her own district.
00:11:13.269 --> 00:11:16.330
So if the judge is in the western district of Washington,

00:11:16.330 --> 00:11:19.350
he or she can only sign a warrant that’s gonna search stuff

00:11:19.350 --> 00:11:24.270
within that district. With a few exceptions. I think, terrorism,

00:11:24.270 --> 00:11:27.949
and if there’s a tracking device and then the person moves out of state

00:11:27.949 --> 00:11:32.319
it’s still okay. In the case of Playpen,

00:11:32.319 --> 00:11:35.970
Judge Theresa Buchanan was in the Eastern district of Virginia,

00:11:35.970 --> 00:11:41.740
as you can see at the top. Clearly, the vast majority of computers

00:11:41.740 --> 00:11:46.519
were not in the Eastern district of Virginia.

00:11:46.519 --> 00:11:50.240
The search warrant application, which is that document that the FBI presents

00:11:50.240 --> 00:11:54.149
to a judge, and says “Here’s our reasons, please sign our search warrant!”,

00:11:54.149 --> 00:11:59.029
it said that what was gonna be searched was computers logging into Playpen,

00:11:59.029 --> 00:12:04.630
wherever located. It’s pretty debatable how explicit that is.

00:12:04.630 --> 00:12:09.860
I mean, the FBI did not write “Hey we’re gonna hack into computers no matter

00:12:09.860 --> 00:12:12.880
what state they’re in, what country they’re in, anything like that, and

00:12:12.880 --> 00:12:16.430
we’re gonna hack into them”. The word ‘hack’ is obviously never ever used in the

00:12:16.430 --> 00:12:21.399
search warrant application. So with that in mind it’s kind of unclear

00:12:21.399 --> 00:12:26.369
if Judge Theresa Buchanan would have actually understood that she was signing

00:12:26.369 --> 00:12:32.779
a global hacking warrant. And this isn’t castigating the judge, at all. It’s more

00:12:32.779 --> 00:12:38.220
that these warrant applications aren’t very explicit. And it’s still unclear

00:12:38.220 --> 00:12:47.690
because Judge Buchanan won’t respond to my requests for comment.
00:12:47.690 --> 00:12:54.160
So whether Operation Pacifier violated Rule 41 has probably been the central

00:12:54.160 --> 00:12:59.769
component of all the legal cases that came out after the FBI started busting people.

00:12:59.769 --> 00:13:03.360
Defense lawyers have brought it up, saying “Hey, this judge did not have authority,

00:13:03.360 --> 00:13:06.959
you now need to throw out all the evidence against my client”.

00:13:06.959 --> 00:13:11.509
According to the most recent figures, and this might be very, very slightly out-of-date,

00:13:11.509 --> 00:13:18.890
21 decisions have found the operation did violate Rule 41. Out of those,

00:13:18.890 --> 00:13:23.399
judges in four cases have thrown out all evidence obtained by the FBI’s malware.

00:13:23.399 --> 00:13:27.410
So that obviously includes the main bit of evidence, which is the IP address,

00:13:27.410 --> 00:13:31.040
but then also everything that came after that. I mean the only reason the FBI

00:13:31.040 --> 00:13:34.730
found child porn on people’s devices is because the IP address led them there.

00:13:34.730 --> 00:13:38.749
So all of that child porn is also struck from the record as well.

00:13:38.749 --> 00:13:49.070
And those people are essentially free, bar DOJ appeals which are ongoing.

00:13:49.070 --> 00:13:54.600
Whether people based outside the United States will have a similar sort of defense

00:13:54.600 --> 00:13:59.119
is kind of unclear at the moment. The IP address could fall under something

00:13:59.119 --> 00:14:05.550
like the Third-Party Doctrine, as in: if there’s a German suspect,

00:14:05.550 --> 00:14:10.329
and they tried to challenge the legality of the search the German police may say:

00:14:10.329 --> 00:14:13.120
“Hey, look, we didn’t do the hacking, we just got given this IP address

00:14:13.120 --> 00:14:19.600
by a third party”. And then the defense might not have much to stand on.
00:14:19.600 --> 00:14:25.200
But I do know of one lawyer in a country outside the U.S. who is going to challenge

00:14:25.200 --> 00:14:29.220
the legality of that hacking operation. I can’t really say where he is right now

00:14:29.220 --> 00:14:34.089
because I think that’s still sourcing out (?) but that’s gonna be really, really interesting

00:14:34.089 --> 00:14:39.089
when that happens, hopefully in the new year. So forget everything I just told you

00:14:39.089 --> 00:14:43.749
about Rule 41 because it doesn’t matter any more. Earlier this month changes

00:14:43.749 --> 00:14:49.930
to Rule 41 came into place. Meaning that judges now can authorize searches

00:14:49.930 --> 00:14:56.149
outside of their district. So if the Playpen warrant was signed today it probably

00:14:56.149 --> 00:14:59.110
would not violate Rule 41, and the FBI wouldn’t have done anything wrong.

00:14:59.110 --> 00:15:04.360
Or the DOJ wouldn’t have done anything wrong. And I just wanna emphasize that

00:15:04.360 --> 00:15:09.940
these changes to Rule 41 came about in part, specifically because of

00:15:09.940 --> 00:15:14.060
the problem that anonymity networks and Tor present to law enforcement.

00:15:14.060 --> 00:15:18.399
It’s not like Operation Pacifier was over here, FBI doing its thing, and the DOJ

00:15:18.399 --> 00:15:24.079
was sorting out these Rule 41 changes. The changes have come specifically in response

00:15:24.079 --> 00:15:30.539
to criminal investigations on the so-called “Darkweb”.

00:15:30.539 --> 00:15:35.269
And that’s just this Department quote here: “We believe technology should

00:15:35.269 --> 00:15:39.660
not create a lawless zone merely because a procedural rule has not kept up

00:15:39.660 --> 00:15:45.200
with the times”. Their argument is that Rule 41 is basically an antique,

00:15:45.200 --> 00:15:48.829
and they need to change the rules to keep up with criminals that are using stuff

00:15:48.829 --> 00:15:53.819
like Tor or VPNs.
So that was Pacifier.

00:15:53.819 --> 00:15:58.769
That’s the largest law enforcement hacking operation to date that we know about.

00:15:58.769 --> 00:16:02.220
Just very, very briefly I’m gonna talk about another FBI one where they likely

00:16:02.220 --> 00:16:07.089
hacked into computers abroad. This one is called “Torpedo” which is even worse

00:16:07.089 --> 00:16:12.480
than Operation Pacifier when it comes to child porn names.

00:16:12.480 --> 00:16:17.300
In 2012 or 2013 the FBI take over Freedom Hosting which is

00:16:17.300 --> 00:16:22.970
sort of a turnkey hosting provider. You sign up to the service

00:16:22.970 --> 00:16:27.939
that hosts your Darkweb site. It doesn’t matter if it’s legal or not, whatever.

00:16:27.939 --> 00:16:33.149
The FBI seizes it, they deploy an NIT again, a piece of malware.

00:16:33.149 --> 00:16:41.699
And this time the FBI is trying (?) to identify users of 23 different child pornography sites.

00:16:41.699 --> 00:16:44.920
In the warrant application there’s a section specifically about

00:16:44.920 --> 00:16:49.369
a Hungarian language site. I mean even the FBI officer

00:16:49.369 --> 00:16:53.509
– I think it’s the FBI writing it – says: “Oh, if you put this into Google Translate

00:16:53.509 --> 00:16:59.939
it means this, it’s Hungarian, blablabla”. As I mentioned in the Playpen example

00:16:59.939 --> 00:17:03.370
the FBI did not know where the computers that they were going to hack

00:17:03.370 --> 00:17:07.410
were located. This is an interesting case because I’m going to guess

00:17:07.410 --> 00:17:13.220
that a lot of the users of a Hungarian language site are probably in Hungary.

00:17:13.220 --> 00:17:16.760
So the FBI might have had some idea that they were gonna hack computers there.

00:17:16.760 --> 00:17:20.659
Did the FBI warn Hungarian law enforcement? Did they get permission

00:17:20.659 --> 00:17:24.400
of the Hungarian authorities to hack computers in their country?
00:17:24.400 --> 00:17:30.519
We don’t know yet. And I somehow doubt it.

00:17:30.519 --> 00:17:36.829
And then just finally it’s – excuse me – it’s not just the FBI

00:17:36.829 --> 00:17:40.419
that’s using hacking tools to target suspects overseas.

00:17:40.419 --> 00:17:45.120
A local Australian police department, Queensland Police,

00:17:45.120 --> 00:17:49.510
has a specialized task force for child sexual exploitation,

00:17:49.510 --> 00:17:52.529
Taskforce Argos.

00:17:52.529 --> 00:17:56.750
And they were the ones that led this operation. There wasn’t any sort of

00:17:56.750 --> 00:18:00.740
an official statement from Queensland Police saying: “Hey look, we unmasked

00:18:00.740 --> 00:18:05.860
all of these criminals in the U.S.”. It was only by piecing together

00:18:05.860 --> 00:18:11.760
pretty spread-out (?) U.S. court documents that I could map the contours of this

00:18:11.760 --> 00:18:15.830
hacking operation that everyone kind of wants to keep quiet about.

00:18:15.830 --> 00:18:21.520
So in 2014 Taskforce Argos take over another Darkweb child porn site

00:18:21.520 --> 00:18:28.640
called ‘The Love Zone’. They run it – not for 13 days like the FBI but for 6 months,

00:18:28.640 --> 00:18:34.760
posing as the site’s administrator who they’d already arrested.

00:18:34.760 --> 00:18:39.279
According to one document – not this one – the Australians obtained at least

00:18:39.279 --> 00:18:45.490
30 IP addresses of U.S. based users of the site. I don’t know

00:18:45.490 --> 00:18:48.419
about other countries yet, it’s only through these U.S. court documents

00:18:48.419 --> 00:18:54.100
that we’ve been able to figure this out. And the way they did it was

00:18:54.100 --> 00:18:57.779
pretty different to the FBI. What they would do is they would send a link

00:18:57.779 --> 00:19:05.350
to a suspect, for a video file.
The suspect would click the link,

00:19:05.350 --> 00:19:09.919
they would get a warning, saying: “Warning, you’re opening a file on an external site,

00:19:09.919 --> 00:19:14.110
do you want to continue?” Something to that effect. If the person ignored

00:19:14.110 --> 00:19:19.240
the warning and clicked “Yes” a video of real child pornography

00:19:19.240 --> 00:19:22.590
played on the suspect’s machine, and then that video phoned home

00:19:22.590 --> 00:19:28.539
to an Australian server. I mean, you can debate whether this is hacking or not.

00:19:28.539 --> 00:19:34.130
I mean the FBI weren’t clearly delivering a Tor browser exploit with malware etc.

00:19:34.130 --> 00:19:38.380
Is this hacking? I would say so. If we think that phishing for government e-mails

00:19:38.380 --> 00:19:43.740
is hacking – sure. But that’s kind of the trivial debate, anyway. The real debate

00:19:43.740 --> 00:19:49.240
is: was this a search in the legal sense of the word? Did the Australians obtain

00:19:49.240 --> 00:19:54.429
information from a private place, namely a private computer, in a private residence,

00:19:54.429 --> 00:19:58.299
and did they get a search warrant to do that? And again, we don’t know,

00:19:58.299 --> 00:20:03.550
because they won’t talk to me.

00:20:03.550 --> 00:20:08.590
So clearly, that was all about child abuse and child pornography investigations.

00:20:08.590 --> 00:20:13.190
So far this sort of international hacking, as far as we know, as far as I know,

00:20:13.190 --> 00:20:18.149
has only been used for those sorts of investigations. But as for the future

00:20:18.149 --> 00:20:25.100
with Rule 41, the changes there, we could presumably see it go to other types

00:20:25.100 --> 00:20:30.399
of investigations, maybe Darkweb drug markets. Plenty of these markets have

00:20:30.399 --> 00:20:35.159
dedicated vendor-only sections that you can only log in to if you are a drug dealer

00:20:35.159 --> 00:20:41.090
on the site.
I mean here, this isn’t from an NIT or a malware investigation.

00:20:41.090 --> 00:20:45.300
This is when Carnegie Mellon University attacked the Tor network, obtained

00:20:45.300 --> 00:20:49.360
IP addresses, and then gave those – well, was subpoenaed for those and gave them

00:20:49.360 --> 00:20:55.490
to the FBI. But the key part is that in this search warrant it’s saying: “Hey look,

00:20:55.490 --> 00:20:58.370
there’s probable cause because this suspect was logging in to the

00:20:58.370 --> 00:21:03.570
drug dealer-only section of Silk Road 2.0 so we have reason to raid his house”.

00:21:03.570 --> 00:21:07.890
I can easily see this sort of section being in a malware warrant or an NIT

00:21:07.890 --> 00:21:14.240
warrant, as well. And then I suppose the other more obvious example

00:21:14.240 --> 00:21:18.529
– if that hasn’t happened already – is putting a piece of malware to hack

00:21:18.529 --> 00:21:23.440
suspects internationally on a Jihadi forum. Maybe in administrator or moderator

00:21:23.440 --> 00:21:28.549
sections, so you know you’re gonna be targeting high-ranking members of the forum.

00:21:28.549 --> 00:21:31.330
I mean I personally don’t know if that would be the FBI or another agency

00:21:31.330 --> 00:21:35.530
doing that. But that’s clearly somewhere where malware can be useful

00:21:35.530 --> 00:21:42.510
in an international context. But apart from predicting where this might go, I mean,

00:21:42.510 --> 00:21:47.330
clearly this is gonna continue, just a few weeks ago there was a Firefox zeroday

00:21:47.330 --> 00:21:52.720
out in the wild. Me and my colleague Lorenzo tracked it back to a specific

00:21:52.720 --> 00:21:57.020
child porn site on the Darkweb where that 0-day had been deployed.

00:21:57.020 --> 00:22:02.010
So this is an active thing. This is still going on.

00:22:02.010 --> 00:22:07.399
And that’s it.
But… just a last thing: if you have any documents, data,

00:22:07.399 --> 00:22:12.460
information, tips on FBI malware, law enforcement malware, who is using it,

00:22:12.460 --> 00:22:17.609
who is buying it, how they’re using it – these are my various contact channels.

00:22:17.609 --> 00:22:19.070
Thanks a lot! applause

00:22:19.070 --> 00:22:29.580
ongoing applause

00:22:29.580 --> 00:22:35.450
Herald: Thank you, Joseph. Thank you.

00:22:35.450 --> 00:22:41.890
Any questions from the audience?

00:22:41.890 --> 00:22:45.599
Oh, we got one on [microphone] 4.

00:22:45.599 --> 00:22:49.480
Question: Thanks for the talk. Really nice. Quick question,

00:22:49.480 --> 00:22:54.360
you’ve presented some pretty illegal things.

00:22:54.360 --> 00:22:59.480
On both sides. On child pornography,

00:22:59.480 --> 00:23:03.520
and all of those things. And on the law enforcer’s side.

00:23:03.520 --> 00:23:09.720
Now my question is, did you intentionally mention those really illegal aspects

00:23:09.720 --> 00:23:16.310
like child pornography to justify the actions of the FBI in any way?

00:23:16.310 --> 00:23:19.830
Joseph: You mean, did I specifically speak about child pornography

00:23:19.830 --> 00:23:22.370
to justify the FBI’s actions?
Question: Yes.

00:23:22.370 --> 00:23:28.080
Joseph: No. This is just… I mean child pornography and child sexual exploitation

00:23:28.080 --> 00:23:32.449
is where law enforcement are using the really cool stuff. This is where they’re

00:23:32.449 --> 00:23:37.219
using their Tor Browser exploits. This is where they’re using their Firefox zerodays.

00:23:37.219 --> 00:23:41.330
And I’m just attracted to where the cops are doing interesting things.

00:23:41.330 --> 00:23:47.220
So, if it was on drug markets I’d cover that as well. But at the moment,

00:23:47.220 --> 00:23:52.190
at least to my knowledge, it’s just localized to the child pornography

00:23:52.190 --> 00:23:55.730
investigations.
Presumably, because law enforcement feel like not many people

00:23:55.730 --> 00:23:59.620
are going to argue with them about maybe doing an illegal search for child porn

00:23:59.620 --> 00:24:03.889
because everybody finds that crime abhorrent. But, no, that’s just

00:24:03.889 --> 00:24:05.179
how it is at the moment.

00:24:05.179 --> 00:24:08.840
Question: Okay, let me rephrase that. Do you feel it’s justified for them

00:24:08.840 --> 00:24:10.999
to use exploits?

00:24:10.999 --> 00:24:13.429
Joseph: Do I feel it’s justified for them to use exploits? I don’t think

00:24:13.429 --> 00:24:19.400
there’s anything intrinsically wrong with law enforcement hacking.

00:24:19.400 --> 00:24:24.549
But even though child pornography is an absolutely disgusting crime

00:24:24.549 --> 00:24:29.110
and I can’t find, obviously, any way to justify it, I also want law enforcement

00:24:29.110 --> 00:24:32.419
to follow the law. And to respect the law as well.

00:24:32.419 --> 00:24:37.499
applause

00:24:37.499 --> 00:24:43.489
Question: Thank you. ongoing applause

00:24:43.489 --> 00:24:49.779
Herald: Any other questions? Anybody from IRC?

00:24:49.779 --> 00:24:52.779
The (?) on 5, go ahead.

00:24:52.779 --> 00:24:56.560
Question: Well, I wanted to ask probably the same question, whether it’s dubious

00:24:56.560 --> 00:25:00.570
from the moral point of view? And you already answered it.

00:25:00.570 --> 00:25:05.240
You don’t see it as dubious, as I understand, right? As the legislation can be questioned,

00:25:05.240 --> 00:25:11.160
and should be rearranged, there is not much ethical discussion whether this should be

00:25:11.160 --> 00:25:16.070
done or not. But while you were at the topic for a while: do you have any other

00:25:16.070 --> 00:25:20.309
proposals how to resolve this issue, maybe? Technically,

00:25:20.309 --> 00:25:22.159
from the technical point of view.

00:25:22.159 --> 00:25:25.029
Joseph: Sure.
So I mean, just before I answer that I just wanna make clear

00:25:25.029 --> 00:25:30.230
that I’m, like, a journalist, not an activist or a technologist.

00:25:30.230 --> 00:25:34.049
I don’t think it would be right for me to say this is how we should combat this.

00:25:34.049 --> 00:25:38.350
I’m just saying, hey, that’s what the FBI did. That sort of thing.

00:25:38.350 --> 00:25:45.269
But to answer the question, I think Mozilla and Tor have been working

00:25:45.269 --> 00:25:50.539
on a way to stop this sort of de-anonymization attack, that,

00:25:50.539 --> 00:25:55.799
when the FBI would hit a computer with their exploits and then the NIT code

00:25:55.799 --> 00:26:00.690
would deploy, that’s not enough. I really can’t remember the technical details

00:26:00.690 --> 00:26:04.970
off the top (?) of my head, but there is an article online that I wrote.

00:26:04.970 --> 00:26:08.279
But then they would have to break out of the sandbox as well.

00:26:08.279 --> 00:26:11.840
But more to answer your question generally: there are technological solutions

00:26:11.840 --> 00:26:16.800
that people are making here. And they could be live pretty soon. But then

00:26:16.800 --> 00:26:20.200
what is the FBI gonna do after that? They’re not gonna stop making malware.

00:26:20.200 --> 00:26:25.099
They’re gonna… they’ll deploy a nit that will then rummage through your computer

00:26:25.099 --> 00:26:28.629
and find incriminating documents and then phone home. If they can’t get your real

00:26:28.629 --> 00:26:33.980
IP address they’re gonna get evidence somehow.

00:26:33.980 --> 00:26:36.010
Herald: No.1 was up next.

00:26:36.010 --> 00:26:40.779
Question: Hi Joseph. In your background research on law enforcement

00:26:40.779 --> 00:26:45.659
using technology like this to target child porn sites. So you profiled the FBI

00:26:45.659 --> 00:26:49.480
on how they may have (?)(?)
around some of the letter of the law 00:26:49.480 --> 00:26:53.100 in order to get done the job they needed to get done. Are there other law enforcement 00:26:53.100 --> 00:26:57.690 agencies you found that are kind of like a gold standard in their approach 00:26:57.690 --> 00:27:01.831 to solving this problem, that abide by the rules, and maybe 00:27:01.831 --> 00:27:03.810 solve this problem in a different way? 00:27:03.810 --> 00:27:06.900 Joseph: When you say… so the question was, are there other law enforcement 00:27:06.900 --> 00:27:11.530 agencies who may be better or the same sort of standard (?) as the FBI this problem. 00:27:11.530 --> 00:27:15.129 When you say “this problem” you mean “combating child porn on the Darkweb”? 00:27:15.129 --> 00:27:17.890 Question: Yeah, clearly something needs to be done about these sites. And there’s 00:27:17.890 --> 00:27:23.500 a limited number of options available. So the FBI is kind of busted out (?) 00:27:23.500 --> 00:27:26.810 in trying every single piece of technology they can to solve it. But are there others 00:27:26.810 --> 00:27:31.900 that maybe take a more restrained approach but still solve the problem? 00:27:31.900 --> 00:27:37.710 Joseph: When it specifically comes to malware I haven’t seen much 00:27:37.710 --> 00:27:44.450 in the wild or publicly, but in the U.K. GCHQ, the country’s 00:27:44.450 --> 00:27:51.259 signals intelligence agency, has said, or a report said, it is using 00:27:51.259 --> 00:27:57.039 bulk interception, so GCHQ’s mass surveillance capabilities, to do 00:27:57.039 --> 00:28:00.580 traffic correlation attacks, and they can then unmask Darkweb users 00:28:00.580 --> 00:28:05.639 and hidden service IP addresses. That’s not malware but that is 00:28:05.639 --> 00:28:11.450 an extreme use of technological capability, I guess. 00:28:11.450 --> 00:28:17.029 And yeah, we could definitely see more of that.
I think in the report 00:28:17.029 --> 00:28:21.130 the Home Office said the GCHQ had got something like 50 individuals 00:28:21.130 --> 00:28:26.379 in the past 18 months through bulk traffic analysis. That’s not malware, 00:28:26.379 --> 00:28:28.450 but yeah, that’s where stuff could go, definitely. 00:28:28.450 --> 00:28:30.450 Question: Cool. Thanks. 00:28:30.450 --> 00:28:33.680 Herald: I give you one last question, it will be number 4, over here. 00:28:33.680 --> 00:28:38.580 Question: Hi, I was wondering, because you mentioned bulk analysis, which I consider 00:28:38.580 --> 00:28:44.320 to be significantly worse than targeted analysis, in the way that it violates 00:28:44.320 --> 00:28:47.940 everybody’s liberties rather than specific individuals who are definitely engaging 00:28:47.940 --> 00:28:52.779 in criminal activity. 00:28:52.779 --> 00:28:57.419 So why is it you feel that there’s some kind of violation, 00:28:57.419 --> 00:29:02.169 like these people, they need to find these criminals, and the jurisdiction 00:29:02.169 --> 00:29:05.509 needs to be significantly wider, and I understand that it’s terrible 00:29:05.509 --> 00:29:09.280 that they’re hacking us. But at the same time they need to be caught. So how 00:29:09.280 --> 00:29:16.789 can they make legislation that’s able to find these people legally 00:29:16.789 --> 00:29:20.520 when it’s outside of their jurisdiction, and they might be targeting people, 00:29:20.520 --> 00:29:24.759 if they’re doing a dragnet on a website, like your example. And they’re gonna be 00:29:24.759 --> 00:29:27.380 hacking people that are not in their country. They can’t limit it to the people 00:29:27.380 --> 00:29:32.290 that are in that country. And only hack those people. It’s technically impossible. 00:29:32.290 --> 00:29:36.870 So what’s the solution for this?
00:29:36.870 --> 00:29:41.490 Joseph: I mean, some senators in the US did propose a Stop Mass Hacking Act 00:29:41.490 --> 00:29:46.500 which would have blocked the Rule 41 changes. It was unsuccessful, and 00:29:46.500 --> 00:29:50.129 in part – this is just my personal opinion – I think it’s because they 00:29:50.129 --> 00:29:55.470 didn’t present a viable alternative. I mean, as you say, these people 00:29:55.470 --> 00:30:01.140 need to be caught, I mean, that sort of thing, but when these senators said: 00:30:01.140 --> 00:30:05.340 “Yeah, we need to stop all this global hacking” there was no alternative presented, 00:30:05.340 --> 00:30:10.889 so we don’t know, basically. As for legislative changes 00:30:10.889 --> 00:30:16.409 I think it’s more… it’s less the “Hey, here’s a concrete law or rule 00:30:16.409 --> 00:30:21.280 that we need to fix right now”, it’s more like there’s a looming issue of 00:30:21.280 --> 00:30:26.539 “What happens when the FBI hacks a child pornographer in Russia, or one who happens 00:30:26.539 --> 00:30:30.409 to be a politician in another country?” Are they still gonna go, and then go 00:30:30.409 --> 00:30:34.059 to local law enforcement, “Hey, we got this IP address of one of your senior 00:30:34.059 --> 00:30:37.990 politicians who happens to be looking at child porn”. I mean what are the ramifications 00:30:37.990 --> 00:30:42.029 of that gonna be? But to answer your question: we don’t really know. 00:30:42.029 --> 00:30:46.570 It’s more of just this looming issue that law enforcement is firing malware 00:30:46.570 --> 00:30:51.990 and asking questions later. 00:30:51.990 --> 00:30:54.609 Herald: Thank you so much. Give a round of applause for Joseph Cox! 00:30:54.609 --> 00:30:58.999 applause 00:30:58.999 --> 00:31:02.359 postroll music 00:31:02.359 --> 00:31:22.879 Subtitles created by c3subtitles.de in the year 2017. Join, and help us!