-
33C3 preroll music
-
Herald: The talk is gonna be called
“Law Enforcement Are Hacking the Planet”
-
by Joseph Cox. Joseph is an investigative
journalist for Vice’s Motherboard,
-
covering hackers, data breaches
and digital security. When I went
-
to check him out and looked at his Twitter
account I discovered I already follow him.
-
Which is funny, or it was for me
a little anecdote about the modern world.
-
I recognized his avatar immediately
but not his name.
-
I guess that's just something
about how we live these days.
-
So then with no further ado, Joseph,
I’d like to give it over to you.
-
applause
-
Joseph Cox: Hello, hello hello.
-
How would you react if the FBI
came over from the United States,
-
came into Germany, went to an apartment
in, say, Hamburg, kicked down the door
-
and then started searching the apartment?
-
They haven’t been invited
by German law enforcement,
-
they’re acting on their own accord.
They then seize a load of evidence
-
and go back to the States.
-
You might think this isn’t a great thing,
I mean what does the FBI have to do
-
coming in to another country and then
-
searching buildings or arresting suspects?
-
But the searching is essentially
what the FBI is doing, but digitally
-
with malware and hacking tools. Breaching
into computers in other countries,
-
extracting evidence from them
and then sending them back to
-
a government server in Virginia,
or wherever it may be.
-
To be clear, we’re not talking
about a normal intelligence agency here
-
like the NSA or GCHQ. They’re
gonna hack computers internationally
-
all the time as part of espionage,
we expect that, maybe that’s a good thing.
-
Here we’re talking about
an agency that’s predominantly
-
focused on law enforcement,
hacking into computers in other countries
-
as part of criminal investigations.
-
I’m gonna talk about one FBI case in
particular, briefly touch upon another one
-
and then just explain an operation
that was led by local Australian
-
law enforcement which hacked
computers in the United States.
-
At the moment, typically, these sort of
investigations are done to counter
-
child sexual exploitation
or child abuse on the Darkweb.
-
Just about me, briefly:
Journalist for Motherboard as mentioned,
-
which is the Technology and Science
part of Vice. Hackers, cybercrime,
-
the Darkweb drug trades or
stuff like Silk Road or the usual stuff.
-
But for the past year I’ve been really
interested in law enforcement’s
-
international use of malware.
Which brings us to
-
“Operation Pacifier”.
The FBI is not very good at naming
-
its child sexual exploitation
investigations.
-
So in August 2014 a new Darkweb child
abuse site was launched, called “Playpen”.
-
It was a Tor hidden service,
meaning that the majority of people
-
who connect to it would do so
over the Tor anonymity network,
-
masking their real IP address.
But because it ran as a hidden service
-
the physical location of the server itself
was also protected.
-
Meaning that the FBI couldn’t just go and
immediately subpoena the hosting company
-
or seize the server whatever may be,
because they didn’t know where it was.
-
A few months passed and Playpen is a
really, really big deal. It’s the largest
-
child pornography site on the Darkweb.
215.000 members,
-
117.000 posts, and an average
11.000 unique people
-
were visiting every week.
-
The FBI was trying to find a way in,
they were acting in an undercover capacity
-
on the site as law enforcement often do
with these sorts of hidden services.
-
But at one point a foreign law enforcement
agency, and we don’t know which one,
-
provided the real IP address
of the Playpen server to the FBI.
-
It turned out that Playpen’s administrator
who’s now been convicted, Steven Chase,
-
he’d misconfigured his server
so the real IP address was exposed
-
in the normal internet.
So in February 2015
-
the FBI go to the North Carolina
Data Centre, they seize the server
-
and they take control of Playpen.
-
Just as a side note:
Steven Chase, the administrator,
-
he had paid for the hosting via a Paypal
account in his own name.
-
So it was incredibly easy to convict him.
If you’re gonna run
-
an illegal Tor hidden service,
don’t use Paypal!
-
And this is where the hacking comes in.
-
Even though the FBI is in control of the
site – they can see what people are doing,
-
what videos they’re watching,
as mentioned – they can’t see
-
where these people are coming from
and they can’t identify them.
-
So they need another way,
and what they decided to do
-
is hack the computers of individual users.
-
Very, very shortly after the FBI seized
the server they started to run it
-
from a government facility in Virginia.
So the site is fully functioning,
-
except one section that encourages people
-
to produce more child porn. It’s still
a fully functional website, though.
-
They run that and the FBI deploys what
it calls a “Network Investigative Technique”,
-
an NIT or nit or what we would probably
just call “a piece of malware”.
-
In short, and this is a really, really basic
overview, the nit just did several things.
-
First somebody would log in to Playpen
and then go visit a specific
-
child porn related forum.
The exploit is then automatically
-
delivered to that computer.
This exploit certainly affected…
-
and the underlying vulnerability
certainly affected the Tor browser.
-
We don’t know if it affected Mozilla
Firefox. As many of you will know,
-
Tor browsers are often based on Firefox,
and they share much of the same code base.
-
But we don’t actually know
much about the vulnerability
-
or the exploit at all.
All that we know is that they used
-
a non-publicly known vulnerability.
-
And then when the exploit is delivered the
rest of the code causes the target machine
-
to phone home outside of the Tor network
to a government server, and now the FBI
-
has a real IP address.
-
Armed with that the FBI just goes to the
ISP, Comcast, Verizon, gets a name,
-
subscriber details and address,
kicks down a door, arrests the person
-
– if there’s enough evidence – and
presumably, and in many many of the cases
-
if not all of them, find a lot of child
porn on the suspect’s machine.
-
But that’s not everything
the FBI collected with a nit,
-
it also got the username,
the host name, the MAC address.
-
And it also generated a unique code
per unique infection, I think
-
that you could then use to correlate
activity on the site with an IP address.
-
And just remember this whole time
the FBI could see what people
-
were doing on the site, so “user Jimmy
went onto this section of the site
-
and looked at this thread,
now we have his IP address,
-
we can link it to that”.
-
So the FBI deploys its malware,
-
for 13 days it runs the site.
Over that amount of time,
-
100.000 users log into Playpen,
which as you’ll notice
-
is a lot more than 11.000, which
was apparently the average login rate.
-
For some reason the site became a lot more
popular when the FBI was running it.
-
You can hear whatever you want from that. (?)
-
So in the U.S. the FBI gets around 1300
IP addresses of U.S. users of the site.
-
Europol say they generated 3229 cases
-
– I haven’t highlighted it, but it’s
in the middle column at the bottom –
-
and 34 of those were in Denmark.
This is a presentation I just found online
-
when I found out it was called
“Pacifier”.
-
I searched that, filetype:pdf and
someone from law enforcement had
-
left this online, so that was convenient.
laughter
-
Austria, staying with this
part of the world,
-
I think this is a letter from an MP
to a group of politicians
-
just talking about the country’s
child porn investigations
-
and it mentions Operation Pacifier
and 50 IP addresses so the FBI hacked
-
at least 50 computers in Austria.
Latin America as well.
-
Again, this is another presentation
that I found online,
-
law enforcement are really, really sloppy
-
with just leaving all this stuff
online, which is great.
-
And you can just see Operation Pacifier
there. As for Chile it was
-
local media reports that just said
‘Pacifier’, ‘Playpen’, ‘child porn arrests’
-
so it was pretty easy to infer that
computers were hacked there as well.
-
Australia – this is part of a
freedom of information request
-
I made with the Australian federal police,
asking for documents and communications
-
about Operation Pacifier. This isn’t
actually the result of the request
-
this is them saying “Hey, we have
too much stuff on Operation Pacifier,
-
so we can’t give it to you” which
obviously already gave me
-
enough information to confirm that
Pacifier hit Australia as well.
-
Anyway, you get the idea. I’m not
just gonna list all these countries
-
apart from them. The U.K. and Turkey
were probably hacked as well.
-
But it turns out the FBI hacked computers
in many, many more countries.
-
And this just came out
end of last month, I think.
-
In total the FBI hacked
8.700 computers in 120 countries.
-
8.700 in 120 countries with one warrant.
-
And arguably that warrant was illegal.
-
But we have to back up a little bit,
just to see what that is.
-
Right, okay.
So the U.S. has something called Rule 41,
-
which dictates when a judge
can authorize searches
-
including remote searches, so hacking.
-
A judge can only authorize a search
within his or her own district.
-
So if the judge is in the
western district of Washington,
-
he or she can only sign a warrant
that’s gonna search stuff
-
within that district. With a few
exceptions. I think, terrorism,
-
and if there’s a tracking device
and then the person moves out of state
-
it’s still okay.
In the case of Playpen,
-
Judge Theresa Buchanan
was in the Eastern district of Virginia,
-
as you can see at the top.
Clearly, the vast majority of computers
-
were not in the Eastern
district of Virginia.
-
The search warrant application which is
that document that the FBI presents
-
to a judge, and say “Here’s our reasons,
please sign our search warrant!”,
-
it said that what was gonna be searched
was computers logging into Playpen,
-
wherever located. It’s pretty
debatable how explicit that is.
-
I mean, the FBI did not write “Hey we’re
gonna hack into computers no matter
-
what state they’re in, what country
they’re in, anything like that, and
-
we’re gonna hack into them”. The word
‘hack’ is obviously never ever used in the
-
search warrant application.
So with that in mind it’s kind of unclear
-
if Judge Theresa Buchanan would have
actually understood that she was signing
-
a global hacking warrant. And this isn’t
castigating the judge, at all. It’s more
-
that these warrants applications aren’t
very explicit. And it’s still unclear
-
because Judge Buchanan won’t respond
to my requests for comment.
-
So whether Operation Pacifier violated
Rule 41 has probably been the central
-
component of all the legal cases that came
out after the FBI started busting people.
-
Defense lawyers have brought it up, saying
“Hey, this judge did not have authority,
-
you now need to throw out all the
evidence against my client”.
-
According to the most recent figures, and
this might be very, very slightly out-of-date
-
21 decisions have found the operation
did violate rule 41. Out of those,
-
judges in four cases have thrown out all
evidence obtained by the FBI’s malware.
-
So that obviously includes the main bit
of evidence, which is the IP address,
-
but then also everything that came after
that. I mean the only reason the FBI
-
found child porn on people’s devices is
because the IP address led them there.
-
So all of that child porn is also struck
from the record as well.
-
And those people are essentially free,
barring DOJ appeals, which are ongoing.
-
Whether people based outside the United
States will have a similar sort of defense
-
is kind of unclear at the moment. The
IP address could fall under something
-
like the Third-Party Doctrine, as in:
if there’s a German suspect,
-
and they tried to challenge the legality
of the search the German police may say:
-
“Hey, look, we didn’t do the hacking,
we just got given this IP address
-
by third party”. And then the defense
might not have much to stand on.
-
But I do know of one lawyer in a country
outside the U.S. who is going to challenge
-
the legality of that hacking operation.
I can’t really say where he is right now
-
because I think that’s still sourcing out (?)
but that’s gonna be really, really interesting
-
when that happens, hopefully in the new
year. So forget everything I just told you
-
about Rule 41 because it doesn’t matter
any more. Earlier this month changes
-
to Rule 41 came into place. Meaning that
judges now can authorize searches
-
outside of their district. So if the Playpen
warrant was signed today it probably
-
would not violate Rule 41, and the FBI
wouldn’t have done anything wrong.
-
Or the DOJ wouldn’t have done anything
wrong. And I just wanna emphasize that
-
these changes to Rule 41 came about
in part, specifically because of
-
the problem that anonymity networks and
Tor present to law enforcement.
-
It’s not like Operation Pacifier was over
here, FBI doing its thing, and the DOJ
-
was sorting out these Rule 41 changes. The
changes have come specifically in response
-
to criminal investigations
on the so-called “Darkweb”.
-
And that’s just this Department quote
here: “We believe technology should
-
not create a lawless zone merely because
a procedural rule has not kept up
-
with the times”. Their argument is that
the Rule 41 is basically an antique,
-
and they need to change the rules to keep
up with criminals that are using stuff
-
like Tor or VPNs. So that was Pacifier.
-
That’s the largest law enforcement hacking
operation to date that we know about.
-
Just very, very briefly I’m gonna talk
about another FBI one where they likely
-
hacked into computers abroad. This one
is called “Torpedo” which is even worse
-
than Operation Pacifier when it comes
to child porn names.
-
In 2012 or 2013 the FBI take over
Freedom Hosting which is
-
sort of a turnkey hosting provider.
You sign up to the service
-
that hosts your Darkweb site. It doesn’t
matter if it’s legal or not, whatever.
-
The FBI sees it, they deploy an NIT
again, a piece of malware.
-
And this time the FBI trying (?) identify
users of 23 different child pornography sites.
-
In the warrant application there’s
a section specifically about
-
a Hungarian language site.
I mean even the FBI officer
-
– I think it’s the FBI writing it – says:
“Oh, if you put this into Google Translate
-
it means this, it’s Hungarian, blablabla”.
As I mentioned in the Playpen example
-
the FBI did not know where the computers
that they were going to hack
-
were located. This is an interesting case
because I’m going to guess
-
that a lot of the users of a Hungarian
language site are probably in Hungary.
-
So the FBI might have had some idea
that they were gonna hack computers there.
-
Did the FBI warn Hungarian law
enforcement? Did they get permission
-
of the Hungarian authorities to hack
computers in their country?
-
We don’t know yet.
And I somehow doubt it.
-
And then just finally it’s – excuse me –
it’s not just the FBI
-
that’s using hacking tools
to target suspects overseas.
-
A local Australian police department,
Queensland Police,
-
has a specialized task force
for child sexual exploitation,
-
Taskforce Argos.
-
And they were the ones that led this
operation. There wasn’t any sort of
-
an official statement from Queensland
Police saying: “Hey look, we unmasked
-
all of these criminals in the U.S.”.
It was only by piecing together
-
pretty spread-out (?) U.S. court documents
that I could map the contours of this
-
hacking operation that everyone
kind of wants to keep quiet about.
-
So in 2014 Taskforce Argos take over
another Darkweb child porn site
-
called ‘The Love Zone’. They run it – not
for 13 days like the FBI but for 6 months,
-
posing as the site’s administrator
who they’d already arrested.
-
According to one document – not this one –
the Australians obtained at least
-
30 IP addresses of U.S. based
users of the site. I don’t know
-
about other countries yet, it’s only
through these U.S. court documents
-
that we’ve been able to figure this out.
And the way they did it was
-
pretty different to the FBI. What they
would do is they would send a link
-
to a suspect, for a video file.
The suspect would click the link,
-
they will get a warning, saying: “Warning,
you’re opening a file on an external site,
-
do you want to continue?” Something to
that effect. If the person ignored
-
the warning and clicked “Yes”
a video of real child pornography
-
played on the suspect’s machine,
and then that video phoned home
-
to an Australian server. I mean, you can
debate whether this is hacking or not.
-
I mean the FBI weren’t clearly delivering
a Tor browser exploit with malware etc.
-
Is this hacking? I would say so. If we
think the phishing for Government e-mails
-
is hacking – sure. But that’s kind of the
trivial debate, anyway. The real debate
-
is: was this a search in the legal sense of
the word? Did the Australians obtain
-
information from a private place, namely
a private computer, in a private residence,
-
and did they get a search warrant to do
that? And again, we don’t know,
-
because they won’t talk to me.
-
So clearly, that was all about child abuse
and child pornography investigations.
-
Insofar this sort of international hacking,
as far as we know, as far as I know,
-
has only been used for those sorts of
investigations. But as for the future
-
with Rule 41, the changes there, we could
presumably see it go to other types
-
of investigations, maybe Darkweb drug
markets. Plenty of these markets have
-
dedicated vendor-only sections that you
can only login to if you are a drug dealer
-
on the site. I mean here, this isn’t from an
NIT or a malware investigation.
-
This is when Carnegie Mellon University
attacked the Tor network, obtained
-
IP addresses, and then gave those – well,
was subpoenaed for those and gave them
-
to the FBI. But the key part is that in
this search warrant it’s saying: “Hey look,
-
there’s probable cause because this
suspect was logging in to the
-
drug dealer-only section of Silk Road 2.0
so we have reason to raid his house”.
-
I can easily see this sort of section
being in a malware warrant or an NIT
-
warrant, as well. And then I suppose the
other more obvious example
-
– if that hasn’t happened already –
is putting a piece of malware to hack
-
suspects internationally on a Jihadi
forum. Maybe in administrator or moderator
-
sections, so you know you’re gonna be
targeting high-ranking members of the forum.
-
I mean I personally don’t know if that
would be the FBI or another agency
-
doing that. But that’s clearly somewhere
where malware can be useful
-
in international context. But apart from
predicting where this might go, I mean,
-
clearly this is gonna continue, just a few
weeks ago there was a Firefox zeroday
-
out in the wild. Me and my colleague
Lorenzo tracked it back to a specific
-
child porn site in the Darkweb where
that 0-day had been deployed.
-
So this is an active thing.
This is still going on.
-
And that’s it. But… just a last thing
if you have any documents, data,
-
information, tips on FBI malware,
law enforcement malware, who is using it,
-
who is buying it, how they’re using it –
these are my various contact channels.
-
Thanks a lot!
applause
-
ongoing applause
-
Herald: Thank you, Joseph.
Thank you.
-
Any questions from the audience?
-
Oh, we got one on [microphone] 4.
-
Question: Thanks for the talk.
Really nice. Quick question,
-
you’ve presented
some pretty illegal things.
-
On both sides.
On child pornography,
-
and all of those things.
And on the law enforcer’s side.
-
Now my question is, did you intentionally
mention those really illegal aspects
-
like child pornography to justify the
actions of the FBI in any way?
-
Joseph: You mean, did I specifically
speak about child pornography
-
to justify the FBI’s actions?
Question: Yes.
-
Joseph: No. This is just… I mean child
pornography and child sexual exploitation
-
is where law enforcement are using the
really cool stuff. This is where they’re
-
using their Tor Browser exploits. This is
where they’re using their Firefox zerodays.
-
And I’m just attracted to where the cops
are doing interesting things.
-
So, if it was on drug markets I’d cover
that as well. But at the moment,
-
at least to my knowledge, it’s just
localized to the child pornography
-
investigations. Presumably, because law
enforcement feel like not many people
-
are going to argue with them with maybe
doing an illegal search for child porn
-
because everybody finds that crime
abhorrent. But, no, that’s just
-
how it is at the moment.
-
Question: Okay, let me rephrase that.
Do you feel it’s justified for them
-
to use exploits?
-
Joseph: Do I feel it’s justified for
them to use exploits? I don’t think
-
it’s anything intrinsically wrong
with law enforcement hacking.
-
But even though child pornography is
an absolutely disgusting crime
-
and I can’t find it, obviously, any way
to justify it I also want law enforcement
-
to follow the law.
And to respect the law as well.
-
applause
-
Question: Thank you.
ongoing applause
-
Herald: Any other questions?
Anybody from IRC?
-
The (?) on 5, go ahead.
-
Question: Well, I wanted to ask probably
the same question whether it’s dubious
-
from the moral point of view?
And you already answered it.
-
You don’t see it as dubious, as I understand,
right? As the legislation can be questioned,
-
and should be rearranged there is not much
ethical discussion whether this should be
-
done or not. But while you were at the
topic for a while: do you have any other
-
proposals how to resolve this issue,
maybe? Technically,
-
from the technical point of view.
-
Joseph: Sure. So I mean, just before
I answer that I just wanna make clear
-
that I’m, like, a journalist,
not an activist or a technologist.
-
I don’t think it would be right for me to
say this is how we should combat this.
-
I’m just saying, hey, that’s what
the FBI did. That sort of thing.
-
But to answer the question, I think
Mozilla and Tor have been working
-
on a way to stop this sort of
de-anonymization attack, that,
-
when the FBI would hit a computer with
their exploits and then the NIT code
-
would deploy, that’s not enough. I really
can’t remember the technical details
-
off the top (?) in my head, but there is an
article online that I wrote.
-
But then they would have
to break out of the sandbox as well.
-
But more to answer your question
generally: there are technological solutions
-
that people are making here. And they
could be live pretty soon. But then
-
what is the FBI gonna do after that?
They’re not gonna stop making malware.
-
They’re gonna… they’ll deploy a nit that
will then rummage through your computer
-
and find incriminating documents and then
phone home. If they can’t get your real
-
IP address they’re gonna
get evidence somehow.
-
Herald: No.1 was up next.
-
Question: Hi Joseph. In your background
research on law enforcement
-
using technology like this to target child
porn sites. So you profiled the FBI
-
on how they may have (?)(?) around
some of the letter of the law
-
in order to get done the job they needed
to get done. Are the other law enforcement
-
agencies you found that are kind of like
a gold standard in their approach
-
to solving this problem that abide
by the rules, and maybe
-
solve this problem in a different way?
-
Joseph: When you say… so the question
was, are there other law enforcement
-
agencies who may be better or the same
sort of standard (?) as the FBI this problem.
-
When you say “this problem” you mean
“combating child porn on the Darkweb”?
-
Question: Yeah, clearly something needs to
be done about these sites. And there’s
-
a limited number of options available.
So the FBI is kind of busted out (?)
-
in trying every single piece of technology
they can to solve it. But are there others
-
that maybe take a more restrained approach
but still solve the problem?
-
Joseph: When it specifically comes
to malware I haven’t seen much
-
in the wild or publicly but in the U.K.
GCHQ, the country’s
-
signals intelligence agency has said,
or a report said, it is using
-
bulk interception, so GCHQ’s mass
surveillance capabilities, to do
-
traffic correlation attacks, and they
can then unmask Darkweb users
-
and hidden service IP addresses.
That’s not malware but that is
-
an extreme use of technological
capability, I guess.
-
And yeah, we could definitely see
more of that. I think in the report
-
the Home Office said the GCHQ had got
something like 50 individuals
-
in the past 18 months through bulk traffic
analysis. That’s not malware,
-
but yeah, that’s where stuff could go,
definitely.
-
Question: Cool. Thanks.
-
Herald: I give you one last question,
it will be number 4, over here.
-
Question: Hi, I was wondering, because you
mentioned bulk analysis which I considered
-
to be significantly worse than targeted
analysis, in the way that it violates
-
everybody’s liberties rather than specific
individuals who are definitely engaging
-
in criminal activity.
-
So why is it you feel that there’s
some kind of violation,
-
like these people they need to find
these criminals, and the jurisdiction
-
needs to be significantly wider,
and I understand that it’s terrible
-
that they’re hacking us. But at the same
time they need to be caught. So how
-
can they make legislation that’s
able to find these people legally
-
when it’s outside of their jurisdiction,
and they might be targeting people,
-
if they’re doing a dragnet on a website,
like your example. And they’re gonna be
-
hacking people that are not in their
country. They can’t limit it to the people
-
that are in that country. And only hack
those people. It’s technically impossible.
-
So what’s the solution for this?
-
Joseph: I mean, some senators in the US
did propose a Stop Mass Hacking Act
-
which would have blocked the Rule 41
changes. It was unsuccessful, and
-
in part – this is just my personal
opinion – I think it’s because they
-
didn’t present a viable alternative.
I mean, as you say, these people
-
need to be caught, I mean, that sort of
thing, but when these senators said:
-
“Yeah, we need to stop all this global
hacking” there was no alternative presented,
-
so we don’t know, basically.
As for legislative changes
-
I think it’s more… it’s less the
“Hey, here’s a concrete law or rule
-
that we need to fix right now”, it’s more
like there’s a looming issue of
-
“What happens when the FBI hacks a child
pornographer in Russia, or one who happens
-
to be a politician in another country?”
Are they still gonna go, and then go
-
to local law enforcement, “Hey, we got
this IP address of one of your senior
-
politicians who happens to be looking at
child porn”. I mean what are the ramifications
-
of that gonna be? But to answer your
question: we don’t really know.
-
It’s more of just this looming issue that
law enforcement are firing malware
-
and asking questions later.
-
Herald: Thank you so much. If you got
a round of applause for Joseph Cox!
-
applause
-
postroll music
-
Subtitles created by c3subtitles.de
in the year 2017. Join, and help us!