Facebook Helped the FBI Hack a Child Predator

vice.com

49 points by sagarun 6 years ago · 13 comments

redis_mlc 6 years ago

It's hard to tell from the article whether Facebook was an agent of the FBI or not in delivering the exploit, which has legal implications for this case.

What Facebook could have done to avoid that issue is to enforce their ToS to get his IP address, then contact and hand those logs to LEO. (A company can follow its own processes as far as possible before contacting LEO, but once they start working together, they become an agent and the process is changed into something with less independence.)

The idea of creating a new OS to trap an end-user is one of the weirdest things I've ever heard of, on several levels, frankly.

Source: previously the LEO contact at a large Silicon Valley company. Typically you meet with them quarterly or as necessary, but you don't casually "work together" on cases to avoid the appearance of being their agent instead of a company representative.

  • htfu 6 years ago

    FB procured the exploit, LEO executed it. There are no legal implications, only moral ones, and I'd say the only debate there is over lack of disclosure _after_ use. That's really sketchy.

    But developing it in the first place, handing it to those legally authorized to use it, and catching someone like this - I don't understand how anyone could be against that... again, as long as the exploit is burned afterwards.

RcouF1uZ4gsC 6 years ago

> For years, a California man systematically harassed and terrorized young girls using chat apps, email, and Facebook. He extorted them for their nude pictures and videos, and threatened to kill and rape them. He also sent graphic and specific threats to carry out mass shootings and bombings at the girls' schools if they didn't send him sexually explicit photos and videos.

> raises difficult ethical questions about when—if ever—it is appropriate for private companies to assist in the hacking of their users.

I am happy Facebook did this. They made the world a better place.

kristianp 6 years ago

The exploit used a modified video which caused Tails' video player to reveal the user's real IP address. Does anyone know how that could be done? Does the video contain a redirect of some kind to a URL that causes a bypass?

  • sheenobu 6 years ago

    Caveat: I'm not a security researcher, I just have a basic knowledge of the terms and techniques you would find in a beginner exploit tutorial.

    These types of exploits are usually specially crafted files that trick the code responsible for parsing and displaying the video file into running whatever the creator wants. The terms "buffer overflow/underflow+" and "shellcode" might help narrow down a definition for you. Below is an overly simplistic version.

    The video might contain, inside of it, a specially written computer program that sends the IP address of the current computer to whatever location the attacker wants. (This is the shellcode). This code could be really simple.

    The video could also have parts in it that do not make sense. The video player code makes assumptions about the video that the video purposefully violates. When the video is processed by the computer, the video player code misunderstands what it needs to do and will accidentally treat the video as code. (This is the buffer overflow.) Since parts of the video are actually special shellcode, the computer has been tricked into running code hidden inside the video.

    The article below implies that is what this was https://www.vice.com/en_us/article/gyyxb3/the-fbi-booby-trap...

    +Buffer overflows / underflows are just one of many techniques for exploiting a program. It's the main one I know in passing.
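
Added example, not part of the thread or of any commenter's post: the parser assumption described in the comment above, shown as a flawed length-trusting copy beside a hardened version that rejects a file whose declared length does not match reality. The toy chunk layout, `TITLE_MAX`, the function names and the sample chunks are all constructed for illustration and do not describe the real player or file involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 16  /* size of the player's fixed title buffer (assumed) */

/* Constructed toy chunk: [tag 'T'][1-byte declared length][payload bytes] */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Flawed pattern: trusts the length byte stored in the file, so a chunk
 * declaring more than TITLE_MAX bytes makes memcpy write past `title`. */
void parse_title_unchecked(const uint8_t *chunk, char *title)
{
    memcpy(title, chunk + 2, chunk[1]);
    title[chunk[1]] = '\0';
}

/* Hardened: validate the declared length against the bytes actually
 * present and against the destination before copying anything. */
int parse_title_checked(const uint8_t *chunk, size_t chunk_len, char *title)
{
    if (chunk_len < 2)
        return PARSE_TRUNCATED;   /* not even a complete header */
    size_t declared = chunk[1];
    if (declared > chunk_len - 2)
        return PARSE_TRUNCATED;   /* header claims more data than exists */
    if (declared >= TITLE_MAX)
        return PARSE_TOO_LONG;    /* no room for payload plus terminator */
    memcpy(title, chunk + 2, declared);
    title[declared] = '\0';
    return PARSE_OK;
}

/* Constructed sample chunks */
const uint8_t good_chunk[]  = { 'T', 5, 'h', 'e', 'l', 'l', 'o' };
const uint8_t short_chunk[] = { 'T', 200, 'A', 'A', 'A', 'A' };
const uint8_t long_chunk[]  = { 'T', 20, 'A','A','A','A','A','A','A','A','A','A',
                                'A','A','A','A','A','A','A','A','A','A' };

int main(void)
{
    char title[TITLE_MAX] = "";
    printf("good:  %d\n", parse_title_checked(good_chunk, sizeof good_chunk, title));
    printf("short: %d\n", parse_title_checked(short_chunk, sizeof short_chunk, title));
    printf("long:  %d\n", parse_title_checked(long_chunk, sizeof long_chunk, title));
    return 0;
}
```

The unchecked function is never called here; it is kept only so the missing bounds checks are visible next to the version that has them.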

ghostpepper 6 years ago

Maybe I missed it in the article but I am curious whether the guy was using Facebook's opt-in E2E encryption.

  • suyula 6 years ago

    The FBI got the help of the guy's contact, so E2E encryption wouldn't have been a factor.

beerdoggie 6 years ago

This is a scary 0day. Glad they got the guy though.

jbirer 6 years ago

"First they came for the communists..."

  • krapp 6 years ago

    Won't someone please think of the pedophiles?!

    • jbirer 6 years ago

      You missed the point. They will use pedophiles first as a rationale and after some time they will not even bother to give you an excuse as to why they broke into your e2e communication.

      • krapp 6 years ago

        Yes, yes, I know, everything is a slippery slope towards the Orwellian dystopian nightmare and the boot stomping on our heads forever.

        Pseudointellectual quips like that have become such trite and banal cliches at this point there's nothing left to do but laugh at them. Throw the one by Voltaire onto the pile too, or the one about trading security for liberty.

        • jbirer 6 years ago

          You are using a bunch of emotional non-arguments like "trite and banal" while not addressing the validity of these slippery slopes, on top of lacking history knowledge (for example check how blanket arrests for suspected FETO supporters extended to arresting opposition under the same name in Turkey). Makes me think your reply is more about helping yourself feel safe and secure rather than arguing.
