
Facebook Helped FBI Exploit Vulnerability in Linux for Child Predator Sting - ashitlerferad
https://gizmodo.com/report-facebook-helped-the-fbi-exploit-vulnerability-i-1843988377
======
cameron_b
So we're cool with it if the ends justify the means?

I'm glad big guns were brought to this, and that theoretically it was a narrow
window of possibility for the exploit to work, but the FBI and FB getting
together to play vigilante is not quite how the Robin Hood story goes.

~~~
ebb_earl_co
Previously in life I would be completely on the side of the ends _not_
justifying the means, especially with respect to Tails of all things;
precisely because it is billed as a tool for whistleblowers and others trying
to extend/preserve democracy.

However, recent episodes of Sam Harris' podcast, Making Sense, especially
those with Paul Bloom, have changed my mind. The thrust of the argument is
that exploiting (especially sexually!) minors is so outrageously heinous that
arguments to protect bad actors in situations like this (as a subset of
protecting all actors in all situations which is what Tails aims to do) ring
hollow.

I have almost zero goodwill for Facebook, so with a half-trillion market cap,
this is something I would expect from such a company in light of the ethical
consideration above:

> other companies would not be willing to “[spend] the amount of time and
> resources to try to limit damage caused by one evil guy.”

The takeaway from this for me was what Senator Wyden is quoted as saying to
Vice later down:

> Did it [the FBI] submit the zero-day for review by the inter-agency
> Vulnerabilities Equity Processes?

If the answer is no, which is how it sounds based on the way he responded,
then I agree with you that the FBI-Facebook in cahoots, with the latter's
resistance to going after political advertising AT ALL, is worrying.

------
themacguffinman
> since an upcoming Tails update was slated to strip the vulnerable code,
> Facebook didn’t bother to do so, though the social media company had no
> reason to believe Tails developers had ever discovered the bug.

Quite bizarre for Facebook to pay for a zero-day exploit to go after a
criminal, but the only problem I have with the scenario is that Facebook
didn't eventually disclose the vulnerability to the Tails team. The article
notes that the Facebook team saw an upcoming update that strips the vulnerable
code, but what if the Tails team reverted or delayed the update? The exploit
should have been disclosed to the Tails team eventually so they can prioritize
accordingly.

If the exploit was eventually disclosed, it's hard to distinguish this from
white-hat security research. In both cases, you have a legitimate organization
discovering exploits that are responsibly disclosed, just with the added bonus
of pursuing a criminal in a short time window before disclosure.

------
l2dy
"in Linux" is not "in a Secure Linux Distro", please correct the title.

