
Facebook Helped Develop a Tails Exploit - 1cvmask
https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez
======
hoistbypetard
It's worth reading the original article in full. I simultaneously understand
why they did it and am deeply uncomfortable with the tactic.

[https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fb...](https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez)

~~~
dang
URL changed to that from
[https://www.schneier.com/blog/archives/2020/06/facebook_help...](https://www.schneier.com/blog/archives/2020/06/facebook_helped.html).
Thanks!

------
suizi
This guy deserves what was coming to him, I can understand how it would be
very tiresome to deal with a pest like this who keeps coming back, but
breaking norms about reporting bugs to vendors like this sets a very nasty
precedent.

As does a company like Facebook spending large sums of money to narrow down on
specific people, it could be someone you hate today and an activist the next.

~~~
cryptica
Facebook are masters when it comes to controlling the narrative (damage
control is their expertise). There is almost certainly something else under
the surface. I find it implausible that Facebook would care enough to go after
a single individual. No matter how bad that individual was. If they did this
for every criminal of that level who uses Facebook, they'd run out of money.
They simply cannot do this. Whenever the media or a big company focuses on a
single individual, it's never actually about that individual. It's either
about some higher social concept or it's simply a PR stunt to control the
narrative. I think anything of this sort which comes out of Facebook is more
likely to be damage control. They probably came up with the narrative before
they even implemented this backdoor.

Facebook has teams of people whose entire job is covering Facebook's ass.
Before Facebook even does something bad, they already figured out an excuse
for it before they even started doing it. If they didn't have an alibi, they
wouldn't even do the crime. That's the kind of operation they run. They
preemptively create the narrative, then they act. Why do people treat Facebook
as if it were a conscientious person?

~~~
WhyNotHugo
Well, Facebook actively campaigns against privacy, and the FBI actively
campaigns against encryption.

This is great PR for them to say that both privacy and encryption are bad and
should be outlawed.

Wouldn't be surprising at all if that's how they spin it.

~~~
TheMblabla
>Facebook actively campaigns against privacy

Source? I know FB is pretty bad with the privacy of users of its own
services, but I'd be curious to see how they've campaigned against privacy.

------
mrb
« _They also paid a third party contractor "six figures" to help develop a
zero-day exploit in Tails: a bug in its video player that enabled them to
retrieve the real I.P. address of a person viewing a clip._»

This sounds like they describe the well-known WebRTC leak:
[https://restoreprivacy.com/webrtc-leaks/](https://restoreprivacy.com/webrtc-leaks/)

~~~
bawolff
Other than WebRTC being related to video playing, I don't see the connection.
They don't really describe the exploit, so hard to say, but the WebRTC leak
isn't really in the video player part, it's super well known (literally a
feature not a bug) so I don't think you would need to pay six figures for it,
and Tails uses Tor Browser which doesn't support WebRTC.

~~~
marci
But you can install WebRTC enabled browsers in tails. Depending on how tech-
savvy someone is, they could be motivated to install one of them.

~~~
bawolff
The article specifically says the issue was in code that used to be in Tails and
isn't anymore. Additionally, the Motherboard article describes the payload as a
video file uploaded to Dropbox, which doesn't sound like WebRTC.

~~~
mirimir
Yes, I doubt that it's WebRTC. Or at least, I recall similar vulnerabilities
in video player code that predated WebRTC. There used to be a Metasploit leak-
testing site (Metasploit Decloaking Engine) which checked for IP leaks via
video, PDFs, etc. And it included an early version of the NIT that the FBI has
used since ~2011.[0]

0) [https://securityaffairs.co/wordpress/43442/cyber-crime/fbi-u...](https://securityaffairs.co/wordpress/43442/cyber-crime/fbi-used-nit-against-pedo.html)

------
seek3r00
The vulnerability should have been disclosed to Tails developers as soon as
Hernandez was arrested.

~~~
andrewflnr
Well yes, but the fact that it was already patched in the next Tails release,
and that was the reason they pulled the trigger when they did, makes even that
concern less of a practical problem. It was basically going to get fixed in
short order no matter what they did.

~~~
rsanek
Since they never released the exploit, in reality we have no way of verifying
this is actually true. It very well could be the case Tails still has this
vulnerability.

~~~
mirimir
In my opinion, Hernandez screwed up by not appreciating the risk profiles for
Tails and Whonix. Tails is a LiveOS, which doesn't leave traces in RAM or on
disk. Whonix is a pair of VMs, one with the Tor process, and the other with
user apps. Using Whonix, exploits like this are impossible, because the apps
VM has no public IP address, and can hit the Internet _only_ via Tor.

~~~
coolspot
I can imagine for high-value target there are stacking exploits:

1) escape from browser into VM

2) escape from VM into host

3) run exploit on host

~~~
mirimir
True. However, such high-value targets would be isolating the Tor process and
apps at the hardware level. It's over my head, but I can imagine elements from
Tinfoil Chat and Qubes Air.

And yes, vulnerabilities in Tor have been exploited. So it's prudent to hit
Tor via nested VPN chains, just in case.

------
wodenokoto
> For years, a California man harassed and terrorized young girls, extorting
> them for nude photos and videos and threatening to kill and rape them or
> shoot up their schools. Much of this abuse took place on Facebook, and now,
> months after the man, Buster Hernandez or “Brian Kil,” pleaded guilty,

From Engadget coverage [1], I feel a bit of context is missing in TFA.

[1] [https://www.engadget.com/facebook-fbi-hacking-tool-targeted-...](https://www.engadget.com/facebook-fbi-hacking-tool-targeted-child-abuser-171753372.html)

------
627467
In my apparent ignorance, when I first read the title I actually imagined
Facebook developing a backdoor of some kind into Tails, given that Tails is
open source.

Then I understood that "developing" an exploit means taking advantage of
existing properties/vulnerabilities.

Is this standard wording in security circles?

~~~
zemnmez
"develop" here refers to the process of (potentially) researching and then
subsequently writing the software that exploits a vulnerability (an
'exploit'). It's used in the same sense as any other software development.

The process of discovering a vulnerability is called 'vulnerability research'.

So when Schneier says Facebook paid for an exploit to be developed, it means
they paid for software that exploits a vulnerability.

In the case of paying for such exploits, it's not always clear who exactly did
the research. Often the research comes from a third party who put together a
simple proof of concept that demonstrates only that the security control can
be breached (the PoC) -- then, a contractor may buy this vulnerability
('0day') from e.g. zerodium and develop an exploit for it, which will usually
be pretty much point and shoot so you don't need an exploit dev team to
leverage it.

Hope that makes sense.

------
suizi
Facebook could at least have had the decency to report the bug after they were
done; who knows what the FBI / NSA are using it for now.

~~~
ivann
According to this article [1] the code involved with this exploit should be
removed at some point.

"A factor that convinced Facebook’s security team that this was appropriate,
sources said, was that there was an upcoming release of Tails where the
vulnerable code had been removed. Effectively, this put an expiration date on
the exploit, according to two sources with knowledge of the tool.

As far as the Facebook team knew, Tails developers were not aware of the flaw,
despite removing the affected code. One of the former Facebook employees who
worked on this project said the plan was to eventually report the zero-day
flaw to Tails, but they realized there was no need to because the code was
naturally patched out."

[1] [https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fb...](https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez)

~~~
save_ferris
That would also be the perfect way to avoid disclosing the vulnerability so
they could keep using it.

Not saying that’s what is happening here, but it’s not like Facebook has a
glowing reputation to begin with. Telling the vendor that a future release
will patch the bug gets everyone to stop asking questions without really
knowing if it’s true.

~~~
vinceguidry
If you have need for Tails and you continue to use old versions of it out of
laziness, then you really are just begging to be pwned. We're not talking
about consumer-grade Ubuntu here.

~~~
save_ferris
I think you misunderstand me.

By telling Tails that the vulnerability will be patched in a future release
without disclosing the details of the vulnerability, Tails has no way of
knowing if this is actually true.

It’s easy to be a little skeptical when a company spends 6 figures to develop
an exploit and then states publicly “we can verify that the issue will be
patched in a future Tails release, but we’re not going to tell them or anyone
else what the exploit was in the first place.”

If you wanted to keep using that exploit, or sell it, the easiest way to do so
would be to tell Tails that it’s going to be fixed without actually giving
them any details about it.

------
muststopmyths
Fascinating part in the story about his arrest (first link in the vice
article) is that the FBI set up cameras outside his home to correlate his
physical presence with internet activity from the IP address.

You frequently get people on the internet saying "Your IP address doesn't
prove anything", but I was always curious how that worked in the real world.

~~~
wratz
I don't know about the US, but it is generally very easy: go to the ISP with
the IP+date and an order from a judge and they'll tell you who was using it.

~~~
thephyber
> they'll tell you who was using it

IP only tells the investigator whose name is on the ISP account, not which
person was at the keyboard. Your recommendation only helps the police know
where to set up the surveillance, not who to bring charges against.

------
whoopdedo
This is something to consider in the recent development of Amazon and
Microsoft saying they won't sell facial recognition to law enforcement. I
expect police will approach this minor inconvenience by outsourcing to a
private company who will do the face scanning for them.

~~~
blaser-waffle
Government contractors like General Dynamics are already all over facial and
license plate recognition. AMZN and MSFT not getting on board isn't going to
slow it down, just delay it from landing in consumer software.

------
forgingahead
Seems like the lede is buried -- what is the video player exploit? Is there
really a way to modify video files such that playing them locally can
broadcast an IP address?

Think this is less about Tails and more about this "video-tagging" tech.

~~~
resfirestar
Without a zero day in the actual decoder (which is probably a possibility
given the resources they poured into this), one way would be to send someone a
playlist file that tells the player to fetch the video from some URL. Does the
player on Tails obey proxy settings when playing URLs from an m3u? Maybe it
was that easy, or maybe they had to abuse something like the fragmented nature of
Linux media playback to find a neglected component that carelessly makes
network connections, or find a way to call youtube-dl, which is often
integrated with these players.

------
mindslight
Facebook also doesn't report the browser exploits they use to track people,
nor the wetware exploits they use to drive engagement. Just sayin'.

------
peterwwillis
To deepen the ethical quandary: what if Facebook had developed the exploit for
this case, and then the FBI used it for an unrelated, not-child-molesty case?

At some point you have to wrestle with the fact that law enforcement is
predicated upon having strong tools with which to deal with law breakers of
all kinds, not just the few you find particularly onerous. They're going to
need to perform ethical hacking to prosecute people under laws or
circumstances you disagree with. And it would probably be better for us if
they didn't always have to hack to get the information.

I think we need to work much more closely with law enforcement, not just
technically on being able to lawfully intercept private communications, but in
what laws and what cases its use is allowed. Nobody trusts the government in
this age, but I think that needs to change, and it's the people that need to
step up to rein in their government, not vice versa. That means more
oversight, restrictions on when and how powerful tools can be used, periodic
review, input into the design phase of new technologies, and so on.

We can use our brains to both make it more difficult for them to abuse
advanced tools, and also make it more convenient to use them to solve serious
crimes. We don't have to live in a black and white world where we either allow
everything or allow nothing. We can live in a world of gray, but we have to
step up to create that world; we can't just expect to keep saying 'no' to law
enforcement and them being able to do their jobs, which is keeping our people
safe.

~~~
thephyber
> and then the FBI used it for an unrelated, not-child-molesty case?

You _must_ assume this is the case. The FBI isn't going to stop using a tool
just because they caught one suspect in one case.

------
dtx1
There's an easy way to fix the WebRTC leak issue network wide: use a VPN on
your router so your network clients literally don't know their "real" IP and
therefore can't leak it. Same thing works for Tor. In my experience OpenWrt
and a WireGuard VPN provider work best.

~~~
alex_duf
I don't think it was a WebRTC issue, I think they crafted a video such that
the decoder would end up executing code.

Similar to what happened to Jeff Bezos.

~~~
stefan_
The point is that you can't have the Tails machine decide what connections are
proxied through Tor and which are not. If you have an external device like a
router or a Raspberry that _transparently_ tunnels the data, a compromise of
the Tails machine can't trivially expose your real network connection.

~~~
schoen
One thing that I've thought about this is that whether you do the firewalling
on the end-user device or on another device, the firewall will normally permit
connections to _every Tor guard_. That means that if an attacker can make the
device make a "special" TCP connection of any kind (e.g. just an HTTP request)
to an arbitrary IP address and port number, it could make that connection to
_an actual Tor guard node_ run by an affiliate of the attacker. Then the
attacker can distinguish that connection from other Tor activity because it
isn't Tor traffic.

The point of that is to say that "only allowing the machine to talk to Tor
nodes" wouldn't stop an exploit from effectively bypassing Tor—by talking in a
slightly unusual way to an adversary-controlled Tor node!

If they're not already doing it, it might be safer for Tails to learn _the
specific guard_ that its copy of Tor is using at a particular time, and only
allow outbound traffic _to that guard_ rather than to any Tor node. (Another
precaution which they might already be taking: only the Tor daemon process
should be able to open remote sockets at all.)
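
The guard-specific policy proposed above, written out as an added example in nftables syntax. This is not Tails' own firewall and not a configuration the thread provides; it also covers the point made earlier in the thread that the application side should have no path to the network except through the Tor process, since only the tor daemon's uid is allowed out at all. The guard address, port and tor uid are constructed placeholders: a real deployment would read the current guard from the running tor process and regenerate the ruleset whenever tor rotates guards.

```shell
#!/bin/sh
# Added example (not Tails' configuration): emit an nftables ruleset that lets
# only the tor daemon's uid open outbound TCP connections, and only to the one
# guard relay it is currently using. Everything else is dropped and logged.
set -eu

# Constructed placeholders; 203.0.113.0/24 is a documentation range.
GUARD_IP="203.0.113.10"
GUARD_PORT="9001"
TOR_UID="109"

# gen_ruleset GUARD_IP GUARD_PORT TOR_UID: print the nft ruleset on stdout.
gen_ruleset() {
    cat <<EOF
table inet tor_only {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # only the tor uid, only to the current guard, only TCP
        meta skuid $3 ip daddr $1 tcp dport $2 accept
        # anything else, from any process, is dropped and logged
        log prefix "tor_only-drop: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        # replies to the guard connection; no unsolicited inbound traffic
        ct state established,related accept
    }
}
EOF
}

# count_guard_accepts GUARD_IP GUARD_PORT TOR_UID: how many accept rules the
# generated ruleset contains for the guard (a sanity check: expect exactly one).
count_guard_accepts() {
    gen_ruleset "$1" "$2" "$3" \
        | grep -c "meta skuid $3 ip daddr $1 tcp dport $2 accept"
}

# Usage: print the ruleset. To load it on a real host (as root, not done here):
#   gen_ruleset "$GUARD_IP" "$GUARD_PORT" "$TOR_UID" | nft -f -
gen_ruleset "$GUARD_IP" "$GUARD_PORT" "$TOR_UID"
```

Two caveats a practitioner would want: tor must already have bootstrapped and chosen its guard before a rule this narrow can be applied, since bootstrapping needs directory fetches from other relays, and the rule has to be regenerated whenever tor changes guard or the policy will silently cut the daemon off.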

------
torified
I don't believe most of the technical details of this story and it sounds like
parallel construction created to avoid revealing the technique.

How would they know he was running tails particularly?

And what a happy coincidence that the 0day was patched before they even had a
moral obligation to notify anyone about it. _What luck!_

------
jsploit
> The firm worked with a Facebook engineer and wrote a program that would
> attach an exploit taking advantage of a flaw in Tails’ video player to
> reveal the real IP address of the person viewing the video.

Doesn't Tails route all traffic through Tor by default?

~~~
wolco
The video player must not use the default protocols.

------
abotsis
“The FBI then got a warrant and the help of a victim who sent a booby-trapped
video to Hernandez”

Seriously, Vice, “booby-trapped”..? It’d be funny if it wasn’t minors.
Actually, it’s still kind of funny.

------
suizi
Stopping random strangers from talking to kids over Tor could help to stop
pests like this as well, and it wouldn't cost six figures or undermine privacy.

------
Lineup
Or a widely publicized and plausible parallel construction.

------
paddlepop
I will admit to not being a fan of FB also, but discouraged by the number of
Slippery Slope arguments on this piece.

------
uinerimak
The fact that it took thousands of dollars and an entire company to write an
exploit shows how secure Tails really is.

~~~
akerro
Looks like the bug wasn't really in Tails but in other software they use,
Firefox/Tor Browser?

~~~
ChrisMarshallNY
Weakest link.

That’s one of the issues an aggregate system (which describes any system of
meaningful size, these days) has to deal with.

How many of the massive breaches we hear about, originate with dependencies or
subcontractors?

~~~
RNCTX
Speaking of, I always find it very telling that the knee-jerk reaction is to
blame a dependency or subcontractor. That's the same mentality that says "paid
for code must be better" when, last I checked, there aren't any more Windows
phones, are there?

But there was a Windows password hash method in the early 2000s that could be
brute forced on a single consumer grade CPU in less than 24 hours on their
current-at-the-time flagship network server OS. So there's that...

~~~
ChrisMarshallNY
I have no idea why you made that post.

------
quotz
It's so uncomfortable that they also hold all our data too.

------
wolco
"We knew it was gonna be used for bad guys,”

And everyone else.

Facebook is a honeypot.

