
Facebook Helped the FBI Hack a Child Predator - sagarun
https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez
======
redis_mlc
It's hard to tell from the article whether Facebook was an agent of the FBI or
not in delivering the exploit, which has legal implications for this case.

What Facebook could have done to avoid that issue is to enforce their ToS to
get his IP address, then contact and hand those logs to LEO. (A company can
follow its own processes as far as possible before contacting LEO, but once
they start working together, they become an agent and the process is changed
into something with less independence.)

The idea of creating a new OS to trap an end-user is one of the weirdest
things I've ever heard of, on several levels, frankly.

Source: previously the LEO contact at a large Silicon Valley company.
Typically you meet with them quarterly or as necessary, but you don't casually
"work together" on cases to avoid the appearance of being their agent instead
of a company representative.

~~~
htfu
FB procured the exploit, LEO executed it. There are no legal implications,
only moral ones, and I'd say the only debate there is over lack of disclosure
_after_ use. That's really sketchy.

But developing it in the first place, handing it to those legally authorized
to use it, and catching someone like this - I don't understand how anyone
could be against that... again, as long as the exploit is burned afterwards.

------
RcouF1uZ4gsC
> For years, a California man systematically harassed and terrorized young
> girls using chat apps, email, and Facebook. He extorted them for their nude
> pictures and videos, and threatened to kill and rape them. He also sent
> graphic and specific threats to carry out mass shootings and bombings at the
> girls' schools if they didn't send him sexually explicit photos and videos.

> raises difficult ethical questions about when—if ever—it is appropriate for
> private companies to assist in the hacking of their users.

I am happy Facebook did this. They made the world a better place.

------
kristianp
The exploit used a modified video which caused Tails' video player to reveal
the user's real IP address. Does anyone know how that could be done? Does the
video contain a redirect of some kind to an url that causes a bypass?

~~~
sheenobu
Caveat: I'm not a security researcher just have a basic knowledge of the terms
and techniques you would find in a beginner exploit tutorial.

These types of exploits are usually specially crafted files that trick the
code responsible for parsing and displaying the video file into running
whatever the creator wants. The terms "buffer overflow/underflow+" and
"shellcode" might help narrow down a definition for you. Below is an overly
simplistic version .

The video might contain, inside of it, a specially written computer program
that sends the IP address of the current computer to whatever location the
attacker wants. (This is the shellcode). This code could be really simple.

The video could also have parts in it that do not make sense. the video player
code makes assumptions about the video that the video purposefully violates.
When the video is processed by the computer, the video player code
misunderstands what it needs to do and will accidently treat the video as
code. (this is the buffer overflow). Since parts of the video are actually
special shellcode, the computer has been tricked into running code hidden
inside the video.

The article below implies that is what this was
[https://www.vice.com/en_us/article/gyyxb3/the-fbi-booby-
trap...](https://www.vice.com/en_us/article/gyyxb3/the-fbi-booby-trapped-a-
video-to-catch-a-suspected-tor-sextortionist)

+Buffer overflows / underflows are just one of many techniques for exploiting
a program. it's the main one I know in passing.

------
ghostpepper
Maybe I missed it in the article but I am curious whether the guy was using
Facebook's opt-in E2E encryption.

~~~
suyula
The FBI got the help of the guy's contact, so E2E encryption wouldn't have
been a factor.

------
beerdoggie
This is a scary 0day. Glad they got the guy though.

------
jbirer
"First they came for the communists..."

~~~
krapp
Won't someone please think of the pedophiles?!

~~~
jbirer
You missed the point. They will use pedophiles first as a rationale and after
some time they will not even bother to give you an excuse as to why they broke
into your e2e communication.

~~~
krapp
Yes, yes, I know, everything is a slippery slope towards the Orwellian
dystopian nightmare and the boot stomping on our heads forever.

Pseudointellectual quips like that have become such trite and banal cliches at
this point there's nothing left to do but laugh at them. Throw the one by
Voltaire onto the pile too, or the one about trading security for liberty.

~~~
jbirer
You are using a bunch of emotional non-arguments like "trite and banal" while
not addressing the validity of these slippery slopes, on top of lacking
history knowledge (for example check how blanket arrests for suspected FETO
supporters extended to arresting opposition under the same name in Turkey).
Makes me think your reply is more about helping yourself feel safe and secure
rather than arguing.

