
FBI Is Pushing Back Against Judge's Order to Reveal Tor Browser Exploit - ashitlerferad
https://motherboard.vice.com/read/fbi-is-pushing-back-against-judges-order-to-reveal-tor-browser-exploit
======
pdkl95
Such arrogant hubris:

    
    
        Here, [Special Agent] Alfin starts an analogy for software
        vulnerabilities: that of a flaw in a lock.
    
        “In layman's terms, an ‘exploit’ could be thought of as a
        defect in a lock that would allow someone with the proper
        tool to unlock it without possessing the key,” he writes.
    

He admits that there is a flaw, but no mention _at all_ that the flaw should
be _fixed_? If one person found the exploit, someone else can as well.
Apparently fantasies about having a "nobus" tool are a higher priority than
protecting people.

~~~
d33
That's why I believe that there should be more energy put into genetic fuzzing
of Firefox. If we managed to attach AFL to its content sniffing engine for
example, I'm pretty sure it wouldn't take long to find something fun...

Google doesn't seem to say that anybody officially tried it so far:

[https://encrypted.google.com/search?hl=pl&q=afl-fuzz%20firef...](https://encrypted.google.com/search?hl=pl&q=afl-fuzz%20firefox)

------
deepnet
FBI broke into your house to prove you were committing a crime.

FBI broke into your Firefox...

FBI keeps all citizens at risk because it is convenient to them that there is
a major flaw in the most common doorlocks.

Specific circumstances, proper oversight?

Ripe for overreach these citizen unsafety programmes.

------
hvidgaard
I actually agree with the FBI here. I would love to see the vulnerability
fixed, but it is of little importance to the case. It's like asking what make
and model of lockpicking tools they used to pick a lock. If it is to verify
the legality of it, I'm sure that allowing only the judge and an expert to see
the exploit is enough.

~~~
woodman
> It's like asking what make and model of lockpicking tools they used to pick
> a lock.

It is more like asking for the technical specs of the teleportation equipment
they used. It needs to be established that they broke into the right house,
because there are all sorts of potential "mistakes" that can be hidden behind
secret magical investigative tools.

~~~
hvidgaard
Not at all. What they had was a lead, they got access and found the real
evidence. They wouldn't know if it was the right house or not, that is the
nature of a lead, and the person (hopefully a judge) that gave them the green
light decided if the lead was substantial enough to warrant hacking a citizen
and breaking privacy.

The process from start to finish can be public. If they followed protocol and
found real evidence that is what matters. They can demand to see warrants and
the timeline of the process to determine the legality of what happened, but
the technical nature of the exploit adds no additional insight to this.

~~~
woodman
> If they followed protocol and found real evidence that is what matters.

That is what is yet to be determined. Trying to shield the process from public
scrutiny and justifying it with an appeal to authority is a pretty bad idea.
Imagine the same logic applied in the non-digital world: traffic stops
conducted with probable cause delivered by a black box and an authoritative
"Just trust me, I'm an expert."

~~~
hvidgaard
I agree, and if the defendant wants a judge and domain experts to go over it,
fine, but the public does not need to know for this particular case.

~~~
woodman
I'm not sure how that would work without more secrecy (FISA style courts) or
compelled silence (NSLs). Before we do that, maybe we should take a moment to
reevaluate the premise of state secrets, and the benefits they provide a free
society.

------
DominoTree
Pretty sure that just about everyone is hoarding Firefox 0days :P

~~~
unlinker
That's my thought too. I'm sure most of the so-called "security experts" who
like to talk about how important privacy and security are for the rest of us
are sitting on lots of 0-days.

~~~
wldcordeiro
Right? There are too many valuable bug bounties and interested parties for
people to divulge the best exploits. Those are all probably still in the wild
and will remain that way until the right buyer appears.

------
vox_mollis
May be? They almost certainly are stockpiling them.

------
anonnyj
"hoarding" "a" Does not compute...

~~~
wldcordeiro
Stowing away a better term for you? Yeah hoarding is usually a plural
reference but you know what the article meant.

~~~
plorg
More like "reserving". Clearly they're actually using the exploit in question.
I would associate "stowing away" or "hoarding" with hiding or putting a later
circumstance.

In any case, the original title ("FBI Is Pushing Back Against Judge's Order to
Reveal Tor Browser Exploit") is more informative and less click-baity. There's
a reason that's HN's preferred style.

