Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers (vice.com)
234 points by 56k on Feb 20, 2016 | 77 comments

The Justice Department contends that the act of viewing a child porn image revictimizes the child each time the view occurs and is the basis for arguing that viewing child porn is not a victimless crime. Yet the FBI seized a server and allows such images to be downloaded and viewed thousands of times over a 2 week period. This would be like seizing the operators of an underground rape dungeon where patrons pay to rape children - and allowing such an establishment to run for 2 extra weeks to catch the patrons, regardless of any collateral damage that occurs to innocent children as a result. People would be up in arms over this. So, does viewing an image of child porn cause additional harm to the child in the image or not? Which is it? (This of course excludes instances where the viewer is paying/supporting production of the material)

It's the FBI -- not just a law enforcement agency but a national security/counter terror agency. For such agencies the Constitution and the laws become vague and flexible. Under color of law, the FBI can essentially do anything they can present a plausible law-enforcement case for.

A few years ago we had a shitsplosion involving the BATF running illegal guns in order to "catch criminals", with the result that few if any criminals were caught and Mexican drug lords found themselves in possession of nifty new guns. AFAIR none of the major decision makers lost their jobs, let alone were prosecuted.

I wonder how much actual law enforcement purpose is behind these ops and how much of it is just a game of "let's see what we can get away with".

The dissonance is accepted in this case because of the repulsive nature of the crimes, as determined by our current social consensus.

Philosophical purity is very appealing, but ultimately the justifications we use for why the law is the way it is only have to stand up long enough to convince most interested parties that we're doing the right thing.

Stated another way, the law is being ignored because these particular criminal defendants' rights don't matter when they're inconvenient, based on the crime(s) they were accused of.

When the law is influenced by societal consensus the legal system becomes a farce.

Well, in this example the rights that are being ignored are not those of the defendants, but those of their victims to not be further victimized.

I think when the law is not influenced by societal consensus it becomes a farce. In many ways the societal consensus on morality is law whether it is maintained by the state, vigilantes or in this case a legal fiction which is some combination of both.

I think this quote by the recently passed Justice Scalia is appropriate here

"the Constitution, or any text, should be interpreted [n]either strictly [n]or sloppily; it should be interpreted reasonably"

The law is Societal Consensus.

Well biologically the person has inherited some genes that function in such a way as to lead to their obsession with young people. At the end of the day this is very much a mental problem that can be remedied with bioengineering. Not much else you can do for these people.

To criminalize it in all of its forms, is the same thing as criminalizing any sexuality. Perhaps one day we'll create an algorithm that can generate these images without anyone being involved -- does that sound distasteful as well.

At this point even artful depictions of a sexual nature are illegal, criminal offense.

Well biologically the person has inherited some genes that function in such a way as to lead to their obsession with younger people.

That includes everyone. Women with the most neotenous traits are considered the most attractive in every human society.

[*] https://en.wikipedia.org/wiki/Neoteny#In_humans

So is that to say that it's completely a choice and so we should treat these people as criminals and simply jail them with harsh sentences if they don't conform to our societal norms?

Has it been proven that Pedophilia is genetic, tho?

Has homosexuality? In general in many of these cases there is definitely some element of OCD involved, as in hoarding millions of images, and the criminal offenses are set up in a way to penalize for each image using the same sort of logic as above. But then that's common for other people with what are considered normal sexual orientations, having a huge porn collection.

I mean the deviant element of this is that it's all so taboo, I mean after all "think of the children" (tm). We should treat it as any other crime and try to do harm reduction.

There was an episode of radiolab or something where a guy had a brain injury and became an obsessive child porn collector. The DA argued that even if he had an illness, if he was cognizant enough to hide his activity from his spouse, he was cognizant enough to seek help instead of continuing his behavior in secret.

If you're looking for consistency in the US legal system you're going to be sorely disappointed

Moreover, if you create a legal system with perfect consistency, you're going to be astounded by how much injustice it produces.

The law is not a programming language.

One noteworthy bastardization of modern justice is that our right to trial by a jury of our peers has long been infringed.

We are supposed to be judged by people of our approximate age, origin, location, background, etc, to allow for a greater understanding of context.

Random jury selection is an abomination.

I see what you're saying. A computer programmer accused of a hacking crime should only be judged by other computer programmers, since they understand the domain.

An artist accused of selling fake fraudulent paintings should be judged by a jury of artists, since these would best understand the techniques used to make paintings and could interpret the evidence to determine whether it was fraud.

Toyota cheating their emissions should only be judged by a jury made up of members of large car dealerships, mechanics, car repair services, etc. These would be best equipped to understand what exactly was done where in the pipeline, and interpret the evidence for or against them.

When a Goldman Sachs executive is accused of fraud, only other Wall Street investment bankers should be on the jury as these are his peers and the only ones who understand the complex financial instruments being used.

I honestly can't tell if you are being sincere or sarcastic.

Beautiful comment.

Jury randomisation has positives and negatives. Yes, it means that juries are unlikely to have the necessary context for a case. It's the job of the attorneys and expert witnesses to provide that context. This is not a good thing, and can cause miscarriages of justice. This is why appeals are a thing. On the other hand, you get a more statistically consistent justice system with jury randomisation. Not to mention that you immediately lose any bias during the jury selection (on which criteria should I pick a "peer"? random selection is much less prone to bias). The job of the justice system is to aim for consistency as well as justice (it would be unjust if the courts were not consistent -- yeah, yeah I know).

You are arbitrarily defining "peer".

Thank you. This has always been one of my biggest issues with sting operations. For most such operations, there is little to no collateral damage, but in this particular case, they support the same damage that makes the action a crime to begin with. Yet somehow most people seem to not care. I have my own theory on why, based not on just this, but on looking at how people treat all sorts of issues related to this subject, especially when dealing with someone who hasn't offended in any way (including not having viewed such material as mentioned here).

I think that, while people do care for the victims, their main driving force behind their interactions is hatred of the entire group (both those who commit crimes and those who don't). Hatred they justify by the damage some do, but hatred that does not originate there. It is almost like there is some need to have a group painted as evil beyond any consideration, some group you can openly hate regardless of anything else which fuels it. This is one reason why I think support for treatment of non-offenders is so lacking (other than 'lock them up and throw away the key') and why people tolerate the police engaging in abuse of the very same kind to catch them.

And then, the small piece of my mind which loves a good conspiracy begins to wonder if this wasn't engineered as a constant backdoor into digital rights/freedoms. One only needs to look at laws greater than 60 to 100 years ago to see how vastly different society reacted (often there wasn't much care even when a victim was being directly victimized, especially if they weren't the child of someone white and well off).

Even criminals themselves including rapists and murderers have a problem with child pornographers and child sex offenders.

It's kind of like how the CIA produces, sells, and profits from drugs so it can "catch the really bad guys".

Viewing the image also creates a market for it, since you'll get bored of it and will want another one, even if you'll not pay for it.

The same way downloading pirated material creates a market for it, even if you download it for free and the providers don't get money from it (but are rewarded with scene creds)

Unless this is different from the shellcode they used when taking down Freedom Hosting, I'm not sure what releasing it would do. There are already numerous analyses of the code:

- Vlad Tsyrklevich: http://tsyrklevich.net/tbb_payload.txt

- Gareth Owenson: http://owenson.me/fbi-tor-malware-analysis/

- My own analysis based on running it in PANDA: https://www.reddit.com/r/ReverseEngineering/comments/1jpln2/... (you can also get the recording of the shellcode executing and step through it here: http://www.rrshare.org/detail/26/ )

It's not big, and we have a pretty good idea what every piece of it does.

Of course, I suppose we don't know that the malware it used in this case is the same as the one in the Freedom Hosting case, so I guess it would be nice to compare and contrast them.

One benefit is to have documented evidence that FBI did release malware to the public. There has been little to no discussion on safeguards or liability when it comes to government published malware, and I wonder if a concrete example can enable such discussion.

Imagine a later headline: "FBI Ordered to Reveal the Code Used to Backdoor San Bernardino Suspect's Phone"

The accused is conveniently dead in this case. In the next case, a defendant's lawyer would surely want to inspect the instruments used to gather evidence.

Maybe we should appoint public defenders for the conveniently dead.

If you are referring to the software Apple is building to circumvent their kill switch, I don't believe Apple is required to give the FBI access to the software.

The code being released wouldn't matter, because it can't be installed anywhere without Apple signing it. Presumably the keys wouldn't need to be released in any such order.

The code is only useful on the specific iPhone in question if it is in fact signed, and Apple does not have the technical capability to sign an update for a specific phone but not others; they all trust the same keys. And Apple would deliver it to the FBI with a signature, so there's a high risk that the signature wouldn't be redacted before being available to the public.

Are you sure that is the case? Or is that the case for iPhone 5C and earlier? I remember listening to the Security Now episode where they discuss the iOS security model and it worked something like: 1) Apple sends a notification that an update is available. 2) The phone sends a request with certain identifiers for the update. 3) Witchcraft happens. 4) Apple sends an update signed specifically for that device and it will work on no other device.

Like I said that might be for 5c and older or I might have completely invented that.

3GS and later introduced SHSH blobs. See sources I linked to in https://news.ycombinator.com/item?id=11141965

Every update is signed specifically to the device being updated.

But the version signed could check the id of the phone and shut down if not a hard coded id.

Yes, it could be installed on any phone, but it would be useless on any other phone. And in order to modify it to work on other phones (even with source code) you'd need Apple's keys.

It'd be easy for anyone to patch memory at runtime to skip over that `if` check on the phone's ID (or at least easier than hacking the phone without the backdoor code).

Once the backdoor/exploit is created and released, there's no securing it to where it will only be used on a single phone.

Patching memory at runtime on an iPhone is not in any sense "easy". If it were the FBI wouldn't need Apple's help right now at all; they could just NOP out the code that implements the increasing timeout and erase-on-too-many-failures code.

To put it another way – if it were in fact easy to patch memory at runtime, there would be no need for the jailbreak community to spend huge amounts of time and effort every new OS release.

If you could trivially patch memory at runtime, they wouldn't need this firmware in the first place -- they'd just patch out the lock-on-fail code. If you assume that the chain of trust is compromised such that memory changes can be made, you own the device.

You're right, that's a good point.

Also, Apple does have the ability to prevent signed updates from being installed on phones they don't want it to be. Every update must be signed by Apple specifically to the phone that's being updated, and this includes a nonce to prevent replay attacks. (I forgot about this in my reply above).

See https://en.wikipedia.org/wiki/SHSH_blob, https://www.theiphonewiki.com/wiki/SHSH, http://www.saurik.com/id/12
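
The per-device signing with a nonce described in the comment above, as a simplified model (an added example, not part of the thread and not Apple's actual protocol or code). Assumptions: HMAC-SHA256 stands in for the vendor's asymmetric signature, and the device IDs, firmware bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in for the vendor's signing key (assumption). A real scheme uses an
# asymmetric signature so devices hold only the public half; HMAC keeps this
# example standard-library only.
VENDOR_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Ticket:
    device_id: str    # unique per-device identifier (constructed value)
    nonce: bytes      # fresh random value chosen by the device
    fw_digest: bytes  # SHA-256 of the firmware image being authorized
    tag: bytes        # authenticator over the three fields above


def _message(device_id, nonce, fw_digest):
    # Length-prefix every field so field boundaries cannot be shifted.
    parts = [device_id.encode(), nonce, fw_digest]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def _tag(key, device_id, nonce, fw_digest):
    return hmac.new(key, _message(device_id, nonce, fw_digest), hashlib.sha256).digest()


def sign_ticket(device_id, nonce, firmware, key=VENDOR_KEY):
    """Vendor side: authorize one firmware image for one device and one nonce."""
    fw_digest = hashlib.sha256(firmware).digest()
    return Ticket(device_id, nonce, fw_digest, _tag(key, device_id, nonce, fw_digest))


class Device:
    def __init__(self, device_id, key=VENDOR_KEY):
        self.device_id = device_id
        self._key = key
        self._pending_nonce = None

    def begin_update(self):
        """Generate the nonce that must appear in the signed ticket."""
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_nonce

    def install(self, firmware, ticket):
        """Return 'ok' or the reason the update is refused."""
        nonce, self._pending_nonce = self._pending_nonce, None  # single use
        expected = _tag(self._key, ticket.device_id, ticket.nonce, ticket.fw_digest)
        if not hmac.compare_digest(expected, ticket.tag):
            return "bad signature"
        if ticket.device_id != self.device_id:
            return "ticket issued for another device"
        if nonce is None or not hmac.compare_digest(ticket.nonce, nonce):
            return "stale nonce (replay)"
        if hashlib.sha256(firmware).digest() != ticket.fw_digest:
            return "firmware does not match ticket"
        return "ok"


def demo():
    fw = b"constructed firmware image v1"
    a, b = Device("DEVICE-A"), Device("DEVICE-B")
    results = {}
    t = sign_ticket(a.device_id, a.begin_update(), fw)
    results["fresh"] = a.install(fw, t)
    b.begin_update()
    results["other_device"] = b.install(fw, t)        # same ticket, other phone
    a.begin_update()
    results["replay"] = a.install(fw, t)              # same phone, old ticket
    t2 = sign_ticket(a.device_id, a.begin_update(), fw)
    results["tampered_image"] = a.install(fw + b"!", t2)
    forged = Ticket("DEVICE-B", b.begin_update(), t.fw_digest, t.tag)
    results["forged"] = b.install(fw, forged)         # fields edited, tag reused
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```
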

I am more concerned that there are no limits to what they can do in regards to a honeypot (trap/etc). You would think child porn would be one thing they would not go this far with.

Regardless, I think someone with expertise should be allowed to review any code developed by the government in such operations only to ensure it does not somehow violate the rights of innocents

Can't wait til they run an actual brothel this way. I mean, it is only a couple of throw away society doesn't care about and just imagine all the monsters we could catch doing so... :(

Well he is wrong then.

"Sure, here it is compiled to assembly and stripped of all comments." is sort of what I'd expect

If you analyze malware for a living, then the assembly is the source code. :)

It's really not that much of an issue. It makes things more fun.

I am curious about whether they developed the malware in-house or if they hired a contractor. Is there any information out there on this? I wouldn't be surprised if they cut out parts, which may hint at a particular contractor having developed the malware.

Also, I still do not understand why TOR Browser Bundle allows scripts by default.

> Also, I still do not understand why TOR Browser Bundle allows scripts by default.

The best diet is the one you can actually stick to. The best birth control is the one comfortable enough to use. The best anonymity software must be usable enough for Joe Average.

If the situation is high-stakes, TBB comes with NoScript installed. And you should probably get a burner laptop, do all your web browsing off TAILS, and randomly change your physical location.

> If the situation is high-stakes, TBB comes with NoScript installed. And you should probably get a burner laptop, do all your web browsing off TAILS, and randomly change your physical location.

You are absolutely correct about practicing good opsec, however I have to challenge the usability argument. TOR is already less usable due to many sites blacklisting TOR exit nodes and latency (although connecting to a hidden service is a better idea, and avoids the blacklisting issue. And yet hidden services tend to avoid the JS requirement as well). If Joe Average is willing to put up with that in order to stay anonymous, I'm sure Joe would be willing to disable scripts.

On the other hand, if Joe doesn't understand why having scripts enabled is a security risk, then this might be a better reason to have scripts off by default, anyway.

Average Joe probably worries about Average Hacker/Average Stalker

If he's up against the government, he's going down.

That's assuming that average hackers don't use script browser exploits...

And the FUD about the government being so competent that it's impossible to hide from them has to stop. It's just so entirely useless and devoid of reality. If you were going down, for example Snowden would be an unknown name to us.

I remember reading on the Tor project blog that the malware was based on a reverse engineered security patch. The browser bundle was afterward changed to aggressively prompt the user to update when a new version is out in order to prevent a similar scenario.

So the headline uses the word "pedophiles", but in the article the word is nowhere to be found. Maybe that's because this sting isn't necessarily about pedophiles, but about people watching and trading child pornography. Using "pedophiles" only serves to reinforce the stigma of an already heavily stigmatized minority.

The word "pedophile" should be defined as someone with a sexual attraction towards children. It doesn't describe behavior: people can choose to not act on the attraction, and many, invisible as they are, in fact do not. Also, the people operating and visiting that hidden service could have had other reasons for visiting. They are not necessarily all pedophiles.

I feel that people who watch child porn and find it appealing rather than repulsive - qualifies you as a pedophile in my book. It's certainly a lesser crime than actual sexual assault of a child. But watching sexual assault for enjoyment and trading in these videos is still a crime. The term pedophile fits just fine as far as I'm concerned.

The distinction being made is the pedophiles which do not seek out those materials or participate at all in their distribution, not committing crimes.

It's an overgeneralization, it's like conflating straight males with people that watch a male raping a female.

I'd say it would be more like comparing a male who rapes a female with a male who watches that rape.

Regardless, though, the term "pedophile" by definition is someone who is sexually attracted to children. There is no distinction about whether or not they actually committed a sexual act with a child. A person who commits a sexual act with a child is by definition a pedophile and a rapist, since children cannot legally give sexual consent.

A pedophile emotionally identifies with children. A perfect example of this was the guy in the movie Con-Air who sought out the little girl in the trailer park and sat with her to play at tea-time.

> Also, the people operating and visiting that hidden service could have had other reasons for visiting.

Such as?

To be clear, I meant other reasons than having a persistent sexual attraction towards children. Those other reasons can be: wanting to see physical abuse, seeing how abuse happens, finding a thrill in seeing something illegal, trying to see what gets you aroused, and many other reasons.

The Dutch rapporteur for sexual abuse summarized that it is estimated that about 20% of the people caught for possessing child pornography are actual pedophiles, meaning people with a persistent sexual attraction towards children: http://www.nationaalrapporteur.nl/Images/nationaal-rapporteu...



If nobody visited the hidden service, the operator would have no reason to keep it running. Watching child porn fuels its demand, and therefore encourages its distribution.

Are the viewers paying the operator? If not, I'm not sure you can really argue they're legally responsible for "encouraging" the operator. The operator could say, "I'm going to make another child abuse video for every million people that vote for Hillary Clinton", and no one would blame voters for "encouraging" him. Even if the operator has ads on the site, I don't think it's reasonable to call the viewers culpable--their financial contribution is unintentional, minuscule, and possibly negative if they used an ad-blocker.

For all we know, the "operator" was just showing a dump of things he found on an abandoned site five years ago, and was not involved at all in the production, and had no intention to be. Or perhaps he applied the principles of the MPAA and pirated for free as much material as he could, and put it on his website for free so as to try to get viewers to stop paying the producers and supporting their crimes.

(Which, by the way, is a strategy I would recommend law-enforcement pursue if they take their own arguments seriously. Spend federal money on servers hosting free, searchable torrents and direct downloads of CP; perhaps restrict it to material produced at least 20 years ago, and strip out or change any identifying metadata, so as to avoid any semblance of supporting or encouraging the producers of the materials.)

If you want to make the case that the viewers are liable for supporting the production of child abuse materials, that's a specific claim that you would have to prove in any individual case. By no means is it to be assumed.

What you mentioned was "encouraging its distribution", not "its production". Still, I can't imagine why the former would be rationally considered criminal except insofar as it contributes to the latter (notwithstanding rhetoric about "re-victimizing our children every time it is passed from one person to another"--which is completely absurd unless the viewers encounter the victims in real life and mistreat them in a way they wouldn't have if they didn't see the video, which seems outlandish--I doubt if it's even possible to track down the real-life identities of the victims most of the time).

Not everybody is motivated by money. Some people enjoy being rewarded with karma/lulz/creds/likes.

Is someone legally responsible for "liking" a child porn/terror/homeless beating video? Currently you are for the first case, sometime for the second.

Should "liking" or viewing criminal content be a crime? That's a tough question. It certainly encourages the production of such content (for money or karma).

So, then, what if:

- the website is run by someone unconnected to the original producer of the videos, who doesn't know the website exists?

- the person hosting the website got the content years in the past?

- the original producer of the videos is no longer doing such things, perhaps is dead or has a life sentence in jail?

Also, if we allow motivations like, say, getting high ratings and prominence on a website (and, to be sure, I haven't heard that this website supported user ratings and stuff), how about things like fame and getting your name in the headlines? Even if you're presented in a negative light, I'm sure there's a fair number of criminals who enjoy the thought that many people are disgusted and horrified by them, because it makes them feel powerful to have affected them so. Therefore, should newspapers that publish stories about horrible criminals be considered liable for encouraging criminal behavior?

I think anytime that question has come up, the answer has generally been "no". An example comes to mind: whether newspapers should publish the names of kids who have committed suicide, for fear that it would encourage copycat behavior. I think most newspapers do avoid that, but that's as a voluntary policy they adopt, and something that other newspapers would look down on you for if you did it--nothing like criminal liability. Likewise, some have suggested that widely publicizing terrorist attacks is helping the terrorists achieve their goals; but as far as I know, the media continue to publicize it extensively because it attracts a (paying?) audience. Laws criminalizing these things would probably be seen as a violation of the First Amendment.

Why are the media allowed to give criminals and terrorists nationwide infamy and attention, while a pervert is not allowed to give a CP site operator pageviews? I expect someone would argue that the media being allowed to report on everything is important, while anything pedophiles want is not important, even if it may give them a way to get their jollies without going out and doing things to real children. I have a feeling it's more about the political position of journalists vs that of perverts.

I think the arguments in favor of the prohibition of the possession or consumption of child pornography are rationalizations made up after the fact for the laws that already exist; that these arguments tend to fall apart under serious scrutiny, or to, if consistently applied, justify a much more authoritarian society than we have; that people make these arguments to defend their position, which they've chosen because of their emotions about pedophiles, which are generally unreasoned fear or hatred of a greater or lesser degree; that you see such intense hate against pedophiles because they're a convenient, safe target for hate, and some people love to hate, especially if they're contemptible themselves[1];

that this is so unreasoned that both laws and actual prosecution have fallen upon (a) drawn art of non-real minors [the U.S. Supreme Court struck down a law of this sort; other countries like Australia have not] and (b) minors sexting pictures of themselves [so now the laws are harming children, whom the law was allegedly meant to protect]; that people have probably been slower to propose and pass laws that don't charge sexting teenagers with CP because that goes against the unreasoning-hatred flow; and that authoritarians find the irrationally anti-pedophile mob useful for achieving their political ends, be it passing laws requiring ISPs to start filtering their traffic, passing over-broad censorship laws that happen to cover adult pornography or other things they dislike as well, justifying more extensive surveillance, or smearing anyone who opposes the above as being "pro-pedophile".

In short, I have a bad feeling about anyone who advocates measures against anyone who has not been specifically shown to have either abused children or knowingly encouraged anyone else to do it.

[1] Elsewhere in this thread, people have mentioned sex offenders getting beaten and killed in prison, and I googled a bit: http://www.foxnews.com/us/2015/02/16/ap-exclusive-sex-offend...

In my 7 year experience in Federal prison, only one sex offender I knew of got jumped and injured near to death. However, it wasn't because he was a sex offender. It was because 1) he lied about what crime he had been convicted of, 2) he started hanging out with a white supremacist gang. Another guy I knew who was researching his own appeal case came across the sex offender's case in the law books and put out the word to the gang.

Because the idiot had chummed up with the gang, the gang was responsible for recovering their "respect" among the prison society by trying to kill the sex offender.

As long as a sex offender was an "independent" (not gang affiliated) and extremely respectful of everyone, most everyone would leave him alone.

Two exceptions to this rule (that I observed): Blacks and Hispanics. Black guys (and therefore gangs) tended to not see a sex charge as that big of a deal. Hispanics stuck together no matter what.

What's the better word?

I don't believe there is a specific term for someone who watches child pornography. Is there even a term for someone who watches legal consensual adult pornography?

Fan, consumer, or audience of U.S.-based porn. ;)

Paedophiles are attracted to pre-pubescent children. Hebephiles are attracted to post-pubescent children, but possibly under the age of consent.

I learned this from a Netflix documentary.


That's not specific to being legal, consensual, or adult.

Is there a better word, as easy to pronounce? "Pedoviewers"?

Yes. Changed from http://www.engadget.com/2016/02/19/fbi-reveal-code-lawsuit-d..., which points to this.
