FBI Is Classifying Its Tor Browser Exploit Because 'National Security'

Joseph Cox, reporting for Motherboard:Defense teams across the US have been trying to get access to a piece of malware the FBI used to hack visitors of a child pornography site. None have been successful at obtaining all of the malware's code, and the government appears to have no intention of handing it over. Now, the FBI is classifying the Tor Browser exploit for reasons of national security, despite the exploit already being used in normal criminal investigations well over a year ago. Experts say it indicates a lack of organization or technical capabilities within the FBI. "The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI's National Security Information Classification Guide," government attorneys wrote in a filing earlier this month. It came in response to the defense of Gerald Andrew Darby, who is charged with child pornography offenses.

Javascript exploit

[Anonymous Coward]

This a JS exploit, not a Tor problem. It really doesn't matter what this exploit does or how it works. If you have JS enabled in Tor, you're already pwn3d.

Re:

[Cafe Alpha]

How would you know that?

Re:Javascript exploit

[tnk1]

Tor can only protect you if your machine can't be made to report back information about it. It doesn't help you very much to have an anonymous end point if the server on the other end can simply ask your browser to fetch the actual IP address of your host and other information about it.

Javascript allows calls like that to make your browser turn over that information. The reliable only way to prevent those calls is to turn JS off totally in your browser that is being used for Tor.

And the way you know that is by installing Tor and running tests against a site created to test those vulnerabilities. Or you could simply heed all of the giant warnings that Tor tends to have about turning off Javascript and just trusting them on that.

Re:

[Kjella]

Tor can only protect you if your machine can't be made to report back information about it. It doesn't help you very much to have an anonymous end point if the server on the other end can simply ask your browser to fetch the actual IP address of your host and other information about it. Javascript allows calls like that to make your browser turn over that information.

No it doesn't. If you use a proxy there's no supported way to get your real IP via Javascript. But Javascript is a huge scripting engine, it has a much bigger exploit potential than a rendering engine. That happens too, I think a while back there was a bug in a font handling library but much less often.

Re:

[NotInHere]

That is a nice idea, but the moment your OS phones home, or any other application on your desktop, you can already be identified. Same goes if you use your everyday browser for accessing the tor network. That one is usually customized, with lots of custom add-ons, and even more ways of fingerprinting.

The tor browser has removed many ways to do fingerprinting.

Really, use the tor browser.

Re:

[NotInHere]

And obviously, the tor browser has disabled it.

Re:

[Khopesh]

I'm not sure how knowing your LAN IP is 192.168.0.101 is going to identify you. The only way to make that a viable attack would be to pwn another system on the LAN [stackexchange.com] (such as the router) and phone home through it. At that point, you don't even need WebRTC, just a JS-based port scanner.

Re:

[Sperbels]

If you use a proxy there's no supported way to get your real IP via Javascript.

This is all pointless. I bet I can guess the first three numbers of your home computer's IP: 192...168....0...

Re:

[downright]

Then how does this WebRTC know your intranet IP even when you are behind a firewall?

http://www.browserleaks.com/we... [browserleaks.com]

Re:

[tnk1]

I admit, I am not a regular user of Tor, but I recall the times I have played around with it, the warnings were pretty explicit everywhere I went about JS. Its odd that leaving it on is the default in the bundle, although technically you don't have to turn it off to actually use Tor, it's just a really, really good idea.

Re:Javascript exploit

[evolutionary]

Problem is, many websites are designed to not function/give content without it. I've always been against this, but in attempt to sell to marketers, JS is all the rage. At the expensive of security, which most people don't seem to pay much mind anyway at least until they become a victim.

Re:

[evolutionary]

I'm a software/web developer architect. I get into discussions about how to implement things on websites a lot and it's a lot scarier than many might think. Just a few weeks ago I was looking at anti-fraud solutions which use something called "digital fingerprinting" which basically means tagging you in semi permanent fashion to verify you are actually "you". These solutions all rely on Javascript which my client couldn't use because they managed other external sites as well so it was too big a hassle. But

Tell me again why you still use TOR?

[gestalt_n_pepper]

Funded originally be DARPA, as I recall. Because how could you not trust DARPA?

Re:

[gestalt_n_pepper]

As a practical matter, I just assume that any encryption, cloaking, etc. has already been broken and that you can be seen if certain people at the NSA, CIA. etc. can read your communication if they're interested enough.

It's not a big deal to me personally. I'm not political, which is the real criteria for whether you're monitored or not (not the drugs or kiddy porn smokescreen reason). Political folks know better. They use old fashioned ciphers, red herrings, paper and face-to-face.

Re:

[rahvin112]

It was funded by the DOD and CIA as a method for spies to reliably communicate with their handlers without any way for the hosting state to intercept or read the communications.It was opened to the public so that the use of this network wouldn't be justification in itself to investigate.

Classifying is fun...

[__aaclcg7560]

The CIA classified my grocery list. Never mind that the information on the grocery list came from the weekly flyer that came in the mail. Never mind that the neighbors up and down the street may have a similar grocery list. Never mind that the CIA has no business classifying my grocery list in the first place.

Re:

[__aaclcg7560]

Not my fault that the postal service left classified information in everyone's mailbox.

Probably because...

[gatfirls]

....It's a laughably silly exploit that anyone can do and they paid 10 million dollars to get.

A possible compromise

[Anonymous Coward]

I was LinuxFest Northwest earlier this year and had in interesting conversation with a lawyer from ACLU of Washington who gave a talk on cryptography and fearmongering. It was interesting because he advocated a position that the law should compel the government to publicly reveal any exploit gained or utilized by the government. I pointed out that this would be difficult to support for many people who believe in strong national defense (and foreign intelligence as a key aspect of that). The suggestion I m

Re:

[Ormy]

if an exploit is developed (or purchased) by the US government for foreign intelligence purposes, then the government can decide to withhold the exploit on national security grounds, but as soon as it is employed for any domestic law enforcement purpose (surveillance, intelligence gathering, criminal investigation/prosecution) then the release would be compelled.

Sounds ideal in principle, but whats to stop them just 'saying' they only use the exploit for foreign intelligence. All laws should expect and account for human greed and the 'power corrupts' factor.

Re:

[EndlessNameless]

but whats to stop them just 'saying' they only use the exploit for foreign intelligence

That's simple, if the law is written properly.

When it's used for law enforcement purposes, it must be disclosed during that case---whenever the law dictates. E.g., when it is developed, after the investigation concludes, during the trial, after any appeals relevant to the exploit are decided, etc.

If they totally swear that the intelligence community is using some other exploit, they don't have to talk about that supposed exploit. We don't care at that point.

Either a particular exploit is unique to the intel

Only if you know that it's used by NSA, CIA

[raymorris]

18 U.S. Code  798 - Disclosure of classified information:
(a) Whoever knowingly and willfully communicates ...
prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified informationâ"
(1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government;

You would have to know that it is a government secret.

Note nothing it in the statut

Re:

[flink]

18 U.S. Code  798 - Disclosure of classified information:
(a) Whoever knowingly and willfully communicates ...
prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified informationâ"
(1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government;

You would have to know that it is a government secret.

Note nothing it in the statute says that removing the classification label makes it okay. If you know it is secret and you willfully communicate it to an authorized person, that's a felony.

798 is concerned with intercepting and decoding encrypted communications -- i.e. deliberate acts of espionage. 793 is the chapter more broadly concerned with deliberately disclosing classified information to the detriment of national security interests. However, this mostly only applies to individuals that have obtained a clearance. When you are granted a clearance you essentially sign an NDA that has not just civil, but criminal penalties bound to it, and 793 provides most of the teeth. See SF-312 [archives.gov] for

Thanks for the info

[raymorris]

Thanks for that.

Re:

[EndlessNameless]

If you know it is classified and disclose it anyway, that is a felony. It doesn't matter if you figured out how they did it from their own classified documents or not.

If you don't know whether it's classified and cannot reasonably be expected to know, then you're fine. If they decide to classify it after the fact, they will tell you the information is classified and that you're no longer allowed to discuss it.

There have been a few cases where this occurred, and the creator of the documents in questions was

So nice to see

[jarablue]

J.Edgar Hoover is alive and well. Why stop here? Who needs evidence anymore? For fucks sake just plant what you need and come in guns blazing. But yet police officers can have relationships with high school students and prosecutors turn a blind eye. What scum.

Re:So nice to see

[bluefoxlucid]

The best bit is he's definitely guilty, and trying to get off on a technicality. The argument is the entire body of evidence collected since this whole thing started is tainted, and they have no valid reason to search him (knowing that his house is still full of child pornography because they already did an *illegal* search isn't a justifiable cause), so he gets away scot free because the authorities fucked up.

This is *exactly* what we want. We want the authorities to follow the rules, and we want people who can hide in the rules to get away with it. We don't need the FBI searching you because they feel like it, finding evidence for an unpredicted crime, then charging you for it based on an illegal search. That leads to all kinds of vindictive political control, turning political opponents and other undesirables into targets to be ground away at by government overreach.

The biggest danger is the public realizing what just happened and crying out against a child porn hoarder getting off free, and then demanding the repeal of the fourth and fifth amendments immediately. The second biggest danger is the FBI succeeding with their bluff, either having no evidence to present ("we used a thing that got us information, but we won't show you that thing, so just trust us about the evidence chain") or being forced to present and being called on performing an illegal search (hacked your computer) and then *not* penalized for it ("this is all technically inadmissible, but we'll allow it anyway").

The neutral state is the FBI being forced to present and arguing (successfully and correctly) the defendant was *not* subject to an illegal search because the FBI had ample reason to believe the target site *was* doing illegal things and that its visitors were engaging in illegal activities (similar to a sting on a whore house). The outcome of being forced to present is the public can examine the code used to break Tor, then counteract it (technical arms race); Darby goes to jail; and the case sets no legal precedents weakening constitutional law.

Re:

[Type44Q]

Where is the evidence of the FBI "making up bullshit"?

It's recursive, AC; your post itself clearly constitutes such evidence. Bet you didn't know that was going to happen. ;)

Re:

[Anonymous Coward]

Who needs evidence anymore?

Indeed.

But how does our government get away with it? Because the People let it. Why do they let it? Because they have a steady diet of mindless cop porn where the cops are all honest hardworking and never take shortcuts or make mistakes; while the "bad guys" who get away do so because the saintly cops are shackled by these ridiculous Civil Rights that do nothing but keep really bad people from paying for their crimes.

Re:

[EndlessNameless]

You basically can't be an unescorted male in this country now without some soccer mommy accusing you of things simply because you exist.

I have no problems with this. No one I know has had problems with this.

Perhaps you need to review your dress, hygiene, and behavior.

Those same hypersensitive mommies believe there's a predator behind every tree even though instances of violent crime are way down.

Every generation has its bed-wetters.

actual criminals are being let off by jurors who can't comprehend why the cops can't produce a neat tidy stream of high tech evidence like they do in CSI

Prosecutors got convictions under the same "beyond a reasonable doubt" standard before high tech evidence existed. If they are having problems now, maybe it is not the jurors' tech fantasies that are to blame.

Re:

[jarablue]

There's plenty of evidence? I just can't wait for the day I am labeled a "child predator" because my neighbors heard me playing pornhub while my wife was on the rag. How many Traci Lords videos have I watched and who the fuck knows if one of them she was 17 in? So basically the fact that I have never remotely been interested in teenagers for sex, I am all of sudden the horrible child molestor the Feds and cunt of a prosecutor want me to be? Guess what? How many people have seen the Vanessa Hudgens leaked n

Re:

[jarablue]

In no way am I defending this guy. I am just sick of how the law can be twisted for one parties interest then another. I look at 2 leaked celebrity photos in 26 years of being online, I go to jail do not pass go. A cop who is having a relationship with a 17 year high school senior get's a career boost. Just sick of the bullshit.

Re:

[jarablue]

Cmon AC! Do you think a prosecutor gives a flying fuck what you looked at if she knows she can get a conviction on the charge? God forbid that I work for any inkling of a named institution! That is like a honeypot to them! No one is talking about a folder either. At least that would be something. The law is being bent further and further to benefit whoever needs whenever they need it. I don't want to talk shit, believe me but be honest with yourself. If they can crack the door open, they wield a nuke in c

Re:

[Type44Q]

Crickets chirping. Seriously; do we expect anything else from these fucking establishment shills?

Re:

[Type44Q]

...while my wife was on the rag

Seriously?? Just admit that you're into women, for fuck's sake.

Re:

[Type44Q]

ack, that should've read "Just admit that you're NOT into women"

Seriously, though... guess we've got at least one guy here who's not earned his "red wings." :p

The passkey is..

[evolutionary]

national security: you can use that reason to justify just about anything. there seems to be no limit, including ignoring/undermining the constitution in the name of national security. Of course B.J. Franklin said it best.

Gov. taking over!!!

[jraff2]

One can guarantee if anyone attempts to secure or harden TOR or any other onion product enough to ensue the TLAs can't gain access they will be visited by some "Men in Black" with some NSLs to hand out. Never to be seen again! The TOR site need to have a Warrant canary "https://en.wikipedia.org/wiki/Warrant_canary" specific to this situation, unless they already have been issued NSL or other mandates, then all bets are off, probably the latter! It's a shame the Gov. thinks it's the boss, the people are the

They claim security but they have none

[baxiehaven]

I know the US Government computers and websites have already been hacked but they think they are gods... Well for gods it was funny that in Ottawa, Ontario the US embassy tried to tap the local cell phone of all the visiting diplomats to Parliament hill but they were caught and the cell phone sniffers they used were blocks to not to interfere with the cell phone in the Elgin Hotel