*33C3 preroll music*

Herald: The talk is gonna be called “Law Enforcement Are Hacking the Planet” by Joseph Cox. Joseph is an investigative journalist for Vice’s Motherboard, covering hackers, data breaches and digital security. When I went to check him out and looked at his Twitter account I discovered I already follow him. Which is funny, or it was for me a little anecdote about the modern world. I recognized his avatar immediately but not his name. I guess that's just something about how we live these days. So then with no further ado, Joseph, I’d like to give it over to you.

*applause*

Joseph Cox: Hello, hello hello. How would you react if the FBI came over from the United States, came into Germany, went to an apartment in, say, Hamburg, kicked down the door and then started searching the apartment? They haven’t been invited by German law enforcement, they’re acting on their own accord. They then seize a load of evidence and go back to the States. You might think this isn’t a great thing, I mean what does the FBI have to do coming in to another country and then searching buildings or arresting suspects? But the searching is essentially what the FBI is doing, but digitally with malware and hacking tools.
Breaching into computers in other countries, extracting evidence from them and then sending it back to a government server in Virginia, or wherever it may be. To be clear, we’re not talking about a normal intelligence agency here like the NSA or GCHQ. They’re gonna hack computers internationally all the time as part of espionage, we expect that, maybe that’s a good thing. Here we’re talking about an agency that’s predominantly focused on law enforcement hacking into computers in other countries as part of criminal investigations.

I’m gonna talk about one FBI case in particular, briefly touch upon another one and then just explain an operation that was led by local Australian law enforcement which hacked computers in the United States. At the moment, typically, these sorts of investigations are done to counter child sexual exploitation or child abuse on the Darkweb.

Just about me, briefly: journalist for Motherboard as mentioned, which is the technology and science part of Vice. Hackers, cybercrime, the Darkweb drug trades or stuff like Silk Road, the usual stuff. But for the past year I’ve been really interested in law enforcement’s international use of malware. Which brings us to “Operation Pacifier”. The FBI is not very good at naming its child sexual exploitation investigations.
So in August 2014 a new Darkweb child abuse site was launched, called “Playpen”. It was a Tor hidden service, meaning that the majority of people who connect to it would do so over the Tor anonymity network, masking their real IP address. But because it ran as a hidden service the physical location of the server itself was also protected. Meaning that the FBI couldn’t just go and immediately subpoena the hosting company or seize the server, whatever it may be, because they didn’t know where it was. A few months passed and Playpen is a really, really big deal. It’s the largest child pornography site on the Darkweb. 215,000 members, 117,000 posts, and an average 11,000 unique people were visiting every week.

The FBI was trying to find a way in, they were acting in an undercover capacity on the site as law enforcement often do with these sorts of hidden services. But at one point a foreign law enforcement agency, and we don’t know which one, provided the real IP address of the Playpen server to the FBI. It turned out that Playpen’s administrator, who’s now been convicted, Steven Chase, he’d misconfigured his server so the real IP address was exposed on the normal internet. So in February 2015 the FBI go to the North Carolina data centre, they seize the server and they take control of Playpen.
Just as a side note: Steven Chase, the administrator, he had paid for the hosting via a PayPal account in his own name. So it was incredibly easy to convict him. If you’re gonna run an illegal Tor hidden service, don’t use PayPal!

And this is where the hacking comes in. Even though the FBI is in control of the site – they can see what people are doing, what videos they’re watching, as mentioned – they can’t see where these people are coming from and they can’t identify them. So they need another way, and what they decided to do is hack the computers of individual users. Very, very shortly after the FBI seized the server they started to run it from a government facility in Virginia. So the site is fully functioning, except one section that encourages people to produce more child porn. It’s still a fully functional website, though. They run that and the FBI deploys what it calls a “Network Investigative Technique”, an NIT or nit, or what we would probably just call “a piece of malware”. In short, and this is a really, really basic overview, the NIT just did several things. First somebody would log in to Playpen and then go visit a specific child porn related forum. The exploit is then automatically delivered to that computer.
This exploit certainly affected… and the underlying vulnerability certainly affected the Tor browser. We don’t know if it affected Mozilla Firefox. As many of you will know, Tor browsers are often based on Firefox, and they share much of the same code base. But we don’t actually know much about the vulnerability or the exploit at all. All that we know is that they used a non-publicly known vulnerability. And then when the exploit is delivered the rest of the code causes the target machine to phone home outside of the Tor network to a government server, and now the FBI has a real IP address. Armed with that the FBI just goes to the ISP, Comcast, Verizon, gets a name, subscriber details and address, kicks down a door, arrests the person – if there’s enough evidence – and presumably, and in many many of the cases if not all of them, find a lot of child porn on the suspect’s machine. But that’s not everything the FBI collected with the NIT, it also got the username, the host name, the MAC address. And it also generated a unique code per unique infection, I think, that you could then use to correlate activity on the site with an IP address.
And just remember, this whole time the FBI could see what people were doing on the site, so “user Jimmy went onto this section of the site and looked at this thread, now we have his IP address, we can link it to that”.

So the FBI deploys its malware, for 13 days it runs the site. Over that amount of time 100,000 users log into Playpen, which as you’ll notice is a lot more than 11,000, which was apparently the average login rate. For some reason the site became a lot more popular when the FBI was running it. You can hear whatever you want from that. (?) So in the U.S. the FBI gets around 1300 IP addresses of U.S. users of the site. Europol say they generated 3229 cases – I haven’t highlighted it, but it’s in the middle column at the bottom – and 34 of those were in Denmark. This is a presentation I just found online when I found out it was called “Pacifier”. I searched that, filetype:pdf, and someone from law enforcement had left this online, so that was convenient.
*laughter*

Austria, staying with this part of the world, I think this is a letter from an MP to a group of politicians just talking about the country’s child porn investigations and it mentions Operation Pacifier and 50 IP addresses, so the FBI hacked at least 50 computers in Austria. Latin America as well. Again, this is another presentation that I found online, law enforcement are really, really sloppy with just leaving all this stuff online, which is great. And you can just see Operation Pacifier there. As for Chile it was local media reports that just said ‘Pacifier’, ‘Playpen’, ‘child porn arrests’ so it was pretty easy to infer that computers were hacked there as well. Australia – this is part of a freedom of information request I made with the Australian Federal Police, asking for documents and communications about Operation Pacifier. This isn’t actually the result of the request, this is them saying “Hey, we have too much stuff on Operation Pacifier, so we can’t give it to you”, which obviously already gave me enough information to confirm that Pacifier hit Australia as well. Anyway, you get the idea. I’m not just gonna list all these countries. Apart from them, the U.K. and Turkey were probably hacked as well. But it turns out the FBI hacked computers in many, many more countries.
And this just came out end of last month, I think. In total the FBI hacked 8,700 computers in 120 countries. 8,700 in 120 countries with one warrant. And arguably that warrant was illegal. But we have to back up a little bit, just to see what that is.

Right, okay. So the U.S. has something called Rule 41, which dictates when a judge can authorize searches, including remote searches, so hacking. A judge can only authorize a search within his or her own district. So if the judge is in the Western District of Washington, he or she can only sign a warrant that’s gonna search stuff within that district. With a few exceptions. I think, terrorism, and if there’s a tracking device and then the person moves out of state it’s still okay. In the case of Playpen, Judge Theresa Buchanan was in the Eastern District of Virginia, as you can see at the top. Clearly, the vast majority of computers were not in the Eastern District of Virginia. The search warrant application, which is that document that the FBI presents to a judge, and say “Here’s our reasons, please sign our search warrant!”, it said that what was gonna be searched was computers logging into Playpen, wherever located. It’s pretty debatable how explicit that is.
I mean, the FBI did not write “Hey we’re gonna hack into computers no matter what state they’re in, what country they’re in, anything like that, and we’re gonna hack into them”. The word ‘hack’ is obviously never ever used in the search warrant application. So with that in mind it’s kind of unclear if Judge Theresa Buchanan would have actually understood that she was signing a global hacking warrant. And this isn’t castigating the judge, at all. It’s more that these warrant applications aren’t very explicit. And it’s still unclear because Judge Buchanan won’t respond to my requests for comment.

So whether Operation Pacifier violated Rule 41 has probably been the central component of all the legal cases that came out after the FBI started busting people. Defense lawyers have brought it up, saying “Hey, this judge did not have authority, you now need to throw out all the evidence against my client”. According to the most recent figures, and this might be very, very slightly out-of-date, 21 decisions have found the operation did violate Rule 41. Out of those, judges in four cases have thrown out all evidence obtained by the FBI’s malware. So that obviously includes the main bit of evidence, which is the IP address, but then also everything that came after that. I mean the only reason the FBI found child porn on people’s devices is because the IP address led them there.
So all of that child porn is also struck from the record as well. And those people are essentially free, barring DOJ appeals which are ongoing. Whether people based outside the United States will have a similar sort of defense is kind of unclear at the moment. The IP address could fall under something like the Third-Party Doctrine, as in: if there’s a German suspect, and they tried to challenge the legality of the search, the German police may say: “Hey, look, we didn’t do the hacking, we just got given this IP address by a third party”. And then the defense might not have much to stand on. But I do know of one lawyer in a country outside the U.S. who is going to challenge the legality of that hacking operation. I can’t really say where he is right now because I think that’s still sourcing out (?) but that’s gonna be really, really interesting when that happens, hopefully in the new year.

So forget everything I just told you about Rule 41 because it doesn’t matter any more. Earlier this month changes to Rule 41 came into place. Meaning that judges now can authorize searches outside of their district. So if the Playpen warrant was signed today it probably would not violate Rule 41, and the FBI wouldn’t have done anything wrong. Or the DOJ wouldn’t have done anything wrong.
And I just wanna emphasize that these changes to Rule 41 came about in part, specifically because of the problem that anonymity networks and Tor present to law enforcement. It’s not like Operation Pacifier was over here, FBI doing its thing, and the DOJ was sorting out these Rule 41 changes. The changes have come specifically in response to criminal investigations on the so-called “Darkweb”. And that’s just this Department quote here: “We believe technology should not create a law-less zone merely because a procedural rule has not kept up with the times”. Their argument is that Rule 41 is basically an antique, and they need to change the rules to keep up with criminals that are using stuff like Tor or VPNs.

So that was Pacifier. That’s the largest law enforcement hacking operation to date that we know about. Just very, very briefly I’m gonna talk about another FBI one where they likely hacked into computers abroad. This one is called “Torpedo”, which is even worse than Operation Pacifier when it comes to child porn names. In 2012 or 2013 the FBI take over Freedom Hosting, which is sort of a turnkey hosting provider. You sign up to the service that hosts your Darkweb site. It doesn’t matter if it’s legal or not, whatever. The FBI seizes it, they deploy an NIT again, a piece of malware. And this time the FBI trying (?)
identify users of 23 different child pornography sites. In the warrant application there’s a section specifically about a Hungarian language site. I mean even the FBI officer – I think it’s the FBI writing it – says: “Oh, if you put this into Google Translate it means this, it’s Hungarian, blablabla”. As I mentioned in the Playpen example the FBI did not know where the computers that they were going to hack were located. This is an interesting case because I’m going to guess that a lot of the users of a Hungarian language site are probably in Hungary. So the FBI might have had some idea that they were gonna hack computers there. Did the FBI warn Hungarian law enforcement? Did they get permission of the Hungarian authorities to hack computers in their country? We don’t know yet. And I somehow doubt it.

And then just finally it’s – excuse me – it’s not just the FBI that’s using hacking tools to target suspects overseas. A local Australian police department, Queensland Police, has a specialized task force for child sexual exploitation, Taskforce Argos. And they were the ones that led this operation. There wasn’t any sort of an official statement from Queensland Police saying: “Hey look, we unmasked all of these criminals in the U.S.”. It was only by piecing together pretty spread-out (?) U.S.
court documents that I could map the contours of this hacking operation that everyone kind of wants to keep quiet about. So in 2014 Taskforce Argos take over another Darkweb child porn site called ‘The Love Zone’. They run it – not for 13 days like the FBI but for 6 months – posing as the site’s administrator who they’d already arrested. According to one document – not this one – the Australians obtained at least 30 IP addresses of U.S. based users of the site. I don’t know about other countries yet, it’s only through these U.S. court documents that we’ve been able to figure this out. And the way they did it was pretty different to the FBI. What they would do is they would send a link to a suspect, for a video file. The suspect would click the link, they will get a warning, saying: “Warning, you’re opening a file on an external site, do you want to continue?” Something to that effect. If the person ignored the warning and clicked “Yes” a video of real child pornography played on the suspect’s machine, and then that video phoned home to an Australian server. I mean, you can debate whether this is hacking or not. I mean the FBI weren’t clearly delivering a Tor browser exploit with malware etc. Is this hacking? I would say so. If we think that phishing for government e-mails is hacking – sure. But that’s kind of the trivial debate, anyway.
The real debate is: was this a search in the legal sense of the word? Did the Australians obtain information from a private place, namely a private computer, in a private residence, and did they get a search warrant to do that? And again, we don’t know, because they won’t talk to me.

So clearly, that was all about child abuse and child pornography investigations. So far this sort of international hacking, as far as we know, as far as I know, has only been used for those sorts of investigations. But as for the future with Rule 41, the changes there, we could presumably see it go to other types of investigations, maybe Darkweb drug markets. Plenty of these markets have dedicated vendor-only sections that you can only log in to if you are a drug dealer on the site. I mean here, this isn’t from an NIT or a malware investigation. This is when Carnegie Mellon University attacked the Tor network, obtained IP addresses, and then gave those – well, was subpoenaed for those and gave them to the FBI. But the key part is that in this search warrant it’s saying: “Hey look, there’s probable cause because this suspect was logging in to the drug dealer-only section of Silk Road 2.0 so we have reason to raid his house”. I can easily see this sort of section being in a malware warrant or an NIT warrant, as well.
And then I suppose the other more obvious example – if that hasn’t happened already – is putting a piece of malware to hack suspects internationally on a Jihadi forum. Maybe in administrator or moderator sections, so you know you’re gonna be targeting high-ranking members of the forum. I mean I personally don’t know if that would be the FBI or another agency doing that. But that’s clearly somewhere where malware can be useful in an international context. But apart from predicting where this might go, I mean, clearly this is gonna continue, just a few weeks ago there was a Firefox zero-day out in the wild. Me and my colleague Lorenzo tracked it back to a specific child porn site on the Darkweb where that 0-day had been deployed. So this is an active thing. This is still going on.

And that’s it. But… just a last thing: if you have any documents, data, information, tips on FBI malware, law enforcement malware, who is using it, who is buying it, how they’re using it – these are my various contact channels. Thanks a lot!

*applause*

*ongoing applause*

Herald: Thank you, Joseph. Thank you. Any questions from the audience? Oh, we got one on [microphone] 4.

Question: Thanks for the talk. Really nice. Quick question, you’ve presented some pretty illegal things. On both sides.
On child pornography, and all of those things. And on the law enforcer’s side. Now my question is, did you intentionally mention those really illegal aspects like child pornography to justify the actions of the FBI in any way?

Joseph: You mean, did I specifically speak about child pornography to justify the FBI’s actions?

Question: Yes.

Joseph: No. This is just… I mean child pornography and child sexual exploitation is where law enforcement are using the really cool stuff. This is where they’re using their Tor Browser exploits. This is where they’re using their Firefox zero-days. And I’m just attracted to where the cops are doing interesting things. So, if it was on drug markets I’d cover that as well. But at the moment, at least to my knowledge, it’s just localized to the child pornography investigations. Presumably, because law enforcement feel like not many people are going to argue with them about maybe doing an illegal search for child porn, because everybody finds that crime abhorrent. But, no, that’s just how it is at the moment.

Question: Okay, let me rephrase that. Do you feel it’s justified for them to use exploits?

Joseph: Do I feel it’s justified for them to use exploits? I don’t think there’s anything intrinsically wrong with law enforcement hacking.
But even though child pornography is an absolutely disgusting crime and I can’t find, obviously, any way to justify it, I also want law enforcement to follow the law. And to respect the law as well.

*applause*

Question: Thank you.

*ongoing applause*

Herald: Any other questions? Anybody from IRC? The (?) on 5, go ahead.

Question: Well, I wanted to ask probably the same question, whether it’s dubious from the moral point of view? And you already answered it. You don’t see it as dubious as I understand, right? As the legislation can be questioned, and should be rearranged, there is not much ethical discussion whether this should be done or not. But while you were at the topic for a while: do you have any other proposals how to resolve this issue, maybe? Technically, from the technical point of view.

Joseph: Sure. So I mean, just before I answer that I just wanna make clear that I’m, like, a journalist, not an activist or a technologist. I don’t think it would be right for me to say this is how we should combat this. I’m just saying, hey, that’s what the FBI did. That sort of thing.
326 00:25:38,350 --> 00:25:45,269 But to answer the question, I think Mozilla and Tor have been working 327 00:25:45,269 --> 00:25:50,539 on a way to stop this sort of de-anonymization attack, that, 328 00:25:50,539 --> 00:25:55,799 when the FBI would hit a computer with their exploits and then the NIT code 329 00:25:55,799 --> 00:26:00,690 would deploy, that’s not enough. I really can’t remember the technical details 330 00:26:00,690 --> 00:26:04,970 off the top (?) in my head, but there is an article online that I wrote. 331 00:26:04,970 --> 00:26:08,279 But then they would have to break out of the sandbox as well. 332 00:26:08,279 --> 00:26:11,840 But more to answer your question generally: there are technological solutions 333 00:26:11,840 --> 00:26:16,800 that people are making here. And they could be live pretty soon. But then 334 00:26:16,800 --> 00:26:20,200 what is the FBI gonna do after that? They’re not gonna stop making malware. 335 00:26:20,200 --> 00:26:25,099 They’re gonna… they’ll deploy a NIT that will then rummage through your computer 336 00:26:25,099 --> 00:26:28,629 and find incriminating documents and then phone home. If they can’t get your real 337 00:26:28,629 --> 00:26:33,980 IP address they’re gonna get evidence somehow. 338 00:26:33,980 --> 00:26:36,010 Herald: No.1 was up next. 339 00:26:36,010 --> 00:26:40,779 Question: Hi Joseph. In your background research on law enforcement 340 00:26:40,779 --> 00:26:45,659 using technology like this to target child porn sites. So you profiled the FBI 341 00:26:45,659 --> 00:26:49,480 on how they may have (?)(?) around some of the letter of the law 342 00:26:49,480 --> 00:26:53,100 in order to get done the job they needed to get done.
Are the other law enforcement 343 00:26:53,100 --> 00:26:57,690 agencies you found that are kind of like a gold standard in their approach 344 00:26:57,690 --> 00:27:01,831 to solving this problem that abide by the rules, and maybe 345 00:27:01,831 --> 00:27:03,810 solve this problem in a different way? 346 00:27:03,810 --> 00:27:06,900 Joseph: When you say… so the question was, are there other law enforcement 347 00:27:06,900 --> 00:27:11,530 agencies who may be better or the same sort of standard (?) as the FBI this problem. 348 00:27:11,530 --> 00:27:15,129 When you say “this problem” you mean “combating child porn on the Darkweb”? 349 00:27:15,129 --> 00:27:17,890 Question: Yeah, clearly something needs to be done about these sites. And there’s 350 00:27:17,890 --> 00:27:23,500 a limited number of options available. So the FBI is kind of busted out (?) 351 00:27:23,500 --> 00:27:26,810 in trying every single piece of technology they can to solve it. But are there others 352 00:27:26,810 --> 00:27:31,900 that maybe take a more restrained approach but still solve the problem? 353 00:27:31,900 --> 00:27:37,710 Joseph: When it specifically comes to malware I haven’t seen much 354 00:27:37,710 --> 00:27:44,450 in the wild or publicly but in the U.K. GCHQ, the country’s 355 00:27:44,450 --> 00:27:51,259 signals intelligence agency has said, or a report said, it is using 356 00:27:51,259 --> 00:27:57,039 bulk interception, so GCHQ’s mass surveillance capabilities, to do 357 00:27:57,039 --> 00:28:00,580 traffic correlation attacks, and they can then unmask Darkweb users 358 00:28:00,580 --> 00:28:05,639 and hidden service IP addresses. That’s not malware but that is 359 00:28:05,639 --> 00:28:11,450 an extreme use of technological capability, I guess. 360 00:28:11,450 --> 00:28:17,029 And yeah, we could definitely see more of that.
I think in the report 361 00:28:17,029 --> 00:28:21,130 the Home Office said the GCHQ had got something like 50 individuals 362 00:28:21,130 --> 00:28:26,379 in the past 18 months through bulk traffic analysis. That’s not malware, 363 00:28:26,379 --> 00:28:28,450 but yeah, that’s where stuff could go, definitely. 364 00:28:28,450 --> 00:28:30,450 Question: Cool. Thanks. 365 00:28:30,450 --> 00:28:33,680 Herald: I give you one last question, it will be number 4, over here. 366 00:28:33,680 --> 00:28:38,580 Question: Hi, I was wondering, because you mentioned bulk analysis which I considered 367 00:28:38,580 --> 00:28:44,320 to be significantly worse than targeted analysis, in the way that it violates 368 00:28:44,320 --> 00:28:47,940 everybody’s liberties rather than specific individuals who are definitely engaging 369 00:28:47,940 --> 00:28:52,779 in criminal activity. 370 00:28:52,779 --> 00:28:57,419 So why is it you feel that there’s some kind of violation, 371 00:28:57,419 --> 00:29:02,169 like these people they need to find these criminals, and the jurisdiction 372 00:29:02,169 --> 00:29:05,509 needs to be significantly wider, and I understand that it’s terrible 373 00:29:05,509 --> 00:29:09,280 that they’re hacking us. But at the same time they need to be caught. So how 374 00:29:09,280 --> 00:29:16,789 can they make legislation that’s able to find these people legally 375 00:29:16,789 --> 00:29:20,520 when it’s outside of their jurisdiction, and they might be targeting people, 376 00:29:20,520 --> 00:29:24,759 if they’re doing a dragnet on a website, like your example. And they’re gonna be 377 00:29:24,759 --> 00:29:27,380 hacking people that are not in their country. They can’t limit it to the people 378 00:29:27,380 --> 00:29:32,290 that are in that country. And only hack those people. It’s technically impossible. 379 00:29:32,290 --> 00:29:36,870 So what’s the solution for this?
380 00:29:36,870 --> 00:29:41,490 Joseph: I mean, some senators in the US did propose a Stop Mass Hacking Act 381 00:29:41,490 --> 00:29:46,500 which would have blocked the Rule 41 changes. It was unsuccessful, and 382 00:29:46,500 --> 00:29:50,129 in part – this is just my personal opinion – I think it’s because they 383 00:29:50,129 --> 00:29:55,470 didn’t present a viable alternative. I mean, as you say, these people 384 00:29:55,470 --> 00:30:01,140 need to be caught, I mean, that sort of thing, but when these senators said: 385 00:30:01,140 --> 00:30:05,340 “Yeah, we need to stop all this global hacking” there was no alternative presented, 386 00:30:05,340 --> 00:30:10,889 so we don’t know, basically. As for legislative changes 387 00:30:10,889 --> 00:30:16,409 I think it’s more… it’s less the “Hey, here’s a concrete law or rule 388 00:30:16,409 --> 00:30:21,280 that we need to fix right now”, it’s more like there’s a looming issue of 389 00:30:21,280 --> 00:30:26,539 “What happens when the FBI hacks a child pornographer in Russia, or one who happens 390 00:30:26,539 --> 00:30:30,409 to be a politician in another country?” Are they still gonna go, and then go 391 00:30:30,409 --> 00:30:34,059 to local law enforcement, “Hey, we got this IP address of one of your senior 392 00:30:34,059 --> 00:30:37,990 politicians who happens to be looking at child porn”. I mean what are the ramifications 393 00:30:37,990 --> 00:30:42,029 of that gonna be? But to answer your question: we don’t really know. 394 00:30:42,029 --> 00:30:46,570 It’s more of just this looming issue that law enforcement are firing malware 395 00:30:46,570 --> 00:30:51,990 and asking questions later. 396 00:30:51,990 --> 00:30:54,609 Herald: Thank you so much. If you got a round of applause for Joseph Cox! 397 00:30:54,609 --> 00:30:58,999 *applause* 398 00:30:58,999 --> 00:31:02,359 *postroll music* 399 00:31:02,359 --> 00:31:22,879 *Subtitles created by c3subtitles.de in the year 2017.
Join, and help us!*