FBI Agent Testifies That The Agency's Tor-Exploiting Malware Isn't Actually Malware

from the just-a-tool-that-does-things-to-people's-computer-w/o-their-knowledge-or-per dept

Mon, May 23rd 2016 11:39am — Tim Cushing

It wasn't supposed to go this way. The same tactics that are causing the FBI problems now -- running a child porn website, using local warrants to deploy its spyware to thousands of computers around the US (and the world!) -- slipped by almost unnoticed in 2012. In a post-Snowden 2016, the FBI can hardly catch a break.

Just recently, a judge presiding over one of its child porn cases agreed the FBI should not be forced to hand over details on its Network Investigative Technique to the defendant. Simultaneously, the judge noted the defendant had several good reasons to have access to this information. While this conundrum spares the FBI the indignity of the indefinite confinement it's perfectly willing to see applied to others, it doesn't exactly salvage this case, which could be on the verge of dismissal.

In related cases, judges have declared the warrant used to deploy the NIT is invalid, thanks to Rule 41's jurisdictional limits. If a warrant is issued in Virginia (as this one was), the search is supposed to be performed in Virginia, not in Kansas or Oklahoma or Massachusetts.

While the larger issue of whether the evidence can be used against Jay Michaud continues to be discussed, the FBI is spending its time officially expressing its displeasure with its NIT being referred to disparagingly as "malware."

In a testimony earlier this week in the case of US vs. Jay Michaud, FBI special agent Daniel Alfin argued that the hacking tool used to identify Michaud and thousands of other Playpen users—which the FBI euphemistically calls a “Network Investigative Technique” or “NIT”—isn't malware because it was authorized by a court and didn't damage the security of Michaud's computer.

According to the FBI agent, this software isn't malware because it doesn't do any permanent damage.

I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was. Additionally, it did not “infect” my computer or leave any residual malware on my computer.

In a very limited sense, Agent Alfin is correct. The tool left no residual damage, nor did it alter settings on the end users' computers. However, it did do something most computer users would consider malicious: it stripped them of their anonymity. The people visiting this site used Tor to obscure their identifying info. They did this on purpose, most likely because they were seeking illegal content. But the fact that the tool removes protections users consciously deployed makes it malicious.

Child porn enthusiasts and other criminals aren't the only people who take active steps to obscure their connection points. Journalists do it. Activists do it. Citizens of oppressive government do it. The FBI doesn't restrict itself to only deploying its surveillance tools against the worst of the worst. It has a long, troubling history of deploying its surveillance tools against people engaged in activities protected by the First Amendment. Anything that undoes something the recipient has proactively done is by definition unwanted, if not simply malicious.

As regular Techdirt commenter That Anonymous Coward pointed out on Twitter, the FBI sure as hell would find this tool "malicious" if it were directed at its computers and devices by someone outside of the agency. This would definitely fit under the CFAA's broad definition of "unauthorized access." Deploying this NIT via a compromised FBI server would make it a lot easier to locate agents working in the field. I don't think the FBI would be OK with this despite there being no "residual malware" left behind after field devices had been identified and located.

FBI-SA-ALFIN-DEC (PDF)FBI-SA-ALFIN-DEC (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, fbi, hacking, malware, nit, trojan

26 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 23 May 2016 @ 11:51am

New hacking safe harbor: no permanent damage
"According to the FBI agent, this software isn't malware because it doesn't do any permanent damage."
[ link to this | view in chronology ]
- Anonymous Coward, 25 May 2016 @ 2:41pm
  
  Re: New hacking safe harbor: no permanent damage
  I was thinking precisely this. If this definition is allowed to stand then there's a whole load of improperly adjudicated defendants that have been found guilty of some form of hacking.
  [ link to this | view in chronology ]
Anonymous Coward, 23 May 2016 @ 11:55am

I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was.
The agent's declaration asserts that he has been through various FBI training classes and has been assigned to look for malware in past cases. That is better than assigning an agent from a non-computer specialty, but the declaration completely fails to mention the rather substantial class of malware known as rootkits. Additionally, most quality rootkits will make at least some effort to conceal themselves from an informed observer who is actively trying to detect the rootkit. Given the number of ways that a computer can be subtly compromised, I have difficulty accepting the assurance that the computer was no more vulnerable afterward than it was before. Given the lack of mention of rootkits, I have difficulty believing that his assertion that he found nothing is equivalent to stating that there is definitely nothing present.
[ link to this | view in chronology ]
- Anonymous Coward, 23 May 2016 @ 12:25pm
  
  Re:
  The agent's declaration asserts that he has been through various FBI training classes and has been assigned to look for malware in past cases. That is better than assigning an agent from a non-computer specialty, but the declaration completely fails to mention the rather substantial class of malware known as rootkits.
  
  Agreed. Taking various first aid classes does not make one a brain surgeon. Nor does taking "various FBI training classes" make one a forensic computer scientist.
  [ link to this | view in chronology ]
- Anonymous Coward, 24 May 2016 @ 7:44am
  
  Re:
  Rather than Google it, I think it'd be more fun for me to ask a question here, where the tech is thick and the engineers roam free:
  
  What constitutes a 'University Degree in Information Technology'?
  
  It isn't CS, it's not Information Science, don't think it could be EE, really doubt it's Mathematics. Is this perhaps like the 'DB Administration' stuff offered by various Schools of Business?
  
  Maybe I've been out of school too long, but something sounds odd about his, uh, [Somekindofa] degree in IT.
  Anyone else think it sounds odd?
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 May 2016 @ 4:35pm
    
    Re: Re:
    What constitutes a 'University Degree in Information Technology'?
    
    "Technology" programs are for training technologists and as such are not usually as long or rigorous as related professional programs. For example, Medical Technologists do not receive the same education as Medical Doctors. The professional programs related to Information Technology have traditionally been Electrical Engineering and Computer Science.
    [ link to this | view in chronology ]
Mason Wheeler (profile), 23 May 2016 @ 11:57am

I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was. Additionally, it did not “infect” my computer or leave any residual malware on my computer.

Sorry, Agent Alfin, but that's not what malware means. Malware is software that takes control of a computer away from the owner/user and causes the computer to act against their interests.
[ link to this | view in chronology ]
Anonymous Coward, 23 May 2016 @ 12:11pm

and perjury isn't illegal when a government official does it.

Just ask Eric holder
[ link to this | view in chronology ]
- DannyB (profile), 23 May 2016 @ 12:18pm
  
  Re:
  Judge Orders "Intentionally Deceptive" DOJ Lawyers To Take Remedial Ethics Classes
  
  http://www.washingtontimes.com/news/2016/may/19/judge-orders-doj-lawyers-remedial-ethics-clas ses/?page=all
  
  http://www.zerohedge.com/news/2016-05-20/texas-judge-orders-intentionally-deceptive-doj -lawyers-take-remedial-ethics-classes
  
  http://dailycaller.com/2016/05/19/judge-in-obamas-amnesty-case- orders-every-lawyer-involved-to-take-ethics-class/
  
  Judge Hanen’s order reads, in part:
  Therefore, this Court, in an effort to ensure that all Justice Department attorneys who appear in the courts of the Plaintiff States that have been harmed by this misconduct are aware of and comply with their ethical duties, hereby orders that any attorney employed at the Justice Department in Washington, D.C. who appears, or seeks to appear, in a court (state or federal) in any of the 26 Plaintiff States annually attend a legal ethics course. It shall be taught by at least one recognized ethics expert who is unaffiliated with the Justice Department. At a minimum, this course (or courses) shall total at least three hours of ethics training per year. The subject matter shall include a discussion of the ethical codes of conduct (which will include candor to the court and truthfulness to third parties) applicable in that jurisdiction.”
  
  In a footnote, Judge Hanen noted this was not the first time the DoJ has faced such an issue:
  
  Just recently, the Sixth Circuit expressed a similar conclusion. It wrote:
  
  In closing, we echo the district court’s observations about this case. The lawyers in the Department of Justice have a long and storied tradition of defending the nation’s interests and enforcing its laws—all of them, not just selective ones—in a manner worthy of the Department’s name. The conduct of the IRS’s attorneys in the district court [like the attorneys representing the DHS in this Court] falls outside that tradition. We expect that the IRS will do better going forward. And we order that the IRS comply with the district court’s discovery orders of April 1 and June 16, 2015—without redactions, and without further delay.
  
  Concluding the order, Judge Hanen wrote, “This Court would be remiss if it left such unseemly and unprofessional conduct unaddressed.”
  [ link to this | view in chronology ]
DannyB (profile), 23 May 2016 @ 12:14pm

According to the FBI agent, this software isn't malware because it doesn't do any permanent damage.
Similarly, enhanced interrogation isn't torture because it doesn't do any permanent damage.

Nice way to divert from the fact that there was harm, rather than on how long the harm lasts. While the harm may or may not be permanent, which can be debated, the fact is that harm WAS DONE. The computer has malware, a rootkit, of some sort installed on it.

Does the FBI do anything to remove this malware?

What makes the FBI so sure that without any updates, their brand of malware will not actually make the computer more vulnerable to other hacking efforts? They seem awfully confident of this.
[ link to this | view in chronology ]
Anonymous Coward, 23 May 2016 @ 12:20pm

This is just bullshit. People consider PUPs to be malware. FBI software is definitely a PUP, or in really just an UP.

Catching pedophiles might be a worthy cause, but you should be honest about the means you use to catch them or else due process goes out the window and the innocent accused will get railroaded in order to get a conviction to boost a career.
[ link to this | view in chronology ]
- Wendy Cockcroft, 24 May 2016 @ 6:02am
  
  Re:
  Indeed, and to hide behind the utter vileness of the alleged offence is the deepest depth of sleaze, in my opinion. Due process for all!
  [ link to this | view in chronology ]
  - We will send you some child porn and remove from s, 5 Aug 2019 @ 5:03pm
    
    Re: Re: @Wendy Cockcroft
    Yeah, bad guy to the prison. But who know that you are ok? If FBI wan't now to remove somebody, then this software will do it for them. Even people don't realize that "pedophile" is new weapon to remove some good people. In this 135 there will be 20 journalist that are good for people - not for government. Do you ok with that? Are you serious?
    [ link to this | view in chronology ]
I.T. Guy, 23 May 2016 @ 12:21pm

Technically speaking he is right... It's spyware.
[ link to this | view in chronology ]
- John Fenderson (profile), 23 May 2016 @ 7:26pm
  
  Re:
  No, he's not. Spyware is a subspecies of malware.
  [ link to this | view in chronology ]
Anonymous Coward, 23 May 2016 @ 12:48pm

than it already was

than it already was

four key words.

six key words: it's ok if we do it.
[ link to this | view in chronology ]
That One Guy (profile), 23 May 2016 @ 12:59pm

"Sure we'd absolutely consider it malware if someone else used it, and assuming they didn't have the protection of important friends or a bank account that would allow a sufficient defense you can be sure that we'd come down hard on anyone doing something like this, but when we do it I can assure you that it's not malware."
[ link to this | view in chronology ]
Anonymous Coward, 23 May 2016 @ 3:11pm

I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was.

Given the government is well known to redefine the meanings of words, with the intent to deceive, I have problems with this response.

The agent says he observed no changes on his computer. He does not state that for other computers that may have received that NIT. As such it is a very limited snapshot that could easily be another intent to deceive.
[ link to this | view in chronology ]
Skeeter, 23 May 2016 @ 3:30pm

True Litmus Test
In the most realistic of tests, the absolute golden benchmark that ALL COURTS should use on such invasive techniques, is to throw this back on the surveillance agency and ask them 'if your target-perpetrator had silently did this to your computers, and then attempted to use their unwarranted information gathering against you', would you find this illegal? If the answer they replied was 'YES', then this should demand that a conventional warrant be signed and issued by a judge. PLAIN AND SIMPLE!

The problem with Federal Laws and related Enforcement, seems to now consistently be associated with the fact that they think they get to play by rules and laws as they deem fit, not as is actually written FOR ALL. Isn't it about time that the courts stopped, thought about this for a second, and used actual fairness and common sense to shut this circus down for good?
[ link to this | view in chronology ]
jim, 23 May 2016 @ 4:46pm

right?
The judge forgot one important part to go with this. If they could load the program on the private computer, it invalidates the person's control. What else was loaded, or indexed on the private computer? Is this now a set-up? Judge should have slapped the agent for lying to the court.
[ link to this | view in chronology ]
John Fenderson (profile), 23 May 2016 @ 7:25pm

Color me surprised
How surprised am I that the FBI has no idea what "malware" is?

Not at all.
[ link to this | view in chronology ]
- That One Guy (profile), 23 May 2016 @ 11:15pm
  
  Re: Color me surprised
  (Fairly sure your comment was meant to be taken as implied sarcasm, but just in case...)
  
  I'd say it's more likely that they know full well what counts as malware and are just lying about it in an attempt to bolster their case. As Skeeter pointed out above, if someone had done the same thing they did but to them you can be sure that they'd be screaming about malware loud enough to be heard for miles.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 24 May 2016 @ 6:36am
    
    Re: Re: Color me surprised
    Yes, I'm absolutely sure that they're straight-up lying. My point was really aimed at people who assume that the feds are honest and virtuous. If you assume that they are, then their statement means that they're dangerously incompetent.
    [ link to this | view in chronology ]
    - That One Guy (profile), 24 May 2016 @ 4:06pm
      
      Re: Re: Re: Color me surprised
      Dishonest enough to lie to a judge, or incompetent enough not to know what malware is... yeah, they don't come out looking good no matter which is true.
      [ link to this | view in chronology ]
Seegras (profile), 23 May 2016 @ 10:18pm

FBI logic
By the FBI's logic, disk-encrypting ransomware isn't malware, because if you pay, no lasting damage is done.
[ link to this | view in chronology ]
Monday (profile), 24 May 2016 @ 9:14am

Y'all know the drill...
NEED TO KNOW ONLY.
I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was. Additionally, it did not “infect” my computer or leave any residual malware on my computer.

It was OFF!
[ link to this | view in chronology ]