Agent's Testimony Shows FBI Not All That Interested In Ensuring The Integrity Of Its Forensic Evidence
from the bad-things-are-good-if-done-for-the-'right'-reasons dept
Security researcher Jonathan Zdziarski has been picking apart the FBI's oral testimony on the NIT (Network Investigative Technique, the agency's term for its hacking tool) it deployed in the Matish/Playpen case. The judge presiding over that case denied Matish's suppression request for a number of reasons, including the fact that Matish's residence in Virginia meant the warrant, issued by a magistrate in the same state, didn't violate Rule 41's jurisdictional limits. Judge Morgan Jr. then went off script and suggested the FBI didn't even need a warrant to deploy a hacking tool that exposed end user computer information, because computers get hacked all the time.
He equated this to police peering through broken blinds and seeing something illegal inside a house, failing to recognize that, under his own analogy, the FBI let itself into the house first to break the blinds, then peered in from outside and claimed "plain sight."
The transcript of that testimony [PDF], given by FBI Special Agent Daniel Alfin, has now been submitted in yet another case tied to the seizure of the same child porn website, this one also in Virginia and with a presiding judge who has likewise denied the defendant's motion to suppress. The DOJ added the transcript as an exhibit, presumably to help thwart the defendant's motion to compel the FBI to turn over the NIT's source code.
Agent Alfin makes many assertions in support of the FBI's claim that its hacking tool, which defeats the anonymity measures the end user put in place (Tor) by sending identifying details such as the machine's IP and MAC address to a government server, is not malware. Many of them verge on laughable. Or would be laughable, if Alfin weren't in the position of collecting and submitting forensic evidence.
There's so much wrong in here, it's probably best to just start at the top.
1. A MAC address is a unique identifier that can never be altered.
THE WITNESS: Yes, Your Honor. MAC is an acronym that stands for media address control.
THE COURT: Is that different than IP address?
THE WITNESS: Yes, Your Honor. A MAC address is unique and does not change. So you can look at the MAC address in the matter at hand from Mr. Matish's computer, and that MAC address is always the same. It is the one that was identified by the government. It was also the one that was seized by the government. A MAC address is hard-wired or burned into the card.
[Compared with this, from the same agent, roughly 30 pages later…]
Q. Are any of those items -- I believe you testified to the MAC address. Can that be changed?
A. It can be --
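The agent's two answers above contradict each other, and the second one is the accurate one: MAC (media access control, not "media address control") addresses are set by the driver and can be overridden by software. IEEE 802 reserves a bit for exactly that: the second-lowest bit of the first octet is the "universally/locally administered" (U/L) flag, and an operating system that randomizes or overrides an address sets it. Here is an added example, my own and not code from the Techdirt post, the testimony or the NIT, that checks that bit on an observed address and builds a randomized address the way OS randomization does. The sample addresses are constructed for illustration.

```python
# Added example (mine, not from the Techdirt post or the testimony): a check
# for the IEEE 802 "locally administered" bit that an OS sets when it
# randomizes or overrides a MAC address, plus a generator that builds such an
# address the way MAC randomization does. The sample addresses are constructed.
import os
import re
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return 6 bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet is the U/L bit. Set means the address was
    assigned by software or an administrator, not burned in under a vendor OUI."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0x01 of the first octet is the I/G bit; a host's own address has it clear."""
    return bool(parse_mac(mac)[0] & 0x01)


def classify(mac: str) -> str:
    """Label an observed address for an analyst's notes."""
    if is_multicast(mac):
        return "multicast"
    if is_locally_administered(mac):
        return "locally administered (randomized or software-set)"
    return "universally administered (vendor OUI, burned in)"


def random_local_mac(rand: Optional[bytes] = None) -> str:
    """Build a randomized unicast MAC the way OS randomization does: set the
    U/L bit, clear the I/G bit, randomize the other 46 bits. `rand` lets a
    caller supply the six random bytes (for tests); default is os.urandom."""
    raw = bytearray(rand if rand is not None else os.urandom(6))
    if len(raw) != 6:
        raise ValueError("need exactly 6 bytes")
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    for sample in ("00:1a:2b:3c:4d:5e", "02:1a:2b:3c:4d:5e",
                   "01:00:5e:00:00:fb", random_local_mac()):
        print(f"{sample}  ->  {classify(sample)}")
```

The caveat a practitioner would add: this flag only catches addresses that advertise themselves as software-assigned. Someone who deliberately copies a real vendor's address (on Linux, `ip link set dev eth0 address 00:1a:2b:3c:4d:5e`; on Windows, the adapter driver's network address property) keeps the bit clear and looks "burned in" to any collector, so a MAC reported by a NIT identifies a machine only as well as the machine chose to be identified.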
2. The FBI didn't need to encrypt the data collected by the NIT because, hey, Tor is secure and can't be compromised.
Q: In one of the declarations that was submitted on behalf of Mr. Matish by Dr. Soghoian, it is alleged that because the NIT sent data over the regular Internet and not encrypted that the authenticity of the data could not be verified.
A: This is incorrect. It also fails to acknowledge that the NIT was, in fact, sent to Mr. Matish's computer over the Tor network, which is encrypted.
3. Encryption would ruin the integrity of the collected evidence.
Q. Would encryption of the data as it was transmitted from the computer to the government -- what effect, if any, would that have had on the utility of the data going forward?
A. It would have not completely made the network data useless, but it would have hurt it from an evidentiary standpoint. Because the FBI collected the data in a clear text, unencrypted format, it shows the communication directly from Mr. Matish's computer to the government. It can be read; it can be analyzed. It was collected and provided to defense today, and they can review exactly what the FBI collected.
Had it been encrypted, it would not have been of the same value, because the encrypted data stream itself could not be read. In order to read that encrypted data stream, it would have to first be decrypted by the government, which would fundamentally alter the data. It would still be valid, it still would have been accurate data; however, it would not have been as forensically sound as being able to turn over exactly what the government collected.
4. The FBI's malware is not malware because "mal" means "bad" and "FBI" means "good."
Q. And, finally, would you describe the NIT as malware?
A. No. The declaration of Dr. Soghoian disputes my point from my declaration that I do not believe the NIT should be considered malware, but he fails to address the important word that makes up malware, which is "malicious."
"Malicious" in criminal proceedings and in the legal world has very direct implications, and a reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious. And for that reason I do not believe that the NIT utilized in this case pursuant to a court order should be considered to be malware.
5. The defense has all the data it needs to examine the FBI's NIT.
Q. Okay. And you're aware that the first time that the government agreed to produce that particular data was in its response to this motion to compel?
A. I assume that's the case. I don't know exactly what date it was provided on, but I know it was turned over.
Q. And then you talked about a data stream being made available, right?
A. Yes.
Q: And you're aware that the first time that the government agreed to produce that data was in its surreply to the motion to compel.
A. I don't recall the first time that that data was made available, but I know it has been made available and has been turned over.
Q. As of --
A. As of today.
Q. -- 20 minutes ago, correct?
A. Yes. To the best of my knowledge, it was not turned over prior to that.
6. The NIT is like a set of burglar's tools...
Q. You say the exploit would shed no light on what the government did. The government deployed this exploit, correct?
A. The government used the exploit to deploy the NIT.
Q. And I believe you used the analogy that this exploit is like a way of picking a lock, right?
7. ... except that sounds really bad and not something the "good" FBI should be doing. So, now it's an open window.
A. Yes. A more accurate analogy may be going in through an open window. As I've stated in my declaration, there was a vulnerability on Mr. Matish's computer. The FBI did not create that vulnerability. That vulnerability can be thought of as an open window. So we went in through that open window, the NIT collected evidence, and then left. We made no change to the window.
There's plenty more to read through, and Zdziarski's Twitter stream contains several highlights and some incisive analysis. Matish's lawyer also makes a very good point about the problem with using data that was transmitted unencrypted and unauthenticated, and therefore open to alteration in transit, as forensic evidence.
To prevent tampering with the evidence. I mean, this is analogous to -- I mean, there's a crime scene. Certain evidence is collected, and rather than bagging and labeling it and following established techniques for how evidence is to be collected and transferred back to, you know, the server, which is like an evidence locker, they just threw everything in the back seat of the cruiser and drove back. Oh, and, by the way, they won't tell us whether on the way back they also picked up someone else who rode in the back of the cruiser.
Or as Zdziarski puts it:
FBI’s argument against encryption being forensically sound is like arguing that evidence becomes invalid if you put it into a sealed box.
— Jonathan Zdziarski (@JZdziarski) July 12, 2016
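Points 2 and 3 above, and Zdziarski's "sealed box" comparison, come down to one technical confusion: integrity comes from authentication, not from leaving bytes readable. The example below is mine, added here, and is not code from the Techdirt post, the testimony or the FBI's NIT. It contrasts what the agent describes (a cleartext report sent over the open Internet and hashed on arrival) with an encrypt-then-MAC record. The cipher is a toy SHA-256 counter keystream so that the script runs with only the standard library (a real deployment would use AES-GCM or ChaCha20-Poly1305); the report bytes, the documentation-range IP, the MAC and the keys are all constructed.

```python
# Added example, not from the Techdirt post, the testimony or the FBI's NIT.
# Contrasts a cleartext report hashed on arrival with a sealed record
# (encrypted, then authenticated with HMAC-SHA256). The cipher is a toy CTR
# keystream built from SHA-256 so only the standard library is needed; use
# AES-GCM or ChaCha20-Poly1305 in real code. REPORT and its values are made up.
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

REPORT = b"hostname=workstation ip=198.51.100.7 mac=00:1a:2b:3c:4d:5e\n"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR mode: SHA-256(key || nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, report: bytes,
         nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32)."""
    nonce = nonce if nonce is not None else os.urandom(16)
    ciphertext = _xor(report, _keystream(enc_key, nonce, len(report)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, decrypt only afterwards. Raises on any change."""
    if len(blob) < 16 + 32:
        raise ValueError("truncated record")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record altered in transit")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def tamper(data: bytes, offset: int, replacement: bytes) -> bytes:
    """Simulate an on-path party rewriting bytes while they are in flight."""
    return data[:offset] + replacement + data[offset + len(replacement):]


def cleartext_receiver(received: bytes) -> str:
    """What the testimony describes: store the bytes, hash them. With no key
    and no tag there is nothing to verify, so the hash attests only to what
    arrived, not to what the client sent."""
    return hashlib.sha256(received).hexdigest()


def sealed_receiver(enc_key: bytes, mac_key: bytes,
                    blob: bytes) -> Tuple[bool, Optional[bytes]]:
    """Returns (accepted, plaintext or None)."""
    try:
        return True, open_sealed(enc_key, mac_key, blob)
    except ValueError:
        return False, None


def demo() -> dict:
    """Run the three scenarios; returns booleans so the outcome is checkable."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)

    # 1. Cleartext: an on-path party rewrites the reported IP. The receiver's
    #    hash certifies the forgery, and it differs from a hash of the original.
    forged = tamper(REPORT, REPORT.index(b"198.51.100.7"), b"198.51.100.9")
    stored_hash = cleartext_receiver(forged)
    hash_is_of_forgery = (stored_hash == hashlib.sha256(forged).hexdigest()
                          and stored_hash != hashlib.sha256(REPORT).hexdigest())

    # 2. Sealed: flipping a single ciphertext bit fails the tag check.
    blob = seal(enc_key, mac_key, REPORT)
    forged_blob = tamper(blob, 20, bytes([blob[20] ^ 0x01]))
    sealed_forgery_accepted, _ = sealed_receiver(enc_key, mac_key, forged_blob)

    # 3. Opening the untouched sealed record returns byte-identical evidence:
    #    decrypting changes nothing about what the client produced.
    accepted, plaintext = sealed_receiver(enc_key, mac_key, blob)
    unsealed_matches = bool(accepted and plaintext == REPORT)

    return {
        "cleartext_hash_is_of_forgery": hash_is_of_forgery,
        "sealed_forgery_accepted": sealed_forgery_accepted,
        "unsealed_matches_original": unsealed_matches,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The evidence-handling consequence: what gets preserved and handed to the defense is the captured blob exactly as received, its hash taken at capture time, and the keys. Anyone can recompute the tag and repeat the decryption, which is deterministic and leaves the stored record untouched, so nothing is "fundamentally altered" by reading it. Note also that Tor's encryption in point 2 covered only the delivery of the NIT into the machine; by the agent's own account in point 3, the data coming back out travelled in clear text over the regular Internet, which is the hop the example's first scenario models.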
Matish's lawyer also points out that the FBI's refusal to let the defense examine the NIT is not at all aligned with normal evidentiary practices.
We've set out through our expert declarations exactly why this information is critical, and the government is saying, no, we've looked at it, we've analyzed it; our experts say you wouldn't be able to make a meaningful trial defense based on this information. But in some ways, Your Honor, that's the same as saying, we're not telling you who our confidential informant is. You don't need to talk to him, because we're telling you he's believable and everything he's saying is true. You don't need to look at the DNA tests from the lab, because we're telling you it's a match, and we're telling you the tests were fine.
Despite this, the court denied the motion to suppress, and Matish will have to contend with the evidence collected against him. According to this testimony, it isn't much: some images found in unallocated space, suggesting they had been deleted. That may still be enough to secure a conviction.
But the testimony gives us greater insight into the FBI's handling of forensic evidence and its perception of the exploits at its disposal. And what's on display here is far from encouraging.
Reader Comments
Stunning
Is he incompetent, or is he lying?
"Both" is a possible answer, but "neither" is not.
Re: Stunning
People erroneously think that the government has no reason to lie, but the people that work in law enforcement have their own egos, motivations, and reasons to lie to put people behind bars. A person's innocence means fucking shit to them!
As long as they get their pound of flesh they are happy, it matters not if it comes off a hardened criminal (bonus) or an innocent child.
Re: Stunning
In an equal justice for all system it would make a difference, but here the citizen always loses, even when the law should be on their side.
Re: Stunning
But the real reason is they are strongly biased, coupled with the mind-set that they are the good guys and can do no wrong. I would compare them with a criminally insane person who sees no error in his doing and rationalises everything he did as good and correct. He is simply asking himself why nobody can see it correctly; they must all be crazy.
Re: Re: Stunning
Except I don't know if I'd use the word "little".
Like an open window
"Oh, look, the window's open now!"
Re: Re: Like an open window
A window left unlocked is an error or a choice, not a vulnerability. No exploit required. This is the same as leaving a password on a sticky note. You still have access, but you did not use an exploit.
A window that is locked, but there is a way to unlock it from the outside has a vulnerability. A piece of metal fashioned to fit that vulnerability is an exploit.
The FBI didn't go through an open window. They used a tool (exploit) to gain access to the computer by means of a vulnerability. "Burglar tools" may not sound so good because they are the 'Good Guys', but they still used custom tools to gain surreptitious access to a computer that the user reasonably believed to be private and secured against unauthorized use.
Re: Re: Re: Like an open window
Now, since the FBI has proven that his computer had vulnerabilities and was using the Tor network.... well, it seems like maybe those deleted files might not have been put there by him. Just sayin'.
Why are they in court then, as the evidence went through multiple layers of encryption traversing the Tor network?
"When you say you're innocent, we hear you saying you're guilty, so we're just going to skip the trial and go straight to the sentencing, because...words!"
Re:
In the computer security world, something is "malicious" if it is attempting to bypass your security measures. The ultimate intent, and whether or not the people doing it are "bad guys" is irrelevant to the meaning of the term.
But the government and large corporations had started playing that particular word game many years ago. It certainly didn't start here. Avoiding that game is one of the major reasons why security companies started preferring the term "PUP" (potentially unwanted program) instead of "malware" -- it's a weird kind of political correctness.
Re:
Of course not, because the police can do no wrong! Don't you know anything?
/s
My ironclad defence.
The sloppiness was designed in, it wasn't a bug.
No possibility of abuse there, eh.
Quoting from a May 2014 AZCentral article:
http://www.azcentral.com/story/news/politics/2014/05/21/fbi-reverses-recording-policy-interrogations/9379211/
Put simply, in the absence of recorded interviews, defense lawyers have been able to undermine honest testimony by some FBI agents while, in other cases, agents misremembered, distorted or lied about suspect statements.
...
In 2006, the New York Times uncovered another explanation for the DOJ policy, spelled out in an internal FBI memorandum. Basically, it argued that jurors might be offended, possibly to the point of acquitting defendants, if they observed the deceit and psychological trickery legally employed by agents to obtain information and confessions.
The 2006 FBI memorandum is linked below (relevant section: page 4, item 3).
http://www.nytimes.com/packages/pdf/national/20070402_FBI_Memo.pdf
Their perjuries at trial are pathological, and performed even when there was no reason to add to the mountain of evidence. The FBI claimed that its laboratories could discriminate between fertilizer lots at the trial of McVeigh, and that analysis of the residuals found at the scene tied them to the lot that was purchased. Yet the test that was used could not distinguish between urine and fertilizer, never mind lots of fertilizer.
Other tests have been "invented" and used at trial, when at least one of them could have been refuted by a high school algebra student a month or two into the course.
Forced publication...
The NIT put the images there
This is another case where it appears the ends (busting CP weirdos) justified the means: deploying malware, violating rights, lying in court.
Everyone wants those who traffic in CP to end up away from children before bad things happen, but if we keep turning a blind eye to them being screwed over the odds of it happening to a 'Good Person (tm)' tick up to 100%.
Re:
Hey, they're part of the same government. What do you expect?
Bad and worse
Expecting honesty from the FBI is like expecting honesty from a politician: sure, you might get it, but only rarely, and only when it serves their interests. However, you'd like to think that a judge would be a little more practiced at spotting rubbish like that, and willing to call out the one making it for presenting conflicting or flat out wrong assertions. That they seem willing to just accept the FBI's testimony at face value is troubling, to say the least.
MAC randomization on iOS, Win10, etc.
MAC randomization already exists, but not in a standard
...
The feature has existed for some time on Linux, Windows, OS X, iOS and Android, but currently it is not included in IEEE's 802 standards.
http://appleinsider.com/articles/14/06/09/mac-address-randomization-joins-apples-heap-of-ios-8-privacy-improvements
http://www.mathyvanhoef.com/2016/03/how-mac-address-randomization-works-on.html
Re: MAC randomization on iOS, Win10, etc.
There probably does exist equipment where the MAC is unchangeable, but it's certainly a small percentage.
Re:
... except that calling it [like] an open window doesn't help for warrant purposes. And that analogy makes it a black bag operation, instead of a legal search.
Re:
The hell it is. Recalling someone's own words is not putting words into their mouth.
... like would happen if someone encountered an image through their browser, then deleted the browser history?
So... someone can, with a drive-by image load, put evidence on your computer sufficient to get you convicted of child porn.
Re:
The guy maybe went to the site by accident or didn't know what it was beforehand. Of course, if that was the situation I'm sure he would have raised it by now.
Still, the presence of the image can be explained both for or against the plaintiff so far.
It *claims* to be good, without looking to see if what it is, truly is, good. For some unfathomable reason, it thinks that it cannot be corrupt, with all that money pouring into it. Point is, it derides nations that do THE EXACT SAME THING, WITH THE EXACT SAME REASONS, but no, it is good because.... US govt is good(?)
So I asked in a chat I frequent, and got "Sounds like the FBI has a case of the stupid" - German citizen.
A question though: why in the hell does this NOT run afoul of the CFAA?!? It DID access a computer without the user's... owner's permission. That should carry a minimum of 20 years in prison.
Re:
Because the CFAA provides specific exceptions for law enforcement.
Re: Re:
Yeah, because as I said in another comment, it's only bad when other people do it.
Re:
It's only bad when other people do it.