Facebook Helped the FBI Hack a Child Predator (opens in new tab)

(vice.com)

49 pointssagarun5y ago13 comments

13 comments

It's hard to tell from the article whether Facebook was an agent of the FBI or not in delivering the exploit, which has legal implications for this case.

What Facebook could have done to avoid that issue is to enforce their ToS to get his IP address, then contact and hand those logs to LEO. (A company can follow its own processes as far as possible before contacting LEO, but once they start working together, they become an agent and the process is changed into something with less independence.)

The idea of creating a new OS to trap an end-user is one of the weirdest things I've ever heard of, on several levels, frankly.

Source: previously the LEO contact at a large Silicon Valley company. Typically you meet with them quarterly or as necessary, but you don't casually "work together" on cases to avoid the appearance of being their agent instead of a company representative.

htfu5y ago

FB procured the exploit, LEO executed it. There are no legal implications, only moral ones, and I'd say the only debate there is over lack of disclosure _after_ use. That's really sketchy.

But developing it in the first place, handing it to those legally authorized to use it, and catching someone like this - I don't understand how anyone could be against that... again, as long as the exploit is burned afterwards.

RcouF1uZ4gsC5y ago

> For years, a California man systematically harassed and terrorized young girls using chat apps, email, and Facebook. He extorted them for their nude pictures and videos, and threatened to kill and rape them. He also sent graphic and specific threats to carry out mass shootings and bombings at the girls' schools if they didn't send him sexually explicit photos and videos.

> raises difficult ethical questions about when—if ever—it is appropriate for private companies to assist in the hacking of their users.

I am happy Facebook did this. They made the world a better place.

kristianp5y ago

The exploit used a modified video which caused Tails' video player to reveal the user's real IP address. Does anyone know how that could be done? Does the video contain a redirect of some kind to an url that causes a bypass?

sheenobu5y ago

Caveat: I'm not a security researcher just have a basic knowledge of the terms and techniques you would find in a beginner exploit tutorial.

These types of exploits are usually specially crafted files that trick the code responsible for parsing and displaying the video file into running whatever the creator wants. The terms "buffer overflow/underflow+" and "shellcode" might help narrow down a definition for you. Below is an overly simplistic version .

The video might contain, inside of it, a specially written computer program that sends the IP address of the current computer to whatever location the attacker wants. (This is the shellcode). This code could be really simple.

The video could also have parts in it that do not make sense. the video player code makes assumptions about the video that the video purposefully violates. When the video is processed by the computer, the video player code misunderstands what it needs to do and will accidently treat the video as code. (this is the buffer overflow). Since parts of the video are actually special shellcode, the computer has been tricked into running code hidden inside the video.

The article below implies that is what this was https://www.vice.com/en_us/article/gyyxb3/the-fbi-booby-trap...

+Buffer overflows / underflows are just one of many techniques for exploiting a program. it's the main one I know in passing.

ghostpepper5y ago

Maybe I missed it in the article but I am curious whether the guy was using Facebook's opt-in E2E encryption.

suyula5y ago

The FBI got the help of the guy's contact, so E2E encryption wouldn't have been a factor.

beerdoggie5y ago

This is a scary 0day. Glad they got the guy though.

jbirer5y ago

"First they came for the communists..."

krapp5y ago

Won't someone please think of the pedophiles?!

jbirer5y ago

You missed the point. They will use pedophiles first as a rationale and after some time they will not even bother to give you an excuse as to why they broke into your e2e communication.

1 more reply

j / k navigate · click thread line to collapse

13 comments

redis_mlc5y ago

It's hard to tell from the article whether Facebook was an agent of the FBI or not in delivering the exploit, which has legal implications for this case.

The idea of creating a new OS to trap an end-user is one of the weirdest things I've ever heard of, on several levels, frankly.

htfu5y ago

FB procured the exploit, LEO executed it. There are no legal implications, only moral ones, and I'd say the only debate there is over lack of disclosure _after_ use. That's really sketchy.

RcouF1uZ4gsC5y ago

> raises difficult ethical questions about when—if ever—it is appropriate for private companies to assist in the hacking of their users.

I am happy Facebook did this. They made the world a better place.

kristianp5y ago

sheenobu5y ago

Caveat: I'm not a security researcher just have a basic knowledge of the terms and techniques you would find in a beginner exploit tutorial.

The article below implies that is what this was https://www.vice.com/en_us/article/gyyxb3/the-fbi-booby-trap...

+Buffer overflows / underflows are just one of many techniques for exploiting a program. it's the main one I know in passing.

ghostpepper5y ago

Maybe I missed it in the article but I am curious whether the guy was using Facebook's opt-in E2E encryption.

suyula5y ago

The FBI got the help of the guy's contact, so E2E encryption wouldn't have been a factor.

beerdoggie5y ago

This is a scary 0day. Glad they got the guy though.

jbirer5y ago

"First they came for the communists..."

krapp5y ago

Won't someone please think of the pedophiles?!

jbirer5y ago

You missed the point. They will use pedophiles first as a rationale and after some time they will not even bother to give you an excuse as to why they broke into your e2e communication.

1 more reply

j / k navigate · click thread line to collapse