FBI: Er, no, we won't reveal how we unmask and torpedo Tor pedos

No NIT software exploit code for you

The FBI is refusing to hand over details of the software it used to track and unmask anonymous viewers of a child sex abuse website. The Feds said the details are irrelevant to the case.

In February of 2015, the FBI seized the servers running a dark-web pedophile website called Playpen, described as the largest archive of its kind. Rather than shut it down immediately, the FBI kept it running for two weeks on the Tor network, but installed server-side software that would somehow worm its way into perverts' PCs and report back their real public IP addresses and MAC addresses to the government.

The software would also generate a serial number unique to the infected computer and send that back to investigators, so that if the PC changed its public IP address, it could still be linked to previous addresses.

With this information, agents could subpoena ISPs to hand over the personal details of subscribers assigned those addresses, and thus bring them in for questioning. The software, which the FBI calls a network investigative technique (NIT), successfully tracked hundreds of visitors around the world to the hidden Playpen site.

In the ongoing trial of Seattle teacher Jay Michaud, who has been charged with viewing child sex abuse imagery on Playpen, his attorney has insisted that the FBI turn over the NIT for examination.

The FBI has provided some of the code, but crucially, no details of the flaw it exploited to install itself on some visitors' computers, nor the method by which it generated the unique identifier used to track them. In a brief filed on Monday, FBI special agent Daniel Alfin explained his reasoning:

"The exploit merely enabled the government to bypass the security protections on Michaud's computer to deliver the NIT instructions," the brief [PDF] states.

"Knowing how someone unlocked the front door provides no information about what a person did after entering a house."

Alfin said he was certain the identifier assigned to Michaud's IP and MAC addresses was unique and not duplicated for any other suspect. He offered to show the defense the full data stream between Michaud's computer and the server set up to collect the NIT data.

The NIT software consists of nine packets – the first three to establish a connection between the suspect and the government server, the fourth to relay the identifying information, and the last four to sign off the exchange.

The brief was filed as part of the FBI's ongoing attempts to hide the code – which a judge ruled last month it should provide to the defense. The FBI has filed a sealed brief to the judge explaining why it is unwilling to do so.

The FBI is understandably unwilling to release the full code to a third party, since this may allow people to work out how to evade it. It's clear that the NIT wasn't 100 per cent effective – Playpen had nearly 215,000 users and only a small fraction have been identified.

It could be that the NIT exploited vulnerabilities in Adobe Flash or the browser that the suspects had not yet patched. It could be that the NIT required no security flaws, and was simply some script code or a small Flash file that managed to send back information about the PC without going through Tor.
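The last scenario above, a callback that reaches the collection server directly rather than through Tor, is exactly what a defender can look for on a host that is supposed to route all browser traffic through the local Tor SOCKS proxy. The following is an added example, not code from the article or from the FBI's NIT: it scans constructed flow records and flags any browser-process connection that does not go to the loopback SOCKS port, noting compact sessions (the article describes a nine-packet exchange). Process names, the flow-record shape and the sample flows are assumptions; ports 9050/9150 are Tor's default SOCKS ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed flow record, loosely modelled on a firewall or Zeek-style conn log
# with process attribution (assumption: an EDR or host firewall supplies 'proc').
@dataclass
class Flow:
    proc: str    # originating process name
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    pkts: int    # packets in the session

TOR_SOCKS_PORTS = {9050, 9150}           # Tor daemon / Tor Browser default SOCKS ports
BROWSER_PROCS = ("firefox", "tor-browser")  # assumed names of the Tor-using browser
CALLBACK_MAX_PKTS = 9                    # compact session, as described in the article

def find_proxy_bypass(flows):
    """Return flows where the browser talks to anything other than the local
    Tor SOCKS port. The 'tor' daemon itself legitimately connects to guard
    nodes, so only browser-originated flows are judged."""
    findings = []
    for f in flows:
        if f.proc not in BROWSER_PROCS:
            continue
        if ip_address(f.dst).is_loopback and f.dport in TOR_SOCKS_PORTS:
            continue  # expected path: browser -> local Tor proxy
        findings.append({
            "proc": f.proc,
            "dst": f"{f.dst}:{f.dport}",
            "pkts": f.pkts,
            "compact_callback": f.pkts <= CALLBACK_MAX_PKTS,
        })
    return findings

# Constructed sample flows (documentation-range IPs, not real hosts).
SAMPLE_FLOWS = [
    Flow("tor", "10.0.0.5", "198.51.100.7", 443, 120),      # tor daemon to a guard: fine
    Flow("firefox", "10.0.0.5", "127.0.0.1", 9150, 300),    # browser via SOCKS: fine
    Flow("firefox", "10.0.0.5", "203.0.113.10", 80, 9),     # direct, nine packets: flag
    Flow("firefox", "10.0.0.5", "203.0.113.44", 443, 400),  # direct, long session: flag
    Flow("chrome", "10.0.0.5", "203.0.113.5", 443, 50),     # unrelated browser: ignored
]

if __name__ == "__main__":
    for hit in find_proxy_bypass(SAMPLE_FLOWS):
        print(hit)
```

Running it prints the two direct firefox flows; in a real deployment the flow source would be the host firewall or EDR rather than the embedded list.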

The defense may be hoping that the FBI will throw out the case rather than open up the code. It has happened before, when police withdrew from a number of prosecutions rather than reveal details of the FBI's Stingray cell phone tracking system. But those were low-level cases, not something as egregious as child abuse. ®

Biting the hand that feeds IT © 1998–2021