The talk is going to be called Law Enforcement Are Hacking the Planet, by Joseph Cox. Joseph is an investigative journalist for VICE's Motherboard, covering hackers, data breaches, and digital security. When I went to check him out and look at his Twitter account, I discovered I already follow him, which is funny, or is a little anecdote about the modern world. I recognized his avatar immediately, but not his name. I guess that's just something about how we live these days. So, anyway, with no further ado, Joseph, I'd like to give it over to you.

Hello, hello. How would you react if the FBI came over from the United States, came into Germany, went to an apartment in, say, Hamburg, kicked down the door and then started searching the apartment? They haven't been invited by German law enforcement. They're acting on their own accord. They then seize a load of evidence and go back to the States. You might think this isn't a great thing. I mean, what is the FBI doing coming into another country and then searching buildings or arresting suspects? But this searching, this is essentially what the FBI is doing, but digitally, with malware and hacking tools, reaching into computers in other countries, extracting evidence from them and then sending it back to a government server in Virginia, or wherever it may be. To be clear, we're not talking about a normal intelligence agency here like the NSA or GCHQ. They're going to hack computers internationally all the time as part of espionage. We expect that. Maybe that's a good thing. Here, we're talking about an agency that's predominantly focused on law enforcement, hacking into computers in other countries as part of criminal investigations. I'm going to talk about one FBI case in particular, briefly touch upon another one, and then just explain an operation that was led by local Australian law enforcement which hacked computers in the United States.
At the moment, typically, these sorts of investigations are done to counter child sexual exploitation or child abuse on the dark web. Just about me, briefly: a journalist from Motherboard, as mentioned, which is the technology and science part of VICE, covering hackers, cybercrime, the dark web drug trades, stuff like Silk Road, all the usual stuff. But for the past year, I've been really interested in law enforcement's international use of malware, which brings us to Operation Pacifier. The FBI is not very good at naming its child sexual exploitation investigations. So in August 2014, a new dark web child abuse site is launched called Playpen. It was a Tor hidden service, meaning that the majority of people that connected to it would do so over the Tor anonymity network, masking their real IP address. But because it ran as a hidden service, the physical location of the server itself was also protected, meaning that the FBI couldn't just go and immediately subpoena the hosting company or seize the server or whatever it may be, because they didn't know where it was. A few months pass, and Playpen is a really, really big deal. It's the largest child pornography site on the dark web: 215,000 members, 117,000 posts, and on average, 11,000 unique people were visiting every week. The FBI is trying to find a way in. They're acting in an undercover capacity on the site, as law enforcement often do with these sorts of hidden services. But at one point, a foreign law enforcement agency, and we don't know which one, provided the real IP address of the Playpen server to the FBI. It turned out Playpen's administrator, who's now been convicted, Stephen Chase, had misconfigured his server, so the real IP address was exposed to the normal internet. So in February 2015, the FBI go to the North Carolina data center, they seize the server and they take control of Playpen.
Just as a side note, Stephen Chase, the administrator, had paid for the hosting via a PayPal account in his own name, so it was incredibly easy to convict him. If you're gonna run an illegal Tor hidden service, don't use PayPal. And then this is where the hacking comes in. So even though the FBI is in control of the site, they can see what people are doing, what videos they're watching. As mentioned, they can't see where these people are coming from and they can't identify them. So they need another way, and what they decide to do is hack the computers of individual users. So, well, very, very shortly after the FBI seizes the server, they start to run it from a government facility in Virginia, so the site is fully functioning, except one section that encouraged people to produce more child porn. It's still a fully functional website, though. They run that and the FBI deploys what it calls a network investigative technique, an NIT, or a nit, or what we would probably just call a piece of malware. In short, and this is a really, really basic overview, the NIT just did several things. First, somebody would log in to Playpen and then go visit a specific child porn-related forum. The exploit is then automatically delivered to their computer. This exploit, and the underlying vulnerability, certainly affected the Tor Browser. We don't know if it affected Mozilla Firefox. As many of you will know, Tor Browser is obviously based on Firefox and they share much of the same code base, but we don't actually know much about the vulnerability or the exploit itself. All that we know is that it used a non-publicly known vulnerability. And then when the exploit is delivered, the rest of the code causes the target machine to phone home outside of the Tor network to a government server, and now the FBI has a real IP address.
Armed with that, the FBI just goes to the ISP, Comcast, Verizon, gets a name, subscriber details, an address, kicks down the door, arrests the person if there's enough evidence, and presumably, in many, many of the cases, if not all of them, finds a load of child porn on the suspect's machine. But that's not everything the FBI collected with its NIT. It also got the username, the host name, the MAC address, and it also generated a unique code per unique infection, I think, that you could then use to correlate activity on the site with an IP address. And I mean, just remember, this whole time the FBI could see what people were doing on the site. Oh, so user Jimmy went onto this section of the site and looked at this thread. Now we have his IP address, we can link it to that. So the FBI deploys its malware. For 13 days, it runs the site. Over that amount of time, 100,000 users log into Playpen, which, as you'll notice, is a lot more than 11,000, which was apparently the average login rate. For some reason, the site became a lot more popular when the FBI was running it. You can infer what you want from that. So in the US, the FBI gets around 1,300 IP addresses of US users of the site. Europol say they generated 3,229 cases. I haven't highlighted it, but it's in the middle column at the bottom. And 34 of those were in Denmark. This is a presentation I just found online when I found out it was called Operation Pacifier. I searched that, file type PDF, and someone from law enforcement had left this online, so that was convenient. Austria, staying with this part of the world, I think this is a letter from an MP to a group of politicians just talking about the country's child porn investigations, and it mentions Operation Pacifier and 50 IP addresses. So the FBI hacked at least 50 computers in Austria. Latin America as well. Again, there's another presentation I found online.
Law enforcement are really, really sloppy with just leaving all of this stuff online, which was great. And you can just see Operation Pacifier there. As for Chile, it was local media reports that just said Pacifier, Playpen, child porn, arrest. So it was pretty easy to infer that computers were hacked there as well. Australia, this is part of a freedom of information request I made with the Australian Federal Police asking for documents and communications about Operation Pacifier. This isn't actually the result of the request. This is them saying, hey, we have too much stuff on Operation Pacifier so we can't give it to you, which obviously already gave me enough information to confirm that Pacifier hit Australia as well. Anyway, you get the idea. I'm not just gonna list all these countries. Oh, apart from that, the UK and Turkey were probably hacked as well. But it turns out that the FBI hacked computers in many, many more countries. And this just came out, end of last month, I think. In total, the FBI hacked 8,700 computers in 120 countries. 8,700 computers in 120 countries with one warrant. And arguably, that warrant was illegal, but we have to back up a little bit just to see what that is. Right, okay. So the US has something called Rule 41, which dictates when a judge can authorize searches, including remote searches, so hacking. A judge can only authorize a search within his or her own district. So if the judge is in the Western District of Washington, he or she can only sign a warrant that's gonna search stuff within that district. With a few exceptions, I think terrorism, and if there's a tracking device and then the person moves out of state, it's still okay. Well, in the case of Playpen, Judge Theresa Buchanan was in the Eastern District of Virginia, as you can see at the top. Clearly, the vast majority of computers were not in the Eastern District of Virginia.
The search warrant application, which is that document that the FBI presents to a judge and says, hey, here's our reasons, please sign our search warrant. It said that what was gonna be searched was computers logging into Playpen wherever located. It's pretty debatable how explicit that is. I mean, the FBI did not write, hey, we're gonna hack into computers no matter what state they're in, what country they're in, anything like that. The word hack is obviously never ever used in the search warrant application. So with that in mind, it's kind of unclear if Judge Theresa Buchanan would have actually understood that she was signing a global hacking warrant, and now this isn't to castigate the judge at all, it's more that these warrant applications aren't very explicit, and it's still unclear because Judge Buchanan won't respond to my requests for comment. Just check that. All right, okay. So, whether Operation Pacifier violated Rule 41 has probably been the central component of all the legal cases that came out after the FBI started busting people. Defense lawyers have brought it up saying, hey, this judge did not have authority, you now need to throw out all the evidence against my client. According to the most recent figures, and this might be very, very slightly out of date, 21 decisions have found the operation did violate Rule 41. Out of those, judges in four cases have thrown out all evidence obtained by the FBI's malware. So that obviously includes the main bit of evidence, which is the IP address, but then also everything that came after that. I mean, the only reason the FBI found child porn on people's devices is because the IP address led them there, so all of that child porn is also struck from the record as well. And those people are essentially free, barring DOJ appeals, which are ongoing. Whether people based outside the United States will have a similar sort of defense is kind of unclear at the moment.
The IP address could fall under something like the third party doctrine, where, if there's a German suspect and they try to challenge the legality of the search, the German police may say, hey, look, we didn't do the hacking, we just got given this IP address by a third party, and then the defense might not have much of a leg to stand on. But I do know of one lawyer in a country outside the US who is going to challenge the legality of the hacking operation. I can't really say where he is right now because I think they're still sorting it out, but that's gonna be really, really interesting when that happens, hopefully in the new year. So forget everything I just told you about Rule 41, because it doesn't matter anymore. Earlier this month, changes to Rule 41 came into place, meaning that judges now can authorize searches outside of their district. So if the Playpen warrant was signed today, it probably would not violate Rule 41 and the FBI wouldn't have done anything wrong, or the DOJ wouldn't have done anything wrong. And I just want to emphasize that these changes to Rule 41 came about in part, specifically, because of the problem that anonymity networks and Tor present to law enforcement. It's not like Operation Pacifier was over here, the FBI doing its thing, and the DOJ was sorting out these Rule 41 changes separately. The changes have come specifically in response to criminal investigations on the so-called dark web. And there's just a Justice Department quote here: "We believe technology should not create a lawless zone merely because a procedural rule has not kept up with the times." Their argument is that Rule 41 is basically an antique and they need to change the rules to keep up with criminals that are using stuff like Tor or VPNs. So that was Pacifier. That's the largest law enforcement hacking operation to date that we know about. Just very, very briefly, I'm going to talk about another FBI one where they likely hacked into computers abroad.
This one's called Torpedo, which is even worse than Operation Pacifier when it comes to child porn names. So in 2012 or 2013, the FBI take over Freedom Hosting, which is sort of a turnkey hosting provider. You sign up to the service, they host your dark website, it doesn't matter if it's legal or not, whatever. The FBI seizes it, they deploy an NIT again, a piece of malware, and this time the FBI are trying to identify users of 23 different child pornography sites. In the warrant application, there's a section specifically about a Hungarian language site. I mean, even the FBI officer, I think it's FBI, writing it, says, oh, if you put this into Google Translate, it means this, it's Hungarian, blah, blah, blah. As I mentioned in the Playpen example, the FBI did not know where the computers that they were going to hack were located. This is an interesting case because I'm going to guess that a lot of the users of a Hungarian language site are probably in Hungary. So the FBI might have had some idea that they were going to hack computers there. Did the FBI warn Hungarian law enforcement? Did they get permission from the Hungarian authorities to hack computers in that country? We don't know yet, and I somehow doubt it. And then just finally, it's, excuse me, it's not just the FBI that's using hacking tools to target suspects overseas. A local Australian police department, Queensland Police, has a specialized task force for child sexual exploitation, Task Force Argos. And they were the ones that led this operation. There wasn't any sort of official statement from Queensland Police saying, hey, look, we unmasked all of these criminals in the US. It was only by piecing together pretty spread out US court documents that I could map the contours of this hacking operation that everyone kind of wanted to keep quiet about. So in 2014, Task Force Argos take over another dark web child porn site called The Love Zone.
They run it not for 13 days like the FBI, but for six months, posing as the site's administrator, who they'd already arrested. According to one document, not this one, the Australians obtained at least 30 IP addresses of US-based users of the site. I don't know about other countries yet. It's only through these US court documents that we've been able to figure this out. And the way they did it was pretty different to the FBI. What they would do is they would send a link to a suspect for a video file. The suspect would click the link. They would get a warning saying, warning, you're opening a file on an external site, do you want to continue? Something to that effect. If the person ignored the warning and clicked yes, a video of real child pornography played on the suspect's machine, and then that video phoned home to an Australian server. I mean, you can debate whether this is hacking or not. I mean, the FBI one clearly is. They're delivering a Tor Browser exploit with malware, et cetera. Is this hacking? I would say so. If we think that phishing for government emails is hacking, sure. But that's kind of the trivial debate anyway. The real debate is, was this a search in the legal sense of the word? Did the Australians obtain information from a private place, namely a private computer in a private residence? And did they get a search warrant to do that? And again, we don't know, because that wasn't told to me. So clearly that was all about child abuse and child pornography investigations. And so far, this sort of international hacking, as far as we know, as far as I know, has only been used for those sorts of investigations. As for the future, with the Rule 41 changes there, we could presumably see it go to other types of investigations, maybe dark web drug markets. Plenty of these markets have dedicated vendor-only sections that you can only log into if you are a drug dealer on the site. I mean, here, this isn't from an NIT or a malware investigation.
This is when Carnegie Mellon University attacked the Tor network, obtained IP addresses, and then gave those, well, was subpoenaed for those and gave them to the FBI. But the key part is that in this search warrant, it's saying, hey, look, there's probable cause because this suspect was logging in to the drug dealer-only section of Silk Road 2, so we have reason to raid his house. I can easily see this sort of section being in a malware warrant or an NIT warrant as well. And then I suppose the other more obvious example, if it hasn't happened already, is putting a piece of malware to hack suspects internationally on a jihadi forum. Maybe an administrator or a moderator section, so you know you're gonna be targeting high-ranking members of the forum. I mean, I personally don't know if that would be the FBI or another agency doing that. But that's clearly somewhere where malware could be used in an international context. But apart from predicting where this might go, I mean, clearly this is gonna continue. Just a few weeks ago, there was a Firefox zero day out in the wild. Me and my colleague Lorenzo tracked it back to a specific child porn site on the dark web where that zero day had been deployed. So this is an active thing. This is still going on. And that's it. But just the last thing, if you have any documents, data, information, tips on FBI malware, law enforcement malware, who's using it, who's buying it, how they're using it, these are my various contact channels. Thanks a lot.

Thank you, Joseph. Thank you. Any questions from the audience? One on four?

Thanks for the talk. Really nice. Quick question. You've presented some pretty illegal things on both sides, on child pornography and all of those things, and on the law enforcer side. Now my question is, did you intentionally mention those really illegal aspects like child pornography to justify the actions of the FBI in any way?

You mean, did I specifically speak about child pornography to justify the FBI's actions?
Yes.

No, this is just... I mean, child pornography and child sexual exploitation is where law enforcement are using the really cool stuff. This is where they're using their Tor Browser exploits. This is where they're using their Firefox zero days. And I'm just attracted to where the cops are doing interesting things. So if it was on drug markets, I'd cover that as well. But at the moment, at least to my knowledge, it's just localized to the child pornography investigations, presumably because law enforcement feel like not many people are gonna argue with them over maybe doing a legal search for child porn, because everybody finds that crime abhorrent. But no, that's just how it is at the moment.

Okay, let me rephrase that. Do you feel it's justified for them to use exploits?

Do I feel it's justified for them to use exploits? I don't think there's anything intrinsically wrong with law enforcement hacking. But even though child pornography is an absolutely disgusting crime and I obviously can't find any way to justify it, I also want law enforcement to follow the law and to respect the law as well.

Thank you. Any other questions? Anybody from IRC? Sorry, didn't see you there on five, go ahead.

Well, I wanted to ask probably the same question, whether it's dubious from the moral point of view. And you already answered it, that you don't see it as dubious, as I understand, right? As the legislation can be questioned and should be rearranged, there is not much ethical discussion whether this should be done or not. But while you were at the topic for a while, do you have any other proposals how to resolve this issue, maybe technically, from the technical point of view?

Sure, so I mean, just before I answer that, I just want to make clear that I'm a journalist, not an activist or a technologist. I don't think it would be right for me to say this is how we should combat this. I'm just saying, hey, this is what the FBI did, and that sort of thing.
But to answer the question, I think Mozilla and Tor have been working on a way to stop this sort of de-anonymization attack, so that when the FBI would hit a computer with their exploits and then the NIT code would deploy, that's not enough. I really can't remember the technical details off the top of my head, but there is an article online that I wrote. But then they would have to break out of the sandbox as well. But more to answer your question generally, there are technological solutions that people are making here. And they could be live pretty soon, but then what is the FBI gonna do after that? They're not gonna stop making malware. They're gonna be able to deploy an NIT that will then rummage through your computer and find the incriminating documents and then phone home. If they can't get your real IP address, they're gonna get evidence somehow.

Number one was up next.

Hey, Joseph. In your background research on law enforcement using technology like this to target child porn sites, you profiled the FBI and how they may have skirted around some of the letter of the law in order to get done the job they needed to get done. Are there other law enforcement agencies that you found that are kind of like a gold standard in their approach to solving this problem, that abide by the rules and maybe solve this problem a different way?

So the question was, are there other law enforcement agencies who may be better, or have the same sort of standards as the FBI, on this problem. When you say this problem, you mean combating child porn on the dark web?

Yeah, clearly something needs to be done about these sites and there's a limited number of options available. And I mean, so the FBI has kind of busted out and tried every single piece of technology that they can to solve it. But are there others that maybe take a more restrained approach but still solve the problem?
When it specifically comes to malware, I haven't seen much in the wild or publicly, but in the UK, GCHQ, the country's signals intelligence agency, has said, or a report said, it is using bulk interception, so GCHQ's mass surveillance capabilities, to do traffic correlation attacks that can then unmask dark web users and hidden service IP addresses. So that's not malware, but that is an extreme use of technological capability, I guess. And yeah, we could definitely see more of that. I think in the report, the Home Office said that GCHQ had got something like 50 individuals in the past 18 months through bulk traffic analysis. That's not malware, but yeah, that's where stuff could go, definitely.

Cool, thanks. One last question will be number four over here.

Hi, I was wondering, because you mentioned bulk analysis, which I consider to be significantly worse than targeted analysis in the way that it violates everybody's liberties rather than specific individuals who are definitely engaging in criminal activity. So why is it you feel that there's some kind of violation? Like, these people, they need to find these criminals, and the jurisdiction needs to be significantly wider. And I understand that it's terrible that they're hacking us, but at the same time, these people need to be caught. So how can they make legislation that's able to find these people legally when it's outside of their jurisdiction? And they might be targeting people, if they're doing a dragnet on a website, like your example, they're gonna be hitting people that are not in their country. They can't limit it to the people that are in their country and only hack those people. It's technically impossible. So what's the solution for this?

So I mean, some senators in the US did propose the Stop Mass Hacking Act, which would have blocked the Rule 41 changes. It was unsuccessful, and in part, this is just my personal opinion, I think it's because they didn't present a viable alternative.
I mean, as you say, these people need to be caught, and that sort of thing. But when these senators said, yeah, we need to stop all this global hacking, there was no alternative presented. So we don't know, basically, as for legislative changes. I think it's less that, hey, here's a concrete law or rule that we need to fix right now. It's more like there is a looming issue of what happens when the FBI hacks a child pornographer in Russia, or one who happens to be a politician in another country. Are they still gonna go to local law enforcement and say, hey, we've got this IP address of one of your senior politicians who happens to be looking at child porn? I mean, what are the ramifications of that gonna be? But to answer your question, we don't really know. It's more of just this looming issue that law enforcement are firing malware and asking questions later.

Thank you so much. Can we get a round of applause for Joseph Cox.