FBI: Er, no, we won't reveal how we unmask and torpedo Tor pedos
No NIT software exploit code for you
The FBI is refusing to hand over details of the software it used to track and unmask anonymous viewers of a child sex abuse website. The Feds said the details are irrelevant to the case.
In February of 2015, the FBI seized the servers running a dark-web pedophile website called Playpen, described as the largest archive of its kind. Rather than shut it down immediately, the FBI kept it running for two weeks on the Tor network, but installed server-side software that would somehow worm its way into perverts' PCs and report back their real public IP addresses and MAC addresses to the government.
The software would also generate a serial number unique to the infected computer and send that back to investigators, so that if the PC changed its public IP address, it could still be linked to previous addresses.
With this information, agents could subpoena ISPs to hand over the personal details of subscribers assigned those addresses, and thus bring them in for questioning. The software, which the FBI calls a network investigative technique (NIT), successfully tracked hundreds of visitors around the world to the hidden Playpen site.
In an ongoing trial of Seattle teacher Jay Michaud, who has been charged with viewing child sex abuse imagery on Playpen, his attorney has insisted that the FBI turn over the NIT for examination.
The FBI has provided some of the code, but crucially, no details of the flaw it exploited to install itself on some visitors' computers, nor the method by which it generated the unique identifier used to track them. In a brief filed on Monday, FBI special agent Daniel Alfin explained his reasoning:
"The exploit merely enabled the government to bypass the security protections on Michaud's computer to deliver the NIT instructions," the brief [PDF] states.
"Knowing how someone unlocked the front door provides no information about what a person did after entering a house."
Alfin said he was certain the identifier assigned to Michaud's IP and MAC addresses was unique and not duplicated for any other suspect. He offered to show the defense the full data stream between Michaud's computer and the server set up to collect the NIT data.
The NIT software consists of nine packets – the first three to establish a connection between the suspect and the government server, the fourth to relay the identifying information, and the last four to sign off the exchange.
The brief was filed as part of the FBI's ongoing attempts to hide the code – which a judge ruled last month it should provide to the defense. The FBI has filed a sealed brief to the judge explaining why it is unwilling to do so.
The FBI is understandably unwilling to release the full code to a third party, since this may allow people to work out how to evade it. It's clear that the NIT wasn't 100 per cent effective – Playpen had nearly 215,000 users and only a small fraction have been identified.
It could be that the NIT exploited vulnerabilities in Adobe Flash or the browser that the suspects had not yet patched. It could be that the NIT required no security flaws, and was simply some script code or a small Flash file that managed to send back information about the PC without going through Tor.
The defense may be hoping that the FBI will throw out the case rather than open up the code. It has happened before, when police withdrew from a number of prosecutions rather than reveal details of the FBI's Stingray cell phone tracking system. But those were low-level cases; not something as egregious as child abuse. ®