{"id":13961,"date":"2016-04-01T19:55:59","date_gmt":"2016-04-02T00:55:59","guid":{"rendered":"http:\/\/hcstx.org\/?p=13961"},"modified":"2016-04-01T19:55:59","modified_gmt":"2016-04-02T00:55:59","slug":"cyber-news-fbi-is-pushing-back-against-judges-order-to-reveal-tor-browser-exploit","status":"publish","type":"post","link":"https:\/\/thetacticalhermit.com\/index.php\/2016\/04\/01\/cyber-news-fbi-is-pushing-back-against-judges-order-to-reveal-tor-browser-exploit\/","title":{"rendered":"Cyber-News: FBI Is Pushing Back Against Judge&#8217;s Order to reveal TOR Browser Exploit"},"content":{"rendered":"<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-13963\" src=\"https:\/\/hcsblogdotorg.files.wordpress.com\/2016\/04\/tor.jpg?w=620\" alt=\"TOR\" width=\"620\" height=\"412\" \/><\/p>\n<p>Last month, the <a href=\"https:\/\/motherboard.vice.com\/read\/judge-rules-fbi-must-reveal-malware-used-to-hack-over-1000-computers-playpen-jay-michaud\" target=\"_blank\" rel=\"noopener\">FBI was ordered<\/a> to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, <a href=\"https:\/\/motherboard.vice.com\/read\/transcript-shows-why-a-judge-ordered-the-fbi-to-reveal-mass-hacking-malware-playpen-jay-michaud\" target=\"_blank\" rel=\"noopener\">said it was a \u201cfair question\u201d<\/a> to ask how exactly the FBI caught the defendant.<\/p>\n<p>But the agency is pushing back. On Monday, lawyers for the Department of Justice filed a sealed motion asking the judge to reconsider, and also provided a public declaration from an FBI agent involved in the investigation.<\/p>\n<p>In short, the FBI agent says that revealing the exploit used to bypass the protections offered by the Tor Browser is not necessary for the defense and their case. 
The defense, in previous filings, has said they want to determine whether the network investigative technique (NIT)\u2014the FBI&#8217;s term for a hacking tool\u2014carried out additional functions beyond those authorised in the warrant.<\/p>\n<p>DoJ attorneys have also asked to submit a filing ex parte and in camera, meaning that only the judge would be presented with evidence under the motion.<\/p>\n<p>\u201cTsyrklevich claims that he requires access to the government&#8217;s \u2018exploit\u2019 to determine if the government \u2018executed additional functions outside the scope of the NIT warrant,\u2019\u201d Special Agent Daniel Alfin writes. He is referring to Vlad Tsyrklevich, a malware expert held by the defense to analyse the NIT. In January, the defense did receive some of the NIT code, but not the sections that would ensure that the identifier issued to the suspect&#8217;s NIT-infection was unique, nor the exploit used to break into the computer.<\/p>\n<p>This specific case concerns Jay Michaud, a public school administration worker from Vancouver, Washington, who was arrested in July 2015. In February 2015, the FBI seized a dark web child pornography site and ran it from their <a href=\"https:\/\/motherboard.vice.com\/read\/judge-rules-fbi-running-child-porn-site-for-13-days-was-not-outrageous-conduct-playpen\" target=\"_blank\" rel=\"noopener\">own servers for 13 days<\/a>. 
During this time, the agency deployed a NIT against people who visited <a href=\"https:\/\/motherboard.vice.com\/en_au\/read\/fbi-hacking-tool-only-targeted-child-porn-visitors\" target=\"_blank\" rel=\"noopener\">specific, child pornography threads<\/a>, which grabbed their real IP address, among other technical details.<\/p>\n<blockquote class=\"quote\">\n<h3>\u201cKnowing how someone unlocked the front door provides no information about what that person did after entering the house.\u201d<\/h3>\n<\/blockquote>\n<p>Tsyrklevich has written a declaration after analysing the parts of the NIT that have been disclosed, but the full text of that document remains under seal.<\/p>\n<p>\u201cHe is wrong,\u201d Alfin continues. \u201cDiscovery of the \u201cexploit\u201d would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud&#8217;s computer, not what it did once deployed.\u201d<\/p>\n<p>Here, Alfin starts an analogy for software vulnerabilities: that of a flaw in a lock.<\/p>\n<p>\u201cIn layman&#8217;s terms, an \u2018exploit\u2019 could be thought of as a defect in a lock that would allow someone with the proper tool to unlock it without possessing the key,\u201d he writes.<\/p>\n<p>\u201cKnowing how someone unlocked the front door provides no information about what that person did after entering the house. 
Determining whether the government exceeded the scope of the warrant thus requires an analysis of the NIT instructions delivered to Michaud&#8217;s computer, not the method by which they were delivered.\u201d<\/p>\n<p>Alfin also claims that the identifiers attached to each NIT-infection, another point of contention for Tsyrklevich, are indeed unique.<\/p>\n<p>\u201cI have reviewed the list of unique identifiers generated during the operation and confirmed that there were in fact no duplicate identifiers generated,\u201d Alfin adds.<\/p>\n<p>NIT code has been disclosed in the past. In a 2012 case, the government provided details of its technique which turned out to involve the <a href=\"http:\/\/www.wired.com\/2014\/12\/fbi-metasploit-tor\/\" target=\"_blank\" rel=\"noopener\">hacking-toolkit Metasploit<\/a>. The FBI used a Flash applet to make a direct connection over the internet, instead of routing the targets\u2019 traffic through Tor.<\/p>\n<p>Peter Carr, a spokesperson for the Department of Justice, told Motherboard in an email \u201cWe&#8217;ll decline to comment beyond our public filings.\u201d<\/p>\n<p>Read the Original Article at <strong><a href=\"http:\/\/motherboard.vice.com\/read\/fbi-is-pushing-back-against-judges-order-to-reveal-tor-browser-exploit\">Motherboard<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last month, the FBI was ordered to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, said it was a \u201cfair question\u201d to ask how exactly the FBI caught the defendant. But the agency is pushing back. 
On Monday, lawyers for&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[74,5653,1317,4912,4126,1928,1635,3553,65,3712],"tags":[10804,4178,10811,10812,1815,10813],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/posts\/13961"}],"collection":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/comments?post=13961"}],"version-history":[{"count":0,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/posts\/13961\/revisions"}],"wp:attachment":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/media?parent=13961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/categories?post=13961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/tags?post=13961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}