Wednesday, September 28, 2016

Some technical notes on the PlayPen case

In March of 2015, the FBI took control of a Tor onion childporn website ("PlayPen"), then used an 0day exploit to upload malware to visitors's computers, to identify them. There is some controversy over the warrant they used, and government mass hacking in general. However, much of the discussion misses some technical details, which I thought I'd discuss here.

IP address

In a post on the case, Orin Kerr claims:
retrieving IP addresses is clearly a search
He is wrong, at least, in the general case. Uploading malware to gather other things (hostname, username, MAC address) is clearly a search. But discovering the IP address is a different thing.

Today's homes contain many devices behind a single router. The home has only one public IP address, that of the router. All the other devices have local IP addresses. The router then does network address translation (NAT) in order to convert outgoing traffic to all use the public IP address.

The FBI sought the public IP address of the NAT/router, not the local IP address of the perp's computer. The malware ("NIT") didn't search the computer for the IP address. Instead the NIT generated network traffic, destined to the FBI's computers. The FBI discovered the suspect's public IP address by looking at their own computers.

Historically, there have been similar ways of getting this IP address (from a Tor hidden user) without "hacking". In the past, Tor used to leak DNS lookups, which would often lead to the user's ISP, or to the user's IP address itself. Another technique would be to provide rich content files (like PDF) or video files that the user would have to be downloaded to view, and which then would contact the Internet (contacting the FBI's computers) themselves bypassing Tor.

Since the Fourth Amendment is about where the search happens, and not what is discovered, it's not a search to find the IP address in packets arriving at FBI servers. How the FBI discovered the IP address may be a search (running malware on the suspect's computer), but the public IP address itself doesn't necessarily mean a search happened.

Of course, uploading malware just to transmit packets to an FBI server, getting the IP address from the packets, it's still problematic. It's gotta be something that requires a warrant, even though it's not precisely the malware searching the machine for its IP address.

In any event, if not for the IP address, then PlayPen searches still happened for the hostname, username, and MAC address. Imagine the FBI gets a search warrant, shows up at the suspect's house, and finds no child porn. They then look at the WiFi router, and find that suspected MAC address is indeed connected. They then use other tools to find that the device with that MAC address is located in the neighbor's house -- who has been piggybacking off the WiFi.

It's a pre-crime warrant (#MinorityReport)

The warrant allows the exploit/malware/search to be used whenever somebody logs in with a username and password.

The key thing here is that the warrant includes people who have not yet created an account on the server at the time the warrant is written. They will connect, create an account, log in, then start accessing the site.

In other words, the warrant includes people who have never committed a crime when the warrant was issued, but who first commit the crime after the warrant. It's a pre-crime warrant. 

Sure, it's possible in any warrant to catch pre-crime. For example, a warrant for a drug dealer may also catch a teenager making their first purchase of drugs. But this seems quantitatively different. It's not targeting the known/suspected criminal -- it's targeting future criminals.

This could easily be solved by limiting the warrant to only accounts that have already been created on the server.

It's more than an anticipatory warrant

People keep saying it's an anticipatory warrant, as if this explains everything.

I'm not a lawyer, but even I can see that this explains only that the warrant anticipates future probable cause. "Anticipatory warrant" doesn't explain that the warrant also anticipates future place to be searched. As far as I can tell, "anticipatory place" warrants don't exist and are a clear violation of the Fourth Amendment. It makes it look like a "general warrant", which the Fourth Amendment was designed to prevent.

Orin's post includes some "unknown place" examples -- but those specify something else in particular. A roving wiretap names a person, and the "place" is whatever phone they use. In contrast, this PlayPen warrant names no person. Orin thinks that the problem may be that more than one person is involved, but he is wrong. A warrant can (presumably) name multiple people, or you can have multiple warrants, one for each person. Instead, the problem here is that no person is named. It's not "Rob's computer", it's "the computer of whoever logs in". Even if the warrant were ultimately for a single person, it'd still be problematic because the person is not identified.

Orin cites another case, where the FBI places a beeper into a package in order to track it. The place, in this case, is the package. Again, this is nowhere close to this case, where no specific/particular place is mentioned, only a type of place. 

This could easily have been resolved. Most accounts were created before the warrant was issued. The warrant could simply have listed all the usernames, saying the computers of those using these accounts are the places to search. It's a long list of usernames (1,500?), but if you can't include them all in a single warrant, in this day and age of automation, I'd imagine you could easily create 1,500 warrants.

It's malware

As a techy, the name for what the FBI did is "hacking", and the name for their software is "malware" not "NIT". The definitions don't change depending upon who's doing it and for what purpose. That the FBI uses weasel words to distract from what it's doing seems like a violation of some sort of principle.


I am not a lawyer, I am a revolutionary. I care less about precedent and more about how a Police State might abuse technology. That a warrant can be issued whose condition is similar "whoever logs into the server" seems like a scary potential for abuse. That a warrant can be designed to catch pre-crime seems even scarier, like science fiction. That a warrant might not be issued for something called "malware", but would be issued for something called "NIT", scares me the most.

This warrant could easily have been narrower. It could have listed all the existing account holders. It could've been even narrower, for account holders where the server logs prove they've already downloaded child porn.

Even then, we need to be worried about FBI mass hacking. I agree that FBI has good reason to keep the 0day secret, and that it's not meaningful to the defense. But in general, I think courts should demand an overabundance of transparency -- the police could be doing something nefarious, so the courts should demand transparency to prevent that.


Doris Brown said...

hi, am Doris, i had my friend help me hack my ex's email, facebook, whatsapp,and his phone cause i suspected he was cheating. all he asked for was a his phone number. he's email is ( u need help tell him Doris, referred you to him and he'll help. Am sure his going to help you do it, good luck..

scout walter said...

this might not be right,but i just have to show gratitude to the job well done,WALTSTEPH82@GMAIL.COM did for me,my jackass boss,blackmailed me just to get me in bed after i just got married,i had to consult the hacker, to help me hack into his mail..and he deleted all the evidence and now am free, just contact him whenever you need a good hacker.he can do alot of things,hack gmail,whatsapp,email,database,credit score,credit card, he can even change university grades. lol.

Simon Distintive said...

I know some really good hackers who has worked for me 2x, hey are very good at hacking anything concerning database, phone, social and also helps to retrieve accounts that have been taken by hackers or message them at +1 646 480 9658

Tracy Lane said... is a professional hacker that specializes in exposing cheating spouse,and every other hacking related issues. he helps catch cheating spouse by hacking their communications like call, Facebook, text, emails, Skype and many more. i have used this service before and he did a very good job, he gave me every proof i needed to know that my fiancee was cheating. You can contact him on his email to help you catch your cheating spouse, or for any other hacking related problems, he will definitely help you, he has helped a lot of people, contact him and figure out your relationship status. i wish you the best too.