Wednesday, April 26, 2017

Technical Paper Review: Lighting the Dark Web

There was a bit of a 1 vs 1 between two law professors on the subject of NITs, which I think is worth a read. Ahmed Ghappour, contends that the FBI and current legal practice of NITs is a thorn in the side of international legal norms, on the summary basis of "Hacking random computers in other countries has issues". Orin Ker, on the other hand, is like "It's all cool, yo." Both papers are drafts.

There are several technical holes that need to be discussed, although Ghappour's paper goes into depth into the details of what a NIT is, the reality is that "NIT" is not a technical specification but simply a description of the end user (aka, Law Enforcement), and the definition is simply "Malware that helps you investigate".  In other words, legal analysis that assumes or presumes that "NIT" is in some way a special technique, separate from intrusion techniques as they are used elsewhere, feels highly deceptive to a technical crowd.

Current known LE practice is to take over a web domain that is utilized exclusively by "bad people" and then attack those bad people from that trusted website with a client-side exploit, which then does some very simple things to locate them.

But building legal rules on this scenario is short-sighted because future scenarios are almost certain to be much more complex and require essentially the same level of toolkit and methodology that penetration testing or SIGINT attacks carried out by TAO have. For example, future targets could be using the Grugq's "Portal" firewall.

Likewise, a key issue is revealed in Orin's draft text:
In this particular context, it is doubtful that the rule expressed in the 1987 Restatement is viewed by states today as extending to the use of NITs. First, the 1987 rule is focused on conduct that occurs exclusively in a foreign state. Yet use of a NIT is not necessarily such conduct; it is entirely possible that the use of a NIT results in conduct solely within the territory of the state employing the NIT. To put it another way, application of the 1987 rule in the manner suggested by Ghappour results in a state being prohibited from using a NIT even to pursue criminal conduct in its own territory. The 1987 rule had no (and was intended to have no) such effect.
There are two ways to think about hosts that you do not know the location of:

  • They default to somewhere within your borders.
  • They default to somewhere NOT within your borders.
  • It is in fact, NEITHER within or without your borders - but handled in a special way, much like Microsoft and Google would prefer, because of rule 2.

From original paper by Ahmed Ghappour:
The legal process for network investigative techniques presumes search targets are territorially located, which is not at all accurate. Indeed, most potential targets on the dark web are outside the territorial United States.27 Approximately 80% of the computers on the dark web are located outside the United States.28
So as far as I can tell only in special circumstances should the default warrant process really be valid. Just because this results in a situation LE does not like, where Tor-services are not domestically warrantable under current legal frameworks, does not mean we should pretend this is not the case.

And of course, computer networks have many more complexities than are addressed. For example, what happens when your intrusion discovers that what you reasonably THOUGHT was a domestic computer, is in fact, a foriegn computer? There are many ways this can happen: Load balancers and various types of proxies can redirect connections from one computer to another transparently, for example.

Keep in mind that IP addresses are often ephemeral - the very process of uniquely identifying a machine is an extremely difficult one technically, especially for remote techniques (speaking from the experience of anyone who has built a large scale scanner).

Orin's paper talks about attacks (CNA):
To be sure, the FBI’s existing hacking techniques, properly executed, do not rise to the level of a cyber “armed attack,” which would permit a state to respond with force under Article 51 of the U.N. Charter.43
While inadvertent "computer attack", meaning "damage or destruction" is unlikely under the current methodologies, it is none-the-less technically possible, and becomes more likely in the future as techniques become more necessarily invasive. Collateral damage is a very real threat - there were a lot of legitimate customers on MegaUpload, for example. There is real risk here of international incident - Orin's paper currently states "There is no sign that the USG or the American public was offended by the foreign search", but there are easy ways to see scenarios where this would not be the case.

For example, BSDM is illegal in the UK but very legal in the States. Should the UK's Law Enforcement officers execute a UK NIT warrant collecting the list of users to search for UK citizens, we can see immediate conflict with American perspectives.

The Playpen story in Oren's paper, where we discovered the server was in Iceland with NIT, then collected it with a MLAT, is instructive. What's our plan when we discover the server is in Iran? Likewise, we had already conducted a search of the Icelandic server BEFORE we knew it was in Iceland, where we had a good legal relationship.

Orin's paper continues:
"But he does not point to any instances in which the ongoing practice actually caused the reaction he fears"

  1. Friction may be covert and handled quietly. Not seeing the friction does not mean there isn't any.
  2. We may self-limit to child porn and mega-crime for a reason. What about when it's not that? What about the norms we set?

As another side note about how hard this is getting to be in practice, check out what happens when Law Enforcement asks an unwilling party to help them with an investigation, as seen today on the Tor mailing list:

That response shows the built in gravitational forces that are going to require Law Enforcement step up to the level of the NSA or CIA's teams.

Lastly, Orin's paper has a VERY strange ending:
NITs are very expensive to develop and require a great deal of technical sophistication to use. Drafting an NIT warrant requires considerable legal sophistication and the evaluation of significant legal ambiguities. Use of NITs may lead to disclosure of their details in subsequent litigation, potentially depriving the government of future access to computers by using that same vulnerability. 
So far the Government has successfully prevented any disclosure of vulnerabilities used (and here of course we have a built in confusion of the "vulnerability" and "malware/implant" with the term "NIT").  Likewise, there's no technical reason the FBI cannot scale to the level of the NSA, given sufficient funding. Oren seems to be implying there's an operational security issue here, when it's really a resources issue. The FBI COULD, in theory, use a new exploit and implant and toolchain for every single investigation. This is, in fact, the most secure way to do this kind of work.

Keep in mind, Law Enforcement, especially local Law Enforcement, often leaks the things they find out in order to pressure people, even people who are not suspects. For example, here is an article of them leaking the porn browsing data from a non suspect.

No comments:

Post a Comment