And paid six figures for outside help. The FBI's approach "was not tailored for Tails" - surely if they had any approach that would work they would use it.
If the government couldn't break in to Tails and required the outside help of two well-resourced organisations to find (and burn) a single exploit then overall that seems a pretty good endorsement of the security of a volunteer open-source project.
That's 100k for Facebook. They have the ability to find these white- or black-hat folks, and pay them. For you, random dude or dudette on the street, that might be a little more expensive.
I would assume a huge, IT-focused org like FB already has 3-4 high-end security orgs doing pen-testing and digging for zero-days in their code; they just poured a little sugar on top of an existing contract to help squash this one online predator douche.
Speaking of, I always find it very telling that the knee-jerk reaction is to blame a dependency or subcontractor. That's the same mentality that says "paid for code must be better" when, last I checked, there aren't any more Windows phones, are there?
But there was a Windows password hash method in the early 2000s that could be brute forced on a single consumer grade CPU in less than 24 hours on their current-at-the-time flagship network server OS. So there's that...
The nature/architecture of tails means this kind of attack is possible. Apps that can "break through" the OS networking, get access to the "real connection". Excuse my non-technical language.
Disclosure/ad: I work on Whonix, which is, uh, Tails in a VM essentially (to the person who only knows Tails and not Whonix). In Whonix, the desktop is in a VM, separate from another OS in another VM running the networking. No program in the desktop VM can reveal the public IP. On top of that, for advanced users, the desktop hardware itself might be separate from the hardware connected to the public internet.
The VM (VirtualBox, KVM, whatever) is the single (practical) attack surface, which is safer than ensuring every program the user may run is patched. Excuse the rant/ad/competition-bashing.
Other articles on this topic described that they had hired at least one full time employee just to track this one malicious user. I'm sure they also have additional fractional costs for legal, moderation, administration, PR, government oversight, and lobbying. They might even have legal liabilities to the victims (not sure).
They previously worked with the FBI to try and trap this malicious user with a TOR exploit that didn't work against Tails where the malicious user saw the effect and mocked his investigators.
The $0.5 million reportedly spent for the Tails 0day seems like it might actually be proportionate (perhaps even affordable) to the costs they incurred. I'm typically pretty skeptical of the costs the FBI and large corporations assign to corporate hacks or copyright theft, but this seems like it carries legit risk if FB doesn't try to do a lot to disable these malicious actions on their platform.
I'm sure it was proportionate to the costs they incurred, but I doubt it's really necessary to spend so much money to find an exploit in Tails; I imagine a single good hacker would be able to find another one in at most a few weeks of dedicated work.
> Several FBI field offices were involved in the hunt, and the FBI made a first attempt to hack and deanonymize him, but failed, as the hacking tool they used was not tailored for Tails. Hernandez noticed the attempted hack and taunted the FBI about it, according to the two former employees.
No evidence that it was a TOR exploit, but I interpreted it that way because the FBI and Facebook would most certainly have known he was using TOR from his exit IP rotating frequently, and FB explicitly supports a TOR server hostname.
I think it's more likely that they used something targeting the browsers, maybe with 0-days maybe not.
But it doesn't seem to me that the FBI put much effort into this whole thing, maybe it was more a concern for Facebook than for them.
As I understand it, knowing that someone is using Tor is usually trivial: the exit nodes normally set a reverse DNS record that signals it, and there are exit node blacklists.
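The two signals the comment above mentions (a published exit-node list and a reverse-DNS hostname that advertises the relay) are easy to turn into a log-enrichment step. The following is an added example, not code from the thread or from the Tor Project. The exit list text, the PTR records and the access-log lines are all constructed; the format of `SAMPLE_EXIT_LIST` mimics the one-address-per-line bulk exit list the Tor Project publishes at https://check.torproject.org/torbulkexitlist, and `sample_ptr_lookup` stands in for a real reverse-DNS query (`socket.gethostbyaddr` in a live deployment). The result is a risk tag per request, not a block decision: as the thread notes, Facebook deliberately serves Tor users.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Set

# Constructed sample in the shape of a Tor bulk exit list (one address per
# line, '#' comments allowed). None of these are real relays.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real exit relays
203.0.113.7
203.0.113.42
198.51.100.9
not-an-address
"""

# Constructed PTR records standing in for reverse-DNS answers. Many exit
# operators name their hosts with "tor" or "exit"; this is only a hint.
SAMPLE_PTR: Dict[str, str] = {
    "203.0.113.7": "tor-exit-7.example.net",
    "198.51.100.9": "exit.relay.example.org",
    "192.0.2.5": "dsl-customer-5.example.com",
}

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2020:12:00:01 +0000] "POST /login HTTP/1.1" 200 512
192.0.2.5 - - [10/Jun/2020:12:00:02 +0000] "GET /home HTTP/1.1" 200 1024
198.51.100.9 - - [10/Jun/2020:12:00:03 +0000] "GET /messages HTTP/1.1" 200 2048
203.0.113.42 - - [10/Jun/2020:12:00:04 +0000] "POST /messages HTTP/1.1" 200 64
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TOR_PTR_RE = re.compile(r"\b(tor|exit)\b", re.IGNORECASE)


def parse_exit_list(text: str) -> Set[str]:
    """Load an exit list, ignoring blanks, comments and malformed entries."""
    exits: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # one bad line must not discard the whole list
    return exits


def ptr_looks_like_tor(hostname: Optional[str]) -> bool:
    """Heuristic: does the reverse-DNS name advertise a Tor relay?"""
    return bool(hostname and TOR_PTR_RE.search(hostname))


def classify_ip(ip: str, exits: Set[str],
                ptr_lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Return the independent reasons an address looks like a Tor exit."""
    reasons: List[str] = []
    if ip in exits:
        reasons.append("listed-exit")
    if ptr_looks_like_tor(ptr_lookup(ip)):
        reasons.append("ptr-hint")
    return reasons


def tag_log(log_text: str, exits: Set[str],
            ptr_lookup: Callable[[str], Optional[str]]) -> List[dict]:
    """Enrich each parsable log line with its Tor reasons (possibly empty)."""
    tagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not treated as Tor
        tagged.append({"ip": m["ip"], "path": m["path"],
                       "tor_reasons": classify_ip(m["ip"], exits, ptr_lookup)})
    return tagged


def sample_ptr_lookup(ip: str) -> Optional[str]:
    """Offline stand-in for socket.gethostbyaddr(ip)[0]."""
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    for row in tag_log(SAMPLE_LOG, parse_exit_list(SAMPLE_EXIT_LIST),
                       sample_ptr_lookup):
        print(row)
```

Keeping the two signals as separate reasons matters in practice: the exit list is authoritative but lags relay churn, while the PTR hint catches recently added relays and also produces false positives, so downstream rules can weight them differently.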
> As I understand it knowing that someone is using Tor is usually trivial
Yeah, Facebook almost certainly receives a lot of attempted traffic from those relatively few TOR exit node IPs, so I'm sure part of their system is aware that they are effectively proxy IPs.
Where did you get that they used a Tor 0day? I don't see it in the vice or schneier articles, I only see mentions of a "Tails exploit"...
Anyway, of course it isn't proven, but I would be extremely surprised if said 3-letter agencies even needed a 0-day exploit to identify a Tor user...
Needing Facebook and a consulting firm to find a vulnerability in a video player? Come on, I would find it more credible that they used a consulting firm to choose which exploit to use, if they could use all those available to the various agencies... :)
You are correct. I have no evidence of a TOR 0day.
I think I inferred what I said from this quote:
> Several FBI field offices were involved in the hunt, and the FBI made a first attempt to hack and deanonymize him, but failed, as the hacking tool they used was not tailored for Tails. Hernandez noticed the attempted hack and taunted the FBI about it, according to the two former employees.
> Facebook had tasked a dedicated employee to unmasking Hernandez