[thephyber]

Other articles on this topic described that they had hired at least one full time employee just to track this one malicious user. I'm sure they also have additional fractional costs for legal, moderation, administration, PR, government oversight, and lobbying. They might even have legal liabilities to the victims (not sure).

They previously worked with the FBI to try and trap this malicious user with a TOR exploit that didn't work against Tails where the malicious user saw the effect and mocked his investigators.

The $0.5million reportedly spent for the Tails 0day seems like it might actually be proportionate (perhaps even affordable) to the costs they incurred. I'm typically pretty skeptical of the costs the FBI and large corporations assign to corporate hacks or copyright theft, but this seems like it carries legit risk if FB doesn't try to do a lot to disable these malicious actions on their platform.

[g-b-r]

I'm sure it was proportionate to the costs they incurred, but I doubt it's really necessary to spend so much money to find an exploit in Tails, I imagine a single good hacker would be able to find another one at most in few weeks of dedicated work

[g-b-r]

I now noticed that you mention a TOR exploit here too, as said at https://news.ycombinator.com/item?id=23545331 I wasn't able to find references to that

[thephyber]

I think I inferred what I said from this quote:

> Several FBI field offices were involved in the hunt, and the FBI made a first attempt to hack and deanonymize him, but failed, as the hacking tool they used was not tailored for Tails. Hernandez noticed the attempted hack and taunted the FBI about it, according to the two former employees.

No evidence that it was a TOR exploit, but I interpreted it that way because they FBI and Facebook would most certainly have known he was using TOR from his exit IP rotating frequently and FB explicitly supports a TOR server hostname.

[g-b-r]

I think it's more likely that they used something targeting the browsers, maybe with 0-days maybe not.

But it doesn't seem to me that the FBI put much effort into this whole thing, maybe it was more a concern for Facebook than for them.

As I understand it knowing that someone is using Tor is usually trivial, the exit nodes normally set a reverse DNS record that signals it and there are exit nodes blacklists

[thephyber]

> As I understand it knowing that someone is using Tor is usually trivial

Yeah, Facebook almost certainly receives a lot of attempted traffic from those relatively few TOR exit node IPs, so I'm sure part of their system is aware that they are effectively proxy IPs.