Transcript Shows Why a Judge Ordered the FBI to Reveal Its Mass Hacking Malware

“You say you caught me by the use of computer hacking, so how do you do it? How do you do it? A fair question.”

by Joseph Cox
Feb 24 2016, 5:30pm

Last week, a judge ruled that defense lawyers in an FBI child pornography case must be provided with the full code of the malware used to hack their client's computer, including the exploit used to bypass the security features of the Tor Browser.

But the reasoning behind that decision was focused on anything but the technical elements of the case. According to a transcript of the relevant hearing, judge Robert J. Bryan boiled the issue down to its more fundamental, constitutional elements.

"Much of the details of this information is lost on me, I am afraid, the technical parts of it, but it comes down to a simple thing," Bryan said. "You say you caught me by the use of computer hacking, so how do you do it? How do you do it? A fair question."

"And the government should respond under seal and under the protective order, but the government should respond and say here's how we did it," he continued.

The hearing was in response to a third motion to compel discovery filed by the defense of Jay Michaud, a Vancouver public schools administration worker. Michaud was arrested after the FBI seized 'Playpen', a hugely popular child pornography site on the so-called dark web.

Instead of shutting the site down straight away, however, the FBI briefly ran it from their own servers in order to deploy a network investigative technique (NIT)—the agency's term for a hacking tool.

This NIT launched against any user who visited specific threads of the forum, according to an FBI Special Agent who worked on the investigation, and the malware sent the targets' IP address, MAC address, operating system and architecture, the computer's username, and some other technical information.

Motherboard found that computers as far afield as Greece, Chile and likely the UK have been infected.

Since September, Michaud's lawyers have been trying to get access to the full NIT code. In January, they received some, but it was incomplete, missing, amongst other things, the section that would ensure that the identifier issued to Michaud's NIT-infection was unique, and the exploit that was used to bypass his web browser. This information is necessary for determining whether the NIT carried out other actions beyond those mentioned in the government's description of the code, the defense has said.

In filings and hearings, the Department of Justice has said that the defense has declined discovery that would allow them to verify the accuracy of the information gathered by the NIT, and that the requested discovery has no bearing on the huge collection of child pornography found on the suspect's USB thumb drives and mobile phone.

Regardless, judge Bryan felt it was important that, at bottom, the defendant still gets the opportunity to find out more about how he was identified.

"So, you know, I guess what I am saying is that this whole thing didn't seem that complex to me," he said.
