Report: Facebook Helped the FBI Exploit Vulnerability in a Secure Linux Distro for Child Predator Sting
A very interesting case. It all starts with a "good intention" (catching a paedophile; it could just as well have been terrorists), but it leads, on the one hand, to Facebook behaving like a state and, on the other, to weaker security for activists, journalists and other users of highly hardened systems.
Facebook security personnel and engineers helped the FBI track down a notorious child predator by helping a third-party company develop an exploit in a security-focused version of the Linux operating system, Tails, per a Wednesday report by Vice. But they did so quietly and without notifying the developers of Tails afterwards of the major security flaw, potentially violating security industry norms while handing over a surveillance backdoor to federal agents.
Facebook had tasked a dedicated employee with unmasking Hernandez, developed an automated system to flag recently created accounts that messaged minors, and made catching Hernandez a priority for its security teams, according to Vice. They also paid a third-party contractor “six figures” to help develop a zero-day exploit in Tails: a bug in its video player that enabled them to retrieve the real I.P. address of a person viewing a clip. Three sources told Vice that an intermediary passed the tool on to the FBI, who then obtained a search warrant to have one of the victims send a modified video file to Hernandez (a tactic the agency has used before).
There’s no clear evidence as to whether the FBI knew the exploit was developed in part by Facebook, leading one to wonder how forthcoming it was planning to be about its involvement. There are also obvious ethical issues with developing exploits in another company’s product, especially Tails, which was designed with the security of users including reporters, whistleblowers, stalking victims, and political activists in mind.
Facebook also never notified the Tails team of the flaw—breaking with a long industry tradition of disclosure in which the relevant developers are notified of vulnerabilities in advance of them becoming public so they have a chance at implementing a fix. Sources told Vice that since an upcoming Tails update was slated to strip the vulnerable code, Facebook didn’t bother to do so, though the social media company had no reason to believe Tails developers had ever discovered the bug.
Some of the current and former Facebook employees aware of the decision to help the FBI were critical, with one telling Vice that the “precedent of a private company buying a zero-day to go after a criminal” was “fucked up” and “sketchy as hell.” Others told the site it was a decision made of last resort that doesn’t set a precedent, with one saying it was the “right thing” to do and other companies would not be willing to “[spend] the amount of time and resources to try to limit damage caused by one evil guy.”