Naked Security

Firefox users left feeling vulnerable as judge keeps Tor hack under wraps

Millions of users of Mozilla’s Firefox web browser may be at risk, thanks to a ruling handed out by a federal judge on Monday.

US District Court Judge Robert J. Bryan rejected Mozilla’s request to force the government to reveal a vulnerability that, the company believes, the FBI exploited as part of its investigation into child pornography.

Hunting down suspects

As part of that investigation, the FBI operated a child porn site on the anonymous Tor network called Playpen for almost two weeks in early 2015.

Websites on the Tor network, known as .onion sites, are normally accessed using a modified version of Firefox called the Tor Browser. Users and sites on the Tor network don’t reveal their IP addresses to each other, so that neither side’s location can be identified.

During the fortnight that they operated Playpen, the agency used a so-called “network investigative technique” (NIT) to identify the website’s users. Computers visiting the site were unwittingly infected with code that could reveal their IP address, defeating the anonymity afforded by Tor.

A defense built on the vulnerability

The ruling is part of a case involving defendant Jay Michaud, a schoolteacher and one of 137 people facing US charges in connection with Playpen. Judge Bryan ordered the government to turn over information on the software flaw to Michaud’s defence team back in February.

The team wanted the details to help build his defence after a US federal judge threw out a case against another Playpen suspect, ruling that the FBI’s NIT warrant was improperly granted by a federal magistrate judge for a case outside her jurisdiction.

Fixing the flaw

Eager to fix the software bug, on 11 May 2016 Mozilla asked Judge Bryan to order the government to disclose the vulnerability to them at least two weeks before revealing it to Michaud, so it could patch the code. It argued that millions of users could be at risk once the vulnerability was revealed.

In the meantime, however, government prosecutors had sought to reverse Judge Bryan’s order, citing national security.

Last Thursday – a day after Mozilla filed its motion – Judge Bryan decided to reverse his original decision. That meant prosecutors – i.e. the government – no longer needed to disclose details of the vulnerability to Michaud … or Mozilla. Reuters commented:

Bryan on Monday said that made Mozilla’s request moot, adding it “appears that Mozilla’s concerns should be addressed to the United States.”

Keeping users secure

Mozilla has not given up. Reuters reports that Mozilla said in a statement that it would argue to the government that…

…the safest thing to do for user security is to disclose the vulnerability and allow it to be fixed.

We’ll just have to wait and see what comes next in this saga. After all, it’s still unclear whether Firefox actually has a vulnerability; it’s not known whether the flaw exploited by the FBI is in the Tor code or in Firefox’s code base, although Mozilla has commented on its blog:

Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser.

Whether Firefox has a flaw or not, its millions of users won’t feel safe until the situation is clear and any holes have been plugged.

5 Comments

When it comes to whether the law protects the government or citizens, let this decision leave no doubt: it ain’t you.

I have no sympathy for Mozilla because they forced their CEO, Mr Brendan Eich, to resign merely because they didn’t like a political organization to which he donated. He wasn’t disrupting the business by being flagrant about it, nor was he abusing his position to further his views. Unfortunately, liberals in so-called developed countries such as the United States and the Greatness of Britain say they are for freedom of speech, but really seem only to allow it for themselves while harming anyone who has different views.

off the main topic but inspired by TFA…

Yes–legal technicalities are in place to prevent abuse of suspects before proven guilty, but if a teacher (*a teacher*) is observed with a hand in this particular cookie jar it’s really really tough to stand by principles simply because they are correct.

“You were caught with photos of naked children, but maybe it’s okay if we can prove they caught you unfairly this time.” Not all attorneys suck, but any who have uttered that phrase sure do.

Even to go completely Kum Ba Yah and say “this guy can’t help that he’s attracted to kids, he’s only drawn that way” (let’s save that volcanic can-o-worms for another day), he should’ve chosen a career to keep him as far away from children as possible (Antarctic weather researcher) instead of daily contact with kids who are already vulnerable enough to require counseling.

Fry him! Then give Firefox their code back.

“In the meantime, however, government prosecutors had sought to reverse Judge Bryan’s order, citing national security.”

The magic words are “national security.” Government prosecutors know that merely uttering them – no proof required – will convince any judge to rule in favor of the government.

Even as a retired officer, I cannot accept police distributing child porn, then prosecuting those who’ve ended up with it. Distribution usually includes longer prison times than for simple possession charges. They need to be prosecuted, as they have broken the law, and not all of it could have been recovered. They have violated the law; using the “we violated it to catch them” phrase is no excuse. It could also be argued that THEY set the hook for child porn addiction, making it more easily available. I’m glad there is no shortage of ‘hang him’; hope you never get caught up in some crap like this, others will be as caring towards you… If you want to stop child porn and those that are addicted to it, you have to stop it before it starts, meaning that the parents are usually involved in propagating this behavior. You cannot legislate morality, and when someone knows that if they say anything about it they are looking at prison time, it’s kept quiet. Unless they come in for help, it will never stop. Imprisonment is not the sugar to catch them with. Some will be saddled with this for life. They must understand what they leave with a child after some kind of assault like this: a possible lifetime of devastation. There will always be those that can’t be cured. I used to download blocks of data from USENET, but had to quit because of the child porn that ended up on the computer. It worked for many years; maybe the Feds were distributing it then…
