Facebook Helped Develop a Tails Exploit

This is a weird story:

Hernandez was able to evade capture for so long because he used Tails, a version of Linux designed for users at high risk of surveillance and which routes all inbound and outbound connections through the open-source Tor network to anonymize it. According to Vice, the FBI had tried to hack into Hernandez’s computer but failed, as the approach they used “was not tailored for Tails.” Hernandez then proceeded to mock the FBI in subsequent messages, two Facebook employees told Vice.

Facebook had tasked a dedicated employee to unmasking Hernandez, developed an automated system to flag recently created accounts that messaged minors, and made catching Hernandez a priority for its security teams, according to Vice. They also paid a third party contractor “six figures” to help develop a zero-day exploit in Tails: a bug in its video player that enabled them to retrieve the real I.P. address of a person viewing a clip. Three sources told Vice that an intermediary passed the tool onto the FBI, who then obtained a search warrant to have one of the victims send a modified video file to Hernandez (a tactic the agency has used before).


Facebook also never notified the Tails team of the flaw—breaking with a long industry tradition of disclosure in which the relevant developers are notified of vulnerabilities in advance of them becoming public so they have a chance at implementing a fix. Sources told Vice that since an upcoming Tails update was slated to strip the vulnerable code, Facebook didn’t bother to do so, though the social media company had no reason to believe Tails developers had ever discovered the bug.


“The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls,” a Facebook spokesperson told Vice. “This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice.”

I agree with that last paragraph. I’m fine with the FBI using vulnerabilities: lawful hacking, it’s called. I’m less okay with Facebook paying for a Tails exploit, giving it to the FBI, and then keeping its existence secret.

Another article.

EDITED TO ADD: This post has been translated into Portuguese.

Posted on June 12, 2020 at 6:23 AM18 Comments


Who? June 12, 2020 6:52 AM

@ Bruce

I agree with you. The world is not either black or white, it has a huge gray scale and, sometimes, even really odd colors. As you I am ok with Hernández being captured, but I do not approve at all the steps followed. Actions like this Facebook’s one set a dangerous precedent. They are chasing Hernández today, but may be chasing activists tomorrow.

Who? June 12, 2020 6:58 AM

…chasing activists tomorrow by weakening the industry security, I wanted to write. It is not ethical spending large corporations money developing exploits, nor actively opening vulnerabilities in operating systems, something that Apple, Google or Microsoft can easily do[*] (hopefully Facebook has not his own operating system).

[*] or currently have, as was demonstrated years ago when Microsoft actively removed the patch that broke the Windows 7 update framework from millions of computers.

Somebody Anon June 12, 2020 11:30 AM

@ Who ?

You make an interesting point. It is very relevant to note that this has been a recurring theme in our society, wherein a valid case is made for certain actions but later it has been misused to target people who disagree with the establishment.

“Quis custodiet ipsos custodes”

vas pup June 12, 2020 1:30 PM

@Somebody Anon • June 12, 2020 11:30 AM wrote:
“but later it has been misused to target people who disagree with the establishment.”

I agree with you – that is common practice to keep general population in control utilizing tools developed by smart people.

I just want to point attention of all technical experts developing such tools, create some kind of countermeasure for your own self against your own product developed to the folks in power. History suggested, you never know you could become blacklisted tomorrow by them and be targeted utilizing your own product.

As soon as Facebook is operating globally, who they are going tomorrow to cooperate: FSB, BND, Chinese top LEA (or generally speaking of their version of Stasi?)

traveler June 12, 2020 3:31 PM

Yeah, but who controls the LAW?

In Estonia LEA once abused Finfisher malware,
there was fee access to it and they played around with
it just for FUN, targeting friends, family members etc.

What? June 12, 2020 9:27 PM

They also paid a third party contractor “six figures” to help develop a zero-day exploit in Tails: a bug in its video player that enabled them to retrieve the real I.P. address of a person viewing a clip.

They probably have something similar for other OS’s.

It would explain how they figured out I was accessing Facebook from USA although I was running in a VirtualBox where the host machine was connected through VPN routed from Europe.

Clive Robinson June 13, 2020 12:40 AM

@ ALL,

With regards, the notion that this was a “unique case” or a “special case”[1] and this somehow justified this allegedly “one off” tool development. Let me remind people that this is a “figleaf argument” for “doing bad things” because “we are the good guys” or some other self serving bull for other motives.

The basic flaw in their “unique” or “special” argument is all cases are, special or unique depending on how you look at them, all you have to do is walk around the problem till you find that supposadly unique view, which is not exactly difficult to do. Thus the follow through is that it boils down to “as all cases are unique, then all cases can be treated this way”.

Thus you have to ask the real question as to why Facebook did it, especially when you consider how they started (online abuse of young women).

The usual answer when corporates are involved is “shareholder value” which in the way Facebook has stiched up it’s shareholders must mean that somebody important would have to have been convinced by somebody else quite senior. Thus could not only see a big big loss in the near future, they would also be shown a “solution” to the problem.

Thus I suspect that the real reason Facebook did this was they did a cost-benifit analysis and went with the profit. That is they could see major bad publicity heading their way, at a time when political preasure was mounting and they just wanted it to go away before it cost them big… And a senior person gave a “gift wrapped idea” as a potential solution along with costings etc.

But the cost-benifit analysis could only be done, after someone with sufficient technical knowledge proposed the action to make the gift wrapped solution possible. Others would then need to “scout out” suppliers etc, which would require a lot of technical input. Thus the motives and morals of the technical people involved are a distinct factor[2]. Thus brings into question the realisation of someone thinking “this would be neat” etc.

As security proffessionals people have to learn to seperate out the fact that policy is in place for a reason, often legal and not to be waived for some “corner case” argument. Because once you put your toe over that line there is no going back. What was only acceptable for “corner cases” becomes acceptable for “edge cases” then “minor cases” then as “general policy for all cases irrespective”.

One of the ways you “coerce people” often gets termed as “MICE” by field operatives. You find a persons weakness and you play on it to get them to do something inline with those beliefs. You then use that to leverage up to the point you have the ability to blackmail the person into doing things that they know are not just wrong but would otherwise condemn others for with a vitriolic voice and pitch fork.

Facebook will find out at some point that their hands are nolonger clean, and thus others will know that their convictions are cheap and voided with a little preasure in the right way.

But consider this from a different view point, one which is not a potential “cause célèbre”, to be turned into a “think of the children” drum beat much beloved by certain political types with a distinctly unhealthy agender for the voting citizen. Thus ask yourself the question, if the US Executive are prepared to go after a single whistleblower with international bribery and coruption, which are both illegal in the US, on a scale beyond that which most could imagine, what do you think they would do with a dirty hands corp like Facebook?

Ignoring for the moment what the suspect in this case did to attract attention[1], consider what he did to try and protect himself and why he failed. His failure at the end of the day was by making unwaranted assumptions about technology. Technology that various people have repeatedly warned about on this blog for years.

Unlike most people this suspect’s actions were not “spur of the moment”, he knew what was likely to happen to him if he was caught. Thus he took what he thought incorrectly were sufficient precautions. Precautions over and above those many think are more than sufficient for whistleblowers (see what journalists put up for their confidential information hotlines, for instance).

In point of fact he was caught via a new version of a known technique that had been used before, for which there are known preventative measures. So the suspect was apprehended due to their own limited OpSec capabilities. Proving once again that not only is OpSec hard, you need a level of knowledge way way beyond that which most are ever likely to have.

[1] We know there are others out there who have done worse, and will continue to do worse if they can see a way to profit by it.

[2] Getting a users computer to reveal it’s IP address whilst being a conceptualy simple idea is one fraught with technical difficulties which makes it chalanging at the very least. In fact many had assumed it was effectively impossible untill a few years ago when it was first used against a Tor based user. Such technically challenging activities are “mind candy” to certain types of people and also would look good on a C.V. so the temptation to do this to certain technical types would be irresistible, thus overide things such as ethical and moral considerarions not just for this case but all future cases.

myliit June 13, 2020 6:25 AM

The last live cd I used to use much, w/ or w/o VirtualBox, was a U. S. DoD product called TENS or LPS, public version(s), but mainly the CD.

Based on your threat model, perceived or real, ymmv.

Any equal or better live CDs? … works with 32 bit processors would be nice. In other words, to try to bypass persistence or persistent supercookies.

Tails might be an option if Tor could be turned off. Anybody know how to turn off Tor in Tails, within Tails or outside of Tails? For example, to use Tail’s Insecure Browser without Tor chatter in the background.

Thanks. Any other food for thought or things to consider?

RealFakeNews June 14, 2020 2:30 AM

Why did Facebook foot the bill? If the FBI are investigating, then surely the cost to Facebook should be zero, and not 6-figures + 1 dedicated employee + technical team?

Why are Facebook at the center of a video hack of an unrelated platform at all? Facebook are allegedly just the messenger, not the technical experts for the FBI, nor even the developers of the OS or the video player being exploited.

What am I missing?

Q June 14, 2020 3:25 AM

RealFakeNews says: “What am I missing?”

I think what is missing is that Facebook are trying to learn everyone’s IP address, even if you are using tor, a VPN, a proxy, or whatever. So they develop these spying tricks using JS, images, videos and whatnot to unmask you.

It just so happens that this target was also doing something that most places consider “bad”, and then Facebook can get some publicity for “doing a good thing”.

grima squeakersen June 14, 2020 3:08 PM

@Q re: Facebook trying to learn everyone’s IP address – I don’t doubt this is true, but evidence suggests that they are a long way from everyday success. Otherwise I would expect that they would monetize this ability by targeting ads according to the real IP. I typically browse via a VPN, and the ads that FB insists on force-feeding me are always targeted to the geolocation of the apparent IP address. FB may have a few experts capable of doing what this article suggests they did for the FBI (or maybe they just got lucky, or maybe it’s just self-aggrandizing FUD) but I have never seen anything to indicate that the average FB IT drone is at all competent.

Norman Wald June 15, 2020 8:25 AM

Personally, I think that the fact that so much of our political speech now takes place on privately-owned platforms like Facebook, and so has no 1st amendment protections, poses far more danger and “ethical issues” than breaking TAILS in order to catch a perp.

If you’re clear about your values, episodes like this don’t bother you. And the increasing meaninglessness of “free speech” does.

Btw, for anyone that thinks the problem is “hopeless,” there is plenty of legal precedent for protecting speech on private property. See e.g. Marsh v. Alabama, 1946.

ketchum June 15, 2020 8:33 AM

So what I hear you saying is that he used his OWN NETWORK in order to commit crimes.

No matter what, that’s just dumb. Especially when it’s so easy to use someone else’s network (coffee shop, hotel, open wi-fi, whatever.)

attribution June 15, 2020 3:06 PM

Bruce, why are you linking to Gizmodo which is just paraphrasing the original Vice article?

Oliver Jones June 16, 2020 7:58 AM

Nobody can keep a secret forever, not even a state actor with unlimited funding. Nobody.

When will large orgs and state actors with unlimited funding figure this out? It has certainly been demonstrated to them with clarity.

The easiest way to avoid trouble is to refrain from gathering secrets. If you don’t have it, nobody can exfiltrate and misuse it.

Necessary secrets should be as innocuous as they possibly can be. One-time payment card tokens? reasonably innocuous. Exploits? No.

John Morris June 16, 2020 3:33 PM

This isn’t the first time this class of exploit has been successful against TOR or even VPNs.

The only solution is to make sure the browser CAN’T give up the real IP by ensuring it does not know. So you need at least two VMs. One runs a router, keep it simple and make it OpenWrt. It connects to the the VPN. The second VM only sees a network with itself and the router which hands out a 192.168.x.x address. The TOR Browser can run on that VM and it has no real chance to learn it’s “real” IP, only the VPN exit point. Since the base PC isn’t sharing the VPN there isn’t a chance of a tracking beacon on a browser there tying the two together.

Clive Robinson June 16, 2020 10:13 PM

@ John Morris, ALL,

This isn’t the first time this class of exploit has been successful against TOR or even VPNs.

Yup, more than one or two times though the FBI throwing money at the problem may be the time most remember.

The only solution is to make sure the browser CAN’T give up the real IP by ensuring it does not know.

Unfortunately that is not the only thing you have to do.

The browser contains other information that can be “got at” by the same sort of malware implant. This can in some cases give rise to identifing information becoming available to the attacking entity.

Thus you need to “ensure the machine is clean” with modern systems this can be difficult. However you can build from old parts a machine without any semi-mutable memory that you then boot up from an CD/DVD that is not writable to.

However it is not just theoreticaly possible for the malware implant to read memory you do not wish it to, it can also write to semi-mutable memory such as Flash ROM inside the multitude of System on a Chip (SoC) I/O controlers.

Semi-mutable memory can be found in use for the BIOS, Hard Drive control circuits, USB / Thumb Drive control circuits through most I/O cards of PCI level or above complexity, some keyboards, and even SoC’s in laptop and smart device batteries.

You have to go back to motherboards and I/O cards that are around a quater of a century old to avoid the “Flash Trap”.

But you can mitigate it in some more modern computers by reflashing the chips after every use with a suspect service. Which realy means that you should not visit the suspect service very often as such Flash memory only has a very limited number of write cycles (some microcontroler Flash memory is only guaranteed for a hundred or so write cycles.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.