Is there such a thing as good malware?
The FBI would argue that there is, if they are the ones who created it.
The origins of the case date back to February 2015, when the FBI seized control of a child sexual abuse website called Playpen.
You might have expected the FBI to shut down the site immediately. But instead, rather sneakily, they chose to continue to make the site available from a government server, planting code that could grab identifying information about computers – such as IP addresses – used by the site’s users, as well as downloading malware to their computers.
What makes that particularly interesting is that Playpen was on the dark web, and its users were attempting to remain anonymous by using Tor to cover their tracks.
That’s all very well and good, but when the FBI refused to share details of how it had managed to exploit Tor with a “Network Investigative Technique” (NIT) to discover the identities of alleged paedophiles, a judge threw out the evidence.
Now, as Julian Sanchez noted on Twitter, the FBI has claimed in a legal brief that its code simply isn’t malware.
As William Turton at Gizmodo reports, the FBI is bristling at the suggestion that its malware could in any way be considered.. umm… malware:
Obviously, the FBI is not pleased with any suggestion that what the agency may have done is wrong or that its malware wasn’t above board. In fact, the FBI is saying, well, it couldn’t possibly be malware because FBI agents are the good guys! Hmmmmmmmmm.
If you didn’t know, malware is just short for malicious software. Now, the FBI is trying to dispute what it really means.
The definition of malware has nothing to do with who might have created it. It’s to do with its function. Malicious software is simply code which does something that is designed to do something without the authorisation of the computer’s owner. Quite often that will include stealing information or invading a user’s privacy – something which clearly (regardless of whether you agree with its intentions or not) the FBI’s code did.
Look at it this way.
Code is just code. If the same snooping code were to spread by a stalker or internet fraudster as was used by the FBI, it’s code remains the same. How could you say that code which is byte-for-byte identical can be malware in one case and not in another? If you want to take it to its logical extreme, how should anti-virus software handle situations where sometimes the same piece of code might be spread by a criminal and in others it is planted by someone wearing a policeman’s uniform?
I understand that the FBI may very well wish to keep the details of its Tor exploit under wraps – no doubt they are keen to use it again and again.
But as long as a vulnerability exists, and code to exploit it, opportunities remain for malicious attackers to use the same security hole to invade the privacy of innocent, law-abiding members of society.
None of us wish to obstruct investigations into alleged child abuse by law enforcement agencies.
But we do all want to feel that the software we are using to protect us from criminals online is working safely, and not riddled with security holes that have been left unpatched.
Because it’s a grave error if the very people who are supposed to be protecting us are deliberately not sharing details of security vulnerabilities with those best placed to fix them.