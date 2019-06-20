[...] Modern security and privacy tools like Tor and the Tails distribution are amazing and potentially extremely useful. Journalists, protesters, and even whistleblowers find legitimate use for the tool set. However, Every once in a while a story forces us to look straight into the ugly face of the dark side of the net. In this case, it’s a predator that used Tor to stalk and harass teenage girls on Facebook, and extort compromising photographs out of them.

The reason we’re talking about this case is that Facebook went to the extreme of hiring a security firm to develop an exploit specifically for their anonymous stalker. They found a zero-day in the Tails video player, and developed a full de-anonymyzing attack. Facebook then handed the attack over to the FBI, who used it to finally catch Buster Hernandez.

It’s still unknown what the zero-day exploit was precisely, as disclosure never happened. Apparently the flaw was eventually removed from Tails through the process of normal updates, and never publicly identified as a vulnerability. It’s not entirely clear how long the FBI was in possession of the tool before the flaw was patched. It’s reasonable to suspect that it was used in other cases, though it’s not likely we’ll find out any time soon.

Was Facebook right to go to such extreme lengths to help capture a criminal who was abusing their platform?