Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Federal judge rejects Mozilla's demand to see bug in Tor browser

Gregg Keizer | May 20, 2016
Mozilla wants to know about vulnerability so it can patch Firefox; judge tells Mozilla to talk to the government. Good luck with that.

A federal judge earlier this week rejected a request by Mozilla that the U.S. government provide it with technical information about a vulnerability in the Tor browser, which is based on Mozilla's Firefox.

Last week, Mozilla filed a motion with a federal court in Seattle asking U.S. District Judge Robert Bryan to force authorities to disclose the Tor browser vulnerability to Mozilla before revealing the bug to others, including the defendant in an ongoing case who was charged with visiting a child pornography website.

"If the Court determines that the Exploit takes advantage of an unfixed vulnerability in Firefox, disclosure to any third parties, including the defendant, before it can be fixed may threaten the security of the devices of Firefox users," Mozilla's lawyers argued in a May 11 motion.

More than 100 were identified by the FBI as visitors to a child pornography site, including the case in question's defendant, Jay Michaud. The FBI used what it called a "network investigative technique," or NIT, to track visitors to the site, which was masked by the Tor network. The FBI traced visitors who had used the Tor browser by exploiting an undisclosed vulnerability in the browser.

Mozilla wanted to know whether the bug was also in Firefox, and if so, wanted the necessary information to patch the vulnerability. The organization argued that it should be allowed to intervene in the case, or failing that, be allowed to participate as an amicus curiae, or "friend of the court."

Judge Bryan put the kibosh on Mozilla's request.

"That the plaintiff is not required to produce the requested discovery apparently makes Mozilla's Motion to Intervene or Appear as Amicus Curiae moot," Bryan ruled on Monday. "Mozilla's concerns should be addressed to the United States [government] and should not be part of this criminal proceeding."

The case has been confusing of late.

After Michaud's lawyer demanded access to the NIT last year, Bryan originally ruled that the defendant had a right to see the exploit's source code. But the government objected, and in a closed-door session this month, convinced the judge to reverse himself.

"The Court ruled orally that the government had made a sufficient showing and was not required to disclose the entire N.I.T. code to the defendant," Bryan wrote.

Yesterday, however, Bryan issued another ruling that essentially said he was caught between a rock and a hard place.

"The defendant has the right to review the full N.I.T. code, but the government does not have to produce it," Bryan noted in a May 18 order. "Thus, we reach the question of sanctions: What should be done about it when, under these facts, the defense has a justifiable need for information in the hands of the government, but the government has a justifiable right not to turn the information over to the defense?"


1  2  Next Page 

Sign up for CIO Asia eNewsletters.