Facebook paid for Tails exploit to bust a child predator.
Motherboard reports that Facebook paid a third-party cybersecurity firm six figures to develop a zero-day exploit in Tails, a Tor-using Linux distro, in order to help the FBI track down a child predator. The predator, Buster Hernandez, was charged in 2017 and pleaded guilty to forty-one federal charges earlier this year, including eight counts of production of child pornography, three counts of coercion and enticement of a minor, ten counts of threats to kill, kidnap, and injure, four counts of threats to use an explosive device, and two counts of retaliation against a witness or victim.
Facebook had been tracking Hernandez for years, and some employees called him "the worst criminal to ever use the platform." The FBI was also hunting him, but was unable to deanonymize him since its hacking tools weren't designed for use against Tails. Facebook's security team—at the time led by Alex Stamos—retained a cybersecurity consulting firm to create an exploit for a zero-day flaw in the Tails video player that would expose the IP address of a user watching a video. Facebook then gave the exploit to the FBI through an intermediary, and the FBI succeeded in identifying Hernandez.
The decision was apparently extremely controversial within Facebook, but the company went ahead with it in light of the depravity of Mr. Hernandez's crimes. Facebook didn't report the flaw to Tails even after Hernandez had been identified because the Tails developers inadvertently removed the vulnerable code soon afterward, rendering a disclosure unnecessary. A Facebook spokesperson told Motherboard, "The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls. This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice."
For more, see the CyberWire Pro Privacy Briefing.