Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

NSA Agents Leak Tor Bugs To Developers

Soulskill posted about 2 months ago | from the right-hand-thinks-the-left-hand-is-a-jerk dept.

Encryption 116

An anonymous reader writes: We've known for a while that NSA specifically targets Tor, because they want to disrupt one of the last remaining communication methods they aren't able to tap or demand access to. However, not everybody at the NSA is on board with this strategy. Tor developer Andrew Lewman says even as flaws in Tor are rooted out by the NSA and British counterpart GCHQ, other agents from the two organizations leak those flaws directly to the developers, so they can be fixed quickly. He said, "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software." Lewman estimates the Tor Project receives these reports on a monthly basis. He also spoke about how a growing amount of users will affect Tor. He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

Sorry! There are no comments related to the filter you selected.

Why Facebook or Google? (4, Funny)

coldBeer (697138) | about 2 months ago | (#47728589)

When the NSA is plugging holes for you...

Re:Why Facebook or Google? (1)

Anonymous Coward | about 2 months ago | (#47729819)

Because that would be like trusting the fox to the hen house.

Re:Why Facebook or Google? (0)

Anonymous Coward | about 2 months ago | (#47729865)

I think you a word.

Re:Why Facebook or Google? (0)

Anonymous Coward | about 2 months ago | (#47733087)

Or he word a switched.

There's always reading it as "Because that would be like trusting the hen house to the fox."

Granted, the edit distance is larger...

Re:Why Facebook or Google? (3, Interesting)

Bill, Shooter of Bul (629286) | about 2 months ago | (#47733269)

Cause the NSA ain't providing code, bandwidth, or servers to scale the system to millions of users. Google and Facebook have the knowledge and resources to actually do it, if they want.

But yeah, its a pretty dumb hope. They don't want you to have any anonymity as it is.

I think it would be cool if some one were to design a cryptocurrency wherein the proof of work was somehow related to the number of connections proxies. So mining would actually be providing anonymity to those who needed it and their would be an incentive to provide service. However that trick of providing indisputable proof of work, while not reveling the traffic or inbound/outbound connections might be a bit tricky to get right.

Re:Why Facebook or Google? (0)

Anonymous Coward | about 2 months ago | (#47733385)

That would be GCHQ AKA Gay Cock Headquarters. As we all know, most Brits are homosexuals.

Re:Why Facebook or Google? (2)

Burz (138833) | about 2 months ago | (#47733401)

Of course, it won't work.

OTOH, Skype and Bittorrent had successful models for scaling up: People were configured by default to add their bandwidth to the pool. In bittorrent's case, your throughput suffered if you were stingy about contributing.

I2P is probably the closest networking layer [geti2p.net] there is to combining the goals of Tor with the methods of Skype and bittorrent. It is both highly decentralized and onion-like, and has been steadily improving for well over a decade now. If you happen to have a TAILS disc, its included. However, its not designed to access the regular Internet so much as replace it.

Yes Google and FB are the ones to protect us? (5, Insightful)

JeffOwl (2858633) | about 2 months ago | (#47728629)

He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

Re:Yes Google and FB are the ones to protect us? (3, Funny)

geekmux (1040042) | about 2 months ago | (#47728721)

He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

"Here's some bugs we've fixed for you guys. Trust us."

Oh yeah, because the current debug team we can trust so much...

Re:Yes Google and FB are the ones to protect us? (2)

Opportunist (166417) | about 2 months ago | (#47729229)

It's a matter of your history. Who'd you trust your child to? A babysitter who spent hundreds of hours and has hundreds of people vouching for her or that scary looking hobo at the corner? Who'd you trust your privacy with? An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on?

Re:Yes Google and FB are the ones to protect us? (5, Funny)

xvan (2935999) | about 2 months ago | (#47731071)

An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on.

Mmm... I don't know which applies to google and which to the NSA....

Re:Yes Google and FB are the ones to protect us? (2)

flayzernax (1060680) | about 2 months ago | (#47729331)

Seriously I'm all for conspiracy FUD, but this seems legit. Who says everyone is in agreement on the same team? It's project where the code is visible to be scrutinized. This means that whoever is submitting back code is submitting good bug fixes. TOR developers aren't morons.

Re:Yes Google and FB are the ones to protect us? (2)

gwolf (26339) | about 2 months ago | (#47729393)

I happen to know a highly skilled person working as a security analist. He says his main customer for 0days is the NSA – But this friend has an independent mind and concience (he is not a NSA person, just an outside contractor). I know for a fact he also has worked voluntarily to make the world a better place (i.e. with the "good guys").
I guess my friend is not the only such analyst. If people like him can sell their work and (in full or in part) leak part of his findings to the underground, privacy-minded networks... Well, I'm sure he will do so.
And after all, people with such skillset do know how to remain under cover.

Re:Yes Google and FB are the ones to protect us? (0)

Anonymous Coward | about 2 months ago | (#47729695)

:D

Re:Yes Google and FB are the ones to protect us? (1)

CaptainDork (3678879) | about 2 months ago | (#47730469)

For reference, see Manning and Snowden.

Re:Yes Google and FB are the ones to protect us? (1)

niftymitch (1625721) | about 2 months ago | (#47730697)

I happen to know a highly skilled person working as a security analist. He says his main customer for 0days is the NSA.......

Golly someone connected directly to gwolf has now been outed.
Unless you are Kim Kardashian with 23 million followers a zero
level direct connection might well be an individual name.

Further with 23 million followers for Kim; 600,000 for Robert Scoble;
83,000 for /. ; 42 million for B. Obama.... we are all connected within three
or so degrees of K Bacon

Re:Yes Google and FB are the ones to protect us? (1)

gwolf (26339) | about 2 months ago | (#47731477)

I'm not a social media person, so no, it's neither somebody I follow or somebody followed by me.

I know more than a few people working on security.

And... Yes, I am outing somebody. Somebody who's well known for his activities already, as well as for his skills. And who has never hid them.

Re: Yes Google and FB are the ones to protect us? (0)

Anonymous Coward | about 2 months ago | (#47731663)

Thanks gwolf, checking your friends now.

NSA Bot.

Re:Yes Google and FB are the ones to protect us? (0)

Anonymous Coward | about 2 months ago | (#47733077)

highly skilled person working as a security analist

At the risk of acting half my age... what on earth does this person do? Protect your booty from plunder? :)

Re:Yes Google and FB are the ones to protect us? (1)

niftymitch (1625721) | about 2 months ago | (#47730611)

He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

"Here's some bugs we've fixed for you guys. Trust us."

Oh yeah, because the current debug team we can trust so much...

There are two parts..
      * Here is the bug.
      * Here is a bug fix.

The first has a lot of value in an open source community.
The second if taken with blind faith is a potential disaster.

As a pair the time window for attack can be reduced.

Gifts from the NSA are an interesting thing... Some might be triggered
because they have evidence that others have knowledge of the
flaw and are exploiting it. As the need for human intelligence
grows the need for secure communication increases from individuals
(assets) far afield. In that regard bug disclosures would be self
serving but still be quality fixes the Tor community needs.

One important point to me in terms of global security is that
"actions speak louder than words" and if the TLAs like the NSA
pay attention to global bad actors things might find clarity in contrast
to the thought police reaching out four+ degrees of connectivity
for co-conspirators (almost the entire world today)

Speaking about bad actors... our news media outlets seem to
have abandoned all attempts at quality, completeness and
truth. The web does not have time editorial limitations the way
airtime programming does and unedited content should be available.
It is not obvious how one might edit out the payment for cigars
unless the shop is a source of illegal Cubans for the local big
wigs...

Decades ago news broadcast (Walter Cronkite time frame) news
was a mandate and effectively a cost center not a profit center.
This has gone to stink with the advent of cable and broadcast
outside of the airwaves. But if the FCC can get in the middle
of net neutrality these magazine format sensation and headline
grabbing outlets could find their finances and marketing vastly different.

Re:Yes Google and FB are the ones to protect us? (4, Insightful)

LordLimecat (1103839) | about 2 months ago | (#47728791)

Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government? Or that they cooperate with the EFF, and run ChillingEffects to make people aware of draconian DMCA takedowns?

Everyone's so eager to lynch the one big corporate ally that OSS / privacy advocates have.

Re:Yes Google and FB are the ones to protect us? (1)

linearZ (710002) | about 2 months ago | (#47728929)

Google, Facebook, and the NSA government are nothing more than competing Panopticons. They all want as much of your personal information as they can collect, and they all want to keep it as long as they can.

If one of these organizations is legally battling the other, then you can be sure it is because they feel they should more of your data than the other, not because of a moral imperative.

Re:Yes Google and FB are the ones to protect us? (1)

flayzernax (1060680) | about 2 months ago | (#47729361)

Yes, it's either google or the atnt/bell crew (phone, cable, and ISP corps et all)

Re:Yes Google and FB are the ones to protect us? (0)

Anonymous Coward | about 2 months ago | (#47730515)

Google and Facebook cannot arrest me or otherwise punish me with the impunity that the NSA can. Lesser of two evils. Let the FTC handle the few times Google engages in overreach. This is checks and balances. The NSA has WAY too much power and leverage for any single entity.

Re:Yes Google and FB are the ones to protect us? (1)

Krishnoid (984597) | about 2 months ago | (#47731587)

Google, Facebook, and the NSA government are nothing more than competing Panopticons.

Google provides me with free, high-ish-ly-available:

  • spam-culled email with high-performance web/IMAP access
  • online calendar with shareable events
  • online Office-lite document editing and collaboration
  • phone/text forwarding with online voicemail access and transcription
  • photo management application and storage
  • maps
  • search

as well as sync of all of these with tablets and smartphones for no extra cost. So I'm getting something more from Google than the rest.

Re:Yes Google and FB are the ones to protect us? (1)

drcagn (715012) | about 2 months ago | (#47732545)

Are you really this dense? Why do you think they provide you with these things *for free*? Out of the kindness of their hearts?

They provide all of those things to you so they can mine the data from it.

Re:Yes Google and FB are the ones to protect us? (0, Insightful)

Anonymous Coward | about 2 months ago | (#47728945)

Seeing that the Chicoms aren't in a position to rendition, disappear, or NDAA top level management at Google, big whoop. As for Chilling Effects, another big whoop since Google probably receives 90% of all DMCA takedown requests, which is costly for them.

As for calling the top advertiser on earth a privacy advocate, that is beyond ridiculous.

Re:Yes Google and FB are the ones to protect us? (1)

LordLimecat (1103839) | about 2 months ago | (#47731571)

Google has lost ~1.2 billion customers by their actions in China. They are no longer accessible from mainland china (since May) and VPNs generally work very poorly there.
"Big whoop" that they've lost access to 20% of potential customers and the largest emerging market, right?

Re:Yes Google and FB are the ones to protect us? (4, Insightful)

cshotton (46965) | about 2 months ago | (#47728993)

It would be naive at best to think that Google is the "one big corporate ally that OSS" has. If you want to try and hang that badge on a single company, it's probably IBM. And regardless of the value and quantity of OSS contributions and support, definitely don't make the mistake of thinking that "Google" and "privacy" belong in the same sentence unless it has "doesn't do much to ensure" between those 2 words.

Re:Yes Google and FB are the ones to protect us? (1)

iMySti (863056) | about 2 months ago | (#47730349)

Privacy doesn't do much to ensure Google.

Hey, it works both ways!

Re:Yes Google and FB are the ones to protect us? (0)

Anonymous Coward | about 2 months ago | (#47732903)

I have to laugh. Neither IBM nor Google have your privacy or freedom interests in mind. These companies are purely good at public relations. Before Lenovo bought IBM's PC division they were implementing digital restrictions to take away users freedoms. Google bought one of the most privacy invasive tracking/marketing companies that has ever existed and continues to spy on its partner's users. I don't even think I need to get into what Facebook has done nor Microsoft. Both are nightmares. Microsoft bought and redesigned a decentralized Skype such that there is now a central point at which the NSA can tap (more easily). Facebook takes no serious measures to secure its users data (and every so often its data is dumped and a torrent is available for download) and routinely ignores any reasonable privacy practices. The only thing thing Facebook does is grudgingly react to laws which are passed, and/or going to be passed if they don't *do something*.

Re:Yes Google and FB are the ones to protect us? (-1)

Anonymous Coward | about 2 months ago | (#47729165)

Are you aware that Harold Shipman, one of the most prolific murderers in British history, doesn't kill kittens? Or that, for the majority of his working life, there is no evidence that he murdered /anyone/?

Everyone's so eager to lynch the one mass murderer who also saved a lot of lives.

Re:Yes Google and FB are the ones to protect us? (0)

Anonymous Coward | about 2 months ago | (#47729391)

and now everyone will respond to you as if android vs iphone arguments never existed. fucking slashdot i swear you're mental

Re:Yes Google and FB are the ones to protect us? (2)

houghi (78078) | about 2 months ago | (#47730817)

Nowadays it isn't the Chinese governement you need to worry about.

The issue is that if you rely on companies for your freedom, it is the companies that will get that freedom.

Re:Yes Google and FB are the ones to protect us? (1)

93 Escort Wagon (326346) | about 2 months ago | (#47731507)

Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government?

What are you talking about? Google pretty much capitulated to the Chinese government on all fronts a couple years ago.

Do some DuckDuckGo'ing if you don't believe me. I'd suggest not searching for this using Google, since using that engine for this seems to bury some of the less favorable stories - the ones at the top are the ones that use language refer to Google "reluctantly" giving in.

But in any case there have been multiple instances over the past several years where Google has made noise about standing up to China, then more quietly reversed course months later. But people only seem to remember the original noise, which means Google has an effective PR team.

Re:Yes Google and FB are the ones to protect us? (1)

LordLimecat (1103839) | about 2 months ago | (#47731589)

Google pretty much capitulated to the Chinese government on all fronts a couple years ago.

In 2006, yes (as did Yahoo and Microsoft, a few years earlier). As of 2009, the relationship between the two has become highly antagonistic, with Google refusing to cooperate, and actively undermining the GFW / censorship net in many cases.

Thats why you cant actually visit google.com in China from the mainland these days.

Re:Yes Google and FB are the ones to protect us? (4, Insightful)

mlts (1038732) | about 2 months ago | (#47729149)

Tor needs a PR boost if that ever is going to happen. As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application, because of abuse.

No big company is ever going to touch Tor as it stands right now, because of its reputation as a service for criminals (q.q.v. Four Horsemen of the Infocalypse.)

Blocking exit nodes (1)

phorm (591458) | about 2 months ago | (#47731073)

As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application

And there's plenty of reasons to do so. There's a reason that companies have firewalls that block outgoing connections as well as incoming. Or would you rather they allowed traffic from anonymous internet sources to route through their networks?

Home users are a different story, but I don't see why most corps would want to allow TOR. They have enough issues securing their networks as it is (see: UPS breach).

Re:Yes Google and FB are the ones to protect us? (1)

laffer1 (701823) | about 2 months ago | (#47732341)

It's not just about companies. I haven't used Tor despite my interest in the project because I don't think a court would understand if illegal traffic came from my home internet connection despite me running Tor. Most courts hold the account holder responsible for traffic on their network.

Re:Yes Google and FB are the ones to protect us? (1)

invictusvoyd (3546069) | about 2 months ago | (#47729153)

He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

So that they can punch as many holes as they want in a heavily "scaled" unmaintainable code base

-----------
emesis

Re:Yes Google and FB are the ones to protect us? (0)

Anonymous Coward | about 2 months ago | (#47729381)

Much less hiding anything from Mark Zuckerberg.

Re:Yes Google and FB are the ones to protect us? (0)

Anonymous Coward | about 2 months ago | (#47729429)

Why does Lewman think there is gonna be this huge growth in Tor use? It's not like the average Joe Schmoe user is gonna start using any time soon.

Re:Yes Google and FB are the ones to protect us? (1)

Applehu Akbar (2968043) | about 2 months ago | (#47729677)

If that happens, then everyone who needs to go on swapping terrorist plans or child porn images will move to some new shaky little service. IP over carrier pigeons? Stegged vacation snapshots? Direct-beamed lasers? Lather, rinse, repeat.

FTFY (2)

Cornwallis (1188489) | about 2 months ago | (#47728639)

"Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users as they sell the traversing information to the NSA."

Re:FTFY (0)

Anonymous Coward | about 2 months ago | (#47728809)

"Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users as they sell the traversing information to anyone who will pay for it."

FTFY

Re:FTFY (1)

Cornwallis (1188489) | about 2 months ago | (#47729693)

"Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users as they sell the traversing information to anyone who will pay for it."

FTFY

Touché

Beware of Greeks bearing gifts.... (1)

mrbill1234 (715607) | about 2 months ago | (#47728645)

Beware of Greeks bearing gifts....

Re:Beware of Greeks bearing gifts.... (5, Funny)

Kjella (173770) | about 2 months ago | (#47728689)

Beware of Greeks bearing gifts....

Shouldn't that be "Beware of geeks bearing gifts...." in this case?

Re:Beware of Greeks bearing gifts.... (1)

penguinoid (724646) | about 2 months ago | (#47730087)

No, it's "Beware of Geeks bearing .gifs" goatse.gif [no-im-not-linking-to-it]

Re:Beware of Greeks bearing gifts.... (1)

K. S. Kyosuke (729550) | about 2 months ago | (#47731103)

Beware of Geeks' baring .gifs

FTFY...?

Re:Beware of Greeks bearing gifts.... (1)

jtwiegand (3533989) | about 2 months ago | (#47730399)

Timeo Danaos et dona ferentes. "I fear the Greeks, even though they bear gifts." I believe is the line. It could also be rendered as "I fear the Greeks, especially because they bear gifts," as well. Either way.

Re:Beware of Greeks bearing gifts.... (3, Interesting)

93 Escort Wagon (326346) | about 2 months ago | (#47731579)

Beware of Greeks bearing gifts....

Remember, the NSA is the group that originally gave us Tor. If I was one of the original developers, and I took pride in my work - it is likely I would continue to help the project improve, even if my employer had changed focus.

Also, remember that the NSA is not just one huge monolithic group with only one task on their plate. I find it easy to believe that some folks there question the wisdom of attempting to cripple security (such as they seem to have done with the elliptic curve ciphers). Plus code breakers and cryptographers are, in general, going to be working at cross purposes - it's the nature of their jobs.

Reading source for months... (1)

java_dev (894898) | about 2 months ago | (#47728731)

"You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software."

Come on... NSA undoubtedly has highly developed automated tools for identifying flaws source code, or at least rating the probability of a flaw existing within any section of code so that analysts can focus their time on the areas most likely to produce results.

Re:Reading source for months... (1)

TWX (665546) | about 2 months ago | (#47728915)

Sounds like we need them to go through the Linux Kernel, all of the communications daemons and applications, and the web browsers, and the problems with these could be solved in a few weeks!

Re:Reading source for months... (3, Interesting)

mlts (1038732) | about 2 months ago | (#47729201)

SELinux is a good stab at that. While not 100%, it has helped ensure that a program that manages to get a root context still doesn't have full superuser reign over the system. It isn't simple, but it does a good job at security over previous tools like SUID wrappers.

I wouldn't mind a code review of web browsers and browser add-ons, as those are the first points of contact and generally a primary vehicle for malware to get a foothold.

Re:Reading source for months... (0)

Anonymous Coward | about 2 months ago | (#47728985)

Automated tools can only go so far.

They'd literally need to make machine learning systems throw everything at the code and figure out the best way to deal with the results, because even exploitable results could be hidden in the noise of errors that are useless for exploiting.

Makes me wonder if anyone has tried to throw exploit-finding under a machine learning system. Combine all knowledge of exploits in to it, run it through some programs, see what it finds.
Seems like something you would think they would do, but if they are looking over it manually, likely not.
We do know they use automated tools to find the usual exploits that we all know and love. (Thanks PHP)
Something to think about social monitoring team.

Another Angle (5, Insightful)

Talderas (1212466) | about 2 months ago | (#47728753)

Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

Re:Another Angle (2, Funny)

Anonymous Coward | about 2 months ago | (#47728859)

They probably found tachyons or some shit, knowing them.

Who needs to give a damn about exploiting Tor when you can see the damned future?!

Re:Another Angle (4, Interesting)

jandrese (485) | about 2 months ago | (#47729085)

It's also possible that the NSA is fixing bugs in TOR because their own agents use it for its original purpose.

Re:Another Angle (1)

Opportunist (166417) | about 2 months ago | (#47729263)

Who the hell would the NSA hide their traffic from? If there's anyone able to snoop on the spooks, I bet a few "touch and burn your hand" laws should take care of that.

Re:Another Angle (0)

Anonymous Coward | about 2 months ago | (#47729399)

Sure, no one else in the world is able to do what almighty american NSA can do. 'MURICA 'MURICA 'MURICA

Re:Another Angle (1)

Anonymous Coward | about 2 months ago | (#47729477)

Who the hell would the NSA hide their traffic from? If there's anyone able to snoop on the spooks, I bet a few "touch and burn your hand" laws should take care of that.

If you think that the Chinese secret service cannot spy on the NSA, then I have this bridge I want to sell you.

Re:Another Angle (1)

mrchaotica (681592) | about 2 months ago | (#47729553)

Despite all their Orwellian, unconstitutional acts of treason against the American public, I'm sure the NSA is also still continuing to perform counterintelligence against foreign threats (e.g. the Chinese) like they're supposed to.

Re:Another Angle (0)

Anonymous Coward | about 2 months ago | (#47729119)

From a law enforcement perspective, TOR is a nuisance due to the relative difficulty in identifying competent users, but also a great benefit in knowing where the unlawful behavior is taking place. A couple stings and undercover activities in a location trusted by the criminals will be a much better return on investment than having Google hand over the entire search history of the world for them to sift through.

That's not even taking into account how many NSA employees want a secure TOR so they can browse unapproved web sites when they are supposed to be spying on us.
"I'm collating user data on the darknet, and my pants are off for medical reasons."

Re:Another Angle (1)

AHuxley (892839) | about 2 months ago | (#47729219)

It depends on the US or UK mission. If the US gov wants to support some NGO doing a Colour revolution http://en.wikipedia.org/wiki/C... [wikipedia.org] then the communications and support has to work well over years.
For every other use of online anonymity the US and UK would like to have a way in as now understood with most of the tame telco and banking crypto over decades.
e.g. NSA surveillance: A guide to staying secure http://www.theguardian.com/wor... [theguardian.com] (6 September 2013)
the classic line "... have invested in enormous programs to automatically collect and analyse network traffic"
The US gov and mil can afford do both and keep users guessing. Protect the very well supported "freedom fighters" just enough globally and still collect it all.

Re:Another Angle (0)

Anonymous Coward | about 2 months ago | (#47729303)

I suspect that they get enough information from the metadata to not have to worry about TOR.
Assuming that the network connection is more of a bottleneck than the encryption it should be fairly easy to monitor and endnode to see what input corresponds to the output of interest. If you can follow that information for every node in a TOR network then you don't need a flaw in the TOR encryption, you just need to map the data as it leaves the network to the original host. They don't need even need formal proof, they just need to reduce the number of possible sources to something manageable.
As long as they are sure that they can do that kind of tracing they don't lose anything from making sure that the encryption and implementation is as good as possible.

Another Angle (0)

Anonymous Coward | about 2 months ago | (#47729717)

Just because you are paranoid doesn't mean they aren't after you...

Protecting their investment (1)

penguinoid (724646) | about 2 months ago | (#47730143)

Isn't TOR partially funded by the government? And also used by government agents? It would be really awkward if one of the "let's overthow this government that America doesn't like" movements hidden by TOR traced back to government agents.

Re:Another Angle (1)

tlhIngan (30335) | about 2 months ago | (#47730625)

Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

I think the NSA encourages TOR use, to be honest - they used to, or still run, one of the largest set of exit nodes, for the sole purpose of monitoring traffic. (Most Tor users don't really care about the private tor stuff, they just want their "anonymous facebook" and "anonymous G+" without gubmint spying)

I mean, unless one keeps their traffic solely within the Tor network, monitoring exit nodes quickly becomes a way to identify people and their traffic.

Larger Tor Isn't Necessarily Better (4, Informative)

macromorgan (2020426) | about 2 months ago | (#47728761)

While I love and appreciate Tor as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places Tor. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the Tor network expands the list of exit nodes remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.

Re:Larger Tor Isn't Necessarily Better (2)

mspohr (589790) | about 2 months ago | (#47730917)

Most companies with half a brain have figured out how to block "comment spam".
(I'll give you one free clue: Blocking TOR has nothing to do with it.)

Re:Larger Tor Isn't Necessarily Better (1)

WhoBeI (3642741) | about 2 months ago | (#47731301)

If you are using a well know framework for your site there might already be support for comment spam management. It's not always free as some of them are basically interfaces for a paid service but it may still be worth a look. They would block comment spam in general instead of focusing on comments from a specific set of nodes.

https://www.drupal.org/node/20... [drupal.org]
http://wordpress.org/plugins/s... [wordpress.org]

Re:Larger Tor Isn't Necessarily Better (0)

Anonymous Coward | about 2 months ago | (#47732137)

Mod parent down. There are many ways to destroy a business [wired.com] that are more serious than some comment spam, and these happen with or without a TOR of any size.

OPSEC (5, Insightful)

Noryungi (70322) | about 2 months ago | (#47728783)

If you are a Tor programmer, and if there are really NSA/GCHQ insiders who actually help you to correct bugs... For Pete sake, just keep quiet about it!!!

Now, both agencies will have to initiate a mole-hunting operation, and you will lose these valuable insiders!

On the other hand, it may paralyze these agencies for months, maybe even years, while they try to figure out who has been leaking invaluable bug information back to the Tor project.

So it might be a wash. Either way, it also probably means that people inside the Puzzle Palace and the Donut are beginning to realize that enough is enough, so that is also encouraging.

Sony (1)

goombah99 (560566) | about 2 months ago | (#47728897)

Nah this is just Sony Electronics wanting to leverage their entertainment holdings to sell TVs and PLayers with proprietaty formats while Sony Entertainment wants to maximize sales. Or maybe I got it backward. Anyhow lots of diversified companies have internal conflicts. The IBM PC which uses all non-IBM parts was not made by the primary Computer division at IBM. Samsung also has internal competition with conflicting objectives,

Re:OPSEC (5, Interesting)

Joe Gillian (3683399) | about 2 months ago | (#47728907)

I don't think that these bug reports that the NSA is making are actually leaks. My theory is that these exploits have already been used by the NSA, and are believed to be at the end of their useful life cycle (ie; the NSA suspects that someone else has found the bug and may report it) so they go ahead and report it - it boosts the NSA's image because they're supposedly reporting zero-days, but in reality they're just getting rid of what they don't need anymore.

Re:OPSEC (0)

Anonymous Coward | about 2 months ago | (#47730033)

You could be right, but the TOR developers would see an obvious pattern if so.

Re:OPSEC (2)

IamTheRealMike (537420) | about 2 months ago | (#47730727)

If you RTFA you'll see that Lewman has zero evidence for this assertion. The headline paints it as a statement of fact but in reality all Lewman knows is there are people who appear to be reading the source code and reporting bugs anonymously. That's it. They could be NSA/GCHQ moles. Or, more likely, they could be anonymity fans who like security audit work. They really have no idea.

Re:OPSEC (1)

phorm (591458) | about 2 months ago | (#47731095)

Indeed, it could be people who are using TOR but don't want to end up on an NSA watch-list because they have in-depth knowledge of a tool that's probably not well-received by the NSA...

Re:OPSEC (1)

Vitriol+Angst (458300) | about 2 months ago | (#47730897)

Do you think it's possible that they are also ferreting out the paths an actual mole's information would go through?

However, I think what you say is NOT the reason, because it would mean that the NSA was a crafty and well run organization, with intelligent (yet evil) people at the top, and loyal workers doing their bidding.

An underling wouldn't just DECIDE to reveal this information if they were loyal. And someone at the top would have to be clever and understand a bit of tech to make the order.

What history has REALLY shown us;
While they have great hackers working there, and have found successful exploits. A low level geek "Snowden" was able to uproot their plans for World Domination, because they outsourced things to companies that were driven by profit and greed.

Their leader shot his mouth off a few times in an unwise fashion.

The NSA shows promising signs as a bottom heavy organization with not so intelligent but mean spirited people at the top. The ability to be in charge of such an organization is not the same as the ability to conquer the world.

Re:OPSEC (0)

Anonymous Coward | about 2 months ago | (#47729231)

If you are a Tor programmer, and if there are really NSA/GCHQ insiders who actually help you to correct bugs... For Pete sake, just keep quiet about it!!!

The average Tor programmer is probably not a trained spook and can be expected to make many common tradecraft mistakes outside of their technological area of expertise. For example, letting bits of privileged information slip into casual conversations or failing to be guarded when speaking to the press or even speaking to the press in the first place.

Re:OPSEC (0)

Anonymous Coward | about 2 months ago | (#47729661)

Loose lips sink ships.

Re:OPSEC (1)

Opportunist (166417) | about 2 months ago | (#47729287)

You just gave me a great idea. Why not simply spoof such "leaks" and send the spooks on a wild goose chase?

Re:OPSEC (1)

Vitriol+Angst (458300) | about 2 months ago | (#47730771)

To me it means there are two possibilities;

1) The White Hats are being brazen because they know that the political appointees are not savvy enough to turn them in.

2) The White Hats are foolish, because looking at the type of exploits in Tor revealed would quickly narrow the list of mole suspects.

I seriously doubt #2 is the answer based on the type of person who would find these bugs. So it gives me hope that the "Geeks" are a separate class from the "Suits" and the suits as usual are arrogant political appointees who told the smart guys to "go get us everything" and the poor worker drones had to carry it out. But they are still hackers and they don't like authority like this.

Gives me hope. Fascists tend to promote small minds who follow orders and this is their undoing.

Re:OPSEC (1)

wmansir (566746) | about 2 months ago | (#47731203)

On the other hand if you're a Tor developer interested in disrupting the NSA unit assigned to hack your system why not just say you receive regular leaks from the NSA unit assigned to hack your system.

nice watching their backs (1)

spacerodent (790183) | about 2 months ago | (#47728857)

Guess what departments are going to have to redo their lifestyle polygraphs now!

Not entirely surprising (4, Interesting)

Andy Dodd (701) | about 2 months ago | (#47728877)

The NSA has two directives that often conflict with each other:
1) Protect communications that are critical to our nation's security. This is mostly military/government comms, but they have a role in securing banking and other civilian networks. An example of what comes from this side of the NSA is SELinux - which is now heavily used by Android to provide additional security against malware.
2) Compromise and monitor the communications of our enemies. These guys overstepping their bounds are what has been routinely making the news lately.

While I can't see an obvious reason for the guys in category 1 to want to strengthen Tor, it's possible. (Potentially on behalf of another agency... Think in terms of Tor's use by Chinese dissidents.)

I'm fairly certain the people in categories 1 and 2 don't get along with each other. While in theory their goals should not conflict (one focuses on our enemies, one focuses on strengthening friendlies), the truth is that it's hard for the guys in category 1 to strengthen friends without also making those tools available to our enemies - and the guys in category 2 are routinely overstepping their bounds and attacking friendlies.

Re:Not entirely surprising (2)

qbast (1265706) | about 2 months ago | (#47728935)

And to make it even worse - 'friendly' and 'enemy' categories frequently overlap.

Re:Not entirely surprising (1)

PPH (736903) | about 2 months ago | (#47729047)

"We have met the enemy and he is us." -- Walt Kelly

Re:Not entirely surprising (2)

Mister Liberty (769145) | about 2 months ago | (#47729177)

Are you sure those are (the) two official NSA directives? They almost can't be, for 2. can entirely be seen as a subset of 1.

Other than that, they (or you?) have a very loose way of using 'our' in 'our nation's security' and 'our enemies'. Do you, personally, consider yourself among 'our' as used here? Not to be personal -- but I am almost certain they do not count you among the 'our'; you see, the NSA's true objective is to protect those of ultimate wealth and power in the US against those without wealth and power in the US.
If there's one thing that has become abundently clear over the last years, esp. since the banking crisis, and a fortiori since the last year or so, that is it.

Re:Not entirely surprising (0)

Anonymous Coward | about 2 months ago | (#47731657)

Are you one of those morans who never heard of the NSA before Snowden?

Keith's Law (0)

Anonymous Coward | about 2 months ago | (#47728951)

"Given enough Five Eye-balls, all bugs are shallow!" :-P

secrecy (2)

Jodka (520060) | about 2 months ago | (#47728987)

Tor developer Andrew Lewman says... agents from [NSA and GCHQ ] leak flaws directly to the developers, so they can be fixed quickly.

Why announce that publicly? The NSA and GCHQ will now attempt to to shut down the leaks and arrest the leakers. Even if they fail, it is certain to scare the leakers and make leaking more difficult.

"You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source....

Why give those agencies clues to help them figure out who are the leakers?

   

Re:secrecy (1)

AHuxley (892839) | about 2 months ago | (#47729301)

Dual missions and attracting the next generations to gov, mil work and onion routing.
From collect it all reality to 'help' spread democracy branding.
If US backed dissidents face a new range of telco tools that are just been sold to govs, better to help developers stay one step ahead.
If a new range of telco tools used by the US govs to collect it all are just been upgraded, better to give developers some busy work for a few years.
Both options need clean social engineering access to real people to shape software directions over decades.

Unsubstantiated, but this is what I've heard: (1)

kheldan (1460303) | about 2 months ago | (#47729075)

I've heard that Tor was initiated by three-letter government agencies in the first place, and that the last thing they want to do is shut it down or ruin the anonymity it gives it's users, because they're using it in their own operations to start with. Compromising it would inevitably lead to their own enemies getting their hands on the exploits, and ultimately on their own operatives, so why wouldn't they have a covert program of improving the overall security of Tor? Now, on the other hand, I wouldn't at all be surprised if a fair number of exit nodes are being operated by three-letter-agency employees -- and for that matter, by enemies of said three-letter-agencies, as well.

No. left hand doesn't know what right hand does (1)

bussdriver (620565) | about 2 months ago | (#47731627)

NSA doesn't give a rip. Their job is to get into Tor. If they find out military or CIA secrets it is not a problem because they are on the same side. Ideally, they'd find exploits or put them in and patch it for the military's client only... but their primary goal is to get themselves in, secondary goal is to help the other agencies (so they are not going to publicly give Tor patches... or if they do decide that is more important, do you think they would be public about it? I would think they would purposely leak patches.)

Can we sue the NSA (1)

Stan92057 (737634) | about 2 months ago | (#47729883)

Doesn't this make peoples PC open and vulnerable to viruses/malware and are they not also one of the bad guys, making me have to pay a yearly fee to my antivirus provider? Can we sue the NSA for part of what we have been paying all theses years for viruses THEY released??

History folks.. (0)

Anonymous Coward | about 2 months ago | (#47730467)

Tor was a US Gov project. Yall are idiots.

"Originally sponsored by the U.S. Naval Research Laboratory,[16] which had been instrumental in the early development of onion routing under the aegis of DARPA"

It's a nudge ... (1)

CaptainDork (3678879) | about 2 months ago | (#47730535)

... to make Tor a mainstream app. What percentage of potential users actually use Tor?

It's not in the billions.

If NSA could make Tor viral, how cool would that be?

It's law (0)

Anonymous Coward | about 2 months ago | (#47731469)

Reed's law that is.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?