Slashdot Mirror


NSA Agents Leak Tor Bugs To Developers

An anonymous reader writes: We've known for a while that NSA specifically targets Tor, because they want to disrupt one of the last remaining communication methods they aren't able to tap or demand access to. However, not everybody at the NSA is on board with this strategy. Tor developer Andrew Lewman says even as flaws in Tor are rooted out by the NSA and British counterpart GCHQ, other agents from the two organizations leak those flaws directly to the developers, so they can be fixed quickly. He said, "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software." Lewman estimates the Tor Project receives these reports on a monthly basis. He also spoke about how a growing amount of users will affect Tor. He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

116 comments

  1. Why Facebook or Google? by coldBeer · · Score: 4, Funny

    When the NSA is plugging holes for you...

    1. Re:Why Facebook or Google? by Anonymous Coward · · Score: 1

      Because that would be like trusting the fox to the hen house.

    2. Re:Why Facebook or Google? by Anonymous Coward · · Score: 0

      I think you a word.

    3. Re:Why Facebook or Google? by Anonymous Coward · · Score: 0

      Or he word a switched.

      There's always reading it as "Because that would be like trusting the hen house to the fox."

      Granted, the edit distance is larger...

    4. Re:Why Facebook or Google? by Bill,+Shooter+of+Bul · · Score: 3, Interesting

      Cause the NSA ain't providing code, bandwidth, or servers to scale the system to millions of users. Google and Facebook have the knowledge and resources to actually do it, if they want.

      But yeah, it's a pretty dumb hope. They don't want you to have any anonymity as it is.

      I think it would be cool if someone were to design a cryptocurrency wherein the proof of work was somehow related to the number of connections proxies. So mining would actually be providing anonymity to those who needed it and there would be an incentive to provide service. However that trick of providing indisputable proof of work, while not revealing the traffic or inbound/outbound connections might be a bit tricky to get right.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    5. Re:Why Facebook or Google? by Anonymous Coward · · Score: 0

      That would be GCHQ AKA Gay Cock Headquarters. As we all know, most Brits are homosexuals.

    6. Re:Why Facebook or Google? by Burz · · Score: 2

      Of course, it won't work.

      OTOH, Skype and Bittorrent had successful models for scaling up: People were configured by default to add their bandwidth to the pool. In bittorrent's case, your throughput suffered if you were stingy about contributing.

      I2P is probably the closest networking layer there is to combining the goals of Tor with the methods of Skype and bittorrent. It is both highly decentralized and onion-like, and has been steadily improving for well over a decade now. If you happen to have a TAILS disc, it's included. However, it's not designed to access the regular Internet so much as replace it.

    7. Re:Why Facebook or Google? by Anonymous Coward · · Score: 0

      It makes perfect sense, you just can't read.

  2. Yes Google and FB are the ones to protect us? by JeffOwl · · Score: 5, Insightful

    He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

    If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

    1. Re:Yes Google and FB are the ones to protect us? by geekmux · · Score: 3, Funny

      He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

      If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

      "Here's some bugs we've fixed for you guys. Trust us."

      Oh yeah, because the current debug team we can trust so much...

    2. Re:Yes Google and FB are the ones to protect us? by LordLimecat · · Score: 4, Insightful

      Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government? Or that they cooperate with the EFF, and run ChillingEffects to make people aware of draconian DMCA takedowns?

      Everyone's so eager to lynch the one big corporate ally that OSS / privacy advocates have.

    3. Re:Yes Google and FB are the ones to protect us? by linearZ · · Score: 1

      Google, Facebook, and the NSA government are nothing more than competing Panopticons. They all want as much of your personal information as they can collect, and they all want to keep it as long as they can.

      If one of these organizations is legally battling the other, then you can be sure it is because they feel they should have more of your data than the other, not because of a moral imperative.

      --
      Revolution is the opium of the intellectuals.
    4. Re:Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0, Insightful

      Seeing that the Chicoms aren't in a position to rendition, disappear, or NDAA top level management at Google, big whoop. As for Chilling Effects, another big whoop since Google probably receives 90% of all DMCA takedown requests, which is costly for them.

      As for calling the top advertiser on earth a privacy advocate, that is beyond ridiculous.

    5. Re:Yes Google and FB are the ones to protect us? by cshotton · · Score: 4, Insightful

      It would be naive at best to think that Google is the "one big corporate ally that OSS" has. If you want to try and hang that badge on a single company, it's probably IBM. And regardless of the value and quantity of OSS contributions and support, definitely don't make the mistake of thinking that "Google" and "privacy" belong in the same sentence unless it has "doesn't do much to ensure" between those 2 words.

      --

      Shut up and eat your vegetables!!!
    6. Re:Yes Google and FB are the ones to protect us? by mlts · · Score: 4, Insightful

      Tor needs a PR boost if that ever is going to happen. As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application, because of abuse.

      No big company is ever going to touch Tor as it stands right now, because of its reputation as a service for criminals (q.q.v. Four Horsemen of the Infocalypse.)

    7. Re:Yes Google and FB are the ones to protect us? by invictusvoyd · · Score: 1

      He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

      So that they can punch as many holes as they want in a heavily "scaled" unmaintainable code base

      -----------
      emesis

    8. Re:Yes Google and FB are the ones to protect us? by Opportunist · · Score: 2

      It's a matter of your history. Who'd you trust your child to? A babysitter who spent hundreds of hours and has hundreds of people vouching for her or that scary looking hobo at the corner? Who'd you trust your privacy with? An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Yes Google and FB are the ones to protect us? by flayzernax · · Score: 2

      Seriously, I'm all for conspiracy FUD, but this seems legit. Who says everyone is in agreement on the same team? It's a project where the code is visible to be scrutinized. This means that whoever is submitting back code is submitting good bug fixes. TOR developers aren't morons.

    10. Re:Yes Google and FB are the ones to protect us? by flayzernax · · Score: 1

      Yes, it's either google or the atnt/bell crew (phone, cable, and ISP corps et al.)

    11. Re:Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0

      Much less hiding anything from Mark Zuckerberg.

    12. Re:Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0

      and now everyone will respond to you as if android vs iphone arguments never existed. fucking slashdot i swear you're mental

    13. Re:Yes Google and FB are the ones to protect us? by gwolf · · Score: 2

      I happen to know a highly skilled person working as a security analist. He says his main customer for 0days is the NSA. But this friend has an independent mind and conscience (he is not an NSA person, just an outside contractor). I know for a fact he also has worked voluntarily to make the world a better place (i.e. with the "good guys").
      I guess my friend is not the only such analyst. If people like him can sell their work and (in full or in part) leak part of his findings to the underground, privacy-minded networks... Well, I'm sure he will do so.
      And after all, people with such skillset do know how to remain under cover.

    14. Re:Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0

      Why does Lewman think there is gonna be this huge growth in Tor use? It's not like the average Joe Schmoe user is gonna start using any time soon.

    15. Re:Yes Google and FB are the ones to protect us? by Applehu+Akbar · · Score: 1

      If that happens, then everyone who needs to go on swapping terrorist plans or child porn images will move to some new shaky little service. IP over carrier pigeons? Stegged vacation snapshots? Direct-beamed lasers? Lather, rinse, repeat.

    16. Re:Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0

      :D

    17. Re:Yes Google and FB are the ones to protect us? by iMySti · · Score: 1

      Privacy doesn't do much to ensure Google.

      Hey, it works both ways!

    18. Re:Yes Google and FB are the ones to protect us? by CaptainDork · · Score: 1

      For reference, see Manning and Snowden.

      --
      It little behooves the best of us to comment on the rest of us.
    19. Re:Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0

      Google and Facebook cannot arrest me or otherwise punish me with the impunity that the NSA can. Lesser of two evils. Let the FTC handle the few times Google engages in overreach. This is checks and balances. The NSA has WAY too much power and leverage for any single entity.

    20. Re:Yes Google and FB are the ones to protect us? by niftymitch · · Score: 1

      He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

      If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

      "Here's some bugs we've fixed for you guys. Trust us."

      Oh yeah, because the current debug team we can trust so much...

      There are two parts:
            * Here is the bug.
            * Here is a bug fix.

      The first has a lot of value in an open source community.
      The second if taken with blind faith is a potential disaster.

      As a pair the time window for attack can be reduced.

      Gifts from the NSA are an interesting thing... Some might be triggered
      because they have evidence that others have knowledge of the
      flaw and are exploiting it. As the need for human intelligence
      grows the need for secure communication increases from individuals
      (assets) far afield. In that regard bug disclosures would be self
      serving but still be quality fixes the Tor community needs.

      One important point to me in terms of global security is that
      "actions speak louder than words" and if the TLAs like the NSA
      pay attention to global bad actors things might find clarity in contrast
      to the thought police reaching out four+ degrees of connectivity
      for co-conspirators (almost the entire world today)

      Speaking about bad actors... our news media outlets seem to
      have abandoned all attempts at quality, completeness and
      truth. The web does not have time editorial limitations the way
      airtime programming does and unedited content should be available.
      It is not obvious how one might edit out the payment for cigars
      unless the shop is a source of illegal Cubans for the local big
      wigs...

      Decades ago news broadcast (Walter Cronkite time frame) news
      was a mandate and effectively a cost center not a profit center.
      This has gone to stink with the advent of cable and broadcast
      outside of the airwaves. But if the FCC can get in the middle
      of net neutrality these magazine format sensation and headline
      grabbing outlets could find their finances and marketing vastly different.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
    21. Re:Yes Google and FB are the ones to protect us? by niftymitch · · Score: 1

      I happen to know a highly skilled person working as a security analist. He says his main customer for 0days is the NSA.......

      Golly someone connected directly to gwolf has now been outed.
      Unless you are Kim Kardashian with 23 million followers a zero
      level direct connection might well be an individual name.

      Further with 23 million followers for Kim; 600,000 for Robert Scoble;
      83,000 for /. ; 42 million for B. Obama.... we are all connected within three
      or so degrees of K Bacon

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
    22. Re:Yes Google and FB are the ones to protect us? by houghi · · Score: 2

      Nowadays it isn't the Chinese government you need to worry about.

      The issue is that if you rely on companies for your freedom, it is the companies that will get that freedom.

      --
      Don't fight for your country, if your country does not fight for you.
    23. Re:Yes Google and FB are the ones to protect us? by xvan · · Score: 5, Funny

      An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on.

      Mmm... I don't know which applies to google and which to the NSA....

    24. Re:Yes Google and FB are the ones to protect us? by gwolf · · Score: 1

      I'm not a social media person, so no, it's neither somebody I follow or somebody followed by me.

      I know more than a few people working on security.

      And... Yes, I am outing somebody. Somebody who's well known for his activities already, as well as for his skills. And who has never hid them.

    25. Re:Yes Google and FB are the ones to protect us? by 93+Escort+Wagon · · Score: 1

      Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government?

      What are you talking about? Google pretty much capitulated to the Chinese government on all fronts a couple years ago.

      Do some DuckDuckGo'ing if you don't believe me. I'd suggest not searching for this using Google, since using that engine for this seems to bury some of the less favorable stories - the ones at the top are the ones that use language referring to Google "reluctantly" giving in.

      But in any case there have been multiple instances over the past several years where Google has made noise about standing up to China, then more quietly reversed course months later. But people only seem to remember the original noise, which means Google has an effective PR team.

      --
      #DeleteChrome
    26. Re:Yes Google and FB are the ones to protect us? by LordLimecat · · Score: 1

      Google has lost ~1.2 billion customers by their actions in China. They are no longer accessible from mainland China (since May) and VPNs generally work very poorly there.
      "Big whoop" that they've lost access to 20% of potential customers and the largest emerging market, right?

    27. Re:Yes Google and FB are the ones to protect us? by Krishnoid · · Score: 1

      Google, Facebook, and the NSA government are nothing more than competing Panopticons.

      Google provides me with free, high-ish-ly-available:

      • spam-culled email with high-performance web/IMAP access
      • online calendar with shareable events
      • online Office-lite document editing and collaboration
      • phone/text forwarding with online voicemail access and transcription
      • photo management application and storage
      • maps
      • search

      as well as sync of all of these with tablets and smartphones for no extra cost. So I'm getting something more from Google than the rest.

    28. Re:Yes Google and FB are the ones to protect us? by LordLimecat · · Score: 1

      Google pretty much capitulated to the Chinese government on all fronts a couple years ago.

      In 2006, yes (as did Yahoo and Microsoft, a few years earlier). As of 2009, the relationship between the two has become highly antagonistic, with Google refusing to cooperate, and actively undermining the GFW / censorship net in many cases.

      That's why you can't actually visit google.com in China from the mainland these days.

    29. Re: Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0

      Thanks gwolf, checking your friends now.

      NSA Bot.

    30. Re:Yes Google and FB are the ones to protect us? by laffer1 · · Score: 1

      It's not just about companies. I haven't used Tor despite my interest in the project because I don't think a court would understand if illegal traffic came from my home internet connection despite me running Tor. Most courts hold the account holder responsible for traffic on their network.

    31. Re:Yes Google and FB are the ones to protect us? by drcagn · · Score: 1

      Are you really this dense? Why do you think they provide you with these things *for free*? Out of the kindness of their hearts?

      They provide all of those things to you so they can mine the data from it.

      --
      Scorta futuere amo!
    32. Re:Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0

      I have to laugh. Neither IBM nor Google have your privacy or freedom interests in mind. These companies are purely good at public relations. Before Lenovo bought IBM's PC division they were implementing digital restrictions to take away users' freedoms. Google bought one of the most privacy-invasive tracking/marketing companies that has ever existed and continues to spy on its partner's users. I don't even think I need to get into what Facebook has done nor Microsoft. Both are nightmares. Microsoft bought and redesigned a decentralized Skype such that there is now a central point at which the NSA can tap (more easily). Facebook takes no serious measures to secure its users' data (and every so often its data is dumped and a torrent is available for download) and routinely ignores any reasonable privacy practices. The only thing Facebook does is grudgingly react to laws which are passed, and/or going to be passed if they don't *do something*.

    33. Re:Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0

      highly skilled person working as a security analist

      At the risk of acting half my age... what on earth does this person do? Protect your booty from plunder? :)

    34. Re:Yes Google and FB are the ones to protect us? by ron_ivi · · Score: 2

      No surprises here.

      It'd make perfect sense if NSA submits bug reports to Tor for vulnerabilities it knows its competitors are using; while at the same time keeping quiet about the ones it uses itself.

    35. Re:Yes Google and FB are the ones to protect us? by Impy+the+Impiuos+Imp · · Score: 1

      Submit everything but the latest and greatest bugs.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    36. Re:Yes Google and FB are the ones to protect us? by Impy+the+Impiuos+Imp · · Score: 1

      Google and Facebook are more interested in if I want to buy Twizzlers or muffler repair.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    37. Re:Yes Google and FB are the ones to protect us? by Anonymous Coward · · Score: 0

      "security analist" is someone so anal about security that they can't get anything done. Or FUDing everything out of proportion so nobody else can either.

    38. Re:Yes Google and FB are the ones to protect us? by Rich0 · · Score: 1

      As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application, because of abuse.

      If only. It seems to be SOP to block relay nodes as well. I run one, which does not allow exits, and I run into lots of sites that block me. Must be fun for whoever gets my dynamic IP next.

    39. Re:Yes Google and FB are the ones to protect us? by strikethree · · Score: 1

      It would be naive at best to think that Google is the "one big corporate ally that OSS" has. If you want to try and hang that badge on a single company, it's probably IBM.

      Erm, IBM is like a prostitute or a mercenary, no real principles concerning the situation at hand (so to speak). Google appears to make decisions based on principles and reality. How well Google follows those principles is a matter for debate.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  3. FTFY by Cornwallis · · Score: 2

    "Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users as they sell the traversing information to the NSA."

    1. Re:FTFY by Anonymous Coward · · Score: 0

      "Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users as they sell the traversing information to anyone who will pay for it."

      FTFY

    2. Re:FTFY by Cornwallis · · Score: 1

      "Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users as they sell the traversing information to anyone who will pay for it."

      FTFY

      Touché

  4. Beware of Greeks bearing gifts.... by mrbill1234 · · Score: 1

    Beware of Greeks bearing gifts....

    1. Re:Beware of Greeks bearing gifts.... by Kjella · · Score: 5, Funny

      Beware of Greeks bearing gifts....

      Shouldn't that be "Beware of geeks bearing gifts...." in this case?

      --
      Live today, because you never know what tomorrow brings
    2. Re:Beware of Greeks bearing gifts.... by penguinoid · · Score: 1

      No, it's "Beware of Geeks bearing .gifs" goatse.gif

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    3. Re:Beware of Greeks bearing gifts.... by jtwiegand · · Score: 1

      Timeo Danaos et dona ferentes. "I fear the Greeks, even though they bear gifts." I believe is the line. It could also be rendered as "I fear the Greeks, especially because they bear gifts," as well. Either way.

    4. Re:Beware of Greeks bearing gifts.... by K.+S.+Kyosuke · · Score: 1

      Beware of Geeks' baring .gifs

      FTFY...?

      --
      Ezekiel 23:20
    5. Re:Beware of Greeks bearing gifts.... by 93+Escort+Wagon · · Score: 3, Interesting

      Beware of Greeks bearing gifts....

      Remember, the NSA is the group that originally gave us Tor. If I was one of the original developers, and I took pride in my work - it is likely I would continue to help the project improve, even if my employer had changed focus.

      Also, remember that the NSA is not just one huge monolithic group with only one task on their plate. I find it easy to believe that some folks there question the wisdom of attempting to cripple security (such as they seem to have done with the elliptic curve ciphers). Plus code breakers and cryptographers are, in general, going to be working at cross purposes - it's the nature of their jobs.

      --
      #DeleteChrome
    6. Re:Beware of Greeks bearing gifts.... by geekylinuxkid · · Score: 2

      Beware of Greeks bearing gifts....

      Remember, the NSA is the group that originally gave us Tor.

      Incorrect. Onion routing was originally created at the U.S. Naval Research Lab as a way to provide independent, real-time, and bi-directional anonymous connections that are resistant to both eavesdropping and traffic analysis. Tor is the 3rd design of said project, which was originally started in 1996.

      I have no idea when the NSA started using onion routing, but I know for a fact that they did not create it.

  5. Reading source for months... by java_dev · · Score: 1

    "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software."

    Come on... NSA undoubtedly has highly developed automated tools for identifying flaws in source code, or at least rating the probability of a flaw existing within any section of code so that analysts can focus their time on the areas most likely to produce results.

    1. Re:Reading source for months... by TWX · · Score: 1

      Sounds like we need them to go through the Linux Kernel, all of the communications daemons and applications, and the web browsers, and the problems with these could be solved in a few weeks!

      --
      Do not look into laser with remaining eye.
    2. Re:Reading source for months... by Anonymous Coward · · Score: 0

      Automated tools can only go so far.

      They'd literally need to make machine learning systems throw everything at the code and figure out the best way to deal with the results, because even exploitable results could be hidden in the noise of errors that are useless for exploiting.

      Makes me wonder if anyone has tried to throw exploit-finding under a machine learning system. Combine all knowledge of exploits into it, run it through some programs, see what it finds.
      Seems like something you would think they would do, but if they are looking over it manually, likely not.
      We do know they use automated tools to find the usual exploits that we all know and love. (Thanks PHP)
      Something to think about, social monitoring team.

    3. Re:Reading source for months... by mlts · · Score: 3, Interesting

      SELinux is a good stab at that. While not 100%, it has helped ensure that a program that manages to get a root context still doesn't have full superuser reign over the system. It isn't simple, but it does a good job at security over previous tools like SUID wrappers.

      I wouldn't mind a code review of web browsers and browser add-ons, as those are the first points of contact and generally a primary vehicle for malware to get a foothold.

  6. Another Angle by Talderas · · Score: 5, Insightful

    Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

    --
    "Lack of speed can be overcome. In the worst case by patience." --Znork
    1. Re:Another Angle by Anonymous Coward · · Score: 2, Funny

      They probably found tachyons or some shit, knowing them.

      Who needs to give a damn about exploiting Tor when you can see the damned future?!

    2. Re:Another Angle by jandrese · · Score: 4, Interesting

      It's also possible that the NSA is fixing bugs in TOR because their own agents use it for its original purpose.

      --

      I read the internet for the articles.
    3. Re:Another Angle by Anonymous Coward · · Score: 0

      From a law enforcement perspective, TOR is a nuisance due to the relative difficulty in identifying competent users, but also a great benefit in knowing where the unlawful behavior is taking place. A couple stings and undercover activities in a location trusted by the criminals will be a much better return on investment than having Google hand over the entire search history of the world for them to sift through.

      That's not even taking into account how many NSA employees want a secure TOR so they can browse unapproved web sites when they are supposed to be spying on us.
      "I'm collating user data on the darknet, and my pants are off for medical reasons."

    4. Re:Another Angle by AHuxley · · Score: 1

      It depends on the US or UK mission. If the US gov wants to support some NGO doing a Colour revolution http://en.wikipedia.org/wiki/C... then the communications and support has to work well over years.
      For every other use of online anonymity the US and UK would like to have a way in as now understood with most of the tame telco and banking crypto over decades.
      e.g. NSA surveillance: A guide to staying secure http://www.theguardian.com/wor... (6 September 2013)
      the classic line "... have invested in enormous programs to automatically collect and analyse network traffic"
      The US gov and mil can afford to do both and keep users guessing. Protect the very well supported "freedom fighters" just enough globally and still collect it all.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:Another Angle by Opportunist · · Score: 1

      Who the hell would the NSA hide their traffic from? If there's anyone able to snoop on the spooks, I bet a few "touch and burn your hand" laws should take care of that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Another Angle by Anonymous Coward · · Score: 0

      I suspect that they get enough information from the metadata to not have to worry about TOR.
      Assuming that the network connection is more of a bottleneck than the encryption, it should be fairly easy to monitor an end node to see what input corresponds to the output of interest. If you can follow that information for every node in a TOR network then you don't need a flaw in the TOR encryption, you just need to map the data as it leaves the network to the original host. They don't even need formal proof, they just need to reduce the number of possible sources to something manageable.
      As long as they are sure that they can do that kind of tracing they don't lose anything from making sure that the encryption and implementation is as good as possible.

    7. Re:Another Angle by Anonymous Coward · · Score: 0

      Sure, no one else in the world is able to do what almighty american NSA can do. 'MURICA 'MURICA 'MURICA

    8. Re:Another Angle by Anonymous Coward · · Score: 1

      Who the hell would the NSA hide their traffic from? If there's anyone able to snoop on the spooks, I bet a few "touch and burn your hand" laws should take care of that.

      If you think that the Chinese secret service cannot spy on the NSA, then I have this bridge I want to sell you.

    9. Re:Another Angle by mrchaotica · · Score: 1

      Despite all their Orwellian, unconstitutional acts of treason against the American public, I'm sure the NSA is also still continuing to perform counterintelligence against foreign threats (e.g. the Chinese) like they're supposed to.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    10. Re:Another Angle by tlhIngan · · Score: 1

      Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

      I think the NSA encourages TOR use, to be honest - they used to, or still, run one of the largest sets of exit nodes, for the sole purpose of monitoring traffic. (Most Tor users don't really care about the private tor stuff, they just want their "anonymous facebook" and "anonymous G+" without gubmint spying)

      I mean, unless one keeps their traffic solely within the Tor network, monitoring exit nodes quickly becomes a way to identify people and their traffic.

  7. Larger Tor Isn't Necessarily Better by macromorgan · · Score: 4, Informative

    While I love and appreciate Tor as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places Tor. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the Tor network expands the list of exit nodes remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.

    1. Re:Larger Tor Isn't Necessarily Better by mspohr · · Score: 2

      Most companies with half a brain have figured out how to block "comment spam".
      (I'll give you one free clue: Blocking TOR has nothing to do with it.)

      --
      I don't read your sig. Why are you reading mine?
    2. Re:Larger Tor Isn't Necessarily Better by WhoBeI · · Score: 1

      If you are using a well-known framework for your site there might already be support for comment spam management. It's not always free as some of them are basically interfaces for a paid service but it may still be worth a look. They would block comment spam in general instead of focusing on comments from a specific set of nodes.

      https://www.drupal.org/node/20...
      http://wordpress.org/plugins/s...

    3. Re:Larger Tor Isn't Necessarily Better by Anonymous Coward · · Score: 0

      Mod parent down. There are many ways to destroy a business that are more serious than some comment spam, and these happen with or without a TOR of any size.

    4. Re:Larger Tor Isn't Necessarily Better by Em+Adespoton · · Score: 2

      While I love and appreciate IPV6 as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places IPV6. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the IPV6 network expands the list of proxies remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.

      FTFY.

      In both cases, we're shooting the messenger. And yes, I regularly see IPV6 proxies being blocked, probably for these reasons.

  8. OPSEC by Noryungi · · Score: 5, Insightful

    If you are a Tor programmer, and if there are really NSA/GCHQ insiders who actually help you to correct bugs... For Pete's sake, just keep quiet about it!!!

    Now, both agencies will have to initiate a mole-hunting operation, and you will lose these valuable insiders!

    On the other hand, it may paralyze these agencies for months, maybe even years, while they try to figure out who has been leaking invaluable bug information back to the Tor project.

    So it might be a wash. Either way, it also probably means that people inside the Puzzle Palace and the Donut are beginning to realize that enough is enough, so that is also encouraging.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:OPSEC by timrod · · Score: 5, Interesting

      I don't think that these bug reports that the NSA is making are actually leaks. My theory is that these exploits have already been used by the NSA, and are believed to be at the end of their useful life cycle (i.e., the NSA suspects that someone else has found the bug and may report it) so they go ahead and report it - it boosts the NSA's image because they're supposedly reporting zero-days, but in reality they're just getting rid of what they don't need anymore.

    2. Re:OPSEC by Anonymous Coward · · Score: 0

      If you are a Tor programmer, and if there are really NSA/GCHQ insiders who actually help you to correct bugs... For Pete's sake, just keep quiet about it!!!

      The average Tor programmer is probably not a trained spook and can be expected to make many common tradecraft mistakes outside of their technological area of expertise. For example, letting bits of privileged information slip into casual conversations or failing to be guarded when speaking to the press or even speaking to the press in the first place.

    3. Re:OPSEC by Opportunist · · Score: 1

      You just gave me a great idea. Why not simply spoof such "leaks" and send the spooks on a wild goose chase?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:OPSEC by Anonymous Coward · · Score: 0

      Loose lips sink ships.

    5. Re:OPSEC by Anonymous Coward · · Score: 0

      You could be right, but the TOR developers would see an obvious pattern if so.

    6. Re:OPSEC by IamTheRealMike · · Score: 2

      If you RTFA you'll see that Lewman has zero evidence for this assertion. The headline paints it as a statement of fact but in reality all Lewman knows is there are people who appear to be reading the source code and reporting bugs anonymously. That's it. They could be NSA/GCHQ moles. Or, more likely, they could be anonymity fans who like security audit work. They really have no idea.

    7. Re:OPSEC by Vitriol+Angst · · Score: 1

      To me it means there are two possibilities:

      1) The White Hats are being brazen because they know that the political appointees are not savvy enough to turn them in.

      2) The White Hats are foolish, because looking at the type of exploits in Tor revealed would quickly narrow the list of mole suspects.

      I seriously doubt #2 is the answer based on the type of person who would find these bugs. So it gives me hope that the "Geeks" are a separate class from the "Suits" and the suits as usual are arrogant political appointees who told the smart guys to "go get us everything" and the poor worker drones had to carry it out. But they are still hackers and they don't like authority like this.

      Gives me hope. Fascists tend to promote small minds who follow orders and this is their undoing.

      --
      >>"ad space available -- low rates!!!"
    8. Re:OPSEC by Vitriol+Angst · · Score: 1

      Do you think it's possible that they are also ferreting out the paths an actual mole's information would go through?

      However, I think what you say is NOT the reason, because it would mean that the NSA was a crafty and well run organization, with intelligent (yet evil) people at the top, and loyal workers doing their bidding.

      An underling wouldn't just DECIDE to reveal this information if they were loyal. And someone at the top would have to be clever and understand a bit of tech to make the order.

      What history has REALLY shown us:
      While they have great hackers working there and have found successful exploits, a low-level geek "Snowden" was able to uproot their plans for World Domination, because they outsourced things to companies that were driven by profit and greed.

      Their leader shot his mouth off a few times in an unwise fashion.

      The NSA shows promising signs as a bottom heavy organization with not so intelligent but mean spirited people at the top. The ability to be in charge of such an organization is not the same as the ability to conquer the world.

      --
      >>"ad space available -- low rates!!!"
    9. Re:OPSEC by phorm · · Score: 1

      Indeed, it could be people who are using TOR but don't want to end up on an NSA watch-list because they have in-depth knowledge of a tool that's probably not well-received by the NSA...

    10. Re:OPSEC by wmansir · · Score: 1

      On the other hand if you're a Tor developer interested in disrupting the NSA unit assigned to hack your system why not just say you receive regular leaks from the NSA unit assigned to hack your system.

  9. nice watching their backs by spacerodent · · Score: 1

    Guess what departments are going to have to redo their lifestyle polygraphs now!

  10. Not entirely surprising by Andy+Dodd · · Score: 4, Interesting

    The NSA has two directives that often conflict with each other:
    1) Protect communications that are critical to our nation's security. This is mostly military/government comms, but they have a role in securing banking and other civilian networks. An example of what comes from this side of the NSA is SELinux - which is now heavily used by Android to provide additional security against malware.
    2) Compromise and monitor the communications of our enemies. These guys overstepping their bounds are what has been routinely making the news lately.

    While I can't see an obvious reason for the guys in category 1 to want to strengthen Tor, it's possible. (Potentially on behalf of another agency... Think in terms of Tor's use by Chinese dissidents.)

    I'm fairly certain the people in categories 1 and 2 don't get along with each other. While in theory their goals should not conflict (one focuses on our enemies, one focuses on strengthening friendlies), the truth is that it's hard for the guys in category 1 to strengthen friends without also making those tools available to our enemies - and the guys in category 2 are routinely overstepping their bounds and attacking friendlies.

    --
    retrorocket.o not found, launch anyway?
    1. Re:Not entirely surprising by qbast · · Score: 2

      And to make it even worse - 'friendly' and 'enemy' categories frequently overlap.

    2. Re:Not entirely surprising by PPH · · Score: 1

      "We have met the enemy and he is us." -- Walt Kelly

      --
      Have gnu, will travel.
    3. Re:Not entirely surprising by Mister+Liberty · · Score: 2

      Are you sure those are (the) two official NSA directives? They almost can't be, for 2. can entirely be seen as a subset of 1.

      Other than that, they (or you?) have a very loose way of using 'our' in 'our nation's security' and 'our enemies'. Do you, personally, consider yourself among 'our' as used here? Not to be personal -- but I am almost certain they do not count you among the 'our'; you see, the NSA's true objective is to protect those of ultimate wealth and power in the US against those without wealth and power in the US.
      If there's one thing that has become abundantly clear over the last years, esp. since the banking crisis, and a fortiori since the last year or so, that is it.

    4. Re:Not entirely surprising by Anonymous Coward · · Score: 0

      Are you one of those morans who never heard of the NSA before Snowden?

  11. Sony by goombah99 · · Score: 1

    Nah, this is just Sony Electronics wanting to leverage their entertainment holdings to sell TVs and Players with proprietary formats while Sony Entertainment wants to maximize sales. Or maybe I got it backward. Anyhow, lots of diversified companies have internal conflicts. The IBM PC, which uses all non-IBM parts, was not made by the primary Computer division at IBM. Samsung also has internal competition with conflicting objectives.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  12. Keith's Law by Anonymous Coward · · Score: 0

    "Given enough Five Eye-balls, all bugs are shallow!" :-P

  13. secrecy by Jodka · · Score: 2

    Tor developer Andrew Lewman says... agents from [NSA and GCHQ ] leak flaws directly to the developers, so they can be fixed quickly.

    Why announce that publicly? The NSA and GCHQ will now attempt to shut down the leaks and arrest the leakers. Even if they fail, it is certain to scare the leakers and make leaking more difficult.

    "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source....

    Why give those agencies clues to help them figure out who are the leakers?


    --
    Ceci n'est pas une signature.
    1. Re:secrecy by AHuxley · · Score: 1

      Dual missions and attracting the next generations to gov, mil work and onion routing.
      From collect it all reality to 'help' spread democracy branding.
      If US-backed dissidents face a new range of telco tools that have just been sold to govs, better to help developers stay one step ahead.
      If a new range of telco tools used by the US govs to collect it all have just been upgraded, better to give developers some busy work for a few years.
      Both options need clean social engineering access to real people to shape software directions over decades.

      --
      Domestic spying is now "Benign Information Gathering"
  14. Unsubstantiated, but this is what I've heard: by kheldan · · Score: 1

    I've heard that Tor was initiated by three-letter government agencies in the first place, and that the last thing they want to do is shut it down or ruin the anonymity it gives its users, because they're using it in their own operations to start with. Compromising it would inevitably lead to their own enemies getting their hands on the exploits, and ultimately on their own operatives, so why wouldn't they have a covert program of improving the overall security of Tor? Now, on the other hand, I wouldn't at all be surprised if a fair number of exit nodes are being operated by three-letter-agency employees -- and for that matter, by enemies of said three-letter-agencies, as well.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Unsubstantiated, but this is what I've heard: by DMUTPeregrine · · Score: 1

      If by "three-letter government agencies" you mean the USN, specifically the Office of Naval Research, then you're correct. But most people in the US call the USN "the Navy", so there are some extra letters.

      --
      Not a sentence!
  15. Another Angle by Anonymous Coward · · Score: 0

    Just because you are paranoid doesn't mean they aren't after you...

  16. Can we sue the NSA by Stan92057 · · Score: 1

    Doesn't this make people's PCs open and vulnerable to viruses/malware, and are they not also one of the bad guys, making me have to pay a yearly fee to my antivirus provider? Can we sue the NSA for part of what we have been paying all these years for viruses THEY released??

    --
    Jack of all trades, master of none
  17. Protecting their investment by penguinoid · · Score: 1

    Isn't TOR partially funded by the government? And also used by government agents? It would be really awkward if one of the "let's overthrow this government that America doesn't like" movements hidden by TOR traced back to government agents.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  18. History folks.. by Anonymous Coward · · Score: 0

    Tor was a US Gov project. Y'all are idiots.

    "Originally sponsored by the U.S. Naval Research Laboratory,[16] which had been instrumental in the early development of onion routing under the aegis of DARPA"

  19. It's a nudge ... by CaptainDork · · Score: 1

    ... to make Tor a mainstream app. What percentage of potential users actually use Tor?

    It's not in the billions.

    If NSA could make Tor viral, how cool would that be?

    --
    It little behooves the best of us to comment on the rest of us.
  20. Blocking exit nodes by phorm · · Score: 1

    As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application.

    And there are plenty of reasons to do so. There's a reason that companies have firewalls that block outgoing connections as well as incoming. Or would you rather they allowed traffic from anonymous internet sources to route through their networks?

    Home users are a different story, but I don't see why most corps would want to allow TOR. They have enough issues securing their networks as it is (see: UPS breach).
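As an added example (not code from any commenter or from the Tor project), here is one way to implement the application-layer exit-node check that this comment and macromorgan's comment above describe: parse a maintained exit-node list, match client addresses against it, and flag matching comments for moderation rather than silently dropping them. The list format (one address or CIDR per line, `#` comments) and the addresses are constructed for this example; use a current published exit list in practice.

```python
import ipaddress

# Constructed sample exit list in the format assumed here: one address or
# CIDR per line, '#' starts a comment, blank lines ignored. The addresses
# are documentation ranges (RFC 5737 / RFC 3849), not real Tor relays.
SAMPLE_EXIT_LIST = """\
# constructed sample, not a real exit list
198.51.100.7
198.51.100.8
203.0.113.0/28
2001:db8:1::5
not-an-address
"""


def load_exit_list(text):
    """Parse an exit-node list into ip_network objects, skipping junk lines.

    Malformed entries are ignored so one bad line in a refreshed list does
    not take the whole check down; single addresses become /32 or /128.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def is_tor_exit(client_ip, nets):
    """True if client_ip falls inside any listed exit address or range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable remote address: treat as no match
    # ip_network containment already returns False on an IPv4/IPv6 mismatch
    return any(addr in net for net in nets)


def triage_comments(comments, nets):
    """Tag each comment 'hold' (exit-node source, needs review) or 'publish'.

    Holding instead of dropping keeps the heavy-handed blocklist reversible:
    a legitimate Tor user's comment can still be released by a moderator.
    """
    verdicts = []
    for comment in comments:
        verdict = "hold" if is_tor_exit(comment["ip"], nets) else "publish"
        verdicts.append((comment["id"], verdict))
    return verdicts


if __name__ == "__main__":
    exits = load_exit_list(SAMPLE_EXIT_LIST)
    sample_comments = [  # constructed
        {"id": 1, "ip": "198.51.100.8", "body": "cheap locksmith 24/7!"},
        {"id": 2, "ip": "192.0.2.1", "body": "thanks for the writeup"},
        {"id": 3, "ip": "203.0.113.9", "body": "best locks in town"},
    ]
    for cid, verdict in triage_comments(sample_comments, exits):
        print(cid, verdict)
```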

  21. It's law by Anonymous Coward · · Score: 0

    Reed's law that is.

  22. No. left hand doesn't know what right hand does by bussdriver · · Score: 1

    NSA doesn't give a rip. Their job is to get into Tor. If they find out military or CIA secrets it is not a problem because they are on the same side. Ideally, they'd find exploits or put them in and patch it for the military's client only... but their primary goal is to get themselves in, secondary goal is to help the other agencies (so they are not going to publicly give Tor patches... or if they do decide that is more important, do you think they would be public about it? I would think they would purposely leak patches.)

  23. idiot! by slashmydots · · Score: 1

    "He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users."
    What the hell? Then he doesn't know how Tor works. If a large entity controls a ton of the entry and exit nodes, they can traffic match and identify users. The LAST thing we need is a giant entity ruining it by adding millions of servers.

    1. Re:idiot! by Anonymous Coward · · Score: 0

      "He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users."

      What the hell? Then he doesn't know how Tor works. If a large entity controls a ton of the entry and exit nodes, they can traffic match and identify users. The LAST thing we need is a giant entity ruining it by adding millions of servers.

      Exactly. Bizarre comments like this from the Tor project, and claiming these bug fixes are by "rogue" NSA staff (yeah, right - these are deliberate leaks or not leaks at all), and the insistence on keeping javascript on by default in the tor browser (stupid), plus all of the shenanigans lately with actual attacks or claims of unspecified vulnerabilities in tor and/or tails - these all should reduce confidence in tor. Perhaps that is the intention.

  24. maybe it's just regular nerds by Anonymous Coward · · Score: 0

    I don't know, aren't there computer nerds out there who obsess over code? Who would "have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software"? Umm, probably the same type of nerds who frequent reddit every single night to grammar nazi everyone or perhaps act as moderators (unpaid).

    Not that they're necessarily all tech-savvy. My point is that there are obsessive people out there, and it wouldn't surprise me if they knew how to code and acquired fancy software to do so.

  25. Data Mining Co To Fix Tor by Anonymous Coward · · Score: 0

    Google and Facebook securing Tor is absurd. Google managed to turn a relatively secure OS into a data mining gold mine.

  26. Good to see by Kernel+Kurtz · · Score: 1

    not everyone who works for the NSA is a douchebag.

    I'm sure most of them still are, but this is encouraging nonetheless.