Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Agents Leak Tor Bugs To Developers

Posted by Soulskill on from the right-hand-thinks-the-left-hand-is-a-jerk dept.

An anonymous reader writes: We've known for a while that NSA specifically targets Tor, because they want to disrupt one of the last remaining communication methods they aren't able to tap or demand access to. However, not everybody at the NSA is on board with this strategy. Tor developer Andrew Lewman says even as flaws in Tor are rooted out by the NSA and British counterpart GCHQ, other agents from the two organizations leak those flaws directly to the developers, so they can be fixed quickly. He said, "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software." Lewman estimates the Tor Project receives these reports on a monthly basis. He also spoke about how a growing amount of users will affect Tor. He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

3 of 116 comments (clear)

  1. Not entirely surprising by Andy+Dodd · · Score: 4, Interesting

    The NSA has two directives that often conflict with each other:
    1) Protect communications that are critical to our nation's security. This is mostly military/government comms, but they have a role in securing banking and other civilian networks. An example of what comes from this side of the NSA is SELinux - which is now heavily used by Android to provide additional security against malware.
    2) Compromise and monitor the communications of our enemies. These guys overstepping their bounds are what has been routinely making the news lately.

    While I can't see an obvious reason for the guys in category 1 to want to strengthen Tor, it's possible. (Potentially on behalf of another agency... Think in terms of Tor's use by Chinese dissidents.)

    I'm fairly certain the people in categories 1 and 2 don't get along with each other. While in theory their goals should not conflict (one focuses on our enemies, one focuses on strengthening friendlies), the truth is that it's hard for the guys in category 1 to strengthen friends without also making those tools available to our enemies - and the guys in category 2 are routinely overstepping their bounds and attacking friendlies.

    --
    retrorocket.o not found, launch anyway?
  2. Re:OPSEC by timrod · · Score: 5, Interesting

    I don't think that these bug reports that the NSA is making are actually leaks. My theory is that these exploits have already been used by the NSA, and are believed to be at the end of their useful life cycle (ie; the NSA suspects that someone else has found the bug and may report it) so they go ahead and report it - it boosts the NSA's image because they're supposedly reporting zero-days, but in reality they're just getting rid of what they don't need anymore.

  3. Re:Another Angle by jandrese · · Score: 4, Interesting

    It's also possible that the NSA is fixing bugs in TOR because their own agents use it for its original purpose.

    --

    I read the internet for the articles.