NSA Agents Leak Tor Bugs To Developers

← Back to Stories (view on slashdot.org)

NSA Agents Leak Tor Bugs To Developers

Posted by Soulskill on Friday August 22, 2014 @01:29AM from the right-hand-thinks-the-left-hand-is-a-jerk dept.

An anonymous reader writes: We've known for a while that NSA specifically targets Tor, because they want to disrupt one of the last remaining communication methods they aren't able to tap or demand access to. However, not everybody at the NSA is on board with this strategy. Tor developer Andrew Lewman says even as flaws in Tor are rooted out by the NSA and British counterpart GCHQ, other agents from the two organizations leak those flaws directly to the developers, so they can be fixed quickly. He said, "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software." Lewman estimates the Tor Project receives these reports on a monthly basis. He also spoke about how a growing amount of users will affect Tor. He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

32 of 116 comments (clear)

Min score:

Reason:

Sort:

Why Facebook or Google? by coldBeer · 2014-08-22 01:32 · Score: 4, Funny

When the NSA is plugging holes for you...
1. Re:Why Facebook or Google? by Bill,+Shooter+of+Bul · 2014-08-22 09:56 · Score: 3, Interesting
  
  Cause the NSA ain't providing code, bandwidth, or servers to scale the system to millions of users. Google and Facebook have the knowledge and resources to actually do it, if they want.
  But yeah, its a pretty dumb hope. They don't want you to have any anonymity as it is.
  I think it would be cool if some one were to design a cryptocurrency wherein the proof of work was somehow related to the number of connections proxies. So mining would actually be providing anonymity to those who needed it and their would be an incentive to provide service. However that trick of providing indisputable proof of work, while not reveling the traffic or inbound/outbound connections might be a bit tricky to get right.
  
  --
  Well.. maybe. Or Maybe not. But Definitely not sort of.
2. Re:Why Facebook or Google? by Burz · 2014-08-22 10:22 · Score: 2
  
  Of course, it won't work.
  OTOH, Skype and Bittorrent had successful models for scaling up: People were configured by default to add their bandwidth to the pool. In bittorrent's case, your throughput suffered if you were stingy about contributing.
  I2P is probably the closest networking layer there is to combining the goals of Tor with the methods of Skype and bittorrent. It is both highly decentralized and onion-like, and has been steadily improving for well over a decade now. If you happen to have a TAILS disc, its included. However, its not designed to access the regular Internet so much as replace it.
Yes Google and FB are the ones to protect us? by JeffOwl · 2014-08-22 01:38 · Score: 5, Insightful

He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.
If one of those guys gets their hands on it you can forget about using it to hide anything from the government.
1. Re:Yes Google and FB are the ones to protect us? by geekmux · 2014-08-22 01:50 · Score: 3, Funny
  
  He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.
  If one of those guys gets their hands on it you can forget about using it to hide anything from the government.
  "Here's some bugs we've fixed for you guys. Trust us."
  Oh yeah, because the current debug team we can trust so much...
2. Re:Yes Google and FB are the ones to protect us? by LordLimecat · 2014-08-22 02:00 · Score: 4, Insightful
  
  Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government? Or that they cooperate with the EFF, and run ChillingEffects to make people aware of draconian DMCA takedowns?
  Everyone's so eager to lynch the one big corporate ally that OSS / privacy advocates have.
3. Re:Yes Google and FB are the ones to protect us? by cshotton · 2014-08-22 02:23 · Score: 4, Insightful
  
  It would be naive at best to think that Google is the "one big corporate ally that OSS" has. If you want to try and hang that badge on a single company, it's probably IBM. And regardless of the value and quantity of OSS contributions and support, definitely don't make the mistake of thinking that "Google" and "privacy" belong in the same sentence unless it has "doesn't do much to ensure" between those 2 words.
  
  --
  
  Shut up and eat your vegetables!!!
4. Re:Yes Google and FB are the ones to protect us? by mlts · 2014-08-22 02:35 · Score: 4, Insightful
  
  Tor needs a PR boost if that ever is going to happen. As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application, because of abuse.
  No big company is ever going to touch Tor as it stands right now, because of its reputation as a service for criminals (q.q.v. Four Horsemen of the Infocalypse.)
5. Re:Yes Google and FB are the ones to protect us? by Opportunist · 2014-08-22 02:42 · Score: 2
  
  It's a matter of your history. Who'd you trust your child to? A babysitter who spent hundreds of hours and has hundreds of people vouching for her or that scary looking hobo at the corner? Who'd you trust your privacy with? An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
6. Re:Yes Google and FB are the ones to protect us? by flayzernax · 2014-08-22 02:53 · Score: 2
  
  Seriously I'm all for conspiracy FUD, but this seems legit. Who says everyone is in agreement on the same team? It's project where the code is visible to be scrutinized. This means that whoever is submitting back code is submitting good bug fixes. TOR developers aren't morons.
7. Re:Yes Google and FB are the ones to protect us? by gwolf · 2014-08-22 02:58 · Score: 2
  
  I happen to know a highly skilled person working as a security analist. He says his main customer for 0days is the NSA – But this friend has an independent mind and concience (he is not a NSA person, just an outside contractor). I know for a fact he also has worked voluntarily to make the world a better place (i.e. with the "good guys").
  I guess my friend is not the only such analyst. If people like him can sell their work and (in full or in part) leak part of his findings to the underground, privacy-minded networks... Well, I'm sure he will do so.
  And after all, people with such skillset do know how to remain under cover.
8. Re:Yes Google and FB are the ones to protect us? by houghi · 2014-08-22 05:13 · Score: 2
  
  Nowadays it isn't the Chinese governement you need to worry about.
  The issue is that if you rely on companies for your freedom, it is the companies that will get that freedom.
  
  --
  Don't fight for your country, if your country does not fight for you.
9. Re:Yes Google and FB are the ones to protect us? by xvan · 2014-08-22 05:33 · Score: 5, Funny
  
  An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on.
  Mmm... I don't know which applies to google and which to the NSA....
10. Re:Yes Google and FB are the ones to protect us? by ron_ivi · 2014-08-22 10:50 · Score: 2
  
  No surprises here.
  It'd make perfect sense if NSA submits bug reports to Tor for vulnerabilities it knows its competitors are using; while at the same time keeping quiet about the ones it uses itself.
FTFY by Cornwallis · 2014-08-22 01:39 · Score: 2

"Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users as they sell the traversing information to the NSA."
Re:Beware of Greeks bearing gifts.... by Kjella · 2014-08-22 01:45 · Score: 5, Funny

Beware of Greeks bearing gifts....
Shouldn't that be "Beware of geeks bearing gifts...." in this case?

--
Live today, because you never know what tomorrow brings
Another Angle by Talderas · 2014-08-22 01:54 · Score: 5, Insightful

Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

--
"Lack of speed can be overcome. In the worst case by patience." --Znork
1. Re:Another Angle by Anonymous Coward · 2014-08-22 02:06 · Score: 2, Funny
  
  They probably found tachyons or some shit, knowing them.
  Who needs to give a damn about exploiting Tor when you can see the damned future?!
2. Re:Another Angle by jandrese · 2014-08-22 02:31 · Score: 4, Interesting
  
  It's also possible that the NSA is fixing bugs in TOR because their own agents use it for its original purpose.
  
  --
  
  I read the internet for the articles.
Larger Tor Isn't Necessarily Better by macromorgan · 2014-08-22 01:55 · Score: 4, Informative

While I love and appreciate Tor as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places Tor. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the Tor network expands the list of exit nodes remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.
1. Re:Larger Tor Isn't Necessarily Better by mspohr · 2014-08-22 05:20 · Score: 2
  
  Most companies with half a brain have figured out how to block "comment spam".
  (I'll give you one free clue: Blocking TOR has nothing to do with it.)
  
  --
  I don't read your sig. Why are you reading mine?
2. Re:Larger Tor Isn't Necessarily Better by Em+Adespoton · 2014-08-22 11:14 · Score: 2
  
  While I love and appreciate IPV6 as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places IPV6. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the IPV6 network expands the list of proxies remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.
  FTFY.
  In both cases, we're shooting the messenger. And yes, I regularly see IPV6 proxies being blocked, probably for these reasons.
OPSEC by Noryungi · 2014-08-22 01:58 · Score: 5, Insightful

If you are a Tor programmer, and if there are really NSA/GCHQ insiders who actually help you to correct bugs... For Pete sake, just keep quiet about it!!!
Now, both agencies will have to initiate a mole-hunting operation, and you will lose these valuable insiders!
On the other hand, it may paralyze these agencies for months, maybe even years, while they try to figure out who has been leaking invaluable bug information back to the Tor project.
So it might be a wash. Either way, it also probably means that people inside the Puzzle Palace and the Donut are beginning to realize that enough is enough, so that is also encouraging.

--
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
1. Re:OPSEC by timrod · 2014-08-22 02:15 · Score: 5, Interesting
  
  I don't think that these bug reports that the NSA is making are actually leaks. My theory is that these exploits have already been used by the NSA, and are believed to be at the end of their useful life cycle (ie; the NSA suspects that someone else has found the bug and may report it) so they go ahead and report it - it boosts the NSA's image because they're supposedly reporting zero-days, but in reality they're just getting rid of what they don't need anymore.
2. Re:OPSEC by IamTheRealMike · 2014-08-22 05:07 · Score: 2
  
  If you RTFA you'll see that Lewman has zero evidence for this assertion. The headline paints it as a statement of fact but in reality all Lewman knows is there are people who appear to be reading the source code and reporting bugs anonymously. That's it. They could be NSA/GCHQ moles. Or, more likely, they could be anonymity fans who like security audit work. They really have no idea.
Not entirely surprising by Andy+Dodd · 2014-08-22 02:09 · Score: 4, Interesting

The NSA has two directives that often conflict with each other:
1) Protect communications that are critical to our nation's security. This is mostly military/government comms, but they have a role in securing banking and other civilian networks. An example of what comes from this side of the NSA is SELinux - which is now heavily used by Android to provide additional security against malware.
2) Compromise and monitor the communications of our enemies. These guys overstepping their bounds are what has been routinely making the news lately.
While I can't see an obvious reason for the guys in category 1 to want to strengthen Tor, it's possible. (Potentially on behalf of another agency... Think in terms of Tor's use by Chinese dissidents.)
I'm fairly certain the people in categories 1 and 2 don't get along with each other. While in theory their goals should not conflict (one focuses on our enemies, one focuses on strengthening friendlies), the truth is that it's hard for the guys in category 1 to strengthen friends without also making those tools available to our enemies - and the guys in category 2 are routinely overstepping their bounds and attacking friendlies.

--
retrorocket.o not found, launch anyway?
1. Re:Not entirely surprising by qbast · 2014-08-22 02:18 · Score: 2
  
  And to make it even worse - 'friendly' and 'enemy' categories frequently overlap.
2. Re:Not entirely surprising by Mister+Liberty · 2014-08-22 02:38 · Score: 2
  
  Are you sure those are (the) two official NSA directives? They almost can't be, for 2. can entirely be seen as a subset of 1.
  
  Other than that, they (or you?) have a very loose way of using 'our' in 'our nation's security' and 'our enemies'. Do you, personally, consider yourself among 'our' as used here? Not to be personal -- but I am almost certain they do not count you among the 'our'; you see, the NSA's true objective is to protect those of ultimate wealth and power in the US against those without wealth and power in the US.
  If there's one thing that has become abundently clear over the last years, esp. since the banking crisis, and a fortiori since the last year or so, that is it.
secrecy by Jodka · 2014-08-22 02:22 · Score: 2

Tor developer Andrew Lewman says... agents from [NSA and GCHQ ] leak flaws directly to the developers, so they can be fixed quickly.
Why announce that publicly? The NSA and GCHQ will now attempt to to shut down the leaks and arrest the leakers. Even if they fail, it is certain to scare the leakers and make leaking more difficult.

"You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source....
Why give those agencies clues to help them figure out who are the leakers?

--
Ceci n'est pas une signature.
Re:Reading source for months... by mlts · 2014-08-22 02:41 · Score: 3, Interesting

SELinux is a good stab at that. While not 100%, it has helped ensure that a program that manages to get a root context still doesn't have full superuser reign over the system. It isn't simple, but it does a good job at security over previous tools like SUID wrappers.
I wouldn't mind a code review of web browsers and browser add-ons, as those are the first points of contact and generally a primary vehicle for malware to get a foothold.
Re:Beware of Greeks bearing gifts.... by 93+Escort+Wagon · 2014-08-22 06:24 · Score: 3, Interesting

Beware of Greeks bearing gifts....
Remember, the NSA is the group that originally gave us Tor. If I was one of the original developers, and I took pride in my work - it is likely I would continue to help the project improve, even if my employer had changed focus.
Also, remember that the NSA is not just one huge monolithic group with only one task on their plate. I find it easy to believe that some folks there question the wisdom of attempting to cripple security (such as they seem to have done with the elliptic curve ciphers). Plus code breakers and cryptographers are, in general, going to be working at cross purposes - it's the nature of their jobs.

--
#DeleteChrome
Re:Beware of Greeks bearing gifts.... by geekylinuxkid · 2014-08-22 12:47 · Score: 2

Beware of Greeks bearing gifts....
Remember, the NSA is the group that originally gave us Tor.
Incorrect. Onion routing was originally created at the U.S. Naval Research Lab as a way to provide independent, real-time, and bi-directional anonymous connections that are resistant to both eavesdropping and traffic analysis. Tor is the 3rd design of said project, which was originally started in 1996.

I have no idea when the NSA started using onion routing, but I know for a fact that they did not create it.