Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Agents Leak Tor Bugs To Developers

Posted by Soulskill on from the right-hand-thinks-the-left-hand-is-a-jerk dept.

An anonymous reader writes: We've known for a while that NSA specifically targets Tor, because they want to disrupt one of the last remaining communication methods they aren't able to tap or demand access to. However, not everybody at the NSA is on board with this strategy. Tor developer Andrew Lewman says even as flaws in Tor are rooted out by the NSA and British counterpart GCHQ, other agents from the two organizations leak those flaws directly to the developers, so they can be fixed quickly. He said, "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software." Lewman estimates the Tor Project receives these reports on a monthly basis. He also spoke about how a growing amount of users will affect Tor. He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

13 of 116 comments (clear)

  1. Why Facebook or Google? by coldBeer · · Score: 4, Funny

    When the NSA is plugging holes for you...

  2. Yes Google and FB are the ones to protect us? by JeffOwl · · Score: 5, Insightful

    He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

    If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

    1. Re:Yes Google and FB are the ones to protect us? by LordLimecat · · Score: 4, Insightful

      Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government? Or that they cooperate with the EFF, and run ChillingEffects to make people aware of draconian DMCA takedowns?

      Everyone's so eager to lynch the one big corporate ally that OSS / privacy advocates have.

    2. Re:Yes Google and FB are the ones to protect us? by cshotton · · Score: 4, Insightful

      It would be naive at best to think that Google is the "one big corporate ally that OSS" has. If you want to try and hang that badge on a single company, it's probably IBM. And regardless of the value and quantity of OSS contributions and support, definitely don't make the mistake of thinking that "Google" and "privacy" belong in the same sentence unless it has "doesn't do much to ensure" between those 2 words.

      --

      Shut up and eat your vegetables!!!
    3. Re:Yes Google and FB are the ones to protect us? by mlts · · Score: 4, Insightful

      Tor needs a PR boost if that ever is going to happen. As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application, because of abuse.

      No big company is ever going to touch Tor as it stands right now, because of its reputation as a service for criminals (q.q.v. Four Horsemen of the Infocalypse.)

    4. Re:Yes Google and FB are the ones to protect us? by xvan · · Score: 5, Funny

      An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on.

      Mmm... I don't know which applies to google and which to the NSA....

  3. Re:Beware of Greeks bearing gifts.... by Kjella · · Score: 5, Funny

    Beware of Greeks bearing gifts....

    Shouldn't that be "Beware of geeks bearing gifts...." in this case?

    --
    Live today, because you never know what tomorrow brings
  4. Another Angle by Talderas · · Score: 5, Insightful

    Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

    --
    "Lack of speed can be overcome. In the worst case by patience." --Znork
    1. Re:Another Angle by jandrese · · Score: 4, Interesting

      It's also possible that the NSA is fixing bugs in TOR because their own agents use it for its original purpose.

      --

      I read the internet for the articles.
  5. Larger Tor Isn't Necessarily Better by macromorgan · · Score: 4, Informative

    While I love and appreciate Tor as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places Tor. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the Tor network expands the list of exit nodes remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.

  6. OPSEC by Noryungi · · Score: 5, Insightful

    If you are a Tor programmer, and if there are really NSA/GCHQ insiders who actually help you to correct bugs... For Pete sake, just keep quiet about it!!!

    Now, both agencies will have to initiate a mole-hunting operation, and you will lose these valuable insiders!

    On the other hand, it may paralyze these agencies for months, maybe even years, while they try to figure out who has been leaking invaluable bug information back to the Tor project.

    So it might be a wash. Either way, it also probably means that people inside the Puzzle Palace and the Donut are beginning to realize that enough is enough, so that is also encouraging.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:OPSEC by timrod · · Score: 5, Interesting

      I don't think that these bug reports that the NSA is making are actually leaks. My theory is that these exploits have already been used by the NSA, and are believed to be at the end of their useful life cycle (ie; the NSA suspects that someone else has found the bug and may report it) so they go ahead and report it - it boosts the NSA's image because they're supposedly reporting zero-days, but in reality they're just getting rid of what they don't need anymore.

  7. Not entirely surprising by Andy+Dodd · · Score: 4, Interesting

    The NSA has two directives that often conflict with each other:
    1) Protect communications that are critical to our nation's security. This is mostly military/government comms, but they have a role in securing banking and other civilian networks. An example of what comes from this side of the NSA is SELinux - which is now heavily used by Android to provide additional security against malware.
    2) Compromise and monitor the communications of our enemies. These guys overstepping their bounds are what has been routinely making the news lately.

    While I can't see an obvious reason for the guys in category 1 to want to strengthen Tor, it's possible. (Potentially on behalf of another agency... Think in terms of Tor's use by Chinese dissidents.)

    I'm fairly certain the people in categories 1 and 2 don't get along with each other. While in theory their goals should not conflict (one focuses on our enemies, one focuses on strengthening friendlies), the truth is that it's hard for the guys in category 1 to strengthen friends without also making those tools available to our enemies - and the guys in category 2 are routinely overstepping their bounds and attacking friendlies.

    --
    retrorocket.o not found, launch anyway?