Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Agents Leak Tor Bugs To Developers

Posted by Soulskill on from the right-hand-thinks-the-left-hand-is-a-jerk dept.

An anonymous reader writes: We've known for a while that NSA specifically targets Tor, because they want to disrupt one of the last remaining communication methods they aren't able to tap or demand access to. However, not everybody at the NSA is on board with this strategy. Tor developer Andrew Lewman says even as flaws in Tor are rooted out by the NSA and British counterpart GCHQ, other agents from the two organizations leak those flaws directly to the developers, so they can be fixed quickly. He said, "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software." Lewman estimates the Tor Project receives these reports on a monthly basis. He also spoke about how a growing amount of users will affect Tor. He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

6 of 116 comments (clear)

  1. Yes Google and FB are the ones to protect us? by JeffOwl · · Score: 5, Insightful

    He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

    If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

    1. Re:Yes Google and FB are the ones to protect us? by xvan · · Score: 5, Funny

      An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on.

      Mmm... I don't know which applies to google and which to the NSA....

  2. Re:Beware of Greeks bearing gifts.... by Kjella · · Score: 5, Funny

    Beware of Greeks bearing gifts....

    Shouldn't that be "Beware of geeks bearing gifts...." in this case?

    --
    Live today, because you never know what tomorrow brings
  3. Another Angle by Talderas · · Score: 5, Insightful

    Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

    --
    "Lack of speed can be overcome. In the worst case by patience." --Znork
  4. OPSEC by Noryungi · · Score: 5, Insightful

    If you are a Tor programmer, and if there are really NSA/GCHQ insiders who actually help you to correct bugs... For Pete sake, just keep quiet about it!!!

    Now, both agencies will have to initiate a mole-hunting operation, and you will lose these valuable insiders!

    On the other hand, it may paralyze these agencies for months, maybe even years, while they try to figure out who has been leaking invaluable bug information back to the Tor project.

    So it might be a wash. Either way, it also probably means that people inside the Puzzle Palace and the Donut are beginning to realize that enough is enough, so that is also encouraging.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:OPSEC by timrod · · Score: 5, Interesting

      I don't think that these bug reports that the NSA is making are actually leaks. My theory is that these exploits have already been used by the NSA, and are believed to be at the end of their useful life cycle (ie; the NSA suspects that someone else has found the bug and may report it) so they go ahead and report it - it boosts the NSA's image because they're supposedly reporting zero-days, but in reality they're just getting rid of what they don't need anymore.