Russia's Plan To Crack Tor Crumbles
mspohr writes: It looks like Russia's effort to crack Tor was harder than they anticipated. The company that won the contract is now trying to get out of it. Bloomberg reports: "The Kremlin was willing to pay 3.9 million rubles ($59,000) to anyone able to crack Tor, a popular tool for communicating anonymously over the Internet. Now the company that won the government contract expects to spend more than twice that amount to abandon the project. The Central Research Institute of Economics, Informatics, and Control Systems—a Moscow arm of Rostec, a state-run maker of helicopters, weapons, and other military and industrial equipment—agreed to pay 10 million rubles ($150,000) to hire a law firm tasked with negotiating a way out of the deal, according to a database of state-purchase disclosures. Lawyers from Pleshakov, Ushkalov and Partners will work with Russian officials on putting an end to the Tor research project, along with several classified contracts, the government documents say."
Are we forgetting some zeroes in this article? If it was so easy to break Tor that $59,000 would get the job done, I imagine that it would already be widely known how to crack it. That's less than the price of hiring a single coder for a year.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Large issue not just in Russia, but all Governments. "We want you to do X" becomes a contract to do exactly "X" without anyone questioning what A-W will be required to get to X. Also, is X required or can we get by with W?
If that seems convoluted, apologies, and I can try to think of better descriptions.
Obviously this company agreed to do X. Sounds to me like in Russia you have to actually meet your contractual obligations. Unlike the US which would allow overruns, partial plans, and decades of runaround until the project was cancelled. (Nope, I would rather be in the US than the USSR but if we don't admit our own problems we look like idiots complaining about others).
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
So they already cracked it and now they are trying to stage a very public fiasco in order to convince everybody it is still safe. *dons tinfoil hat*
It's only failed because the NSA has taken over many of the end-points. Onion routing itself is not "broken" nor has it "failed". There are plenty of areas of it that are very secure and very difficult to break. Some of the high profile cases were because of stupid mistakes that the site owners made (mixing email accounts/user IDs/other identifying information with external sources).
For a long time in my mind there's been no doubt that Tor is broken, at least with respect to the powers available to the United States and its allies. Think about it. There are nowhere near a million Tor nodes and even fewer exit nodes, and a million servers is a rounding error in the DoD black budget for a year.
Sure, non DoD Tor nodes exist, but what % of them are p0wned? I'll hazard a guess; just that % required to make it statistically implausible that, combined with traffic analysis, context gleaned from exit nodes, a handful of zero-days etc. etc., no one can use Tor and expect sustained anonymity from the government.
I actually think that's a good thing. Hear me out. For the general Tor user who just wants their ISP, nosy Shark Wire aware neighbor, political opponents, large corporations, website owners and various databrokers to fuck off, they have what they want. For dissidents in oppressive nations, those nations probably can't muster the resources to de-anonymize Tor users. For very bad people who want to do very bad things, we can get them, with some effort.
I know this is a minority opinion, but I think that the opposing opinion is regressive. Once, it wasn't possible for a small group of non-nation-state individuals to wreak mayhem on millions of people at once.
Once, the amount of badness that could be achieved by Bad Guys was a trade-off between the number of people the Bad Guys wanted to affect, the number of people the Bad Guys could enlist to help them and the degree of severity of the Badness itself. Not any more. This changes everything.
We are living more and more in a world in which a few or even one really fucked up person can reach out and kill. This is nothing but the advancement of technology, and it's not going to stop. That means the power of small groups gets larger and broader even as the size of that group spirals down to one.
How are we going to counter this general phenomenon? I agree that giving any government unchecked, unobservable, unlimited powers is always a bad idea. (Ironically, I believe this because of the actions of members of administrations who profess to want to "get government off our backs" and told us "government isn't the solution, it's the problem" - Oliver North, James Secord, Dick Cheney, Alberto Gonzales etc. etc.)
But in the face of this hypothetical and not-always hypothetical threat we still have the facts on the ground with respect to advancing technologies and the leverage it gives just anyone.
I don't think the answer is to limit the power of government. We need that power to exist. I think the answer lies in the people being able to hold the government accountable and their actions rendered transparent to a degree that would shock most people today, both in and out of government. We need to radically re-think the national security 3rd-rail issues like national security classifications, clearances, Presidential directives, etc. etc.
It will tear this country apart if the government continues to do what it knows it needs to do in order to avert terrorism and societal chaos and the people continue to feel like they have no faith in the integrity of the processes and powers of the government - that it could at any moment turn the death ray on them, and probably will. That whole dynamic, the whole world view needs to be addressed and not just addressed but actually resolved by some radical out of the box thinking no one has done yet.
We can have both security and freedom, but it's not going to just arise naturally by continuing on with the status quo conceptual categories we are using now.
But some fool was stupid enough to take the contract and not be able to deliver.
So either they successfully cracked it and are done and want to look like they failed. Or they actually failed to crack it and they want out of the deal. Either way, we know nothing more. This article offers no useful information at all.
I'm pretty sure the only reason the "editors" accepted this story was for the ISR joke.
The first thing you would want to do is convince everyone else that you failed.
Attacks on TOR invariably work through good old social engineering or browser hacks. I have yet to see an article where someone was successfully tracked through TOR itself instead of some out of band attack. TOR itself isn't the problem, it's the users.
TOR can't help you if you run some random executable that some random guy on the drug trading message board asked you to run. Believe it or not, this is apparently a very common way for the FBI to catch TOR users, simply asking them to run a Trojan.
TOR hasn't failed, but it is not a magic bullet either. It is but one piece of a security system.
I read the internet for the articles.