Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tor Project Says It Can Quickly Catch Spying Code

Posted by timothy on from the diffing-and-flagging-aren't-just-breakdance-moves dept.

itwbennett writes: The Tor Project, which provides more anonymous browsing across the Internet using a customized Firefox Web browser. is fortifying its software so that it can quickly detect if its network is tampered with. To address worries that Tor could either be technically subverted or subject to court orders, Tor developers are now designing the system in such a way that many people can verify if code has been changed and 'eliminate single points of failure,' wrote Mike Perry, lead developer of the Tor Browser, on Monday. 'Even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue,' said Perry.

34 comments

  1. Re:not a single comment hour later? by Anonymous Coward · · Score: 1

    Posted by timothy on Tuesday March 22, 2016 @09:26AM from the diffing-and-flagging-aren't-

    by sittingnut (88521) on Tuesday March 22, 2016 @09:24AM

    Maybe you should wait until things are actually posted to try your awkward nerd-shaming attempt.

    As for this, of course Tor can detect organized intrusions, it was built to allow dissidents a way to communicate with US contacts when the weight of a technologically advanced country is trying to stop the communications. The designers started from the expectation that the enemies trying to break the system would have the same types of resources that they had when setting it up, but 5 to 10 times as much of all of it.

  2. Would be nice if... by elixircode · · Score: 3, Interesting

    Would be nice if they called out the malicious nodes when they're detected as a deterrent against future attacks. Yes, I'm thinking about CMU as I write this.

    1. Re:Would be nice if... by Errol+backfiring · · Score: 1

      What is a CMU?

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    2. Re:Would be nice if... by Anonymous Coward · · Score: 0

      http://www.cmu.edu/

      They often participate in Research and mess around with traffic.

    3. Re:Would be nice if... by Anonymous Coward · · Score: 0

      Carnegie Mellon University

    4. Re: Would be nice if... by Anonymous Coward · · Score: 0

      CMU is many things:
      https://en.m.wikipedia.org/wiki/CMU
      Note, it is not Coal Miners Union.

    5. Re:Would be nice if... by Anonymous Coward · · Score: 0

      They do. The developers assign a BadExit flag to bad relays (exit or not). The problem is knowing that a relay is malicious, which is why the CMU's relays never got the flag.

    6. Re:Would be nice if... by Anonymous Coward · · Score: 0

      They often participate in Research and mess around with traffic.

      That's like saying a hurricane is a little moist. Carnegie Mellon University was paid $1 million by the FBI to unmask the true IP addresses of Tor hidden sites and visitors thereto. CMU is a hostile entity and should be treated as such, from now on.

  3. Deja Vu? by Anonymous Coward · · Score: 0

    > can verify if code has been changed

    Was it the same cat? It happens when they change something...

    1. Re:Deja Vu? by Anonymous Coward · · Score: 1

      #!/bin/bash

      lastKnownGoodBuild=$1
      someBuildInQuestion=$2

      if [ "$(sha256sum $lastKnownGoodBuild | cut -c 1-64)" == "$(sha256sum $someBuildInQuestion | cut -c 1-64)" ]; then

              echo -e "\n\e[1;32mSucess: The two files have equal sha256sum's !!\e[0m\n"

      else

              echo -e "\e[1;31mFail: The two files have DIFFERENT sha256sum's !!\e[0m"
              echo -e ""
              echo -e "Sha of file1 = $(sha256sum $lastKnownGoodBuild | cut -c 1-64)"
              echo -e "Sha of file2 = $(sha256sum $someBuildInQuestion | cut -c 1-64)"

      fi

  4. Re:not a single comment hour later? by Anonymous Coward · · Score: 0

    Probably because this is one of the blandest news stories I have ever seen.... it basically narrows down to: "Tor says it won't add software backdoors" ... but the editor wrote 500 words of crap on this subject chasing his tail

  5. misleading title by Anonymous Coward · · Score: 0

    the tor blog post says that tor won't add a backdoor... the CSO article just invented the title

  6. Re:This by Anonymous Coward · · Score: 0

    I'm assuming this was downvoted by somebody else who uses the same trick and doesn't want the moderators to see how easy it is.

  7. how is tor still relevant by Anonymous Coward · · Score: 0

    I thought DARPA developed this. How is this securing users FROM the government? How fucking stupid are sheep?

    1. Re:how is tor still relevant by Anonymous Coward · · Score: 0

      How sheep are you to call people sheep?

      What is this, 1992? 30 AD?

    2. Re:how is tor still relevant by Anonymous Coward · · Score: 0

      DARPA also created the internet, but we use that too under the believe that we have some semblance of security while we do so. At least under certain circumstances.

    3. Re:how is tor still relevant by AHuxley · · Score: 1

      Considering its origins and funding?
      US government increases funding for Tor, giving $1.8m in 2013
      http://www.theguardian.com/tec...
      How is this securing government backed users and their tasks globally?
      The need to communicate with network promoting color revolutions vs the role of US federal law enforcement to track back to an original ip.
      Secure enough to still offer communications to shape, direct and project US foreign policy, still able to be trackable by federal US law enforcement...
      For all that to work a growing, larger user base in needed to offer cover for the more important communications to the backers of say a color revolution or well funding international NGO pushing for another regime change.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:how is tor still relevant by gweihir · · Score: 1

      You thought wrong. Roger Dingledine did the R&D and his story how he came to be funded by DARPA for a while is pretty interesting. At least it was when I asked him about it 15 years ago. So no, not a DARPA project, just some DARPA funding at one time and nobody ever kept that secret.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Re:not a single comment hour later? by Anonymous Coward · · Score: 0

    Sorry it took me so long, dude. My Tor client detected that it had been tampered with and shut itself down.

    I had to go buy a new laptop since I couldn't trust the old one anymore. Then I had to find my Gentoo Live USB, verify that the tamper tape was still in place, and rebuild the Gentoo OS from my local source repository. Then I could rebuild my Tor client from the same source repository.

    Once that was all done, I could safely go online to update my source repository (hadn't done that in over a year). Only then could a rebuild an up-to-date Gentoo OS and Tor client. Whew.

    So, no worries, I'm here now. What did you want to chat about?

  9. Re:not a single comment hour later? by AmiMoJo · · Score: 1

    This is indeed excellent news, I'm just not sure there is much to say about it other than that.

    Plus we just had a terror attack in Europe, so Tor will probably be banned here next week anyway, even though no-one used it. The security services can't let a good opportunity go to waste.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  10. Tor Streaming? by LWATCDR · · Score: 1

    I have not searched many onion sites but it seems to me that tor would be a great place for a pirate radio station or a "Big Time Television Network esq" video network.https://en.wikipedia.org/wiki/Max_Headroom_(TV_series)
    But I have never seen or heard of one. Too bad since it would be a nice change of pace from all the drugs, porn, and weapons dealing on the TOR network.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  11. "a government or a criminal" by lambsonic · · Score: 1

    Spoken together more and more in the same breath.

    --
    # make clean sig
    1. Re:"a government or a criminal" by gweihir · · Score: 1

      Very true, and done with good cause.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Re:This by Anonymous Coward · · Score: 0

    Having used tor to post on slashdot, I'm impressed that you managed to find usable exits within only a few minutes, it usually takes me 30 minutes + to find one that hasn't either been banned or is on cooldown from other people posting from that IP.

  13. Re:not a single comment hour later? by sittingnut · · Score: 1

    i posted after 1 hour, after seeing the story on front page below 2 others posted later with over 10 comments in them.

     

  14. Re:This by Anonymous Coward · · Score: 0

    Hmm, in the past I'd had similar troubles but today it worked pretty much straight away. I kept getting "resource longer available" and had to refresh once or twice, but other than that a single "SIGNAL NEWNYM" is all it took for each post.

  15. Re: not a single comment hour later? by Anonymous Coward · · Score: 0

    What compiler and libraries do you use? How do you know they aren't compromised?

  16. Re: not a single comment hour later? by Anonymous Coward · · Score: 0

    OMFG! You mean I have to do this all over again! I'm never going to get to participate in this Slashdot discussion.

    Hold on, BRB...