Former Tor Developer Created Malware To Hack Tor Users For The FBI

Patrick O'Neill writes: Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago. Since then, he's developed potent malware used by law enforcement to unmask Tor users. It's been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases. The Tor Project has confirmed this report in a statement after being contacted by the Daily Dot, "It has come to out attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware." Maybe Tor users will now be less likely to anonymously check Facebook each month...

Less Facebook?

[Gr8Apes]

Yes, please. Anonymous or otherwise, FB needs to be removed as a main gatekeeper for the masses.

Re:Less Facebook?

[fustakrakich]

Gatekeeper? What are they keeping us from?

Re:Less Facebook?

They're keeping all duh masses inside.

Re: Less Facebook?

Sounds like they're providing a great service then. Keeping us from the dumbasses is fine.

Re: Less Facebook?

Shhh... we are not supposed to let them know they are dumbasses, and yes, they are in /. also

Re:Less Facebook?

Shouldn't you be there too, twitface?

No matter the intelligence and life choices, people are still people.

Broad generalisations like yours out you as one of those you describe =)

Re:Less Facebook?

"Gatekeeper? What are they keeping us from?"

Real life.

Oh please

Cornhusker used a Flash application to deliver a user's real Internet Protocol (IP) address to an FBI server outside the Tor network.

Really, you'd have to be next-level, monumentally stupid to use Tor and allow ANY kinds of plugins to run. Like holy shit, my general browsing habits are more secure than these retards.

Re:Oh please

[SumDog]

> Cornhusker used a Flash application to deliver a user's real Internet Protocol (IP) address to an FBI server outside the Tor network. Cornhusker—so named because the University of Nebraska's nickname is the Cornhuskers—was placed on three servers owned by Nebraska man Aaron McGrath, whose arrest sparked the the larger anti-child-exploitation operation.

So they took control of this guy's servers somehow, and then placed a flash object on all of them. So the only people it would catch are people who proxied their standard browsers via tor or used the tor package ... and installed Flash anyway.

This isn't .. even an exploit really. You could just put a fucking flashed based video player on a .onion and watch the logs.

Re: Oh please

Keep in mind they are going after paedophiles. Getting them by any means necessary is suitable. And this is mild, oh so mild, opposed to the measures I'd take if instructed to unmask these chi-mo's.

Re: Oh please

[meerling]

And you're just the type of person they want to hire. Someone who believes that the ends justifies the means, just like Stalin, and Hitler, and Mao, and Pol Pot, and so many others... Sure, they were a bit more violent, but they didn't start off with murdering people they don't like in the dark, they started off by convincing people that the ends justified the means.

Re: Oh please

and fucking JUDAS.

The only way this shitstain keeps his head if I meet him is if he convinces me they were going to send his mom and sisters to federal PIMA prison if he didn't comply.

Otherwise, there is a special circle in Hell for moral cripples like this.

Hope those 40 pieces of silver bought you a whole lot of new shiny for your broken ego.

Re: Oh please

Lol internet tough guy. If you meet him, you will try to sneak your way out of a confrontation. Nerds, always so belligerent when safe behind a keyboard. Are you trying to make up for all the humiliations you have been put through?

Re: Oh please

> Stalin, and Hitler, and Mao, and Pol Pot,
>Sure, they were a bit more violent

I think this is the funniest understatement I will come across in my lifetime!

Re: Oh please

Says the anonymous coward.

Post your name and we'll see how non confrontational I am mother fucker.

Re:Oh please

[Dr.+Evil]

"This isn't .. even an exploit really. You could just put a fucking flashed based video player on a .onion and watch the logs."

It's entirely possible that Matt said the exact same thing to his bosses.

It makes the ethics of what he did a bit less clear to me. He spent years telling people how to be secure on Tor, then spent a few more unmasking those who didn't listen.

Re:Oh please

[tlhIngan]

It makes the ethics of what he did a bit less clear to me. He spent years telling people how to be secure on Tor, then spent a few more unmasking those who didn't listen.

No, I think that's actually perfectly valid.

Because if you want to protect your anonymity, you have to take steps to do so. Tor is not a magic bullet, it has known flaws since the beginning (e.g., exit nodes) and doing stupid things will make you readily identifiable.

In fact, too many people are using Tor as a tool improperly - it's like using encryption improperly. You get a false sense of security when in reality you're making yourself plainly visible. Or using HTTPS and storying your passwords in plain text

No, "just use Tor" will not make you magically anonymous, especially if you immediately go and log into Facebook and Amazon and everywhere else. But too many people believe it will and blithely continue using the 'net as if Tor magically anonymizes them.

So demonstrating that people are stupid isn't a crime - in fact it should be published far and wide so people using it know what people can get at.

Re:Oh please

[bmo]

This isn't .. even an exploit really. You could just put a fucking flashed based video player on a .onion and watch the logs.

Prisons are generally full of people who aren't smart enough to cover their tracks well enough, or not run Flash.

Catching enough low-hanging fruit as a cop makes you look efficient.

--
BMO

Privacy

[Smiddi]

All your privacy are belong to us - "the" FBI

Gee I wonder why.

Perhaps you don't know Tor's history?

The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online. Onion routing was further developed by DARPA in 1997.[17][18][19]

The alpha version of Tor, developed by Syverson and computer scientists Roger Dingledine and Nick Mathewson[20] and then called The Onion Routing project, or TOR project, launched on 20 September 2002.[1][21] On 13 August 2004, Syverson, Dingledine and Mathewson presented "Tor: The Second-Generation Onion Router" at the 13th USENIX Security Symposium.[22] In 2004, the Naval Research Laboratory released the code for Tor under a free license, and the Electronic Frontier Foundation (EFF) began funding Dingledine and Mathewson to continue its development.[20]

In December 2006, Dingledine, Mathewson and five others founded The Tor Project, a Massachusetts-based 501(c)(3) research-education nonprofit organization responsible for maintaining Tor.[23] The EFF acted as The Tor Project's fiscal sponsor in its early years, and early financial supporters of The Tor Project included the U.S. International Broadcasting Bureau, Internews, Human Rights Watch, the University of Cambridge, Google, and Netherlands-based Stichting NLnet.[24][25][26][27][28]

From this period onwards, the majority of funding sources came from the U.S. government.[20]

Tor is now, and has always been, and will always be compromised.

Despicable traitor

[ptaff]

Acting for your own paycheck instead of thinking about what's best for humanity, Matt? You're a despicable little traitor, Matt. Let's hope you like the surveillance society you contributed to, Matt, and I hope you already know you'll be stalked by the FBI for the rest of your life, Matt.

Re:Despicable traitor

Technically, any security software should be made with the assumption, and hardened or designed against, any of it's developers working for another team. Nothing security wise can make assumptions based off human social standing.

Re:Despicable traitor

[TheGratefulNet]

the only time I could excuse such traitorous behavior is if you had NO other choice but to go work for the enemy.

I've been in life situations where I could not find a job (almost at that point, now, sad to say) and if I was on my last month's savings and faced homelessness, I'd do whatever I had to, to keep a roof over my head. I'm over 50 and in the software field, its now 20x as hard to get a job as it was when I was just 20 years younger. I could see myself having to take just ANYTHING to keep income flowing.

but this guy - is he like that? is he on the 'do not hire because he's too old and expensive' list? is he of the 'wrong' race for the area of country he lives in?

I kind of doubt that he's in my situation, having to think long and hard about taking ANY job offered, just to stay alive.

I think of people who choose to work for evil corps as traitors (google is a shining example; google steals your info and no one knows where, exactly, it ends up). anyone working for google is helping the enemy in more ways than one. and I doubt there is a single 'hard luck case' at google who HAD to take the google job just to keep a roof over his/her head. its laughable, when you think of this example.

but I do see people my age and of my race who simply will take any job offered since the job offers come only a handful of times a year, if even that, and the 'contract to perm' promise that is all the rage for my age group never pans out and we're always back on the job search in just a few month's time.

my heart goes out to people like this who have no choice.

and I dispise, deeply, those who had a choice and still chose to work for the bad guys.

Re:Despicable traitor

[inode_buddha]

remember back when l0pht got bought out? Or CDC? Yeah, stuff like that is why I didn't pursue security as a career.

Re:Despicable traitor

[rmdingler]

I think they worked it out in Live Free or Die Hard.

Re:Despicable traitor

Lol, so basically what you are saying is that your opinion is the right one and anyone that disagrees is a traitor.

This is exactly why debating on slashdot is stupid... 99% of the comments espouse some sort of black-and-white view of the world while simultaneously insulting all other views.

Re:Despicable traitor

Developing open source software doesn't always put food on the table.

Re: Despicable traitor

I disagree with your stupid comment.

Re:Despicable traitor

[CaptainDork]

I don't think the FBI is the big fear.

It's a big world out there and stuff.

Re: Despicable traitor

"What's best for humanity?" LOL. Who appointed you as the speaker for all humanity? Go ask the man in the street his mind, little nerd. THAT is humanity. And traitor to whom or what? There is no war. There are no battles, no soldiers, no weapons. The law is simply evolving and so is law enforcement. Don't like it? Then confront it on the only field that matters: politics. Techno-toys will never cut it.

Re:Despicable traitor

You guys are hilarious.

>and I hope you already know you'll be stalked by the FBI for the rest of your life, Matt.

Yeah, don't think so.

http://www.thinkbrg.com/professionals-matthew-edman.html

Dr. Edman previously worked as a lead cyber security engineer for a federally funded research and development center, [probably MITRE] where he provided specialized computer network security research and development to federal law enforcement on a number of cases. He has been recognized within law enforcement and the United States Intelligence Community as a subject-matter expert on cyber investigations related to anonymous communication systems, such as Tor, and virtual currencies like Bitcoin [helped take down Silk Road guy]. As part of his work, he assembled and led an interdisciplinary team of researchers that developed a state-of-the-art network-investigative technique that was successfully deployed and provided critical intelligence in multiple high-profile law enforcement cyber investigations.

Re:Despicable traitor

[IamTheRealMike]

I suspect you're overlooking a more likely possibility on the grounds that you wouldn't like it - maybe he decided to turn on Tor because he eventually realised he didn't agree with how it was being used or run. A guy with his skills could clearly get well paid work in other fields, after all.

Re:Despicable traitor

Also, it's not like he used his position to sabotage Tor itself. Exploited knowledge not many others have, maybe, but that means one less hidden vulnerability that would otherwise have remained unfixed for longer.

Part of accepting an idealised, anonymous world is that you need to give up the idea of trusting individuals and rely on the design of the system. It's irrational to get angry about someone working for both sides.

Re:Despicable traitor

[DRJlaw]

I think of people who choose to work for evil corps as traitors (google is a shining example; google steals your info and no one knows where, exactly, it ends up).

You can't betray a cause that you never chose to join in the first place. Traitor is not a synonym for "people who never pretended to care about my principles."

I could see myself having to take just ANYTHING to keep income flowing.

Yeah... you have no business throwing stones.

I dispise, deeply, those who had a choice and still chose to work for the bad guys.

Well there's an inconsequential thought to start my day.

Re: Despicable traitor

I completely agree with your comment about the prior comment being stupid. However I disagree with your disagreement about the prior stupid comment.

Why are people willing to give up anonymity?

Even on Slashdot, I'm startled by the people willing to give up anonymity.

When the FBI wanted Apple to unlock the terrorist's phone, people pointed out that encryption wasn't the problem. They said that terrorists evaded detection with burner phones. The response, of course, is to require identification to use a prepaid sim card. It's trading away anonymity to retain privacy.

I'm also disappointed at how many people would like to get rid of anonymous posting. There are people who abuse anonymity, sure, but is it worth giving up anonymity to silence trolls?

Free speech often isn't free. The only kind of speech that needs protection is the kind of speech that offends someone. If nobody is offended, the speech won't be censored and the person speaking won't face retribution. The most threatened type of speech is the kind that benefits most from anonymity.

Re: Why are people willing to give up anonymity?

It's not like we're willing to give up anything. We're just being practical: anonymity is going away whether we like it or not, we might as well be on the winning side. When you know your side is losing you can do two things: you can keep fighting and ultimately lose it all (which may sound brave but is ultimately foolish) or you can understand that you may lose some and gain some, and see what you can win instead. There are two sides to a coin, you see, and only children or adults with a childish mindset can only see one. We're willing to sacrifice anonymity now instead that after a prolonged and doomed battle so that we can have other things that would be denied to us if we lost utterly. I'm deeply sorry for those of you who cannot escape their black and white morality. It's a thing for simpletons. Get over it.

How all conspiracies fail

A single Judas in your midst, and it all falls down.

While this tends to mean no networks are immune from the government intrusion, it also means no government network is secure either.

Your move.

Anonymous attack?

[tezbobobo]

I wonder if he'd be less likely to continue the work is a hacker collective attacked and destroyed his personal privacy.

Re: Anonymous attack?

I wonder if that hacket collective would be the same that went against Amazon and lost, went against credit cards companies and did no damage, went against Trump and nobody noticed, declared war on the Zetas only to back down immediately, then did the same with IS and nothing came of it. :) Nothing, that is, but some members of that "collective" arrested. They ratted out before they could even get hold of a judge. :)

Liberty seems to be a vice the FBI cannot endure

[AutodidactLabrat]

Well surprise, the FBI had broken into your favorite tool
Did you think you were ever going to speak freely?
Not in this country.

They would be fools not to

[rmdingler]

It is a pretty safe assumption that the governors have employed a crap ton of former industry specialists to their advantage in every era, and during every new wave of opportunistic technology.

In the same vein that you have a right to employ secure encryption, the spooks have a duty to decrypt it. There really is a national security interest in this now that every nation on earth is involved in it or interested in being so.

The trick is to constantly remind the folks with the unlimited budgets that they work for us.

Compartmentalize

Is IF/WHEN you're hired to write either ONLY interfaces OR portions of a ware (as in a subsystem) BUT NOT THE ENTIRE THING...

* "Been there, done that" in my career & I wondered WHY things were done that way during them (& when I asked/complained since knowing the BIG PICTURE helps too? I was told I didn't need to know)...

APK

P.S.=> You build a piece of a larger whole but you never see the ENTIRE 'machine' (ware) @ work OR what it's for... apk

Re:Compartmentalize

No offence APK but you're actually making sense today. Whatever you're doing (meds, yoga, whatever), keep doing it!

Re:Compartmentalize

No, asshole APK, you just don't work for those motherfuckers. Ever.

I could have earned a lot more money over the last 40 decades coding for the military industrial/security complex, but I have too much self-respect. I started out during the military buildup of St. Reagan the Senile, when they were giving away massive salaries (with caviar; literally true) at the job fairs while his ilk invented the US homelessness problem to balance the budget (that they never bothered to balance).

If you take their nickel, you're complicit. Get it?

If that isn't clear to you, go look up "agentic state" and see if you are one of the few who can save yourself from that state. The best way is not to get there in the first place.

"Humanity was my business!" "I wear the chain I forged in life." - Jacob Marley

come to "out" attention????

???

Tor users... have something to hide

Really, I get the whole "mah privacy" thing, but if you use tor, it's obviously because you have something to hide.

Re:Tor users... have something to hide

[CaptainDork]

Said the AC.

Re:Tor users... have something to hide

Really, I get the whole "mah privacy" thing, but if you use tor, it's obviously because you have something to hide.

Well, depends on what you mean by hide..
The last couple of times I've fired up the tor browser, I've used it to access a site which is geoip blocked here, so yes, I'm hiding the fact that I'm in country x where the owners of the site, for whatever reasons, don't want me to see its content based on where I live.
Prior to that, mainly used tor to access to torrent search engines which have been blocked by ISPs here at the behest of the MAFIAA via court orders.

So yeah, something to hide, really deep scary dark secrets and all that shit..

Re:Tor users... have something to hide

I use it to access The Pirate Bay.

The ISPs here null-route it thanks to a lawsuit.

We are all bounty hunters now

[bretts]

Whoever pays the highest rate wins our (temporary) loyalty. Welcome to society where no one agrees on a set of values.

do7l

develop8ent models at times. From polite to bring many users of BSD

old news is old

Tor has always been funded by the CIA/Navy.. It has been infiltrated since day 1

Hang him as a traitor.

[thedarb]

Subject says it all.

Re:Hang him as a traitor.

One of my favorite lines in World of Warcraft was a simple "Get a rope."

Re:Hang him as a traitor.

You do realize he was working to expose Child Porn scumbags, right?

Audit Time! Time to audit Tor!

Just as there was an audit (or two) for TrueCrypt, I say it's time for an audit of Tor!

The same goes for the mysterious developer's project known as "Tails".

h e l l o t h e r e

I really wish

people would

stop

posting like this.

I know it's

easier to get

more views this way

but it's annoying.

Is Sabu still on daily dot?

[zedaroca]

I stopped reading the daily dot because they started paying Sabu (the anonymous snitch that put Hammond in jail). Did they kick him out? Even with adblockers I don't feel comfortable entering their domain.

It's disgusting to see an article about a traitor in a website that has one in their payroll.

Be careful what you ask for.

[westlake]

I wonder if he'd be less likely to continue the work is a hacker collective attacked and destroyed his personal privacy.

I wonder how difficult it would be to penetrate a Slashdot alias to make life a little more miserable for the agent provocateur.

The "hacker collective" is, by the way, widely despised beyond the inbred circles of Slashdot. When one is torpedoed the sound you are mostly to hear is applause. I don't expect that to change no matter which way the elections go this fall.

The victim of the retaliation you suggest could be drawn into something like the witness protection program. That would set a precedent that could cost the geek dearly somewhere down the road.

Lock'im up

He hacked, so he's a hacker, so a criminal, so must be locked up. It's the law.

Re:Lock'im up

He'll go to jail when Tommy Tongyai goes to jail. Which is to say never, because punk asshole spies get protected by the mothership. Not trusted, but protected.

Go read up on how Benedict Arnold made out in England after he sold out West Point. Brief answer: not well, his own handlers hated and distrusted him.

Gaze on the face of Judas Matt Edman

An ugly fucker with a head like a hemorrhoid http://www.dailydot.com/politi...

This scumbag?

Who, this man? http://www.thinkbrg.com/professionals-matthew-edman.html#Overview

false assumptions here

people here are assuming that this guy has sacrificed ethics for money.

those who are assuming this are assuming it from a belief that their own ethical discernment is the one true way.

that sounds a bit religious to me, i don't think it's that clear cut. i can see a good argument for both sides of this debate.

"The opposite of a fact is falsehood, but the opposite of one profound truth may very well be another profound truth." ~nils bohr

Not my point - more detail now... apk

See subject: Doing compartmentalizing no 1 man "knows it all" about a program IN DETAIL, so those looking to hire away a developer of such a program in order to subvert it CANNOT DO SO AS EASILY, if at all.

* Typically in software development that's NOT how it's done since it's GOOD for anyone on a larger project that has teams writing it to KNOW what the other parts do & in a GOOD software shop, you do code reviews of othes' work too & do get familiar with it that way also, PLUS, since you often have to interact with others' code routines also anyhow & LEARN what they're doing (you have to in order to work with it effectively + correctly).

(MAYBE only 1 guy does (who sometimes codes, sometimes not) - a Business/Systems Analyst OR team lead (that would be the WISEST to go after imo IF he can code himself - anyone else is useless for "reverse engineering" or vulnerability exploitations, imo) - but again... to stop this happening? What I noted DOES help...)

I also don't write wares to hurt others. I do QUITE the opposite in fact.

I write wares to empower people speeding them up, securing them better, making them more anonymous (to a degree), + more reliably connected online -> https://news.slashdot.org/comm... & I do it absolutely gratis, no strings attached.

Lastly - Imo @ least based on calling me a-hole?

You seem to THINK I did things like this article to WRECK security of a ware or 'hack it' etc. - no, I have not.

I have, however, done work in code for the "Military Industrial Complex" or their contracted companies @ times on contracts.

I have, however, been part of teams over a 23++ yr. long career professionally as a software engineer/programmer-analyst where I saw it done (hindered me imo) compartmentalizing with GOOD reasons now that I think about it putting myself in the companies' shoes that did it this way to protect their investments OR personal data of others, by being given datasets to work on that made little sense to me minus having knowledge of what it was doing OR for what (largely to do with personal data of others like payrolls that was 'faked' playground stuff to test if the code worked right @ all OR just a subsystem portion that was more 'tech' in nature for hardware interfaces - to protect intellectual property the way I said in fact)... that was the point of it being done thus.

Additionally: "40 decades"? What's your secret, "Highlander"??

APK

P.S.=> BOTTOM-LINE: Perhaps I didn't express myself as well as I should've that you misunderstood my point thus, per my subject... but, I'm no asshole to point out how to stop what happened to TOR by doing that - I don't even use TOR myself by the way (too slow when I tried it LONG ago just to see how it was) but I do NOT agree with it being done (other than it can help shore up deficiencies in it to correct them IF they are made public knowledge, this article says they're not) - yes, morons & "terrorists" & sickos + troublemakers use TOR quite often (nothing I can do about that) - yes, I don't like that either but that's how it goes quite often... good things get abused too for "the bad" (purely relative terms depending on what point of view you have)... apk

Re: Not my point - more detail now... apk

You're an asshole for saying "wares" a million times.

Probable Quote

[ThatsNotPudding]

"Yeah, it runs in the family; grandma turned in Anne Frank's family, so my decision was a no-brainer. The law is the law, you know."

Former Tox Developer Created Malware too!

Former Tox Developer Created Malware To Hack Tox Users For The FBI

https://slashdot.org/submissio...

https://github.com/Tox/tox.cha...

Former "Tox" Developer Created Malware too!

[aatestaa]

https://slashdot.org/submissio... https://github.com/Tox/tox.cha...

Re:Former "Tox" Developer Created Malware too!

[aatestaa]

https://github.com/Tox/tox.cha...

Despicable propaganda "story"

[gweihir]

First, why would any activity to break Tor cause people to use it less? Is the submitter implying that it is better to keep your mouth shut and cower in a corner? Seems to me he is.

Second, anybody that accesses FB via Tor is already known and identified when they log in because FB knows how they are. Keeping that in mind, the last sentence of the "story" could not be any more stupid, unless the submitter is actively trying to spread fear. Again, I think he is.