Slashdot Mirror


Developer Of Anonymous Tor Software Dodges FBI, Leaves US (cnn.com)

An anonymous reader quotes a report from CNN: FBI agents are currently trying to subpoena one of Tor's core software developers to testify in a criminal hacking investigation, CNNMoney has learned. But the developer, who goes by the name Isis Agora Lovecruft, fears that federal agents will coerce her to undermine the Tor system -- and expose Tor users around the world to potential spying. That's why, when FBI agents approached her and her family over Thanksgiving break last year, she immediately packed her suitcase and left the United States for Germany. "I was worried they'd ask me to do something that hurts innocent people -- and prevent me from telling people it's happening," she said in an exclusive interview with CNNMoney. Earlier in the month, Techdirt reported the Department of Homeland Security wants to subpoena the site over the identity of a hyperbolic commenter.

21 of 323 comments

  1. Power corrupts... by boa · · Score: 4, Insightful

    "Unlimited power is apt to corrupt the minds of those who possess it"
    -- William Pitt the Elder, 1770

  2. undermining the Tor system by Anonymous Coward · · Score: 5, Insightful

    If she is "one of Tor's core software developers" and she thinks she alone could "undermine the Tor system -- and expose Tor users around the world to potential spying", what does that tell us about Tor?

    Is she saying nobody checks code-submissions she makes?

    What exactly is she saying here?

    1. Re:undermining the Tor system by houstonbofh · · Score: 5, Insightful

      No, what she is saying is the FBI may believe she can which puts her in a very bad position. If she is successful she "undermine(s) the Tor system -- and expose(s) Tor users around the world to potential spying" and if she is not she is imprisoned for contempt of court. I can see why she left. I can also see why so many security professionals keep their passport current. Way to keep the USA in the forefront of security; scare them to Germany.

    2. Re:undermining the Tor system by 110010001000 · · Score: 1, Insightful

      How can she undermine Tor? Do the developers have some sort of "special access" to the Tor system? If so, then the system isn't secure.

    3. Re:undermining the Tor system by wonkey_monkey · · Score: 4, Insightful

      No, but they know more about it than most people, and thus are in a better position to break it. That, or the FBI may want to utilise her standing in the community to push through unfavourable code without too much scrutiny.

      --
      systemd is Roko's Basilisk.
    4. Re:undermining the Tor system by Anonymous Coward · · Score: 2, Insightful

      Of course they have special access - they write it. Yes, the source code is there to read and there are a whole team of developers, and if she tried to introduce a security-breaking bug it could be discovered, either straight away assuming there are commit reviews, or later on. But, especially if well crafted and obfuscated (see the Underhanded C Contest for examples), it could survive long enough for the feds to get what they want, and it could even be plausibly deniable that it was malicious anyway.

      So yes, if the feds put pressure on the developers of your favourite open source security software I'd be worried. And given that most projects have at least some US developers, I'd be worried anyway.

    5. Re:undermining the Tor system by Anonymous Coward · · Score: 3, Insightful

      Okay, sure, we get it, a brick is secure. Anything more complex is not. Can we move on now?

      Of course Tor can be compromised more easily by a developer. Do you regularly download new copies, compile from source, verify that the binaries match the source, and verify that the changelogs posted match the changes that you downloaded? No? Geez, it's like you don't want to check whether things are secure or not!

    6. Re:undermining the Tor system by TheGratefulNet · · Score: 3, Insightful

      no system is secure. why do you keep parroting that same thing over and over?

      (fingered, mate. fwiw)

      --
      "It is now safe to switch off your computer."
    7. Re:undermining the Tor system by Anonymous Coward · · Score: 2, Insightful

      There are many differences to you and me that melt away in the eyes of law enforcement. When you add secret courts, secret laws, Patriot Acts, NSLs, and other Gestapo-level shit into the mix, it starts getting dangerous. I wouldn't trust the FBI any farther than I could throw them.

    8. Re:undermining the Tor system by vel-ex-tech · · Score: 5, Insightful

      Yeah, keep following those etymologies like you found the true meaning of this or that magickal term, as if citing the true etymology of the word gives you some magickal power over those who would destroy liberty. Sir James George Frazer called. He wanted to ask you more about your system of magick for an updated edition of The Golden Bough.

      My memory isn't what it used to be, but wasn't it a subpoena that Apple fought for weeks and weeks not so long ago? A subpoena that attempted to coerce Apple into spending time and resources writing custom firmware?

      Maybe Lovecruft here didn't think she would be able to mount the same quality defense against such a subpoena as an international megacorp known for having a veritable money bin of wealth sitting around.

      I don't give a shit if it's called a subpoena or whatever the fuck that means in your system of magick. It's clear what the government is doing.

    9. Re:undermining the Tor system by c · · Score: 3, Insightful

      This might be relevant. Not a contributor to the core code base, but somewhat in the loop.

      Given the competence and professionalism shown by the FBI on this, I imagine their method for choosing a target was less about how important they are to the project and more about how accessible and vulnerable they are to law enforcement threats.

      --
      Log in or piss off.
    10. Re: undermining the Tor system by vux984 · · Score: 4, Insightful

      I was speaking in general to the notion that counting commits means anything; I don't know anything about her. And I certainly wouldn't get all pedantic about the term 'developer' as used in an article on the web; where everyone from a system architect, to the person who edits the content on the company intranet via CMS is routinely called a 'developer'.

      But fine, you've made me look... happy?

      https://www.torproject.org/abo...

      "Isis: Lead maintainer and developer on BridgeDB. Used to work on OONI."

      So where does that take us:
      https://bridges.torproject.org...

      "When using Tor with Tails in its default configuration, anyone who can observe the traffic of your Internet connection (for example your Internet Service Provider and perhaps your government and law enforcement agencies) can know that you are using Tor."

      "This may be an issue if you are in a country where the following applies:
      1. Using Tor is blocked by censorship [...]
      2. Using Tor is dangerous or considered suspicious: in this case starting Tails in its default configuration might get you into serious trouble. [...]

      "Tor bridges, also called Tor bridge relays, are alternative entry points to the Tor network that are not all listed publicly. Using a bridge makes it harder, but not impossible, for your Internet Service Provider to know that you are using Tor."

      isislovecruft #1: 1,619 commits, 130,599++ / 82,789--
      https://github.com/isislovecru...

      and
      https://ooni.torproject.org/

      "A free software, global observation network for detecting censorship, surveillance and traffic manipulation on the internet"

      isislovecruft #2 with 271 commits, 31,590++, 23,581 --
      https://github.com/TheTorProje...

      She removed ONE line of code (a double free). That is it. That isn't a core developer.

      That burning feeling in your cheeks... that's the shame. Assuming you are a decent human.

  3. You know... by MitchDev · · Score: 4, Insightful

    ..there was a time when people would think it was ridiculous to fear that the US would "I was worried they'd ask me to do something that hurts innocent people -- and prevent me from telling people it's happening,"...Shows how far America has fallen...

  4. What do they expect? by serviscope_minor · · Score: 5, Insightful

    If they act like untrustworthy douchebags, then surprise surprise people don't trust them even when they're working on a legitimate investigation. Naturally because they insist on acting like untrustworthy douchebags, no one even has any idea if it is legitimate.

    Well done, FBI, you're your own worst enemy.

    --
    SJW n. One who posts facts.
  5. WWII by fishscene · · Score: 2, Insightful

    How many thousands of people gave their lives in World War 2 so that we could have the freedom to escape the U.S. government and flee to Germany? I'm surprised we haven't felt the earthquake from all the bodies rolling in their graves. :(

  6. Unit tests, read by 1-3 others (not line-by-line) by raymorris · · Score: 4, Insightful

    I don't work on Tor specifically. In the important / well organized open source software I've been involved with, submissions are typically read by 1-3 other people, and there are unit tests and/or regression tests.

    When I say the code is "read", I mean the same way you might read this post. You aren't looking at individual letters and words, you're reading sentences and paragraphs. You could easily overlook typos (but you might catch some typos too).

    Often the unit tests aren't 100% thorough. Especially, they tend to cover the expected/correct case. If the code is supposed to send an MMS message, it is tested that entering a phone number and a message causes the message to be sent. Often untested is what happens if instead of a phone number some injection code is entered. What happens if the message is millions of characters long? If the disk is full or the network is unavailable what happens?

    > Is inserting code the only way someone on the inside can undermine TOR?

    There are several other ways. In systems intended to be secure, flaws in the design create problems just like flaws in the implementation can. Someone could undermine Tor by suggesting a feature that seems useful and good.

    Policy decisions matter for security - when you download the tor client, how do you know you're not getting a trojaned copy? That's based on how the Tor project operates, separate from any code submitted.

    Somebody has the tor.org TLS key. If a sophisticated attacker had the tor.org key, they could impersonate tor.org and cause a target to download a trojaned copy of the tor client. Even if the target checked the hash of the download, they would probably get the hash from tor.org, which is really the attacker. If I thought about it for more than 60 seconds, I could probably think of some more ideas.
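
Added example, not part of the comment above and not Tor Project code: a small model of why a hash fetched from the same origin as the download does not detect an impersonated origin, while a digest obtained through an independent channel does. The file name, the payload bytes and the `origin` dictionaries are constructed for illustration.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sha256sums(text: str) -> dict:
    """Parse 'HEXDIGEST  filename' lines (sha256sum output format)."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def verify_same_origin(origin: dict, name: str) -> bool:
    """Weak: the reference digest is fetched from the same origin as the file."""
    expected = parse_sha256sums(origin["sha256sums.txt"].decode()).get(name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(origin[name]))

def verify_pinned(origin: dict, name: str, pinned: dict) -> bool:
    """Stronger: the reference digest came through a channel the origin does not control."""
    expected = pinned.get(name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(origin[name]))

def make_origin(payload: bytes, name: str) -> dict:
    """Constructed stand-in for everything one web origin serves."""
    listing = f"{sha256_hex(payload)}  {name}\n".encode()
    return {name: payload, "sha256sums.txt": listing}

NAME = "client.tar.gz"  # hypothetical file name
genuine = make_origin(b"genuine release bytes (constructed)", NAME)
# Digest recorded earlier over an independent channel (constructed value).
PINNED = {NAME: sha256_hex(genuine[NAME])}
# Whoever can impersonate the origin replaces the file AND the listing together.
impersonated = make_origin(b"modified release bytes (constructed)", NAME)

def results() -> dict:
    return {
        "genuine_same_origin": verify_same_origin(genuine, NAME),
        "genuine_pinned": verify_pinned(genuine, NAME, PINNED),
        "impersonated_same_origin": verify_same_origin(impersonated, NAME),
        "impersonated_pinned": verify_pinned(impersonated, NAME, PINNED),
    }

if __name__ == "__main__":
    for check, ok in results().items():
        print(f"{check}: {'accepted' if ok else 'rejected'}")
```

The same-origin check accepts the impersonated download because file and listing were replaced together; only the pinned digest rejects it.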

  7. Re:Game over, the Land of the Free by dcollins117 · · Score: 5, Insightful

    People around here think the words "the land of the free and the home of the brave" signify some deeply held core American values, but they are really just lyrics to a song. The phrase first appeared in a poem written in 1814 by Francis Scott Key which was later set to a British tune called "To Anacreon in Heaven" and renamed "The Star-Spangled Banner" which as you know was eventually adopted as the national Anthem.

    My point is that they are just song lyrics, and while pleasing and patriotic they are really no more meaningful or insightful than Frank Zappa's "Watch out where the huskies go, and don't you eat that yellow snow."

  8. Re:There is no Subpoena by PPH · · Score: 4, Insightful

    same thing as a judicial subpoena.

    It's worse. You have no legal recourse. Once the FBI 'talks' to you, they can include a gag order and you can't discuss the particulars of the conversation with anyone. Just like an NSL.

    --
    Have gnu, will travel.
  9. Re: Game over, the Land of the Free by Anonymous Coward · · Score: 4, Insightful

    I forgot that songs and poems don't mean anything... We aren't talking about "Shake it off" here, the song may just be a song but it is written based on events and principles that are values that Americans used to believe in. To say that lyrics are meaningless devalues the whole art of music.

  10. Re:Game over, the Land of the Free by Anonymous Coward · · Score: 4, Insightful

    People around here think the words "the land of the free and the home of the brave" signify some deeply held core American values, but they are really just lyrics to a song.

    People around here think the Constitution signifies some deeply held core American values, but it's just words on a piece of parchment for the CIA to wipe its ass with.

    That's not really the question. The question is whether this state is the best we should aim for. Laws, declarations and anthems, while just being words or sequences of glyphs and phonemes, are tools for projecting and promoting a vision for improvement and coexistence.

    So you say that the American People have given up on ideals as anything meaningful. That's certainly a plausible view of the evidence.

  11. Re:signs of a guilty conscience by geekgirlandrea · · Score: 3, Insightful

    Her actions are the actions of someone who quite rationally fears 'just talking' to people who might return armed and bearing a warrant if rebuffed. In a world where the POTUS bombs wedding parties with flying robots and cracks jokes about it, if you aren't a criminal you aren't doing enough.