Slashdot Mirror
New 'Hardened' Tor Browser Protects Users From FBI Hacking (vice.com)
An anonymous reader quotes an article from Motherboard: According to a new paper, security researchers are now working closely with the Tor Project to create a "hardened" version of the Tor Browser, implementing new anti-hacking techniques which could dramatically improve the anonymity of users and further frustrate the efforts of law enforcement...
"Our solution significantly improves security over standard address space layout randomization (ASLR) techniques currently used by Firefox and other mainstream browsers," the researchers write in their paper, whose findings will be presented in July at the Privacy Enhancing Technologies Symposium in Darmstadt, Germany.
The researchers say Tor is currently field-testing their solution for an upcoming "hardened" release, making it harder for agencies like the FBI to crack the browser's security, according to Motherboard. "[W]hile that defensive advantage may not last for too long, it shows that some in the academic research community are still intent on patching the holes that their peers are helping government hackers exploit."
"Our solution significantly improves security over standard address space layout randomization (ASLR) techniques currently used by Firefox and other mainstream browsers," the researchers write in their paper, whose findings will be presented in July at the Privacy Enhancing Technologies Symposium in Darmstadt, Germany.
The researchers say Tor is currently field-testing their solution for an upcoming "hardened" release, making it harder for agencies like the FBI to crack the browser's security, according to Motherboard. "[W]hile that defensive advantage may not last for too long, it shows that some in the academic research community are still intent on patching the holes that their peers are helping government hackers exploit."
So, to recap, the government-paid researchers are fighting the efforts of government-paid hackers to make the tool, that the government paid to create as a secure one, less so.
Whichever side wins, we, the taxpayers lose...
You have multiple countries with teams of very smart people working to crack everything crackable that protects privacy--because what allows private communication necessarily allows evasion of monitoring.
Of course, there are a lot of kinds of monitoring. Most obvious categories include:
1. Good purposes (attacking and/or defending against terrorists/child pornographers/organized crime/repressive regimes; tracking and blocking malware and other electronic attacks; etc...).
2. Middle-ground purposes (arguably ends-justify-the-means-behavior like violating some civil liberties while hunting white-collar criminals, child support nonpayment grey market income, doing propaganda against people in group #1).
3. Bad purposes (hunting political opposition, tracking and classifying people based on their political opinions or other things that should be prevented by freedom of speech, finding dirt for blackmail, gathering evidence of and prosecuting someone for common civil ordinance violations and petty crimes in a way which chills and stifles free speech and gives the monitoring agency unfettered power, etc...)
Real lawyers write in C++
Yeah, that pretty much sums it up.
Why, is that a problem?
See, these government guys are different from those government guys, who have an entirely different agenda from that government branch, because it's really coming from the authority of this government office, rather than that government office, and has an entirely different chain of command with entirely different officials from an entirely different Congressional committee.
Nobody wakes up in the morning and says "Today, I'm going to oppress my fellow citizens and make their lives worse!". Instead, all the government employees work toward the common goal of "advance America's interests", according to their specific areas of expertise. One group says build a thing because it helps America, and another group says to break it because it helps America's enemies.
Apart from paranoia, there is no reason to believe that either side isn't doing their best. If you trust that the Tor researchers (stemming from DARPA and the U.S. Navy) could possibly create a secure network, and trust that the Tor project could possibly create a secure browser, then you can trust that this browser is secure. That the government who funded it is now also trying to break it has little effect on how trustworthy the software itself actually is.
You do not have a moral or legal right to do absolutely anything you want.
Bullshit.
See COINTELPRO - https://en.wikipedia.org/wiki/...
Another day closer to redwood heaven
Man, Slashdot has gone downhill ever since the GNAA freed Natalie Portman from her petrification in grits.
Fucking Lunix losers.
Well yeah I agree with you that the impression that TOR is mainly used to commit crimes is bad, but the paper has mentioned the FBI hacking in its introduction.
The technique they use is in fact per-function ASLR, and probably the places it can be used are as vast as for ASLR. Its not just limited to TBB or Firefox.
It'll surely severely limit the ability of doing ROP (return oriented programming), a very popular exploit technique.
That is actually very simple. Runtime is 100% read only except for user area for data and nothing can be executed from there. impossible to backdoor.
Updates must be out of band and done after a power cycle and booting into a "admin mode" that has no connectivity. If the installer shows it's clean and unmolested, allow it to run. It will severely limit the ability to be backdoored in any way if it requires a physical ower down and reboot into a protected mode for installs and updates.
Do not look at laser with remaining good eye.