Forgot your password?
typodupeerror
Encryption Government Privacy The Internet

NSA Agents Leak Tor Bugs To Developers 116

Posted by Soulskill
from the right-hand-thinks-the-left-hand-is-a-jerk dept.
An anonymous reader writes: We've known for a while that NSA specifically targets Tor, because they want to disrupt one of the last remaining communication methods they aren't able to tap or demand access to. However, not everybody at the NSA is on board with this strategy. Tor developer Andrew Lewman says even as flaws in Tor are rooted out by the NSA and British counterpart GCHQ, other agents from the two organizations leak those flaws directly to the developers, so they can be fixed quickly. He said, "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software." Lewman estimates the Tor Project receives these reports on a monthly basis. He also spoke about how a growing amount of users will affect Tor. He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.
This discussion has been archived. No new comments can be posted.

NSA Agents Leak Tor Bugs To Developers

Comments Filter:
  • by coldBeer (697138) on Friday August 22, 2014 @09:32AM (#47728589)
    When the NSA is plugging holes for you...
    • by Anonymous Coward

      Because that would be like trusting the fox to the hen house.

    • by Bill, Shooter of Bul (629286) on Friday August 22, 2014 @05:56PM (#47733269) Journal

      Cause the NSA ain't providing code, bandwidth, or servers to scale the system to millions of users. Google and Facebook have the knowledge and resources to actually do it, if they want.

      But yeah, its a pretty dumb hope. They don't want you to have any anonymity as it is.

      I think it would be cool if some one were to design a cryptocurrency wherein the proof of work was somehow related to the number of connections proxies. So mining would actually be providing anonymity to those who needed it and their would be an incentive to provide service. However that trick of providing indisputable proof of work, while not reveling the traffic or inbound/outbound connections might be a bit tricky to get right.

    • by Burz (138833)

      Of course, it won't work.

      OTOH, Skype and Bittorrent had successful models for scaling up: People were configured by default to add their bandwidth to the pool. In bittorrent's case, your throughput suffered if you were stingy about contributing.

      I2P is probably the closest networking layer [geti2p.net] there is to combining the goals of Tor with the methods of Skype and bittorrent. It is both highly decentralized and onion-like, and has been steadily improving for well over a decade now. If you happen to have a TAILS dis

  • by JeffOwl (2858633) on Friday August 22, 2014 @09:38AM (#47728629)

    He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

    If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

    • by geekmux (1040042) on Friday August 22, 2014 @09:50AM (#47728721)

      He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

      If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

      "Here's some bugs we've fixed for you guys. Trust us."

      Oh yeah, because the current debug team we can trust so much...

      • It's a matter of your history. Who'd you trust your child to? A babysitter who spent hundreds of hours and has hundreds of people vouching for her or that scary looking hobo at the corner? Who'd you trust your privacy with? An organization who has a record of defending people's freedom or a corporation who has a record of selling every kind of information they can get their fingers on?

      • Seriously I'm all for conspiracy FUD, but this seems legit. Who says everyone is in agreement on the same team? It's project where the code is visible to be scrutinized. This means that whoever is submitting back code is submitting good bug fixes. TOR developers aren't morons.

        • by gwolf (26339)

          I happen to know a highly skilled person working as a security analist. He says his main customer for 0days is the NSA – But this friend has an independent mind and concience (he is not a NSA person, just an outside contractor). I know for a fact he also has worked voluntarily to make the world a better place (i.e. with the "good guys").
          I guess my friend is not the only such analyst. If people like him can sell their work and (in full or in part) leak part of his findings to the underground, privacy-m

          • For reference, see Manning and Snowden.

          • I happen to know a highly skilled person working as a security analist. He says his main customer for 0days is the NSA.......

            Golly someone connected directly to gwolf has now been outed.
            Unless you are Kim Kardashian with 23 million followers a zero
            level direct connection might well be an individual name.

            Further with 23 million followers for Kim; 600,000 for Robert Scoble;
            83,000 for /. ; 42 million for B. Obama.... we are all connected within three
            or so degrees of K Bacon

            • by gwolf (26339)

              I'm not a social media person, so no, it's neither somebody I follow or somebody followed by me.

              I know more than a few people working on security.

              And... Yes, I am outing somebody. Somebody who's well known for his activities already, as well as for his skills. And who has never hid them.

          • by ron_ivi (607351)

            No surprises here.

            It'd make perfect sense if NSA submits bug reports to Tor for vulnerabilities it knows its competitors are using; while at the same time keeping quiet about the ones it uses itself.

      • He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

        If one of those guys gets their hands on it you can forget about using it to hide anything from the government.

        "Here's some bugs we've fixed for you guys. Trust us."

        Oh yeah, because the current debug team we can trust so much...

        There are two parts..
        * Here is the bug.
        * Here is a bug fix.

        The first has a lot of value in an open source community.
        The second if taken with blind faith is a potential disaster.

        As a pair the time window for attack can be reduced.

        Gifts from the NSA are an interesting thing... Some might be triggered
        because they have evidence that others have knowledge of the
        flaw and are exploiting it. As the need for human intelligence
        grows the need for secure communication increa

    • by LordLimecat (1103839) on Friday August 22, 2014 @10:00AM (#47728791)

      Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government? Or that they cooperate with the EFF, and run ChillingEffects to make people aware of draconian DMCA takedowns?

      Everyone's so eager to lynch the one big corporate ally that OSS / privacy advocates have.

      • by linearZ (710002)

        Google, Facebook, and the NSA government are nothing more than competing Panopticons. They all want as much of your personal information as they can collect, and they all want to keep it as long as they can.

        If one of these organizations is legally battling the other, then you can be sure it is because they feel they should more of your data than the other, not because of a moral imperative.

        • Yes, it's either google or the atnt/bell crew (phone, cable, and ISP corps et all)

        • by Krishnoid (984597)

          Google, Facebook, and the NSA government are nothing more than competing Panopticons.

          Google provides me with free, high-ish-ly-available:

          • spam-culled email with high-performance web/IMAP access
          • online calendar with shareable events
          • online Office-lite document editing and collaboration
          • phone/text forwarding with online voicemail access and transcription
          • photo management application and storage
          • maps
          • search

          as well as sync of all of these with tablets and smartphones for no extra cost. So I'm getting something more from Google than the rest.

          • by drcagn (715012)

            Are you really this dense? Why do you think they provide you with these things *for free*? Out of the kindness of their hearts?

            They provide all of those things to you so they can mine the data from it.

      • by cshotton (46965) on Friday August 22, 2014 @10:23AM (#47728993) Homepage

        It would be naive at best to think that Google is the "one big corporate ally that OSS" has. If you want to try and hang that badge on a single company, it's probably IBM. And regardless of the value and quantity of OSS contributions and support, definitely don't make the mistake of thinking that "Google" and "privacy" belong in the same sentence unless it has "doesn't do much to ensure" between those 2 words.

        • by iMySti (863056)
          Privacy doesn't do much to ensure Google.

          Hey, it works both ways!
        • It would be naive at best to think that Google is the "one big corporate ally that OSS" has. If you want to try and hang that badge on a single company, it's probably IBM.

          Erm, IBM is like a prostitute or a mercenary, no real principles concerning the situation at hand (so to speak). Google appears to make decisions based on principles and reality. How well Google follows those principles is a matter for debate.

      • by houghi (78078)

        Nowadays it isn't the Chinese governement you need to worry about.

        The issue is that if you rely on companies for your freedom, it is the companies that will get that freedom.

      • Are you aware that Google is one of the last big internet guys who refuses to cooperate with the Chinese government?

        What are you talking about? Google pretty much capitulated to the Chinese government on all fronts a couple years ago.

        Do some DuckDuckGo'ing if you don't believe me. I'd suggest not searching for this using Google, since using that engine for this seems to bury some of the less favorable stories - the ones at the top are the ones that use language refer to Google "reluctantly" giving in.

        But in any case there have been multiple instances over the past several years where Google has made noise about standing

        • Google pretty much capitulated to the Chinese government on all fronts a couple years ago.

          In 2006, yes (as did Yahoo and Microsoft, a few years earlier). As of 2009, the relationship between the two has become highly antagonistic, with Google refusing to cooperate, and actively undermining the GFW / censorship net in many cases.

          Thats why you cant actually visit google.com in China from the mainland these days.

    • by mlts (1038732) on Friday August 22, 2014 @10:35AM (#47729149)

      Tor needs a PR boost if that ever is going to happen. As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application, because of abuse.

      No big company is ever going to touch Tor as it stands right now, because of its reputation as a service for criminals (q.q.v. Four Horsemen of the Infocalypse.)

      • As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application

        And there's plenty of reasons to do so. There's a reason that companies have firewalls that block outgoing connections as well as incoming. Or would you rather they allowed traffic from anonymous internet sources to route through their networks?

        Home users are a different story, but I don't see why most corps would want to allow TOR. They have enough i

      • by laffer1 (701823)

        It's not just about companies. I haven't used Tor despite my interest in the project because I don't think a court would understand if illegal traffic came from my home internet connection despite me running Tor. Most courts hold the account holder responsible for traffic on their network.

      • by Rich0 (548339)

        As it stands right now, it is SOP for an admin to block all exit nodes at the incoming router, the IP stack on the machine, the web server, and the application, because of abuse.

        If only. It seems to be SOP to block relay nodes as well. I run one, which does not allow exits, and I run into lots of sites that block me. Must be fun for whoever gets my dynamic IP next.

    • He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

      So that they can punch as many holes as they want in a heavily "scaled" unmaintainable code base

      -----------
      emesis

    • If that happens, then everyone who needs to go on swapping terrorist plans or child porn images will move to some new shaky little service. IP over carrier pigeons? Stegged vacation snapshots? Direct-beamed lasers? Lather, rinse, repeat.

  • by Cornwallis (1188489) on Friday August 22, 2014 @09:39AM (#47728639)

    "Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users as they sell the traversing information to the NSA."

  • Beware of Greeks bearing gifts....

    • by Kjella (173770) on Friday August 22, 2014 @09:45AM (#47728689) Homepage

      Beware of Greeks bearing gifts....

      Shouldn't that be "Beware of geeks bearing gifts...." in this case?

    • by 93 Escort Wagon (326346) on Friday August 22, 2014 @02:24PM (#47731579)

      Beware of Greeks bearing gifts....

      Remember, the NSA is the group that originally gave us Tor. If I was one of the original developers, and I took pride in my work - it is likely I would continue to help the project improve, even if my employer had changed focus.

      Also, remember that the NSA is not just one huge monolithic group with only one task on their plate. I find it easy to believe that some folks there question the wisdom of attempting to cripple security (such as they seem to have done with the elliptic curve ciphers). Plus code breakers and cryptographers are, in general, going to be working at cross purposes - it's the nature of their jobs.

      • Beware of Greeks bearing gifts....

        Remember, the NSA is the group that originally gave us Tor.

        Incorrect. Onion routing was originally created at the U.S. Naval Research Lab as a way to provide independent, real-time, and bi-directional anonymous connections that are resistant to both eavesdropping and traffic analysis. Tor is the 3rd design of said project, which was originally started in 1996.

        I have no idea when the NSA started using onion routing, but I know for a fact that they did not create it.

  • "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software."

    Come on... NSA undoubtedly has highly developed automated tools for identifying flaws source code, or at least rating the probability of a flaw existing within any section of code so that analysts can focus t

    • by TWX (665546)
      Sounds like we need them to go through the Linux Kernel, all of the communications daemons and applications, and the web browsers, and the problems with these could be solved in a few weeks!
      • by mlts (1038732) on Friday August 22, 2014 @10:41AM (#47729201)

        SELinux is a good stab at that. While not 100%, it has helped ensure that a program that manages to get a root context still doesn't have full superuser reign over the system. It isn't simple, but it does a good job at security over previous tools like SUID wrappers.

        I wouldn't mind a code review of web browsers and browser add-ons, as those are the first points of contact and generally a primary vehicle for malware to get a foothold.

  • Another Angle (Score:5, Insightful)

    by Talderas (1212466) on Friday August 22, 2014 @09:54AM (#47728753)

    Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

    • Re: (Score:2, Funny)

      by Anonymous Coward

      They probably found tachyons or some shit, knowing them.

      Who needs to give a damn about exploiting Tor when you can see the damned future?!

    • Re:Another Angle (Score:5, Interesting)

      by jandrese (485) <kensama@vt.edu> on Friday August 22, 2014 @10:31AM (#47729085) Homepage Journal
      It's also possible that the NSA is fixing bugs in TOR because their own agents use it for its original purpose.
      • Who the hell would the NSA hide their traffic from? If there's anyone able to snoop on the spooks, I bet a few "touch and burn your hand" laws should take care of that.

        • by Anonymous Coward

          Who the hell would the NSA hide their traffic from? If there's anyone able to snoop on the spooks, I bet a few "touch and burn your hand" laws should take care of that.

          If you think that the Chinese secret service cannot spy on the NSA, then I have this bridge I want to sell you.

        • Despite all their Orwellian, unconstitutional acts of treason against the American public, I'm sure the NSA is also still continuing to perform counterintelligence against foreign threats (e.g. the Chinese) like they're supposed to.

    • by AHuxley (892839)
      It depends on the US or UK mission. If the US gov wants to support some NGO doing a Colour revolution http://en.wikipedia.org/wiki/C... [wikipedia.org] then the communications and support has to work well over years.
      For every other use of online anonymity the US and UK would like to have a way in as now understood with most of the tame telco and banking crypto over decades.
      e.g. NSA surveillance: A guide to staying secure http://www.theguardian.com/wor... [theguardian.com] (6 September 2013)
      the classic line "... have invested in enormo
    • Isn't TOR partially funded by the government? And also used by government agents? It would be really awkward if one of the "let's overthow this government that America doesn't like" movements hidden by TOR traced back to government agents.

    • by tlhIngan (30335)

      Am I alone in thinking that the NSA doesn't really care about exploiting flaws in TOR but rather is more interested in encouraging its use because they've exploited something else?

      I think the NSA encourages TOR use, to be honest - they used to, or still run, one of the largest set of exit nodes, for the sole purpose of monitoring traffic. (Most Tor users don't really care about the private tor stuff, they just want their "anonymous facebook" and "anonymous G+" without gubmint spying)

      I mean, unless one keeps

  • by macromorgan (2020426) on Friday August 22, 2014 @09:55AM (#47728761)
    While I love and appreciate Tor as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places Tor. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the Tor network expands the list of exit nodes remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.
    • by mspohr (589790)

      Most companies with half a brain have figured out how to block "comment spam".
      (I'll give you one free clue: Blocking TOR has nothing to do with it.)

    • by WhoBeI (3642741)
      If you are using a well know framework for your site there might already be support for comment spam management. It's not always free as some of them are basically interfaces for a paid service but it may still be worth a look. They would block comment spam in general instead of focusing on comments from a specific set of nodes.

      https://www.drupal.org/node/20... [drupal.org]
      http://wordpress.org/plugins/s... [wordpress.org]
    • While I love and appreciate IPV6 as a means to remain anonymous online, I work for a company that's the victim of quite a bit of "comment" spam hailing from among other places IPV6. The spam ranges from individual businesses promoting themselves for their own benefit under false pretenses, all the way to professional spammers gaming the system (mostly locksmiths). I hope if the IPV6 network expands the list of proxies remains maintained so I can continue to blacklist content from those sources... it's heavy handed but beats swimming in spam.

      FTFY.

      In both cases, we're shooting the messenger. And yes, I regularly see IPV6 proxies being blocked, probably for these reasons.

  • OPSEC (Score:5, Insightful)

    by Noryungi (70322) on Friday August 22, 2014 @09:58AM (#47728783) Homepage Journal

    If you are a Tor programmer, and if there are really NSA/GCHQ insiders who actually help you to correct bugs... For Pete sake, just keep quiet about it!!!

    Now, both agencies will have to initiate a mole-hunting operation, and you will lose these valuable insiders!

    On the other hand, it may paralyze these agencies for months, maybe even years, while they try to figure out who has been leaking invaluable bug information back to the Tor project.

    So it might be a wash. Either way, it also probably means that people inside the Puzzle Palace and the Donut are beginning to realize that enough is enough, so that is also encouraging.

    • Nah this is just Sony Electronics wanting to leverage their entertainment holdings to sell TVs and PLayers with proprietaty formats while Sony Entertainment wants to maximize sales. Or maybe I got it backward. Anyhow lots of diversified companies have internal conflicts. The IBM PC which uses all non-IBM parts was not made by the primary Computer division at IBM. Samsung also has internal competition with conflicting objectives,

    • Re:OPSEC (Score:5, Interesting)

      by Joe Gillian (3683399) on Friday August 22, 2014 @10:15AM (#47728907)

      I don't think that these bug reports that the NSA is making are actually leaks. My theory is that these exploits have already been used by the NSA, and are believed to be at the end of their useful life cycle (ie; the NSA suspects that someone else has found the bug and may report it) so they go ahead and report it - it boosts the NSA's image because they're supposedly reporting zero-days, but in reality they're just getting rid of what they don't need anymore.

      • If you RTFA you'll see that Lewman has zero evidence for this assertion. The headline paints it as a statement of fact but in reality all Lewman knows is there are people who appear to be reading the source code and reporting bugs anonymously. That's it. They could be NSA/GCHQ moles. Or, more likely, they could be anonymity fans who like security audit work. They really have no idea.

        • by phorm (591458)

          Indeed, it could be people who are using TOR but don't want to end up on an NSA watch-list because they have in-depth knowledge of a tool that's probably not well-received by the NSA...

      • Do you think it's possible that they are also ferreting out the paths an actual mole's information would go through?

        However, I think what you say is NOT the reason, because it would mean that the NSA was a crafty and well run organization, with intelligent (yet evil) people at the top, and loyal workers doing their bidding.

        An underling wouldn't just DECIDE to reveal this information if they were loyal. And someone at the top would have to be clever and understand a bit of tech to make the order.

        What history

    • You just gave me a great idea. Why not simply spoof such "leaks" and send the spooks on a wild goose chase?

    • To me it means there are two possibilities;

      1) The White Hats are being brazen because they know that the political appointees are not savvy enough to turn them in.

      2) The White Hats are foolish, because looking at the type of exploits in Tor revealed would quickly narrow the list of mole suspects.

      I seriously doubt #2 is the answer based on the type of person who would find these bugs. So it gives me hope that the "Geeks" are a separate class from the "Suits" and the suits as usual are arrogant political appo

    • by wmansir (566746)

      On the other hand if you're a Tor developer interested in disrupting the NSA unit assigned to hack your system why not just say you receive regular leaks from the NSA unit assigned to hack your system.

  • Guess what departments are going to have to redo their lifestyle polygraphs now!
  • by Andy Dodd (701) <atd7@co[ ]ll.edu ['rne' in gap]> on Friday August 22, 2014 @10:09AM (#47728877) Homepage

    The NSA has two directives that often conflict with each other:
    1) Protect communications that are critical to our nation's security. This is mostly military/government comms, but they have a role in securing banking and other civilian networks. An example of what comes from this side of the NSA is SELinux - which is now heavily used by Android to provide additional security against malware.
    2) Compromise and monitor the communications of our enemies. These guys overstepping their bounds are what has been routinely making the news lately.

    While I can't see an obvious reason for the guys in category 1 to want to strengthen Tor, it's possible. (Potentially on behalf of another agency... Think in terms of Tor's use by Chinese dissidents.)

    I'm fairly certain the people in categories 1 and 2 don't get along with each other. While in theory their goals should not conflict (one focuses on our enemies, one focuses on strengthening friendlies), the truth is that it's hard for the guys in category 1 to strengthen friends without also making those tools available to our enemies - and the guys in category 2 are routinely overstepping their bounds and attacking friendlies.

    • by qbast (1265706)
      And to make it even worse - 'friendly' and 'enemy' categories frequently overlap.
    • by PPH (736903)
      "We have met the enemy and he is us." -- Walt Kelly
    • Are you sure those are (the) two official NSA directives? They almost can't be, for 2. can entirely be seen as a subset of 1.

      Other than that, they (or you?) have a very loose way of using 'our' in 'our nation's security' and 'our enemies'. Do you, personally, consider yourself among 'our' as used here? Not to be personal -- but I am almost certain they do not count you among the 'our'; you see, the NSA's true objective is to protect those of ultimate wealth and power in the US against those without weal

  • by Jodka (520060) on Friday August 22, 2014 @10:22AM (#47728987)

    Tor developer Andrew Lewman says... agents from [NSA and GCHQ ] leak flaws directly to the developers, so they can be fixed quickly.

    Why announce that publicly? The NSA and GCHQ will now attempt to to shut down the leaks and arrest the leakers. Even if they fail, it is certain to scare the leakers and make leaking more difficult.

    "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source....

    Why give those agencies clues to help them figure out who are the leakers?

       

    • by AHuxley (892839)
      Dual missions and attracting the next generations to gov, mil work and onion routing.
      From collect it all reality to 'help' spread democracy branding.
      If US backed dissidents face a new range of telco tools that are just been sold to govs, better to help developers stay one step ahead.
      If a new range of telco tools used by the US govs to collect it all are just been upgraded, better to give developers some busy work for a few years.
      Both options need clean social engineering access to real people to shape s
  • I've heard that Tor was initiated by three-letter government agencies in the first place, and that the last thing they want to do is shut it down or ruin the anonymity it gives it's users, because they're using it in their own operations to start with. Compromising it would inevitably lead to their own enemies getting their hands on the exploits, and ultimately on their own operatives, so why wouldn't they have a covert program of improving the overall security of Tor? Now, on the other hand, I wouldn't at
    • NSA doesn't give a rip. Their job is to get into Tor. If they find out military or CIA secrets it is not a problem because they are on the same side. Ideally, they'd find exploits or put them in and patch it for the military's client only... but their primary goal is to get themselves in, secondary goal is to help the other agencies (so they are not going to publicly give Tor patches... or if they do decide that is more important, do you think they would be public about it? I would think they would purpo

    • If by "three-letter government agencies" you mean the USN, specifically the Office of Naval Research, then you're correct. But most people in the US call the USN "the Navy", so there are some extra letters.
  • Doesn't this make peoples PC open and vulnerable to viruses/malware and are they not also one of the bad guys, making me have to pay a yearly fee to my antivirus provider? Can we sue the NSA for part of what we have been paying all theses years for viruses THEY released??
  • ... to make Tor a mainstream app. What percentage of potential users actually use Tor?

    It's not in the billions.

    If NSA could make Tor viral, how cool would that be?

  • "He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users."
    What the hell? Then he doesn't know how Tor works. If a large entity controls a ton of the entry and exit nodes, they can traffic match and identify users. The LAST thing we need is a giant entity ruining it by adding millions of servers.
  • not everyone who works for the NSA is a douchebag.

    I'm sure most of them still are, but this is encouraging nonetheless.

"Don't discount flying pigs before you have good air defense." -- jvh@clinet.FI

Working...