
Developer Of Anonymous Tor Software Dodges FBI, Leaves US (cnn.com) 323

An anonymous reader quotes a report from CNN: FBI agents are currently trying to subpoena one of Tor's core software developers to testify in a criminal hacking investigation, CNNMoney has learned. But the developer, who goes by the name Isis Agora Lovecruft, fears that federal agents will coerce her to undermine the Tor system -- and expose Tor users around the world to potential spying. That's why, when FBI agents approached her and her family over Thanksgiving break last year, she immediately packed her suitcase and left the United States for Germany. "I was worried they'd ask me to do something that hurts innocent people -- and prevent me from telling people it's happening," she said in an exclusive interview with CNNMoney. Earlier in the month, Tech Dirt reported the Department of Homeland Security wants to subpoena the site over the identity of a hyperbolic commenter.
  • Power corrupts... (Score:5, Insightful)

    by boa ( 96754 ) on Wednesday May 18, 2016 @08:03AM (#52134035)

    "Unlimited power is apt to corrupt the minds of those who possess it"
    -- William Pitt the Elder, 1770

  • Hyperbolic (Score:2, Funny)

    by Anonymous Coward

    Tech Dirt reported the Department of Homeland Security wants to subpoena the site over the identity of a hyperbolic commenter.

    What a bunch of NAZIs!

    I mean, here's some poor bastard who wants to talk about geometry, calculus and math, and those fucking NAZIs at the DHS want him?!

    Talk about an anti-science society!

  • by Anonymous Coward on Wednesday May 18, 2016 @08:10AM (#52134071)

    If she is "one of Tor's core software developers" and she thinks she alone could "undermine the Tor system -- and expose Tor users around the world to potential spying", what does that tell us about Tor?

    Is she saying nobody checks code-submissions she makes?

    What exactly is she saying here?

    • by houstonbofh ( 602064 ) on Wednesday May 18, 2016 @08:18AM (#52134141)
      No, what she is saying is the FBI may believe she can, which puts her in a very bad position. If she is successful she "undermine(s) the Tor system -- and expose(s) Tor users around the world to potential spying" and if she is not she is imprisoned for contempt of court. I can see why she left. I can also see why so many security professionals keep their passport current. Way to keep the USA in the forefront of security; scare them to Germany.
      • Re: (Score:2, Insightful)

        How can she undermine Tor? Do the developers have some sort of "special access" to the Tor system? If so, then the system isn't secure.
        • by wonkey_monkey ( 2592601 ) on Wednesday May 18, 2016 @08:36AM (#52134295) Homepage

          No, but they know more about it than most people, and thus are in a better position to break it. That, or the FBI may want to utilise her standing in the community to push through unfavourable code without too much scrutiny.

          • If people can make commits to Tor without too much scrutiny then the system isn't secure.
            • by TheGratefulNet ( 143330 ) on Wednesday May 18, 2016 @08:57AM (#52134439)

              no system is secure. why do you keep parroting that same thing over and over?

              (fingered, mate. fwiw)

              • I'm just responding to posts. I know no system is 100% secure, but some are more secure than others.
          • or the FBI have already cracked the current version of Tor and want to spread some FUD around to slow down any updates and/or convince people that newer versions of Tor are unsafe and they should keep using the current version. Don't underestimate the level of douchebaggery you're dealing with here.
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Of course they have special access - they write it. Yes, the source code is there to read and there is a whole team of developers, and if she tried to introduce a security-breaking bug it could be discovered, either straight away assuming there are commit reviews, or later on. But, especially if well crafted and obfuscated (see the Underhanded C Contest for examples), it could survive long enough for the feds to get what they want, and it could even be plausibly deniable that it was malicious anyway.

          So yes

          • Well if they have special access to the running Tor network and they can slip in obfuscated flaws then the system isn't secure.
            • Re: (Score:3, Insightful)

              by Anonymous Coward

              Okay, sure, we get it, a brick is secure. Anything more complex is not. Can we move on now?

              Of course Tor can be compromised more easily by a developer. Do you regularly download new copies, compile from source, verify that the binaries match the source, and verify that the changelogs posted match the changes that you downloaded? No? Geez, it's like you don't want to check whether things are secure or not!

              • by mrchaotica ( 681592 ) * on Wednesday May 18, 2016 @08:59AM (#52134455)

                Do you regularly download new copies, compile from source, verify that the binaries match the source, and verify that the changelogs posted match the changes that you downloaded? No? Geez, it's like you don't want to check whether things are secure or not!

                And then cross-compile again on several heterogeneous architectures (including at least one very old one) and verify that all the output matches, in order to avoid the Ken Thompson hack? And did you do all this for every single piece of code running on the machine, including things like the hard drive firmware and CPU microcode?

                • But the thing is that outfits like the NSA (because, let's face it, all the FBI has to do to search or hack into your machine or wifi network, is get a rubber-stamped warrant)--who don't need a warrant and go after very hard to infiltrate targets, rely on very obscure and hard to reproduce vulnerabilities in hardware or software, that only they know about, and then very cleverly exploit those vulnerabilities to pwn the system.

                  And then if that doesn't work, they get their friends at the CIA to exploit the 3

                  • They don't need obscure vulnerabilities. There are tons of well known exploits in all operating systems and networks. MacOSX has a one-line CLI root access bug in its shipping system for example. You don't need to be clever.
                • by Shinobi ( 19308 )

                  And don't forget to verify what compiler settings are used when you check the compiled software, so you don't incorrectly mistake compiler optimizations for malicious code and vice versa.

                  And, in the end, it all hinges on your intimate knowledge of the code and the architecture in question, compared to the knowledge of the attacker.

            • by ( 4475953 )

              It is impossible to create a system that does not allow the developer(s) of the system to slip in flaws. No source code auditing can prevent that, since either the auditors can control the distribution of the executables, in case of which they could slip in a flaw, or they cannot control the distribution of the executables, in case of which one of the developers could slip in a flaw.

              The best that could be done is to do all development in teams, preferably randomly assigned, and ensure that all code changes

            • It's funny you should say this, because (and more interestingly) a former Tor developer, who also has a PhD in CompSci, is now the lead researcher for a security firm closely aligned to the FBI, in fact employing some of the agents responsible for catching DPR and shutting down SilkRoad.

              "Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago."
              "By 2012, Edman was working at Mitre Corporat

      • by AmiMoJo ( 196126 )

        Developers are prime targets because if the FBI can coerce them secretly they can introduce flaws that look like innocent mistakes. When discovered people just put them down to human error and move on.

      • Re: (Score:3, Interesting)

        by tom229 ( 1640685 )
        I decided to verify some of this speculation with information easy to obtain [github.com]. It turns out she's a very minor contributor. 3 commits, ever. To suggest her code contributions wouldn't be reviewed by the plethora of more active maintainers is pretty wild. Tor is open source, the FBI can make "clever" contributions on their own. They don't need the secret help of a very minor contributor. Furthermore, exit nodes are a much better avenue for compromise.

        Something fishy is going on here. If she's running and
        • Facts don't belong in this discussion.
        • by hoggoth ( 414195 )

          You're on to something here. I think she may turn out to be accused of not using a condom in Sweden.

        • Something fishy is going on here. If she's running and offering this bad of an excuse ("I don't want people to get hurt") it sounds like she's got something more important to hide. Don't be surprised when more of this unravels and she turns out to be complicit in some illegal activities on that network.

          This is the USA, most things are illegal.

        • by Anonymous Coward on Wednesday May 18, 2016 @11:04AM (#52135615)

          You are clearly not looking hard enough. She is the lead developer of BridgeDB and has been working on OONI:
          https://www.torproject.org/about/corepeople.html.en
          Looking at the checkins on BridgeDB shows that she at least has been very active:
          https://gitweb.torproject.org/bridgedb.git

        • by c ( 8461 ) <beauregardcp@gmail.com> on Wednesday May 18, 2016 @11:09AM (#52135649)

          This might be relevant [github.com]. Not a contributor to the core code base, but somewhat in the loop.

          Given the competence and professionalism shown by the FBI on this, I imagine their method for choosing a target was less about how important they are to the project and more about how accessible and vulnerable they are to law enforcement threats.

      • No, what she is saying is the FBI may believe she can, which puts her in a very bad position. If she is successful she "undermine(s) the Tor system -- and expose(s) Tor users around the world to potential spying" and if she is not she is imprisoned for contempt of court. I can see why she left. I can also see why so many security professionals keep their passport current. Way to keep the USA in the forefront of security; scare them to Germany.

        I would say that in the current climate ANYONE who lives in the USA and who works in computer or network security, and doesn't work for the US government, should get out of the USA while they can.

    • This is false; Isis does a lot of valuable work on Tor and on some related projects like bridgedb, but she does not have commit rights on the Tor daemon itself. The people who do are me (Andrea Shepard), Nick Mathewson and Roger Dingledine. All patches are reviewed by at least one committer other than the patch author.
  • by DatbeDank ( 4580343 ) on Wednesday May 18, 2016 @08:16AM (#52134117)
    She should be heading to a country that doesn't have an extradition treaty with the US.
  • You know... (Score:5, Insightful)

    by MitchDev ( 2526834 ) on Wednesday May 18, 2016 @08:16AM (#52134123)

    ..there was a time when people would think it was ridiculous to fear that the US would "I was worried they'd ask me to do something that hurts innocent people -- and prevent me from telling people it's happening,"...Shows how far America has fallen...

    • Re: (Score:3, Informative)

      When was this? This isn't new. As Ronald Reagan said: "The most terrifying words in the English language are: I'm from the government and I'm here to help."
      • Re:You know... (Score:5, Informative)

        by boa ( 96754 ) on Wednesday May 18, 2016 @08:45AM (#52134367)

        AFAICT: You're quoting Reagan out of context. He was speaking about farming and government subsidies. This is what Reagan actually said:

        "When I first started traveling abroad as President, especially to our annual economic summits, I suggested that the best foreign aid or development program the United States could give the world was a crash study in free enterprise. And this idea was, to say the least, greeted with skepticism. But when America's economic miracle took over and as we created during the past 67 months 17 million new jobs, I noticed that the idea of fostering growth through encouraging the entrepreneur began to take hold -- even to the point where the emphasis on agricultural subsidies, once so sacrosanct in other nations, is giving way at these summits to ideas on how to develop more free enterprise. There seems to be an increasing awareness of something we Americans have known for some time: that the 10 most dangerous words in the English language are, 'Hi, I'm from the Government, and I'm here to help.' [Laughter]

        Well, of course, sometimes government can help and should help -- natural disasters like the drought, for example -- but we need to look to a future where there's less, not more, government in our daily lives. It's that philosophy that brought us the prosperity and growth that we see today. That's why we've proposed nothing less than a total phaseout by the year 2000 of all policies that distort trade in agriculture, and I'm speaking of worldwide. This proposal reflects one of my abiding beliefs -- I think it's a belief that you share: The solution to the world agricultural problem is to get government out of the way and let farmers compete."
        https://reaganlibrary.archives... [archives.gov]

        • It applies in general. Lincoln rerouted all the telegraph lines in the 1800s so the government could listen in on telegraph traffic.
      • Re: (Score:2, Flamebait)

        I would add the words "ronald reagan" to that list, as well. that guy fucked us over so badly and for so long, and yet quite a lot of people see him as some kind of saint or model. the disconnect is strong, with this one, master yoda says.

      • by starless ( 60879 )

        When was this? This isn't new. As Ronald Reagan said: "The most terrifying words in the English language are: I'm from the government and I'm here to help."

        Actually, the words are mainly terrifying when the person from the government is Ronald Reagan...

  • A secure system isn't secure if a single developer can subvert it.
    • by ( 4475953 )

      Then again, being able to subvert a system and fearing that you might be forced to subvert it (whether or not you're successful) are two very different things, aren't they?

    • Re: (Score:3, Informative)

      by KiloByte ( 825081 )

      The Underhanded C Contest [underhanded-c.org] provides plenty of ideas how a smart developer can subvert a system even in face of thorough code review.

      And in Isis' case, if she was forced to make such a subversive commit, she could either:
      * refuse to be a traitor -- certain contempt of court
      * do it and get caught (immediately or after the fact) -- likely charge of contempt of court (they'd suspect she tipped the reviewers)
      * do it successfully -- and be a traitor of what we believe in

  • by serviscope_minor ( 664417 ) on Wednesday May 18, 2016 @08:17AM (#52134133) Journal

    If they act like untrustworthy douchebags, then surprise surprise people don't trust them even when they're working on a legitimate investigation. Naturally because they insist on acting like untrustworthy douchebags, no one even has any idea if it is legitimate.

    Well done, FBI, you're your own worst enemy.

  • Isis (Score:3, Funny)

    by 110010001000 ( 697113 ) on Wednesday May 18, 2016 @08:30AM (#52134243) Homepage Journal
    Her first name is Isis. What are the chances?
  • Her reason for fleeing doesn't even make sense. The FBI doesn't need her to write compromising code, Tor is open source. If Tor is in a state where she's the linchpin for all code submissions, then that's a pretty gaping security problem with that software anyways. Furthermore, Tor has never really been as secure from law enforcement as its users like to think. There's only a handful of exit nodes, and law enforcement could do a lot by simply compromising one, code intact.

    I wouldn't be surprised if we
    • Agreed. As usual we only hear half of the story. She ran away to Germany because an FBI agent left a card at her house while she was on vacation in Hawaii?
  • WWII (Score:3, Insightful)

    by fishscene ( 3662081 ) on Wednesday May 18, 2016 @08:41AM (#52134345)
    How many thousands of people gave their lives in World War 2 so that we could have the freedom to escape the U.S. government and flee to Germany? I'm surprised we haven't felt the earthquake from all the bodies rolling in their graves. :(
  • On a scale of 1 (fictitiously idealized America) to 10 (Trump's America) this makes me about a 3.5 or 4 in uneasiness. Not nearly enough to head for Canada but enough to maybe read up on them.

  • Last I checked they don't just hand out residency permits, and tourist visas for Americans expire after 90 days, at which point she has to leave Germany.
    How did she do it?

    • Pure speculation: If you're a notable security professional who hinders the feds for a living, you probably have your exit strategy planned well ahead, and it is no stretch of the imagination for that plan to include your friend's company abroad already waiting with the job offer you need to immigrate, and only too happy to welcome any existing clients you can bring along.

    • Notable security professionals usually can line up a job in the country of their choice and being highly skilled in a necessary area will very often speed along the process. Most every country is looking for talented IT workers and the demand is only apt to increase.
