Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Government Security The Internet

New 'Hardened' Tor Browser Protects Users From FBI Hacking (vice.com) 103

An anonymous reader quotes an article from Motherboard: According to a new paper, security researchers are now working closely with the Tor Project to create a "hardened" version of the Tor Browser, implementing new anti-hacking techniques which could dramatically improve the anonymity of users and further frustrate the efforts of law enforcement...

"Our solution significantly improves security over standard address space layout randomization (ASLR) techniques currently used by Firefox and other mainstream browsers," the researchers write in their paper, whose findings will be presented in July at the Privacy Enhancing Technologies Symposium in Darmstadt, Germany.

The researchers say Tor is currently field-testing their solution for an upcoming "hardened" release, making it harder for agencies like the FBI to crack the browser's security, according to Motherboard. "[W]hile that defensive advantage may not last for too long, it shows that some in the academic research community are still intent on patching the holes that their peers are helping government hackers exploit."
This discussion has been archived. No new comments can be posted.

New 'Hardened' Tor Browser Protects Users From FBI Hacking

Comments Filter:
  • by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Sunday June 19, 2016 @08:42PM (#52349597) Homepage Journal

    it shows that some in the academic research community are still intent on patching the holes that their peers are helping government hackers exploit.

    So, to recap, the government-paid researchers are fighting the efforts of government-paid hackers to make the tool, that the government paid to create as a secure one, less so.

    Whichever side wins, we, the taxpayers lose [youtube.com]...

    • by SeattleLawGuy ( 4561077 ) on Sunday June 19, 2016 @09:04PM (#52349679)

      it shows that some in the academic research community are still intent on patching the holes that their peers are helping government hackers exploit.

      So, to recap, the government-paid researchers are fighting the efforts of government-paid hackers to make the tool, that the government paid to create as a secure one, less so.

      Whichever side wins, we, the taxpayers lose [youtube.com]...

      You have multiple countries with teams of very smart people working to crack everything crackable that protects privacy--because what allows private communication necessarily allows evasion of monitoring.

      Of course, there are a lot of kinds of monitoring. Most obvious categories include:

      1. Good purposes (attacking and/or defending against terrorists/child pornographers/organized crime/repressive regimes; tracking and blocking malware and other electronic attacks; etc...).
      2. Middle-ground purposes (arguably ends-justify-the-means-behavior like violating some civil liberties while hunting white-collar criminals, child support nonpayment grey market income, doing propaganda against people in group #1).
      3. Bad purposes (hunting political opposition, tracking and classifying people based on their political opinions or other things that should be prevented by freedom of speech, finding dirt for blackmail, gathering evidence of and prosecuting someone for common civil ordinance violations and petty crimes in a way which chills and stifles free speech and gives the monitoring agency unfettered power, etc...)

      • So the US government claims reason 1 to crack it, while most of the US constitution is oriented around preventing #3, and, having cracked stuff, so, too, do China and Russia. Thus does simple crime detection here enable a steel toe boot to be pressed on the necks of billions, forever.

        Yay.

      • by axewolf ( 4512747 ) on Monday June 20, 2016 @09:07AM (#52351665)

        GOOD
        BAD
        Does it ever get tiring cramming reality down to 0s and 1s?

        Your simplistic morality is an intellectual torture device.

        ALL MONITORING IS AGAINST YOUR INTEREST
        Fight for your interest. Stop apologizing for societal problems caused by other people by sacrificing your rights. The solution to "terrorism", child porn, etc etc etc is not more crime that is just as a grave of an offense against natural law.

        What you have is a government that assumes you will never amount to shit, and that you SHOULD never amount to shit, so you don't deserve any rights and should be forced to help in any way with whoever's interest the government happens to be serving that day. What if that person's interests directly compete with yours? The fact is that this is ALWAYS the case.

        It's always for the little man to bear the burden of morality. Doesn't that clue you in to the nature of it?

    • by Sarten-X ( 1102295 ) on Sunday June 19, 2016 @09:09PM (#52349697) Homepage

      Yeah, that pretty much sums it up.

      Why, is that a problem?

      See, these government guys are different from those government guys, who have an entirely different agenda from that government branch, because it's really coming from the authority of this government office, rather than that government office, and has an entirely different chain of command with entirely different officials from an entirely different Congressional committee.

      Nobody wakes up in the morning and says "Today, I'm going to oppress my fellow citizens and make their lives worse!". Instead, all the government employees work toward the common goal of "advance America's interests", according to their specific areas of expertise. One group says build a thing because it helps America, and another group says to break it because it helps America's enemies.

      Apart from paranoia, there is no reason to believe that either side isn't doing their best. If you trust that the Tor researchers (stemming from DARPA and the U.S. Navy) could possibly create a secure network, and trust that the Tor project could possibly create a secure browser, then you can trust that this browser is secure. That the government who funded it is now also trying to break it has little effect on how trustworthy the software itself actually is.

      • by Ziest ( 143204 ) on Sunday June 19, 2016 @09:55PM (#52349857) Homepage

        Bullshit.

        See COINTELPRO - https://en.wikipedia.org/wiki/... [wikipedia.org]

        • I'm quite familiar with the subject... but did you have a point to make, or did you think that merely mentioning a mistake relieves you of the duty to make an argument?

          • by Anonymous Coward

            I think his comment was an answer to your comment

            Nobody wakes up in the morning and says "Today, I'm going to oppress my fellow citizens and make their lives worse!".

            It's pretty clear that the COINTELPRO people were making the lives of quite a number of US citizens, specifcally those with black skin, worse.

      • by Anonymous Coward

        Today, I'm going to oppress my fellow citizens ...

        They say "I'm going to oppress those foreigners because it helps America." Then it becomes "I'm going to oppress my fellow citizens because it helps America." The contradiction in that statement is lost on them. If they understood it they wouldn't break laws, which happened in the war on terror, mass surveillance programs and CoIntelPro.

        ... government employees work toward the common goal ...

        We'll skip over the politicking and pork-barreling that occurs in government; while relevant, it's a different issue. Having a "common goal" isn't the problem. The prob

      • by Salgak1 ( 20136 )

        **ALL** government guys are subject to Pournelle's Iron Law of Bureaucracy [jerrypournelle.com]. So, no matter WHAT the aim of the researchers, either they or their research will eventually be co-opted to serve the needs of the particular bureaucracy, and not that of the citizens it was created to serve. . .

    • Yes odd that they would specifically mention the FBI with no prompting.

  • full employment (Score:4, Insightful)

    by turkeydance ( 1266624 ) on Sunday June 19, 2016 @09:03PM (#52349673)
    for both sides. enjoy
  • by zedaroca ( 3630525 ) on Sunday June 19, 2016 @09:49PM (#52349845)

    The new version will protect against hacking, not from FBI hacking. The research with the hack the FBI used was published, so other people could use the same method. So basically this update protects people from a known vulnerability. This kind of reporting does more harm than inform, as it gives the impression that the main purpose of TOR is to commit crimes.

    • by NotInHere ( 3654617 ) on Sunday June 19, 2016 @10:08PM (#52349903)

      Well yeah I agree with you that the impression that TOR is mainly used to commit crimes is bad, but the paper has mentioned the FBI hacking in its introduction.

      The technique they use is in fact per-function ASLR, and probably the places it can be used are as vast as for ASLR. Its not just limited to TBB or Firefox.

      It'll surely severely limit the ability of doing ROP (return oriented programming), a very popular exploit technique.

    • yes. And to the majority of the world, the FBI is not the primary threat.
    • by gweihir ( 88907 )

      The thing people fail to understand is that you can always do thought-crime securely when you have secure anonymity. It is in the very definition of anonymity. And this whole thing is a trade-off, but the modern enlightened stance is that freedom is more important than suppression of though-crime and hence anonymity that works is hugely desirable.

      Crimes with a physical component are different. For example, selling counterfeit objects (passports, ...) via a Tor hidden service still requires physical shipping

  • Why must you record my phone calls?
    Are you planning a bootleg LP?
    Said you've been threatened by gangsters
    Now it's you that's threatening me
    Can't fight corruption with con tricks
    They use the law to commit crime
    And I dread, dread to think what the future will bring
    When we're living in gangster time

  • by campuscodi ( 4234297 ) on Sunday June 19, 2016 @10:06PM (#52349893)
    • Wow that image reminds me of that infamous microsoft defragmentation tool. I remember watching it moving around stripes of stuff.

  • by Lumpy ( 12016 ) on Monday June 20, 2016 @08:13AM (#52351411) Homepage

    A hardened Android based on the raw android that protects you from being backdoored and tried to identify and alert you to the fake cellphone towers when you connect to one.

    Then let's get a nice hardened Linux as well that actively fights attacks and tried to hide.

    THEN we have a place for this browser to live.

    • I'm not exactly sure how you can specifically protect against a backdoor besides auditing the code, but in regards to Stingray detection, I believe that's still in the research stage.
      • by Lumpy ( 12016 ) on Monday June 20, 2016 @10:04AM (#52352051) Homepage

        That is actually very simple. Runtime is 100% read only except for user area for data and nothing can be executed from there. impossible to backdoor.

        Updates must be out of band and done after a power cycle and booting into a "admin mode" that has no connectivity. If the installer shows it's clean and unmolested, allow it to run. It will severely limit the ability to be backdoored in any way if it requires a physical ower down and reboot into a protected mode for installs and updates.

  • by joe_frisch ( 1366229 ) on Monday June 20, 2016 @11:42AM (#52352815)

    How does a non-expert know whether this really is secure or has a NSA / FBI / Chinese etc back door. The government can easily afford to pay people to post on public forums like this claiming that any particular software is or is not secure.

    Open source doesn't really help since very few people are expert enough (or have time) to review the code, and its impossible to tell if other "experts" are paid to spread misinformation.

  • Bueller...
    Bueller...

    That's what I thought.

Basic is a high level languish. APL is a high level anguish.

Working...