New 'Hardened' Tor Browser Protects Users From FBI Hacking (vice.com) 103
An anonymous reader quotes an article from Motherboard: According to a new paper, security researchers are now working closely with the Tor Project to create a "hardened" version of the Tor Browser, implementing new anti-hacking techniques which could dramatically improve the anonymity of users and further frustrate the efforts of law enforcement...
"Our solution significantly improves security over standard address space layout randomization (ASLR) techniques currently used by Firefox and other mainstream browsers," the researchers write in their paper, whose findings will be presented in July at the Privacy Enhancing Technologies Symposium in Darmstadt, Germany.
The researchers say Tor is currently field-testing their solution for an upcoming "hardened" release, making it harder for agencies like the FBI to crack the browser's security, according to Motherboard. "[W]hile that defensive advantage may not last for too long, it shows that some in the academic research community are still intent on patching the holes that their peers are helping government hackers exploit."
"Our solution significantly improves security over standard address space layout randomization (ASLR) techniques currently used by Firefox and other mainstream browsers," the researchers write in their paper, whose findings will be presented in July at the Privacy Enhancing Technologies Symposium in Darmstadt, Germany.
The researchers say Tor is currently field-testing their solution for an upcoming "hardened" release, making it harder for agencies like the FBI to crack the browser's security, according to Motherboard. "[W]hile that defensive advantage may not last for too long, it shows that some in the academic research community are still intent on patching the holes that their peers are helping government hackers exploit."
Re: Better idea (Score:1, Insightful)
Generalizing, if you haven't done anything wrong then you have no need to fear constant surveillance.
Re: (Score:2, Flamebait)
And what the "wrong" thing you did was to denounce some human right violations of your current government or a corruption case?
Re: (Score:1)
Well, in those specific cases, you deserve the death penalty. duh.
Re: (Score:1)
Re: Better idea (Score:4, Insightful)
Generalizing, if you haven't done anything wrong then you have no need to fear constant surveillance.
Just being accused of doing something wrong can be enough to fuck up your life forever. You could be stuck in jail until your court date, and then go bankrupt because of the attorney's fees.
Re: (Score:2)
It's more subtle and pervasive than that. We have a twit of a girl who thinks it's OK to report people shoplifting who merelyv rub her the wrong way.. she think's they're "sketchy". The only thing stopping those names and faces from being added to a list is we can rewind and see the person didn't do anything. Management won't fire her because people like her and she does her job well, plus she's pretty. But she has somehow learned that it' s OK to leverage security against people who "creep you out".
I can
Re: (Score:1)
Re: (Score:1)
Re:Better idea (Score:5, Insightful)
Which law? There are a bout 150 different versions and the FBI will hack anybody (which is criminal in almost all countries for them to do). So, you are right, if the FBI stopped breaking the law, this problem would go away.
Re: (Score:2)
This, and what probable cause?
Re: (Score:3)
Why can't they just stop passing unreasonable laws? Then they wouldn't have to surveil everyone.
Re: (Score:1)
Why can't they just stop passing unreasonable laws? Then they wouldn't have to surveil everyone.
Because terrorists will kill our children!
Re: (Score:3)
What about those of us who are communicating with oppressed people?
Re: (Score:1)
What about those of us who are communicating with oppressed people?
Don't. You are only aiding and abetting terrorism!
Re: (Score:2)
I said, "oppressed," not depressed.
Re: (Score:1)
Government vs. Government (Score:5, Insightful)
So, to recap, the government-paid researchers are fighting the efforts of government-paid hackers to make the tool, that the government paid to create as a secure one, less so.
Whichever side wins, we, the taxpayers lose [youtube.com]...
Re: (Score:1, Interesting)
Man, Slashdot has gone downhill ever since the GNAA freed Natalie Portman from her petrification in grits.
Fucking Lunix losers.
Re: Government vs. Government (Score:1)
I blame systemd.
Re: (Score:3)
Wey hey! since everyone's doing it... Shut up you donkey-raping shit eating mung filled muff cabbage.
I'm pretty sure you can watch that porn without needing TOR.
Re: (Score:2)
Wey hey! since everyone's doing it... Shut up you donkey-raping shit eating mung filled muff cabbage.
I'm pretty sure you can watch that porn without needing TOR.
Depends on jurisdiction, here in Norway I think bestiality porn is illegal. Then again, so is cartoons and 18+ yos pretending to be underage.
Re: (Score:1)
Re: (Score:2)
So, you are saying, your taxes only pay for one side of this fight, right?
Billion-dollar holes... (Score:5, Interesting)
So, to recap, the government-paid researchers are fighting the efforts of government-paid hackers to make the tool, that the government paid to create as a secure one, less so.
Whichever side wins, we, the taxpayers lose [youtube.com]...
You have multiple countries with teams of very smart people working to crack everything crackable that protects privacy--because what allows private communication necessarily allows evasion of monitoring.
Of course, there are a lot of kinds of monitoring. Most obvious categories include:
1. Good purposes (attacking and/or defending against terrorists/child pornographers/organized crime/repressive regimes; tracking and blocking malware and other electronic attacks; etc...).
2. Middle-ground purposes (arguably ends-justify-the-means-behavior like violating some civil liberties while hunting white-collar criminals, child support nonpayment grey market income, doing propaganda against people in group #1).
3. Bad purposes (hunting political opposition, tracking and classifying people based on their political opinions or other things that should be prevented by freedom of speech, finding dirt for blackmail, gathering evidence of and prosecuting someone for common civil ordinance violations and petty crimes in a way which chills and stifles free speech and gives the monitoring agency unfettered power, etc...)
Re: (Score:2)
So the US government claims reason 1 to crack it, while most of the US constitution is oriented around preventing #3, and, having cracked stuff, so, too, do China and Russia. Thus does simple crime detection here enable a steel toe boot to be pressed on the necks of billions, forever.
Yay.
Re:Billion-dollar holes... (Score:5, Insightful)
GOOD
BAD
Does it ever get tiring cramming reality down to 0s and 1s?
Your simplistic morality is an intellectual torture device.
ALL MONITORING IS AGAINST YOUR INTEREST
Fight for your interest. Stop apologizing for societal problems caused by other people by sacrificing your rights. The solution to "terrorism", child porn, etc etc etc is not more crime that is just as a grave of an offense against natural law.
What you have is a government that assumes you will never amount to shit, and that you SHOULD never amount to shit, so you don't deserve any rights and should be forced to help in any way with whoever's interest the government happens to be serving that day. What if that person's interests directly compete with yours? The fact is that this is ALWAYS the case.
It's always for the little man to bear the burden of morality. Doesn't that clue you in to the nature of it?
Re:Government vs. Government (Score:5, Interesting)
Yeah, that pretty much sums it up.
Why, is that a problem?
See, these government guys are different from those government guys, who have an entirely different agenda from that government branch, because it's really coming from the authority of this government office, rather than that government office, and has an entirely different chain of command with entirely different officials from an entirely different Congressional committee.
Nobody wakes up in the morning and says "Today, I'm going to oppress my fellow citizens and make their lives worse!". Instead, all the government employees work toward the common goal of "advance America's interests", according to their specific areas of expertise. One group says build a thing because it helps America, and another group says to break it because it helps America's enemies.
Apart from paranoia, there is no reason to believe that either side isn't doing their best. If you trust that the Tor researchers (stemming from DARPA and the U.S. Navy) could possibly create a secure network, and trust that the Tor project could possibly create a secure browser, then you can trust that this browser is secure. That the government who funded it is now also trying to break it has little effect on how trustworthy the software itself actually is.
Re:Government vs. Government (Score:4, Interesting)
Bullshit.
See COINTELPRO - https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:3)
I'm quite familiar with the subject... but did you have a point to make, or did you think that merely mentioning a mistake relieves you of the duty to make an argument?
Re: (Score:1)
I think his comment was an answer to your comment
It's pretty clear that the COINTELPRO people were making the lives of quite a number of US citizens, specifcally those with black skin, worse.
Re: (Score:1)
Today, I'm going to oppress my fellow citizens ...
They say "I'm going to oppress those foreigners because it helps America." Then it becomes "I'm going to oppress my fellow citizens because it helps America." The contradiction in that statement is lost on them. If they understood it they wouldn't break laws, which happened in the war on terror, mass surveillance programs and CoIntelPro.
We'll skip over the politicking and pork-barreling that occurs in government; while relevant, it's a different issue. Having a "common goal" isn't the problem. The prob
Re: (Score:3)
**ALL** government guys are subject to Pournelle's Iron Law of Bureaucracy [jerrypournelle.com]. So, no matter WHAT the aim of the researchers, either they or their research will eventually be co-opted to serve the needs of the particular bureaucracy, and not that of the citizens it was created to serve. . .
Re: (Score:2)
Yes odd that they would specifically mention the FBI with no prompting.
Re: (Score:3)
pornographers have a larger audience?
"Won't someone think of the children?"
full employment (Score:4, Insightful)
Re: Bull-fucking-shit. (Score:3, Informative)
The article never stated that Tor (or the hardened branch of the Tor Browser) was designed to frustrate law enforcement. Only that it could, which is a true statement. It's simply an unintentional though welcome side-effect.
Re: (Score:1)
An anonymous reader quotes an article from Motherboard:
According to a new paper, security researchers are now working closely with the Tor Project to create a "hardened" version of the Tor Browser, implementing new anti-hacking techniques which could dramatically improve the anonymity of users and further frustrate the efforts of law enforcement...
The topic of law enforcement was brought up obviously to mislead. Encrypted data transmission happens even when you see https:// in your browser like you do right now. What Tor does is encrypts everything so Google can't database your surfing habits and correlate it with Facebook and other corporations .. and GOVERNMENTS. If they don't read what you say their lives go on just fine. If they are scared of fucking terrorists maybe they should fire THE SPOOKS.
Re: Bull-fucking-shit. (Score:4, Informative)
Isn't it useless on Windows 10, where Microsoft monitors everything you type and every site you go to? The govt. probably doesn't even need a warrant because you "have no expectation of privacy" on your data in Microsoft's databases. Thus do they have warrantless access to your privacy because of some fine print on page 287 of your Windows click-through license agreement.
Re: (Score:3)
Re: (Score:2)
That idiot is obviously a government propaganda shill, of course he would recommend things that are dangerous.
Re: (Score:2)
Unpatched and out of date has nothing to do with how secure it is.
Re: (Score:3)
For Tor? It has and very much so. When the FBI quite criminally (for most non-US citizen affected) mass-hacked Freedom Hosting (and they hacked everybody they could, quite a few users of entirely legal services among them), nobody that had updated their Tor Browser when prompted was affected. It was just people that used the old one for two weeks or so longer than they should have. And here is the kicker: Tor Browser releases have change notes and these state what was patched. And there is the patched sour
Re: does this really help (Score:1)
It does if you use two devices, one offline for content creation and encryption, Then send the encrypted data to the other which is connected to the internet
Re: (Score:3)
If your computer is completely untrusted then there are ways it still can communicate over an air gap with another untrusted computer.
For example, if you use usb sticks to share data, they could obiously store different stuff as well on the USB stick.
Re: (Score:3)
Believe it or not, Yes! It's a feature no less. https://en.wikipedia.org/wiki/... [wikipedia.org]
Not that I believe it's really being used in that way, but it's possible. The thing is, many of us don't have a problem with targeted surveillance, if you have a nice court approved warrant beforehand for an individual I don't even have a problem with surveillance of US citizens. This sort of tech isn't really useful for bulk surveillance, which is what many people have a problem with.
Protects against hacking (Score:5, Insightful)
The new version will protect against hacking, not from FBI hacking. The research with the hack the FBI used was published, so other people could use the same method. So basically this update protects people from a known vulnerability. This kind of reporting does more harm than inform, as it gives the impression that the main purpose of TOR is to commit crimes.
Re:Protects against hacking (Score:5, Interesting)
Well yeah I agree with you that the impression that TOR is mainly used to commit crimes is bad, but the paper has mentioned the FBI hacking in its introduction.
The technique they use is in fact per-function ASLR, and probably the places it can be used are as vast as for ASLR. Its not just limited to TBB or Firefox.
It'll surely severely limit the ability of doing ROP (return oriented programming), a very popular exploit technique.
Re: Protects against hacking - Feminist (Score:2, Insightful)
Probably because the World's Leadership are all devout believers in such things.
Which explains why the World is in such piss poor condition.
I sometimes wonder where we would be as a species if not for the religious speed bumps we've had to deal with theoughout history.
Re: (Score:2)
Re: (Score:3)
The thing people fail to understand is that you can always do thought-crime securely when you have secure anonymity. It is in the very definition of anonymity. And this whole thing is a trade-off, but the modern enlightened stance is that freedom is more important than suppression of though-crime and hence anonymity that works is hugely desirable.
Crimes with a physical component are different. For example, selling counterfeit objects (passports, ...) via a Tor hidden service still requires physical shipping
The question was settled in the 1970s. Just don't (Score:3)
Why must you record my phone calls?
Are you planning a bootleg LP?
Said you've been threatened by gangsters
Now it's you that's threatening me
Can't fight corruption with con tricks
They use the law to commit crime
And I dread, dread to think what the future will bring
When we're living in gangster time
GitHub link (Score:3)
Re: (Score:3)
Wow that image reminds me of that infamous microsoft defragmentation tool. I remember watching it moving around stripes of stuff.
How about what is needed more... (Score:4, Insightful)
A hardened Android based on the raw android that protects you from being backdoored and tried to identify and alert you to the fake cellphone towers when you connect to one.
Then let's get a nice hardened Linux as well that actively fights attacks and tried to hide.
THEN we have a place for this browser to live.
Re: (Score:3)
Re:How about what is needed more... (Score:4, Interesting)
That is actually very simple. Runtime is 100% read only except for user area for data and nothing can be executed from there. impossible to backdoor.
Updates must be out of band and done after a power cycle and booting into a "admin mode" that has no connectivity. If the installer shows it's clean and unmolested, allow it to run. It will severely limit the ability to be backdoored in any way if it requires a physical ower down and reboot into a protected mode for installs and updates.
Trust? (Score:3)
How does a non-expert know whether this really is secure or has a NSA / FBI / Chinese etc back door. The government can easily afford to pay people to post on public forums like this claiming that any particular software is or is not secure.
Open source doesn't really help since very few people are expert enough (or have time) to review the code, and its impossible to tell if other "experts" are paid to spread misinformation.
Re: (Score:2)
This a million times.
Consider for example, systemD.
OK now tell me when you're done considering it.
Everyone who still trusts Tor raise your hand (Score:3)
Bueller...
Bueller...
That's what I thought.
Re: This only helps terrorists and criminals (Score:5, Insightful)
Bad news.
In this day and age, " The Government " IS the threat.
We the people aren't sending drones over to kill folks.
We're not spearheading the "War on Drugs".
We're not doing regime changes, implementing no fly lists, spying on anyone and everything and doing our damdest to undo The Constitution.
We don't lock people up in a prison with no means to even challenge their accusers. Nor do we outsource torture to get around local laws.
We're not trying to force our will on any other people or governments.
The Government, on the other hand, is guilty of every single statement above and a whole lot more I don't need to type. Not to mention the crap we don't even know about
So, yeah, if there is anything to be wary of, it's the Government