British and American intelligence agents are undermining their colleagues - other agents attempting to hack the "dark web" - by finding and reporting flaws in Tor.
Spies from both countries have been working on finding flaws in Tor, a popular way of anonymously accessing "hidden" sites.
But the team behind Tor says other spies are tipping them off, allowing them to quickly fix any vulnerabilities.
The agencies declined to comment.
The allegations were made in an interview given to the BBC by Andrew Lewman, who is responsible for all the Tor Project's operations.
He said leaks had come from both the UK Government Communications Headquarters (GCHQ) and the US National Security Agency (NSA).
By fixing these flaws, the project can protect users' anonymity, he said.
"There are plenty of people in both organisations who can anonymously leak data to us to say — maybe you should look here, maybe you should look at this to fix this," he said. "And they have."
(Score: 5, Insightful) by MrGuy on Friday August 22 2014, @02:44PM
I'd especially love this press release if it's NOT true.
Taking your own worst enemies and sending them into a tizzy of internal witch hunting is the best revenge!
(Score: 2) by tangomargarine on Friday August 22 2014, @02:50PM
But they won't give us all their users so we have to destroy them anyway. Damn idealists.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 4, Insightful) by Rune of Doom on Friday August 22 2014, @05:03PM
The "to aid democracy advocates in authoritarian states" bit makes me giggle, because my brain automatically adds, "like the United States" to the end of it. Black humor is essential to life in modern America.
(Score: 3, Funny) by c0lo on Friday August 22 2014, @10:42PM
Yeap, US seems to be venting more spleen [wikipedia.org] by the day :)
(ducks)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by kaszz on Saturday August 23 2014, @12:22AM
If I recall correctly DoD wants to protect their browsing and have no real motivation to help other agencies to screw their work tool.
(Score: 3, Insightful) by francois.barbier on Friday August 22 2014, @03:13PM
Could the spies use this to insert flaws into the design?
E.g. by "fixing" an issue that also allows a backdoor or something?
Like when they provided "strong" cyphers for encryption...
Genuinely wondering here.
(Score: 3, Insightful) by quitte on Friday August 22 2014, @03:16PM
The Tor developers are very well aware of that threat. It would have to be an insanely convoluted attack to send bug reports without fixes and that way introduce backdoors.
(Score: 4, Interesting) by frojack on Friday August 22 2014, @04:30PM
You say this, but yet there are continuing stories [ibtimes.com] of government penetration of tor.
A subtle fix here, followed weeks later by another one over there, could have a cumulative effect to fingerprint the traffic.
To my way of thinking there is an uncomfortable level of government support and funding for TOR, while the NSA works to unmask TOR.
No, you are mistaken. I've always had this sig.
(Score: 2) by mrider on Friday August 22 2014, @05:51PM
What you describe is certainly a consideration, but it's somewhat orthogonal to inserting malicious but obfuscated code. What the TOR folks need to watch out for are code patches that are the more sophisticated version of if(x=0)...
What would concern me if I were a TOR maintainer (I'm not), would be having patches where any one patch is innocent enough, but the sum total of several patches produces a subtle exploit hole.
Doctor: "Do you hear voices?"
Me: "Only when my bluetooth is charged."
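As an added illustration of the review concern raised in the comment above (not code from the thread or from the Tor Project): a small heuristic check that scans only the added lines of a unified diff for a bare assignment inside an `if`/`while` condition. The sample patch, its identifiers and the function names are constructed for this example.

```python
import re

# Constructed sample patch; file and identifier names are made up.
SAMPLE_DIFF = """\
--- a/auth.c
+++ b/auth.c
@@ -10,3 +10,7 @@ int check(struct ctx *c, int flags)
     if (c == NULL)
         return -1;
+    if ((flags == (F_A | F_B)) && (c->uid = 0))
+        return 0;
+    if (c->len >= 4 && c->mode != 2)
+        return 1;
     return c->ok;
"""

# A lone '=' that is not part of ==, !=, <=, >= or a compound assignment.
# Heuristic only: a '=' inside a string literal would also be flagged.
ASSIGN = re.compile(r"(?<![=!<>+\-*/%&|^])=(?!=)")
COND = re.compile(r"\b(?:if|while)\s*\(")

def condition_text(line, start):
    """Return the text inside the parentheses opening at line[start]."""
    depth = 0
    for i in range(start, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[start + 1:i]
    return line[start + 1:]  # condition continues on a later line

def flag_assignments(diff):
    """Return (file, new_line_no, text) for added lines assigning in a condition."""
    findings, path, lineno = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("/", 1)[-1]   # drop the "b/" prefix
        elif raw.startswith("@@"):
            lineno = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            lineno += 1
            for m in COND.finditer(raw):
                if ASSIGN.search(condition_text(raw, m.end() - 1)):
                    findings.append((path, lineno, raw[1:].strip()))
                    break
        elif not raw.startswith("-"):
            lineno += 1   # context line; removed lines do not advance
    return findings
```

A check like this only catches the crude form; the multi-patch case described in the comment still needs human review of the cumulative change.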
(Score: 2, Informative) by soylentsandor on Friday August 22 2014, @04:43PM
According to the BBC [bbc.com], they do sometimes include patches:
(Score: 2) by tibman on Friday August 22 2014, @04:24PM
If they were supplying patches, then yes. But this seems to be just identifying bugs. A "trusted" person working on Tor is making the patch.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by opinionated_science on Friday August 22 2014, @04:39PM
I know next to nothing about Tor, but I know a little bit about software, hardware, and the assumptions we all make.
If a secure packet is sent over a dodgy ethernet port, it doesn't matter because the packet is "safe".
My worry is there are backdoors built into other parts of the chipset or more subtly in the algorithms that are used.
There is a great deal of sophisticated mathematics that goes into securing a packet of information, but to my knowledge there is no mathematical proof that there is not a tractable algorithm to reverse this process.
The scientist in me is very nervous with "nothing has been found so far", as these words normally precede the discovery of the contradiction...
The happy person in me is hoping the spooks are doing this for our benefit, because y'know, we pay them...!
(Score: 4, Informative) by No.Limit on Friday August 22 2014, @08:53PM
The mathematics are also based on assumptions. E.g. if P = NP [wikipedia.org] most encryption schemes are broken.
If P = NP the keyspace must be at least as big as the messagespace [wikipedia.org] to enable secure encryption. That is the OTP [wikipedia.org] would be the most efficient secure system. Or simpler your key ("password") must be as big as all of your messages that you ever want to exchange with a party (very unpractical). P = NP would mean that a brute force attack would be practically feasible (so you'd need information theoretic security [wikipedia.org] which even cannot be broken by brute force)!
Since P = NP is one of the hardest problems left in computer science, mathematicians have created a different security definition (semantic security) [wikipedia.org] that gives security under the assumption that P != NP. So breaking these schemes is at least as hard as proving P = NP (so extremely hard).
But statistically speaking the user and the software implementation are usually the weakest link.
So yea you're right that there is no mathematical proof (only assumptions) that you can't reverse the algorithms. But you usually don't have to worry about the mathematics.
You're also right to worry about backdoors built into chipsets or other hardware, because it's very hard to protect against those.
(Score: 3, Insightful) by darkfeline on Friday August 22 2014, @11:25PM
That's more of a Tor devs being negligent than the spies being malicious issue. If the Tor devs are accepting patches without auditing them, Tor users have much more serious problems than intelligence agents trying to insert a backdoor.
Join the SDF Public Access UNIX System today!
(Score: 3) by TestablePredictions on Friday August 22 2014, @08:04PM
Assuming for the moment that there are no corrupt ulterior motives for this. Thank you one and all leakers working within the system to improve things. Your working conditions are probably hostile and with zero gratitude. Thank you for not leaving for greener pastures. Thank you for staying and fighting the good fight.