NSA Trying Hard To Compromise Tor, But It's Still Mostly Safe

from the good-news dept

The latest from the Guardian out of the Ed Snowden leaks shows that the NSA and GCHQ have been trying desperately to target Tor, even though Tor is largely funded by the US government. The good news is that they basically haven't been able to attack the underlying Tor network, but rather rely on exploits elsewhere, such as within Firefox to try to target certain individuals.

Top-secret NSA documents, disclosed by whistleblower Edward Snowden, reveal that the agency's current successes against Tor rely on identifying users and then attacking vulnerable software on their computers. One technique developed by the agency targeted the Firefox web browser used with Tor, giving the agency full control over targets' computers, including access to files, all keystrokes and all online activity.

But the documents suggest that the fundamental security of the Tor service remains intact. One top-secret presentation, titled 'Tor Stinks', states: "We will never be able to de-anonymize all Tor users all the time." It continues: "With manual analysis we can de-anonymize a very small fraction of Tor users," and says the agency has had "no success de-anonymizing a user in response" to a specific request.

Another top-secret presentation calls Tor "the king of high-secure, low-latency internet anonymity".

In response to all of this the NSA put out one of its typically bland and empty statements about how what it does is "authorized by law" and it should be no surprise that it's seeking information on bad people.






Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    Ninja (profile), Oct 4th, 2013 @ 11:15am

    They tried to cut the onion and ended up crying eh? /pun

    And given the sparked interest in privacy and better security they'll be having more reasons to cry in the future. Much for the benefit of the rest of us.

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    Baldaur Regis (profile), Oct 4th, 2013 @ 11:15am

    If by "seeking information on bad people" the NSA means "pantsing the entire population of Earth", then yes, that statement is true.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 11:21am

    I am torrified I say.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 11:23am

    Deterministic builds

    Tor and Bitcoin are two projects which go further than most when it comes to security. For instance, they are working on deterministic builds (https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise), which will allow anyone to validate that the downloaded binaries were produced from the published source code, and have not been modified afterwards.

    With most projects, even free/open-source software, you have to trust that the build machines have not been compromised. With deterministic builds, even this risk is reduced.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 11:32am

    Bad people my ass... They go after anyone they please.... and kill them. The US has an auto immune problem. The people who are supposed to protect us have decided ôlet's murder them instead".

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 12:04pm

    The definition of bad people, made up by a government gone rabid along with an agency that has no concept of truth, right to privacy, nor moral compass that has been shown time and again to be broken, is not of any comfort at all.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    LOL, Oct 4th, 2013 @ 12:05pm

    lol

    Meh, prove it.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Mark Wing, Oct 4th, 2013 @ 12:06pm

    If they can't de-anonymize Tor, then they can certainly demonize it. That seems to be the current strategy for defeating it. If you can't defeat the technology, then show the world all the bad things it's being used for, so everyone will throw the baby out with the bath water.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 12:27pm

    Re:

    torrorist !

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    PopeRatzo (profile), Oct 4th, 2013 @ 12:31pm

    Reminds me to install Tor

    This story is a reminder set up Tor on all the machines in my house, if only to have and to make the NSA work a little harder.

    What would happen if all of a sudden an additional billion people started using Tor? Make them drop their "national security" mask so the opposition can really take hold.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 12:36pm

    If Tor becomes compromise where will I go to buy my heroin and assassins?

    /s

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 12:54pm

    what is ... S//SI/REL ?

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 1:11pm

    Re:

    Afghanistan

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 1:27pm

    Tor is no obstacle to NSA surveillance

    I'm sure this information is quite outdated (it's from way back in 2007) and misleading. An adversary with as much access to online traffic as the NSA can easily break a system like Tor by correlating traffic between clients, relay nodes, exit nodes and websites. If you think they're not already doing this, you are being naive.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 1:28pm

    but rather rely on exploits elsewhere, such as within Firefox to try to target certain individuals.


    I'm REALLY curious about this, does anyone know if this is a vulnerability in this software bundle or a problem with all Firefox browsers or Windows PCs?

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 1:28pm

    Re:

    One technique developed by the agency targeted the Firefox web browser used with Tor


    Meant to quote this, sorry.

     

    reply to this | link to this | view in thread ]

  17.  
    icon
    Sheogorath (profile), Oct 4th, 2013 @ 1:41pm

    Wait, that sounds familiar...

    You can de-anonymize some of the users all of the time, and all of the users some of the time, but you cannot de-anonymize all of the users all of the time.
    With apologies to Abraham Lincoln(?).

     

    reply to this | link to this | view in thread ]

  18.  
    icon
    John Fenderson (profile), Oct 4th, 2013 @ 1:57pm

    Re:

    It's impossible to say without knowing the specifics of the technique(s) they're using.

    Speaking generally, pretty much every nontrivial program that uses the internet has vulnerabilities (that's a corollary to the fact that every nontrivial program has bugs). Many of these vulnerabilities are kept secret, so you probably won't know of them if you aren't the producer of the software, a spy, and/or a cracker.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 1:57pm

    Re: Tor is no obstacle to NSA surveillance

    Got the date wrong: The "Tor Stinks" document is not from 2007 but from 2012. Otherwise, I stand by my post.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 2:09pm

    If I were a criminal defense attorney

    ...I'd probably be signing up new clients by the score. Mr. Snowden has revealed that the NSA is guilty of who knows how many thousands of counts of numerous federal crimes, among them computer hacking & authoring and distributing malware. If the local federal D.A. gets some of his/her cases dismissed on technicalities due to questionable or improper police work, I don't see how the legal system can survive not upholding the same standard for these pricks.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Coward, Oct 4th, 2013 @ 3:33pm

    Even if the NSA can de-anonymise some Tor users through correlation. I'm not worried, because I'm a law-abiding citizen using Tor to opt-out of PRISM and exercise my 1st amendment right.

    If the NSA want's to waste valuable resources trying to figure out what I do online. That's their choice.

    Anything I can do to make their unconstitutional spying harder, is worthwhile.

     

    reply to this | link to this | view in thread ]

  22.  
    icon
    Chronno S. Trigger (profile), Oct 4th, 2013 @ 3:40pm

    Re: Re:

    If I remember correctly, there is an old vulnerability that javascript code can take advantage of in Firefox 17. Firefox 17 is the version that comes bundled in the Tor Browser with the NoScript addon disabled. The easiest way around that problem is to enable NoScript.

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    ldne, Oct 4th, 2013 @ 5:30pm

    Re: Tor is no obstacle to NSA surveillance

    Spoken by yet another person who doesn't understand how TOR works. You people should form a club.

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous, Oct 4th, 2013 @ 5:50pm

    Re: Re: Tor is no obstacle to NSA surveillance

    Tor was invented in part by the government. That should tell you all you need to know.

     

    reply to this | link to this | view in thread ]

  25.  
    icon
    Postulator (profile), Oct 4th, 2013 @ 9:10pm

    Because if I don't want someone looking over my shoulder at everything I do on the Internet I'm a "bad person"?

    Thanks NSA for protecting the world, one rewritten dictionary at a time.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, Oct 5th, 2013 @ 3:39am

    This is EXACTLY why the Tor project should compartmentalize development.

    The development of a "Tor Browser Bundle" is plain stupid. Tor should be developed, a few browsers should be hardened and configured for Tor usage, as well as other clients for other protocols.

    But they'll never do that, as they've made clear again and again.

     

    reply to this | link to this | view in thread ]

  27.  
    identicon
    Anonymous Coward, Oct 5th, 2013 @ 10:17am

    Re: Re: Tor is no obstacle to NSA surveillance

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    AnonymousRat, Oct 5th, 2013 @ 7:46pm

    Lack of knowledge

    Reading the posts here it appears that about 95% of the posts are from those who have not a clue what Tor is, how it works and may not even know what PGP is much less how it works.
    I'm from the old school. I was in Crypto before PGP.
    I was Navy. What department will go forever undisclosed.
    What I'm reading here is so sgnorant it's hard to stomach.
    There are actually a few intellegent comments though.
    AnonymousCoward you are pretty much knowledgeable and are leading the pack here with common sense.
    Most of the rest of you should stop posting do a little more reading. Not here, go read about PGP, read about routing, read the history of PGP written by Phil Zimmerman who wrote and published it in the early 90's.
    Who was hounded by the US Communist run government.
    I helped to pay for his defense in those days.
    Go learn. You will never learn by just blabing about what you don't know.
    I still use Tor and what I use it for could be potentially life threatening.
    No I am not violating any laws of my country. I'm trying to help those who have not the freedom you have.
    Keep writing I want to learn just how ignorant my fellow citizens are.

     

    reply to this | link to this | view in thread ]

  29.  
    identicon
    Anonymous, Oct 6th, 2013 @ 5:56am

    Re: Lack of knowledge

    The government has for several years had the ability to decrypt PGP through the use of a program called Magic Lantern.

     

    reply to this | link to this | view in thread ]

  30.  
    icon
    btrussell (profile), Oct 8th, 2013 @ 3:42am

    Re:

    Why? They are just looking for torists, also spelt "tourists."

    More jails are being built. These are sunk costs and are very costly unless you are utilizing them fully.

     

    reply to this | link to this | view in thread ]

  31.  
    icon
    Niall (profile), Oct 10th, 2013 @ 5:09am

    Re: Re:

    Nah, just rededicate them as student accommodation! They'll be better than most commercially available...

     

    reply to this | link to this | view in thread ]

  32.  
    identicon
    Anonymous Coward, Oct 12th, 2013 @ 5:02pm

    Re: Lack of knowledge

    thanks for your service man. I was an army ranger so I get what you are doing.

     

    reply to this | link to this | view in thread ]

  33.  
    identicon
    Anonymous Coward, Jan 24th, 2014 @ 1:51pm

    Re:

    This is why some believe in perpetual war.... Let the jackasses that WANT to go around killing people get ewch other

     

    reply to this | link to this | view in thread ]

  34.  
    identicon
    Anonymous Coward, Jan 24th, 2014 @ 1:58pm

    Re: Reminds me to install Tor

    I still think they are monitoring TOR by controlling the nodes on mil bases

     

    reply to this | link to this | view in thread ]

  35.  
    identicon
    Anonymous Coward, Jan 25th, 2014 @ 9:55am

    Re: Re: Re: Tor is no obstacle to NSA surveillance

    The internet was created by the DARPA still the dark web exists.

     

    reply to this | link to this | view in thread ]

  36.  
    identicon
    LivingParadox, Jan 28th, 2014 @ 5:12am

    Re:

    agreed. the us government as well as the nsa's opinion of a "bad person" is essentially anyone who disagrees or chanlenges thier establishment. that demographic doesnt apply to nearly as many people as it should.

    privacy is a natural human right in my opinion and for anyone to take that away from anyone is very wrong.

    the whole system is designed to collapse... and soon. its not just the internet that is in trouble.

    "End the fed, Arrest the Banksters!"

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This