
Re: Tor Project infrastructure updates in response to security breach



On Wed, Jan 20, 2010 at 11:12:29PM -0500, Peter Thoenen wrote:
> > In early January we discovered that two of the seven directory
> > authorities were compromised (moria1 and gabelmoo), along with
> > metrics.torproject.org, a new server we'd recently set up to serve
> > metrics data and graphs. The three servers have since been reinstalled
> > with service migrated to other servers.
> 
> While the issue was resolved, could this have had an impact had they known
> what they broke into between the time of breach and time of discovery?

Yes, depending on how paranoid you want to get.

I don't think they could have done anything particularly devious with
the directory authority. We've got that pretty well sorted out with the
distributed trust thing -- nothing moria1 does can rig the consensus
by itself.

So it's really a question of the services running.

Moria was running a nameserver for torproject.org (still is), so they
could send web requests elsewhere. If people check SSL certs, no problem
(modulo the usual points about SSL not being perfect); if they don't
check SSL certs, we hope they check package signatures. This risk isn't
specific to our machines though -- your local ISP can lie to you about
your DNS resolves, or some jerk could redirect our bgp record like how
Pakistan stole Youtube for a few hours last year.

It was also the mail host for @torproject.org, though most of the mails
went off to other mail servers after that. So they could have read my
mail. Most of my mail is public (and/or boring) anyway though.

I could imagine that they might try to sneak in a commit to the git
repository. We have a hook that mails all commits to the mailing list,
and we watch that pretty well. But they could disable the hook during
their commit. As I mentioned in the earlier mail, the git tree is made up
of hashes, so they can't just modify it outright. I've looked over the
'git log' output, and didn't find anything odd. It might be neat to do
an automated comparison of "mails that made it to the mailing list" vs
"commits to the git repository", if we wanted another layer of checking.

Svn is less secure. It's just a database, and people can muck with it how
they like. We've compared several of the svn repositories to backups, and
nothing looked out of the ordinary. Good thing we moved Tor, Torbutton,
BridgeDB, etc to git last year. The website wml files are still in svn
and not git though, to make it easier for our volunteer translators;
give us a holler if you find "Tor sucks" scribbled in some corner. :)

If you want to scale up on the paranoid meter, you could imagine ssh
client buffer overflows for the developers when we connected to it. That
rabbit-hole goes as far as you like.

Speaking of rabbit-holes, my gpg key is nearly a decade old and only
1024 bits. Sometime in the next little while I'm going to switch to a
bigger one.

> Do we know how they broke in?

As I understand it, we have a 450G disk image from one of the machines
sitting somewhere in Canada, but not anywhere near any of the Tor people.

The attacker(s) were sloppy, so we know some things like the name of the
local-to-root exploit they used (which by its name works on a surprisingly
wide spread of kernel versions... security is hard). I still don't know
how they got in to moria originally, though. Too much was going on on
that machine.

--Roger
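
The automated comparison of "mails that made it to the mailing list" vs "commits to the git repository" suggested in the message above, as an added example (not code from the original mail or from the Tor Project). It assumes each commit notification carries a `commit <sha1>` line as `git log` prints it; the function names, sample archive and commit ids are constructed for illustration.

```python
import re
import subprocess

# Assumed notification format: each commit mail carries a line
# "commit <40-hex-sha1>" as `git log` prints it. Adjust to the real hook.
COMMIT_LINE = re.compile(r"^commit ([0-9a-f]{40})$", re.MULTILINE)


def announced_commits(archive_text):
    """Commit ids mentioned in the mailing-list archive (mbox text)."""
    return set(COMMIT_LINE.findall(archive_text))


def repo_commits(repo_path):
    """Every commit reachable from any ref in the repository."""
    out = subprocess.run(["git", "-C", repo_path, "rev-list", "--all"],
                         check=True, capture_output=True, text=True).stdout
    return set(out.split())


def compare(repo_ids, mailed_ids):
    """Return (commits with no mail, mailed commits missing from the repo)."""
    return sorted(repo_ids - mailed_ids), sorted(mailed_ids - repo_ids)


# Constructed sample data, not real Tor commits or list traffic.
A, B, C, D = ("a" * 40, "b" * 40, "c" * 40, "d" * 40)
SAMPLE_ARCHIVE = f"""From hook@example.invalid Mon Jan  4 10:00:00 2010
Subject: [commits] fix typo

commit {A}

From hook@example.invalid Tue Jan  5 11:00:00 2010
Subject: [commits] update docs

commit {B}

From hook@example.invalid Wed Jan  6 12:00:00 2010
Subject: [commits] refactor

commit {D}
"""
SAMPLE_REPO = {A, B, C}  # C stands for a commit made with the hook disabled

if __name__ == "__main__":
    unmailed, vanished = compare(SAMPLE_REPO, announced_commits(SAMPLE_ARCHIVE))
    print("in repository, never announced:", unmailed)
    print("announced, missing from repository:", vanished)
```

Against a real tree, pass `repo_commits(path)` and the text of the list archive instead of the sample values; a commit in the first list is one the list never saw, and one in the second was announced but is no longer reachable from any ref.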
