[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] FBI cracked Tor security

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] FBI cracked Tor security
From: Jon Tullett <jon.tullett@xxxxxxxxx>
Date: Thu, 14 Jul 2016 13:45:50 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 14 Jul 2016 07:46:06 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=5tIowxn0VVyYyFZwfT4+z2lvNDWOMk7l2oUiV8OVsd8=; b=wPziZNJffFNw5TFVpWSEMMtr4mbqw3lPVSKJtqsXTf4GPnCOUdvWAAoPh5488bfG08 O9nKc2vn5PGPqC6UeD52vh0HmTeJmjKu18Ya35/nqh5dVFefq53bKDPRMbDR3CZYPUHd J5BNpNKn2ZRa1TTAST1NwsV9yUWcy2ABWA+l6M8svwGS5/mRs+R/wjSqqZf/NWhF1sc9 FNeF34+aKs3QYzClIrFt0WnDNpe3FHjWwDnXeOoN7gYugnJyrAsGIRZMmQteyyzPlk8T 6p+TidXJBuC7Q1+PW+9m4eL6oUl0hXkQYcSzPrQWg9yYS8hmb+IMdpbIW8UXohhKWemz JjYg==
In-reply-to: <5246e420-a53d-3d3d-f28c-665fc43c70e6@beroal.in.ua>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <652210562.2768097.1468453881242.JavaMail.yahoo.ref@mail.yahoo.com> <652210562.2768097.1468453881242.JavaMail.yahoo@mail.yahoo.com> <CAPkfgVYU_T9w0SJ9QsqSo8EXHgbJx68hROb6E8ELsrS2J6W6kg@mail.gmail.com> <5246e420-a53d-3d3d-f28c-665fc43c70e6@beroal.in.ua>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On 14 July 2016 at 12:52,  <me@xxxxxxxxxxxx> wrote:
> On 14.07.16 09:23, Jon Tullett wrote:
>>
>> On 14 July 2016 at 01:51, Nick Levinson <nick_levinson@xxxxxxxxx> wrote:
>>>
>>> The FBI reportedly cracked Tor's security to crack a child porn case with
>>> over 100 arrests of Tor users.
>>
>> I think what you'll find in such cases is that the FBI generally crack
>> the servers hosting the illicit material, not Tor itself.
>
> It's still unclear to me whether there is a vulnerability in Firefox, in Tor
> Browser, or in Tor.

These are separate issues with separate ramifications. Breaking
Firefox is comparatively trivial. Breaking Tor would be extremely
untrivial, both in effort and implication.

Take one scenario; the FBI deploys malware on a server to identify its
users. That doesn't require (or even benefit from) attacking the Tor
network directly. It's about exploiting vulnerabilities in the hosting
software for delivery, then about vulnerabilities in the users'
browsers for infection. That may be browser vulnerabilities or Flash
vulns or whatever, but again, nothing to do with Tor.

Also worth separating Tor and TBB. Vulnerabilities in TBB would likely
be flaws in Firefox or a bundled addon. Exploiting that is certainly
plausible, but doesn't count as "cracking Tor" in the context of
compromising the network or encryption.

In the case of Freedom Hosting, it was reportedly a combination of
both; the FBI cracked the server, then planted malware which exploited
a vuln in Firefox (and therefore TBB) users. They didn't, it is
believed, compromise Tor crypto in the process.
https://www.wired.com/2013/09/freedom-hosting-fbi/

Should add that users with NoScript enabled would not have been
vulnerable - I get the "noscript decreases privacy" argument, but I'd
still kinda like it to be on by default to protect users. Maybe with a
big red "Turn on Javascript because I'm happy to get pwned by
malicious ads, FBI malware, and miscellaneous trackers" button :)

Lastly, I should acknowledge that none of this is proof that Tor has
NOT been compromised. Just that in the incident in question, it was
probably not.

>> There are frequently vulnerabilities in hosting services - content
>> platforms, web forums, third-party Javascript libraries, file uploads,
>> management interfaces...many sites, darkweb or not, have much broader
>> attack surfaces than their owners understand.
>
> Exactly. Bugs in software. Or, as Dijkstra put it, incorrect software. Users
> demand more features instead of more correctness because buggy software is
> "good enough" and a rare glitch is no problem. Then they discover that they
> lost control of their computers.

Unfortunately, security is rarely a top priority for either developers
or users.

-J
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] FBI cracked Tor security
  - From: krishna e bera

References:
- [tor-talk] FBI cracked Tor security
  - From: Nick Levinson
- Re: [tor-talk] FBI cracked Tor security
  - From: Jon Tullett
- Re: [tor-talk] FBI cracked Tor security
  - From: me

Prev by Author: Re: [tor-talk] FBI cracked Tor security
Next by Author: Re: [tor-talk] FBI cracked Tor security
Previous by thread: Re: [tor-talk] FBI cracked Tor security
Next by thread: Re: [tor-talk] FBI cracked Tor security
Index(es):
- Author
- Thread