
Re: [tor-talk] BBC: NSA and GCHQ agents 'leak Tor bugs', alleges developer

Cypher:
> On 08/24/2014 09:43 PM, Michael Wolf wrote:
> > I haven't seen this mentioned here, but thought it would be of interest
> > to the list.  Perhaps something for TWN?
> > 
> > "NSA and GCHQ agents 'leak Tor bugs', alleges developer"
> > http://www.bbc.com/news/technology-28886462
> > 
> >> Spies from both countries have been working on finding flaws in Tor, a popular way of anonymously accessing "hidden" sites.
> >>
> >> But the team behind Tor says other spies are tipping them off, allowing them to quickly fix any vulnerabilities.
> >>
> >> The agencies declined to comment.
> >>
> >> The allegations were made in an interview given to the BBC by Andrew Lewman, who is responsible for all the Tor Project's operations.
> >>
> >> He said leaks had come from both the UK Government Communications Headquarters (GCHQ) and the US National Security Agency (NSA).
> 
> Interesting. We should remember that the spies are really living in a
> two-sided world. On one side, they need a reliable, hardened Tor that
> doesn't stand out from anyone else using Tor so that they can
> communicate amongst themselves. On the other hand, they need to be able
> to break Tor so they can do their jobs. It has to be a tough place for
> them to be.
> 
> The article was very interesting - except the part about 'here's how you
> might want to fix this'. I certainly hope that the Tor project /is not/
> accepting patches submitted by NSA or GCHQ! Sure, I realize those
> agencies could very easily embed someone within the project (in fact,
> don't a few of the Tor project folks work in intel?) but developing a
> trusting relationship by accepting patches just seems like a bad idea to me.
> 
> /me puts on tinfoil hat

For the record, in the original interview transcript[1] Andrew states
that "it's a hunch" that these orgs are leaking us bugs, not known fact.

I kind of wish Andrew didn't fan the flames of conspiracy on this point,
though it probably is causing some intelligence bureaucrats to be
scratching their heads in confusion right now, which I guess is a good
thing? On the other hand, if this was happening, making a press release
about it probably is one of the best ways to get it to stop. Which I
also find to be a confusing move by Andrew, if this is what he really
believes.

Regardless, in my opinion, while it's fun to speculate that our
favorite bug reporter (bobnomnom/skruffy) is actually an intelligence
service, and that the other "cypherpunk" bug reports we get are also
leaks from this service, I think what is more likely is that we're just
witnessing the "With enough eyes, all bugs are shallow"[2] phenomenon of
Open Source development, coupled with a userbase that is probably at
least a couple sigmas above the norm in terms of technical proficiency.

This is naturally leading to all sorts of interesting bugs being found
by the wider community at a regular frequency.

I also suspect that once bobnomnom/skruffy's bug reporting and
linguistic signature (broken English with a Slavic accent so thick you
can hear it over ASCII) became legendary, many other random people began
to mimic it to report their own bugs, if nothing else to avoid
stylometry attacks.

I've repeatedly seen multiple cypherpunks users with very similar broken
English writing styles argue with each other on the bugtracker. Very
strange, but more supportive of the "random mimicker" scenario than of
multiple NSA/GCHQ agents arguing openly on our bugtracker.

We have gotten some patches from anonymous contributors, but we review
them very closely, and they usually end up going through a few revisions
before we merge them. We obviously subject all contributed patches to
careful review like this, regardless of whether they are named, pseudonymous,
anonymous, or "bobnomnymous".


1. http://www.bbc.co.uk/news/technology-28886465
2. https://en.wikipedia.org/wiki/Linus%27s_Law

-- 
Mike Perry


-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk