Less than a month ago, tech news headlines heralded a Tor Project breach. Now, some are saying that government spies are sharing information with Tor to help it prevent future breaches.
Here’s the backstory: In July Tor’s developers warned users they might be victims of an attack launched against the project in early 2014. Tor is a browser that lets users access the entire Internet -- anonymously. Using Tor, a user can decide if he wants to make himself anonymous to log into sites like Google and Facebook.
In a blog post, developers of the anonymous browsing service said it found a group of relays it assumed were trying to deanonymize users.
Specifically, those relays appear to have been targeting people who operate or access the browsing service’s features. The attack essentially modified Tor protocol headers to do traffic confirmation attacks. Tor suspects the attackers could not actually see any application -level traffic, such as what pages were loaded or whether users visited the hidden services they looked up. But no one is completely sure.
Spies Leaking Data?
The BBC is reporting that American and British intelligence agents -- from the U.S. National Security Agency (NSA) and the U.K. Government Communications Headquarters (GCHQ) -- have been allegedly working to find Tor flaws. The Tor team says other spies are tipping them off, so they can fix those flaws quickly, according to the BBC.
Andrew Lewman, head of the Tor Project's operations, made the allegations in a BBC interview. Neither the NSA nor GCHQ were immediately available for comment on the claims that they are leaking bug info to help keep Tor traffic safe from peering eyes.
"There are plenty of people in both organizations who can anonymously leak data to us to say -- maybe you should look here, maybe you should look at this to fix this," he said. "And they have."
Watching the Watchers
We caught up with Tyler Reguly, director of security research for Tripwire, to discuss the issue. He told us this isn't the first time that this topic has been discussed and no one should be naive enough to think that it will be the last.
“Just a few weeks ago questions were raised about the safety of Tor. Stating that these organizations are assisting in increasing Tor's safety is the perfect marketing ploy,” Reguly said. “The statements can't be verified and they help reduce concerns regarding privacy breaches while using Tor.”
The BBC headlines sound to Reguly like a dream marketing campaign for both sides. Who watches the watchers? In this tidy arrangement, he said, the watchers are watching themselves.
“While one group carries out the search for vulnerabilities in Tor, the other group leaks data about the vulnerabilities,” Reguly said. “Whenever the safety of Tor is questioned, suddenly vulnerabilities are being fixed based on intel from the very groups doing the discovery. Ultimately, this benefits the reputation of both groups.”
Then again, he said, it could be that the NSA and GCHQ use an exploit until they know a competing spy agency discovers it, at which point they move on to a new technique and leak the old technique to the Tor Project to ensure the competitions' access “disappears.” The bottom line, he concluded: We'll never know the truth.
Irritating to Catastrophic
We also asked TK Keanini, CTO at network security firm Lancope, for his thoughts on the Tor news. He told us bugs and exploits in any open source software can range from irritating to catastrophic.
“What you must recognize is that all of the code is in the clear for both the good guys and the bad guys to attack or defend. It is an equal playing field and the side with more time and talent will gain the upper hand,” Keanini said. “But even when the balance changes, it is quick to be corrected as it is this dance that drives the co-evolution of the open source project.”