How on Earth is $110,000 a reasonable value for this level of vulnerability? (And with a multi-thousand dollar up front cost to boot.) I'm not remotely an expert on security, much less nefarious black-market hacks, but I would think that a whole lot of nations around the world would be willing to pay millions (each!) for this capability. Heck, if not for this, I would have included Russia on that list.
The "hackathon" spirit has caught on at the state level. Get a bunch of college kids to slave away for free and give the best one a paltry sum for their efforts and retain all rights to the work.
It's the spirit ever since the term "hackathon" caught the attention of the employers and the events are organized by companies for their profit instead of hobbyists/enthusiasts just for fun.
Isn't that the parent comment's point? That it's such a relatively small amount of money that the only people who are into hacking stuff anyway would attempt it.
There shouldn't be any money at all in hackathons, it should be voluntary and tinkering/hacking on technology for fun or societal benefit. This is for a project with a well-defined goal defined by a large government that may be used against dissidents by an authoritarian state.
That doesn't quite fit into hacker culture at all.
If they aren't going to hire well-paid hackers full-time like the NSA does to do the same thing, then at least make the prize significant, similar to X-prize.
I saw this headline and immediately thought, "that's much too low."
But I've got no idea how much that vulnerability would actually go for. Millions? Tens of millions? Anyone with a stronger understanding of the market have any rough estimate?
I'm like you, I'm not sure how to assign a dollar value to this vulnerability. The implications of a broken TOR are huge for all players, especially over time. Considering TOR protects the livelihood (and lives even) of so many people who employ it, it doesn't seem unreasonable to put the ticket price up in the tens of millions to me. TOR's mission-critical for the work of a lot of folks, shady-dealings or no.
"The reward of $114,000 seems pretty cheap for this capability. And we now get to debate whether 1) Russia cannot currently deanonymize Tor users, or 2) Russia can, and this is a ruse to make us think they can't."
Assuming Russia can deanonymize Tor users, isn't this a way of finding out "who else out there can deanonymize Tor users", and later question these people very gently "what else can you do?"
I wouldn't disclose something like this to the big boys, as it would reveal far too much about my own capabilities and/or connections.
That's because they're asking if someone's done it and wants some cash. If you had, monetizing the knowledge isn't exactly easy. No intelligence agency will bother paying for it.
Why wouldn't they? This is exactly the stuff I'd want to pay for if I was an intelligence agency; you want the hackers to come back with more exploits, after all.
No intelligence company would pay for it if it were publicized they had paid for it. It's more useful to keep quiet and let people think Tor is still anonymous.
"or 2) Russia can, and this is a ruse to make us think they can't."
Even if they could ... why say anything at all? Perhaps to encourage use of an exploitable method of communication, but even then why would somebody looking to hide use a form of communication they know is actively being targeted by the government they're looking to evade?
Heh. This is low-ball. I was once offered $150,000 in a discussion with a broker when I inquired about a hypothetical Tor 0day. After the broker's fees, I would have still walked away with $120,000 if I had one. (Then taxes, of course.)
If anyone wants to do this, I recommend shopping around first ;P
"In its 2013 financial statements, the Tor Project - a group of developers that maintain tools used to access Tor - confirmed that the US Department of Defense remained one of its biggest backers.
The DoD sent $830,000 (£489,000) to the group through SRI International, which describes itself as an independent non-profit research centre, last year.
Other parts of the US government contributed a further $1m.
Those amounts are roughly the same as in 2012."
I'm not familiar at all with how that funding works, could someone from the US explain how and why the US government is giving money to TOR?
I've seen two explanations for why the US government gives money to the Tor Project. One reason is to support dissidents in countries like China. Another is that US agents use Tor, but that the network requires a degree of popularity in order for agents to "hide" in it.
Another option is an effort to identify cryptographically-capable individuals around the world as targets for potential contact, work, on behalf of the U.S. and its allies.
Isn't there a third possibility that US security services are capable of breaking Tor, and want to popularize it in order to encourage Tor usage among potential targets?
1. Help political dissent in countries that cannot crack tor.
2. There's a reasonable chance that they can crack tor, at least to some extent, especially with the help of the 5-eyes countries. Having that ability while "evildoers" think tor is safe is valuable.
I was of a slightly different impression, but have no idea what is the "truth".
"Tor was not started by the US Navy. The US Naval Research Labs (NRL) started a project in the 1990s called onion routing. Tor uses the basic onion routing principles and applies them to the Internet. The volunteer Tor group started in 2001. The formal charity, The Tor Project, started in 2006. We continue to work with Dr. Paul Syverson from NRL on improving onion routing and therefore Tor."
Not started by the US Navy but started by US Naval Research Labs instead? Is there any practical difference except where it appears on a military budget sheet? :)
If you ignore some of the drama, Pando has a very long and fairly comprehensive look at its funding (at least, it seemed comprehensive to me, I am not a Tor expert) - http://pando.com/2014/07/16/tor-spooks/
Yes, the government funds Tor. Pando thinks that all of the US government is akin to the NSA and wants to spy on people. This is not how it works. The government is not just one body and there are many parts of it that probably don't agree with what the NSA is doing.
Yes Tor is funded by the US government. My question is, how does it matter? The protocol is open. The code is open. There are research groups at some major universities researching on Tor.
> This is not how it works. The government is not just one body and there are many parts of it that probably don't agree with what the NSA is doing.
This, I think, is a very important point. It is beyond naive to assume that a large body of structures that together are called "the US government" is a homogeneous entity that can be ascribed goals as if it were a single agent.
"Securing government comms" can be misleading. Tor is not by itself a secure channel, but may be part of a secure channel if you're concerned that a local or semi-local adversary may intercept your communications. My understanding is that Tor was developed primarily to facilitate informants and dissidents in countries with restrictive internet access policies, like China, who would not take kindly to seeing communications between Chinese IPs and U.S. military IPs.
There is a very widespread and dangerous misconception that Tor is a one-stop shop for secure or anonymous communication. This is not true. You need to encrypt your messages separately. When outside the onion network, Tor actually exposes all content sent through it to a third-party, the exit node. This means using Tor may be more dangerous than not using Tor if you don't know what you're doing.
Very good point. In fact, I had to counsel one of my colleagues on this issue as she prepares for an overseas trip. She was asking about Tor, but I advised that our organization's VPN is the correct solution... especially since she wanted confidentiality rather than anonymity.
The primary intended purpose of the tor network was to provide cover for US agents. Many of the core developers of TOR have at various times either directly worked for US intelligence or have been funded by them. It was opened to the public and popularized, because an anonymization network that is only used by spies is pointless. Most of the current exit nodes are currently located in the US, so there is no question that almost all TOR traffic is monitored by the NSA. The tradeoff is that while TOR makes it slightly harder to identify targets, the majority of them use TOR and there are still ways to identify them if they are not extremely careful (this has been revealed in some of Snowden's documents).
> The primary intended purpose of the tor network was to provide cover for US agents. Many of the core developers of TOR have at various times either directly worked for US intelligence or have been funded by them
That's very interesting. Could you provide sources that back this up, especially the employment history of TOR developers?
It isn't just FUD, there are some serious questions that have been raised which are ignored by the EFF crowd. At the bare minimum it has been used as an intelligence honeypot because most users have no idea what they are doing. Google, FB, and so on forcing SSL may have reduced this value a little bit.
Lesson one is that Tor guards against traffic analysis not traffic confirmation. If there is reason to suspect that a client is talking to a destination over Tor, it is trivial to confirm this by watching them both.
Bear in mind that in Russia, many "offers" like this are not meant to be real competitions for accomplishing something (to crack Tor, to build a bridge, etc), but simply a way to appropriate state's money.
Maybe that is their goal. Perhaps they want to (or already are) use(ing) tor to hide their own activities from the NSA. They want to make sure what they are doing is truly as secure as it claims to be and if not motivate devs to make it so. After all, it seems it would be cheaper to offer this small reward than to have to pay full time employees to help keep their activities secure from prying eyes.
It likely will, open source projects are nearly impossible to stop. The SSL/TLS standard and their associated standards and clients have shrugged off a number of attacks at surprising speeds. Patch cycles are measured in hours or days as opposed to weeks or months.
If the attack is particularly disastrous then there will likely be a large fork. But once a project is started and a community built it's unlikely that force will be stopped.
I don't know why anyone would do this for $110,000. Especially after the entry fee, probably wouldn't make much money after the hardware costs, though if you're good enough to take on TOR, you probably also have a botnet. Also, why the hell would anyone give it to the Russians? Of all people, they're definitely who need exclusive access to a TOR hack. Especially if you consider that some of those people who are using it in Russia could be regular people who are trying to not be persecuted for their sexual orientation. Bad idea overall.
All the sources refer to the same government requisition for "performing the scientific research", code "TORUS/Fleet". The details should be available for people who chose to participate and foreign nationals are specifically banned from participation.
With the Russian word for torus being "тор" which could be transliterated as "tor" I see why people might get excited. But I'd like to see something more concrete than word play to support the news articles' theory.
It wasn't clear to me from the article that there was any sort of time limit. Presumably a researcher could simply enter the contest once he was sure he had an exploit? The math doesn't really work out for profitability.
The deadline is August 13th, and the winner (if any) will be announced on the 20th. (According to a Helsinki Times article, but the English translation[1] doesn't have the dates.)
Then the point stands. If a Russian researcher has an exploit on the 13th and thinks the prize is worth it, she'll enter. Why would anyone else enter? With that in mind, the proposed profit model seems unlikely.
I'd be really surprised if Russia were actually not able to do this already, they're known for having a very strong national community of security experts and overall excellent mathematicians.
What's to stop someone from selling one of these exploits to multiple nations and companies?
What is the normal process for selling these exploits? They'd want to see the exploit first, I'm guessing in person, then they transfer over the money, then you give the code and details?
What if someone wanted to remain anonymous during the transaction? What would be the best method of doing that? You couldn't really send a friend because it might be easy to trace back to you, and it would be hard to trust a stranger.
I don't understand, it seems like researchers have to pay to enter and then are only given the funding if successful, that's not exactly funding R&D, more of a contest. It seems really strange that Russia would be offering this kind of bounty in an effort to improve the program's security, don't they know how many activists and dissidents use it? Is the sole reason to aid their own spies?
I really wish the US government would offer bounties for their sites and systems. Right now if people try to exploit a US government system, even if they have the intention to properly disclose the vulnerability they face prosecution.
It is definitely R&D to find a vulnerability in TOR or lack thereof, it's just that BBC as usual is arbitrarily choosing what to report and what to stay silent about.
Here they explicitly state that it's a tender for 'Выполнение научно-исследовательской работы, шифр «ТОР (Флот)»' (Research and Development works, code "TOR (Navy)")
Then it's a closed tender (stated in the same document), meaning that they come up with a list of organisations they invite to participate in this tender. No organization they did not invite can participate.
So you see this is nothing like a bounty.
> it seems like researchers have to pay to enter
I wager they are required by law to demand some sum of money, maybe this sum is determined as a function of a tender value; I don't believe there is some additional meaning to asking people to pay 5500 USD to participate in a closed tender.
I already posted publicly online how to find the identity of a Tor user.
To reiterate:
1. Get the Tor user in question to visit a website controlled by you (or at least a site where you can cause JS to run, such as an advertisement)
2. Know which ISP the user is on, and be allowed to install a high speed device watching all traffic for a sequence of specific sized packets.
3. Use the JS to send a specifically crafted sequence of sized packets with specific time periods in between them. After sending this preamble, send sized packets to send the 'pseudo identity' of the user (whatever pseudonym you wish to attach back to their real IP)
4. Use your monitored ISP device to detect the preamble, then log IP and the data.
Note this method could be done en masse and would only require high speed FPGA devices at each ISP "trunk". Inject JS code correlating users back for any system which you wish to identify the users.
Done. Whichever Russian demonstrates this and wins the $100k; throw me a bone please. :)
I don't know the exact parameters of the competition, but I doubt pretty strongly if the solution is allowed to manipulate the targeted user's behavior, and, oh, by the way, install a high speed listening device on the trunk of every ISP in the world.
If you have to know already which ISP the suspected user is using, you're not really finding the user, you're just confirming their identity.
And as others have pointed out, running with JS enabled is a vulnerability. If the user is that careless, it's probably easier to get them to load a particular file over plain HTTP and just listening to requests for that file.
I don't think so. What you could do is have the webserver set up chunked encoding on a resource (say an image) and vary the size of the chunks for each user.
You're all making this much too complicated. Who needs the client to make multiple requests when you control the server? Client does "GET /" and the server starts sending a large index.html using irregular sized packets at specific intervals.
But suppose we broke it, now we have to fix it, right? Start padding everything to power-of-two size boundaries with a minimum of 16. Or if that would make Tor traffic too identifiable, then instead add random()%packetsize padding to each packet. Either would reduce the number of detectable packet sizes below a 1500 byte MTU to 8 at the cost of less than doubling the bandwidth consumption.
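The power-of-two padding proposed in the comment above, worked through as an added example (not part of the thread and not Tor's own code). Capping the top bucket at the 1500-byte MTU is an assumption, and the sample trace is constructed.

```python
import math

MTU = 1500        # size ceiling named in the comment above
MIN_BUCKET = 16   # minimum padded size named in the comment above


def pad_pow2(size, minimum=MIN_BUCKET, mtu=MTU):
    """On-wire size after padding up to the next power of two.

    Assumption: sizes whose next power of two exceeds the MTU are padded
    to the MTU itself; the comment does not say how the top bucket works.
    """
    if not 1 <= size <= mtu:
        raise ValueError("size must be between 1 and the MTU")
    padded = max(minimum, 1 << (size - 1).bit_length())
    return min(padded, mtu)


def observable_sizes(mtu=MTU):
    """Distinct sizes an on-path observer can still see after padding."""
    return sorted({pad_pow2(n, mtu=mtu) for n in range(1, mtu + 1)})


def bits_per_packet(distinct_sizes):
    """Upper bound on what one packet's size alone can reveal, in bits."""
    return math.log2(distinct_sizes)


def worst_case_overhead(minimum=MIN_BUCKET, mtu=MTU):
    """Largest padded/original ratio for payloads of at least `minimum` bytes."""
    return max(pad_pow2(n, minimum, mtu) / n for n in range(minimum, mtu + 1))


def pad_trace(sizes):
    """Apply the padding to a whole sequence of packet sizes."""
    return [pad_pow2(s) for s in sizes]


if __name__ == "__main__":
    # Constructed sample: payload sizes that differ before padding.
    trace = [130, 177, 201, 255, 600, 1001]
    print("padded trace:    ", pad_trace(trace))
    print("size buckets:    ", observable_sizes())
    print("bits per packet: ", bits_per_packet(MTU), "->",
          bits_per_packet(len(observable_sizes())))
    print("worst overhead:  ", round(worst_case_overhead(), 3))
```

Payloads shorter than 16 bytes are inflated by more than 2x (a 1-byte payload becomes 16), so the under-doubling figure holds only from the minimum bucket upward. Size padding leaves inter-packet timing untouched.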
I think this will be a bit harder, as you don't really have control in what order the images are being loaded. They could be loaded in parallel for example. If you try to circumvent it by adding delays on the server side you quickly block the browser as you will reach the maximum amount of parallel connections.
Even simpler: create a website which responds in a recognizable way, serially rather than concurrently. If person A received recognizable packet P at time T, and the site was serially serving that connection at time T to recognizable-but-pseudonymous person X, then A==X.
They are also charging an entry fee for this "contest" in addition to the prize being ridiculously small. The good news is that it's quite unlikely this will be successful regardless of the prize.
I'd assume you wouldn't have to look too hard to find someone willing to pay $110k+ to identify specific individual Tor users, let alone find general exploits in Tor.
Freenet is a resource hog, and can be rather slow. It's also not particularly interesting for people who just want to browse and access the "normal" web anonymously. There are few services. There's little interesting content. Plus it's not clear Freenet can really provide that much as far as anonymity goes. The consensus recently has been that opennet is quite vulnerable, and the only way to be really safe out there is with a global darknet where everyone only connects to trusted peers. Achieving this is not so easy, and there are potential complications.
ugh, capitalism. someone somewhere will actually do work towards this goal with that much money in mind as a worthwhile payoff. ending tor anonymity should have at least 2 more 0s on the end of the figure.