Comments on: TOR is hiring

By: Ant

Ant — Sun, 22 Apr 2012 18:50:00 +0000

I thought this was about SW:TOR!

By: oasisob1

oasisob1 — Sun, 22 Apr 2012 02:59:00 +0000

Wasn’t a paper already published proving that a sufficient number of TOR nodes owned by any one entity was enough to identify all the end users, or at the very least, end users of interest?

By: MarcVader

MarcVader — Sun, 22 Apr 2012 01:17:00 +0000

Instead of going to bed I read your comments twice and all I can say right now is: Your dystopia beats my dystopia. You make a frighteningly good point about pre-existing backdoors, peppered with evidence of non-average understanding of implementation details. Thank you. And now I really need to sleep.

By: bardfinn

bardfinn — Sat, 21 Apr 2012 23:17:00 +0000

Apologies for the grammar deficiencies — My son just discovered that bouncing off Daddy is hi-larious.

By: bardfinn

bardfinn — Sat, 21 Apr 2012 22:34:00 +0000

That creates a serious hurdle to creating a secure implementation of TOR that widespread users, technically inclined or not, will feel comfortable in using. The Windows OS will complain that the software being installed isn’t signed (as far as it cares). It’ll do that twice, spooking casual users — that is, if it even allows the installation of unsigned code that runs in “kernel mode/ring 0″, and/or the user knows how to shut that off. For technically inclined users, they’ll have to download the binaries on a secure platform, fingerprint and verify signatures there, copy the binaries to the Windows machine, occasionally audit the image in memory by inducing a core dump and verifying it isn’t compromised, and praying that Windows doesn’t come packaged with a bit of code that specially recognises TOR and inserts a trampoline into the memory image to tamper with it on the fly.
The problems with using an untrusted and untrustable computing platform.

By: bardfinn

bardfinn — Sat, 21 Apr 2012 22:27:00 +0000

In tl;dr:

The US government doesn’t want to install any software backdoors. They gave up trying that in Clinton’s administration. They just want to know whether any backdoors they might already be using are discovered, or are compromised.
If they wanted to find weaknesses in a released implementation, they can do that while circumventing any need for direct access to TOR’s team.

Any useful implementation of TOR on the Windows platform would need to bypass the Windows encryption API altogether, because of _NSAKEY — there’s zero cryptographic trust in Windows’ architecture. It would need to be signed independently of Windows’ architecture. That will require any Windows implementation to have a low-level cryptography interface that differs in structure and method from, say, a *NIX implementation, where the trustedness of the OS’ APIs can be verified, independently, and don’t contain a known backdoor for which no one is practically or legally accountable.

By: bardfinn

bardfinn — Sat, 21 Apr 2012 22:11:00 +0000

Presumably, as their core demographic is tech-savvy privacy-conscious open-source aficionadoes, there would (will be) a large contingency of people who would be (will be) compiling the source code with all types of compiler directives on all platforms and then further fuzzing the results.
So, if there’s an inside position here for the us government, it would likely be in discovering whether anyone on this team discovers any existing backdoor systems.

Given that the us government has an electrical engineering group dedicated to manufacturing and certifying backdoor-free hardware for us government use, then it’s also quite likely that they’re not hoping the TOR team is going to stumble across a backdoor system the USG doesn’t already know is in existence.
If the US govt has a hand in the TOR team, it would be to find out whether someone on the TOR team, while developing a software-based surveillance-avoidance system, finds evidence of an existing hardware-based surveillance system.
The USG wouldn’t be looking to find anyone’s surveillance system or place one, through TOR. They’d be looking to find out if one that is already in place had been discovered, and what intel they could use to prevent that information from being spread.

By: MarcVader

MarcVader — Sat, 21 Apr 2012 09:40:00 +0000

If I were in the intelligence business I would make it a very high priority to get one of my guys hired for this position!
First objective: infiltration and information gathering over a long time period. Second objective: I can haz backdoor, yes?

By: SedanChair

SedanChair — Sat, 21 Apr 2012 04:53:00 +0000

Just so

By: Antinous / Moderator

Antinous / Moderator — Sat, 21 Apr 2012 04:18:00 +0000

Oxymoronically?

By: SedanChair

SedanChair — Sat, 21 Apr 2012 04:07:00 +0000

Probably not, but I know how intelligence agencies work in 2012…

By: jacklaughing

jacklaughing — Sat, 21 Apr 2012 04:01:00 +0000

You *really* don’t know how the technology world works in 2012, do ya?

By: SedanChair

SedanChair — Sat, 21 Apr 2012 03:36:00 +0000

White person hired=”technology job”
Brown person with funny name hired=”aiding and abetting terrorism”

By: oasisob1

oasisob1 — Sat, 21 Apr 2012 01:13:00 +0000

Oh, man! I thought you meant TOR Books. Dang.