Renegade NSA, GCHQ spies help fix Tor vulns, claims project boss

GCHQ and NSA cyber-spooks secretly report vulnerabilities in Tor so they can be patched, a leading developer of the anonymity-preserving software has claimed. Andrew Lewman, the Tor Project's executive director, claimed that some spies place a higher priority on fixing flaws in the privacy-preserving technology than keeping …

  1. i like crisps
    Alien

    "BEWARE ROMULAN'S BEARING GIFTS"

    That's all I'm going to say...

    1. Irony Deficient Silver badge

      Re: "BEWARE ROMULAN'S BEARING GIFTS"

      What a delightful surprise! But you really shouldn’t have — I’ve already got more apostrophes than I know what to do with.

      1. BillG
        Mushroom

        Re: "BEWARE ROMULAN'S BEARING GIFTS"

        Both NSA and GCHQ declined to comment on Lewman's suspicions.

        ...as maybe they were too busy looking for employees to fire?

        I appreciate that there are ethical employees in these organizations, but by going public hasn't Tor just made it harder for these ethical employees to report bugs and keep their jobs?

  2. graeme leggett

    Cynical, moi?

    They leak the easy-to-find vulnerabilities, to make it harder for other nations' spying efforts....

    1. Primus Secundus Tertius

      Re: Cynical, moi aussi

      Just what I was thinking.

      Our side leak the ones they think the other side are using. But what do the other side get up to?

  3. Will Godfrey Silver badge
    Unhappy

    I see we're promoting the 'evil' bit

    No mention of the uses of Tor to protect those trying to get news out of various government atrocities then.

    1. Old Handle

      Re: I see we're promoting the 'evil' bit

      To be fair, it does mention use by human rights activists, which kind of says the same thing.

  4. Trollslayer

    Not so much NCIS

    as Abbott and Costello.

    These places are nothing like they are portrayed on TV.

  5. Anonymous Coward

    Doing the job we pay them to do

    The main job of these agencies is to defend us from attack. But for almost 3/4 of a century the public in the US and UK have also made it clear we want to see freedom promoted both at home and abroad. Tor was created and is maintained to serve both those ends. What has to happen is for the "destroy the village to save it" types to be given their pensions and escorted off the premises. We really can't afford any more of their misguided antics, not if the freedom we treasure is going to survive.

  6. Anonymous Coward

    Open Source

    So what they're saying is that Tor is one of the few open source projects where the idea that everyone is scrutinising the code so bugs are found and fixed is working very well?

    If only they did the same for OpenSSL...

  7. Wzrd1

    Well, here, in the real world

    The NSA *officially* supported the software. Officially.

    Then, unofficially.

    Then, considering the official mandate of supporting certain people, via TOR.

    Meanwhile, I consider the *mission* of the "puzzle palace" and their ongoing mission to meet new encryption and crush it or adopt it.

    *That* is the real world.

    Some parts are trying to catch up, some parts are forward of that curve, a few adjusting, the "senior management" still fights and is first echelon.

    We, in the real world are stuck with licensing of our software, guarding against many enemies, some being part of the US "bad list", some earning their keep onto a watchlist.

    For the El Reg correspondent, I'll suggest more research. You've screwed the pooch and missed a much more notable story, as I know from a firsthand basis, if the NSA doesn't want to be noticed, it shan't. That said, I know full well how said agency goes "loud".

    Now, if you'll excuse me, I have to phrase something, I *really* need to address a certain and current problem set.

  8. Matt Bryant Silver badge
    WTF?

    LOL!

    Really? He seriously thinks the GCHQ/NSA types are dropping anonymous tips into his in-box? He even admits he has no way of knowing. TBH, he sounds like a kid that wants to believe in Santa Claus. Did he stop for one moment to think that such teams at the TLAs are going to be monitored, and they're hardly stupid enough to want to risk their jobs for TOR. Then also consider that, when a hole is found, the list of people at either agency that would know about it would be very small - the minute a hole was plugged shortly after having been found by The Man then the people on that small list would be under a spotlight, which would leave very little wriggle room for a leaker to hide behind.

    There is one possibility that either the GCHQ or NSA would let the TOR project know of a hole, and that's if they already knew it was in use by an opposing group such as the Russians or Chinese. There is, unfortunately, the possibility the tips are coming either from the Russians or Chinese to block Western spying efforts, or (worse) they are coming from black hats working for nastier groups such as paedo rings and drug gangs.

    1. logistix

      Re: LOL!

      But what about when they get lie detector tested every 6 months or so and this is one of the questions?? Then they get demoted, maybe. And how do I know if anyone replies to this message or quotes me? It doesn't email me. I can't keep coming back to this page to check like some crazy mad man I got work to do....

    2. Vic Sub
      Boffin

      Re: LOL!

      "Did he stop for one moment to think that such teams at the TLAs are going to be monitored, and they're hardly stupid enough to want to risk their jobs for TOR. Then also consider that, when a hole is found, the list of people at either agency that would know about it would be very small - the minute a hole was plugged shortly after having been found by The Man then the people on that small list would be under a spotlight, which would leave very little wriggle room for a leaker to hide behind."

      You mean to say that people at the security guru level working at the NSA on TOR and anonymization services would not know to submit these security holes anonymously?

      For any other government employee with a security clearance even connecting to TOR is a huge red flag unless it's part of your official duties. These guys not only know what holes are currently exploitable and what capabilities the intelligence services have but have first hand experience working with them.

      Though the article repeats the TOR project developers' speculation that these might be NSA types submitting bugs, your argument does not, in my view, lessen the validity of their speculation.

  9. PyLETS

    Makes sense

    If parts of GCHQ and the NSA need to use Tor to carry out their own investigations, which seems likely, they have the same kind of motivation to fix it as the US Navy had to fund its development in the first place. Doesn't mean other parts of GCHQ or the NSA can't have operations compromised by this development, but who expects the left and right hands in any secretive organisation to know what each other are doing anyway? It's not as if everyone in GCHQ will know about any particular zero day vulnerabilities involved in any particular investigation, as knowledge will have to be restricted on a "need to know" basis in any such environment. Don't forget it was the NSA who developed SELinux - and open sourced their patch which provided this.
