No, this is not the latest installment in the Lord of the Rings saga. It’s about the fight between the US government and the developers of the Tor browser – the browser that keeps users anonymous while browsing online. You see, the government looks at Tor as an evil that must be controlled to maintain national security. In contrast, those in the deep web community are fighting to keep control of one of the last bastions of privacy. Recently, this battle between the forces of privacy and national security has intensified. It’s a theme that is likely to dominate the cyber security landscape in the coming year as the government presses companies that manufacture smart devices to produce these devices with a backdoor – a hidden way to access the information on any device without going through the normally required authentication; in other words, the government wants the right to seize control of any smart device they may deem suspicious.
The Tor browser subverts the government’s attempt to keep track of users’ communications and browsing habits by using a network of computers to bounce a message from the initiating user to the final destination user. These randomly chosen nodes only know information about the last node the message came from. They don’t know the original source or the final destination of the message. At each node, encryption and an addition to the header are added. The more nodes the message passes through, the greater the degree of privacy. The pictures below, from the Tor website, may make this a bit more understandable.
From this you can see that if someone gained control of these nodes, or at least enough of these nodes, it might be possible to determine who the sender and receiver of the message were. However, with currently over 7,000 nodes, this mode of attack would not be easy. Thus, other modes of attack on Tor should prove more effective.
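The layering idea can be shown in a few lines. This is an added sketch, not code from the Tor Project or from the original article: the cipher is a toy built from SHA-256 and is not Tor's real cryptography, and the relay names, keys and destination are constructed for illustration. In this sketch the sender applies all layers up front and each relay strips one, so the output lists what each relay is able to see.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(path, destination: str, payload: bytes) -> bytes:
    """Sender: build the onion from the innermost layer outward.
    path is a list of (relay_name, key) pairs in travel order."""
    next_hop, cell = destination, payload
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
        cell = keystream_xor(key, layer)
        next_hop = name
    return cell

def peel(key: bytes, cell: bytes):
    """Relay: remove one layer and learn only where to forward the rest."""
    layer = json.loads(keystream_xor(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, cell: bytes):
    """Walk the circuit, recording what each relay can observe."""
    seen, prev = [], "client"
    for name, key in path:
        next_hop, cell = peel(key, cell)
        seen.append({"relay": name, "from": prev, "to": next_hop})
        prev = name
    return seen, cell

# Constructed sample circuit and keys (assumptions, not real Tor values).
PATH = [("guard", b"k1-constructed"),
        ("middle", b"k2-constructed"),
        ("exit", b"k3-constructed")]

def demo():
    onion = wrap(PATH, "example.org", b"GET / HTTP/1.1")
    return route(PATH, onion)

if __name__ == "__main__":
    views, delivered = demo()
    for view in views:
        print(view)
    print(delivered)
```

Only the first relay sees the client and only the last sees the destination, which is why an observer needs to control both ends of a circuit to link sender and receiver.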
It is necessary to make one thing clear. Many people use Tor, and not because they want to buy illicit goods or do other questionable things. It is used by people who simply want to remain anonymous, such as dissidents, journalists, police, parents concerned about their children’s safety, and regular internet users who may not want marketers to get their IP address. I use it whenever I have doubts about a site I’m visiting, which happens a lot when I do research on cyber security. I feel better knowing that those who run the site don’t know my IP address. And it’s not only personal users who employ it. Governments around the world use Tor when they infiltrate pedophile rings. No one can complain about that.
It’s not just the US government that wants to compromise the anonymity Tor offers. Russia has tried, unsuccessfully, to hack Tor and is now considering banning it outright. Using Tor is illegal in China and Belarus, for obvious reasons. However, surprisingly, both Britain and France have considered a ban on it as well. Like any technology, there is the potential of Tor being used for good or evil purposes.
Tor has a long and complex history of involvement with the US government. In fact, Tor was originally developed by the US Navy in 1995 to cloak its communications. However, now, some sectors of the government see Tor as a national security threat for its ability to hide potential criminal communications and transactions. Oddly, at the same time, other government agencies support its use by dissidents, journalists, and human rights activists. In fact, the State Department gives Tor the majority of its funding. Tor is also financially supported by the National Science Foundation and the German government. Tor’s own financial report for the years 2012 and 2013 (the last report made available) states that, “Tor received approximately 90% and 73% of its grants and contribution revenues from three federal grants during the years ended December 31, 2013 and 2012, respectively.” The total amount of these grants was not overwhelming by grant standards, amounting to around $1,820,000 in 2013. Nonetheless, it made up a considerable amount of Tor’s income, 93% to be exact. Some think this is suspicious. Why would the government be funding something it is trying to gain control of? Could it be that the government has become so big that agencies are working at cross-purposes without them realizing it? That’s one possibility. However, others claim that Tor may have been working with the government all along. That would be unsettling, to say the least.
Key Tor Battles
According to secret NSA documents, the US government began trying to compromise Tor in 2006. They would put trackers on messages and follow them through the network or divert the message from a node into its own network. Since Tor is built on Firefox code, the NSA found a way to tell which Firefox users were using Firefox and which were using the Tor variant. They could also inject code into the Tor browsers of individuals visiting certain websites which would make the browser give up identifying information.
In 2007, the first criminal activity using the Tor network was discovered by a Swedish programmer who found that someone was trying to gain access to government and corporate information. It now appears that this ‘someone’ was a group of Chinese hackers. Coincidentally (?), Wikileaks was formed around the same time with its founder, Julian Assange, stating that he had already received millions of documents to begin his organization. It now appears, according to sources, that these were not true leaks freely given to him. It now seems they were intercepted/stolen from Chinese hackers using Tor to transfer documents that they, themselves, had previously stolen.
In 2012, Tor was again compromised by the US government when they brought down the deep web’s Farmer’s Market, a market dedicated to selling illegal drugs. In 2013, the same was done to the infamous Silk Road. At the same time, however, a leaked document shows that the NSA was unable to take complete control of Tor. This is what probably led the government to look elsewhere for help. That ‘elsewhere’ now appears to have been Carnegie Mellon University (CMU).
In July of 2014, Tor Project Director, Roger Dingledine, reported that someone had been gathering Tor user information for 5 months before Tor discovered the breach. Who this was became clear when, at the August, 2014 Black Hat USA conference, a presentation entitled, “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget” was cancelled. This presentation was sponsored by both CMU and the government’s Software Engineering Institute (SEI). “Unfortunately, Mr. Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet approved by CMU/SEI for public release.” It was not clear whether the CMU researchers were working with the university’s knowledge or not. In any event, Dingledine claimed the group received $1 million for their exploit. He condemned the government action saying, “Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities.”
The methodology for compromising Tor that was developed because of this breach was, according to Wired, connected to a later FBI-Europol takedown of Tor-supported websites. This takedown, known as Operation Onymous, affected 414 .onion (hidden deep web) sites. Why some sites survived the takedown remains a mystery. However, there was no lack of confidence in the agencies’ ability to take down future sites. As Troels Oerting, one of those involved in the operation, boasted, “This is just the beginning of our work. We will hunt these sites down all the time now. We’ve proven we can work together now, and we’re a well-oiled machine. It won’t be risk-free to run services like this anymore.” They must have known something that made them feel so confident. Yes, they had the exploit designed by CMU and they also had something more.
When Hacking Team was hacked last July, Tor found that there were others trying to compromise its browser. Hacking Team sells cyber surveillance tools to governments and law enforcement agencies. Unfortunately for Hacking Team, they also sold such software to oppressive governments that wanted to learn the identity of dissidents. This made the firm a target for ideological hackers who brought it down and released 400 GB of data. Among that data was evidence that the FBI had paid Hacking Team around $775,000 to find a way to break the anonymity of the Tor Browser. According to an unnamed FBI agent, 60% of their targets were using Tor.
Shortly after learning about the FBI-Hacking Team connection, Tor got more bad news. A firm with a similar business model to Hacking Team, Zerodium, announced that they were paying up to $30,000 for zero-day exploits on Tor. Here is the chart they published showing what they paid for various exploits (I enhanced some numbers on the left to improve their visibility).
I’ve previously reported on Zerodium (Somebody Just Paid Millions to Take Total Control of Your iPhone: Jailbreaking iOS 9.2b) and their possible connection with the FBI in their offering of a $1 million payout for an iOS 9 exploit. It would not surprise me (or probably anyone) if the FBI was not underwriting their Tor payout. In any event, by the end of 2015, it was clear that Tor was on the ropes. They had to do something fast or simply admit that Tor was no longer in their control.
This brings us to the present and Tor’s Last Stand. This year, Tor is going to offer a bug bounty to select participants. The process will be overseen by HackerOne, a firm that helps manage bug bounty programs. This, it is hoped, will keep Tor at least on a level playing field with those trying to take control of it, but it also creates an interesting scenario.
In order to stop bug bounty hunters going to Zerodium, the Tor project would have to pay more than the $30,000 to whoever can find weak points in their browser. Tor had a $2.5 million profit in 2014, so they may need to pay around 20% or more of their income on bounties. Since most of their operating money comes from the US government, they will, in fact, be using government money to protect themselves against hacks by the government. In other words, one branch of the US government will be spending millions of dollars to undermine the million-dollar efforts of another branch of the government.
Your tax dollars at work.