Less than a month ago, tech news headlines heralded a Tor Project breach. Now, some are saying that government spies are sharing information with Tor to help it prevent future breaches.
Here’s the backstory: In July Tor’s developers warned users they might be victims of an attack launched against the project in early 2014. Tor is a browser that lets users access the entire Internet -- anonymously. Using Tor, a user can decide if he wants to make himself anonymous to log into sites like Google and Facebook.
In a blog post, developers of the anonymous browsing service said it found a group of relays it assumed were trying to deanonymize users.
Specifically, those relays appear to have been targeting people who operate or access the browsing service’s features. The attack essentially modified Tor protocol headers to do traffic confirmation attacks. Tor suspects the attackers could not actually see any application-level traffic, such as what pages were loaded or whether users visited the hidden services they looked up. But no one is completely sure.
Spies Leaking Data?
The BBC is reporting that American and British intelligence agents -- from the U.S. National Security Agency (NSA) and the U.K. Government Communications Headquarters (GCHQ) -- have been allegedly working to find Tor flaws. The Tor team says other spies are tipping them off, so they can fix those flaws quickly, according to the BBC.
Andrew Lewman, head of the Tor Project's operations, made the allegations in a BBC interview. Neither the NSA nor GCHQ were immediately available for comment on the claims that they are leaking bug info to help keep Tor traffic safe from peering eyes.
"There are plenty of people in both organizations who can anonymously leak data to us to say -- maybe you should look here, maybe you should look at this to fix this," he said. "And they have."
Watching the Watchers
We caught up with Tyler Reguly, director of security research for Tripwire, to discuss the issue. He told us this isn't the first time that this topic has been discussed and no one should be naive enough to think that it will be the last.
“Just a few weeks ago questions were raised about the safety of Tor. Stating that these organizations are assisting in increasing Tor's safety is the perfect marketing ploy,” Reguly said. “The statements can't be verified and they help reduce concerns regarding privacy breaches while using Tor.” (continued...)