How on Earth is $110,000 a reasonable value for this level of vulnerability? (And with a multi-thousand dollar up front cost to boot.) I'm not remotely an expert on security, much less nefarious black-market hacks, but I would think that a whole lot of nations around the world would be willing to pay millions (each!) for this capability. Heck, if not for this, I would have included Russia on that list.
The "hackathon" spirit has caught on at the state level. Get a bunch of college kids to slave away for free and give the best one a paltry sum for their efforts and retain all rights to the work.
I saw this headline and immediately thought, "that's much too low."
But I've got no idea how much that vulnerability would actually go for. Millions? Tens of millions? Anyone with a stronger understanding of the market have any rough estimate?
"The reward of $114,000 seems pretty cheap for this capability. And we now get to debate whether 1) Russia cannot currently deanonymize Tor users, or 2) Russia can, and this is a ruse to make us think they can't."
Assuming Russia can deanonymize Tor users, isn't this a way of finding out "who else out there can deanonymize Tor users", and later question these people very gently "what else can you do?"
I wouldn't disclose something like this to the big boys, as it would reveal far too much about my own capabilities and/or connections.
That's because they're asking if someone's done it and wants some cash. If you had, monetizing the knowledge isn't exactly easy. No intelligence agency will bother paying for it.
"or 2) Russia can, and this is a ruse to make us think they can't."
Even if they could ... why say anything at all? Perhaps - to encourage use of an exploitable method of communication, but even then why would somebody looking to hide use a form of communication they know is actively being targeted by the government they're looking to evade?
Heh. This is low-ball. I was once offered $150,000 in a discussion with a broker when I inquired about a hypothetical Tor 0day. After the broker's fees, I would have still walked away with $120,000 if I had one. (Then taxes, of course.)
If anyone wants to do this, I recommend shopping around first ;P
"In its 2013 financial statements, the Tor Project - a group of developers that maintain tools used to access Tor - confirmed that the US Department of Defense remained one of its biggest backers.
The DoD sent $830,000 (£489,000) to the group through SRI International, which describes itself as an independent non-profit research centre, last year.
Other parts of the US government contributed a further $1m.
Those amounts are roughly the same as in 2012."
I'm not familiar at all with how that funding works; could someone from the US explain how and why the US government is giving money to TOR?
I've seen two explanations for why the US government gives money to the Tor Project. One reason is to support dissidents in countries like China. Another is that US agents use Tor, but that the network requires a degree of popularity in order for agents to "hide" in it.
1. Help political dissent in countries that cannot crack tor.
2. There's a reasonable chance that they can crack tor, at least to some extent, especially with the help of the 5-eyes countries. Having that ability while "evildoers" think tor is safe is valuable.
The primary intended purpose of the tor network was to provide cover for US agents. Many of the core developers of TOR have at various times either directly worked for US intelligence or have been funded by them. It was opened to the public and popularized, because an anonymization network that is only used by spies is pointless. Most of the current exit nodes are currently located in the US, so there is no question that almost all TOR traffic is monitored by the NSA. The tradeoff is that while TOR makes it slightly harder to identify targets, the majority of them use TOR and there are still ways to identify them if they are not extremely careful (this has been revealed in some of Snowden's documents).
It isn't just FUD, there are some serious questions that have been raised which are ignored by the EFF crowd. At the bare minimum it has been used as an intelligence honeypot because most users have no idea what they are doing. Google, FB, and so on forcing SSL may have reduced this value a little bit.
Lesson one is that Tor guards against traffic analysis not traffic confirmation. If there is reason to suspect that a client is talking to a destination over Tor, it is trivial to confirm this by watching them both.
Bear in mind that in Russia, many "offers" like this are not meant to be real competitions for accomplishing something (to crack Tor, to build a bridge, etc), but simply a way to appropriate state's money.
Maybe that is their goal. Perhaps they want to (or already are) use(ing) tor to hide their own activities from the NSA. They want to make sure what they are doing is truly as secure as it claims to be and if not motivate devs to make it so. After all, it seems it would be cheaper to offer this small reward than to have to pay full time employees to help keep their activities secure from prying eyes.
It likely will, open source projects are nearly impossible to stop. The SSL/TLS standard and its associated standards and clients have shrugged off a number of attacks at surprising speeds. Patch cycles are measured in hours or days as opposed to weeks or months.
If the attack is particularly disastrous then there will likely be a large fork. But once a project is started and a community built, it's unlikely that force will be stopped.
I don't know why anyone would do this for $110,000. Especially after the entry fee, probably wouldn't make much money after the hardware costs, though if you're good enough to take on TOR, you probably also have a botnet. Also, why the hell would anyone give it to the Russians? Of all people, they're definitely who need exclusive access to a TOR hack. Especially if you consider that some of those people who are using it in Russia could be regular people who are trying to not be persecuted for their sexual orientation. Bad idea overall.
All the sources refer to the same government requisition for "performing the scientific research", code "TORUS/Fleet". The details should be available for people who chose to participate and foreign nationals are specifically banned from participation.
With the Russian word for torus being "тор" which could be transliterated as "tor" I see why people might get excited. But I'd like to see something more concrete than word play to support the news articles' theory.
I'd be really surprised if Russia were actually not able to do this already, they're known for having a very strong national community of security experts and overall excellent mathematicians.
What's to stop someone from selling one of these exploits to multiple nations and companies?
What is the normal process for selling these exploits? They'd want to see the exploit first, I'm guessing in person, then they transfer over the money, then you give the code and details?
What if someone wanted to remain anonymous during the transaction? What would be the best method of doing that? You couldn't really send a friend because it might be easy to trace back to you, and it would be hard to trust a stranger.
I already posted publicly online how to find the identity of a Tor user.
To reiterate:
1. Get the Tor user in question to visit a website controlled by you ( or at least a site where you can cause JS to run; such as an advertisement )
2. Know which ISP the user is on, and be allowed to install a high speed device watching all traffic for a sequence of specific sized packets.
3. Use the JS to send a specifically crafted sequence of sized packets with specific time periods in between them. After sending this preamble, send sized packets to send the 'pseudo identity' of the user ( whatever pseudonym you wish to attach back to their real IP )
4. Use your monitored ISP device to detect the preamble, then log IP and the data.
Note this method could be done en-masse and would only require high speed FPGA devices at each ISP "trunk". Inject JS code correlating users back for any system which you wish to identify the users.
Done. Whichever Russian demonstrates this and wins the $100k; throw me a bone please. :)
I don't know the exact parameters of the competition, but I doubt pretty strongly if the solution is allowed to manipulate the targeted user's behavior, and, oh, by the way, install a high speed listening device on the trunk of every ISP in the world.
If you have to know already which ISP the suspected user is using, you're not really finding the user, you're just confirming their identity.
And as others have pointed out, running with JS enabled is a vulnerability. If the user is that careless, it's probably easier to get them to load a particular file over plain HTTP and just listen to requests for that file.
Even simpler: create a website which responds in a recognizable way, serially rather than concurrently. If person A received recognizable packet P at time T, and the site was serially serving that connection at time T to recognizable-but-pseudonymous person X, then A==X.
They are also charging an entry fee for this "contest" in addition to the prize being ridiculously small. The good news is that it's quite unlikely this will be successful regardless of the prize.
I'd assume you wouldn't have to look too hard to find someone willing to pay $110k+ to identify specific individual Tor users, let alone find general exploits in Tor.
Freenet is a resource hog, and can be rather slow. It's also not particularly interesting for people who just want to browse and access the "normal" web anonymously. There are few services. There's little interesting content. Plus it's not clear Freenet can really provide that much as far as anonymity goes. The consensus recently has been that opennet is quite vulnerable, and the only way to be really safe out there is with a global darknet where everyone only connects to trusted peers. Achieving this is not so easy, and there are potential complications.
ugh, capitalism. someone somewhere will actually do work towards this goal with that much money in mind as a worthwhile payoff. ending tor anonymity should have at least 2 more 0s on the end of the figure.
Steuard | 11 years ago
jcromartie | 11 years ago
don_draper | 11 years ago
JulianMorrison | 11 years ago
scarmig | 11 years ago
But I've got no idea how much that vulnerability would actually go for. Millions? Tens of millions? Anyone with a stronger understanding of the market have any rough estimate?
scrollaway | 11 years ago
"The reward of $114,000 seems pretty cheap for this capability. And we now get to debate whether 1) Russia cannot currently deanonymize Tor users, or 2) Russia can, and this is a ruse to make us think they can't."
https://www.schneier.com/blog/archives/2014/07/russia_paying...
draugadrotten | 11 years ago
I wouldn't disclose something like this to the big boys, as it would reveal far too much about my own capabilities and/or connections.
XorNot | 11 years ago
uptown | 11 years ago
Even if they could ... why say anything at all? Perhaps - to encourage use of an exploitable method of communication, but even then why would somebody looking to hide use a form of communication they know is actively being targeted by the government they're looking to evade?
sarciszewski | 11 years ago
If anyone wants to do this, I recommend shopping around first ;P
kar-kub | 11 years ago
"In its 2013 financial statements, the Tor Project - a group of developers that maintain tools used to access Tor - confirmed that the US Department of Defense remained one of its biggest backers. The DoD sent $830,000 (£489,000) to the group through SRI International, which describes itself as an independent non-profit research centre, last year. Other parts of the US government contributed a further $1m. Those amounts are roughly the same as in 2012."
I'm not familiar at all with how that funding works; could someone from the US explain how and why the US government is giving money to TOR?
JasonIpswitch | 11 years ago
pinkyand | 11 years ago
1. Help political dissent in countries that cannot crack tor.
2. There's a reasonable chance that they can crack tor, at least to some extent, especially with the help of the 5-eyes countries. Having that ability while "evildoers" think tor is safe is valuable.
noblethrasher | 11 years ago
Source: https://www.torproject.org/about/overview
orbifold | 11 years ago
AJ007 | 11 years ago
moogoo | 11 years ago
[deleted]
d0mine | 11 years ago
$100,000 is for a research paper.
Translation of the auction lot title: "Research the possibility of getting technical information about Tor users (their hardware)".
Here's the talk that claims the possibility to deanonymize Tor users for less than $3,000 http://web.archive.org/web/20140705114447/http://blackhat.co...
There are published papers on the topic e.g., http://www.syverson.org/tor-vulnerabilities-iccs.pdf
Lesson one is that Tor guards against traffic analysis not traffic confirmation. If there is reason to suspect that a client is talking to a destination over Tor, it is trivial to confirm this by watching them both.
a-nikolaev | 11 years ago
drzaiusapelord | 11 years ago
chris_mahan | 11 years ago
Imagine if the CIA offered $1M to crack TOR. They would be the laughingstock of the intelligence community.
I think there is something else going on. I would not touch this. It looks like bait.
asdfologist | 11 years ago
xyclos | 11 years ago
valarauca1 | 11 years ago
If the attack is particularly disastrous then there will likely be a large fork. But once a project is started and a community built, it's unlikely that force will be stopped.
daj40 | 11 years ago
throwaway27237 | 11 years ago
[deleted]
pandaman | 11 years ago
With the Russian word for torus being "тор" which could be transliterated as "tor" I see why people might get excited. But I'd like to see something more concrete than word play to support the news articles' theory.
hucker | 11 years ago
This seems rather bizarre... ~$5500 cannot simply be a symbolic sum to deter idiots.
mkup | 11 years ago
VeejayRampay | 11 years ago
PerfectDlite | 11 years ago
Nowadays most of them emigrated and those who don't, they mostly will not work for KGB spooks.
dm2 | 11 years ago
What is the normal process for selling these exploits? They'd want to see the exploit first, I'm guessing in person, then they transfer over the money, then you give the code and details?
What if someone wanted to remain anonymous during the transaction? What would be the best method of doing that? You couldn't really send a friend because it might be easy to trace back to you, and it would be hard to trust a stranger.
homhomhom | 11 years ago
nanoscopic | 11 years ago
To reiterate:
1. Get the Tor user in question to visit a website controlled by you ( or at least a site where you can cause JS to run; such as an advertisement )
2. Know which ISP the user is on, and be allowed to install a high speed device watching all traffic for a sequence of specific sized packets.
3. Use the JS to send a specifically crafted sequence of sized packets with specific time periods in between them. After sending this preamble, send sized packets to send the 'pseudo identity' of the user ( whatever pseudonym you wish to attach back to their real IP )
4. Use your monitored ISP device to detect the preamble, then log IP and the data.
Note this method could be done en-masse and would only require high speed FPGA devices at each ISP "trunk". Inject JS code correlating users back for any system which you wish to identify the users.
Done. Whichever Russian demonstrates this and wins the $100k; throw me a bone please. :)
malka | 11 years ago
So you cannot find the identity of a tor user.
* Either the TOR user is a 'newbie' (no offense), and he will use the tor package which comes with a version of firefox where JS is disabled by default
* Either he is a seasoned user and knows that disabling JS while using TOR is mandatory.
mseebach | 11 years ago
If you have to know already which ISP the suspected user is using, you're not really finding the user, you're just confirming their identity.
And as others have pointed out, running with JS enabled is a vulnerability. If the user is that careless, it's probably easier to get them to load a particular file over plain HTTP and just listen to requests for that file.
jonahx | 11 years ago
JulianMorrison | 11 years ago
broolstoryco | 11 years ago
How easy would it be to do this (even with JS on)?
downandout | 11 years ago
goatforce5 | 11 years ago
golergka | 11 years ago
https://news.ycombinator.com/item?id=8079195
Ecio78 | 11 years ago
EGreg | 11 years ago
And anyway why can't people then just use Freenet or some such network?
clarry | 11 years ago
thothamon | 11 years ago
coledubz | 11 years ago