Saturday, April 30, 2016 - 19:55

Former Tor project member developed Tor exploits for the FBI

The good news first. The developer in question never had a relevant role in the Tor project. So if you're worried that he might have placed malicious code into Tor it's quite safe to say that he hasn't. He was working on Vidalia, a GUI frontend.

The Tor involvement should be taken with the necessary grain of salt. It's more for the 'oh no he didn't!' show than for the relevant facts, and it distracts from the real jewel in this case. Edman is actually the far less interesting party in this scheme. The more interesting one is his former employer ... Mitre corporation.

Mitre corporation is a private not-for-profit organization with 1.5 billion dollars in annual revenue and over 7,500 employees. I would actually say it is sort of a defense contractor. Among other things, they develop exploits for the FBI. And that was Edman's job at the time.

Now if you think you have heard of Mitre before, you are probably correct. It is the very same not-for-profit organization that functions as the primary editor and CNA (CVE Numbering Authority) of the CVE database. Yes. I shit you not. The guys who develop exploits from vulnerabilities are sitting at the very core of publishing them.

Personally I find that a much more interesting detail, one that deserves light, than the fact that Edman is a former employee of Mitre where he developed a Tor exploit that isn't really a Tor exploit. I'm fairly certain his time developing a GUI with the project isn't of much relevance here either.

Tor exploits quite often are not vulnerabilities in Tor itself (or in anything else for that matter). They are systemic vulnerabilities created by the environment. From a user's perspective Tor works pretty much like a VPN, but it is generally not automated and secured in a way where the system blocks all other traffic and routes everything through the Tor network. This is a problem that has haunted Tor (and other services) for quite a while. Quite often you have to configure the software you're using to use a Tor proxy running on your computer. Everything going through that proxy is protected; everything else is not. While this is rather obvious, it becomes a whole lot less obvious when you correctly configure your browser to use that proxy but a plugin (e.g. Flash) doesn't care. In that case you connect to the server through Tor, and while that connection is secure and anonymous, your lovely Flash plugin might connect to the very same site over your normal internet connection. That of course voids every security or privacy protection Tor might otherwise provide.
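The failure mode described above is easy to spot on the host if you can see which process opened which outbound connection: on a machine that is meant to be fully torified, only the Tor daemon should ever reach the internet directly, and every other process should only ever talk to the local SOCKS port. The following is an added example (not code from the original post or from the Tor project) that runs that check over a small constructed connection log; the log format, process names, and addresses are assumptions made for illustration, and the SOCKS ports 9050 and 9150 are the defaults of the tor daemon and Tor Browser respectively.

```python
"""Flag connections that bypass a local Tor SOCKS proxy.

Added example, not code from the original post. It models the failure mode
described above: a browser correctly configured for the local Tor proxy
while another process in the same session (a plugin, an updater) opens
direct connections over the normal internet connection. The log format,
process names and addresses below are constructed for illustration.
"""
import re
from collections import Counter

# Local SOCKS listeners: the stock tor daemon (9050) and Tor Browser (9150).
TOR_SOCKS = {("127.0.0.1", 9050), ("127.0.0.1", 9150)}
# Processes that are allowed to talk to the internet directly: only the Tor
# daemon itself should ever do so on a host that is meant to be fully torified.
ALLOWED_DIRECT = {"tor"}

# Constructed sample log: one outbound TCP connection per line, in a
# simplified per-process format (assumption: the host records process names).
SAMPLE_LOG = """\
proc=firefox src=192.168.1.20:50001 dst=127.0.0.1:9050
proc=tor src=192.168.1.20:50002 dst=198.51.100.7:443
proc=flash-plugin src=192.168.1.20:50003 dst=203.0.113.10:443
proc=firefox src=192.168.1.20:50004 dst=127.0.0.1:9050
proc=updater src=192.168.1.20:50005 dst=203.0.113.55:80
proc=tor src=192.168.1.20:50006 dst=198.51.100.9:9001
"""

LINE_RE = re.compile(r"proc=(\S+) src=(\S+):(\d+) dst=(\S+):(\d+)")


def parse_log(text):
    """Yield (process, dst_host, dst_port) for every parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than failing the scan
        proc, _src, _sport, dst, dport = m.groups()
        yield proc, dst, int(dport)


def classify(proc, dst, dport):
    """Return 'proxied', 'local', 'tor-daemon' or 'leak' for one connection."""
    if (dst, dport) in TOR_SOCKS:
        return "proxied"      # traffic enters the Tor network via SOCKS
    if dst.startswith("127.") or dst == "::1":
        return "local"        # loopback traffic other than the SOCKS port
    if proc in ALLOWED_DIRECT:
        return "tor-daemon"   # tor itself reaching guards/relays
    return "leak"             # anything else went out in the clear


def find_leaks(text):
    """Return [(process, 'host:port'), ...] for connections that bypass Tor."""
    return [(p, f"{d}:{port}") for p, d, port in parse_log(text)
            if classify(p, d, port) == "leak"]


def summarize(text):
    """Count connections per (process, verdict); useful as a quick report."""
    return Counter((p, classify(p, d, port)) for p, d, port in parse_log(text))


if __name__ == "__main__":
    for proc, dst in find_leaks(SAMPLE_LOG):
        print(f"LEAK: {proc} connected directly to {dst}")
    for (proc, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{proc:14s} {verdict:10s} {n}")
```

On the sample log the Flash plugin and the updater are reported as leaks while the browser's own connections all land on the SOCKS port. Detection after the fact is the weaker half of the answer, though: the design the post hints at is fail-closed routing, where the host firewall only lets the Tor daemon's user open outbound connections, so a plugin that ignores the proxy setting gets a connection error instead of a direct path to the site.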

And this is pretty much what was done here. It was used, among other cases, in a case in Nebraska where a guy was distributing child pornography. I don't remember the case well enough to say whether they replaced already existing Flash elements on the site or just added one. It doesn't matter. Said Flash element obtained the users' real IP addresses and forwarded them to the FBI. From there on the process is pretty much straightforward.

Taking a more general look, it's the good old "security isn't as easy as it might look" problem, and it's not just Tor. It's pretty much a generic problem. Leaking data is a much higher risk than someone cracking the protection. It's also a much more accessible attack vector ... and not just for the FBI.