Nettime mailing list archives

<nettime> Hacking Team, Breaking Tor, Universities, Spooks, and all that
patrice on Fri, 13 Nov 2015 23:35:22 +0100 (CET)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> Hacking Team, Breaking Tor, Universities, Spooks, and all that (aka

Original to: 
bwo Access Express

$30,000 to $1 Million -- Breaking Tor Can Bring In The Big Bucks
By Thomas Fox-Brewster
Forbes Magazine/ Security
Nov 12, 2015

Earlier this year, before his company was torn apart by a security 
breach, I was having coffee with Eric Rabe, the mouthpiece for Hacking 
Team. The Italian organisation, which even its CEO called a ???notorious??? 
provider of government spyware, was looking to expand its line of 
products, Rabe said. That included targeting the anonymizing Tor 
network, where civil rights activists, researchers, paedophiles and drug 
dealers alike try to hide from the global surveillance complex.

Rabe wouldn???t say much more on how it might do that, but just a matter 
of weeks later, the leaks from the attack revealed their Tor exploits ??? 
a service that would see Hacking Team hardware placed on a target???s ISP 
to intercept their previously-hidden traffic. Given it was selling its 
malware for millions of dollars, one would expect its anti-Tor tools to 
be worth a fair sum too, such is the obsession amongst mandarins and 
snoops with the so-called ???dark web???.

If it hasn???t already been made apparent, cops, spies and their 
contractors will pay anyone big money to break Tor. Unsubstantiated 
claims from the Tor Project that a pair of Carnegie Mellon (CMU) 
researchers were paid $1 million by the FBI to de-anonymize users are 
shocking not so much because of the figure, but because university 
researchers, not private dealers, were allegedly selling (keep in mind 
no one has admitted to any such deal and for now, the claims are based 
on hearsay and educated assumptions). There???s also been much anxiety 
around the techniques used ??? essentially catch-all exploits that could 
well have ensnared a vast number of innocent users, according to Tor 
Project leader Roger Dingledine. Was it justifiable to do that for the 
sake of catching a Silk Road 2 user and possibly some paedophiles?
Carnegie Mellon Software Engineering Institute

[Carnegie Mellon has found itself at the center of an ethical debate 
about sales of Tor exploits to government. But it hasn???t confirmed or 
denied claims two of its researchers were paid $1 million to unmask Tor 

There are, though, a vast number of those private exploit salesmen and 
women now focusing on Tor. A few times a year they share their exploits 
in private forums and exhibitions. Their hacks might place most Tor 
users in danger, but there???s currently not so much of a furore 
surrounding their business practices, even if concerns have been raised 
in the past.

Chaouki Bekrar, the founder of exploit sales firms VUPEN and Zerodium, 
says attacks targeting Tor nodes and de-anonymizing dark web users ???are 
the holy grail of exploits for government agencies in charge of criminal 
investigations???. Zerodium, he says, is currently offering researchers up 
to $30,000 per zero-day exploit ??? an attack on an otherwise-unknown, 
unpatched vulnerability ??? targeting the Tor Browser Bundle. That???s the 
same Zerodium that offered a $1 million bounty for an untethered iPhone 
6 jailbreak via browser exploits. As Zerodium will then sell zero-days 
on to interested parties, there???s likely a significant mark-up on that 
$30,000 by the time it is passed on to government agencies.

Bekrar believes a more targeted approach to identifying Tor denizens is 
better for law enforcement, however, rather than ensnaring large 
tranches of users to catch a few. ???Targeting the Tor network itself by 
attacking or manipulating nodes to trace a few criminals is a dangerous 
practice as it may leak and threaten the identity of legitimate users, 
hence we always recommended to government investigators to use Tor 
Browser exploits instead as they can target a group of criminals without 
destabilizing the whole Tor network, and it???s more reliable and much 
cheaper,??? he added.

Hacking Team???s Rabe, though coy about his company???s interest in Tor over 
email, expressed little surprise that a university may have been paid $1 
million for such a service. ???If the work led to shutting down a major 
drug bazaar on the Internet, law enforcement might well feel that $1 
million was cheap compared to the lives potentially destroyed by the 
criminal activity. ???Clearly, any effort such as the one Tor alleged 
happened here would have significant value based on the time and 
expertise required as well.???

The company was due to talk at ISS World Training in Prague this summer 
about breaking Tor, in a presentation entitled ???Demystifying SSL/TOR 
Interception: Attack case history and state-of-art countermeasures???. SSL 
is a web encryption protocol, shown in the address bar with the HTTPS 
prefix. The company???s CEO David Vincenzetti, operations manager Daniele 
Milan, and QA manager Fabrizio Cornelli were due to give the talk.

A brief look at the line-up for recent ISS conferences, which press and 
non-industry folk are not permitted to attend, also provides ample 
evidence that the dark web is a big seller. In October, the events 
organizer, TeleStrategies, provided a training seminar in Washington 
D.C. with the title ???Understanding and Defeating Tor???.

The techniques described in the presentation???s blurb cover similar 
ground to the promises of the cancelled Black Hat talk from CMU. 
TeleStrategies??? Dr. Matthew Lucas, who told me his alma mater happens to 
be CMU, was focused on ???identifying Tor traffic via IP lookups and 
protocol signatures???. He was also to guide law enforcement attendees 
through malware infection and uncovering ???identity-related traffic 
outside the Tor stack???.

Dr. Lucas was due to give a talk about how Bitcoin and dark markets, 
such as the now-defunct drug bazaar Silk Road, worked together too. That 
was part of an entire track dedicated to the ???Dark Web, Tor and Bitcoin 
Investigation???. There will be many, many more seminars on exposing those 
on Tor across a wide range of ISS events over the next year.

[OK to break Tor??? most of the time]

Why are Tor exploit sales deemed a depressing fait accompli but similar 
deals between academia and government are perceived as more ethically 
abhorrent? Universities across the world work closely with intelligence 
agencies and law enforcement, receiving significant funding in return.

CMU, for instance, hosts a major Computer Emergency Response Team (CERT) 
that regularly partners with government and law enforcement as they try 
to cope with manifold online threats. It is primarily funded by the U.S. 
Department of Defense and the Department of Homeland Security, and is 
widely seen as a boon to keep everyone abreast of the latest digital 

Born in the embryonic phase of the Cold War, the MIT Lincoln Laboratory, 
a federally-funded entity, continues to research ways to benefit 
national security. It has dedicated surveillance and cybersecurity arms.

In the UK, GCHQ is increasingly active in its sponsorship of 
universities. The Heilbronn Institute, for instance, comprises of 
distinguished research fellows at various UK universities. Half their 
time is spent pursuing research directed by the spy agency. Their 
research output is esoteric and little is known about how GCHQ uses the 
fellows??? findings.

Just this week, GCHQ announced a ??6.5 million scheme ???to support cutting 
edge cyber security research and protect the UK in cyber space???. Again, 
who knows how GCHQ might use what it learns from the so-called 
CyberInvest project? It has certainly been interested in hacking Tor in 
the recent past.

Academics need that kind of sponsorship to get on with their work, to 
the extent that a $1 million payday from the FBI shouldn???t be much of a 
surprise if true. ???Note that a ??100,000 personal grant is barely 
sufficient to obtain a PhD in UK for an EU citizen,??? said Dr. 
Markku-Juhani O. Saarinen, a research fellow with the Centre for Secure 
Information Technologies at Queen???s University Belfast. ???In CMU a small 
multiple of that would be required due to significantly larger tuition 
fees. Factor in administration, laboratories and other facilities, 
travel to conferences, etc., and a research project employing a couple 
of persons for few years may easily cost $1 million.???

It???s also worth noting that the Tor Project has received significant 
grants from various parts of the US government ??? grants that help it 
stay up.

???I think Tor are being a little disingenuous,??? said Professor Alan 
Woodward, a security expert from the University of Surrey, one of a 
handful of UK universities to have been named an Academic Centre of 
Excellence in Cyber Security Research, receiving a grant in the process. 
???CMU is a research-only university and relies external funding from a 
variety of sources. Not a great surprise then that the US government 
would pay them for their expertise in this area.???

But, for many, if CMU really did give away a set of Tor exploits for $1 
million, there are ethical difficulties. Saarinen said that if he had 
the chance to earn that much to crack Tor, he would take it, but he 
would ask for assurances he could report any findings back to the Tor 

Keith Martin, from London???s Royal Holloway, said GCHQ provides both 
sponsorship of PhD projects and small grants for certain projects, 
though it is never requested by the intel agency. But, he said, if the 
stories were true about CMU, he???d see ???an ethical clash between CMU???s 
apparent undermining of Tor and its technical support for Tor???. CMU not 
only helps run some of the nodes that make up the Tor network, but is 
believed to have set up malicious ones to carry out its attacks.

Matthew Green, cryptographer and professor at Johns Hopkins University, 
perhaps put it most eloquently in a blog post today: ???Active attacks 
that affect vulnerable users can be dangerous, and should never be 
conducted without rigorous oversight ??? if they must be conducted at all. 
It begins with the idea that universities should have uniform procedures 
for both faculty researchers and quasi-government organizations like 
CERT, if they live under the same roof. It begins with CERT and CMU 
explaining what went on with their research, rather than treating it 
like an embarrassment to be swept under the rug.???

Whether true or not, Dingledine???s claims have brought up some big 
ethical questions that, by their very nature, polarizing and possibly 
intractable. One fact that everyone can agree on, however, is that Tor 
is frequently shown to be flawed. For those who perceive Tor to be the 
home of drug dealers and paedophiles, this can only be a good thing. For 
those who see it as a beneficial tool for those who want to preserve 
their privacy and speak their mind away from the gaze of government, 
it???s simply depressing.

{If you have any more information on this story, tips and comments are 
welcome at TFox-Brewster {AT} forbes.com or tbthomasbrewster {AT} gmail.com for 
PGP mail. Get me on Twitter  {AT} iblametom.}

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime {AT} kein.org