"BEWARE ROMULANS BEARING GIFTS"
That's all I'm going to say...
GCHQ and NSA cyber-spooks secretly report vulnerabilities in Tor so they can be patched, a leading developer of the anonymity-preserving software has claimed. Andrew Lewman, the Tor Project's executive director, claimed that some spies place a higher priority on fixing flaws in the privacy-preserving technology than keeping …
Both NSA and GCHQ declined to comment on Lewman's suspicions.
...as maybe they were too busy looking for employees to fire?
I appreciate that there are ethical employees in these organizations, but by going public hasn't Tor just made it harder for these ethical employees to report bugs and keep their jobs?
The main job of these agencies is to defend us from attack. But for almost 3/4 of a century the public in the US and UK have also made it clear we want to see freedom promoted both at home and abroad. Tor was created and is maintained to serve both those ends. What has to happen is for the "destroy the village to save it" types to be given their pensions and escorted off the premises. We really can't afford any more of their misguided antics, not if the freedom we treasure is going to survive.
The NSA *officially* supported the software. Officially.
Then, unofficially.
Then, considering the official mandate of supporting certain people, via TOR.
Meanwhile, I consider the *mission* of the "puzzle palace" and their ongoing mission to meet new encryption and crush it or adopt it.
*That* is the real world.
Some parts are trying to catch up, some parts are forward of that curve, a few adjusting, the "senior management" still fights and is first echelon.
We, in the real world are stuck with licensing of our software, guarding against many enemies, some being part of the US "bad list", some earning their keep onto a watchlist.
For the El Reg correspondent, I'll suggest more research. You've screwed the pooch and missed a much more notable story. As I know on a firsthand basis, if the NSA doesn't want to be noticed, it shan't. That said, I know full well how said agency goes "loud".
Now, if you'll excuse me, I have to phrase something; I *really* need to address a certain and current problem set.
Really? He seriously thinks the GCHQ/NSA types are dropping anonymous tips into his in-box? He even admits he has no way of knowing. TBH, he sounds like a kid that wants to believe in Santa Claus. Did he stop for one moment to think that such teams at the TLAs are going to be monitored, and they're hardly stupid enough to want to risk their jobs for TOR? Then also consider that, when a hole is found, the list of people at either agency that would know about it would be very small - the minute a hole was plugged shortly after having been found by The Man, then the people on that small list would be under a spotlight, which would leave very little wriggle room for a leaker to hide behind.
There is one possibility that either the GCHQ or NSA would let the TOR project know of a hole, and that's if they already knew it was in use by an opposing group such as the Russians or Chinese. There is, unfortunately, the possibility the tips are coming either from the Russians or Chinese to block Western spying efforts, or (worse) they are coming from black hats working for nastier groups such as paedo rings and drug gangs.
But what about when they get lie-detector tested every 6 months or so and this is one of the questions?? Then they get demoted, maybe. And how do I know if anyone replies to this message or quotes me? It doesn't email me. I can't keep coming back to this page to check like some crazy madman; I've got work to do....
"Did he stop for one moment to think that such teams at the TLAs are going to be monitored, and they're hardly stupid enough to want to risk their jobs for TOR. Then also consider that, when a hole is found, the list of people at either agency that would know about it would be very small - the minute a hole was plugged shortly after having been found by The Man then the people on that small list would be under a spotlight, which would leave very little wriggle room for a leaker to hide behind."
You mean to say that people at the security guru level working at the NSA on TOR and anonymization services would not know to submit these security holes anonymously?
For any other government employee with a security clearance even connecting to TOR is a huge red flag unless it's part of your official duties. These guys not only know what holes are currently exploitable and what capabilities the intelligence services have but have first hand experience working with them.
Though the article repeats the TOR project developers' speculation that these might be NSA types submitting bugs, your argument does not, in my view, lessen the validity of their speculation.
If parts of GCHQ and the NSA need to use Tor to carry out their own investigations, which seems likely, they have the same kind of motivation to fix it as the US Navy had to fund its development in the first place. Doesn't mean other parts of GCHQ or the NSA can't have operations compromised by this development, but who expects the left and right hands in any secretive organisation to know what each other are doing anyway? It's not as if everyone in GCHQ will know about any particular zero-day vulnerabilities involved in any particular investigation, as knowledge will have to be restricted on a "need to know" basis in any such environment. Don't forget it was the NSA who developed SELinux - and open-sourced the patch which provided this.