key flag

FBI pwns TOR|How they screwed up


The FBI has allegedly used an exploit discovered in TOR (infrastructure for the anonymous internets) to catch some douchebag downloading child porn at a web site that won’t be referenced here. Catching criminals is what the FBI is paid to do, so the FBI did their job well and hopefully the douchebag they caught will rot in hell. Motherboard reports the FBI hacked over 1000 US computers and another 3000 abroad.

There is causality in all things, however, and this case is no different.

If you choose to criminally prosecute someone and your evidence is based on hacking an information system, you are going to have to disclose that in court. The Defense is going to ask you for your method, and you will need to disclose it. In this case, the Judge ordered the government to disclose the method to the Defense team, and no one else is allowed to know. A court ordered gag on a security exploit that prevents a bug-fix.

Why is that such a big deal? The gag on the method isn’t even the most interesting question, although it is baffling why a judge would give the code and the method of the exploit to the criminal, but not allow the developers who coded the browser to fix the vulnerability. I want to know why the FBI burned an exploit…a valuable exploit…on a child porn downloader?

fire fire!
Is it secure?

Because the TOR browser relies on Firefox Web browser code for the privacy and security component for anonymous web-browsing, it is therefore important to understand that the FBI can conduct traffic analysis operations on anyone who relies on Firefox for their security and privacy needs. And if the FBI can do it, so can anyone else. This is of course theoretical. Because the government hasn’t disclosed how they achieved their alleged exploit, and now the security of 100 million Mozilla users hangs in the balance.

Could you imagine? 

How bad does it suck for a company who builds its product using open standards for privacy in computing…to get hacked by the US Government who then broadcasts to the world that they arrested someone using a flaw in your product…affecting millions of your customers, but you can’t do anything about it? You can’t fix it. How could you fix it if you don’t know how you were exploited?

Who decided this was legit?

A guy named Bob. He wears a black dress to work.

Also published on Medium.

%d bloggers like this: