Tor Developer Created Malware for FBI To Hack Tor Users

Espionage works like this: identify a target who has the info you need. Determine what he wants in exchange for cooperating (usually money). Be sure to appeal to his vanity and/or patriotism. Create a situation where he can never go back to his old life, and give him a path forward that favors his ongoing cooperation in a new life. Recruit him, because you own him.

The FBI appears to have run a very successful, very classic, textbook recruitment on the guy above, Matt Edman, to use his insider-knowledge to defeat one of the best encryption/privacy software tools available. Aloha, privacy, and f*ck you, Fourth Amendment rights against unwarranted search and seizure.

Edman is a former Tor Project developer who created malware for the FBI that allows agents to unmask users of the anonymity software.

Tor is part of a software project that allows users to browse the web and send messages anonymously. Alongside encryption, the basic way Tor works is by relaying your traffic from server to server around the Internet, such that each server knows only a little bit about where the traffic originated. If you somehow break the chain, you can only trace it back so far, if at all. Tor ships with various front ends, graphical user interfaces that make it easy for non-technical people to use.
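A toy simulation of the layering described above, added here as an illustration (it is not Tor's code or protocol; the cipher, keys and relay names are constructed): the client wraps the message once per relay, and each relay can strip only its own layer, so it learns the previous and next hop and nothing else.

```python
import hashlib
import json

# Constructed demo keys: in real Tor each relay key is negotiated per circuit.
KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}
PATH = ["guard", "middle", "exit"]

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream (demo only, not Tor's)."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(path, keys, payload: bytes) -> bytes:
    """Client wraps the payload in one layer per relay; innermost layer is the exit's."""
    blob, nxt = payload, "destination"
    for relay in reversed(path):
        layer = json.dumps({"next": nxt, "inner": blob.hex()}).encode()
        blob, nxt = toy_encrypt(keys[relay], layer), relay
    return blob

def peel_layer(relay, keys, blob):
    """A relay removes its own layer only; it learns the next hop, nothing deeper."""
    layer = json.loads(toy_encrypt(keys[relay], blob))
    return layer["next"], bytes.fromhex(layer["inner"])

def run_circuit(path, keys, payload: bytes, sender="client"):
    """Forward the onion hop by hop and record what each relay could observe."""
    seen = {}
    blob = build_onion(path, keys, payload)
    prev, hop = sender, path[0]
    while hop != "destination":
        nxt, blob = peel_layer(hop, keys, blob)
        seen[hop] = {"prev": prev, "next": nxt}
        prev, hop = hop, nxt
    return blob, seen

if __name__ == "__main__":
    out, view = run_circuit(PATH, KEYS, b"hello from the client")
    print(out, view)
```

Only the guard ever sees the sender, and only the exit ever sees the plaintext; the middle relay's record contains neither.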

Tor is used by (a small number of) bad guys, but it is also used by journalists to protect sources, democracy advocates in dangerous countries, and simply people choosing to exercise their rights to privacy because they are in fact entitled to do so and don’t need a reason to do so. Freedom and all that. It is up to me if I want to lock the door to my home and close the blinds, not anyone else.

Our boy Edman worked closely with the FBI to customize, configure, test, and deploy malware he called “Cornhusker” to collect identifying information on Tor users. The malware is also known as Torsploit. Cornhusker used a Flash application to deliver a user’s real Internet Protocol (IP) address to an FBI server outside the Tor network. Cornhusker was placed on three servers owned by a Nebraska man who ran multiple child pornography websites.

We all hate child pornographers and we all would like to see them crammed up Satan’s butthole to suffocate in a most terrible way. But at the same time, we should all hate the loss of our precious rights. Malware has a tendency to find its way into places it should not be, including into the hands of really bad dictators and crooks, and even if we fully trusted the FBI to only use its Tor-cracking tools for good, the danger is there.

And of course we cannot trust the FBI to use its Tor-cracking tools only for good. If Tor can be taken away from a few bad actors, then it can be taken away from all of us. Our choice to browse the web privately and responsibly is stripped from us. Encryption and tools like Tor are like any tool, even guns, in that they can be used for good or for evil. You never want to throw the baby out with the bathwater, especially when fundamental Constitutional rights are at stake.

Rough and unpleasant as it is to accept, the broad, society-wide danger of the loss of those fundamental rights in the long run out-shadows the tragedy of child pornography.

Peter Van Buren blew the whistle on State Department waste and mismanagement during Iraqi reconstruction in his first book, We Meant Well: How I Helped Lose the Battle for the Hearts and Minds of the Iraqi People. His latest book is Ghosts of Tom Joad: A Story of the #99 Percent. Reprinted from his blog with permission.

8 thoughts on “Tor Developer Created Malware for FBI To Hack Tor Users”

  1. Matt’s hack actually doesn’t crack Tor, it uses a bug in Flash. It’s funny, because it makes me wonder if he hadn’t picked this up from my lectures or blogs, although Tor has always had it on our documentation that you should never, ever use Flash with Tor.

    But from the time I was founding executive director of Tor, and since, I’ve often been asked how I could sleep at night knowing that someone might be cruising kiddie porn using the software.

    Now, I took the helm of the project over a decade ago (I’m long retired) in order to help journalists, human rights workers, and others in hot spots all over the world preserve their safety. My dad worked night security on the summer marches for MLK and the SCLC. He and my family were under surveillance from the time I was four, in 1963. Do you see my motivation here?

    And when we trained journalists, for example, I saw these folks adopt the procedures and discipline — we call it “operational security” — you need to use Tor properly with the same methodical detail that they would devote to a camera case with fine optics in a desert war zone. Every detail, every step. They read the ___ manual. You’d expect that. Union organizers, human rights workers, women’s rights advocates in central Asia. These were people who had stakes, and were used to caution with good reason.

    But some of these other sorts, like say your KP cruiser? They might use Tor like it was a St. Christopher’s medal for traveling the dark net. You install it and you go. Then, if you want to view porn, what’s the first thing you do? You load up Flash. Which if you RTFM, is specifically warned against, because it means you can be tracked, regardless if you are using Tor or not.

    These folks who get busted using Tor don’t get busted because they are using Tor. They get busted because they are dumbasses. And thank God.

    When have you ever heard of a journalist, civil rights worker, human rights worker, or anyone you would care about (ok, some folks really cared about DPR…sorry, I am not one…maybe if you couldn’t buy assassinations and such on the site huh?) being busted for using Tor?

    You hear about people being busted for using Tor for crimes where they are impulsive and undisciplined.

    Some are victimless crimes but in every revealed case now, and I think now every major case has been revealed as of this news, they are all crimes where the person was subject to “social engineering” — doing something that compromised their security outside of Tor use itself, except in some very rare cases when they used an old version of Tor that hadn’t been patched (and the software tells you to patch and you have to ignore that).

    Knowing this, seeing it over and over, used to mean that when someone came to me asking, “Don’t baaaaaaaad people use Tor?” I always had a set of pretty good answers for them, depending on their concerns.

    At the very least, the message here is don’t drink/drug and drive the dark net. It could be bad for your future. Blue lights in the rear view mirror are larger than they appear. Do not be a dumb ass.

    Another message here is, it’s now far less likely that KP users will be as easily caught as they used to by just Flash. I anticipate huge volumes of KP being converted overnight to HTML5 as we speak because of this story. And so sadly, LE will have to find another attack, since the one that’s worked for more than a decade on most cases just got compromised.

    I never said or wrote much about this when I was ED at Tor. But I’m retired. I’m not volunteering at the project, not on the board. I haven’t so much as said howdy to the newest executive director since she took over a while back. It’s nice to be able to speak for myself, after a career of mostly being a spokesperson for this cause or another. I care deeply about these issues, but damn, there’s a lot you can’t say out of discretion when you are in a “role.”

    And one thing is, what Matt did would be not so awful, in my opinion if it weren’t for who he was doing it for (and the folks at the project might disagree with me here, I don’t know). It’s a white hat thing to do, unmasking KP users.

    In the simplest case.

    But he’s working with Comey, the FBI director, who has baldly lied to Congress regarding encryption issues, privacy, and so on. He’s working with folks who are promoting that if they want to hack into your home computer, as of December, they can — and they can send the warrant to your last known-to-them email address (which really means they can make one up and say it was sent in good faith). He’s working with people who can take any security research he does and not only use it against people who cruise kiddie porn, but any incautious activist, journalist, or anyone who does break discipline — or anyone who has a security flaw on their machine or in software that the NSA or FBI has hidden from the public.

    So there’s a part of me that has to look askance and say, “Which side are you on?” There’s a war on encryption, and I didn’t draw that line in the sand. He crossed to the other side of it. He has the opportunity to say a few things now — or not.

    Wonder what he has to say?

    1. Two comments:

      1. But from the time I was founding executive director of Tor, and since, I’ve often been asked how I could sleep at night knowing that someone might be cruising kiddie porn using the software.

      Just as bus drivers could provide transportation for pedophiles, murderers or terrorists. Or worse yet: people who illegally (or legally, in my opinion) download digital media!

      2. And thank God[sic!]

      You seem like an educated, intelligent individual. Embrace Helmut, the invisible unicorn, he sh*ts rainbows and eats dwarves (ok, so the last part is quite un-cool, but he’s still way nicer than the christian/judean/muslim “god”)!

      1. Actually, I’m more Tibetan Buddhist in practice, and rather much interfaith deist or something — it might take hours to work out vocabulary over several beverages — but it’s just an idiom.

        You take life so seriously! ;)

        1. You take life so seriously

          I just (well, 12 days ago) ranked people who download media illegally above typical muslims (“pedophiles, murderers or terrorists”) and praised the ultimate deity: Helmut, the invisible unicorn (may cheese be upon him)…

          …if I take life seriously, the rest of you people really need to learn to take it easy.

    2. you do know that tor has been cracked, hacked and rendered useless.

      Do you think that law enforcement agencies are going to let KPorners get away with that which they do?

      Also this is good reading:

      1. Uhuh. Look, you hear about kp busts, but oddly you so rarely — like never — hear about journalists, activists, human rights workers, and so on, being busted. If kp folks and such read the manuals and didn’t load media and plug ins, likely they’d be ok, but personally, I’m not QQing horribly. Have a nice drama.

Comments are closed.