Delivery-Date: Mon, 25 Aug 2014 19:32:25 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id AF1FD1E0CC7;
	Mon, 25 Aug 2014 19:32:22 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 06CD830AEB;
	Mon, 25 Aug 2014 23:32:18 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 8009230AE9
 for <tor-talk@lists.torproject.org>; Mon, 25 Aug 2014 23:32:14 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id O2dHsQzdz8_e for <tor-talk@lists.torproject.org>;
 Mon, 25 Aug 2014 23:32:14 +0000 (UTC)
Received: from turtles.fscked.org (turtles.fscked.org [76.73.17.194])
 by eugeni.torproject.org (Postfix) with ESMTP id 17EBD30AE7
 for <tor-talk@lists.torproject.org>; Mon, 25 Aug 2014 23:32:14 +0000 (UTC)
Date: Mon, 25 Aug 2014 16:31:25 -0700
From: Mike Perry <mikeperry@torproject.org>
To: tor-talk@lists.torproject.org
Message-ID: <20140825233125.GA17800@torproject.org>
References: <53FAA2EC.6080006@riseup.net>
 <53FBB25F.7060804@cpunk.us>
MIME-Version: 1.0
In-Reply-To: <53FBB25F.7060804@cpunk.us>
Subject: Re: [tor-talk] BBC: NSA and GCHQ agents 'leak Tor bugs',
 alleges developer
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============5474358965340061539=="
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>


--===============5474358965340061539==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="AhhlLboLdkugWU4S"
Content-Disposition: inline


--AhhlLboLdkugWU4S
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Cypher:
> On 08/24/2014 09:43 PM, Michael Wolf wrote:
> > I haven't seen this mentioned here, but thought it would be of interest
> > to the list.  Perhaps something for TWN?
> >
> > "NSA and GCHQ agents 'leak Tor bugs', alleges developer"
> > http://www.bbc.com/news/technology-28886462
> >
> >> Spies from both countries have been working on finding flaws in Tor, a popular way of anonymously accessing "hidden" sites.
> >>
> >> But the team behind Tor says other spies are tipping them off, allowing them to quickly fix any vulnerabilities.
> >>
> >> The agencies declined to comment.
> >>
> >> The allegations were made in an interview given to the BBC by Andrew Lewman, who is responsible for all the Tor Project's operations.
> >>
> >> He said leaks had come from both the UK Government Communications Headquarters (GCHQ) and the US National Security Agency (NSA).
>
> Interesting. We should remember that the spies are really living in a
> two sided world. On one side, they need a reliable, hardened, Tor that
> doesn't stand out from anyone else using Tor so that they can
> communicate amongst themselves. On the other hand, they need to be able
> to break Tor so they can do their jobs. It has to be a tough place for
> them to be.
>
> The article was very interesting - except the part about 'here's how you
> might want to fix this'. I certainly hope that the Tor project /is not/
> accepting patches submitted by NSA or GCHQ! Sure, I realize those
> agencies could very easily embed someone within the project (in fact,
> don't a few of the Tor project folks work in intel?) but developing a
> trusting relationship by accepting patches just seems like a bad idea to me.
>
> /me puts on tinfoil hat

For the record, in the original interview transcript[1] Andrew states
that "it's a hunch" that these orgs are leaking us bugs, not known fact.

I kind of wish Andrew didn't fan the flames of conspiracy on this point,
though it probably is causing some intelligence bureaucrats to be
scratching their heads in confusion right now, which I guess is a good
thing? On the other hand, if this was happening, making a press release
about it probably is one of the best ways to get it to stop. Which I
also find to be a confusing move by Andrew, if this is what he really
believes.

Regardless, in my opinion, while it's fun to speculate that our
favorite bug reporter (bobnomnom/skruffy) is actually an intelligence
service, and that the other "cypherpunk" bug reports we get are also
leaks from this service, I think what is more likely is that we're just
witnessing the "With enough eyes, all bugs are shallow"[2] phenomenon of
Open Source development, coupled with a userbase that is probably at
least a couple sigmas above the norm in terms of technical proficiency.

This is naturally leading to all sorts of interesting bugs being found
by the wider community at a regular frequency.

I also suspect that once bobnomnom/skruffy's bug reporting and
linguistic signature (broken English with a Slavic accent so thick you
can hear it over ASCII) became legendary, many other random people began
to mimic it to report their own bugs, if nothing else to avoid
stylometry attacks.

I've repeatedly seen multiple cypherpunks users with very similar broken
English writing styles argue with each other on the bugtracker. Very
strange, but more supportive of the "random mimicker" scenario than of
multiple NSA/GCHQ agents arguing openly on our bugtracker.

We have gotten some patches from anonymous contributors, but we review
them very closely, and they usually end up going through a few revisions
before we merge them. We obviously subject all contributed patches to
careful review like this, regardless of whether they are named, pseudonymous,
anonymous, or "bobnomnymous".


1. http://www.bbc.co.uk/news/technology-28886465
2. https://en.wikipedia.org/wiki/Linus%27s_Law

-- 
Mike Perry

--AhhlLboLdkugWU4S
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--AhhlLboLdkugWU4S--

--===============5474358965340061539==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--===============5474358965340061539==--

