Yet More Spy Vultures Take Flight From The Tor Nest

By: Anon - Posting #174 - Original by Cryptome

Note* Anon exposes some disturbing issues concerning rouge developers working under the Tor umbrella. Can some of the security issues surrounding SSL be traced back to Tor development and developers.

An interesting bug report was filed on the Mozilla bug tracker in September. [1] It is titled ``Addons can silently disable certificate validation and alter errors that are presented to the user'' and names the Convergence Firefox plugin what it really is -- a spy tool.

But first, recall my expose of the EFF's Firefox plugin -- the Decentralized SSL Observatory. [2] This plugin was a joint effort by the EFF and the Tor Project, with Mike Perry as a developer. Another of the developers is Peter Eckersley who maintains the plugin's source code repository on Tor's servers. [3] The purpose of this plugin was to intercept all SSL certificates seen by the user's browser and secretly send them all back to EFF servers for `observation'. It was shown how all this was to be pushed to users' machines without their knowledge nor consent. I'll take this opportunity to remind the EFF -- as a legal entity in the United States -- of the possible implications of not reigning in their wannabe spy friends' behaviour.

This brings us to the Convergence Firefox plugin. [4] The author, `Moxie Marlinspike' (real name unknown) openly bragged in 2009 of intercepting Tor exit node traffic. [5] In fact, passive spying was not enough for `Moxie', he actively tampered with exit node traffic, specifically the SSL layer, removing any encryption which got in the way of his spying. This way, he was able to collect passwords and credit card numbers alike. Supposedly all this was to raise awareness of the insecurity of HTTPS. However, not only did Tor users remain oblivious to his actions -- the Tor Project kept mute -- so that they could perhaps modify their behaviour accordingly (like, say, not using Tor), but `Moxie' then went on to lecture cadets at West Point about his spying skills. [6] An anarchist security researcher wanting to raise awareness? Or a wannabe spy wanting a piece of the spy establishment's pie?

Back to that Mozilla bug. `Moxie' has been itching to push his plugin on ignorant users -- which, he openly brags, intercepts users' SSL certificates and distributes them to his network of servers (just like the EFF/Tor Project's Distributed SSL Observatory plugin). Seeing this, a Mozilla developer opened the bug to discuss how to protect users from these malicious plugins. The reply from `Moxie', apart from flames on Twitter, was:

``Addons can execute arbitrary code, and the potential for malicious addons is somewhat infinite.'' [7]

Apart from being absurd (in the logical sense), this sentence is incorrect. Something is either finite or infinite, there is no ``somewhat infinite.'' Machines are finite, and their possibilities are also finite. His reponse to developers trying to protect users by fixing a bug he exploits to spy on them is ``There's so many other bugs, and I will never give up trying to spy on people, so just give up now.''

Note that Google LOL not only makes Moxie's spying on Chrome users impossible by design (Google's policy is only NSA gets to spy on you, no one else), but Google Chrome developers have outright rejected the possibility. LOL (Does someone smell bullshit here)[8] Not because Google is concerned about user privacy, but because Google wants to own all the notaries first...

Finally, note that Jacob Appelbaum has been one of the few vocal supporters of Moxie's work. Appelbaum has also been outed as a spy of Tor users' traffic. Note also that Anonymous recently outed Mike Perry as a Tor exit spy -- and worse, as probably the target of their recent takedown of child pornography. Anonymous' expose is well worth the read. [9]

The moral of this story is that birds of a feather flock together -- `Moxie' is a one trick poney and is looking to replicate his success in spying on Tor users by bringing the spying straight to the browsers of a wider audience (maybe West Point will fly him out again and put him up in a nice hotel). This person has no integrity, they don't even use their real name.

SSL, like Tor, were designed from the bottom up as spy tools. Only once another government gets a clue and begins exploiting them (cf. Comodo/DigiNotar) do the wannabe spies take exception. Keep this pattern in mind, it is important.

"And Ye Shall Know The Truth And The Truth Shall Set You Free"

WAKE UP AMERICA....ITs OUR COUNTRY!!!

Love "Light" and Energy

_Don

References:

Bug 686095 - Addons can silently disable certificate validation and alter errors that are presented to the user

Planned not-so-secret Backdoor in Tor/EFF Software Exposed

In this memo, a planned not-so-secret backdoor in Tor/EFF software is exposed. ``HTTPS Everywhere'' is a Firefox extension developed by the EFF. [1] Basically, this extension forces your browser to use HTTP with SSL (HTTPS), when browsing common websites such as Twitter, Facebook, and Wikipedia. HTTPS Everywhere intercepts the (unencrypted) HTTP requests your browser sends when browsing various websites, and replaces these on the fly with (encrypted) HTTPS requests, whenever possible. This is great, since HTTPS is supposedly more secure than HTTP (cf. Firesheep). Note, however, that this browser extension now has access to: all your browsing habits -- visited sites, precise timestamps, etc.; all content -- whether it's encrypted on the wire or not; and specifics of the SSL connection -- SSL certificates contain a bundle of metadata. The importance and relevance of this fact will become clear briefly.

Projects / pde/https-everywhere.git / summary

An agile, distributed,and secure strategy for replacing Certificate Authorities

[Tor-talk] Tor spying

Video - Beginning at 55 minutes into the video.

Moxie 2011-09-10 08:54:27 PDT:

Agreed, I think this bug is a step backwards. Addons can execute arbitrary code, and the potential for malicious addons is somewhat infinite. Even if malicious addons were not able to intercept SSL traffic, they could simply intercept keystrokes and transmit those home instead. It'd be a lot easier.

Why not Convergence? (07 Sep 2011)

False stories were planted against the IT community LOL [I wonder WHO did this?] LOL

At-last, we cracked the lock and found the true identity of the builder and architect of Freedom Hosting. What we found was truly shocking, it was the deeds to a California, USA 'shell' company for 12 Tor Exit Nodes named Formless Networking LLC.