
Russia offers $110,000 to crack Tor anonymous network - theklub
http://www.bbc.com/news/technology-28526021
======
Steuard
How on Earth is $110,000 a reasonable value for this level of vulnerability?
(And with a multi-thousand dollar up front cost to boot.) I'm not remotely an
expert on security, much less nefarious black-market hacks, but I would think
that a whole lot of nations around the world would be willing to pay millions
(each!) for this capability. Heck, if not for this, I would have included
Russia on that list.

~~~
jcromartie
The "hackathon" spirit has caught on at the state level. Get a bunch of
college kids to slave away for free and give the best one a paltry sum for
their efforts and retain all rights to the work.

~~~
aroman
How is that the "hackathon" spirit?

~~~
TeMPOraL
It's the spirit ever since the term "hackathon" caught the attention of the
employers and the events are organized by companies for their profit instead
of hobbyists/enthusiasts just for fun.

~~~
dmix
For ex: Hackathons shouldn't primarily be about cash prizes. It defeats the
purpose and ideology behind hacking culture.

~~~
eli
Isn't that the parent comment's point? That it's such a relatively small
amount of money that the only people who are into hacking stuff anyway would
attempt it.

~~~
dmix
There shouldn't be any money at all in hackathons, it should be voluntary and
tinkering/hacking on technology for fun or societal benefit. This is for a
project with a well-defined goal defined by a large government that may be
used against dissidents by an authoritarian state.

That doesn't quite fit into hacker culture at all.

If they aren't going to hire well-paid hackers full-time like the NSA does
to do the same thing, then at least make the prize significant similar to
X-prize.

------
scrollaway
As Schneier says:

"The reward of $114,000 seems pretty cheap for this capability. And we now get
to debate whether 1) Russia cannot currently deanonymize Tor users, or 2)
Russia can, and this is a ruse to make us think they can't."

[https://www.schneier.com/blog/archives/2014/07/russia_paying...](https://www.schneier.com/blog/archives/2014/07/russia_paying_f.html)

~~~
XorNot
That's because they're asking if someone's done it and wants some cash. If you
had, monetizing the knowledge isn't exactly easy. No intelligence agency will
bother paying for it.

~~~
tormeh
Why wouldn't they? This is exactly the stuff I'd want to pay for if I was an
intelligence agency; you want the hackers to come back with more exploits,
after all.

~~~
jbigelow76
No intelligence company would pay for it _if it were publicized_ they had paid
for it. It's more useful to keep quiet and let people think Tor is still
anonymous.

~~~
ddoolin
Could the person who sold it to them publicize it? Assuming they would be
outside of Russia or unbound from any sort of gag order (not likely)?

------
sarciszewski
Heh. This is low-ball. I was once offered $150,000 in a discussion with a
broker when I inquired about a hypothetical Tor 0day. After the broker's fees,
I would have still walked away with $120,000 if I had one. (Then taxes, of
course.)

If anyone wants to do this, I recommend shopping around first ;P

------
kar-kub
Last paragraphs are very interesting:

"In its 2013 financial statements, the Tor Project - a group of developers
that maintain tools used to access Tor - confirmed that the US Department of
Defense remained one of its biggest backers. The DoD sent $830,000 (£489,000) to
the group through SRI International, which describes itself as an independent
non-profit research centre, last year. Other parts of the US government
contributed a further $1m. Those amounts are roughly the same as in 2012."

I'm not familiar at all with how that funding works; could someone from the
US explain how and why the US government is giving money to TOR?

~~~
JasonIpswitch
I've seen two explanations for why the US government gives money to the Tor
Project. One reason is to support dissidents in countries like China. Another
is that US agents use Tor, but that the network requires a degree of
popularity in order for agents to "hide" in it.

~~~
chris_mahan
Another option is an effort to identify cryptographically-capable individuals
around the world as targets for potential contact, work, on behalf of the U.S.
and its allies.

TOR as a recruitment tool?

------
d0mine
I don't think that you need to crack anything.

$100,000 is for a research paper.

Translation of the auction lot title: "Research the possibility of getting
technical information about Tor users (their hardware)".

Here's the talk that claims the possibility to deanonymize Tor users for less
than $3,000
[http://web.archive.org/web/20140705114447/http://blackhat.co...](http://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget)

There are published papers on the topic e.g.,
[http://www.syverson.org/tor-vulnerabilities-iccs.pdf](http://www.syverson.org/tor-vulnerabilities-iccs.pdf)

 _Lesson one is that Tor guards against traffic analysis not traffic
confirmation. If there is reason to suspect that a client is talking to a
destination over Tor, it is trivial to confirm this by watching them both._

------
a-nikolaev
Bear in mind that in Russia, many "offers" like this are not meant to be real
competitions for accomplishing something (to crack Tor, to build a bridge,
etc), but simply a way to appropriate state's money.

~~~
drzaiusapelord
Right, someone's CS drop out cousin is getting this.

------
chris_mahan
Are we saying that Russian intelligence services cannot hack TOR and need some
random hacker to do it?

Imagine if the CIA offered $1M to crack TOR. They would be the laughingstock
of the intelligence community.

I think there is something else going on. I would not touch this. It looks
like bait.

------
asdfologist
I wonder if this would backfire and make Tor even stronger, as now even more
attention is given to Tor's robustness.

~~~
xyclos
maybe that is their goal. Perhaps they want to (or already are) use(ing) tor
to hide their own activities from the NSA. They want to make sure what they
are doing is truly as secure as it claims to be and if not motivate devs to
make it so. After all, it seems it would be cheaper to offer this small reward
than to have to pay full time employees to help keep their activities secure
from prying eyes.

------
daj40
I don't know why anyone would do this for $110,000. Especially after the entry
fee, probably wouldn't make much money after the hardware costs, though if
you're good enough to take on TOR, you probably also have a botnet. Also, why
the hell would anyone give it to the Russians? Of all people, they're
definitely who need exclusive access to a TOR hack. Especially if you consider
that some of those people who are using it in Russia could be regular people
who are trying to not be persecuted for their sexual orientation. Bad idea
overall.

------
pandaman
All the sources refer to the same government requisition for a "performing the
scientific research, code "TORUS/Fleet". The details should be available for
people who chose to participate and foreign nationals are specifically banned
from participation.

With the Russian word for torus being "тор" which could be transliterated as
"tor" I see why people might get excited. But I'd like to see something more
concrete than word play to support the news articles' theory.

------
hucker
"Applicants must pay 195,000 roubles to enter the competition"

This seems rather bizarre... ~$5500 cannot simply be a symbolic sum to deter
idiots.

~~~
mkup
IMO Russians intend to make their venture profitable.

~~~
jessaustin
It wasn't clear to me from the article that there was any sort of time limit.
Presumably a researcher could simply enter the contest once he was sure he had
an exploit? The math doesn't really work out for profitability.

~~~
kiiski
The deadline is August 13th, and the winner (if any) will be announced on the
20th. (According to a Helsinki Times article, but the English translation[1]
doesn't have the dates)

[1]: [http://www.helsinkitimes.fi/finland/finland-news/domestic/11...](http://www.helsinkitimes.fi/finland/finland-news/domestic/11341-reward-offered-by-russia-to-crack-tor-likely-to-improve-the-anonymity-network-finnish-expert-views.html)

~~~
jessaustin
Then the point stands. If a Russian researcher has an exploit on the 13th and
thinks the prize is worth it, she'll enter. Why would _anyone_ else enter?
With that in mind, the proposed profit model seems unlikely.

------
VeejayRampay
I'd be really surprised if Russia were actually not able to do this already,
they're known for having a very strong national community of security experts
and overall excellent mathematicians.

~~~
PerfectDlite
They _had_ this community.

Nowadays most of them emigrated and those who don't, they mostly will not work
for KGB spooks.

------
dm2
What's to stop someone from selling one of these exploits to multiple nations
and companies?

What is the normal process for selling these exploits? They'd want to see the
exploit first, I'm guessing in person, then they transfer over the money, then
you give the code and details?

What if someone wanted to remain anonymous during the transaction? What would
be the best method of doing that? You couldn't really send a friend because it
might be easy to trace back to you, and it would be hard to trust a stranger.

~~~
homhomhom
They don't want to 'buy' the exploit outright, just fund the R&D. Thank you
sensationalist media.

~~~
dm2
I don't understand, it seems like researchers have to pay to enter and then
are only given the funding if successful, that's not exactly funding R&D, more
of a contest. It seems really strange that Russia would be offering this kind
of bounty in effort to improve the program's security, don't they know how
many activists and dissidents use it. Is the sole reason to aid their own
spies?

They should just provide funds on a site such as
[https://hackerone.com/](https://hackerone.com/)

I really wish the US government would offer bounties for their sites and
systems. Right now if people try to exploit a US government system, even if
they have the intention to properly disclose the vulnerability they face
prosecution.

~~~
homhomhom
It is definitely R&D to find a vulnerability in TOR or lack thereof, it's just
that BBC as usual is arbitrarily choosing what to report and what to stay
silent about.

Look no further than the tender page:
[http://zakupki.gov.ru/epz/order/notice/zkk44/view/common-inf...](http://zakupki.gov.ru/epz/order/notice/zkk44/view/common-info.html?regNumber=0373100088714000008)

Here they explicitly state that it's a tender for
'Выполнение научно-исследовательской работы, шифр «ТОР (Флот)»'
(Research and Development works, code "TOR (Navy)")

Then it's a closed tender (stated in the same document), meaning that they
come up with a list of organisations they invite to participate in this
tender. No organization they did not invite can participate.

So you see this is nothing like a bounty.

>it seems like researchers have to pay to enter

I wager they are required by law to demand some sum of money, maybe this sum
is determined as a function of a tender value; I don't believe there is some
additional meaning to asking people to pay 5500 usd to participate in a closed
tender.

------
nanoscopic
I already posted publicly online how to find the identity of a Tor user.

To reiterate:

1. Get the Tor user in question to visit a website controlled by you ( or at
least a site where you can cause JS to run; such as an advertisement )

2. Know which ISP the user is on, and be allowed to install a high speed
device watching all traffic for a sequence of specific sized packets.

3. Use the JS to send a specifically crafted sequence of sized packets with
specific time periods in between them. After sending this preamble, send sized
packets to send the 'pseudo identity' of the user ( whatever pseudonym you
wish to attach back to their real IP )

4. Use your monitored ISP device to detect the preamble, then log IP and the
data.

Note this method could be done en-masse and would only require high speed FPGA
devices at each ISP "trunk". Inject JS code correlating users back for any
system which you wish to identify the users.

Done. Whichever Russian demonstrates this and wins the $100k; throw me a bone
please. :)

~~~
jonahx
I assume a Tor user with js turned off would be immune to this?

~~~
robertfw
I wonder if something similar could be done with detecting specifically sized
images?

~~~
AnthonyMouse
You're all making this much too complicated. Who needs the client to make
multiple requests when you control the server? Client does "GET /" and the
server starts sending a large index.html using irregular sized packets at
specific intervals.

But suppose we broke it, now we have to fix it, right? Start padding
everything to power-of-two size boundaries with a minimum of 16. Or if that
would make Tor traffic too identifiable, then instead add random()%packetsize
padding to each packet. Either would reduce the number of detectable packet
sizes below a 1500 byte MTU to 8 at the cost of less than doubling the
bandwidth consumption.
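
Added example, not part of the thread: the power-of-two padding rule proposed in the comment above, written out in Python to check the bucket count and the bandwidth cost. Capping the last bucket at the MTU, the function names and the sample sizes are assumptions of this sketch.

```python
import math

MTU = 1500        # bytes, the limit named in the comment
MIN_BUCKET = 16   # minimum padded size named in the comment


def padded_size(n: int) -> int:
    """Round a payload length up to the next power of two (>= 16).

    Assumption: the top bucket is capped at the MTU, since 2048 would not fit.
    """
    if not 1 <= n <= MTU:
        raise ValueError("length must be between 1 and the MTU")
    bucket = max(MIN_BUCKET, 1 << (n - 1).bit_length())
    return min(bucket, MTU)


def observable_sizes() -> list[int]:
    """Every distinct on-the-wire size an observer can see after padding."""
    return sorted({padded_size(n) for n in range(1, MTU + 1)})


def worst_case_overhead() -> float:
    """Largest padded/original ratio for lengths of at least MIN_BUCKET.

    Shorter payloads cost more (1 byte becomes 16), so they are excluded here.
    """
    return max(padded_size(n) / n for n in range(MIN_BUCKET, MTU + 1))


def bits_per_packet(distinct: int) -> float:
    """Upper bound on the information one packet's size can carry."""
    return math.log2(distinct)


# Constructed sample: a run of irregular packet sizes before padding.
SAMPLE = [211, 977, 53, 1340, 211, 600]

if __name__ == "__main__":
    buckets = observable_sizes()
    print("buckets:", buckets)
    print("sample after padding:", [padded_size(n) for n in SAMPLE])
    print("worst-case overhead: %.3fx" % worst_case_overhead())
    print("size channel: %.2f -> %.2f bits per packet"
          % (bits_per_packet(MTU), bits_per_packet(len(buckets))))
```

Padding of this kind only coarsens packet sizes; the intervals between packets are left unchanged by it.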

------
downandout
They are also charging an entry fee for this "contest" in addition to the
prize being ridiculously small. The good news is that it's quite unlikely this
will be successful regardless of the prize.

------
goatforce5
I'd assume you wouldn't have to look too hard to find someone willing to pay
$110k+ to identify specific individual Tor users, let alone find general
exploits in Tor.

------
golergka
Previous thread about it:

[https://news.ycombinator.com/item?id=8079195](https://news.ycombinator.com/item?id=8079195)

~~~
Ecio78
I submitted this one as well but was not very successful:
[https://news.ycombinator.com/item?id=8083790](https://news.ycombinator.com/item?id=8083790)

------
EGreg
Must be some small agency there, not really representing "Russia"

And anyway why can't people then just use Freenet or some such network?

~~~
clarry
Freenet is a resource hog, and can be rather slow. It's also not particularly
interesting for people who just want to browse and access the "normal" web
anonymously. There are few services. There's little interesting content. Plus
it's not clear Freenet can really provide that much as far as anonymity goes.
The consensus recently has been that opennet is quite vulnerable, and the only
way to be really safe out there is with a global darknet where everyone only
connects to trusted peers. Achieving this is not so easy, and there are
potential complications.

------
thothamon
Great news. $110,000 from Russia to find and (although they did not intend it)
patch Tor bugs. Thanks, Putin!

------
coledubz
ugh, capitalism. someone somewhere will actually do work towards this goal
with that much money in mind as a worthwhile payoff. ending tor anonymity
should have at least 2 more 0s on the end of the figure.

------
wooptoo
I bet NSA is willing to pay much more.

