
The FBI Is Classifying Its Tor Browser Exploit - ashitlerferad
https://motherboard.vice.com/read/the-fbi-is-classifying-its-tor-browser-exploit
======
giardini
If the exploit is classified, how can it be verified that the exploit actually
extracted the evidence claimed? That is, how can the FBI prove that it did not
obtain the evidence by other, illegal means (as they have instructed other
agencies to do)? Provenance of evidence is everything in criminal cases.

~~~
gozur88
The FBI has two different, and sometimes opposed, missions. The primary
mission is security - it's supposed to stop terrorists from terrorizing, spies
from spying, saboteurs from... well, whatever.

After-the-fact law enforcement is secondary. It may be this is a tool they
intend to use to attack spy and terrorist networks where breaking up the
network is more important than getting prosecutions.

~~~
hackuser
> The primary mission is security ... After-the-fact law enforcement is
> secondary.

I'm not sure that's true. Where do you get that?

~~~
gozur88
[https://www.fbi.gov/about-us/quick-facts](https://www.fbi.gov/about-us/quick-facts)

------
_audakel
The FBI and other government institutions often ask for the help of the tech
industry, and act like they want to build bridges but actions like this show a
double standard.

They are like your annoying needy friend. Always asking you for stuff but
never bothering to return the favor.

~~~
mhurron
> show a double standard

No they don't. Assistance that industry would provide would also be classified
and honestly a penalty would probably be levied if the found issues were ever
fixed.

So they found it on their own, results classified so they can't be fixed.

Needed help finding it, threaten penalties if the issue is ever fixed.

They're not trying to build bridges, they're trying to gain control of another
source of information.

------
f00_
Why is Tor Browser still using FF instead of Chrome or something?

A sandbox is necessary, and I'm 100% sure there are a ton of 0-days in all
browsers.

~~~
kolme
Chrome is not even open source. They can't use it.

If you're referring to Chromium, well, what makes you think it's more secure
than Firefox?

Also, don't you think that the developers of the Tor browser are pretty
security-aware? That they might make very well informed decisions?

~~~
lima
Chromium is a magnitude more secure than Firefox. If you find a 0day in the
Firefox renderer, bam, code execution with full user permissions. A 0day in
Chromium renderer code is pretty much worthless.

Firefox has zero additional layers of security. Chromium has a battle-tested
sandbox which kills 99% of all exploits in the absence of an additional kernel
exploit.

Also note how none of the recent Flash 0days was exploitable on Chrome.

------
kstenerud
So write a bot that browses bad sites on tor and see what infections it picks
up, then examine what vulnerabilities they exploit.

------
rotrux
Contrary to my usual opinion about the US Federal Government's "cyber-tactics,"
this actually seems like a good thing.

I'd rather that fewer people understand how to break tor, as opposed to more.
There's a middle ground which may be better, but on the open-source/classified
spectrum I'm a little right-leaning on this one. Thoughts?

~~~
SparkyMcUnicorn
It should be patched. Am I wrong?

The entire reasoning behind using tor is for anonymity, and we don't know what
this exploit is exactly or how serious it is.

~~~
rotrux
I remember reading a doctoral paper from MIT about it, and the general
principle involved a combination of large swaths of man-in-the-middle tor
nodes, combined with algorithms resembling physics formulas which use
statistical mechanics to model fluid dynamics.

If that's the case the exploit is intrinsically linked to the way tor works,
and there may be no patching possible.

I'ma need someone to fact-check me because I'm semi-busy right now and I don't
have the article on-hand.

~~~
schoen
This is described as a Tor Browser exploit -- a vulnerability in the browser
that people normally use with Tor -- rather than a vulnerability in the design
of Tor or a way of performing traffic correlations. This vulnerability can
probably be fixed permanently for all users with a tiny software patch.

