On being targeted by the NSA (torproject.org)
202 points by bjchrist on July 4, 2014 | 55 comments

For a little bit of fun: Try linking to https://www.torproject.org/download/download-easy.html.en on Facebook and marvel at the non-descript error messages. They depend on where you try to post it (timeline, comment). For example "could not be posted because of technical error, try again in a few minutes"...

Hi, my name's Alec, I work as a software engineer for Facebook. Apologies for what you observed, it was due to an automatic system miscategorising the Tor download site. We've fixed the issue, given our software a stern talking-to, and are working to ensure that it does not happen again.

I sent a message to FB noting the "mis-categorization" on May 26.

How long did it take to fix the issue? Assuming that it is a simple task to fix, then why was it not fixed when I reported it on May 26th nor when I reported it again on June 24th?

Hi there; I don't know the answer to that question yet, but I will be investigating the matter next week and will take action accordingly. Thank you for the details and for taking the time to do that, it's appreciated.

FWIW, a bug appears to exist, as the following (perfectly safe) link also triggered the warning:


Note the irony of http://google.com/safebrowsing triggering a Facebook "unsafe link" security warning. Looks like the code is using a substring match, which might be incorrect logic.

Are your posts are Turing test? ;)

I'm not a bot, but my English teachers always taught me not to put two verbs in one sentence.

Good thing you put 3 verbs in your sentence then ;)

Sorry, Alec. I'm not buying into the whole customer service corporate doublespeak routine. Your words sound like those of an uninformed pawn, a tool implemented by nobility, a means to an end.

He can't be an uninformed pawn of his corporate masters and be engaged in doublespeak at the same time.

Hush. The existential contradiction is part of The Conspiracy!

Not true. An employee can adhere to a company policy without understanding the reason a given policy exists. It's certainly possible to carry out orders, and adhere to a script, with unquestioning obedience.

Fair enough I guess...

FB is a huge company now. Going through the reporting process, assigning to a dev, they get around to it after other assignments, goes to QA queue, it's tested, it'll get pushed out in a release. That'll take a month, easy. I don't smell conspiracy, I just smell software development.

Can I ask you, what category was Tor put into?

Could you provide disclosure regarding how this categorization system works?

Holy cow, it really doesn't work. I tried it once immediately as you posted, and then continuously via different people's accounts and different computers even. It really doesn't work, and it ain't just my computer or account. It isn't even a US thing.

I don't think there's a problem with parsing the URL because it clearly is able to load up the preview. All I can say is, MAN! They really don't want you helping people with Tor.

My facebook habits have shifted to posting almost exclusively NSA related materials. I've run into errors like this three times before. I don't know what the issue is.

Instead of error messages, I got this: http://i.imgur.com/mDTPnrq.png

I just posted that exact link without issue.

Before (12:41 PDT) and after (12:56 PDT): https://i.imgur.com/GAHQIXZ.png

"Worksforme" is a bad habit that we in the software industry need to get out of. When a user complains about something, they're almost never trolling, so we need to take the reports seriously.

"worksforme" isn't an accusation of trolling, it's just the second stage of debugging:


Any sane debugging process should proceed beyond this stage. :-)

It does contain a direct download to an executable file. Maybe it's just fear of viruses and not something exclusive to Tor?

I've occasionally seen similar errors posting links to sites like Wikileaks.

The link times out for me on Verizon, but it works under Tor. For those who cannot access it, here is the text of the page:

We've been thinking of state surveillance for years because of our work in places where journalists are threatened. Tor's anonymity is based on distributed trust, so observing traffic at one place in the Tor network, even a directory authority, isn't enough to break it. Tor has gone mainstream in the past few years, and its wide diversity of users -- from civic-minded individuals and ordinary consumers to activists, law enforcement, and companies -- is part of its security. Just learning that somebody visited the Tor or Tails website doesn't tell you whether that person is a journalist source, someone concerned that her Internet Service Provider will learn about her health conditions, or just someone irked that cat videos are blocked in her location.

Trying to make a list of Tor's millions of daily users certainly counts as widescale collection. Their attack on the bridge address distribution service shows their "collect all the things" mentality -- it's worth emphasizing that we designed bridges for users in countries like China and Iran, and here we are finding out about attacks by our own country. Does reading the contents of those mails violate the wiretap act? Now I understand how the Google engineers felt when they learned about the attacks on their infrastructure.

Works fine for me on Verizon.

demonstrate with screenshot plz.

The release of this source code does not match Snowden's modus operandi, which is to avoid releasing technical details which would allow other governments to construct similar surveillance systems. Bruce Schneier and Glenn Greenwald believe that there are now multiple NSA leakers [1].

[1] https://twitter.com/ggreenwald/status/485081861119832064

I suspect the "second NSA leaker" is just Jacob Appelbaum with the same set of documents that Laura Poitras brought back to Der Spiegel. There's already several people in the infosec community doubting the veracity of some aspects of the Tor article[1][2][3], including from within the Tor developer community itself[4]. Though there's no confirmation, some have suspected that Julian Assange's most likely source for the Afghanistan revelation back in May[5] was Appelbaum[6].

[1] http://blog.erratasec.com/2014/07/validating-xkeyscore-code....

[2] https://twitter.com/thegrugq/status/485158875721523200

[3] https://twitter.com/electrospaces/status/485193336912093185 (scroll up)

[4] https://lists.torproject.org/pipermail/tor-dev/2014-July/007...

[5] http://gawker.com/why-did-wikileaks-name-country-x-when-glen...

[6] http://www.csmonitor.com/World/Security-Watch/Backchannels/2...

I agree but the details still lead to him...


Could be Germany got an evaluation copy of the program and somebody there leaked it. Maybe it isn't restricted to just 5 eyes alliance.

The details in these stories would be of no use to "other governments to construct similar surveillance systems."

I can't even see this blog. See the screenshot at http://www.miketaylor.org.uk/tmp/tor-mitm.png

Transcription follows:


Cannot connect to the real torproject.org

Something is currently interfering with your secure connection to torproject.org.

Try to reload this page in a few minutes or after switching to a new network. If you have recently connected to a new Wi-Fi network, finish logging in before reloading.

If you were to visit torproject.org right now, you might share private information with an attacker. To protect your privacy, Chrome will not load the page until it can establish a secure connection to the real torproject.org.

torproject.org has public-key pinning in Chrome, although without the "More" information I can't tell whether it's a pinning error or just that your ISP is blocking the site.

You can try running:

$ openssl s_client -connect blog.torproject.org:443 -showcerts > /tmp/log

to get the certificates that are coming back. You can copy and paste a "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" block into `openssl x509 -text -noout` to get a dump.

I would guess that it's a self-signed certificate fronting a "sorry, this site is blocked" page.
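
One way to triage the saved `/tmp/log` from the command above, as an added example that is not part of the thread: it splits the `s_client` output into certificates, flags any whose issuer equals its subject, and computes the base64 SHA-256 of each SubjectPublicKeyInfo to compare against pins you supply. The function names, the `expected_pins` parameter and the sample certificates are assumptions made for illustration; the sample is certificate-shaped DER, not a valid certificate.

```python
import base64, hashlib, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element that starts at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def cert_fields(der):
    """Return the raw DER of issuer, subject and SubjectPublicKeyInfo."""
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]  # Certificate -> tbsCertificate
    pos, parts = 0, []
    while pos < len(tbs):
        tag, _, end = read_tlv(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            parts.append(tbs[pos:end])
        pos = end
    # remaining order: serial, sigAlg, issuer, validity, subject, SPKI
    return parts[2], parts[4], parts[5]

def inspect_log(text, expected_pins=frozenset()):
    """One dict per distinct certificate in saved s_client output, leaf first."""
    # s_client prints the leaf again under "Server certificate"; drop repeats
    ders = dict.fromkeys(base64.b64decode(b) for b in PEM_RE.findall(text))
    report = []
    for der in ders:
        issuer, subject, spki = cert_fields(der)
        pin = base64.b64encode(hashlib.sha256(spki).digest()).decode()
        report.append({"self_issued": issuer == subject,  # names equal; signature not checked
                       "spki_sha256": pin, "pin_match": pin in expected_pins})
    return report

# --- constructed sample data: certificate-shaped DER, not cryptographically valid ---
def tlv(tag, body):  # sample-only DER encoder; every body stays under 256 bytes
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def sample_cert(issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + subject_cn.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer_cn) + tlv(0x30, tlv(0x17, b"140701000000Z") * 2) + name(subject_cn) + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def sample_log(*ders):
    pem = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
    return "Certificate chain\n" + "".join(pem % base64.encodebytes(d).decode() for d in ders)

print(inspect_log(sample_log(sample_cert("blocked.isp.example", "blocked.isp.example"))))
```

On a real capture, pass the contents of `/tmp/log`: a first entry with `self_issued` set fits the block-page guess, while an ordinary chain with no `pin_match` fits a pinning error.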

You may want to disable your /tmp directory's files listing.

Thanks for the concern, but no worries -- that's open by design. Which isn't to say it couldn't use a bit of a tidy up.

Yes, ouch. Dude that's a lot of important-looking files.

So who could be carrying out a man-in-the-middle attack on the TOR project? It's pretty hard to think of candidates, isn't it?

Please name names. Rhetorical questions don't add to the discussion.

> Please name names?

Seriously? It's not _perfectly_ clear who I'm talking about?

It depends on the country. It could be Sky, or whoever does internet filtering in Australia, I forget who does that.

What ISP are you using?

it's worth emphasizing that we designed bridges for users in countries like China and Iran, and here we are finding out about attacks by our own country.

We begin therefore where they are determined not to end, with the question whether any form of democratic self-government, anywhere, is consistent with the kind of massive, pervasive, surveillance into which the United States government has led not only us but the world.

This should not actually be a complicated inquiry.


running timewarner cable, all of torproject.org is timing out.

For me as well. But using Google DNS server or OpenDNS solves the issue.

There's no reason not to link to the primary source.


Thanks for pointing that out

I found this particularly resonated:

"...we designed bridges for users in countries like China and Iran, and here we are finding out about attacks by our own country."

I don't really know what to say to the NSA/Snowden/etc. stories any more. Intellectually, I understand that each new worst revelation is worse than its predecessor - emotionally though, none of it even surprises me any more.

...come on Fort Meade, I want to be surprised. Drop something really juicy. Something so diabolical that it's actually cool.

This isn't for your entertainment. Please set aside your emotions and contribute to stopping this. Are you registered to vote?

Who could you vote for in the US to stop this?

Well George Miller is my current congressional representative, and he scores an A on the EFF's scorecard, so I vote for him. Also, in a lot of the primaries that I've seen, there's at least one candidate who is anti-mass surveillance.


Way to miss the joke, champ. Never mind, though.

As it happens, I am not a US citizen. I have no recourse to the ballot box or indeed any other entity to affect the NSA's actions. I, and the other 6.5 billion of us, have very little option but to sit back and watch this story.

Have you effectively encrypted all the things yet?

Or are you in the 'I am not interesting' camp? Because, you might be interesting one of these days. Are you going to snare us all in your net?
