Tor enabled them to filter down Internet traffic to a subset, and then they simply violated the security premise behind real-world Tor usage (that the rest of the stack was secure) to pierce the veil completely.
I'm not indicting Tor. The opposite. But in Iran, China, or Belarus, you don't get to call a foul ball when your libtech stack breaks somewhere you weren't working on.
And again, my concern isn't Tor, but the (far more amateurish) things people come up with as new Tor alternatives to e.g. "circumvent the great firewall".
The principle I'm trying to communicate is that there's a degree of chauvinism implicit in amateur libtech --- that despite the billions of dollars any real country can leverage against Internet privacy, indie developers have a fighting chance against Iran, because after all they're just a tinpot dictatorship.
The other more general principle I try to communicate is that it doesn't matter how nice, or even how necessary, any given bit of security technology is. What matters is the engineering: will it work as deployed. Not having a better answer doesn't change the engineering fact of whether the best current solution is viable.
tptacek, I'm not sure I understand: do these new revelations really indicate indie developers don't have a fighting chance against Iran?
U.S. - absolutely, no fighting chance.
China - chances look slim.
Iran, Belarus - are you familiar with the technical achievements of their NSA equivalents, and so came to the conclusion they're likely as good as the NSA? Or maybe what the NSA did is just generally easy to do in your opinion?
Sure, still got hacked by Russian USBs though. What I'm seeing (the slides, Mr Alexander and so forth) is a huge list of incompetent dinosaurs in key positions. Sure there are skilled - very skilled - people all over the place, NSA, Iran, India, China, Australia, Cyprus (you name it). Sure the NSA employs more mathematicians than anybody else.
They have vision of hackers with AK Rifles on their back, wearing masks? Logos with a planet and a huge eye spying on it?
The flops these agencies do might surpass the successes by far. The thing is that you need to dig in order to find out the real story. Hollywood even makes movies advertising epic failures as wins (i.e. Argo, seriously???).
It seems unlikely that similar systems in any country would have remained unpenetrated in the face of that attack.
Just because one entity in a country got hacked, it doesn't mean other entities in the same country can't hack others. At the moment attack seems much easier than defence.
We don't know if the NSA has been penetrated, but given that Google's law enforcement search system was penetrated by unknown parties originating from China it would surprise me if the NSA has remained free from breaches.
Yes, but I'm not sure that justifies the end conclusion:
1. Do we actually know Iran spends $500MM on vulnerability research? What about Belarus?
2. Suppose they do. So they have zero-day exploits, sure. IIUC, you need MITM capabilities to execute an attack on Tor like the NSA did. This sounds costly, and I'm not sure it can be outsourced like buying zero-days. It also requires, ummm, "being on good terms" with telcos, backbone providers etc., which I'm not sure Iran is.
So I'm not saying it's inconceivable that Iran can attack Tor users, but the opposite also sounds plausible.