Testing the limits of vulnerability
TECHSPLOITATION Among hackers, exploitation is a social good. Exploiting a piece of software means discovering a little chink in its armor, a vulnerability that could allow a crook to slip through and do unwanted things to innocent people's computers. Researchers write an exploit a little program that takes advantage of the vulnerability and then show it to everybody involved so that the vulnerability can be patched up.
But things are not always so tidy, and a case in point is an exploit recently released by a researcher named HD Moore. He publicized a vulnerability in a system called Tor, which facilitates anonymous Web surfing and online publishing. Used by political dissidents, journalists, and people who just want additional privacy, Tor routes Internet traffic through a special network of protected servers run by thousands of volunteers.
To run his exploit, dubbed Torment, Moore set up a series of fake Tor nodes that did the opposite of what a real Tor node would do: they looked at every bit of traffic passing through and did some tricks to tag that traffic and follow it back to its source so that the people using Tor could be identified. Like many exploits, Torment only works on people who have misconfigured Tor. So anyone who has faithfully followed the instructions on how to use Tor is still safe but of course, even the most anal-retentive of us make mistakes sometimes when installing and configuring software.
Moore has said that he decided to launch this attack on Tor because he suspects that child pornographers are using the anonymous network to hand out kiddie porn. But it's also more than that. Via e-mail, he told me, "If anything, I want my demonstration site to serve as a warning for anyone who believes their Web traffic is actually anonymous."
There are two problems here. First, there's a technical problem. Moore's exploit isn't new research that will help improve Tor's security it's simply a rehash of exploits that work on anyone who has misconfigured their browser software. As Tor developer Nick Mathewson pointed out in an online chat with me, "I don't think that polishing exploit code for existing attacks that depend on users being improperly configured really helps the research field much. When you're demonstrating new attacks, that looks like research to me."
Contrast Moore's work with that of UK researcher Steven Murdoch, who last year published an unusual new exploit that could reveal the identities of Tor users who have all the proper configurations. In other words, Murdoch found a vulnerability in Tor; Moore found a vulnerability in software users they misconfigure stuff that would apply no matter what program they used.
And this leads to the second problem that Moore's exploit raises. Given that he found a general problem that goes far beyond Tor, why call it a vulnerability in Tor? It would almost be more accurate to say he's noticed that it's hard to surf the Internet anonymously while using a browser because most browsers hand out your IP address to anyone who asks for it. Although I can't speculate about Moore's motivations, his disclosure winds up coming across as a potshot at the Tor community. The way Torment works only shores up this interpretation. He's asked people who use Torment to watch the traffic going through their fake Tor nodes. He wants them to read and track people's private data not only in violation of those people's wishes, but also potentially in violation of the law.
It would be easy to claim that Moore's motivation is political in nature. He says he built Torment to help law enforcement. Perhaps he believes only criminals want anonymity and innocent people shouldn't be worried about publishing articles that can be traced back to their computers' IP addresses. Those of us who want to protect the identities of dissident journalists, privacy lovers, queer activists, and human rights workers in Central America obviously feel otherwise.
Of course, this debate highlights the problem with releasing exploits in general. When hackers find vulnerabilities in Windows, they're accused of wanting to destroy Microsoft rather than make the world a safer place. Same goes for hackers who exploit government computer networks. But unlike real-world exploitation, nearly all computer exploitation can be turned to good in the end. Even Torment has had good side-effects. "We're working on clarifying the instructions for configuring Firefox and Tor," Mathewson said. "Moore has helped us to realize we should do that." *
Annalee Newitz is a surly media nerd who isn't anonymous but is glad that she could be.