$30,000 to $1 Million -- Breaking Tor Can Bring In The Big Bucks
Earlier this year, before his company was torn apart by a security breach, I was having coffee with Eric Rabe, the mouthpiece for Hacking Team. The Italian organisation, which even its CEO called a “notorious” provider of government spyware, was looking to expand its line of products, Rabe said. That included targeting the anonymizing Tor network, where civil rights activists, researchers, paedophiles and drug dealers alike try to hide from the global surveillance complex.
Rabe wouldn’t say much more on how it might do that, but just a matter of weeks later, the leaks from the attack revealed their Tor exploits – a service that would see Hacking Team hardware placed on a target’s ISP to intercept their previously-hidden traffic. Given it was selling its malware for millions of dollars, one would expect its anti-Tor tools to be worth a fair sum too, such is the obsession amongst mandarins and snoops with the so-called “dark web”.
If it hasn’t already been made apparent, cops, spies and their contractors will pay anyone big money to break Tor. Unsubstantiated claims from the Tor Project that a pair of Carnegie Mellon (CMU) researchers were paid $1 million by the FBI to de-anonymize users are shocking not so much because of the figure, but because university researchers, not private dealers, were allegedly selling (keep in mind no one has admitted to any such deal and for now, the claims are based on hearsay and educated assumptions). There’s also been much anxiety around the techniques used – essentially catch-all exploits that could well have ensnared a vast number of innocent users, according to Tor Project leader Roger Dingledine. Was it justifiable to do that for the sake of catching a Silk Road 2 user and possibly some paedophiles?
Carnegie Mellon has found itself at the center of an ethical debate about sales of Tor exploits to government. But it hasn’t confirmed or denied claims two of its researchers were paid $1 million to unmask Tor users. Photo from Wikipedia.
There are, though, a vast number of those private exploit salesmen and women now focusing on Tor. A few times a year they share their exploits in private forums and exhibitions. Their hacks might place most Tor users in danger, but there’s currently not so much of a furore surrounding their business practices, even if concerns have been raised in the past.
Chaouki Bekrar, the founder of exploit sales firms VUPEN and Zerodium, says attacks targeting Tor nodes and de-anonymizing dark web users “are the holy grail of exploits for government agencies in charge of criminal investigations”. Zerodium, he says, is currently offering researchers up to $30,000 per zero-day exploit – an attack on an otherwise-unknown, unpatched vulnerability – targeting the Tor Browser Bundle. That’s the same Zerodium that offered a $1 million bounty for an untethered iPhone 6 jailbreak via browser exploits. As Zerodium will then sell zero-days on to interested parties, there’s likely a significant mark-up on that $30,000 by the time it is passed on to government agencies.
Bekrar believes a more targeted approach to identifying Tor denizens is better for law enforcement, however, rather than ensnaring large tranches of users to catch a few. “Targeting the Tor network itself by attacking or manipulating nodes to trace a few criminals is a dangerous practice as it may leak and threaten the identity of legitimate users, hence we always recommended to government investigators to use Tor Browser exploits instead as they can target a group of criminals without destabilizing the whole Tor network, and it’s more reliable and much cheaper,” he added.
Hacking Team’s Rabe, though coy about his company’s interest in Tor over email, expressed little surprise that a university may have been paid $1 million for such a service. “If the work led to shutting down a major drug bazaar on the Internet, law enforcement might well feel that $1 million was cheap compared to the lives potentially destroyed by the criminal activity.” “Clearly, any effort such as the one Tor alleged happened here would have significant value based on the time and expertise required as well.”
The company was due to talk at ISS World Training in Prague this summer about breaking Tor, in a presentation entitled “Demystifying SSL/TOR Interception: Attack case history and state-of-art countermeasures”. SSL is a web encryption protocol, shown in the address bar with the HTTPS prefix. The company’s CEO David Vincenzetti, operations manager Daniele Milan, and QA manager Fabrizio Cornelli were due to give the talk.
A brief look at the line-up for recent ISS conferences, which press and non-industry folk are not permitted to attend, also provides ample evidence that the dark web is a big seller. In October, the events organizer, TeleStrategies, provided a training seminar in Washington D.C. with the title “Understanding and Defeating Tor”.
The techniques described in the presentation’s blurb cover similar ground to the promises of the cancelled Black Hat talk from CMU. TeleStrategies’ Dr. Matthew Lucas, who told me his alma mater happens to be CMU, was focused on “identifying Tor traffic via IP lookups and protocol signatures”. He was also to guide law enforcement attendees through malware infection and uncovering “identity-related traffic outside the Tor stack”.
Dr. Lucas was due to give a talk about how Bitcoin and dark markets, such as the now-defunct drug bazaar Silk Road, worked together too. That was part of an entire track dedicated to the “Dark Web, Tor and Bitcoin Investigation”. There will be many, many more seminars on exposing those on Tor across a wide range of ISS events over the next year.
OK to break Tor… most of the time
Why are Tor exploit sales deemed a depressing fait accompli but similar deals between academia and government are perceived as more ethically abhorrent? Universities across the world work closely with intelligence agencies and law enforcement, receiving significant funding in return.
CMU, for instance, hosts a major Computer Emergency Response Team (CERT) that regularly partners with government and law enforcement as they try to cope with manifold online threats. It is primarily funded by the U.S. Department of Defense and the Department of Homeland Security, and is widely seen as a boon to keep everyone abreast of the latest digital threats.
Born in the embryonic phase of the Cold War, the MIT Lincoln Laboratory, a federally-funded entity, continues to research ways to benefit national security. It has dedicated surveillance and cybersecurity arms.
In the UK, GCHQ is increasingly active in its sponsorship of universities. The Heilbronn Institute, for instance, comprises distinguished research fellows at various UK universities. Half their time is spent pursuing research directed by the spy agency. Their research output is esoteric and little is known about how GCHQ uses the fellows’ findings.
Just this week, GCHQ announced a £6.5 million scheme “to support cutting edge cyber security research and protect the UK in cyber space”. Again, who knows how GCHQ might use what it learns from the so-called CyberInvest project? It has certainly been interested in hacking Tor in the recent past.
Academics need that kind of sponsorship to get on with their work, to the extent that a $1 million payday from the FBI shouldn’t be much of a surprise if true. “Note that a £100,000 personal grant is barely sufficient to obtain a PhD in UK for an EU citizen,” said Dr. Markku-Juhani O. Saarinen, a research fellow with the Centre for Secure Information Technologies at Queen’s University Belfast. “In CMU a small multiple of that would be required due to significantly larger tuition fees. Factor in administration, laboratories and other facilities, travel to conferences, etc., and a research project employing a couple of persons for a few years may easily cost $1 million.”
It’s also worth noting that the Tor Project has received significant grants from various parts of the US government – grants that help it stay up.
“I think Tor are being a little disingenuous,” said Professor Alan Woodward, a security expert from the University of Surrey, one of a handful of UK universities to have been named an Academic Centre of Excellence in Cyber Security Research, receiving a grant in the process. “CMU is a research-only university and relies on external funding from a variety of sources. Not a great surprise then that the US government would pay them for their expertise in this area.”
But, for many, if CMU really did give away a set of Tor exploits for $1 million, there are ethical difficulties. Saarinen said that if he had the chance to earn that much to crack Tor, he would take it, but he would ask for assurances he could report any findings back to the Tor team.
Keith Martin, from London’s Royal Holloway, said GCHQ provides both sponsorship of PhD projects and small grants for certain projects, though it is never requested by the intel agency. But, he said, if the stories were true about CMU, he’d see “an ethical clash between CMU’s apparent undermining of Tor and its technical support for Tor”. CMU not only helps run some of the nodes that make up the Tor network, but is believed to have set up malicious ones to carry out its attacks.
Matthew Green, cryptographer and professor at Johns Hopkins University, perhaps put it most eloquently in a blog post today: “Active attacks that affect vulnerable users can be dangerous, and should never be conducted without rigorous oversight — if they must be conducted at all. It begins with the idea that universities should have uniform procedures for both faculty researchers and quasi-government organizations like CERT, if they live under the same roof. It begins with CERT and CMU explaining what went on with their research, rather than treating it like an embarrassment to be swept under the rug.”
Whether true or not, Dingledine’s claims have brought up some big ethical questions that are, by their very nature, polarizing and possibly intractable. One fact that everyone can agree on, however, is that Tor is frequently shown to be flawed. For those who perceive Tor to be the home of drug dealers and paedophiles, this can only be a good thing. For those who see it as a beneficial tool for those who want to preserve their privacy and speak their mind away from the gaze of government, it’s simply depressing.