What Do the Pentagon and the Tor Anonymity Network Have in Common?

John Pescatore
Jul 21, 2017 · 3 min read

Last year, we gave the US Office of the Secretary of Defense a SANS Difference Makers award for the Hack the Pentagon program. Basically, they ran a “managed bug bounty” program that encouraged security researchers (and the general public) to find vulnerabilities in DoD software and rewarded them financially for forwarding the bugs to the DoD (and only the DoD). This approach has proven widely successful in private industry, and the US Digital Service estimated that Hack the Pentagon resulted in 138 previously unknown vulnerabilities being exposed at less than 1/6th the cost of a traditional contracting engagement.

This week, the Tor anonymity network announced it was launching a similar managed bug bounty program. Tor (an acronym for “The Onion Router”, which you will understand in a second) is basically free software that allows users to hide their IP addresses from websites and their Internet traffic from eavesdroppers, such as government agencies. Tor uses encryption and thousands of routers in multiple layers (like an onion! well, other than the encryption part) to provide random IP addresses and make it hard, if not impossible, for anyone to connect those random addresses to the Tor user’s real IP address.

Source: torproject.org

While anonymity on the Internet is a desirable feature to many legitimate users, Tor is widely used by criminals and others doing illegal and dodgy things. Because of that, the US intelligence community has been active in trying to compromise Tor, and in March 2017 the FBI dropped a case against a suspected child pornographer who had been using Tor, rather than go to court and expose the methods by which it defeated Tor’s anonymity. This may have been the impetus for Tor looking to find and fix vulnerabilities in its software.

The ironic part: both the Pentagon and Tor are using the same security service vendor, HackerOne, to run their managed bug bounty programs. HackerOne has a long and varied list of customers, ranging from Tor and Pornhub to Airbnb, Dropbox and Twitter. But I still get a jolt of cognitive dissonance when I see the Pentagon and Tor sharing security services.

Another HackerOne customer has also been in the news recently: Kaspersky Labs, the Russian antivirus software vendor. The US General Services Administration removed Kaspersky from the list of approved vendors for US government agencies because of the company’s ties to the Russian government. This is despite the fact that Kaspersky has been around and in use for a long time, and there has been no public evidence of any hidden or nefarious capabilities in its software.

So: this global economy is complex stuff! Reducing vulnerabilities overall is critical to protecting yourself, and it is also critical to make sure your vendors and partners are secure and trustworthy. This doesn’t mean they can’t do business with your enemies or that they have no ties to the government of your opponents; if that were the requirement, a lot of US security companies would lose a lot of overseas revenue. To paraphrase the late President Ronald Reagan: Verify, then trust.

Lots of information on how to do this is published by the OWASP organization here and by the SANS Institute here. Twitter-worthy “Twelve Word Tuesday” on this topic here, with some additional pithy analysis in SANS NewsBites.
