It is not quite the same as a full-fledged "bug bounty program," but Zerodium, a firm that specializes in buying and reselling exploits, is now offering one million dollars for a "0-day" in the Tor Browser or the Tails operating system. More specifically, Zerodium is looking for an exploit that leads "to remote code execution on the targeted OS either with privileges of the current user or with unrestricted root/SYSTEM privileges."
— BleepingComputer (@BleepinComputer) September 13, 2017
Why Are Tails and Tor Being Targeted?
In a previous article loosely related to this topic last March, Legacy Medi4 addressed how, among other things, the Tails operating system has been particularly helpful to hackers and government contractors alike. Moreover, Tails is also the primary reason why the Trump Administration can't find any of the "leakers" it keeps talking about, because Tails is the primary operating system through which these people do business. Considering that Tails routes all of its network traffic through Tor, it is easy to see why exploits against these systems could be of very large benefit to some very powerful people right now.
While Zerodium claims that it is seeking out Tor and Tails exploits for "morally upstanding reasons," many people remain skeptical of its true motivations. Zerodium states that "While Tor network and Tor Browser are fantastic projects that allow legitimate users to improve their privacy and security on the internet, the Tor network and browser are, in many cases, used by ugly people to conduct activities such as drug trafficking or child abuse." The company explains that this is why it has decided to launch its "special bounty for Tor Browser zero-days," so that it can "help our government customers fight crime and make the world a better and safer place for all."
The ironic thing about all of this is that, while Tor is often thought of as a dangerous platform exploited by psychopaths, drug dealers or criminals through the Darknet, the truth of the matter is that Tor was first developed by and for the United States government: onion routing and the original Tor software came out of the United States Naval Research Laboratory. Believe it or not, as recently as 2014 the Tor Project, which still develops the Tor Browser today, received 60% of its overall yearly funding from the United States Department of Defense. (Tails itself is a separate project that builds on Tor rather than a product of the Tor Project.)
The Tor Project Responds To Bounty Initiative
In response to the news that Zerodium was launching a bounty initiative against them, the Tor Project reminded the world of the importance of its work and the systems it creates. It explained how breaching these systems could potentially put people's lives at risk, because, beyond any criminals using the software for malicious ends, its services are primarily aimed at human rights defenders, political activists, lawyers, researchers, intelligence analysts, military personnel and others like them.
Pointing out that Zerodium's bounty program is financially motivated, the Tor Project reminded people that it already runs a bug bounty initiative of its own, aimed at getting researchers to report flaws directly to the project so that they can be patched immediately. While Tor isn't paying as much for this information as Zerodium will, the project's goal is to keep people safe, not to make money at the expense of people's privacy.
In a public response to Zerodium, in statements made available to The Hacker News, a spokesperson for the Tor Project said that they "think the amount of the bounty is a testament to the security we provide. We think it's in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty." They added: "Over 1.5 million people rely on Tor every day to protect their privacy online, and for some it's life or death. Participating in Zerodium's program would put our most at-risk users' lives at stake."
Where Did Zerodium Get Their Million Dollar Figure?
The figure of 1 million dollars was not pulled out of thin air; it is based on what law enforcement agencies such as the FBI have been known to pay in the past. On more than one occasion the FBI has acknowledged, or been credibly reported, to have paid at least 1 million dollars to private parties in exchange for exploits and techniques that let the agency bypass security features and break into devices or networks.
For example, as The Hacker News reported on the 2014 incident, documents revealed how the FBI paid "Carnegie Mellon University (CMU) at least $1 Million to disclose the technique they had discovered that could help them unmask Tor users as well as reveal their IP addresses as part of a criminal investigation." Not only this, but in 2016, as was widely reported by multiple press agencies, the FBI paid an Israeli tech firm around 1 million dollars for the ability to break into an Apple iPhone in connection with the San Bernardino terrorism investigation.
It is important to note that the Tor deanonymization technique the FBI bought in 2014 was patched within months and no longer works, which also explains why the agency is still looking for exploits today. Zerodium openly admits that the first thing it will do with any exploit it purchases is resell it to government agencies at a higher price. This begs the question of why anyone would go to Zerodium with an exploit for less money, instead of going to the government directly.