'Tor Stinks' presentation – read the full document

theguardian.com

292 points by RMacy 12 years ago · 114 comments


bernarpa 12 years ago

Today's full Tor coverage by the Guardian is: (Greenwald's article) http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack... (Schneier's article) http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa... (Leaked doc #1) http://www.theguardian.com/world/interactive/2013/oct/04/tor... (Leaked doc #2) http://www.theguardian.com/world/interactive/2013/oct/04/ego... (Leaked doc #3) http://www.theguardian.com/world/interactive/2013/oct/04/tor...

fein 12 years ago

Page 5: "Terrorist with Tor client installed"

And it's a picture of a guy with a bandit mask and an AK-47. I don't know about you guys, but all my Tor activities are performed in my Halloween costume!

I honestly can't believe something this tacky would end up in a presentation. Is this supposed to be propaganda?

  • lmm 12 years ago

    It's a powerpoint, doubtless put together by a middle-manager who thought some clipart would spice things up. Internal presentations at pretty much every company I've worked for have been just as tacky.

  • balabaster 12 years ago

    and a beard... like terrorists can be stereotyped like that. This is more than just propaganda, this is the mentality of the type of people who put these presentations together. The fact is that whoever wrote this presentation has profiled people like this. I would wager that 99% of online "terrorists" are sitting around in jeans and t-shirts, on safe soil, have probably never handled a gun, let alone an AK-47 (or whatever that is on his back), probably don't have a beard. The ones financing them probably spend their life wearing a suit and tie and are either driving a top of the line vehicle or are driven everywhere in a top of the line vehicle.

    If you look at the world around us and review the history of terrorism, most of it's been funded behind the scenes by one of the major superpowers, and you can't overlook the fact that a large portion of this has been backed by the US. It's funny how when the US wants a government toppled, the terrorists are "friendly" and funded and armed by the US government, but when they're counter to US interests, they're suddenly part of the axis of evil and must be destroyed...

    Perhaps if they stopped funding this ignorant behaviour and stopped supplying munitions to these terrorist interests, the problem would eventually go away... spend more on education and tolerance towards all points of view, enlightenment, the world would become a more peaceful place.

    When will "democratic" governments eventually realize that money and greed is not the best approach to furthering the human experience on this planet?

    Sorry, didn't mean to get off on a rant there, but that one picture triggered a bit of annoyance.

    • JackFr 12 years ago

      And banks don't actually keep money in big cloth bags with dollar signs on them. It's just clip art, and to say that it speaks to the mindset of a type of people you probably don't really know much about. I would hasten to say that your stereotypes are probably no more grounded in reality than those of the straw men you're attacking.

      >"If you look at the world around us and review the history of terrorism, most of it's been funded behind the scenes by one of the major superpowers, and you can't overlook the fact that a large portion of this has been by backed by the US."

      While this assertion is not completely baseless, it's simply not correct, but is the kind of empty-headed moral equivalence that gets tossed around to unanimous approval among a certain class who consider it a shibboleth of sophistication.

      To wit, in the history of terrorism, we see the Irish Republican Army, The Tamil Tigers, the Red Brigade, the Weather Underground, FALN, Baader Meinhof group, the Symbionese Liberation Army, the current Chechen groups, the Hindu and Muslim groups prior to the formation of Pakistan, and frankly many more -- all without super power support. While some national actors have stepped up to support terror groups, superpower, or even great power support has been the exception rather than the rule.

      During the cold war, the USSR, the US and China fought a number of proxy wars, and supported opposition groups in various national civil wars, mostly in Asia, Africa and Central America. Additionally, the CIA engaged in specific assassinations of political leaders largely in Latin America but not really what anyone would consider terrorism by the current definition. Your statement that a large portion of terrorism has been backed by the United States would require expansive definitions of 'large portion', 'terrorism' or 'backed' to be true.

      • foobarqux 12 years ago

        No, it requires the United States' own definition of terrorism to be applied to the US.

        Drone strikes in Pakistan alone have killed thousands of civilians.

        Many of the opposition groups you mentioned were backed by the US knowing that they committed and intended to commit terrorism and other war crimes.

      • novaleaf 12 years ago

        ++ this. this ppt isn't an analysis of terrorist personas, it's about tor.

        it's expected to use stereotypical shoo-ins for concepts outside the scope of the presentation.

    • smoyer 12 years ago

      You shouldn't be divulging information like this ... now all the terrorists will shave and we'll be toast!

    • nudetayne 12 years ago

      It's clearly intended as a joke. It's a slideshow shown to people with technological backgrounds. Most people in computer-based work have seen poorly selected stock photos like these to depict hackers/terrorists/whatever.

  • api 12 years ago

    "Terrorist" -- as everyone knew it would become -- is now shorthand for anyone undesirable or anyone targeted for any reason.

    • criley2 12 years ago

      It's the new red scare, the new Soviet.

      We Americans require a boogeyman.

      In all fairness, most countries do. Watching South American leaders lately shows the exact same behavior. Find a foreign devil for everyone to rally against to hide domestic issues.

      • spindritf 12 years ago

        Soviets were not some bogeyman. They were real, their spies were real, and the international communist movement they sponsored was real.

        Rosenbergs and others did spy for the Soviets. They did successfully transfer secrets related to the atomic bomb. And they were ideologically motivated.

        • shawn-furyan 12 years ago

          Communist would have been a better word to use than Soviet. Soviet was relatively specific, but broad swaths of the world got labelled communist. While it's true that the Soviets were more than boogeymen, I think that the broader point stands that Americans (and everyone else really) tend to have some convenient, reductionist label to apply to "others" that is broadly taken as a synonym for "evildoer". "Terrorist" is the fashionable label today.

        • nzp 12 years ago

          > And they were ideologically motivated.

          I may be reading you incorrectly, but I get the sense you consider what the US/West does somehow isn't ideologically motivated or that having any such motivations is inherently sinister? Of course they were, just like the US is ideologically motivated. Defending and furthering capitalist goals is no less ideologically motivated than defending and furthering communist goals.

        • quarterto 12 years ago

          Something something McCarthyism.

      • noonespecial 12 years ago

        "If the Devil didn't exist, it would be necessary to invent him."

    • tesseractive 12 years ago

      Recall this line from Blade Runner:

      > Replicants are like any other machine. They're either a benefit or a hazard. If they're a benefit, it's not my problem.

      These people's job is to fight (their government's definition of) terrorists. It's not automatically in the job description to develop a nuanced view of terrorism, of various categories of hackers, etc. -- except to whatever degree it helps them to understand their enemy and thereby stop them.

      People often do this even in jobs where the stakes are lower -- if you're running a struggling grocery store competing with a SuperWalMart, WalMart are the bad guys, even if the people who work at WalMart are perfectly nice people just trying to earn some money to raise a family.

      Having said that, yes -- it's obviously particularly dangerous to go around branding anyone you have a problem with a terrorist.

    • zeckalpha 12 years ago

      Or for the Navy, since they invented Tor. This whole thing is wacko.

  • zalew 12 years ago

    > I don't know about you guys, but all my Tor activities are performed in my Halloween costume!

    I don't always hack, but when I do, I wear a balaclava

    http://www.buzzfeed.com/copyranter/all-computer-hackers-wear...

  • Myrmornis 12 years ago

    Oh, come on, they're humans too, and thus subject to deliberately unfunny jokes in (technical or not) slide presentations like the rest of us.

    From a quick look this one seems more plausible than the absurd PRISM presentation.

    • deveac 12 years ago

      >From a quick look this one seems more plausible than the absurd PRISM presentation.

      Are you suggesting that the leaked PRISM presentations are not authentic?

      • Myrmornis 12 years ago

        I'm not sure. You can imagine that presentation in some run-of-the-mill crappy company meeting full of 9-5ers, but it's hard to imagine intelligent people with good educations presenting information to each other like that. I know there are all sorts of contractors, but would they really be discussing such weighty issues?

  • gmuslera 12 years ago

    If they built a Star Trek bridge replica to sell the idea of the NSA to the congress, they can do this too

    http://americablog.com/2013/09/nsa-outrage-star-trek-bridge....

  • ebbv 12 years ago

    Yeah where is the value for my tax dollars? I want top shelf Powerpoint presentations.

  • eterm 12 years ago

    This presentation seems very odd.

    Page 4: Dumb Users (EPICFAIL)

  • captainmuon 12 years ago

    Especially... I can't imagine this is clip art. Someone must have sat down and drawn that to order.

    That must be a really weird job, doing tacky but still sophisticated illustrations for top secret internal presentations.

  • jawr 12 years ago

    I thought it was more of a Zorro mask. It's very suspicious that the entire presentation seems to undermine the supposed severity of the issue with very silly names and pictures...

    Tor Stinks, ONIONBREATH, EPICFAIL

  • matthewmcg 12 years ago

    Can we pleeeeease make this the new default icon for the OnionBrowser Bundle?

    (edited to remove broken image link)

  • henryaj 12 years ago

    Amazing.

    Even better, on page 9: "Analytics: Dumb Users (EPICFAIL)"

debacle 12 years ago

This should provide clear warning to anyone who might consider themselves a cypherpunk: Even if you don't think that you are at war with the US government, the US government (and likely most other governments) believes it is at war with you.

It sounds dramatic because it is.

  • balabaster 12 years ago

    It's all part of the theatre and propaganda. Make the weak minded believe that everyone's the boogeyman. At least people on the internet can think critically and say "Er, this doesn't sound right"

balabaster 12 years ago

When will everyone get off the bandwagon of referring to anyone that's willing to actually stand for their beliefs counter to U.S. interests as a terrorist? It's gotten to the point where the word terrorist just makes me roll my eyes and say "whatever", I'm becoming desensitized to it, just like most of the UK did growing up in England during the height of IRA campaigns. After a while, it just became a tedious pain in the ass and everyone switched off.

rdl 12 years ago

General conclusion from all of the published leaks is that GCHQ punches (in technical capability and general quality of work) way above its weight class (funding and presumed staffing levels); they also seem much more willing than NSA to be completely unbound by any idea of domestic user privacy. Which is fitting for a country with the number of CCTV cameras they have.

  • BgSpnnrs 12 years ago

    Although, in effect I think you are right about GCHQ, that whole CCTV thing is pretty much a myth founded in a deeply flawed study focussed on a street in Central London. 90% of CCTV is privately owned, and if you step out of the metropolis CCTV is no more abundant than anywhere else. I suggest you stop using that argument with regard to the UK as it undermines your absolutely valid post.

GeorgeOrr 12 years ago

They actually saw it as their job to make the experience of anyone using Tor difficult.

Isn't that kind of like the police deciding to make the roads full of potholes because that would make it more difficult for bank robbers to get away in a car?

Then again, considering the quality of the roads these days, maybe they are way ahead of me on that.

  • revelation 12 years ago

    They are doing this all the time. They are buying exploits and keep them locked up, they actively backdoor software and hardware.

    Basic statistics tells us it is pure insanity to compromise our security for the noise that is "international terror".

  • agilebyte 12 years ago

    Police have to use the same roads. The presentation leads me to believe that they do not want to scare people away from Tor, so they can track at least some users, but probably/obviously have their own network/servers for anonymous connection that will not be impacted.

    Otherwise yes, it seems stupid to make Tor unusable as a whole.

henryaj 12 years ago

Depressingly, the document talks about plans to make Tor less reliable to dissuade people from using it:

> Could we set up a lot of really slow Tor nodes ... to degrade the quality of the network?
>
> Given CNE access to a web server make it painful for Tor users?

At least the document seems to confirm that GCHQ has a really, really hard time de-anonymising Tor users.

  • haakon 12 years ago

    I'm pretty sure Tor does smart peer profiling/selection to optimize for throughput. Lots of people run Tor relays on their silly little home DSLs and Tor still works.

    • eterm 12 years ago

      Which is why the slide also talks about reporting as if being a high throughput node. i.e. Report back that you're handling a lot of traffic quickly while handling traffic very badly. Does Tor have protection against a node doing that?

      • plorg 12 years ago

        I'm pretty sure Tor profiles against this as well. There's a presentation somewhere on YouTube addressing just this problem.

  • axus 12 years ago

    At the end they debate whether killing Tor would be bad, since if they could exploit it they'd have all the "bad guys" in one place.

  • aganders3 12 years ago

    But then the last slide has this:

    > Critical mass of targets use Tor. Scaring them away from Tor might be counterproductive.

  • milsorgen 12 years ago

    If anything this just encourages me to keep my non-exit relay up as much as possible.

  • api 12 years ago

    This could be countered by setting up a lot of fast nodes. Stealthier malicious nodes that selectively drop or tar-pit traffic though would be harder to fight...
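The eterm/plorg exchange above asks whether a relay can game path selection by advertising more capacity than it actually delivers, and api's reply notes that many fast honest nodes dilute a few slow ones. The following is an added example, not code from this thread or from the Tor Project, that models the question with a simplified weighted selection: each hop of a circuit is chosen in proportion to a bandwidth weight, once taking each relay's self-reported figure at face value and once using an independently measured figure (which is the role Tor's bandwidth measurement plays, though the real consensus weighting is more involved than this). The relay list, the "measured" numbers and the weighting rule are constructed assumptions.

```python
import random

# Constructed relay set (not real Tor relays). `advertised` is what the relay
# claims about itself; `measured` is what an outside measurement would observe.
RELAYS = {
    "honest-a": {"advertised": 10, "measured": 10},
    "honest-b": {"advertised": 10, "measured": 10},
    "honest-c": {"advertised": 5,  "measured": 5},
    "honest-d": {"advertised": 5,  "measured": 5},
    "liar":     {"advertised": 70, "measured": 1},   # claims 70, delivers 1
}


def weights(relays, policy):
    """Per-relay selection weight under a policy (assumed, simplified rule).

    'self-reported': trust the advertised figure outright.
    'measured':      cap the advertised figure by the externally measured one.
    """
    if policy == "self-reported":
        return {n: r["advertised"] for n, r in relays.items()}
    if policy == "measured":
        return {n: min(r["advertised"], r["measured"]) for n, r in relays.items()}
    raise ValueError(policy)


def per_hop_probability(relays, policy, name):
    """Probability that a single hop lands on `name` (its weight / total weight)."""
    w = weights(relays, policy)
    return w[name] / sum(w.values())


def build_circuit(rng, w, hops=3):
    """Pick `hops` distinct relays, each drawn in proportion to its weight."""
    remaining = dict(w)
    path = []
    for _ in range(hops):
        names = list(remaining)
        pick = rng.choices(names, weights=[remaining[n] for n in names], k=1)[0]
        path.append(pick)
        del remaining[pick]          # a relay appears at most once per circuit
    return path


def circuit_share(relays, policy, name, trials=20000, seed=1):
    """Fraction of simulated 3-hop circuits that pass through `name`."""
    rng = random.Random(seed)
    w = weights(relays, policy)
    hits = sum(name in build_circuit(rng, w) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for policy in ("self-reported", "measured"):
        print(f"{policy:14s} per-hop p(liar)={per_hop_probability(RELAYS, policy, 'liar'):.3f}"
              f"  circuits via liar={circuit_share(RELAYS, policy, 'liar'):.3f}")
```

With self-reported weights the lying relay carries 70% of hops and ends up on almost every circuit; once the advertised figure is capped by measurement it drops to about one hop in thirty-one. The model also shows api's point: adding honest capacity raises the denominator, but only external measurement removes the liar's ability to inflate its own numerator.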

devx 12 years ago

Why are these latest NSA stories getting flagged so much?

I don't like that PG has relaxed the flagging so much. You can probably flag even tens of stories a day now without having your flagging removed.

  • captainmuon 12 years ago

    I wonder, if you flag too much, do you get a 'querulant' flag yourself that makes the site ignore your flags? :-D

    I would totally implement something like that if I were PG. Seems to fit the mindset of HN, as it also uses hellbans.

tlarkworthy 12 years ago

That's a ringing endorsement for Tor. It really works! They struggle to get info out of it.

sybhn 12 years ago

Doesn't look like a very ethical/professional presentation. But then again, who said everyone's professional in all agencies. It's a conjecture to think our laws are systematically enforced by ethical folks.

andrelaszlo 12 years ago

http://s3.documentcloud.org/documents/801434/doc2.pdf

Ogre 12 years ago

Of course, if they actually have a really easy time de-anonymizing users, they might "leak" a document like this to encourage people to keep using it.

Conspiracy theories are fun!

  • AnIrishDuck 12 years ago

    It already says they want people to keep using Tor. Read the last slide:

    > Critical mass of targets use Tor. Scaring them away from Tor might be counterproductive.

    In other words, they'd rather only have to break one anonymization service instead of five.

  • captainmuon 12 years ago

    If I had a few million dollars to run compromised Tor nodes, and the ability to subpoena (and gag order) any Tor node operator in USA, UK and a couple of other major countries to give me their keys, I would be able to easily de-anonymize a large portion of the network.

    • kansface 12 years ago

      It is commonly assumed that the NSA/CIA run a substantial portion of the exit nodes. Moreover, they are a global adversary (one Tor is not designed to defeat).

    • dublinben 12 years ago

      How many times can you employ that tactic until the savvy targets move onto more secure networks?

  • debacle 12 years ago

    This is probably part of the Snowden files, so it was unlikely to be an intentional leak.

ianstallings 12 years ago

Does anyone know what the QUANTUM attack they refer to is? It doesn't seem like quantum computing on the face of it; It looks like it may be a system used to disrupt traffic on the internet, possibly man in the middle attacks.

Edit: I found a reference to something called a "Quantum Insert" in an article related to GCHQ. They state the following:

According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them

http://www.spiegel.de/international/europe/british-spy-agenc...

This might be what they are referring to, or a system that was built for targeting specific individuals.

  • berberous 12 years ago

    "To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.

    In the academic literature, these are called "man-on-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks."

    Read more here: www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity

    • rdl 12 years ago

      Can we translate that to something sane? Is it "shorter BGP/more specific route announcement?" Or some kind of MITM by being directly in line? Assuming it is TCP traffic, just being "faster to respond" doesn't help all that much without some other logic.

      If I were MITMing with full cooperation of only a subset of a network carrier, I'd probably go for some route announcement tricks; easier to interface with the rest of the organization, and due to lack of filtering internally, not much config change required. Would fail safely (== non-detectably), also, and could potentially be explained away as "oh, shit, some stupid ISP leaked routes".

      (I guess you could give bad dns responses, too, and then go from there, but that sounds more detectable at the end user device, which is very undesirable.)

  • balabaster 12 years ago

    This is enabled by a very obvious flaw in the CA infrastructure that SSL/TLS is based upon. All it takes is someone with leverage over the top level certificate authority and the DNS servers you use and there's nothing you can do to detect that's what's going on. That's a huge and very obvious flaw in the system that anyone questioning what they can trust on the internet should have spotted a mile away.
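rdl asks what being "faster to respond" buys an attacker on a TCP flow. In the Guardian's description quoted by berberous, the injected reply carries the sequence numbers the client expects and lands first, so the client accepts it and discards the legitimate reply that arrives a moment later as a duplicate. That race leaves a fingerprint on the wire: two segments in one flow covering the same sequence range with different bytes, usually with different IP TTLs because they were emitted by different hosts. The detector below is an added example, not code from this thread or from any product or agency named in it; the packet records are constructed, not captures, and the hostname in the injected redirect is a placeholder.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal view of a TCP segment as a passive sensor would record it."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes
    ttl: int          # IP TTL on arrival


def flow_key(s: Segment):
    return (s.src, s.sport, s.dst, s.dport)


def find_conflicting_segments(segments):
    """Flag flows where two segments overlap in sequence space but disagree
    on the bytes inside the overlap.

    A genuine retransmission repeats the same bytes for the same range and is
    not flagged. A race between an injected reply and the real one puts two
    different payloads on the same sequence range, which is flagged.
    """
    history = defaultdict(list)   # flow -> segments seen so far
    alerts = []
    for seg in segments:
        for prev in history[flow_key(seg)]:
            lo = max(prev.seq, seg.seq)
            hi = min(prev.seq + len(prev.payload), seg.seq + len(seg.payload))
            if lo >= hi:
                continue          # sequence ranges do not overlap
            a = prev.payload[lo - prev.seq:hi - prev.seq]
            b = seg.payload[lo - seg.seq:hi - seg.seq]
            if a != b:
                alerts.append({
                    "flow": flow_key(seg),
                    "seq": lo,
                    "first_ttl": prev.ttl,
                    "second_ttl": seg.ttl,
                    "first_bytes": a[:40],
                    "second_bytes": b[:40],
                })
        history[flow_key(seg)].append(seg)
    return alerts


# Constructed sample traffic (not a real capture): the server-to-client
# direction of two HTTP flows. The first shows a race, the second an
# ordinary retransmission that must not raise an alert.
RACED_FLOW = [
    # arrives first: a redirect the real server never sent (placeholder host)
    Segment("203.0.113.10", 80, "198.51.100.7", 51000, 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://placeholder.invalid/\r\n\r\n", ttl=58),
    # arrives later: the genuine response for the same sequence range
    Segment("203.0.113.10", 80, "198.51.100.7", 51000, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>", ttl=51),
]
RETRANSMIT_FLOW = [
    Segment("203.0.113.20", 80, "198.51.100.7", 51001, 4000,
            b"HTTP/1.1 200 OK\r\n\r\nhello", ttl=52),
    Segment("203.0.113.20", 80, "198.51.100.7", 51001, 4000,
            b"HTTP/1.1 200 OK\r\n\r\nhello", ttl=52),   # same bytes: retransmit
]


def demo():
    return find_conflicting_segments(RACED_FLOW + RETRANSMIT_FLOW)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The check is the one a network sensor can make passively and is the reason rdl's "fail safely (== non-detectably)" does not quite hold for the in-line variant: the loser of the race still arrives. A production version would bound the per-flow history, ignore segments after the flow closes, and treat a TTL difference as supporting evidence rather than a requirement, since two segments from the same host can also differ in TTL after a route change.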

umanwizard 12 years ago

How do we know this wasn't just a trick to make people think tor is safe and keep using it?

  • captainmuon 12 years ago

    Pretty sure it is. If you need serious anonymity, like if your life depends on it, get a botnet and use the trojaned PCs as proxies. Use public WiFi, and use cheap laptops that you replace regularly and/or VMs, and don't forget to fake your MAC address. Create multiple fake personas to confuse attackers. Have stuff you write rephrased by someone else, so they can't do a corpus analysis on your writings. Do as much offline as possible. If you have to transfer information, avoid the internet. Use dedicated lines, dialup, dead drops, etc. etc.

    I'm so glad I have nothing to hide.

gwu78 12 years ago

From the Schneier article:

"The good news is they [NSA] went for a browser exploit..." - Roger Dingledine, President of Tor project

It seems there are assumptions among parties that employ "browser exploits" against unsuspecting users that the persons targeted will be using "modern", complex, Javascript-enabled, graphical browsers, and that they'll use these browsers to retrieve content from the network and to view that content on machines with writeable permanent storage that can connect to the network. Am I misreading all these tales of browser exploitation?

Can these parties accommodate reboots from read-only media, text-only browsers, write-protected storage and offline viewing of content?

Maybe the problem isn't so much with Tor as with the popular browsers and their gratuitous complexity.

jawr 12 years ago

The slides were from over a year ago, I'm sure a lot has changed since then. Also the timing of this is very suspect, obviously it's been in the news and the Guardian either want to run with this new line brought on by the Silk Road "bust", or they just want to "soothe" (take as you will) our worries with the network.

Would also love to know more about NEWTONS CRADLE, anyone heard of anything more specific?

processing 12 years ago

http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...

tinfoilman 12 years ago

Some nice recommendations tho for usage.

ORBOT / Tor Router Project / Hide-my-ip-address / Tor Project and the bootable OS Tails.

Some of the more advanced Obfuscation for the tor project

Skype Morph - Hides Tor traffic in Skype packets mmm fun and worth a look

Someone better be working on tor Obfuscation with flash packets, no one is going to block those things.

/tinhat

MichaelGG 12 years ago

It's important to note this is from 2007 and thus things have probably changed immensely since then.

Edit: Nevermind, it says it's sourced from a 2007 file but dated 2012.

  • AJ007 12 years ago

    I think your original conclusion, 2007, is correct.

    What exactly does sourced vs dated even mean?

    The document states "still investigating" for multiple issues. It doesn't take the NSA 6 years to investigate these things.

    The questions are very basic, such as, browser/JS exploits, leftover cookies, and owning the majority of nodes. That is hardly top secret, all of these were things that were public concerns long ago.

    The other alternative is they just don't care. They can still slurp down a good portion of the incoming and outgoing email traffic. If one of WikiLeaks' origin stories is to be believed, most Tor users have no idea how Tor works or what they are actually doing, including government operators (with the appropriate code name EPICFAIL on page 9.)

    Going completely off topic, I had an idea earlier. Bitcoin right now is using something around 16,000 petaflops of processing. This shows that when proper incentives exist massive computational and network resources can be utilized in a distributed manner.

    What if a protocol existed which forced user participation or required them to exchange a store of value to use it? For example, if a user acted as a node (relay not exit) they mined a currency (probably inflationary.) If a user did not act as a node, they had to pay a currency which would then be distributed to exit node operators. The currency could be bought and sold through exchanges rather than to a central commercial entity.

    The end goal, besides having a lot more network bandwidth, would be to have so many relay and exit nodes running it would be economically impossible for a single entity to compromise a significant number of them.

    Of course, easier said than done.

backwardm 12 years ago

After reading many of these articles about the NSA I keep wondering if they have an office specifically tasked with thinking up code names for these projects. I personally would find it difficult to keep them all straight—this article, for example, contained a new one to me: ONIONBREATH.

Just an odd image in my mind of a group of top-security clearance, extremely well trained, able-minded people who think up silly code names like these.

  • code_duck 12 years ago

    Many government agencies do this - check out the names for DEA stings, or even FDA operations.

  • noir_lord 12 years ago

    TOR - The Onion Router.

    Would be a hell of a coincidence if it wasn't a reference.

balabaster 12 years ago

I also quite like the point "Analytics: Cookie Leakage", like anyone that uses Tor doesn't use it in incognito mode with cookies disabled... or flushes their cookies before they use anything else...

... that either says they're stupid, or they're only after stupid terrorists... as if they're the ones they should really be concerned about.

  • debacle 12 years ago

    I think Tor recommends surfing from a dedicated virtual machine, IIRC, which is probably the safest way to surf, though something like Flash or Java can still probably report the actual host IP.

galapago 12 years ago

After watching the presentation, I can think of two things to make TOR better, from the point of view of the anonymity of its users:

* Better education on how users can browse carefully (no JavaScript, no plugins, updated browsers)
* More nodes.

yk 12 years ago

Somehow I find this presentation reassuring. It mainly suggests to me that the NSA/GCHQ has to do 'honest' traffic analysis, implying that they did not break any of the crypto primitives used in Tor.

conductor 12 years ago

So, according to these documents, NSA and GCHQ do have a few "owned" exit nodes, but not so many, hence, they want to own more. Interestingly enough, GCHQ set up Tor exit nodes on the AWS cloud.

untog 12 years ago

Most fascinating part - using DoubleClick ad cookies to trace Tor users.

pwnna 12 years ago

Given that it says that the NSA and the GCHQ are trying to set up Tor nodes.. is it possible for us to identify these nodes? Some sort of trust network perhaps?

  • pbhjpbhj 12 years ago

    The document is dated 20070108, seems they'd be a lot further on with Tor now. Also they mention using AWS to set up Tor nodes.

    Was interested in the user profiling to establish from raw network traffic which users are likely using Tor - so for example from this message.

    Not sure what QFP is though?

aspensmonster 12 years ago

This is a glorious release. I'm suspecting we have Schneier to thank for the full release of the slideshow that is mostly unredacted.

  • BgSpnnrs 12 years ago

    if you follow ioerror and ggreenwald on twitter you probably have some idea of what forced this particular cache of articles.

quantumpotato_ 12 years ago

Of course it stinks. Its "only" weakness is a "global, passive adversary" + It was built by the US Government.

Sami_Lehtinen 12 years ago

Don't we all know that Tor is a low latency solution and therefore directly vulnerable to statistical correlation attacks?
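Sami_Lehtinen's point, that a low-latency design leaves flows open to statistical correlation, can be shown on synthetic data, together with the defender-side counterpart. The script below is an added example, not code from this thread or from the Tor Project: it generates a bursty client-side trace, forwards it through a modelled relay that adds a fixed delay plus small jitter, mixes the result with unrelated flows, and ranks the candidates by Pearson correlation of bytes per 100 ms bin over a range of time shifts (the observer does not know the relay's latency). It then runs the same test against a flow shaped to a constant rate, which has no per-bin variation for the correlation to latch onto. All traces, delays, sizes and the bin width are constructed assumptions.

```python
import math
import random

BIN_MS = 100            # correlate bytes per 100 ms bin (assumed granularity)
DURATION_MS = 10_000    # length of every trace


def make_burst_trace(rng, n_bursts=6):
    """Constructed client-side trace: (timestamp_ms, bytes) events grouped in bursts."""
    events = []
    for _ in range(n_bursts):
        t = rng.uniform(0, DURATION_MS - 1000)
        for _ in range(rng.randint(3, 8)):
            t += rng.uniform(5, 40)
            events.append((t, rng.randint(500, 1500)))
    return sorted(events)


def forward(trace, rng, latency_ms=300, jitter_ms=20):
    """Model a low-latency relay: every event reappears after a fixed delay plus a little jitter."""
    return sorted((t + latency_ms + rng.uniform(-jitter_ms, jitter_ms), b) for t, b in trace)


def constant_rate_trace(bytes_per_bin=1000):
    """Defender-side model: a flow shaped to emit the same volume in every bin."""
    return [(i * BIN_MS + 1, bytes_per_bin) for i in range(DURATION_MS // BIN_MS)]


def to_bins(trace):
    bins = [0] * (DURATION_MS // BIN_MS)
    for t, b in trace:
        idx = int(t // BIN_MS)
        if 0 <= idx < len(bins):
            bins[idx] += b
    return bins


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0          # a flat series carries no signal to correlate
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return sxy / math.sqrt(sxx * syy)


def correlation_scores(ingress, candidates, max_shift_bins=10):
    """Best correlation of the ingress flow against each candidate egress flow,
    searched over small forward shifts because the relay's latency is unknown."""
    xb = to_bins(ingress)
    scores = []
    for cand in candidates:
        yb = to_bins(cand)
        best = max(pearson(xb[:len(xb) - s], yb[s:]) for s in range(max_shift_bins + 1))
        scores.append(best)
    return scores


def demo(seed=7):
    rng = random.Random(seed)
    client = make_burst_trace(rng)
    decoys = [make_burst_trace(rng) for _ in range(4)]
    # Egress side: the client's forwarded flow sits at index 2, the rest are unrelated.
    egress = [forward(decoys[0], rng), forward(decoys[1], rng), forward(client, rng),
              forward(decoys[2], rng), forward(decoys[3], rng)]
    unpadded = correlation_scores(client, egress)
    padded = correlation_scores(client, [constant_rate_trace() for _ in egress])
    return unpadded, padded


if __name__ == "__main__":
    unpadded, padded = demo()
    print("low-latency relay :", [round(s, 2) for s in unpadded],
          "-> best match index", unpadded.index(max(unpadded)))
    print("constant-rate flow:", [round(s, 2) for s in padded])
```

The low-latency case picks out the client's flow because the relay preserves the burst shape, only delayed; the constant-rate case scores every candidate at zero. Shaping every flow to a fixed rate is the classic answer to this weakness and also the reason Tor does not do it: the padding cost is paid on every circuit whether or not anyone is watching.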

lelf 12 years ago

Dated: 20070108

Declassify on: 20370101

ffrryuu 12 years ago

That is a lot of our taxpayer money at work...

ffrryuu 12 years ago

Freedom lover with Tor client installed.
