Silk Road forums
Discussion => Security => Topic started by: merked on October 24, 2011, 04:02 pm
-
Interesting read came in one of my security mailing lists. Doesn't sound like the anonymity of the tor network is in any danger yet, but these guys are possibly onto something. Figured some security-minded people on these forums might enjoy the read.
Clearnet link below.
http://thehackernews.com/2011/10/tor-anonymizing-network-compromised-by.html
-
Yep: good read. cautionary, for sure. Not in the wild, but make sense. Need to up my security a bit.
-
So how does this get addressed and who does the addressing, I'd like to know.
-
Interesting read. Very creative. The good point to note here is that the exploit was found by researchers who published their findings. This allows others to work on a fix for the issue.
-
There are two steps to this one - first they have to infect a number of tor nodes with a virus. That means that everyone should keep their computers clean and updated. Second, they perform a denial of service attack to force tor to route thru the nodes infected with their virus.
Encrypt, encrypt, encrypt.
I suspect the NSA isn't publishing their findings.
-
Response by Tor developers:
blog.torproject.org/blog/rumors-tors-compromise-are-greatly-exaggerated
-
It seems more like a theoretical way to force traffic through compromised nodes, rather than a true fault with the anonymity in general.
I'm not too worried. TOR is only one aspect of a total security solution. If I'm doing it right, then even if TOR was compromised in this way I wouldn't be at risk myself.
And according to the Tor Project's response, the numbers this group was reporting are way off base, which leads me to question the rest of their findings as well.
The specific attack involves creating a virus and using it to infect such vulnerable systems in a laboratory environment, and thus decrypting traffic passing through them again via an unknown, unmentioned mechanism. Finally, traffic is redirected towards infected nodes by essentially performing a denial of service on clean systems.
What mechanism? Isn't Tor traffic encrypted between each node? Wouldn't they have to control every node in a data chain in order to have all the relevant keys?
-
Update for interested parties: http://arstechnica.com/business/news/2011/10/slicing-the-onion-is-tor-vulnerable-or-not.ars
Filiol’s work has drawn criticism before. In 2003, he published a paper claiming that the AES encryption algorithm could be broken through a simple ciphertext block attack, but he later modified his claims. A team of researchers trying to replicate his results found that even his modified claims could not be reproduced. One Luxembourg-based security expert complained on Twitter, “Every few years, Eric Filiol claims an amazing infosec discovery which turns out to be nonsense.”
Apparently, the full details won't be known until he gives his presentation, but other security experts aren't holding their breath.
-
This guy is full of shit. Every 5 years or so he comes out with a massive claim that cannot be replicated "for some reason" when put to the test by experts.
He basically knows enough programming and technical jargon to dupe the right people into giving him publicity. This conference this is garbage - he's just playing off this claim against the conference in the hopes that a shitload of people show up, paying the ticket price, and he gets to rake in the cash.
I would love to see video from the Q&A session though lol.
-
Please, everyone, forget the stupid rumors, and go to the Tor Project blog, and update your Tor software. There was a serious issue, and I do fear that it was exploited by many TLAs - however, we shall see what actually falls out.
https://blog.torproject.org/blog/
if you have been paying attention to the network map when you connect, you will see immediately what I mean. The TLS security bug allowed a dirty node in the USA, and the rest as we say, is history. Now, the whole mess about what if a customs seizure, is the address trapped, how can they break Tor......its all in play now. Thank G-d they fixed two out of three issues. There are so many implications that my head is spinning, and its not ALL bad, just bad. More later.
-
Has this exploit been used as far as anyone knows? Or did the user just identify it to the Tor Project for it to be fixed.
-
This following is very sad to say -the last few weeks have been rocky in my corner of the SR community. Rock solid vendors going MIA< Customs letters to many folks here on the boards. Orders marked in transit and then canceled by the vendor without a peep or PM.
You get the idea. Then the
and I agree that there is a large gap between a reported and subsequently patched vulnerability, and one that was used to effect real adverse actions. However , I cant help but see that one high-bandwidth node (not sure what type) that was these all the time in my geography, is no longer there after the Tor update. Bleah.
Now, Tor is a big network, with tens of thousands of users and thousands of bridges, exists, and hidden Onion services. Thank G-d that SR uses a hidden service, which is one level more secure than using exists. I am also very glad that Tor Project alerted us and made the fix available, and have been tireless in bringing this essential service to market. I plan to donate. lavishly.
it pays to be careful but not crazy. I am not crazy. After the Tor update, several almost permanent nodes int he USA, most notably the high bandwidth node Tenkwanishara or something like that, dropped of the Tor net like a stone. there could be many reasons, and the odds argue against a major LE action against SR specifically,or Tor generally. Although we know for sure that TLAs and white Hat researchers amke it their business to penetrate Tor! And that's a good thing, it makes Tor stronger.
I will also repeat that the entire SR economy is less than $50M, probably more like 10-20M - the transactions are biased towards small to smaller. The vendors are usually not majors, who would never deal the hassle of bitcoins and mailing 1G packs.
I love SR and I love the Vendors, who in book are freedom activists. One might posit that a political dissident in China has a more exalted use for Tor than a recreational pharma hobbyist - but Im not so sure.....We are actually accomplishing what the LE wants in the end results - low or zero street violence due to territory beefs, lower crime in general, and most of the users here are geeky adults that have created and use a very involved, service that 95% of the population would never even try to do.
Its an mature adult market for responsible people who take their autonomy seriously. I'd would be actually tickled pink if I were the US drug Tzar! Why, because this is as close as gov or society will ever get to understanding what a limited, legal, self policing recreational drug market looks like and what might be its consequences!!!
I'll tell ya another thing - If I was a smart DEA or other agency analyst, I would just sit back and watch the SR experiment for a at least a two year or longer period to get a feel for the size and shape of the market - what is the fallout, does it impact the larger drug trade, does it have an effect on local drug economies, ....get it?
This is a grand experiment on many levels for many invested parties, 1) for the SR owners and other anon markets, 2) for security researchers, 3) for LE to see what comes of these markets, and 4) for non-mentally ill libertarians who know what's what, to prove the point that, "you see, if people have the freedom to choose, the good and bad effects are no different than your nanny state, with police busting George over here for a 1g buy of whatever......
I think you all get what Im saying: There are many issues being worked out in this forum, and the least of which is, "where's my damned dope?"/. Stay safe everyone -
and vendors, do you want to cut 90% of the risk out of the equation? Make your mailings look like business mail - geniuses! I just got a package that was so,......innocuous, that no postal inspector in their right mind would even think twice. Also, I understand that there is a very clever vendor out there that I just ordered from has a new twist on addressing that is just genius. let's see if you know who I mean. They really figured out one true thing about mail that they turned to our advantage. Now, everyone cant so that same thing, that would be stupid. But....it does show that there are ways to think things through and get better results.
One vendor I loved who is no longer with us.....where I dont know - used to mail a a very personal looking item, just like your grandma - cute. One took my advice and used my "business type and name" to adjust his return address and shipping to match my mail flow and type.
Thought and strategy pays off here more than the technology.
-
The hacker to hacker conference in Brazil: http://h2hc.org.br/palestrantes.php#Speaker7
-
A similar real-world case study was done on i2p to locate i2p eepsites (similar to tor hidden services): http://grothoff.org/christian/i2p.pdf
I have been developing with i2p for about a year now. Check it out ( http://www.i2p2.de/ ). It is not as well known as tor but is growing significantly. I am participating in the development of bitcoin commerce and trading systems that use tor, i2p, Freenet, and a new technology called Open-Transactions developed by FellowTraveler to extend the bitcoin network significantly (https://github.com/FellowTraveler/Open-Transactions/wiki).
i2p security peer-review on the i2p forums: http://forum.i2p2.de/viewforum.php?f=27
Work is being done to interconnect or bridge i2p, tor, Freenet, and bitcoin.