Silk Road forums
Discussion => Security => Topic started by: Tyrano on December 22, 2012, 07:11 am
-
Should there be more security measures used? VPN?
Is it possible to trace to someone?
-
Tor is safe enough to prevent almost all attackers from easily linking your IP address to the websites you visit. Hidden services are harder to locate than servers that are on the clearnet, they are enough to prevent the average person from determining a servers IP address. Tor is not a magic shield, it can be compromised for individual users over time, but there is a very small chance that any attacker is capable of deanonymizing all Tor users in real time. Using a VPN in addition to Tor is not likely to help the situation much, although there are arguments that it could. From a purely technical point of view, your entry guards give you the most anonymity. As long as none of your entry guards are compromised or malicious you are totally safe from purely active attackers. Active attackers are those who insert nodes to spy on traffic, passive attackers are those who spy on links between nodes such as at ISP. The probability that Tor will keep you anonymous directly correlates with the percentage of the Tor network that your attacker can observe, actively and/or passively. Tor has the same major weakness of all other low latency anonymity solutions, including I2P, JAP and VPNs; your traffic is not significantly delayed at any of the points between you and its destination. This allows an attacker who can see traffic at two points to use statistical attacks to link the traffic together based on its time of arrival. This is in contrast to mix networks, where traffic is randomly delayed and reordered to prevent such attacks. This is particularly bad if the attacker is able to see your traffic leaving from you and arriving at its end destination; regardless of the number of nodes in between the attacker can link the traffic together and thus link you to your destination.
Tor and other low latency solutions take a less secure approach to providing anonymity than mix networks, and in return they offer the ability to surf the internet like normal (compared to mix networks, which are only much good for an E-mail model of communications, where there can be several hours of delay between you sending your data and it arriving at its end destination). The strategy Tor uses is to make it unlikely that any given attacker will be positioned to see your traffic originate AND arrive at its end destination. In the case of Tor this is accomplished by having a massive volunteer run network of nodes distributed through out the world. Since your ISP cannot likely see where you are going, you are no more suspect of breaking the law than any other Tor user is from their perspective. Even if you go to a compromised illegal website, the attacker can only see the traffic coming from your exit node. There is a very slim chance that an attacker will be able to start at your exit node and work their way back to you, they would need to obtain logs from two other nodes that are hopefully not logging. They have no reason to log your traffic at your ISP , at least they have no more reason to log your traffic than they do to log any other Tor users traffic, and Tor is used by millions of people for a wide variety of reasons. The biggest risk to your anonymity is thus that by chance you will use an entry node operated by an attacker, if you do this and they run/monitor your end destination or exit/end node, they will be able to deanonymize you with a timing attack. The probability that you will use such a combination of nodes correlates positively with the duration of time that you use Tor, the amount of surfing you do with Tor over the duration of time that you use it and also with the number of links your attacker actively/passively monitors.
It is quite likely that an attacker with significant resources (ie: tens of thousands of dollars) can deanonymize X Tor users every Y period of time, it is even more likely that they can if they control or monitor the end destination of interest directly rather than via exit nodes (which will only occasionally be selected to send data to an end destination of interest)....the chances that you will fall into that set of X users is much smaller and once again increases over the time that you use Tor and with the amount of surfing you do via Tor to a particular destination.
-
Here's a good overview of known attacks on Tor
https://lists.torproject.org/pipermail/tor-dev/2012-September/003992.html
> > - "Traffic confirmation attack". If he can see/measure the traffic flow
> > between the user and the Tor network, and also the traffic flow between
> > the Tor network and the destination, he can realize that the two flows
> > correspond to the same circuit:
> > http://freehaven.net/anonbib/#SS03
> > http://freehaven.net/anonbib/#timing-fc2004
> > http://freehaven.net/anonbib/#danezis:pet2004
> > http://freehaven.net/anonbib/#ShWa-Timing06
> > http://freehaven.net/anonbib/#murdoch-pet2007
> > http://freehaven.net/anonbib/#ccs2008:wang
> > http://freehaven.net/anonbib/#active-pet2010
It depends in what way you want to become more precise.
I think the #SS03 paper might have the simplest version of the attack
("count up the number of packets you see on each end"). The #timing-fc2004
paper introduces the notion of a sliding window of counts on each side.
The #murdoch-pet2007 one looks at how much statistical similarity you
can notice between the flows when you are only sampling a small fraction
of packets on each side.
> > - "Congestion attack". An adversary can send traffic through nodes or
> > links in the network, then try to detect whether the user's traffic
> > flow slows down:
> > http://freehaven.net/anonbib/#torta05
> > http://freehaven.net/anonbib/#torspinISC08
> > http://freehaven.net/anonbib/#congestion-longpaths
Section 2 and the first part of Section 3 in #congestion-longpaths is
probably your best bet here. It actually provides a good pretty overview
of related work including the passive correlation attacks above.
If by 'more precise' you mean you want to know exactly what the threat
model is for this attack, I'm afraid it varies by paper. In #torta05
they assume the adversary runs the website, and when the target user starts
to fetch a large file, they congest (DoS) relays one at a time until they
see the download slow down.
In #congestion-longpaths they assume the adversary runs the exit relay
as well, so they know the middle relay, and the only question is which
relay is the guard (first) relay.
In #torspinISC08 on the other hand, they preemptively try to DoS the
whole network except the malicious relays, so the target user will end
up using malicious relays for her circuit.
> > - "Latency or throughput fingerprinting". While congestion attacks
> > by themselves typically just learn what relays the user picked (but
> > don't break anonymity as defined above), they can be combined with
> > other attacks:
> > http://freehaven.net/anonbib/#tissec-latency-leak
> > http://freehaven.net/anonbib/#ccs2011-stealthy
> > http://freehaven.net/anonbib/#tcp-tor-pets12
These are three separate attacks.
In #tissec-latency-leak, they assume the above congestion attacks work
great to identify Alice's path, and then the attacker builds a parallel
circuit using the same path, finds out the latency from them to the
(adversary-controlled) website that Alice went to, and then subtracts
out to find the latency between Alice and the first hop.
#ccs2011-stealthy actually proposes a variety of variations on these
attacks. They show that if Alice uses two streams on the same circuit,
the two websites she visits can use throughput fingerprinting to
realize they're the same circuit. They also show that by looking at
the throughput Alice gets from her circuit, you can rule out a lot of
relays that wouldn't have been able to provide that throughput at that
time. And finally, they show that if you build test circuits through
the network and then compare the throughput your test circuit gets with
the throughput Alice gets, you can guess whether your circuit shares a
bottleneck relay with Alice's circuit. Where "show" should probably be
in quotes, since it probably works sometimes and not other times, and
nobody has explored how robust the attack is.
#tcp-tor-pets12 has the adversary watching Alice's local network, and
wanting to know whether she visited a certain website. The adversary
exploits vulnerabilities in TCP's window design to spoof RST packets
between every exit relay and the website in question. If they do it
right, the connection between the exit relay and the website cuts its
TCP congestion window in response, leading to a drop in throughput on
the flow between the Tor network and Alice. In theory. It also works
in the lab, sometimes.
I also left out
http://freehaven.net/anonbib/date.html#esorics10-bandwidth
which uses a novel remote bandwidth estimation algorithm to try to
estimate whether various physical Internet links have less bandwidth when
Alice is fetching her file. In theory this lets them walk back towards
Alice, one traceroute-style hop at a time. In practice they need an
Internet routing map (these are notoriously messy for the same reasons
the Decoy Routing people are realizing), and also Alice's flows have to be
quite high throughput for a long time.
> > - "Website fingerprinting". If the adversary can watch the user's
> > connection into the Tor network, and also has a database of traces of
> > what the user looks like while visiting each of a variety of pages,
> > and the user's destination page is in the database, then in some cases
> > the attacker can guess the page she's going to:
> > http://freehaven.net/anonbib/#hintz02
> > http://freehaven.net/anonbib/#TrafHTTP
> > http://freehaven.net/anonbib/#pet05-bissias
> > http://freehaven.net/anonbib/#Liberatore:2006
> > http://freehaven.net/anonbib/#ccsw09-fingerprinting
> > http://freehaven.net/anonbib/#wpes11-panchenko
> > http://freehaven.net/anonbib/#oakland2012-peekaboo
#oakland2012-peekaboo aims to be a survey paper for the topic, so it's
probably the right one to look at first.
> > - "Correlating bridge availability with client activity."
> > http://freehaven.net/anonbib/#wpes09-bridge-attack
If you run a relay and also use it as a client, the fact that the
adversary can route traffic through you lets him learn about your
client activity. Section 1.1 summarizes:
2. A bridge always accepts connections when its operator is using
Tor. Because of this, an attacker can compile a list of times when
a given operator was either possibly or certainly not using Tor, by
repeatedly attempting to connect to the bridge. This list can be used to
eliminate bridge operators as candidates for the originator of a series
of connections exiting Tor. We demonstrate empirically that typically,
a small set of linkable connections is sufficient to eliminate all but
a few bridges as likely originators.
3. Traffic to and from clients connected to a bridge interferes with
traffic to and from a bridge operator. We demonstrate empirically that
this makes it possible to test via a circuit-clogging attack [17, 15]
which of a small number of bridge operators is connecting to a malicious
server over Tor. Combined with the previous two observations, this
means that any bridge operator that connects several times, via Tor,
to a web-site that can link users across visits could be identified by
the site's operator.
> > I tried to keep this list of "excepts" as small as possible so it's not
> > overwhelming, but I think the odds are very high that if the ratpac comes
> > up with other issues, I'll be able to point to papers on anonbib that
> > discuss these issues too. For example, these two papers are interesting:
> > http://freehaven.net/anonbib/#ccs07-doa
Traditionally, we calculate the risk that Alice's circuit is controlled
by the adversary as the chance that she chooses a bad first hop and a bad
last hop. They're assumed to be independent. But if an adversary's relay
is chosen anywhere in the circuit yet he *doesn't* have both the first
and last hop, he should tear down the circuit, forcing Alice to make a
new one and roll the dice again. Longer path lengths (once thought to
make the circuit safer) *increase* vulnerability to this attack.
I think the guard node design helps here, but whether that's true is an
area of active research.
> > http://freehaven.net/anonbib/#bauer:wpes2007
If you lie about your bandwidth, you can get more traffic than you
"should" get based on bandwidth investment. In theory we've solved this by
doing active bandwidth measurement:
https://blog.torproject.org/blog/torflow-node-capacity-integrity-and-reliability-measurements-hotpets
but in practice it's not fully solved:
https://trac.torproject.org/projects/tor/ticket/2286
-----
All that being said, no Tor user has ever been identified through a direct attack on the Tor network. There are lots of ways to give up your identity, but if you behave safely, Tor won't betray you.
-
The people with the motivation to attack Tor generally fall into one of two camps:
A. People who know next to nothing about Tor or computer security / anonymity topics in general, so they are not a serious threat to Tor
B. People who are extraordinarily skilled at breaking anonymity and security, but who don't give a shit about you unless you are a spy or terrorist, and who don't want to reveal to spies and terrorists that they can break Tor
-
However I do imagine that someday we will start to see busts related to Tor compromises. Just adding a few high bandwidth entry guards to the network and running a high profile clearnet sting CP site for example, or monitoring one, is going to be enough for an attacker to pwn dozens or maybe even hundreds of Tor users every month. It wont let them trace any given suspect that they want to, but it will certainly be enough for them to identify many people using Tor to engage in illegal activity. I wouldn't even be that surprised if they trace freedom hosting and passively monitor it for a year or two, letting it continue to run but waiting for targets to use one of their entry guards to access a CP site hosted on it. They could do the same thing to Silk Road as well, and again it wouldn't be enough for them to say "Vendor Bob sure is selling a lot of Heroin, let's trace him!", but it would be enough for them to say "This month these fifty random people used one of our entry guards and we identified them accessing SR with a timing attack!".
-
Thanks for all the detailoed info!
-
nice read, thanks!
-
Only thing I will add is emphasize "low latency"
Anyone looking to improve Tor or "fix" its problems runs up against latency. If you want to help the project look for something else than the latency because the low latency isa hard limit we can't get around.
-
The latency is indeed a problem intrinsic to how TOR works. There always are a few nodes between you and an exit node, and if those are geographically far apart, that will induce latency simply due to the speed of light. If you send something around the world 7 times the latency is already 1 second just by relativistic limitation, and hardware/software latency has to be added on top of that.
As it is, TOR will never be fast in terms of 'ping' between you and the exit node, though it can be fast in terms of sustained transmission rate.
-
I'm pretty sure Feed Our Fame meant the problem is that the latency is too low. That is why correlation attacks are possible. If you send an email through a remailer and it arrives between 12 and 72 hours in the future, it's a lot harder to correlate your activity on one end with activity on the other end. High latency is safer but much less useful.
-
I'm pretty sure Feed Our Fame meant the problem is that the latency is too low. That is why correlation attacks are possible. If you send an email through a remailer and it arrives between 12 and 72 hours in the future, it's a lot harder to correlate your activity on one end with activity on the other end. High latency is safer but much less useful.
And if you use a remailer to send a message to a distributed PIR that message recipients poll and send fixed size cover traffic to in fixed duration cycles (although accumulating, so real time is not a requirement) , then it becomes all but impossible to correlate traffic from sender to recipient. The attacker would need to own n out of x PIR servers to narrow in on the message recipient past the total anonymity set size of the PIR cluster. And theoretically x and n can always grow larger. And of course there is the mixing during transit as well, which additionally makes it difficult to even correlate traffic at any other point in its transit, in addition to making the message sender extremely difficult to trace even for the messages final recipients. This is the current state of the art for significantly scalable anonymous communications. Of course the true state of the art for anonymous communications is a dining cryptographer net (DC-net) as it is mathematically proven as always maintaining anonymity for each user to the total set size of users, but it is actually very limited in other ways and I would compare it to the one time pad of the anonymity scene.
-
I should also mention that there are information theoretically secure anonymous encrypted packet header protocols. Mix designs these days are extremely secure and anonymous, having a single good mix on your messages path ensures that some anonymity is provided and path lengths can grow to any size if the resources are provided. These systems are pretty resource intensive though, they consume a lot of bandwidth, are quite CPU intensive and require several servers. But they do scale well enough and cheaply enough to be feasible for fairly frequent communications between significantly large groups of people.
-
kmfkewm, can you please elaborate on exactly what you mean by :
"I wouldn't even be that surprised if they trace freedom hosting and passively monitor it " ?
It sounds all too easy, I'd like to hear the technical detail please because I'd be pretty certain that Silk Road is on Freedom Hosting too... maybe ?
-
I find it hard to imagine that it would be exceedingly difficult for Interpol or even the FBI to trace any hidden service. Fact of the matter is, no matter how much some uninformed people may argue against, that hidden services are not very anonymous. There have been attacks carried out on the live Tor network that have traced hidden services, this was done in 2006. The attack is simply opening an arbitrary number of circuits to the hidden service, this causes the hidden service to open new circuits as well. Then you send the hidden service a watermarked stream and look for it at all of your Tor relays. You can massively reduce the amount of time it takes to trace a hidden service with this attack, back in 2006 they were finding them in a matter of minutes with minimal resources. After that research was published, the Tor developers tried to counter the problem by adding entry guards. Now Tor clients and hidden services select three Tor nodes with the entry flag and always enter the network through one of these nodes. The nodes used for entry guards are selected before your very first Tor circuit is formed, and new guards are selected every month to two months. This defense prevents the attacker from tracing directly up to the hidden service, because if they do not own an entry guard now they can only actively trace up to the entry guards until one of their entry guards are selected. I am not the biggest fan of this situation, it essentially means that with very little effort an even very weak attacker can trace a hidden service up to three points that have a direct link with it. If these points are in the USA or a cooperating country, there is nothing stopping Interpol or the FBI from passively monitoring them. If they passively monitor the entry guard, at its ISP for example, they will then be able to fully deanonymize the hidden service. If none of the entry guards are in places they have any power in, they can keep waiting until it rotates to a set of entry guards they own or can passively monitor.
After locating a hidden service it would be counterproductive for them to immediately take it down or announce their bust. Rather they would monitor traffic to it. Now they have met half of the requirements of a timing attack, they can see traffic arrive at its destination. This means that they can now deanonymize anyone who uses one of their entry guards to access the hidden service. As I said before, the Tor program selects three entry guards and it rotates them every month to two months. The probability that you will select a given entry guard also correlates positively with the amount of bandwidth being offered, and with several other factors as well. If they get a couple of high bandwidth Tor nodes, forty thousand dollars worth of servers and bandwidth perhaps, they can probably get several target Tor users using their entry node in any given month. At this point they will have broken the anonymity provided by Tor to the hidden service and to those particular clients. However there would still be a lot of people who they haven't gotten yet, and they can not pick their victim, it is like throwing out a fishing net and seeing what you drag up not like putting a deer in the sights of your rifle. The number of X people they can deanonymize in Y time will depend on a few things, for one the total size of the target group (the more people they are interested in the more likely they will get some of them), and especially the total percentage of bandwidth that their entry guard nodes handle for Tor.
-
Perhaps this is true, i have no idea on how much services like the fbi, cia, and its non-us equivalents monitor TOR traffic.
The flipside of that matter is, however, also founded in legislation. If a jurisdiction has the concept that breaking encryption is an offense, that rule also applies to intelligence agencies in that jurisdiction.
At is simplest that would mean that any evidence obtained through breaking encryption would not be admissible in court since it was illegally obtained.
-
First of all I don't know of a single nation in the world that prevents their police from attempting to break encryption if they have a warrant. Secondly, intelligence agencies are not anywhere nearly as restricted as the federal police are, and indeed some of them have the entire job of breaking encryption and spying on internet traffic (breaking anonymity falls under Signals Intelligence, breaking crypto falls under Communications Intelligence, both of which are handled by the NSA in the US and the GCHQ in the UK). Some federal police specialize in traffic analysis, I am certain of this as I once read a copy of an official FBI document discussing different sort of agents career path, and people who follow a certain computer forensic career path at the FBI are trained in traffic analysis although after quite a few years of service. I don't know how skilled their best agents are, possibly they have some really skilled ones. They have done pretty advanced proxy bypassing attacks with their CIPAVs but I think there is only proof that they used known vulnerabilities that their targets did not have patched. They seem to save CIPAV against very big targets, like kidnappers / child porn producers and perhaps very large drug dealers. It obviously isn't the solution to all of their anonymity woes though, as in 2008 there was a major sadistic CP ring partially busted, none of the members who used Tor for communications were busted in the initial sweep, and the ones who were later busted were busted through photograph analysis not traffic analysis. The busted ones had used VPN services without Tor and all of them were arrested. This was a high profile case and very important, some of the people involved were using Tor to upload very sadistic CP and the FBI thought one of the participants may kill the girl he had been abusing for years after they moved in on the rest of the group. Despite the FBI and their partners via interpol having this fear they moved in on the group members they had identified, and did not arrest this target until several months later, crediting analysis of the CP photographs for narrowing in on his position enough that they could identify his victim and thus him.
I imagine that the average FBI traffic analyst is mostly involved in running simple attacks against public P2P networks. There are a lot of tools already made for police use that simply scour through P2P networks until they identify someone sharing CP, then they spit out their IP address and the suspect photographs to the LE agent operating them. At this point the agent may verify the content of the image (I imagine they don't count entirely on hash functions since they all have collisions.). Then they see who the targets ISP is, and they send a court order demanding to know who that IP address was assigned to at a specific time. If it is a proxy exit node they will then need to probably move backwards down the chain, because I don't think they are currently even trying to carry out an active or internationally coordinated attack against Tor (a lot of them probably just filter Tor exit IP addresses from their suspect lists simply due to the failures LE have had with tracing it in the past). I imagine that their traffic analysts are generally making and utilizing systems like this, not trying to attack stronger networks. You need to keep in mind that they are currently completely overwhelmed with internet crime. Particularly CP they simply don't have enough resources to follow through on all of the leads their systems have detected already. Something like 1% of identified IP addresses in a given year are followed up on due to lack of man power, and they know that they will follow up on even less illegal activity detections if they spend the time required to go through the multiple layers of security and indirection protecting a hard target doing the same thing.
Also they have kept pretty busy with those systems, last time I read about them they had integrated fuzzy hashing so if they detect an image that has previously been identified as CP when they spider through a P2P network, they will still be able to identify it even if it has been slightly altered visually. Before they couldn't automatically detect and identify a previously identified image unless it had not been modified at all. But it must be kind of pointless feeling for them to be able to identify that many additional people when they don't even have the resources to put a dent into what they had already had the ability to identify.
So I guess to summarize my belief on the safety of Tor, I would say that Tor is technically safe enough to have a good chance of protecting your anonymity for a decent while against most attackers, but in practice so far nobody knows of any case where an attack against the anonymity Tor provides is what led to someone being arrested. And a lot of people know a lot of people who have used Tor for very illegal things for quite a lot of years.
-
Also I forgot to mention that even if they cannot break the encryption of Tor it does not matter as far as deanonymizing people goes. In quite a few cases you can even use traffic analysis to see what data someone is transmitting even if it is an encrypted transmission. One thing is for sure, directly breaking encryption is almost always the hardest way to obtain the plaintext version of a ciphertext.
-
I find it hard to imagine that it would be exceedingly difficult for Interpol or even the FBI to trace any hidden service. Fact of the matter is, no matter how much some uninformed people may argue against, that hidden services are not very anonymous. There have been attacks carried out on the live Tor network that have traced hidden services, this was done in 2006. The attack is simply opening an arbitrary number of circuits to the hidden service, this causes the hidden service to open new circuits as well. Then you send the hidden service a watermarked stream and look for it at all of your Tor relays. You can massively reduce the amount of time it takes to trace a hidden service with this attack, back in 2006 they were finding them in a matter of minutes with minimal resources. After that research was published, the Tor developers tried to counter the problem by adding entry guards. Now Tor clients and hidden services select three Tor nodes with the entry flag and always enter the network through one of these nodes. The nodes used for entry guards are selected before your very first Tor circuit is formed, and new guards are selected every month to two months. This defense prevents the attacker from tracing directly up to the hidden service, because if they do not own an entry guard now they can only actively trace up to the entry guards until one of their entry guards are selected. I am not the biggest fan of this situation, it essentially means that with very little effort an even very weak attacker can trace a hidden service up to three points that have a direct link with it. If these points are in the USA or a cooperating country, there is nothing stopping Interpol or the FBI from passively monitoring them. If they passively monitor the entry guard, at its ISP for example, they will then be able to fully deanonymize the hidden service. If none of the entry guards are in places they have any power in, they can keep waiting until it rotates to a set of entry guards they own or can passively monitor.
After locating a hidden service it would be counterproductive for them to immediately take it down or announce their bust. Rather they would monitor traffic to it. Now they have met half of the requirements of a timing attack, they can see traffic arrive at its destination. This means that they can now deanonymize anyone who uses one of their entry guards to access the hidden service. As I said before, the Tor program selects three entry guards and it rotates them every month to two months. The probability that you will select a given entry guard also correlates positively with the amount of bandwidth being offered, and with several other factors as well. If they get a couple of high bandwidth Tor nodes, forty thousand dollars worth of servers and bandwidth perhaps, they can probably get several target Tor users using their entry node in any given month. At this point they will have broken the anonymity provided by Tor to the hidden service and to those particular clients. However there would still be a lot of people who they haven't gotten yet, and they can not pick their victim, it is like throwing out a fishing net and seeing what you drag up not like putting a deer in the sights of your rifle. The number of X people they can deanonymize in Y time will depend on a few things, for one the total size of the target group (the more people they are interested in the more likely they will get some of them), and especially the total percentage of bandwidth that their entry guard nodes handle for Tor.
Thanks for the detailed reply.
If these points are in the USA or a cooperating country, there is nothing stopping Interpol or the FBI from passively monitoring them.
Is what you are stating that they would passively monitor with or without the knowledge of the owner of the entry guard ?
My understanding is that there has been for many years 'secret' rooms at the major ISP hubs where three letter agencies have plugged in and run deep packet inspection of ALL traffic that flow through the switches. This has been done without any judicial oversight (warrants)
With that sort of complete coverage of the internet, I wonder if they already have the capability of passively monitoring entry guards based in the USA given that apparently all USA internet data is DPI'd, they already have the packets in their 'haul', it would just be a master of being able to identify the relevant packets on both sides in real time.
I believe that the new 2 billion Utah data center is being built for not only breaking encryption keys but also for traffic analysis on an unprecedented scale.
Also your response begs the question... if you believe it to be so relatively easy for a three letter agency to locate and then passively monitor a hidden service for even years before taking it down, how can you have any real faith that it has not happened already ?
I know enough about the technical workings of the tor network to know you are correct in what you say, only I had never conceived of the methods of compromise you describe before and frankly I'm now very concerned about whether the road actually remains 'hidden' and is not indeed being passively monitored in the manner you describe to the point I may discontinue coming here. I mean, there is simply no way to verify that such a compromise has not occurred and its entirely within the realm of possibility that it has.
You must be of the opinion that the road remains hidden otherwise you would not be here, can you elaborate on your reasons for believing that please ?
Sorry if this post is a bit all over the place, I have to sleep now so have rushed writing it.
-
I don't think they are currently even trying to carry out an active or internationally coordinated attack against Tor (a lot of them probably just filter Tor exit IP addresses from their suspect lists simply due to the failures LE have had with tracing it in the past). I imagine that their traffic analysts are generally making and utilizing systems like this, not trying to attack stronger networks. You need to keep in mind that they are currently completely overwhelmed with internet crime. Particularly CP they simply don't have enough resources to follow through on all of the leads their systems have detected already. Something like 1% of identified IP addresses in a given year are followed up on due to lack of man power, and they know that they will follow up on even less illegal activity detections if they spend the time required to go through the multiple layers of security and indirection protecting a hard target doing the same thing.
Shit, I just noticed that some of what I have asked, you have happened to have answered in your post above.
I should have read the whole thread first.
Still, the shock of the realization that if they wanted to do it, it's a possibility has me questioning how wise it is to be here and also for how long it may remain to be wise to be here !
-
My subconscious came up with some thoughts while sleeping...
I'm pretty sure that there is a method for de-masking tor users that only requires that one end of the circuit is controlled by an adversary (entry node)
I'd also be pretty sure that you kmfkewm would be aware of 'fingerprinting' (I'm mostly sure that is the term used) as defined at 'polyfront' (so this is info is in the public domain)
Basically, a given file (x) located on a hidden services pages (say a default image file of the forums template page or scarier still a users avatar) will have a known number of bytes when encrypted with cipher (y) (say the tor default cipher) regardless of the random seed, salt and hash etc used.
Therefore, all an adversary who is in control of the entry guard needs do is add up packet contents looking for requests of the known number of bytes and cross reference this with the IP making the request.
Perhaps, and I'm not too sure on this, but perhaps even the first hop could be de masked also via analysis of the 'haul' of deep packet inspection data (all USA Internet traffic) captured by the 'secret' monitoring rooms all across the USA at all major backbones because the first hop must knows the IP address of the requester and this must be contained in the packet data somewhere and perhaps in a unique enough way for it to be flagged and saved.
The above would be one argument why a VPN might be a good idea because obviously, as the stream is encoded prior to leaving the original PC, the byte length will be different than if a VPN is not in usage.
Extrapolating on the above, I think i can see a way that actual vendors IP's could be identified uniquely in an automated fashion !, but I wont post if here publicly, look in your inbox for a PM kmfkewm. I'd be very interested in your thoughts.
-
Basically, a given file (x) located on a hidden services pages (say a default image file of the forums template page or scarier still a users avatar) will have a known number of bytes when encrypted with cipher (y) (say the tor default cipher) regardless of the random seed, salt and hash etc used.
Therefore, all an adversary who is in control of the entry guard needs do is add up packet contents looking for requests of the known number of bytes and cross reference this with the IP making the request.
Web site fingerprinting attacks are well known. Researchers have demonstrated that watching the local end of a Tor connection could allow an attacker to identify a web site with 55% accuracy (under their controlled conditions) if it had static content.
http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf
-
Is what you are stating that they would passively monitor with or without the knowledge of the owner of the entry guard ?
My understanding is that there has been for many years 'secret' rooms at the major ISP hubs where three letter agencies have plugged in and run deep packet inspection of ALL traffic that flow through the switches. This has been done without any judicial oversight (warrants)
With that sort of complete coverage of the internet, I wonder if they already have the capability of passively monitoring entry guards based in the USA given that apparently all USA internet data is DPI'd, they already have the packets in their 'haul', it would just be a master of being able to identify the relevant packets on both sides in real time.
The currently available data indicates that the NSA cannot actually monitor all USA traffic in real time, much less global traffic. There is a bit of literature on this and also some educated guesses based on leaked information. Probably nobody knows for certain. One paper that has discussed the abilities of agencies such as the NSA is called Global Spying: Realistic Probabilities in Modern Signals Intelligence. I used to be convinced of the legitimacy of this, however I find anything with Steve Topletz name on it to be worthy of taking with as many grains of salt as possible. Recently I have been shown some alleged technical details about the NSA monitoring systems that had leaked its way to Wikileaks. It indicated that they are only capable of sampling large amounts of traffic, not performing real time traffic analysis. Additionally this is the view that I find to be most common in the academic anonymity circles. Outside of the academic anonymity world, which consists almost exclusively of Tor, there exist several camps who have received little or no attention from the research community (I2P people for example). I find that the people who are not part of the academic community tend to estimate the NSA as being an all powerful attacker whereas people in the academic world seem to think of them more as a very strong but not all powerful attacker or even a global passive attacker. Here is a paper that discusses the level of luck the NSA will have against Tor traffic if they sample traffic rather than real time monitor the entire internet from their spy centers.
Sampled Traffic Analysis by Internet-Exchange-Level Adversaries
http://petworkshop.org/2007/papers/PET2007_preproc_Sampled_traffic.pdf
one thing to keep in mind as well is that it doesn't matter if the NSA can't passively spy on 100% of the internet so long as they can passively spy on 100% of Tor. That might be a lot easier for them. Not much stops even the feds from being proactive against Tor: they only need a good faith feeling that a pen register will aid in a criminal investigation for them to use a pen register (easily carried out thanks to CALEA compliance of the equipment at ISPs). If they ever make the case that monitoring Tor nodes is inherently beneficial to criminal investigations, I can conceive a scenario in which they are not restricted at all from performing dragnet passive spying on all Tor nodes in the USA. I believe that they can gather enough information with a pen register to perform a timing attack if they monitor entry and exit positions; CALEA has a list of requirements that includes them being able to monitor the timing information of communications. This is not the same thing as a wiretap either, they are interested in which computers talk to which computers when and how and how much and how frequently, not in what the computers actually say to each other. Most of the language of the current law regarding such things was written with traditional telephone systems/networks in mind and probably not with such advanced attacks in mind, but these laws still cover the entire USA's internet infrastructure.
I believe that the new 2 billion Utah data center is being built for not only breaking encryption keys but also for traffic analysis on an unprecedented scale.
Quite likely they will use their new data center to datamine extremely massive collections of traffic information (as well as extremely massive collections of a lot of different things, like cellphone positioning information). The NSA is the primary agency responsible for both Cryptography and Signals Intelligence, my guess is that with modern encryption what it is that they will focus more so on signals intelligence, although I suppose quantum computing is a serious threat to almost all currently used encrypted communications systems.
Also your response begs the question... if you believe it to be so relatively easy for a three letter agency to locate and then passively monitor a hidden service for even years before taking it down, how can you have any real faith that it has not happened already ?
I do not have any solid faith that it has not happened already. I try to keep up with what is current in the federal agent level scene as much as possible though. I look up their case studies against cyber crime groups. I look for as much information on them as I can find via as many ways as possible. Sometimes there will be an academic paper discussing a law enforcement traffic analysis system. At least their technological abilities that are not guarded as secret, I know about. I have even read some pretty detailed 'for official use only' LE documents, they sometimes make informational material to educate their officers about modern trends in cyber crime and how they can attempt to go about combating it. A lot of different things have leaked or been carelessly put out by LE over the years, one recent example is that internal LE paper about SR and its leaking to SR which is hilarious and something I find totally believable given the care that I have seen LE give to protecting their FOUO documents. When all of this information is analyzed as a hole I see the trend is that law enforcement agencies around the entire world are totally out of touch with modern times. They don't have strong computer units, the local police agencies that have forensics labs are carrying out extremely basic and easily counter forensic operations. The feds seem to largely do a lot of the same thing as local police forces although they step it up a bit. Local police will power down you encrypted drives for you after raiding you, federal police are starting to catch on to the fact that volatile memory is the primary target and it needs to be obtained and analyzed as quickly as possible to have a chance at carrying out a traditional cyber forensic investigation against an even mildly technically skilled target. They still have not gotten this message into the heads of all of their agents around all of the world, but it is something that starts to happen more and more in the reports of raids for cybercrime targets. However one serious threat that is posed is the very real risk of skilled groups creating sophisticated software and selling it to the police. There have already been several examples of private industry working in association with law enforcement groups in order to create more advanced policeware for them. One nice thing that counter balances this risk is the fact that intelligence and military agencies are in the market for many of the same tools/programs/etc as the police agencies are, but they are capable of paying a shitload more and they want their abilities to be shared by no others besides themselves. This will naturally keep police forces from being able to get the most cutting edge forensics / counter-security talent and tools.
So essentially even though I do not think they are technically limited from doing a lot more than they do, I think that they are limited in other ways. They are limited in that they want to make busts and it isn't going to lead to as many busts for them if they take the time required to go after secured targets. I think that they have some system for allocating their resources. It is apparent they run two types of operation, targeted and dragnet. There is certainly a targeted operation against the people who run Silk Road and the largest vendors here, an international team of agents and Interpol are very likely to be trying to find the top vendors and the people running SR. Other people on SR are less important to them, they would be the target of a dragnet attack ("We can arrest some percent of them so lets throw out a net and see which all people we can get" instead of the targeted operations "Let's get this group of high value targets"). They pick the targets of their targeted operations by the extent of the crime they have committed, for example they are not going to have a special team dedicated to busting the local drug dealer selling ten sacks on the corner. But they probably will for a group of people who have embarrassed them, especially since they have illegally made millions of dollars in the process. They don't select who they bust in a dragnet attack, they throw out bait or you get an unlucky draw on entry guard and then they have got you. They might not even care about you or they might care enough to send your local cops after you, generally if they have limited resources they will sort the people caught in their dragnet by the extent of their crime(s) and allocate resources to go after them in that order. This is very evident in CP cases on public P2P networks: they cannot even go after more than 1% of the people they identify sharing CP in any given year due to hard man power limitations, so they generally sort the IP addresses detected by the sort of CP the offender shared and their likelyhood of offending based on the discoveries (this can be automated with computers and various neat tricks. For example if you have shared a book on how to molest kids and get away with it, or child grooming materials, you will move to the top of the list as it is far more likely that you will / have molested a child than if you shared a pic of some 16 year old flashing her camera phone).
I know enough about the technical workings of the tor network to know you are correct in what you say, only I had never conceived of the methods of compromise you describe before and frankly I'm now very concerned about whether the road actually remains 'hidden' and is not indeed being passively monitored in the manner you describe to the point I may discontinue coming here. I mean, there is simply no way to verify that such a compromise has not occurred and its entirely within the realm of possibility that it has.
You must be of the opinion that the road remains hidden otherwise you would not be here, can you elaborate on your reasons for believing that please ?
Sorry if this post is a bit all over the place, I have to sleep now so have rushed writing it.
I am of the opinion that federal police are not trying very hard to break Tor. I also am of the opinion that even after they try very hard to break Tor, that they will not be able to immediately deanonymize very many people. They will get X people over Y time, like I said before. I can't particularly guess as to the value of X or Y without knowing how they go about carrying out any attack they do. I can certainly imagine situations where they could do substantial damage against Tor with very little legal resistance or much in the way of expense, but if it is as easy it seems the question remains why have they not done this? There have been cases of serious fucking psychopaths using Tor to protect themselves from LE while doing some truly detestable shit that would certainly have them as some of the highest targets; and they are not traced via attacks on Tor but rather very time consuming and more traditional detective work.
Additionally, I don't buy drugs or sell drugs here, I don't keep more than personal use amounts of drugs on me at any given time. They probably suspect my of quite some things but they will have trouble to prove anything against me in court and honestly I just don't think that I am currently a very valuable target to them. I think if I was running SR that I would be a little more paranoid, but I have had some fun doing erm... administrative work of my own over the years and I certainly think DPR can stay quite safe. My opinion is that it never hurts to combine using Tor with using WiFi from random locations and not traveling with a car or while carrying a cellphone on your way to the WiFi location.
-
Basically, a given file (x) located on a hidden services pages (say a default image file of the forums template page or scarier still a users avatar) will have a known number of bytes when encrypted with cipher (y) (say the tor default cipher) regardless of the random seed, salt and hash etc used.
Therefore, all an adversary who is in control of the entry guard needs do is add up packet contents looking for requests of the known number of bytes and cross reference this with the IP making the request.
Web site fingerprinting attacks are well known. Researchers have demonstrated that watching the local end of a Tor connection could allow an attacker to identify a web site with 55% accuracy (under their controlled conditions) if it had static content.
http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf
I believe CCC got a bit higher than 55% accuracy but I cannot recall the exact figure. Needless to say it was better than random chance. Tor is more resistant to this sort of attack than most other solutions are, for example many VPNs have had their traffic fingerprinted with accuracy that approaches 100%. However the accuracy of fingerprinting attacks against Tor has continued to rise. Recently there was some research of the effect of hidden markov models being used by traffic classifiers to aid in their ability to fingerprint sites, I have not yet read this yet but I am certain that using this technique will significantly increase the accuracy of fingerprinting Tor traffic.
Pretty much if you have a malicious entry guard you are in a bad situation. If the person who owns your entry guard is a weak attacker with only the ability to see a small percentage of the Tor network, then Tor can still save the day even when you have bad entry guards. But as the attacker starts to be just a little bit more powerful the threat posed to you gets quite high depending on the exact circumstances. On the other hand though, if you have only good entry guards and none are owned by an attacker, you are entirely protected from purely active attacks. So a lot of your anonymity does depend on having good entry guards, but for clients it isn't a sure fire you are fucked even if you have a bad entry guard. Unfortunately hidden services are completely fucked if they have a single entry guard operated by one of their attackers. The scary this is that hidden services have some easily implemented attacks against them for detecting who actually owns their entry guards; the situation is a little bit less bad for clients but there are still some sophisticated and nasty attacks for tracing clients up to their entry guards.
-
One thing I have certainly seen as true is that the feds are most interested in following a big fish little fish strategy. This means that they spend the majority of their resources going after big targets and targets that are easy to bust. The people who fall in between generally are not their focus: they are small enough targets that they are not worth an intensive targeted operation and they are secure enough targets that they are not worth going through all of the expensive and complicated steps required to catch them.
-
I believe CCC got a bit higher than 55% accuracy but I cannot recall the exact figure. Needless to say it was better than random chance. Tor is more resistant to this sort of attack than most other solutions are, for example many VPNs have had their traffic fingerprinted with accuracy that approaches 100%. However the accuracy of fingerprinting attacks against Tor has continued to rise. Recently there was some research of the effect of hidden markov models being used by traffic classifiers to aid in their ability to fingerprint sites, I have not yet read this yet but I am certain that using this technique will significantly increase the accuracy of fingerprinting Tor traffic.
True, which is kind of scary, but in the same paper they use a simple padding technique as a countermeasure and the detection rate drops to 3%. There are known, effective defenses, but they haven't been implemented on the live Tor network, mainly for performance reasons. The Tor folks choose usability over absolute safety in a lot of design decisions. I guess the rationale is that these attacks are unlikely to be occurring, and it's more important to get a lot of people to use Tor (which itself enhances security).
-
I think it's important to note that Tor, atleast for the average user, doesn't need to be 100% bulletproof, only secure enough and difficult/complicated enough to trace for law enforcement that it deters them from large-scale tracing and busts. If they could trace all of the Tor users and send our IP's to local LE then we might be in trouble but from what kmkfewm was saying (awesome info btw, wish I could give ya karma) that seems impossible right now. Maybe DPR or super-vendors should worry about this, but I don't think that the average user has any real risk, even if LE could theoretically crack Tor. Correct me if I'm wrong of course but that's my take on it.
-
one thing to keep in mind as well is that it doesn't matter if the NSA can't passively spy on 100% of the internet so long as they can passively spy on 100% of Tor. That might be a lot easier for them.
Tor relays are spread across about 75 countries. Entry guards and exits are spread across different sets of about 35 countries. The thousand or so published bridges are probably spread across a few dozen countries. Then there are an unknown number of private bridges spread across an unknown number of countries, which presumably even the NSA doesn't know about. I do not believe that the NSA has the ability to monitor 100% of the Tor network, since nobody knows where all the Tor relays are, not even the Tor Project, and jurisdictional problems make it highly impractical to impossible to monitor all of the known relays.
However, they have the ability to monitor a substantial fraction of the Tor network. I downloaded the Tor relay information a while ago and did some simple stats. 94% of Tor traffic goes through the top 500 relays and about 60% goes through just the top 100 relays. 30% of Tor traffic goes through relays in just 3 countries: DE, NL, US. A more important stat, which I didn't calculate at the time, is the percentage of entry guard bandwidth and estimated percentage of users who use entry guards in DE, NL, and US. Let's assume that number is also 30%. It wouldn't be difficult for the governments of those 3 countries to collude, and then they could pwn 30% of Tor users for as long as they use those entry guards.
That's not good enough to target specific individuals, but it is good enough to pwn a lot of people and destroy the credibility of Tor.
-
kmfkewm,
Thank you very much for your replies here and in other threads. They are very helpful to me and others who are newer to this sort of thing and/or don't have the technical knowedge you do.
Thank you so much.
- Empathy
-
Does running a proxy on top of using Tor increase my security?
-
Someone needs to dumb this down for me!
-
Quite likely they will use their new data center to datamine extremely massive collections of traffic information (as well as extremely massive collections of a lot of different things, like cellphone positioning information). The NSA is the primary agency responsible for both Cryptography and Signals Intelligence, my guess is that with modern encryption what it is that they will focus more so on signals intelligence, although I suppose quantum computing is a serious threat to almost all currently used encrypted communications systems.
Really, a serious threat ?
I thought that quantum computing had not moved past the 'purely theory' stage as yet and that even then the theory would only sustain the creation of one quantum 'bit' (whatever that means) for only a nanosecond and at cryogenic temperatures.
I thought that a working quantum computer was predicted to be even a century away, am I wrong ?
BTW, I'd also like to say thanks for your detailed information in this and many other threads.
-
Working quantum computers have already been constructed. In fact the quantum algorithm for prime factorization has already been run on one, although it was only to factor 15 into 3 and 5.
https://www.schneier.com/blog/archives/2009/09/quantum_compute.html
It is quite likely that a good deal of progress has been made since the first time they did this. Even doing it at all was a big step though as it took Shors algorithm from theoretical to implemented on a quantum computer. Now I am not educated enough to be truly up to date on the latest happenings with quantum computing, but I listen to smart cryptographers and physicists when they talk. And I have seen over the past few years the attitude shift from one of dismissing quantum computers as a viable strategy for attacking vulnerable sorts of asymmetric cryptography, to being one of acceptance that all of the widely used asymmetric algorithms are in serious danger and probably are not going to be secure for much longer. Even with really really big keys. In cryptography literature you can see a new interest in quantum resistant multivariate quadratic polynomial algorithms, and there is a good chance that this sort of asymmetric crypto will replace quantum vulnerable elliptic curve (ECDH) and prime factorization (RSA) sorts of asymmetric cryptography. Nobody knows when they will be able to break the keys we are currently using, but many people predict that there is going to be a rapid and exponential increase in the size of the composite numbers they can factor with their quantum computers.
-
Lets hope it's an early and painless transition to "quantum resistant multivariate quadratic polynomial algorithms".
Do you envisage current crypto software manufacturers (Truecrypt for example) to be able to seamlessly integrate the new algorithms into their existing GUI's ?
many people predict that there is going to be a rapid and exponential increase in the size of the composite numbers they can factor with their quantum computers.
Given this, I wonder if and when we may see some implementations of these new algorithms.
Perhaps with the conservative approach the cryptography community takes it may be soon. I would hate for the road or tor for that matter to get caught out in the cold without adequate encryption protection... Do you see that as a possibility ?
-
Lets hope it's an early and painless transition to "quantum resistant multivariate quadratic polynomial algorithms".
Do you envisage current crypto software manufacturers (Truecrypt for example) to be able to seamlessly integrate the new algorithms into their existing GUI's ?
many people predict that there is going to be a rapid and exponential increase in the size of the composite numbers they can factor with their quantum computers.
Given this, I wonder if and when we may see some implementations of these new algorithms.
Perhaps with the conservative approach the cryptography community takes it may be soon. I would hate for the road or tor for that matter to get caught out in the cold without adequate encryption protection... Do you see that as a possibility ?
Symmetric encryption is already resistant / immune to quantum computing attacks. The best they can do against symmetric algorithms is cut their key strength in half, giving 256 bit algorithms the still unbreakable key strength of 128 bits. It is only asymmetric algorithms that have a lot to worry about. I don't know when we will start to see implementations of multivariate quadratic polynomial algorithms, there are quite a few papers discussing how to implement them though. I think it will be quite a while even after people have the ability to break RSA/ECDH before they use this ability against the people here. I think the NSA will be the first agency with such capability. But as with everything, things tend to work their way downwards over enough time.
-
kmfkewm,
I saw you mention burner phones either in this thread or another but I don't recall reading anything about anon wifi hotspots that can be bought the same way a burner phone can. How do they rate vs random wifi spots? Is there any value in using them and changing location so you're not always connecting to the same tower?
Thanks.
Answered by pine on Discussion » Security » best phone for drug dealing. YW.
-
Awesome. Thanks.
-
kmfkewm - Check your PM's please !
-
My opinion is that it never hurts to combine using Tor with using WiFi from random locations and not traveling with a car or while carrying a cellphone on your way to the WiFi location.
What do you mean about not traveling with a car? You mean in general or that you shouldn't tap into wifi from your car? I get the cell phone part.
I think this is one of the most amazing threads I have ever read in my life. You guys are unbelievable.
-
Wow, what a wealth of info on here! We truly have some brilliant minds in our little community.
-
I believe TOR itself is safe to surf on, you'll stay anonymous; but as far as sending information goes, I would still encrypt any and all sensitive information.
-
Safe as it's users