Silk Road forums
Discussion => Security => Topic started by: kmfkewm on September 10, 2013, 10:07 am
-
http://imgur.com/a/FD5VM/noscript
note that there are two tabs on their traffic analysis tool, one is called 'flying pig' and appears to be for general internet traffic analysis, the other is called 'quick ant' and is for Tor related traffic analysis.
Dingledine made a guess as to what it does
ok, maybe a guess. my guess is that they have a tor flow or destination-IP detector that tags that flow in their db.
-
It's interesting, but "Tor events" could mean "we've detected an unusual amount of activity from your network", ie they could have been recording botnet attacks from exit nodes.
-
I don't think anybody has actually used a Botnet to DDoS through Tor. If they did, it would likely bring down a lot of Tor nodes.
-
It's interesting that Tor makes the list of the three main tabs in a GUI for querying TLS/SSL traffic. The first appears to be a target justification tab (i.e. the part where you pretend it's a legitimate query). The second is the main SSL query window. The third is labeled "Tor events QFD". Dunno WTF QFD is. Quick find database? query flow database?
Assuming that's a general GUI interface that we're seeing screenshots of (and not Analyst X's customized tab view), the only conclusion is that Tor is a very significant priority for NSA, and that data is queried often enough to make the main window. It rates one of the two data-related tabs on the interface.
Not surprising, really, given the sheer number of Tor users and the percentage of Tor traffic that's bound to be "interesting" to NSA.
My guess is that it's exactly what it appears to be. A searchable database of their known Tor events. Traffic from exit nodes, traffic headed to entry guards, traffic flows between Tor nodes, traffic matching any DPI patterns to identify Tor, all the Tor data they can extrapolate from Tor routing database, up/down for relays and nodes, all the internal data from the Tor relays they operate, etc.
And the latest date I see on the slides is Oct 26 2011. So that was two years ago. Which is a long, long time ago in the grand scheme of exchanging billions of dollars for capabilities.
-
What's QFD? Quality Function Deployment? Though I doubt the check the quality of the Tor network.
Anyway Tor events may just mean "someone connected to a website using Tor", probably with entry node/real IP if possible to find it with traffic analysis.
-
I don't think anybody has actually used a Botnet to DDoS through Tor. If they did, it would likely bring down a lot of Tor nodes.
It's not necessarily to DDOS. It could be used for massive amounts of scanning. Google routinely blocks exit nodes for large numbers of search queries. The NSA could also be watching exit nodes for scans/queries/attacks/connections to sensitive targets, government computers, terrorist forums, etc.
-
My guess is that it's exactly what it appears to be. A searchable database of their known Tor events. Traffic from exit nodes, traffic headed to entry guards, traffic flows between Tor nodes, traffic matching any DPI patterns to identify Tor, all the Tor data they can extrapolate from Tor routing database, up/down for relays and nodes, all the internal data from the Tor relays they operate, etc.
So you interpret "event" to mean every detected connection to, from and between Tor relays?
-
So are we talking about analyzing clearnet connections via exit nodes or are we talking about traffic analysis WITHIN the tor network? Because I thought the latter was impossible.
-
Nobody knows for sure.
I interpret "events" to mean patterns of connections that are interesting to the NSA.
-
It seems to me that whole program is for finding/tracking somebody. Esp the "GEOFUSION export" part which is GIS mapping. So it seems likely the NSA runs nodes and with this program you can check to see if said person has been traversing them, and maybe they (unluckily) used all 3 hops that were owned by NSA.
QFD (Quality Function deployment) in regular world lingo would mean deployment on Tor to maybe launch your MITM attack server, however this is NSA where all acronyms are completely different on purpose to detract from what they're actually doing. It would be Quack Flying Duck for all we know, yet another code word for lighting the constitution on fire.
It could also be that a targeted person is using a backdoored version of Tor. Schneier, and the Tor project believe the digital signatures on their builds are now meaningless, the NSA is probably MITM attacking targets and getting them to download backdoored Torbrowser bundles and these events are the backdoors reporting back to HQ. Scheneir in his blog's Sept 6 comments fully believes all open source projects including Linux can easily be "cheated" by subverting the download process and instead getting a nice MITM payload from the NSA instead of torproject.org
Hell, even torproject.org devs are now doing deterministic builds and no longer trust their own compilers, believing it would be the easiest way to automate a backdoor into every version of Tor, hide it in the compiler.
-
Of course the NSA has a backdoor or a method to analyze TOR traffic. The entire project is DOD related....
-
So you interpret "event" to mean every detected connection to, from and between Tor relays?
Yes. But obviously, I'm just making inferences like everybody else.
Logically, if you're going to provide an interface to grab SSL/TLS traffic by network/host, and your main interface contains a primary tab for that, and a second tab just for Tor, I'd expect that second tab to be roughly related to the first. i.e. not a deep text search interface or something, but a method to grab Tor events (I think we can probably trust the word "event" as meaning roughly what it always does). So what events could GCHQ be providing access to? The ones I listed are my best guess. And I'm guessing that while we're all focused on hidden service traffic, the majority of the traffic that interests them is destined for cleartext sites via exit nodes. Most paranoid/aggressive-view-of-their-capabilities explanation is that via traffic analysis, they could be as sophisticated as ending up with "events" like src_ip sent traffic to this entry guard, and the same traffic exited at Exit Node X, headed for www.eviljihad.com.
I guess they could somehow magically rip through Tor's encryption and view unencrypted streams, but that's a really big reach. I haven't seen anything remotely close to convincing me of that. And if they have, it's going to be using another interface. The one that the screenshots show is clearly a network-centric view. Who knows what you can deep dive down to from it.
And FYI, I think those screenshots are from GCHQ, not from NSA. The NSA version of the interface probably has a less entertaining name and a tab for drone strikes. :)
-
vpn ftw imo but i am far from poro with this shit
-
Would it be possible for the nsa or some other agency to slow down all the relays with bots except for the ones they own in order to try and track tor users?
-
Would it be possible for the nsa or some other agency to slow down all the relays with bots except for the ones they own in order to try and track tor users?
To me it seems that I am being routed through the same few exit nodes; GoldenDragon and Arachnide94 are two that I am seeing VERY OFTEN........
-
"Flying Pig"... this is a joke, right?
-
So are we talking about analyzing clearnet connections via exit nodes or are we talking about traffic analysis WITHIN the tor network? Because I thought the latter was impossible.
Traffic analysis on Tor is not impossible. Tor is like a stab vest. It will protect you from someone with a knife, but a gun will shoot right through it.
-
Of course the NSA has a backdoor or a method to analyze TOR traffic. The entire project is DOD related....
they dont have a backdoor - they have nodes.
there r 1.5 million new tor users and most all nodes etc.
it is approximated that 1/3 of those r being used to flood the real nodes and the rest r set up to handle
normal traffic that cant use the trusted older ones because of dos.
please use the new beta version of tor .4 .
it has a new handshake. check out the news on torproject.org and stay safe.
better yet use the new .7 and use it as a client.
the bot army isnt running a ton of info through tor just enough to dd the older nodes - be careful!
-
Very interesting, subbing.
Is anyone else amused by how they called the knowledge base "Flying Pig"? As in the idiom used to depict something that will never happen. Nice one, NSA. Got some clever minds working over there, huh?
-
subbing
interesting discussion to follow
-
To me it seems that I am being routed through the same few exit nodes; GoldenDragon and Arachnide94 are two that I am seeing VERY OFTEN........
Are you sure those are your EXIT nodes and not your entry nodes? Because it would make sense if Tor always uses those nodes as entry guards.
there r 1.5 million new tor users and most all nodes etc.
They are only clients, not nodes. If ti were nodes the Tor network would be faster, not slower/broken.
-
Would it be possible for the nsa or some other agency to slow down all the relays with bots except for the ones they own in order to try and track tor users?
To me it seems that I am being routed through the same few exit nodes; GoldenDragon and Arachnide94 are two that I am seeing VERY OFTEN........
Posting that on a public LEO monitored forum is probably a bad idea.
-
Would it be possible for the nsa or some other agency to slow down all the relays with bots except for the ones they own in order to try and track tor users?
To me it seems that I am being routed through the same few exit nodes; REDACTED and REDACTED are two that I am seeing VERY OFTEN........
Posting that on a public LEO monitored forum is probably a bad idea.
Quoting it on a public Leo monitored forum so the author can't change it may not be such a great idea either; just sayin'.
I'm also kind of curious about all this psyops the NSA supposedly does. Who's da rat among us, hmmm?! :P
-
Maybe we should have a serious talk about what a psyops unit would be tasking in this network.. NSA or otherwise.
-
Kinda related, hidden services will get a crypto update in Tor 0.2.5. Though this probably won't help against whatever the GCHQ/NSA is doing with their flying pigshit.
The future of Tor cryptography
Nick also plans to change more algorithms [25]: “Over the 0.2.5 series,
I want to move even more things (including hidden services) to
curve25519 and its allies for public key crypto.
https://lists.torproject.org/pipermail/tor-talk/2013-September/030021.html
Generally hidden services will probably get more attention by the Tor developers in the future, which is no surprise when there is an obviously up to no good adversary with a planetary surveillance system.
I'm posting the draft of a proposal that specifies how to hide HS
descriptors and addresses from the hidden service directories.
https://lists.torproject.org/pipermail/tor-dev/2013-August/005280.html
-
I've been enjoying reading your posts Baz, ty for your contributions to the community.
-
there r 1.5 million new tor users and most all nodes etc.
They are only clients, not nodes. If ti were nodes the Tor network would be faster, not slower/broken.
idk would tor be faster if they were on completely messed up and infected win xp boxes - i read they were nodes.
all of the info is under a week or longer and might be wrong but i trust the site i got the info from.
granted some of this is speculation as is everything but i choose to err on the side of caution.
took me a whole 1 min to download the new beta and set it up on an encrypted usb.
anywho dont run that as superuser.
-
Would it be possible for the nsa or some other agency to slow down all the relays with bots except for the ones they own in order to try and track tor users?
To me it seems that I am being routed through the same few exit nodes; REDACTED and REDACTED are two that I am seeing VERY OFTEN........
Posting that on a public LEO monitored forum is probably a bad idea.
Quoting it on a public Leo monitored forum so the author can't change it may not be such a great idea either; just sayin'.
I'm also kind of curious about all this psyops the NSA supposedly does. Who's da rat among us, hmmm?! :P
idk if nsa does psyops but i think fbi and cia does. there are psyops agents on here for sure.
-
Quoting it on a public Leo monitored forum so the author can't change it may not be such a great idea either; just sayin'.
I'm also kind of curious about all this psyops the NSA supposedly does. Who's da rat among us, hmmm?! :P
idk if nsa does psyops but i think fbi and cia does. there are psyops agents on here for sure.
I'm sure there are plenty of LE viewers of this site, and more than a handful of posters. This is probably one of the worst places imaginable to accidentally post personally revealing details, reuse usernames with any clearnet location indexed by Google, etc. Every once in a while, it's a good idea to go re-read all your previous posts and see what your little tidbits of sharing post-by-post add up to.
But some elaborate psyops campaign? To what end? Scaring people away from using SR? I'm not seeing the benefit to any large organized action. Sure, there are probably all kinds of folks trolling, some LE, but I'm guessing it's closer to a fat guy in the corner of the sheriff's office on some computer crimes squad with nothing better to do than it is a team of people in a datacenter at Ft. Meade. If I was going to launch some psyops campaign against SR, I'd start loading up sockpuppet identities to post lots and lots of "I got busted doing X!" threads. I'm guess there's some threshold of those that if done right, would undermine user confidence and discourage use to some degree.
You can go with the whole "babysitting discussions" theory, trying to steer topics away from certain subjects, but I've yet to see any threads here that are discussing anything that I can see someone being all that afraid of.
But you kinda have to assume that in any form of anonymous communication, the guy you're talking to might be a FBI agent, a college professor, or he might be somebody sitting in a trailer park, typing furiously into a rusty old 486, wearing only a bathrobe made out of human skin.
-
there r 1.5 million new tor users and most all nodes etc.
They are only clients, not nodes. If ti were nodes the Tor network would be faster, not slower/broken.
idk would tor be faster if they were on completely messed up and infected win xp boxes - i read they were nodes.
all of the info is under a week or longer and might be wrong but i trust the site i got the info from.
granted some of this is speculation as is everything but i choose to err on the side of caution.
took me a whole 1 min to download the new beta and set it up on an encrypted usb.
anywho dont run that as superuser.
No need to speculate, look at the node list. They are not nodes.