why do so many in the anonymity community use passive when they mean external?

[m0rph]

It is such a bad habit. A habit that I sometimes myself engage in. Passive means that the attacker doesn't modify data, it has no relation at all to their position. Global Passive Adversary is bad terminology, it should certainly be Global External Adversary. The conflation of passive and external seriously boggles the mind, and I hate to see the two used interchangeably, they cannot properly be used interchangeably.

[FlashLight]

yeah man

[ModernLove]

I feel that you're being passive-aggressive. I mean external-aggressive.

[El Presidente]

It is such a bad habit. A habit that I sometimes myself engage in. Passive means that the attacker doesn't modify data, it has no relation at all to their position. Global Passive Adversary is bad terminology, it should certainly be Global External Adversary. The conflation of passive and external seriously boggles the mind, and I hate to see the two used interchangeably, they cannot properly be used interchangeably.

In security circles the term "passive attacker/adversary" generally refers to an eavesdropper. We think this is the same terminology in cryptography.

An external attacker is just that,  an attacker who is external to the target system or organization.

By not using the word passive we assume active which suggests an attacker who will actively modify traffic flows, endpoint and systems etc. If you are referring to the adversary we think you are then it is true to say that they are very much not passive but active and (we hope) external.

[Hux]

A global passive adversary is what we are up against. They are not interfering with Tor (that we know of), they simply observe it which is what they are doing. They are a global passive adversary. External assumes they are not a part of the system but this is incorrect, Tor still builds on the same pathway the Internet in general uses are so they are not at all an external threat since they are inherently on the network and can control it on a larger scale if they did wish to.

[whom]

It's very difficult to find a generic term that fits.   Passive global adversary seemed appropriate when those entities seemed passive, primarily collecting and analyzing..  Most of their true power and capabilities still come from those epic passive monitoring capabilities, in spite of their obvious ability to launch attacks.  Many of those active options seem to rely on the passive capabilities, though..   i.e. without the ability to passively scrape a target's TCP sequence numbers on a request, it would be a *wee bit* harder to send a fake HTTP response back ahead of the legitimate one and get it up the stack far enough to make something go boom.   

And I think that to some degree, everyone focuses on their passive capabilities because that's the impressive part, and that's the part that often presents the largest overall risk to anonymity mechanisms.   Intersection attacks, traffic analysis, etc.

Everybody knows someone somewhere can always pwn anything; doesn't matter if it's a 14 year old or a multibillion dollar intelligence agency with that capability.   So we probably overfocus on the global passive data collection aspect, because that's really what makes those entities present unique threats.

Global External Adversary makes me think: Aren't all global adversaries *external*?  Could you have an internal one?  That  would suck. 

[Public Enemy #1]

It's very difficult to find a generic term that fits.   Passive global adversary seemed appropriate when those entities seemed passive, primarily collecting and analyzing..  Most of their true power and capabilities still come from those epic passive monitoring capabilities, in spite of their obvious ability to launch attacks.  Many of those active options seem to rely on the passive capabilities, though..   i.e. without the ability to passively scrape a target's TCP sequence numbers on a request, it would be a *wee bit* harder to send a fake HTTP response back ahead of the legitimate one and get it up the stack far enough to make something go boom.   

And I think that to some degree, everyone focuses on their passive capabilities because that's the impressive part, and that's the part that often presents the largest overall risk to anonymity mechanisms.   Intersection attacks, traffic analysis, etc.

Everybody knows someone somewhere can always pwn anything; doesn't matter if it's a 14 year old or a multibillion dollar intelligence agency with that capability.   So we probably overfocus on the global passive data collection aspect, because that's really what makes those entities present unique threats.

Its true that the bulk of the capability stems from the ability to watch almost any traffic. But I think the ability to inject arbitrary traffic and seemingly to perform active man in the middle attacks almost anywhere over the Inernet seriously ups the ante.

You all know that many protocols are vulnerable to various forms of mitm, cryptography usually provides some protection against that not just from a confidentiality perspective but also integrity. However, when you can cook up or steal certificates and keys the protection from the crypto becomes much less effective. And this they certainly can do in many cases. I'd be much happier if all they could do was sniff. I could live with that much easier.

The ability to deploy active manipulation of traffic flow and content "remotely" is very dangerous indeed.

Global External Adversary makes me think: Aren't all global adversaries *external*?  Could you have an internal one?  That  would suck. 

Wouldn't it! I think we should regard them as omnipresent (but not omnipotent)

[m0rph]

It is such a bad habit. A habit that I sometimes myself engage in. Passive means that the attacker doesn't modify data, it has no relation at all to their position. Global Passive Adversary is bad terminology, it should certainly be Global External Adversary. The conflation of passive and external seriously boggles the mind, and I hate to see the two used interchangeably, they cannot properly be used interchangeably.

That's the term the Tor devs use so most people talking about Tor use that term.

They use a stupid term though. They say passive but they mean external. In some of their papers I see them use the correct term, but very frequently people in Tor community use passive and external interchangeably. A GPA could own all of the nodes or watch the links between all the nodes, but they use it to mean the attacker watches all the links between nodes, so they really should say global external. A global active attacker can fuck Tor just as well, so it seems strange that they would specify a global passive attacker can pwn Tor. Any global attacker can pwn Tor, passive or active, internal or external. The primary differentiation is between Tor and Mix networks; a global internal passive attacker can totally pwn a mix network but a global external passive attacker cannot do it nearly as quickly, so the terminology they should use when saying that Tor is pwnt by a type of attacker is "Global external" not "global passive".  Because a mix network can be totally defeated by a global passive attacker too, but with a mix network the question is really if the attacker is global internal or global external, and so if they are making comparison between Tor and a mix network, they should definitely say global external because it is the positioning that matters for this comparison not if the attacker modifies/injects traffic or not.

[m0rph]

It's very difficult to find a generic term that fits.   Passive global adversary seemed appropriate when those entities seemed passive, primarily collecting and analyzing..  Most of their true power and capabilities still come from those epic passive monitoring capabilities, in spite of their obvious ability to launch attacks.  Many of those active options seem to rely on the passive capabilities, though..   i.e. without the ability to passively scrape a target's TCP sequence numbers on a request, it would be a *wee bit* harder to send a fake HTTP response back ahead of the legitimate one and get it up the stack far enough to make something go boom.   

And I think that to some degree, everyone focuses on their passive capabilities because that's the impressive part, and that's the part that often presents the largest overall risk to anonymity mechanisms.   Intersection attacks, traffic analysis, etc.

Everybody knows someone somewhere can always pwn anything; doesn't matter if it's a 14 year old or a multibillion dollar intelligence agency with that capability.   So we probably overfocus on the global passive data collection aspect, because that's really what makes those entities present unique threats.

Global External Adversary makes me think: Aren't all global adversaries *external*?  Could you have an internal one?  That  would suck. 

A global internal adversary is one that owns all of the nodes, you can actually protect from them with some schemes though, for example private stream searching and various PIR schemes provide computational receive anonymity even if there is a global internal attacker.

edit: Ahh I keep using passive/external and active/internal interchangeably, despite having made this thread for the entire purpose of bitching about it. Way to go Tor community, you have permanently fucked up the terminology.

This Taxonomy from the Military conflates them as well:

4.2.2
 Attackability.
Attackability is the combination of passive/external or active/internal. The objective
of any attack is to link sender and receiver, identify the sender or receiver for a particular
message, trace a sender forward/receiver back to messages or disrupt the system.
A passive/external adversary is an outsider that can only observe messages traversing
the network and is typically invisible.
 This adversary can only compromise
communication channels between nodes. In other words, it is a non-empty set of agents,
part of the surrounding of the anonymous system and capable of compromising links.
An active/internal adversary is an insider and may alter messages traversing the
network but is visible. This adversary controls nodes in the network. In other words, this
describes a non-empty set of agents which are part of the anonymous system and capable
of participating in normal communications and controlling at least some nodes.

I just think it is bad to tie passive directly to external and active directly to internal. What stops an attacker at an ISP from delaying your traffic to inject interpacket timing fingerprints? Are they then external since they don't have a node on the network, or are they internal since they are actively modifying traffic? The two terms just can't be conflated like that, clearly an ISP that inserts timing fingerprints into traffic is external (positioned between nodes) and active (modifying traffic). What about an attacker who owns nodes on the network but doesn't, for whatever reason, modify or inject traffic? They are internal (own nodes) passive (don't modify or inject traffic).

[tootiefruitie]

I just think it is bad to tie passive directly to external and active directly to internal. What stops an attacker at an ISP from delaying your traffic to inject interpacket timing fingerprints? Are they then external since they don't have a node on the network, or are they internal since they are actively modifying traffic? The two terms just can't be conflated like that, clearly an ISP that inserts timing fingerprints into traffic is external (positioned between nodes) and active (modifying traffic). What about an attacker who owns nodes on the network but doesn't, for whatever reason, modify or inject traffic? They are internal (own nodes) passive (don't modify or inject traffic).

If an 1st grade teacher depends on a student to deliver written correspondence to another faculty member, would the child's lack of faculty credentials & vocabulary qualify him as being on the EXTERIOR of the school?

You are confused, sir.

[m0rph]

I just think it is bad to tie passive directly to external and active directly to internal. What stops an attacker at an ISP from delaying your traffic to inject interpacket timing fingerprints? Are they then external since they don't have a node on the network, or are they internal since they are actively modifying traffic? The two terms just can't be conflated like that, clearly an ISP that inserts timing fingerprints into traffic is external (positioned between nodes) and active (modifying traffic). What about an attacker who owns nodes on the network but doesn't, for whatever reason, modify or inject traffic? They are internal (own nodes) passive (don't modify or inject traffic).

If an 1st grade teacher depends on a student to deliver written correspondence to another faculty member, would the child's lack of faculty credentials & vocabulary qualify him as being on the EXTERIOR of the school?

You are confused, sir.

I doubt I'm confused, I've been studying anonymity for a long time, and I think that the terminology in this specific instance is currently shit. Tying passive to external and active to internal doesn't allow you to talk about an ISP that inserts interpacket timing fingerprints, or a node that doesn't modify traffic. By not tying the two words together in such a strange way (why even have two words??), we can talk about more things more clearly. Tying them together makes it impossible to talk about some things in a clear way. Also, your analogy is close to nonsensical to me, I kind of see what you were attempting to go for, but it's very poorly mapped, and you failed to contribute any meaningful information (other than the apparent fact that you are willing to talk about things you don't understand and then accuse others of being confused).

[tootiefruitie]

The source of your confusion:  "The slash is most commonly used as the word substitute for "or" which indicates a choice (often mutually-exclusive) is present. "   

4.2.2
 Attackability.
Attackability is the combination of passive/external or active/internal. The objective
of any attack is to link sender and receiver, identify the sender or receiver for a particular
message, trace a sender forward/receiver back to messages or disrupt the system.

Do you understand what this means here?..... this quote you used allows for both Active External (DDoS is the only example that comes to mind) and Passive Internal (e.g. a logging-only node) as subcategories for our (booo) adversaries.

until here:

A passive/external adversary is an outsider that can only observe messages traversing
the network and is typically invisible.
 This adversary can only compromise
communication channels between nodes. In other words, it is a non-empty set of agents,
part of the surrounding of the anonymous system and capable of compromising links.
An active/internal adversary is an insider and may alter messages traversing the
network but is visible. This adversary controls nodes in the network. In other words, this
describes a non-empty set of agents which are part of the anonymous system and capable
of participating in normal communications and controlling at least some nodes.

My point before was primarily just that your ISP-based example is an INTERNAL part of the data chain that it is fingerprinting.

[tootiefruitie]

I think this is the result of the evolution from  something like

Passive adversaries (typically External)  ,  Active adversaries (almost always Internal) to   Passive/External, Active/Internal

Also, it should be considered that, if an adversary reroutes traffic through itself in order to sniff, but makes no changes directly to the data being transferred; that adversary is ACTIVELY affecting the data stream in question, and is INTERNAL as part of data's route, but is also PASSIVE and EXTERNAL in regard to the packets' respective Application Layers in use (HTTP and IRC seem to be the two examples worth specifying here).


Also important:   "A global passive adversary would be a person or an entity able to monitor at the same time the traffic between all the computers in a network." Your suggestion of "global external adversary" would only be possible in this sense if no Tor Nodes, ISP servers, etc. were needed to monitor all traffic network..... unless your meaning is external of the Tor network ...... but, as we can see, this brings more possible confusion.  Also, the idea of a global passive adversary encompasses the threat of a "global external adversary", unless I am simply unaware of an existing example of an adversary actively affecting a network from an external position.   Time based fingerprinting by an ISP server, for instance, is only active external of the Tor Network (making it passive and external in regard to tor traffic).

[tootiefruitie]

I doubt I'm confused, I've been studying anonymity for a long time, and I think that the terminology in this specific instance is currently shit. Tying passive to external and active to internal doesn't allow you to talk about an ISP that inserts interpacket timing fingerprints, or a node that doesn't modify traffic. By not tying the two words together in such a strange way (why even have two words??), we can talk about more things more clearly. Tying them together makes it impossible to talk about some things in a clear way. Also, your analogy is close to nonsensical to me, I kind of see what you were attempting to go for, but it's very poorly mapped, and you failed to contribute any meaningful information (other than the apparent fact that you are willing to talk about things you don't understand and then accuse others of being confused).

If an 1st grade teacher depends on a student to deliver written correspondence to another faculty member, would the child's lack of faculty credentials & vocabulary qualify him as being on the EXTERIOR of the school?

Outside the realm of young adult fiction, rhetoric can take many forms beyond the common interrogative analogy!  It's OK! I'll explain!

This statement's intent was
1. to act as a reflection of your misdirected logic.  (e.g. the idea that an ISP is somehow active within the Tor network simply because it can delay packets and record the duration of that delay, when in reality it's active on the Internet Layer/Transport Layer....where it is also INTERNALLY POSITIONED)
2. to resonate your thread's established theme and tone of self-justification, determined by the OP's attacks on some vocabulary-based miscommunication/confusion, yet no evidence that this "issue" has had any measurable or even anecdotal detriment to anyone active within the field(s) of study concerned
3. helping act as a source of familiarity for anyone of the intellectual level for this to be an actual issue, through use of a 1st grade student and the accompanying setting. (inclusion of the very young and/or disabled is always a worthwhile endeavor!)

[Jesus H Christ]

I doubt I'm confused, I've been studying anonymity for a long time, and I think that the terminology in this specific instance is currently shit. Tying passive to external and active to internal doesn't allow you to talk about an ISP that inserts interpacket timing fingerprints, or a node that doesn't modify traffic. By not tying the two words together in such a strange way (why even have two words??), we can talk about more things more clearly. Tying them together makes it impossible to talk about some things in a clear way. Also, your analogy is close to nonsensical to me, I kind of see what you were attempting to go for, but it's very poorly mapped, and you failed to contribute any meaningful information (other than the apparent fact that you are willing to talk about things you don't understand and then accuse others of being confused).

If an 1st grade teacher depends on a student to deliver written correspondence to another faculty member, would the child's lack of faculty credentials & vocabulary qualify him as being on the EXTERIOR of the school?

Outside the realm of young adult fiction, rhetoric can take many forms beyond the common interrogative analogy!  It's OK! I'll explain!

This statement's intent was
1. to act as a reflection of your misdirected logic.  (e.g. the idea that an ISP is somehow active within the Tor network simply because it can delay packets and record the duration of that delay, when in reality it's active on the Internet Layer/Transport Layer....where it is also INTERNALLY POSITIONED)
2. to resonate your thread's established theme and tone of self-justification, determined by the OP's attacks on some vocabulary-based miscommunication/confusion, yet no evidence that this "issue" has had any measurable or even anecdotal detriment to anyone active within the field(s) of study concerned
3. helping act as a source of familiarity for anyone of the intellectual level for this to be an actual issue, through use of a 1st grade student and the accompanying setting. (inclusion of the very young and/or disabled is always a worthwhile endeavor!)

Words are not m0rph's strong suit. He's got a very limited vocabulary, and isn't all that bright.

But I don't doubt that he's an expert on security and anonymity; he's got to be because he's engaged in the kiddie porn trade:
http://silkroad5v7dywlc.onion/index.php?topic=1972.375

[whom]

Oh, god, please don't troll that frickin thread over here in Security.  If I wanted to read that never-ending back-and-forth of debate, I'd go to the one thread where it's allowed at SRF.   And this isn't that one.

I personally don't give two shits whether m0rph is a good person or a horrible one.   Guessing that, like all of us, he's probably somewhere in the middle.   He often has good perspectives on technology and security.   He keeps those arguments over there, and these arguments over here.   

If I can learn something, or figure something out, talking to *anybody*, from the Pope to the fucking Antichrist, I'll do so.  And happily.   Don't need any learning or new opinions on CP, so I'll leave that thread to you guys.

If he starts dragging you guys into some endless mathematical discussion of bloom filters in your CP thread, please feel free to tell him to take that shit over here instead. 

[m0rph]

The source of your confusion:  "The slash is most commonly used as the word substitute for "or" which indicates a choice (often mutually-exclusive) is present. "   

4.2.2
 Attackability.
Attackability is the combination of passive/external or active/internal. The objective
of any attack is to link sender and receiver, identify the sender or receiver for a particular
message, trace a sender forward/receiver back to messages or disrupt the system.

Do you understand what this means here?..... this quote you used allows for both Active External (DDoS is the only example that comes to mind) and Passive Internal (e.g. a logging-only node) as subcategories for our (booo) adversaries.

until here:

A passive/external adversary is an outsider that can only observe messages traversing
the network and is typically invisible.
 This adversary can only compromise
communication channels between nodes. In other words, it is a non-empty set of agents,
part of the surrounding of the anonymous system and capable of compromising links.
An active/internal adversary is an insider and may alter messages traversing the
network but is visible. This adversary controls nodes in the network. In other words, this
describes a non-empty set of agents which are part of the anonymous system and capable
of participating in normal communications and controlling at least some nodes.

My point before was primarily just that your ISP-based example is an INTERNAL part of the data chain that it is fingerprinting.

ISP attacker is NOT internal they are external.

Passive adversaries (typically External)  ,  Active adversaries (almost always Internal) to   Passive/External, Active/Internal

Not correct to say active adversaries are almost always internal, absolutely nothing stops an external adversary from modifying traffic flows.

Also, it should be considered that, if an adversary reroutes traffic through itself in order to sniff, but makes no changes directly to the data being transferred; that adversary is ACTIVELY affecting the data stream in question, and is INTERNAL as part of data's route, but is also PASSIVE and EXTERNAL in regard to the packets' respective Application Layers in use (HTTP and IRC seem to be the two examples worth specifying here).

Jesus Christ please just shut up if you don't have a clue what you are talking about. You are essentially just making shit up as you go.

Also important:   "A global passive adversary would be a person or an entity able to monitor at the same time the traffic between all the computers in a network." Your suggestion of "global external adversary" would only be possible in this sense if no Tor Nodes, ISP servers, etc. were needed to monitor all traffic network..... unless your meaning is external of the Tor network ...... but, as we can see, this brings more possible confusion.  Also, the idea of a global passive adversary encompasses the threat of a "global external adversary", unless I am simply unaware of an existing example of an adversary actively affecting a network from an external position.   Time based fingerprinting by an ISP server, for instance, is only active external of the Tor Network (making it passive and external in regard to tor traffic).

External *DOES MEAN* external from the Tor network. That is what external means. It means between nodes on an overlay, versus internal which means inside nodes on an overlay. Adversaries can easily actively affect a network from an external position, already gave an example, ISP can delay packets to insert timing fingerprints, that is an active attack carried out from an external position.

[m0rph]

I doubt I'm confused, I've been studying anonymity for a long time, and I think that the terminology in this specific instance is currently shit. Tying passive to external and active to internal doesn't allow you to talk about an ISP that inserts interpacket timing fingerprints, or a node that doesn't modify traffic. By not tying the two words together in such a strange way (why even have two words??), we can talk about more things more clearly. Tying them together makes it impossible to talk about some things in a clear way. Also, your analogy is close to nonsensical to me, I kind of see what you were attempting to go for, but it's very poorly mapped, and you failed to contribute any meaningful information (other than the apparent fact that you are willing to talk about things you don't understand and then accuse others of being confused).

If an 1st grade teacher depends on a student to deliver written correspondence to another faculty member, would the child's lack of faculty credentials & vocabulary qualify him as being on the EXTERIOR of the school?

Outside the realm of young adult fiction, rhetoric can take many forms beyond the common interrogative analogy!  It's OK! I'll explain!

This statement's intent was
1. to act as a reflection of your misdirected logic.  (e.g. the idea that an ISP is somehow active within the Tor network simply because it can delay packets and record the duration of that delay, when in reality it's active on the Internet Layer/Transport Layer....where it is also INTERNALLY POSITIONED)
2. to resonate your thread's established theme and tone of self-justification, determined by the OP's attacks on some vocabulary-based miscommunication/confusion, yet no evidence that this "issue" has had any measurable or even anecdotal detriment to anyone active within the field(s) of study concerned
3. helping act as a source of familiarity for anyone of the intellectual level for this to be an actual issue, through use of a 1st grade student and the accompanying setting. (inclusion of the very young and/or disabled is always a worthwhile endeavor!)

Tootiefrutie you obviously just don't understand these words or this topic so instead of being a condescending shit and thinking you are proving me wrong (you are not) why don't you just shut the fuck up and fuck off?

Internal = Owns Nodes On The Network, aka: internal to the network overlay
External = Watches Links Between Nodes On The Network, aka: external to the network overlay
Active = Modifies Traffic Streams Or Injects Traffic, aka: actively modifies traffic
Passive = Watches Traffic Without Modifying It Or Adding Any, aka: passively observes traffic

clearly once we have these definitions, which are the best, you cannot say that passive is equal to external or that active is equal to internal. Because then you limit your ability to talk precisely. What the fuck is an ISP that inserts interpacket timing delay then? With my words (and the way many people use them) it would be external active. But then you get a lot of people using internal and active interchangeably, and that would mean it would be okay to say the attacker is external internal, but that is just fucking stupid. People are improperly using active and internal synonymously, and improperly using passive and external synonymously, period, end of story. If you have something that makes sense to say then say it but if you don't have the slightest clue don't just babble at me. 

Saying   Tor falls to a global passive adversary is a stupid way of saying Tor falls to a global external adversary. A mix network will fall to a passive internal adversary too! Passive has nothing to do with what they are talking about, external does.