I spent some time looking at this. I can't find the source, but things appear to point to the Pirate Browser from The Pirate Bay. As mentioned on the tor-talk mailing list, The Pirate Bay website is a high-ranking site, and on the 10th of August it linked to the Pirate Browser from one of the 10 or so links under the search. The archive.org cache shows this clearly. So why didn't the uptick happen until the 19th? I can't explain it. Twitter conversations increased around the 16th. News articles seem constant from the 10th onward.
Initially I assumed a conspiracy to flood the network or conduct research when I read about abnormal spikes for India and Brazil, but actually looking at the graphs, the huge spikes are across most nations.
For reference, I checked the source code for the graphs page and how the data is compiled, and the only data available for user count is country, so at the moment there is no way to do pattern analysis for Tor version or the like to definitively point to the Pirate Browser.
I was initially worried about end-to-end traffic, but saw that the exit nodes and bridges haven't increased. If Google search traffic is a fair indicator, it looks like genuine user growth is driving this. Google searches for "tor" haven't seemed to move much globally [1] but Russia saw a huge jump starting on August 16th [2].
Anyone know how to get the same info for Yandex to cross-check?
The RU increase is relatively minor compared to the 50-60k user increase in the US. I find it very difficult to believe that these increases represent new actual people using Tor for web. The botnet-theory seems far more likely.
I don't buy it, PirateBrowser cannot possibly attract 600k users: if someone wants to use Tor, TorBundle is good enough. It's a crystal-clear botnet massively infecting computers (Java for local and something else, RPC? for remote access) running through Tor to hide the mothership.
An NSA attack would be possible, but seriously, they would get 1 out of 100 targeted users. I don't think it's worth the effort and I think they're not so stupid. Then again they are severely more stupid than we used to think... so everything is possible. My money is on the botnet theory though.
Stupid? Effectively intercepting telecommunications from not only within and with the consent of the 'big players' networks, but also assuring they achieve total surveillance through compromising undersea cables is quite the feat. Storing data until they have the machine power to break encryption strikes me as clever and prudent, not stupid.
Stupid is disparaging an entity that has engineered around entire industry and international infrastructure to accomplish their goals.
But yeah, botnet sounds like it's right on the money. When does the NSA's Utah data center go online?
>Stupid? Effectively intercepting telecommunications from not only within and with the consent of the 'big players' networks, but also assuring they achieve total surveillance through compromising undersea cables is quite the feat. Storing data until they have the machine power to break encryption strikes me as clever and prudent, not stupid.
The 'stupid' part is that any random contract sysadmin could pull huge amounts of data without setting off any alarms. I mean, this isn't some tiny VPS provider, where you might expect all the admins to have root. This is the fucking NSA. They should have tight control and logging over who accesses what, and if they have a master key, the folks with access to that master key ought to be fully vetted employees, and there ought to be few of those people.
Sure, it's hard to design a system where your sysadmins don't have full access, but not nearly as hard as everything else they've done.
This is what I find so shocking about the leak. We all knew that the government was spying on us. The shocking part is that they don't have any better security than I have when it comes to storing that data.
I mean, this is the leak we know of... how much do you want to bet that someone else has already used this data for personal gain, without the public or even the NSA finding out?
It's one thing to keep all my internet history, and use it for investigations... it's quite another to keep all that data where any random contractor can come in and fish through it without setting off alarms.
No matter what you think about the rightness or wrongness of the spying itself, I think we can all agree that if they must collect data, they must also secure that data, and this leak proves that they have not done so.
Let's be fair, they can still be stupid. Achieving what you have said, getting that kind of access, is easy if you are the US govt/NSA/CIA. They have unlimited funds, near zero regulatory oversight and a huge fucking army backing them. So yes, they can do this, but they can still be stupid.
Now the clever guy is the guy that can get that access without access to the resources of the NSA.
Relays haven't increased correspondingly, so it's not a straightforward correlation attack.
Here's a list of hypotheses:
1. The recent Russian censorship crackdown.
2. Botnets using Tor to search for vulnerable systems and to hide the C&C server.
3. US publicity following the recent NSA news events.
4. The Pirate Browser's use of Tor.
5. An OP (client) based vulnerability in the network.
If you have upstream collection on the backbones, then you might be able to fingerprint hidden services with staggered connection floods (watermarking). Also, you may be able to do stream watermarking on the OP->Hidden Service traffic through the Tor cell delay side channel. That seems very possible.
Edit: Another possibility just occurred to me. You could use the OP clients to overload the relays you don't control, driving traffic to the attacker's hostile relays.
Something in my gut says that's not right though... Mostly because this is so very amateurish, with no slow ramp up of nodes, etc. Then again, the Freedom Host takedown wasn't exactly a model of subtlety either.
Botnets have started to use Tor in a major way for C&C. Of all the above, (2) seems most likely.
If someone really wants to find out, stand up a couple exit nodes on EC2 and watch the exit traffic pcap. That might be a bit dodgy in light of ECPA, but after all it's just metadata, right? ;)
> If someone really wants to find out, stand up a couple exit nodes on EC2 and watch the exit traffic pcap.
Ideally it would be someone who has had such set up from before the spike, so that there is a baseline for computing the increase.
Also, an arbitrary set of exit nodes is obviously not guaranteed to capture the spike. In fact there might be no spike at all in exit traffic (quote:) "So while there are a bunch of new Tor clients running, it would seem they're not doing much."
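The baseline comparison suggested above, as an added example that is not part of any comment in this thread and not Tor Project code. It assumes daily per-country user estimates shaped like the Tor Metrics graphs (one count per country per day, which the thread notes is the only breakdown available) plus a network-wide client count and relayed-bandwidth series. All series below are constructed for illustration, not real measurements. It flags countries whose latest count is a multiple of their pre-spike baseline, measures how broad the spike is across countries, and compares client growth against bandwidth growth, which is the "lots of new clients that aren't doing much" signal discussed further down.

```python
"""Per-country spike check against a pre-spike baseline (added example)."""
from statistics import median

WINDOW = 7  # days of pre-spike history used as the baseline

# Constructed 14-day series per country (days 1-7 quiet, days 8-14 spike).
# Assumed shape: one daily user estimate per country; values are invented.
SAMPLE_USERS = {
    "us": [90_000] * 7 + [92_000, 95_000, 120_000, 135_000, 145_000, 150_000, 153_000],
    "ru": [20_000] * 7 + [21_000, 22_000, 30_000, 36_000, 40_000, 42_000, 44_000],
    "gb": [25_000] * 7 + [25_500, 26_000, 35_000, 42_000, 48_000, 50_000, 50_000],
    "bg": [3_000] * 7 + [3_100, 3_200, 8_000, 15_000, 20_000, 22_000, 24_000],
    "de": [45_000] * 7 + [45_500, 46_000, 47_000, 47_500, 48_000, 48_500, 49_500],
}

# Constructed network-wide series: total clients and total relayed bandwidth.
SAMPLE_TOTAL_USERS = [600_000] * 7 + [610_000, 630_000, 800_000, 950_000,
                                      1_050_000, 1_150_000, 1_200_000]
SAMPLE_BANDWIDTH_MBPS = [2_000] * 7 + [2_010, 2_020, 2_050, 2_080, 2_090, 2_100, 2_100]


def baseline(series, window=WINDOW):
    """Median of the first `window` days: robust to a single odd day."""
    return median(series[:window])


def growth_ratio(series, window=WINDOW):
    """Latest value divided by the pre-spike baseline, rounded to 2 places."""
    return round(series[-1] / baseline(series, window), 2)


def flag_spikes(per_country, threshold=2.0, window=WINDOW):
    """Countries whose latest count is at least `threshold` x baseline,
    largest ratio first."""
    ratios = {c: growth_ratio(s, window) for c, s in per_country.items()}
    flagged = {c: r for c, r in ratios.items() if r >= threshold}
    return dict(sorted(flagged.items(), key=lambda kv: kv[1], reverse=True))


def spike_breadth(per_country, threshold=2.0, window=WINDOW):
    """Fraction of countries flagged. Near 1.0 means the jump is global
    (a software release or malware); near 0 means it is local (a crackdown)."""
    return len(flag_spikes(per_country, threshold, window)) / len(per_country)


def idle_client_ratio(total_users, bandwidth, window=WINDOW):
    """Client growth divided by bandwidth growth. Well above 1 means the
    new clients are mostly sitting idle rather than browsing."""
    return round(growth_ratio(total_users, window) / growth_ratio(bandwidth, window), 2)


if __name__ == "__main__":
    print("flagged:", flag_spikes(SAMPLE_USERS))
    print("breadth:", spike_breadth(SAMPLE_USERS))
    print("idle-client ratio:", idle_client_ratio(SAMPLE_TOTAL_USERS, SAMPLE_BANDWIDTH_MBPS))
```

With the constructed numbers, Bulgaria comes out at 8x, Russia at 2.2x and the UK at 2x, three of five countries are flagged, and clients roughly double while bandwidth barely moves, so the idle-client ratio is about 1.9. The median baseline matters: a single noisy day before the spike would otherwise distort every ratio.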
> So while there are a bunch of new Tor clients running, it would seem they're not doing much.
Huh, didn't notice that. Should have seen it from the network bandwidth graph. It's even more odd in some ways than the OP spike.
I've got a fairly good understanding of the mechanics of the Tor network having studied it down to the packet level, modified the source for academic experiments, etc. I can't think of any reason that would compromise anonymity where it would help to have a whole bunch of mostly idle OPs idling on the network.
Maybe a botnet C&C with low bandwidth staggered command orders, or maybe it's infrastructure building for something that hasn't been activated yet. Or of course the more mundane explanation that lots of people downloaded the clients after the recent publicity, and don't really use the browser bundles.
I think the most likely reason for this one is pretty obvious. If we do not hear of any social effect contributing to the explosion, such as China or India adding massive numbers of people, then my money would be on somebody getting a massive botnet on Tor.
I'm speculating heavily, but it might be beneficial to precompute some kind of timing map for a large portion of the network in order to have a baseline for future timing analysis attacks. I only have a very vague idea of how that might be useful, so this is low probability.
Ok, I can't think of an attack that could be accomplished by controlling half the traffic on the network. It doesn't mean there isn't one, but I can't think of it. I think that was a bad guess on my part.
Guard nodes make it so only a certain number of certain types of nodes are visible to any client. By controlling a huge number of clients, you are able to enumerate them much more easily.
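The guard-enumeration idea in the comment above, as an added simulation that is not from this thread and not Tor's own guard-selection code. It assumes a simplified model: each client picks a fixed number of guards (three here, an assumption) with probability proportional to guard bandwidth, and the relay weights are constructed. It shows why controlling many clients matters: the few high-bandwidth guards show up almost immediately, but the long tail of small guards takes many clients to enumerate.

```python
"""Guard enumeration by running many clients (added simulation)."""
import random

N_GUARDS = 200
GUARDS_PER_CLIENT = 3  # assumed number of guards each client keeps


def guard_weights(n_guards=N_GUARDS):
    """Constructed bandwidth-like weights: a few big guards, a long tail."""
    return [(i + 1) ** 2 for i in range(n_guards)]


def pick_guards(weights, k, rng):
    """Weighted draws (proportional to bandwidth) until k distinct guards."""
    chosen = set()
    while len(chosen) < k:
        chosen.add(rng.choices(range(len(weights)), weights=weights)[0])
    return chosen


def enumerate_guards(n_clients, k=GUARDS_PER_CLIENT, weights=None, seed=1):
    """Union of the guards observed across n_clients controlled clients.
    A fixed seed makes runs with more clients extend runs with fewer."""
    weights = weights or guard_weights()
    rng = random.Random(seed)
    seen = set()
    for _ in range(n_clients):
        seen |= pick_guards(weights, k, rng)
    return seen


def coverage(n_clients, k=GUARDS_PER_CLIENT, weights=None, seed=1):
    """(fraction of guards seen, fraction of guard bandwidth seen)."""
    weights = weights or guard_weights()
    seen = enumerate_guards(n_clients, k, weights, seed)
    by_count = len(seen) / len(weights)
    by_weight = sum(weights[i] for i in seen) / sum(weights)
    return by_count, by_weight


if __name__ == "__main__":
    for n in (1, 10, 100, 1000, 5000):
        by_count, by_weight = coverage(n)
        print(f"{n:5d} clients: {by_count:.0%} of guards, {by_weight:.0%} of guard bandwidth")
```

The bandwidth-weighted coverage runs well ahead of the by-count coverage for small client populations, and the by-count figure keeps climbing long after the bandwidth figure has saturated. That gap is the part of the guard set an observer only reaches by operating many clients.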
The number of directly connecting users from Russia does appear to have doubled [1], but this can also be seen in UK user numbers [2]. For such an increase to be seen globally my hunch is that this is down to either the Pirate Browser [3] or some other software release - not necessarily a response to a particular law being passed, NSA leak etc.
And usage from Bulgaria increased seven to eight times [1]. This is really strange, I don't know anybody who uses tor on purpose. My money is on a bittorrent client connecting automatically.
I will wager that some somewhat popular high-bandwidth application (bittorrent client?) has integrated tor in some way, and they released the version with that integration about a week ago.
If a government entity had enough tor exit nodes and peers in place, might they catch some traffic end-to-end, and therefore be able to track usage of some people?
I can't speak to the cause of the jump, but a single entity controlling a large amount of the network is a known weakness in Tor. Essentially, Tor is designed to be a low-latency system. This means that if someone controls both the entry and exit node you use, they can correlate the timing of your packets and de-anonymize you. Having internal nodes probably helps, as would having ISP access.
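The end-to-end timing correlation described in the comment above (and the passive form of the upstream watermarking idea raised earlier in the thread), as an added simulation that is not from this thread and not Tor code. It assumes an observer who sees a client's packets at the entry side and a set of shuffled, delayed streams at the exit side; the streams are constructed random on/off bursts with added delay and jitter, not captured traffic. Linking works on timing alone: nothing is decrypted, and, consistent with the point that relays did not grow, a pile of idle clients contributes nothing to it.

```python
"""End-to-end timing correlation on a low-latency network (added example)."""
import random
from statistics import mean, pstdev

DURATION_S = 60      # seconds of observation
BIN_S = 1.0          # width of the timing histogram bins
MAX_SHIFT_BINS = 3   # unknown path latency to search over


def make_entry_flows(n_flows, seed=7, on_prob=0.3, rate=5):
    """Constructed entry-side packet timestamps: each flow is bursty,
    sending `rate` packets during each second it happens to be 'on'."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n_flows):
        ts = []
        for second in range(DURATION_S):
            if rng.random() < on_prob:
                ts.extend(second + rng.random() for _ in range(rate))
        flows.append(sorted(ts))
    return flows


def observe_at_exit(entry_flows, seed=11, base_delay=0.25, jitter=0.15):
    """Exit-side view: every packet arrives after a delay plus jitter, and
    the streams are shuffled so the observer does not know their origin.
    Returns (exit_flows, truth) with truth[exit_index] = entry_index."""
    rng = random.Random(seed)
    truth = list(range(len(entry_flows)))
    rng.shuffle(truth)
    exit_flows = [[t + base_delay + rng.uniform(0, jitter) for t in entry_flows[i]]
                  for i in truth]
    return exit_flows, truth


def bin_counts(timestamps, n_bins=int(DURATION_S / BIN_S) + MAX_SHIFT_BINS + 1):
    """Packets per time bin: the only feature the observer needs."""
    counts = [0] * n_bins
    for t in timestamps:
        b = int(t / BIN_S)
        if b < n_bins:
            counts[b] += 1
    return counts


def pearson(a, b):
    """Correlation coefficient; 0.0 when either series is flat."""
    if pstdev(a) == 0 or pstdev(b) == 0:
        return 0.0
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b)) / len(a)
    return cov / (pstdev(a) * pstdev(b))


def best_correlation(entry_counts, exit_counts):
    """Max correlation over a few bin shifts, so an unknown path latency
    does not hide the match."""
    return max(pearson(entry_counts[:len(entry_counts) - s], exit_counts[s:])
               for s in range(MAX_SHIFT_BINS + 1))


def link_streams(entry_flows, exit_flows):
    """For each exit stream, the index of the entry flow whose timing fits best."""
    entry_bins = [bin_counts(f) for f in entry_flows]
    linked = []
    for ef in exit_flows:
        eb = bin_counts(ef)
        scores = [best_correlation(nb, eb) for nb in entry_bins]
        linked.append(max(range(len(scores)), key=scores.__getitem__))
    return linked


def link_accuracy(n_flows=6):
    """Fraction of exit streams linked to the correct entry flow."""
    entry = make_entry_flows(n_flows)
    exit_flows, truth = observe_at_exit(entry)
    guess = link_streams(entry, exit_flows)
    return sum(g == t for g, t in zip(guess, truth)) / n_flows


if __name__ == "__main__":
    print("linked correctly:", link_accuracy())
```

Binning packet counts and taking the best correlation over a small latency window is enough to link every constructed stream; with real traffic the same structure applies, with the observer's two vantage points being the limiting factor rather than the math.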
I started to use the Tor browser bundle this week. Mainly because of the whole NSA/Snowden thing. Plus Tor was in the news a lot from the Freedom Hosting takedown, so I was reminded several times that I should test it out.
Maybe many others experienced the same? At least I have had enough. Obama is tracing me no more!
Just tried it. Nothing has changed. Browsing with TOR is ~30 times slower than normal browsing. It means it takes 2-3 seconds to load google.com, and 30s-1min to load my local news page, 15min.lt. I don't know who downvoted me for stating this fact, but he either doesn't use TOR or the nodes are near his physical location.
Occasionally you get a slow path. If this happens and you're in a hurry, just press the "New Identity" button to get a new random path. It usually works.
It's whack-a-mole, basically. Amazon has not been too keen on dealing with abuse reports that I've seen, and even then, criminals setting up botnets and exits on AWS are almost certainly using stolen identities.
Botnet scraper. Or maybe a zero day in Tor that the NSA might have discovered and is trying to exploit.
600K to 1.2 million is effectively double the traffic.
But what bothers me is that all of these are clients; if they were relays then that would make sense. But the NSA has gotten more aggressive and out-front after the leaks though.
The linked paper describes an attack on Tor that relies on percentage of network ownership to deanonymize communications.
I thought that this might be what is going on, but since the increase seems to be clients and not new nodes I assume that this is not the case, however the paper is kinda cool anyways.
Whenever there's discussion of timing attacks on Tor, somebody always says "that's impossible unless they were able to monitor a very significant amount of all Tor traffic. Tor is safe."
Somehow, they don't realize that the NSA's upstream program is exactly that. They've been intercepting any Internet traffic they can get their hands on all the way back to 2003. Tor is not safe.
I've got a really poor internet connection (for free) with about 16kb/s up/down, and it seems from my position that many of you are fastidious about "tor is slow / slows down my internet usage". I cannot say that Tor usage slows anything for me. Maybe my connection speed does not satisfy any of your internet claims?! (trapped in a loop - sorry, can't fix the problem..)
pirate browser - http://piratebrowser.com/ - was released on the 10th, and only uses tor when normal access doesn't work (so would explain the low use).
It seems possible someone is revving up the engines on their botnet in anticipation of some upcoming event.
But this is hardly the first time someone has noticed malware spreading exponentially over the network. Correlation to current newsworthy events may be completely accidental.