
Anonymity Is Hard - j_s
http://grugq.github.io/blog/2013/03/12/anonymity-is-hard/
======
patio11
_The adversary, Hezbollah, used access to the telephone company logs (they
have those), and searched for atypical mobile phone usage patterns:_

Word to the wise, for people contemplating picking a nation state as the
adversary for their circumvention tool programming project: see the amount of
sophistication and technology involved here? Many countries routinely direct
substantially more resources at, and I mean this _entirely_ literally, killing
mosquitoes.

~~~
pa5tabear
Malaria kills more than half a million people every year, and mosquitoes are
the primary vector.

Killing mosquitoes is not trivial.

~~~
pyre
... so we should learn OpSec from mosquitoes?

~~~
saraid216
My instincts say that I should link Goonswarm from EVE Online at this point.

------
cs702
Key insight: _" The problem with many security systems based purely on secrecy
is that their usage is itself anomalous. It singles out and attracts attention
to the users."_ In other words, the very use of secrecy is itself a weakness
that can be exploited by attackers.

~~~
lambda
And this is why privacy advocates try to push for pervasive cryptography. If
everyone's traffic is encrypted, then use of crypto doesn't bring suspicion on
you.

This is why I'm somewhat dubious about Tor. While it can be a valuable tool,
by it's nature it routes you between 3 other machines, which may be spread all
over the world, thus substantially impacting performance. It can't really be
used by the general population, as opposed to, say, encrypted email which if
implemented well would have negligible impact.

~~~
dmix
3-5 anonymous hops wouldn't be a bad thing in the future, say ~5yrs assuming
continued investment in better broadband infrastructure as well as investment
in Tor nodes.

The performance drop could hypothetically be unnoticeable to the user. Just as
most TCP handshakes are.

This has to become a movement indeed towards pervasive cryptography. Tor's
design isn't the real problem. The lack of Tor nodes/efficient broadband is
the real problem.

~~~
vbuterin
Speed of light says 3-5 hops will always be a bad thing and there's nothing we
can do about it.

------
Edvik
This is the exact way in which metadata, in the age of computer analysis, is
just as important as the data itself. With a computer looking for patterns,
it's possible to sift through billions of pieces of data to single out someone
trying to hide in the noise.

------
conductor
One solution (if you really need to communicate using a mobile phone) is to
drive (better with public transport or in taxi) with the phone (turned off, no
battery) to some random location, with no CCTVs around, turn it on at
predefined time, wait for contact, turn it off, remove the battery, go home.
The phone must be clean (not used before with other SIM cards that can be
linked to you) and the SIM card must be clean (not used with other phones that
can be linked to you). And you should change the phone (or at least its IMEI,
but better change the phone, changing the IMEIs is illegal in most countries)
and the SIM card regularly.

Edit:

Or better use the internet for communications, cryptography and steganography
are working.

~~~
eksith
All invalidated by corroborating the times with the call log where you were
_not_ present.

Your edit is a better option in that regard, but as long as online is blended
in some way with offline, anonymity is impossible... which is why I don't even
bother for the most part.

~~~
userulluipeste
If you don't have much of a presence (either social or on-line) to begin with,
like being a reserved person, there isn't much data to be corroborated with in
the first place.

~~~
eksith
True. But then again, you don't need that much anyway. I doubt they scanned
his entire email archive at least first. Just the fact of including his real
email and that one post on SO seemed to have been enough to establish probable
cause.

His social interactions could have only been directly traced to 2-3 posts
outside of Tor at most. What really did him in are the pseudonyms and
similarity of preferences picked up from those few instances. So really, _any_
online/social presence is a liability if it's contaminated with something
about you offline.

------
knodi
If I run a tor node on my home network would that raise viable defense of
claim that the traffic originating from network was/could possibly not be my
own?

~~~
gwern
Yes. One of the investigative tools is correlating presence of a nick online
with Tor activity from a suspect. IIRC, they did this on an Anonymous they
were tracking a few years ago: watched his physical Internet connection, and
observed that the traffic matched his IRC nick's presences.

~~~
pygy_
To counter this kind of attack, you'd need to proxy through tor to a server,
which would also connect to the rest of world through tor.

You would then create a script on a local machine (say, a Raspberry Pi) that
simulates traffic to the proxy while you're not active.

~~~
AnIrishDuck
Traffic analysis is still possible under this scenario. It's only marginally
harder.

How would your magic traffic generator work? Randomly send a packet every
minute? Not good enough, it'd be very easy to detect increased activity, which
would be correlated to actual usage of the Tor network.

The best you could do is create some kind of Tor gateway that buffers packets.
This gateway would always send n packets / minute through Tor in some
programmatic pattern isolated from any packet input. If n real packets aren't
available, send fake packets in their place. This is further complicated by
length analysis; you would need some way to limit the length of real outgoing
packets (probably via MTU) and their data so length is indistinguishable from
the fakes.

You should also avoid any sort of wireless connection to this gateway, as
snoopers could detect this traffic from outside your residence and again break
this scheme. And the whole scheme still falls apart if your adversary is
willing / capable of entering your residence. Needless to say, many nation-
state level adversaries are completely comfortable doing this.

~~~
pygy_
_> If n real packets aren't available, send fake packets in their place._

That's what I had in mind, but with a smarter gateway, that analyses your
traffic and uses a Markov chain to time bogus packets when you're AFK,
statistically similar to what you produce. Better still drown your real
traffic in a larger stream of bogus packets.

Sending packets like clockwork is a good way to raise flags at the ISP level
(beside using Tor).

The remote proxy should probably be a Tor service, like Silk road was.

------
joe_the_user
The methods supposedly used by the CIA here seem terrible for the reasons
mentioned (especially always meeting at the same pizza place).

My knowledge of intelligence comes mostly from old movies but it still _feels_
like I could have thought of something better.

My _guess_ is the methods were really simple just to keep people from screwing
it up, that the thing about complicated methods is that they fall apart from
people forgetting all the complicated schemes and so they're worse than simple
methods (sometimes). But that's just a guess, anyone know?

------
theboywho
I think this is not exactly about anonymity and the title is a little bit
misleading. The title should be "Hiding secret activities is hard", as
anonymity also applies to cases where you have nothing to hide.

~~~
morley
You seem overly concerned with adding your political feelings to the concept
of anonymity. One definition of anonymity is "lacking individuality, unique
character, or distinction," which is what spies attempt to do when they
practice tradecraft. This article is about how difficult it was to do that.

While I do think the title lacks specificity to the topic, I don't think it's
incorrect or misleading.

~~~
theboywho
> You seem overly concerned with adding your political feelings to the concept
> of anonymity.

What makes you think those are "political" "feelings"?

> While I do think the title lacks specificity to the topic, I don't think
> it's incorrect or misleading.

I just changed my mind and I think the same thing as you do.

~~~
grugq
As it states in the opening paragraph, the post prompted as a response to this
blog post: [http://blog.cryptographyengineering.com/2013/03/here-come-
en...](http://blog.cryptographyengineering.com/2013/03/here-come-encryption-
apps.html)

> It seems like these days I can't eat breakfast without reading about some
> new encryption app that will (supposedly) revolutionize our communications
> -- while making tyrannical regimes fall like cheap confetti.

The point that my post was driving at is that simply having a great usable and
secure encrypted chat application is meaningless in the face of a nation state
adversary. The resources that they have available, and the approach that they
take to unmasking people is not dependant on being able to read the content of
their messages _.

Using "Super Crypto Chat 5000" to protect your message content doesn't buy you
anything if you're the only person using it, and you have access to
information that would place you in a pool of suspects.

As we're now seeing with the Snowden documents, this is exactly how the
national security forces see encrypted messages. They pay more attention to
them, and they look at who is sending them to whom.

Finally, while a more accurate title might be "Clandestine Operative
Tradecraft is Complex and Error Prone in the Face of Nation State Level
Adversaries" that isn't really pithy.

_ of course they want to read the messages and it helps them tremendously,
that isn't necessary for them to be effective as a security force.

~~~
omohgq
Just wanted to take the time to ask: If you want anglophones to read up on
operational security, and perhaps adhere to such tenets as prescribed in your
articles, why are all of your sites plaintext and not secure?

Another tidbit is that they mostly seem to be listed under a subdomain of your
namesake, meaning that a person perusing your blogs would still reveal that
they were reading your work, even over a secure connection, since the
subdomain is communicated in plaintext to resolve the dns lookup.

When writing about paranoia at the nation state scale, these details become
important, because you're ostensibly educating english-speaking users on the
black art of skull duggery.

A subdomain is a good way to ups fame, but it would be slightly better to
engage in forbidden discussions of this sort, with a free blog platform that
offers HTTPS service, and urls identified by solely the /uri?query=string,
with respect to the domain, since the non-domain portion of the URL is wrapped
in SSL's encryption.

;) ...otherwise, maybe some nation state now has a list of readers borrowing
subversive literature from the public library, no? And so many of them showing
ycombinator as their referrer! What a seedy little hotbed of intelligencia!

------
j_s
Encryption isn't enough!

\- _an interesting lesson in [...] real world counterintelligence_

\- _they were looking for [...] the exact usage pattern [...] for a mobile
that is used exclusively for a handler to contact an agent_

\- _privacy of communication content [...] is not sufficient to protect
against even minimal monitoring_

~~~
smacktoward
It's actually worse than that. It's not just that encryption isn't enough,
it's that encryption can be _worse than no encryption_ , since using
encryption marks you out as someone who's different than the vast majority of
users on the network. In a world where normal people are happy to sling
everything around in the clear, a person using any encryption at all flags
themselves as potentially suspicious. (Not suspicious enough by itself to give
a Western law enforcement agency what it needs to make a case against you --
but more than enough to convince less scrupulous actors like intelligence
agencies that you're a person deserving of a hard, hard look.)

Moreover, the more sophisticated the encryption you use, the more you set
yourself apart from the crowd, further increasing your vulnerability.

~~~
mahyarm
This is why we want to make it standard for the world over. If everyone uses
OTR chat clients, you using OTR chat clients doesn't stand out. If the
corporate world uses VPN, then VPN traffic doesn't stand out. If %70 of the
internet is always under SSL, then you using another SSL website or email
server does not stand out. If %10 of the country uses TOR to look at porn or
whatever else in your country because you restrict it with your countries'
firewall, then TOR doesn't stand out.

------
mkup
_The adversary, Hezbollah, used access to the telephone company logs (they
have those), and searched for atypical mobile phone usage patterns._

Very important observation for advocates of two-factor authentication:
cellular network and SMS services in some parts of the world are not
trustworthy. It's much better to use single strong password versus weak
password + numeric codes delivered by SMS which can be monitored/changed on
the fly by an adversary.

~~~
EGreg
What the CIA should have done is have phones which impersonate actual,
"normal" phones when necessary and send messages which resemble normal
messages. Not "PIZZA!" but whatever the local people send, e.g. "miss u".
There could be a challenge-response that is not deterministic, e.g. "are we
still on for tomorrow?" "looking forward to it" and then some normal sounding
conversation (of course, tomorrow wouldn't be the day they would meet).

The key is to impersonate enough phones (tunneling over a trusted subset of
the network) or use a network that won't identify the endpoints. The former is
much easier.

~~~
mkup
They could even transfer usual "miss u"-alike stuff over SMS, and encode
actual message in the time delays.

~~~
EGreg
Great point! Anyway they don't even have to use SMS. Anonymity is easy:
[http://pastie.org/private/fkbu4qpsvwcwiocrdeang](http://pastie.org/private/fkbu4qpsvwcwiocrdeang)

Would you know who wrote it if I didn't link to it?

~~~
grugq
If you wrote and posted it from inside Lebanon, then Hezbollah would know.
Nationstate adversaries are very powerful beasts.

~~~
sigkill
What if you had a friend or family outside, and you used teamviewer or
equivalent on their computer?

------
ballard
Suppose to ensure anonymity, let's call a hypothetical anonymous, encrypted
mixnet overlay service : Cone of Silence.

CoS has two types of N nodes: relays R and clients C (Csrc wants to send
packets to Cdst).

Every nodes, N, talks to each other at constant rate B. Directional asymmetric
rates are allowed. If there is nothing to send, a packet containing the output
of a CSPRNG must be sent to meet B, which will be dropped by the other node.
Every link in each direction maintains B.

C must use at least 1 node to talk to each other. Direct C-C traffic and
network loops are expressly forbidden.

C must agree to encrypt the contents of their opaque application payload, P,
amongst themselves.

R informs Csrc of the list keys (k0, k1, .. kn) to recursively encrypt P with,
resulting in payload to send, M = E(kn,..E(k1,E(k0,P))).

Keys must never be reused except given the same Csrc to Cdest, but only for a
maximum time and number of bytes.

M is decrypted by each node and forwarded on to the neighbor if it is a valid
packet.

N must _never_ know the complete path a beyond the neighbor node with which to
send a packet and the specified path nodes.

N must be assumed to be hostile.

\--

The reason for russian dolls encryption per link is to prevent correlation
analysis.

Lots of unanswered Q's:

\- Node discovery / reachability

\- Node impersonation (remember tcp connection hijacking?)

\- Hostile nodes (relays and clients), especially hostile relays that prefer
to connect to each other. Perhaps clients (Csrc and Cdest) each specify a
small # of nodes that a path must traverse. Periodically check with each
specified node with a challenge to verify path integrity? (There must be a
better way to ensure path integrity using crypto without backchannels to
specified nodes.)

\- (D|)DoS - limits for all operations. Exponential backoff.

\- Crypto specifics, key scheduling, rotation, minimum&maximum rekey rate.

\- Packet particulars (packet size tradeoff: overhead vs. latency),
transport/s (TCP sounds easiest), reconnection.

\- Multipath? Just say no (at least initially).

\- How is this better than tor? (Statistical analysis may prove if a host
belongs to CoS, but not to whom. Tor may not be sufficiently mixed under
"capture everything".)

\- Node identifier? 384-bits is plenty.

------
jsnk
I am the creator of Dmtri.com. It's a place where you can share thoughts
anonymously whether you are signed up or not. Even when you sign up you have a
choice to write anonymously to keep track of your writing.

Anonymity online is really important to me and I want to learn more about how
to achieve that. As a rule of thumb, I use Tor when I browse. What other
things can people do to hide their trace online?

~~~
grugq
Start with this piece "observations on OPSEC"
[http://grugq.tumblr.com/post/61960027685/observations-on-
ops...](http://grugq.tumblr.com/post/61960027685/observations-on-opsec) which
sets out some broad outlines of what is involved.

~~~
jsnk
Thanks for the link. Definitely will be reading that.

------
kbart
I see the only lesson here: NEVER use cell phones for activities that you want
to keep secret. They are known to be easily trackable and heavily backdored.
Linux netbook (single-use&destroy for extra credits) with TOR + encrypted mail
or IM on public WiFi networks would be much more secure and not so impractical
on such high stakes.

------
sciguy77
Why didn't they use satellite phones? Seems like that would bypass the whole
phone logs issue.

~~~
smacktoward
My guess would be deniability. If the Bad Guys come search your house and you
have a mobile phone sitting in a drawer, that in itself isn't incriminating,
because lots of people have mobile phones sitting in drawers. Very few people
have satphones sitting in drawers, though, so possessing one would be
anomalous -- which raises suspicions in the same way that having a mobile
phone that never moves and only infrequently turns on does.

------
gwright
This is an example of a very old tactic, traffic analysis.

------
peterwwillis
Organized criminals seem a lot better at keeping their operations and methods
hidden than the CIA. Perhaps the CIA should do some case studies?

------
EGreg
Let's be clear here.

Anonymity can be maintained even if the pattern of communication is not
"normal". What you need for anonymity is for the parts of the system(s) you
interact with to not identify you. This certainly should apply to the nodes
you interact with directly, so they should be under your control (e.g. the
user-agent software, the computer you use, the facility the computer is
located in, etc.) Further out, the system components have to not have a
centralized ID of the endpoints. Cellphone networks DO have a centralized hub,
namely the cellphone company. The key to anonymity is to make sure that none
of the parts of the system can identify you, either because they don't require
a centralized ID, or because the ID provider / facility / computer you used to
access the system is unwilling or unable to identify you.

The way that governments and other organizations combat anonymity is by
requiring various systems to identify other parts of the system (e.g.
cellphones) with unique identifiers before letting them use that system. There
are only two ways to defeat this:

1) Create a fake user-agent, to impersonate existing identifier(s), or

2) Circumvent the requirement to identify oneself.

The first one will put individuals you impersonate at risk, but it is likely
they'll be let go and not subjected to "rubberhose cryptanalysis". The second
one will eventually attract the attention of the governments. If they can set
things up in such a way that systems (e.g. Lavabit) that refuse to identify
individuals are somehow punished, their license to operate revoked, etc. then
this should prove a deterrent to anonymity.

In the real world there are plenty of systems in the world who do not care
about who is sending the data through the wires (net neutrality is related).
Some of them are tunneled over other systems. Tor is an example, Freenet is
another. They use primarily legitimate, identified accounts (e.g. someone in
their home using an ISP) to transmit this tunneled information, sometimes over
a protocol that is indistinguishable from TLS. As long as things like SSL and
TLS are allowed, this will be possible.

As long as such a system is distributed enough that it doesn't have a central
way to shut it down, it will be infeasible for governments to intimidate
enough operators of the system into shutting it down. These are the ways to
have true anonymity. PerfectDark and Freenet are used in countries with
oppressive governments.

Note that you can have a consistent identity and still be anonymous! This can
be great for reputations, e.g. of app developers, app stores, antivirus
companies and reviewers of software. I have written a lot more on the subject
here:

[http://magarshak.com/blog/?p=114](http://magarshak.com/blog/?p=114)

What the article describes is that steganography is hard. Acting in the real
world while avoiding suspicion of a government with access to many systems
(telephone systems, etc.) is hard. Which is probably a good thing. Terrorism
is a problem of technology. 300 years ago it was nearly impossible for a few
guys to kill thousands -- they'd be apprehended and stopped first. Today,
there is more and more technology that empowers individuals to kill may
people. This goes back to the machine-gun debate, but basically as
capabilities grow (3d printers printing guns, for instance) so does the
surveillance. Sadly the surveillance isn't going away, because the technology
for both is only increasing.

~~~
grugq
Actually the problem goes beyond this. The adversary (Hezbollah in this case)
correlated anomalous data (the weird mobile phone behavior) with information
about people inside their organisation who had access to sensitive
information. They could say "this apartment complex has a static mobile phone"
and also "this same apartment complex is where the regional director of
operations lives". This correlation is what allowed them to then place
surveillance on the suspect and eventually they were able to unravel the whole
spy ring (due to other tradecraft errors).

To be anonymous online is extremely difficult. It requires a huge change in
lifestyle. Here is one example of a CIA operative explaining how difficult it
would be: [http://blogsofwar.com/2013/08/06/tor-and-the-illusion-of-
ano...](http://blogsofwar.com/2013/08/06/tor-and-the-illusion-of-anonymity/)

Here is some technology that I put together to make it easier to avoid
mistakes: [http://grugq.github.io/blog/2013/10/05/thru-a-portal-
darkly/](http://grugq.github.io/blog/2013/10/05/thru-a-portal-darkly/)

Here is why you are probably wrong about your techniques for avoiding
detection. Essentially, we don't know what the capabilities of the adversary
are, and therefore we can't develop effective countermeasures. We can
postulate, and guess, but we can't know if our countermeasures are successful
until they fail catastrophically. [http://grugq.github.io/blog/2013/06/14/you-
cant-get-there-fr...](http://grugq.github.io/blog/2013/06/14/you-cant-get-
there-from-here/)

Here is how one can begin to unlink and operate anonymously, however it is not
a viable long term proposition and few people can maintain the discipline to
do this for extended periods of time.
[http://grugq.github.io/blog/2013/06/13/ignorance-is-
strength...](http://grugq.github.io/blog/2013/06/13/ignorance-is-strength/)

The article does not talk about steganography. It talks about how in the real
world real adversaries use real data to find real people who made real
mistakes and really kill them. The problem was that the CIA case officer was
lazy (or incompetent) and reused the same meeting places; the agents inside
Hezbollah were contacted in a way that attracted attention, although it likely
seemed very low profile at the time it was adopted; and, Hezbollah was able to
use this signal "something weird is happening at this location" to narrow the
list of suspects that they had to surveil for counterespionage.

~~~
EGreg
It is not difficult to be anonymous online:

[http://pastie.org/private/fkbu4qpsvwcwiocrdeang](http://pastie.org/private/fkbu4qpsvwcwiocrdeang)

That could have been a coded message using a one-time pad. The encryption
doesn't have to be super complex. If I didn't link to it, how would you know
who posted it?

You'd have to track down pastie.org, or its ISP and see who posted this
message around the time it was posted. Then you'd have to track down the IP
that originated the message, and then talk to my ISP about who owns that IP.
Even assuming everyone cooperated with you, I could have went to a library and
sent it from there. If they took some form of ID I could have faked the ID.
Then you'd have to obtain video footage from the library of who used the
computer.

But you'd get stuck at the first stage - it's unlikely pastie.org keeps track
of who's posting. It's a case of #2.

Tor is much less resilient than Freenet because it's A) susceptible to traffic
pattern analysis, and B) because each resource has a single point of failure -
its host.

~~~
grugq
You're missing the "nation state level adversary" component. I personally, do
not know your mobile phone number or the last cell tower that it associated
with. But I am not your adversary. A nation state level adversary ipso facto
has access to that information.

I suggest that you read the links I have posted and the articles I've written,
both on [http://grugq.tumblr.com](http://grugq.tumblr.com) and
[http://grugq.github.io](http://grugq.github.io) ... there is a lot of
information there about how to operate clandestinely.

~~~
EGreg
I took a look at the links you provided. There's some interesting stuff in
there. I note, however, that the downfall of guys like Ulbricht involved
things like:

1) Single point of failure. This is also related to increased susceptibility
to network analysis. Even if the CIA "can't deanonymize everyone all the time"
they can deanonymize a given host of a given network, by analyzing traffic
patterns, placing proxies in the way or backdooring the nodes in the network,
etc.

2) Recording. As you say, he got serious about his security "too late". In an
age where tons of stuff you do online can be recorded and found when needed,
you have to protect your anonymity from day 1.

What I am claiming is that it's possible to BEGIN an alternate identity by
leveraging techniques #1 and #2. #1 is what you can do with freenet or
perfectdark - basically, distributed DHTs which DO NOT record the originator
of a file. While it's true that a given freenode network can be compromised by
backdooring enough nodes, that is much harder to do than with Tor. And #2 is
what you can do with services like pastie and others who simply DO NOT have
the capability in place to record who posted a message. As governments go
after people, they will attempt to intimidate #2 type services.

Either way there can be databases listing the confidence that a given system
does NOT record a particular identifier such as an IP address. The ones that
score high can be used directly. The ones that score low must unfortunately be
used via commandeered accounts and the steganography would proceed that way.

If there were truly no networks that the agents could trust, the agents could
have aggressively employed steganography - they should have basically
commandeered some email addresses in the country
([http://xkcd.com/792/](http://xkcd.com/792/)) and then tunneled messages
through a number of different channels, including the text, the timing of the
messages, the order of the messages, etc.

There's tons of ways to do this without falling prey to being doxed. However,
once even the smallest bit is revealed (e.g. your literary writing style is
identified) the whole thing can unravel IN THEORY.

------
avty
It's a startup opportunity.

