
'Tor Stinks' presentation – read the full document - RMacy
http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document
======
bernarpa
Today's full Tor coverage by the Guardian is:

(Greenwald's article) [http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack...](http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption)

(Schneier's article) [http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa...](http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity)

(Leaked doc #1) [http://www.theguardian.com/world/interactive/2013/oct/04/tor...](http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document)

(Leaked doc #2) [http://www.theguardian.com/world/interactive/2013/oct/04/ego...](http://www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document)

(Leaked doc #3) [http://www.theguardian.com/world/interactive/2013/oct/04/tor...](http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity)

~~~
selmnoo
A lot of these articles use abstruse acronyms. Is there perhaps a place where
they're all compiled with their explanations?

For instance, what is (U)? Or (S), (SI), and (REL)?

~~~
AYBABTME
Yes, such as "EPICFAIL".

------
fein
Page 5: "Terrorist with Tor client installed"

And it's a picture of a guy with a bandit mask and an AK-47. I don't know about
you guys, but all my Tor activities are performed in my Halloween costume!

I honestly can't believe something this tacky would end up in a presentation.
Is this supposed to be propaganda?

~~~
balabaster
and a beard... like terrorists can be stereotyped like that. This is more than
just propaganda, this is the mentality of the type of people who put these
presentations together. The fact that whoever wrote this presentation has
profiled people like this. I would wager that 99% of online "terrorists" are
sitting around in jeans and t-shirts, on safe soil, have probably never
handled a gun, let alone an AK-47 (or whatever that is on his back), probably
don't have a beard. The ones financing them probably spend their life wearing
a suit and tie and are either driving a top of the line vehicle or are driven
everywhere in a top of the line vehicle.

If you look at the world around us and review the history of terrorism, most
of it's been funded behind the scenes by one of the major superpowers, and you
can't overlook the fact that a large portion of this has been backed by the
US. It's funny how when the US wants a government toppled, the terrorists are
"friendly" and funded and armed by the US government, but when they're counter
to US interests, they're suddenly part of the axis of evil and must be
destroyed...

Perhaps if they stopped funding this ignorant behaviour and stopped supplying
munitions to these terrorist interests, the problem would eventually go
away... spend more on education and tolerance towards all points of view,
enlightenment, the world would become a more peaceful place.

When will "democratic" governments eventually realize that money and greed is
not the best approach to furthering the human experience on this planet.

Sorry, didn't mean to get off on a rant there, but that one picture triggered
a bit of annoyance.

~~~
JackFr
And banks don't actually keep money in big cloth bags with dollar signs on
them. It's just clip art, and to say that it speaks to the mindset of a type
of people you probably don't really know much about. I would hasten to say
that your stereotypes are probably no more grounded in reality than those of
the straw men you're attacking.

>"If you look at the world around us and review the history of terrorism, most
of it's been funded behind the scenes by one of the major superpowers, and you
can't overlook the fact that a large portion of this has been backed by the
US."

While this assertion is not completely baseless, it's simply not correct, but
is the kind of empty-headed moral equivalence that gets tossed around to
unanimous approval among a certain class who consider it a shibboleth of
sophistication.

To wit, in the history of terrorism, we see the Irish Republican Army, The
Tamil Tigers, the Red Brigade, the Weather Underground, FALN, Baader Meinhof
group, the Symbionese Liberation Army, the current Chechen groups, the Hindu
and Muslim groups prior to the formation of Pakistan, and frankly many more --
all without super power support. While some national actors have stepped up to
support terror groups, superpower, or even great power support has been the
exception rather than the rule.

During the cold war, the USSR, the US and China fought a number of proxy wars,
and supported opposition groups in various national civil wars, mostly in
Asia, Africa and Central America. Additionally, the CIA engaged in specific
assassinations of political leaders largely in Latin America but not really
what anyone would consider terrorism by the current definition. Your
statement that a large portion of terrorism has been backed by the United
States would require expansive definitions of 'large portion', 'terrorism' or
'backed' to be true.

~~~
foobarqux
No, it requires the United States' own definition of terrorism to be applied
to the US.

Drone strikes in Pakistan alone have killed thousands of civilians.

Many of the opposition groups you mentioned were backed by the US knowing that
they committed and intended to commit terrorism and other war crimes.

~~~
foobarqux
A more detailed argument is here

[http://www.washingtonsblog.com/2012/08/is-america-the-worlds...](http://www.washingtonsblog.com/2012/08/is-america-the-worlds-largest-sponsor-of-terrorism.html)

------
debacle
This should provide clear warning to anyone who might consider themselves a
cypherpunk: Even if you don't think that you are at war with the US
government, the US government (and likely most other governments) believes it
is at war with you.

It sounds dramatic because it is.

~~~
balabaster
It's all part of the theatre and propaganda. Make the weak minded believe that
everyone's the boogeyman. At least people on the internet can think critically
and say "Er, this doesn't sound right"

------
balabaster
When will everyone get off the bandwagon of referring to anyone that's willing
to actually stand for their beliefs counter to U.S. interests as a terrorist?
It's gotten to the point where the word terrorist just makes me roll my eyes
and say "whatever", I'm becoming desensitized to it, just like most of the UK
did growing up in England during the height of IRA campaigns. After a while,
it just became a tedious pain in the ass and everyone switched off.

------
rdl
General conclusion from all of the published leaks is that GCHQ punches (in
technical capability and general quality of work) way above its weight class
(funding and presumed staffing levels); they also seem much more willing than
NSA to be completely unbound by any idea of domestic user privacy. Which is
fitting for a country with the number of CCTV cameras they have.

~~~
BgSpnnrs
Although, in effect I think you are right about GCHQ, that whole CCTV thing is
pretty much a myth founded in a deeply flawed study focussed on a street in
Central London. 90% of CCTV is privately owned, and if you step out of the
metropolis CCTV is no more abundant than anywhere else. I suggest you stop
using that argument with regard to the UK as it undermines your absolutely
valid post.

------
GeorgeOrr
They actually saw it as their job to make the experience of anyone using Tor
difficult.

Isn't that kind of like the police deciding to make the roads full of potholes
because that would make it more difficult for bank robbers to get away in a
car?

Then again, considering the quality of the roads these days, maybe they are
way ahead of me on that.

~~~
revelation
They are doing this all the time. They are buying exploits and keeping them
locked up, they actively backdoor software and hardware.

Basic statistics tells us it is pure insanity to compromise our security for
the noise that is "international terror".

------
henryaj
Depressingly, the document talks about plans to make Tor less reliable to
dissuade people from using it:

> Could we set up a lot of really slow Tor nodes ... to degrade the quality of
> the network?
>
> Given CNE access to a web server make it painful for Tor users?

At least the document seems to confirm that GCHQ has a really, _really_ hard
time de-anonymising Tor users.

~~~
haakon
I'm pretty sure Tor does smart peer profiling/selection to optimize for
throughput. Lots of people run Tor relays on their silly little home DSLs and
Tor still works.

~~~
eterm
Which is why the slide also talks about reporting as if being a high
throughput node. i.e. Report back that you're handling a lot of traffic
quickly while handling traffic very badly. Does Tor have protection against a
node doing that?

~~~
plorg
I'm pretty sure Tor profiles against this as well. There's a presentation
somewhere on YouTube addressing just this problem.

------
devx
Why are these latest NSA stories getting flagged so much?

I don't like that PG has relaxed the flagging so much. You can probably flag
even tens of stories a day now without having your flagging removed.

~~~
captainmuon
I wonder, if you flag too much, do you get a 'querulant' flag yourself that
makes the site ignore your flags? :-D

I would totally implement something like that if I were PG. Seems to fit the
mindset of HN, as it also uses hellbans.

~~~
aw3c2
Nope, the flag link disappears when you flag "badly".

------
tlarkworthy
That's a ringing endorsement for Tor. It really works! They struggle to get
info out of it.

------
sybhn
Doesn't look like a very ethical/professional presentation. But then again,
who said everyone's professional in all agencies. It's a conjecture to think
our laws are systematically enforced by ethical folks.

------
andrelaszlo
[http://s3.documentcloud.org/documents/801434/doc2.pdf](http://s3.documentcloud.org/documents/801434/doc2.pdf)

------
Ogre
Of course, if they actually have a really easy time de-anonymizing users, they
might "leak" a document like this to encourage people to keep using it.

Conspiracy theories are fun!

~~~
captainmuon
If I had a few million dollars to run compromised Tor nodes, and the ability
to subpoena (and gag order) any Tor node operator in USA, UK and a couple of
other major countries to give me their keys, I would be able to easily
de-anonymize a large portion of the network.

~~~
kansface
It is commonly assumed that the NSA/CIA run a substantial portion of the exit
nodes. Moreover, they are a global adversary (one Tor is not designed to
defeat).

------
ianstallings
Does anyone know what the QUANTUM attack they refer to is? It doesn't seem
like quantum computing on the face of it; it looks like it may be a system
used to disrupt traffic on the internet, possibly man in the middle attacks.

Edit: I found a reference to something called a "Quantum Insert" in an article
related to GCHQ. They state the following:

_According to the slides in the GCHQ presentation, the attack was directed at
several Belgacom employees and involved the planting of a highly developed
attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a
method with which the person being targeted, without their knowledge, is
redirected to websites that then plant malware on their computers that can
then manipulate them._

[http://www.spiegel.de/international/europe/british-spy-agenc...](http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html)

This might be what they are referring to, or a system that was built for
targeting specific individuals.

~~~
berberous
"To trick targets into visiting a FoxAcid server, the NSA relies on its secret
partnerships with US telecoms companies. As part of the Turmoil system, the
NSA places secret servers, codenamed Quantum, at key places on the internet
backbone. This placement ensures that they can react faster than other
websites can. By exploiting that speed difference, these servers can
impersonate a visited website to the target before the legitimate website can
respond, thereby tricking the target's browser to visit a Foxacid server.

In the academic literature, these are called "man-on-the-middle" attacks, and
have been known to the commercial and academic security communities. More
specifically, they are examples of "man-on-the-side" attacks."

Read more here: www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity
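As an added defender-side illustration of the race the quoted passage describes (example code, not from the thread, the Guardian or the Tor project): an on-path injector can only add a reply, not suppress the genuine one, so the client eventually sees two TCP segments at the same sequence position with different bytes. The detector below flags exactly that over constructed packet records; the addresses, hostnames and TTL values are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed TCP segment record (not a real capture format); only the
# fields the detector needs are modelled.
@dataclass(frozen=True)
class Segment:
    ts: float       # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as received; reported as a secondary signal only
    payload: bytes

FlowKey = Tuple[str, int, str, int, int]

def find_injection_races(segments: List[Segment], window: float = 1.0
                         ) -> List[Tuple[Segment, Segment]]:
    """Return (first, later) pairs of segments in the same flow that carry the
    same sequence number but different payloads within `window` seconds.
    Retransmissions repeat bytes already seen for that position and are
    deliberately not reported."""
    seen: Dict[FlowKey, List[Segment]] = {}
    races: List[Tuple[Segment, Segment]] = []
    for seg in sorted(segments, key=lambda s: s.ts):
        key: FlowKey = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        variants = seen.setdefault(key, [])
        if any(v.payload == seg.payload for v in variants):
            continue  # same bytes as an earlier segment: a plain retransmission
        if variants and seg.ts - variants[0].ts <= window:
            races.append((variants[0], seg))  # conflicting bytes, same position
        variants.append(seg)
    return races

def describe(race: Tuple[Segment, Segment]) -> str:
    """One-line summary: which reply won the race, by how much, and the TTLs."""
    first, later = race
    lead_ms = (later.ts - first.ts) * 1000
    return (f"{first.src}:{first.sport} -> {first.dst}:{first.dport} seq={first.seq}: "
            f"first reply ttl={first.ttl} {first.payload[:20]!r} led the conflicting "
            f"reply ttl={later.ttl} by {lead_ms:.0f} ms")

# Constructed sample: a client (10.0.0.5) fetches a page from 203.0.113.10.
# The reply at t=0.012 is the forged redirect; the genuine 200 arrives at
# t=0.090 for the same sequence number. The copy at t=0.400 is an ordinary
# retransmission of the genuine reply and must not be flagged.
SAMPLE = [
    Segment(0.000, "10.0.0.5", 40000, "203.0.113.10", 80, 500, 64,
            b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    Segment(0.012, "203.0.113.10", 80, "10.0.0.5", 40000, 1000, 56,
            b"HTTP/1.1 302 Found\r\nLocation: http://injected.invalid/\r\n\r\n"),
    Segment(0.090, "203.0.113.10", 80, "10.0.0.5", 40000, 1000, 49,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(0.400, "203.0.113.10", 80, "10.0.0.5", 40000, 1000, 49,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]

if __name__ == "__main__":
    for race in find_injection_races(SAMPLE):
        print(describe(race))
```

A differing TTL on the two replies is a second hint that they came from different hops, which is why it is carried in the summary.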

~~~
rdl
Can we translate that to something sane? Is it "shorter BGP/more specific
route announcement?" Or some kind of MITM by being directly in line? Assuming
it is TCP traffic, just being "faster to respond" doesn't help all that much
without some other logic.

If I were MITMing with full cooperation of only a subset of a network carrier,
I'd probably go for some route announcement tricks; easier to interface with
the rest of the organization, and due to lack of filtering internally, not
much config change required. Would fail safely (== non-detectably), also, and
could potentially be explained away as "oh, shit, some stupid ISP leaked
routes".

(I guess you could give bad dns responses, too, and then go from there, but
that sounds more detectable at the end user device, which is very
undesirable.)

------
umanwizard
How do we know this wasn't just a trick to make people think tor is safe and
keep using it?

~~~
captainmuon
Pretty sure it is. If you need serious anonymity, like if your life depends on
it, get a botnet and use the trojaned PCs as proxies. Use public WiFi, and use
cheap laptops that you replace regularly and/or VMs, and don't forget to fake
your MAC address. Create multiple fake personas to confuse attackers. Have
stuff you write rephrased by someone else, so they can't do a corpus analysis
on your writings. Do as much offline as possible. If you have to transfer
information, avoid the internet. Use dedicated lines, dialup, dead drops, etc.
etc.

I'm so glad I have nothing to hide.

------
gwu78
From the Schneier article:

"The good news is they [NSA] went for a browser exploit..." - Roger
Dingledine, President of Tor project

It seems there are assumptions among parties that employ "browser exploits"
against unsuspecting users that the persons targeted will be using "modern",
complex, Javascript-enabled, graphical browsers, and that they'll use these
browsers to retrieve content from the network and to view that content on
machines with writeable permanent storage that can connect to the network. Am
I misreading all these tales of browser exploitation?

Can these parties accommodate reboots from read-only media, text-only browsers,
write-protected storage and offline viewing of content?

Maybe the problem isn't so much with Tor as with the popular browsers and
their gratuitous complexity.

------
jawr
The slides were from over a year ago, I'm sure a lot has changed since then.
Also the timing of this is very suspect, obviously it's been in the news and
the Guardian either want to run with this new line brought on by the Silk Road
"bust", or they just want to "soothe" (take as you will) our worries with the
network.

Would also love to know more about NEWTONS CRADLE, anyone heard of anything
more specific?

------
processing
[http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...](http://webcache.googleusercontent.com/search?q=cache%3Ahttp%3A%2F%2Fcache.nevkontakte.com%2Fproxy.html#go=http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document)

------
tinfoilman
Some nice recommendations tho for usage.

ORBOT / Tor Router Project / Hide-my-ip-address / Tor Project and the bootable
OS Tails.

Some of the more advanced Obfuscation for the tor project

Skype Morph - Hides Tor traffic in Skype packets mmm fun and worth a look

Someone better be working on tor Obfuscation with flash packets, no one is
going to block those things.

/tinhat

------
MichaelGG
It's important to note this is from 2007 and thus things have probably changed
immensely since then.

Edit: Nevermind, it says it's sourced from a 2007 file but dated 2012.

~~~
AJ007
I think your original conclusion, 2007, is correct.

What exactly does sourced vs dated even mean?

The document states "still investigating" for multiple issues. It doesn't take
the NSA 6 years to investigate these things.

The questions are very basic, such as, browser/JS exploits, leftover cookies,
and owning the majority of nodes. That is hardly top secret, all of these were
things that were public concerns long ago.

The other alternative is they just don't care. They can still slurp down a
good portion of the incoming and outgoing email traffic. If one of wikileak's
origin stories is to be believed most Tor users have no idea how Tor works or
what they are actually doing, including government operators (with the
appropriate code name EPICFAIL on page 9.)

Going completely off topic, I had an idea earlier. Bitcoin right now is using
something around 16,000 petaflops of processing. This shows that when proper
incentives exist massive computational and network resources can be utilized
in a distributed manner.

What if a protocol existed which forced user participation or required them to
exchange a store of value to use it? For example, if a user acted as a node
(relay not exit) they mined a currency (probably inflationary.) If a user did
not act as a node, they had to pay a currency which would then be distributed
to exit node operators. The currency could be bought and sold through
exchanges rather than to a central commercial entity.

The end goal, besides having a lot more network bandwidth, would be to have so
many relay and exit nodes running it would be economically impossible for a
single entity to compromise a significant number of them.

Of course, easier said than done.

------
backwardm
After reading many of these articles about the NSA I keep wondering if they
have an office specifically tasked with thinking up code names for these
projects. I personally would find it difficult to keep them all straight—this
article, for example, contained a new one to me: ONIONBREATH.

Just an odd image in my mind of a group of top-security clearance, extremely
well trained, able-minded people who think up silly code names like these.

~~~
code_duck
Many government agencies do this - check out the names for DEA stings, or even
FDA operations.

------
balabaster
I also quite like the point "Analytics: Cookie Leakage", like anyone that uses
Tor doesn't use it in incognito mode with cookies disabled... or flushes their
cookies before they use anything else...

... that either says they're stupid, or they're only after stupid
terrorists... as if they're the ones they should really be concerned about.

~~~
debacle
I think Tor recommends surfing from a dedicated virtual machine, IIRC, which
is probably the safest way to surf, though something like Flash or Java can
still probably report the actual host IP.

------
galapago
After watching the presentation, I can think of two things to make TOR better,
from the point of view of the anonymity of its users:

* Better education on how users can browse carefully (no javascript, no plugins, updated browsers)
* More nodes.

------
yk
Somehow I find this presentation reassuring. It mainly suggests to me that
the NSA/GCHQ has to do 'honest' traffic analysis, implying that they did not
break any of the crypto primitives used in Tor.

------
conductor
So, according to these documents, NSA and GCHQ do have a few "owned" exit nodes,
but not so many, hence, they want to own more. Interestingly enough, GCHQ set
up Tor exit nodes on the AWS cloud.

------
untog
Most fascinating part - using DoubleClick ad cookies to trace Tor users.

------
pwnna
Given that it says that the NSA and the GCHQ are trying to set up Tor nodes.. is
it possible for us to identify these nodes? Some sort of trust network
perhaps?

~~~
pbhjpbhj
The document is dated 20070108, seems they'd be a lot further on with Tor now.
Also they mention using AWS to set up Tor nodes.

Was interested in the user profiling to establish from raw network traffic
which users are likely using Tor - so for example from this message.

Not sure what QFP is though?

------
aspensmonster
This is a glorious release. I'm suspecting we have Schneier to thank for the
full release of the slideshow that is mostly unredacted.

~~~
BgSpnnrs
If you follow ioerror and ggreenwald on twitter you probably have some idea of
what forced this particular cache of articles.

------
quantumpotato_
Of course it stinks. Its "only" weakness is a "global, passive adversary" +
It was built by the US Government.

------
Sami_Lehtinen
Don't we all know, that Tor is a low latency solution and therefore directly
vulnerable to statistical correlation attacks?

------
lelf
Dated: 20070108

Declassify on: 20370101

------
ffrryuu
That is a lot of our tax payer money at work...

------
ffrryuu
Freedom lover with Tor client installed.

