
N reasons why the spooks love Tribler - _wmd
https://lists.torproject.org/pipermail/tor-dev/2014-December/007999.html
======
santacluster
Tribler has a very long history of making high profile claims and never being
able to follow through with actually usable software, so I'm not really
surprised by this.

The entire project is a combination of TU Delft publicity stunt and EU
subsidies sinkhole. In 10 years of screwing around with bittorrent it hasn't
produced anything that could compete with the side projects of individual
hackers.

It's a disgraceful waste of community money.

The code may be fixable (though I doubt they even care), the project however
isn't.

~~~
praseodym
"Work on Tribler has been supported by multiple Internet research European
grants. In total we received 3,538,609 Euro in funding for our open source
security research. Roughly 10 to 15 scientists and engineers work on it
full-time." [http://www.tribler.org/about.html](http://www.tribler.org/about.html)

~~~
synctext
We are not an anti-spook project and never claimed to be. Our aim is to give
an option where there is none. We will make our warning more elaborate and
will work differently with bloggers/journalists in the future.

~~~
letstryagain
An "option" for what? Tribler seems completely useless in the light of this
article. People are even getting automated infringement notices from the MPAA!
What's the use case for Tribler?

------
tyho
Everything that could go wrong has gone wrong.

ECB mode AES? Check.

No authentication on encrypted data? Check.

RSA without blinding? Check.

Bad random number source? Check Check Check.

~~~
userbinator
_ECB mode_

I think this is the worst part, as anyone who has even the slightest bit of
knowledge about how to use block ciphers (even if it's just reading Wikipedia
articles -
[http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#...](http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_.28ECB.29)
) would know ECB is seriously weak.

~~~
lunixbochs
I believe the random number generation failures are much worse. ECB allows
detection of duplicate blocks and block shuffling/copy-paste, while poor
random number generation allows you to blindly recover entire keys and use
them to decrypt or encrypt whatever you want.

~~~
stouset
ECB with chosen-plaintext also allows you to decrypt whatever you want.

~~~
tedunangst
Details?

~~~
tptacek
It's one of our crypto challenges, and the conceptual basis for the BEAST
attack.

~~~
tedunangst
I believe I read a little too much into "decrypt anything."

~~~
tptacek
What were you thinking they meant? (Just curious.)

~~~
tedunangst
Guess and check (beast, as I understand it) requires some prior knowledge of
the data format. I was imagining something that worked against entirely random
data.

~~~
tptacek
Yes. You can do simple things to data to make the basic byte-at-a-time attack
hard to conduct. But a comparable amount of effort takes you to strong
authenticated encryption. Virtually all systems that use ECB and have
attacker-influenced plaintext are susceptible to the attack we're talking
about.
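As an added illustration of the "duplicate blocks" point in this sub-thread (not code from the thread or from Tribler): a toy Feistel block cipher built on keyed BLAKE2b stands in for AES so the example runs without third-party libraries, `repeated_blocks` is the check a reviewer can run on captured ciphertext to detect ECB-style structure leakage, and the CBC variant with a random IV shows the same plaintext with no repeats. The plaintext and key are constructed here for the demonstration.

```python
import hashlib
import os
BLOCK = 16

def _f(key, half, rnd):
    # Keyed BLAKE2b as the Feistel round function (toy cipher, illustration only).
    return hashlib.blake2b(half, key=key + bytes([rnd]), digest_size=8).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def block_encrypt(key, block):
    # 4-round balanced Feistel over 16 bytes: invertible, so it behaves as a block cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def ecb_encrypt(key, pt):
    # ECB: each block is encrypted independently, so equal plaintext blocks give
    # equal ciphertext blocks and the ciphertext leaks the plaintext's structure.
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))

def cbc_encrypt(key, pt, iv=b""):
    # CBC with a fresh random IV hides repeats; still unauthenticated, so a real
    # design would use an AEAD mode such as AES-GCM rather than stop here.
    prev = iv or os.urandom(BLOCK)
    out = [prev]
    for b in _blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct):
    # Detector: ciphertext blocks that exactly repeat an earlier block. Any repeats
    # are a strong sign of ECB (or of IV/nonce reuse in another mode).
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))

# Constructed sample: four identical 16-byte blocks followed by one different block.
PLAINTEXT = b"SAME BLOCK HERE!" * 4 + b"different block."
KEY = os.urandom(16)
```

Running `repeated_blocks` over the ECB output of the sample reports three repeated blocks, while the CBC output reports none.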

------
lunixbochs
Solid writeup. My takeaway:

The protocol and library designers

1. Appear to have not read any recent crypto literature or done even the
first few sets of the Matasano crypto challenges.

2. Implemented crypto and random number generation with complete disregard
for best practices, which include "don't implement crypto yourself" and
directly spell out things like which algorithms to use and how to get random
numbers.

------
grizzles
I got this impression too. After hearing about it (again) on HN I joined
#tribler a few days ago and asked a few questions about some of their crypto
choices.

whirm (who seems like a really nice guy) was pretty upfront that he wasn't a
cryptographer.

The tribler webpage mentions a reputation system of sorts so I asked whirm how
tribler deals with Sybil attacks and his response was "I think it was dimitra
who was working on that kind of stuff". I thought that was an unusual
response.

I hope they take this feedback as an opportunity to redesign their system from
scratch. Building a censorship free publishing system is a noble pursuit.

------
yason
The whole unspoken point of the Tribler project, as I see it, is to provide an
anonymous enough way to seed and leech BitTorrent to keep MAFIAA befuddled
until something better comes along.

Thus, the cryptography was probably never as much in focus as in projects like
Tor or Freenet which are basically designed to handle situations of life and
death. If it provides a good enough plausible deniability that you can't know
what's happening and what you're routing to whom while your IP address is
sharing blocks of a certain movie, it's probably good enough.

While the project does aim to solve a real-world problem I would much prefer
anything that's simpler than Tor or Tribler.

For example, let's say I'm seeding a blob of data, and you then download three
different blobs (including mine) and xor them together and happen to get a
video film as a result, nobody can plausibly claim that I, or any single one
of the seeders, was actually sharing that video film. I know about the "Color
of your" side of bits but xor makes things really intangible. The above scheme
would work even if the blob that I was seeding only contained purely random
data straight from /dev/urandom -- data that I simply chose to share publicly
in order to let others use it to mix and match with their blobs in order to
communicate privately.

If you're willing to sacrifice download speeds for anonymity then you would be
similarly willing to sacrifice the use of bandwidth, and the above scheme is
just 3x the bandwidth. And instead of creating a new online protocol, you
could just keep using the regular BitTorrent in the first place; only the way
you would use it would change.

~~~
synctext
Thank you for defending our work.

The media space is where society thinks; online videos need anonymous access.

Our attack model is indeed an adversary of moderate sophistication; also, our
architecture is designed to evolve over the coming years to support _offline_
sync. Really different from Tor. Sadly we did not use more disclaimers on our
website; the one on anomymity.html is too little.

Our strong point is scalability: 340 million BitTorrent users moving to Tor
would utterly break things. With Tribler it possibly might not break; it
evolved for 10 years with unbounded scalability as the key constraint and test
requirement. Anyways, we will do no publicity in 2015. Only if we solve the
incentive-to-relay problem before the Tor people do. They worked on designs
for 3 years. We have deployed prototypes for 7 years.

~~~
MichaelGG
The Tribler homepage boasts:

    Anonymity using our dedicated Tor-like network
    Search and download torrents without worries or censorship
    Anonymous downloads with strong encryption

The disclaimer is only if you click through to details on anonymity. To
pretend that you just didn't put enough disclaimers on is disingenuous. Your
site is actively encouraging users to use the software and not worry.

Can you comment on how y'all managed to ship such massive mistakes? And after
_10_ years? Even a quick read through "Practical Cryptography" would cover
those errors.

------
xeromal
Dammit. I downloaded this and was excited to make it my primary tool, but
thanks for this. I know next to nothing about cryptography and experts
weighing in help people like me avoid getting duped.

Thanks for the post OP.

~~~
mparramon
The question is, is it less secure than current offerings (Transmission,
uTorrent, qbittorrent…)?

~~~
lunixbochs
It gives a false sense of security at best. The crypto is broken at a basic
level, trivially allowing things like key recovery, denial of service, block
copy-pasting...

However, about BitTorrent crypto: `In an interview in 2007, Cohen stated "The
so-called ‘encryption’ of BitTorrent traffic isn’t really encryption, it’s
obfuscation. It provides no anonymity whatsoever, and only temporarily evades
traffic shaping.` [1]

[1]
[https://en.wikipedia.org/wiki/BitTorrent_protocol_encryption...](https://en.wikipedia.org/wiki/BitTorrent_protocol_encryption#Criticism)

------
_wmd
Would a mod care to explain why this link was demoted? I anticipated the
title correction (in this case, counter-PR to security snake oil IMHO is
warranted), but I cannot fathom any reason an uncontroversial story like this
with few comments would otherwise be demoted.

[http://i.imgur.com/1gWWJB5.png](http://i.imgur.com/1gWWJB5.png)

edit: why, that's quite magical:
[http://i.imgur.com/YuXftG9.png](http://i.imgur.com/YuXftG9.png)

------
cLeEOGPw
> For users, "don't". Cursory analysis found enough fundamental flaws, and
> secure protocol design/implementation errors that I would be reluctant to
> consider this secure, even if the known issues were fixed. It may be worth
> revisiting in several years when the designers obtain more experience, and a
> thorough third party audit of the improved code and design has been done.

Pretty good advice at this point.

------
praseodym
Related MSc thesis: "Anonymous Internet: Anonymizing peer-to-peer traffic
using applied cryptography" -
[http://repository.tudelft.nl/view/ir/uuid%3Ace3bd867-6540-42...](http://repository.tudelft.nl/view/ir/uuid%3Ace3bd867-6540-426d-87d0-348bdf78279d/)

------
doctorfoo
It's worth bearing in mind their adversary is not "spooks", but rather the
MPAA. Is the anonymity good enough to prevent the user getting nasty letters
from their ISP?

~~~
iopq
No, it's not. The anonymous downloading doesn't really work either. It's day 3
of trying to download a 50MB test file right now.

------
Sami_Lehtinen
Good comments about the details of the protocol. But I'm wondering why nobody
found anything to comment about at a higher level than the crypto? We all
know(?) that Tor and multihop data passing isn't an efficient way to implement
'anonymity' for distributed file sharing.

For that particular reason I was personally amazed that they did select Tor as
an example. Tor wastes a lot of bandwidth as well as allowing easy traffic
correlation attacks in the cases where that's generally feasible. I really
loved the Freenet and GNUnet designs, because those use really efficient
caching, partitioning and routing compared to Tor. At least in theory,
anonymous downloads could be even faster than non-anonymous downloads, due to
the improved efficiency of network resource utilization that comes from
distribution and caching. When Tor is used as the base, all these benefits are
lost and in addition there will be huge bandwidth overhead causing about 600%
slowdown.

Does anyone agree with me? I was almost sure that someone would immediately
comment on this aspect, but as far as I can see, nobody has noticed these
facts(?) yet.

------
Nutomic
What's a good resource to learn about crypto?

I'm using the java.security and javax.crypto implementations, definitely not
implementing algorithms on my own.

~~~
bostik
For a good kickstart on the topic, Applied Cryptography. (Yes yes yes, I know,
many of the technical recommendations are outdated.) It's still a damn good
primer on the field itself.

Then follow up with something like Handbook of Applied Cryptography. [0] It's
a beast.

And to top it off with something recently modern, I'd go with Cryptography
Engineering. [1] After _understanding_ the material from the earlier readings,
this book is a suitably humbling experience. There are many subtle error paths
and attack vectors in applied cryptography, and this book brings a few of them
on, one by one.

0: [http://cacr.uwaterloo.ca/hac/](http://cacr.uwaterloo.ca/hac/)
1: [https://www.schneier.com/book-ce.html](https://www.schneier.com/book-ce.html)

~~~
sillysaurus3
Tptacek said it's a bad idea to read Applied Cryptography. "Take that book
Applied Cryptography that's on your bookshelf and burn it. Do that as a
commitment to really learning crypto. But absolutely _don't_ read it. If you
don't read it, you have nothing to unlearn, so you're much better off."
Source:
[http://wiki.securityweekly.com/wiki/index.php/Episode292](http://wiki.securityweekly.com/wiki/index.php/Episode292)
time index 22:10, but the whole podcast is good.

Instead, he recommends Cryptography Engineering:
[http://www.amazon.com/Cryptography-Engineering-Principles-Pr...](http://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246)

Another way to get a primer on crypto is to do the Matasano crypto challenges:
[http://cryptopals.com/](http://cryptopals.com/)

The solutions aren't (yet?) published, but don't let that stop you. It will be
fairly obvious when you've come up with a solution that solves the challenge.
It's also an excellent way to get you really thinking about all of the
problems with crypto. And it will hopefully scare you from ever implementing
your own crypto scheme, which is always a good thing.

Make sure to do all the challenges though. They get exponentially more
difficult, but the best ones are near the end.

~~~
tptacek
This came up often enough that I wrote a blog post about it:

[http://sockpuppet.org/blog/2013/07/22/applied-practical-cryp...](http://sockpuppet.org/blog/2013/07/22/applied-practical-cryptography/)

------
rb2k_
Another example of most universities not being able to release quality
software that goes over the "basic algorithm" stage :(

------
whitehat2k9
AES in ECB mode? Oh for fuck's sake. I'm not a crypto nerd by any stretch of
the imagination and even I know ECB is bad.

------
knodi123
why on earth didn't they title this article "The Trouble With Tribler"????

------
SchizoDuckie
Ouch.

Lesson learned (again): Don't do encryption if you don't know what you're
doing.

------
synchronise
Welp, looks like it's time to rebase on I2P.

