
Windows DRM Files Used to Decloak Tor Browser Users - edgarvm
https://www.bleepingcomputer.com/news/security/windows-drm-files-used-to-decloak-tor-browser-users/
======
throwaway2016a
I only ever use Tor for security research and with the nature of my particular
work, I don't have a reason to download files but...

If I did and I cared about anonymity I would never download a file unless all
internet on my machine or VM was piped through Tor (such as using Whonix or
some dedicated security appliance). If I was using the Tor browser I wouldn't
even turn on Javascript without those protections for that matter.

On the other side of the spectrum, running Tor on Windows is insane. Almost
every flaw I have seen in Tor mostly or only affects Windows users.

------
throwaway7767
The list of file formats that can trigger the viewer to fetch a resource over
the internet is so large that it's impossible to cover them all. Unless you're
working with plain text or something you _know_ is safe, don't open files
downloaded over Tor if you're running on a standard OS (and not, say, in a
whonix workstation that's isolated from direct internet connections).

------
brudgers
Tor was developed by the US Naval Research Laboratory as a munition (that's
the strong view of cryptography and developing munitions is what NRL does).
There are a number of assumptions baked into its design. Among them is
hygiene appropriate when handling munitions in the external operating
environment.

Viewed as a munition, the fact that Tor source code was opened up more than a
decade ago but well into the post-Patriot act era suggests that its direct
value as a munition had become less significant. However, since the release
seems to have had the effect of retarding development of alternatives for some
years, this might be seen as an indirect value of Tor as a munition.

Practically speaking, Tor on its own and absent an ecosystem of serious
security hygiene, is likely to leak data to an attacker with targeted
intelligence and barely non-trivial technical means. Because relatively few
people have the will and the technical skill and the need to do all the other
things that are required to use Tor in a secure manner.

Or to put it another way, in the context of the GWOT, it seems likely to me
that Naval Research Labs only provided a free and unlimited cryptographic
munition because it could readily defeat its use by adversaries.

------
cnvogel
What's the standard way to use Tor for people who are really diligent with
their operational security?

Personally I haven't used Tor except for short casual testing. But if my
personal security would depend on the anonymity provided by Tor, I think I'd
seriously consider adding an additional layer of protection to avoid
information leaking out "to the sides".

~~~
mikegerwitz
Use Tails or Whonix which prevents leaking data outside of the Tor network.
Qubes OS makes Whonix easy/transparent (though I haven't had the pleasure of
trying out Qubes yet).

Never access files downloaded over Tor outside of those environments, and
_never_ mix identities: if you're going to be pseudonymous, don't access
files downloaded under another pseudonym or visit websites you'd access
(especially if logging in) under another. If you're going to be anonymous,
don't save the data: let it be ephemeral, which is easy in the case of Tails,
which is ephemeral by default.

Always use Tor Browser, not Tor over Foxyproxy in a vanilla Firefox or
something. Don't rely on torify on your normal setup for complete anonymity,
for reasons above.

But it depends on your threat model. I _do_ do both things in the previous
paragraph for my day-to-day stuff where my threat model involves e.g.
advertisers and other privacy-invading trackers, where I'm reading
tech-related articles or downloading videos of talks, for example. But that
involves a number of other addons as well (e.g. Privacy Badger, HTTPS
Everywhere, NoScript, uBlock Origin, self-destructing cookies, ...).

Edit: Forgot to mention:
[https://www.whonix.org/wiki/DoNot](https://www.whonix.org/wiki/DoNot)

~~~
dukeluke
It's also a good idea to assume Tor is already pwned and to follow good
opsec (burner devices, MAC address cloaking, using open/pwned wifi APs, loading
& running the OS completely from RAM, and using hard drive write blockers). True
anonymity is tough nowadays.

~~~
mikegerwitz
Tails randomizes the MAC address by default, I believe.

(Edit:
[https://tails.boum.org/contribute/design/MAC_address/](https://tails.boum.org/contribute/design/MAC_address/))

But yes, you need hardware you can trust. Burner won't be a bad idea if your
life depends on your anonymity.

~~~
chopin
Out of curiosity: Why is this necessary? Being not exactly a network expert I
would have assumed that leakage of the MAC address terminates at the next
router or switch (which eg. would be my home router, if using TOR from home).
Is the MAC address part of IP packets somehow?

~~~
moyix
It's not part of the IP packet, but in some previous cases exploits on Tor
(such as the one the FBI used in the Freedom Hosting takedown) have explicitly
queried the MAC address and then exfiltrated that information. I assume the
intent was that they could then arrest the suspect and compare the captured
MAC address to the physical machine to prove it was the same person.

~~~
angry_octet
In addition to providing confirmatory evidence, MACs are essentially serial
numbers in a can. Every batch of chips sold can be traced to an OEM. If that
was a laptop OEM then the manufacturer will know the serial number of the
device with that MAC, and CPU ID etc. There is a good chance they can trace
who initially purchased the laptop.

Also, if it is a WiFi MAC then your laptop is blasting that out constantly,
and many services collect that info. Fortunately we are slowly seeing a move
to randomisation of the MAC used when scanning. Unfortunately an active probe
can pierce the veil by causing the true MAC to be used. Lots of venues
(shopping malls) offer free Wifi because it causes the phone to reveal its
true address when it connects, allowing tracking (lots of other entropy in
Wifi apart from the MAC though).

There is no reason random MACs shouldn't be used for all transmissions in
modern systems except for software inertia.

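The sub-thread above turns on what a MAC address gives away: a vendor-assigned address carries an OUI that leads back to a manufacturer and, via the OEM, possibly to a purchaser, while a randomized address sets the "locally administered" bit and carries no such trail. The following Python is an added example, not code from the thread or from Tails; it decodes those two header bits so you can check whether an interface is actually presenting a randomized address (for instance after booting Tails). The sample addresses are constructed, and the OUI-to-vendor mapping is left out because it requires an external registry.

```python
"""Classify a MAC-48 address as vendor-assigned, locally administered
(randomized/software-set) or multicast by reading the two flag bits of its
first octet.  Added example; the sample addresses below are constructed."""
import re


def parse_mac(mac):
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-...', 'aabb.ccdd.eeff' or bare hex
    and return the six raw bytes.  Raises ValueError on anything else."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC-48 address: {mac!r}")
    return bytes.fromhex(hexdigits)


def is_multicast(mac):
    # Bit 0 (value 0x01) of the first octet: 1 = group/multicast address.
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac):
    # Bit 1 (value 0x02) of the first octet: 1 = locally administered.
    # Randomized addresses set this bit precisely so that they never collide
    # with a vendor's universally administered (OUI-based) range.
    return bool(parse_mac(mac)[0] & 0x02)


def oui(mac):
    """The first three octets: the block a vendor registered (only meaningful
    for universally administered addresses)."""
    return parse_mac(mac)[:3].hex(":").upper()


def classify(mac):
    """Human-readable verdict on what the address can be traced to."""
    if is_multicast(mac):
        return "multicast"
    if is_locally_administered(mac):
        return "locally administered (randomized or software-set); no vendor trail"
    return f"universally administered; OUI {oui(mac)} is registered to a vendor"


# Constructed samples: a vendor-style address, a typical randomized one
# (first octet 0x02, 0x06, 0x0A or 0x0E pattern), and a multicast address.
SAMPLES = {
    "00:1A:2B:3C:4D:5E": "vendor-assigned",
    "02:1A:2B:3C:4D:5E": "randomized",
    "E6-00-11-22-33-44": "randomized (upper nibble set, bit 1 still set)",
    "01:00:5E:00:00:01": "multicast",
}

if __name__ == "__main__":
    for addr, note in SAMPLES.items():
        print(f"{addr:20} {note:45} -> {classify(addr)}")
```

On Linux the address to feed in is the one shown by `ip link`; if it still classifies as universally administered after the OS claims to randomize, the randomization did not take effect on that interface.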
------
danjoc
Not just windows DRM files. Specifying a special codec is enough to trigger an
auto download attempt in certain players. You can even embed smil animations
in quicktime files to trigger content downloads.

This is why the feds want to redistribute child porn for weeks at a time. They
can't break tor to de-anonymize users. They need to distribute files with
beacons in them for this plan to work. Never mind that the police have become
the child porn traffickers.

[http://disinfo.com/2016/01/why-did-the-fbi-operate-a-child-p...](http://disinfo.com/2016/01/why-did-the-fbi-operate-a-child-porn-site/)

------
UnoriginalGuy
While true this is like any other file type that connects back to the
internet. It has nothing at all to do with DRM in particular.

For example you could download a HTML file over Tor, that file could have a
<img /> tag in it which reveals your real IP when you open it in the non-Tor
browser. Ditto with Office macros, any scripting language, Adobe Reader, etc.
If you're going to just accept through warning dialogs then you're in trouble.

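UnoriginalGuy's point, and throwaway7767's earlier one, is that any file whose viewer fetches a resource on open will reveal the real IP address when it is opened outside Tor; the HTML `<img />` case is the simplest. The Python below is an added example, not code from either commenter: a pre-open check that lists the auto-fetched references in an HTML file that resolve to a remote host, so a downloaded page can be inspected (or rejected) before it is opened in a normal browser. The tag/attribute table is an assumption meant to be illustrative rather than exhaustive (CSS `url()` and `<meta http-equiv="refresh">` are not covered), and the sample document is constructed.

```python
"""List the resources an HTML file would make a browser fetch from a remote
host as soon as it is opened.  Added example; the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a browser resolves without any user interaction while rendering.
# Assumption: illustrative subset, not a complete list of auto-fetching tags.
AUTO_FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}


def is_remote(url):
    """True if the URL resolves to a host other than the local file system:
    absolute http/https/ftp, or scheme-relative (//host/...) URLs."""
    u = url.strip()
    if urlsplit(u).scheme in ("http", "https", "ftp"):
        return True
    return u.startswith("//")  # inherits the page scheme, still a remote host


def candidate_urls(attr, value):
    """srcset holds comma-separated 'url descriptor' pairs; other attrs hold one URL."""
    if attr == "srcset":
        return [c.strip().split()[0] for c in value.split(",") if c.strip()]
    return [value]


class RemoteRefFinder(HTMLParser):
    """Collects (tag, attr, url) for every auto-fetched attribute pointing off-host."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                for url in candidate_urls(name, value):
                    if is_remote(url):
                        self.remote.append((tag, name, url.strip()))


def find_remote_refs(html_text):
    parser = RemoteRefFinder()
    parser.feed(html_text)
    parser.close()
    return parser.remote


def is_safe_to_open_offline(html_text):
    """True only if rendering the page triggers no remote fetch at all."""
    return not find_remote_refs(html_text)


# Constructed sample: the local image and script are harmless; the tracking
# pixel and the CDN stylesheet would each disclose the opener's real IP.
SAMPLE = """<html><body>
<img src="logo.png">
<img src="http://tracker.example/pixel.gif?id=42">
<link rel="stylesheet" href="//cdn.example/site.css">
<script src="/js/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_refs(SAMPLE):
        print(f"remote fetch on open: <{tag} {attr}=\"{url}\">")
    print("safe to open offline:", is_safe_to_open_offline(SAMPLE))
```

The check is advisory: a clean result means only that none of the listed attributes points off-host, which is why the commenters' stronger advice (open downloads only inside an environment whose every connection goes through Tor) still stands.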
~~~
hackerfantastic
There are other ways of doing a similar attack which have been covered by HD
Moore. We found this one interesting due to the minimal interaction required
on Windows and the prevalence of media sharing on the darknet (for good or
evil).

~~~
hackerfantastic
Just to clarify, there are no warning messages doing this with signed WMV
files. There is a single warning from Tor which you can selectively disable -
and I am sure many users do. You open the file and the action is triggered,
office documents now have protected mode which comes with alerting and I am
sure that Adobe warns users in a similar fashion. Most users would not expect
playing a movie file to perform this action hence why it has a use case here.

------
niij
OFFTOPIC: Does anyone know the name of the song from that video? I searched
for the title of what was playing, but only came up with some weird anime
soundtracks for some reason.

~~~
campuscodi
Ask @hackerfantastic (Twitter). He made the video.

~~~
hackerfantastic
It is a copyright free video from bassrebels.

~~~
niij
Couldn't find the exact video, but great music. I needed some background music
like this to listen to at work.

Also, great work on finding the exploit in the video.

~~~
campuscodi
It's this:
[https://www.youtube.com/watch?v=yUKjM_3DHc8](https://www.youtube.com/watch?v=yUKjM_3DHc8)

~~~
niij
Thank you!

------
youdontknowtho
It would be interesting to see if this could be extended to images? Can't
Windows DRM be used with certain image formats? It's just a thought.

------
ComodoHacker
>such a niche attack

Niche indeed. The potential target group of users who think "just use Tor and
you're safe" is vanishing rapidly.

------
nueded
This is a TOR exploit in the same way that downloading a blob through TOR is a
TOR exploit.

~~~
campuscodi
Nobody said it was a Tor exploit. It's just a deanonymization technique, which,
like most, relies on social engineering (convincing the user to push a "Save
File" button).

~~~
kristofferR
Would simply saving it, without opening it, execute it?

