Hackers breach FSB contractor, expose Tor deanonymization project (zdnet.com)
356 points by ga-vu on July 20, 2019 | 118 comments



Nobody with an ounce of intelligence can believe for one moment that the most powerful intelligence agencies in the most powerful country of the world will stand idly by and watch a protocol/network be completely opaque for them. Whether there is evidence or not (in such cases there may never be enough evidence), it is safe to assume that many if not most Tor exit nodes are govt run (various govts), and one or more of the top intelligence agencies of the world can break Tor by more than one method. The only form of safe communication is one that relies on old fashioned and proven methods, utilising code and algo that has been scrutinised by researchers from many nations. People really wanting to be anonymous will do well to be wary of heavily 'promoted' solutions.


1. Controlling the exit nodes doesn't mean anything unless they can use it to perform correlation attacks (because of TLS, GPG, etc.; exit nodes are considered malicious regardless of who owns them).

2. Using hidden services obviates the problem of exit nodes.


Controlling just the exit nodes doesn't mean much, but by controlling the majority of all nodes you break TOR. If I control all nodes your connection uses I can trivially deanonymize you (even if you use hidden services). It has also been shown multiple times that it is enough to control the first and the last node of the connection because timing correlation works great.

The upside is that no government would admit to having this capability, so your only worries are extrajudicial measures (e.g. the US does plenty of extrajudicial killings of middle easterners with its drone program) and parallel construction.
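The "first and last node" attack mentioned above is a traffic-confirmation (timing correlation) attack. The following is an added illustration, not code from the article or from any commenter: it builds constructed bursty client flows, shows each one a second time at the "exit" vantage point with an unknown delay and some noise, and then links the two views by Pearson correlation over a range of candidate lags. The flow shapes, delays and noise model are assumptions chosen to be readable, not measurements of real Tor traffic.

```python
import random

N_BINS = 200      # observation window, in time bins
MAX_DELAY = 3     # network delay between the two vantage points, in bins

def make_flow(rng, n_bins=N_BINS, toggle_prob=0.15):
    """Packet count per time bin for one client's flow: bursty on/off traffic.
    Constructed sample data, not a capture."""
    counts, on = [], False
    for _ in range(n_bins):
        if rng.random() < toggle_prob:
            on = not on
        counts.append(rng.randint(3, 12) if on else rng.randint(0, 1))
    return counts

def observe_at_exit(flow, rng, max_delay=MAX_DELAY, jitter=0.2):
    """What the second vantage point sees: the same flow, shifted by an unknown
    delay, with some bins perturbed by queueing noise."""
    delay = rng.randint(0, max_delay)
    seen = [0] * delay
    for c in flow:
        noise = rng.randint(-1, 1) if rng.random() < jitter else 0
        seen.append(max(0, c + noise))
    return seen[:len(flow)]

def pearson(a, b):
    """Pearson correlation of two equal-length (after truncation) count series."""
    n = min(len(a), len(b))
    a, b = a[:n], b[:n]
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5

def best_correlation(entry, exit_, max_lag=MAX_DELAY + 2):
    """The attacker does not know the delay, so try each plausible lag and keep the best."""
    return max(pearson(entry, exit_[lag:]) for lag in range(max_lag + 1))

def match_flows(entry_flows, exit_flows):
    """For every exit-side flow, name the entry-side flow that correlates best."""
    matches = {}
    for j, ex in enumerate(exit_flows):
        scores = [best_correlation(en, ex) for en in entry_flows]
        matches[j] = max(range(len(entry_flows)), key=scores.__getitem__)
    return matches

def run_experiment(n_flows=30, seed=7):
    """Returns the fraction of exit-side flows linked to the correct entry-side flow."""
    rng = random.Random(seed)
    entry = [make_flow(rng) for _ in range(n_flows)]
    order = list(range(n_flows))
    rng.shuffle(order)                        # exit-side order carries no information
    exits = [observe_at_exit(entry[i], rng) for i in order]
    matches = match_flows(entry, exits)
    hits = sum(1 for j, i in matches.items() if order[j] == i)
    return hits / n_flows

if __name__ == "__main__":
    print(f"flows linked correctly: {run_experiment():.0%}")
```

The attacker never reads any payload: packet counts per time bin at two points on the path are enough, which is why end-to-end encryption or using onion services does not by itself defeat this adversary.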


Running a Tor exit node is dangerous. Very few people would dare to do so. Most hosters will forbid that.

Now running an ordinary Tor node is not dangerous. It does not consume a lot of resources (I'm running a node on a 256 MB OpenBSD VPS) and hosters don't care at all. It takes a few minutes to install and set it up.

So there's absolutely no reason for people not to run a Tor node on every server they have access to. And I'm sure that many people do. So I doubt that governments control the majority of Tor nodes.

If you operate a server, consider installing a Tor node. It does no harm, it consumes as much bandwidth as you configure and you probably have a lot of unused resources anyway.


The flipside of that is that it's reasonable to assume that most (not government run) TOR nodes are run at hosters offering cheap small VPS with cheap traffic and high bandwidth. That gives a few select datacenters where sniffing and correlating network traffic is extremely beneficial for deanonymizing TOR traffic. And if the datacenter operator doesn't cooperate and isn't vulnerable to covert sniffing there are always their uplink providers.


"That gives a few select datacenters where sniffing and correlating network traffic"

Uh,

This was the whole premise of Carnivore... installed in room 641A

https://en.wikipedia.org/wiki/Room_641A

(Btw - this is the room that Twitter was originally routed through...)

Basically I take the defeatist stance at this point...

There is NO privacy or anon. It doesn't exist any longer.


I ran a TOR exit node at home for a while, I don't recommend it.

Within 30 minutes of my public IP changing, CloudFlare would get wind of it again and then it'd be back to hitting a captcha for 75% of all of my own non-Tor traffic with the same origin IP as a TOR exit node. This among myriad other misadventures resulted in me shutting it off after ~6 months.


> Running Tor exit node is dangerous. Very few people would dare to do so. Most of hosters will forbid that.

Even in the richest parts (relevant because they love forbidding things) of the EU you can find hosters that accept tor exit nodes. As for it being dangerous, that is kind of a spurious argument. Why do you think it is dangerous? Do you know because you tried, or do you "know" because you heard someone tell you it was?


> So there's absolutely no reason for people not to run Tor node on every server they have access to.

There is at least one: the list of Tor relay IP addresses is public. Some mail servers use this list as an additional source for RBLs (probably people who are not familiar with Tor don't know the difference between exit nodes and relays and ban all just in case). So it is not a good idea to share a mail server IP with a Tor relay.


I'm guessing that the .gov doesn't run 'many' of the nodes -- but I'm guessing they have MAPPED them all out and are 0-day exploiting as many as possible.

THIS is what I would guess a state entity would be training an AI to do as a function...


It's extremely risky to use 0-days in an indiscriminate manner, especially against targets that are likely to be watching closely.


Govts have almost unlimited resources and willpower. They could easily just detect the tor nodes running, then spin up n /2 + 1 to compensate, giving them majority control. This could be automated.


And if two governments do this at the same time?


Then you have 2(n/2+1) = n+2 servers. QED.


Wouldn't the fact that several huge organizations all try to own as many nodes as possible make Tor safer? If more than one org tries to gain the majority, everyone's share will be smaller. I highly doubt that FSB and NSA are both agreeing that only one of them should be allowed to host a huge amount of nodes.

>The upside is that no government would admit to having this capability

Probably because it's very improbable that they have the capability to do so.


TOR isn't like bitcoin where you have to own N/2+1 nodes, you only have to see the traffic of the first and last node in each connection you care about. That means any one node can belong to more than one organization.

Suppose the NSA has a project to deanonymize TOR, so they set up TOR nodes. To be less conspicuous (TOR node IPs are monitored for geographic distribution) they set up small clusters in various locations, one of them an apartment in Amsterdam. The FSB manages to get a double agent that installs software in those nodes to send the same information to Russia. India finds a 0-day exploit and installs their own data-extraction on those nodes as well. Since it's an undercover installation in Amsterdam usual US government rules don't apply and the ISP used uses Huawei networking equipment, giving China a way to listen in as well. Meanwhile the ISP itself is run by Mossad agents specifically to extract Dutch traffic for Israeli analysis, and they struck gold with this NSA op choosing them because they are cheap and have no data cap. The ISP routes the traffic to the internet backbone, where most of it will pass through a GCHQ facility on the British coast.

That's 6 different agencies using the same pair of nodes to deanonymize TOR users, without any deliberate data sharing.
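The "first and last node" point above changes the arithmetic from the n/2+1 node counts discussed earlier: what matters is the share of guard and exit bandwidth the adversary holds, because Tor chooses relays weighted by advertised bandwidth, and a client keeps the same entry guard for a long time rather than picking a fresh one per circuit. The following is an added simulation, not code from the article or any commenter; the relay counts and bandwidths are constructed to be illustrative and are not the real consensus.

```python
import random
from itertools import accumulate

def build_relays(tag, n_honest, honest_bw, n_adv, adv_bw):
    """Constructed relay set as (name, advertised_bandwidth). Names ending in
    '-adv' belong to the adversary. Illustrative numbers only."""
    relays = [(f"{tag}{i}", honest_bw) for i in range(n_honest)]
    relays += [(f"{tag}{i}-adv", adv_bw) for i in range(n_adv)]
    return relays

def adversary_share(relays):
    """Fraction of *bandwidth* the adversary holds; this, not node count, drives selection."""
    total = sum(bw for _, bw in relays)
    return sum(bw for name, bw in relays if name.endswith("-adv")) / total

class Picker:
    """Bandwidth-weighted relay selection (a simplification of Tor's path selection)."""
    def __init__(self, relays, rng):
        self.names = [n for n, _ in relays]
        self.cum = list(accumulate(bw for _, bw in relays))
        self.rng = rng

    def pick(self):
        return self.rng.choices(self.names, cum_weights=self.cum, k=1)[0]

def circuit_compromise_rate(guards, exits, n_circuits=20000, seed=1):
    """Fraction of independent circuits whose guard AND exit are both the adversary's,
    the only pairing that lets it correlate both ends of the path."""
    rng = random.Random(seed)
    g, e = Picker(guards, rng), Picker(exits, rng)
    bad = sum(1 for _ in range(n_circuits)
              if g.pick().endswith("-adv") and e.pick().endswith("-adv"))
    return bad / n_circuits

def clients_exposed(guards, exits, n_clients=2000, circuits_each=50,
                    persistent_guard=True, seed=2):
    """Fraction of clients with at least one fully observed circuit. With a persistent
    guard a client is either exposed from the start or never; re-picking the guard for
    every circuit gives each client a fresh chance of being caught every time."""
    rng = random.Random(seed)
    g, e = Picker(guards, rng), Picker(exits, rng)
    exposed = 0
    for _ in range(n_clients):
        guard = g.pick()
        for _ in range(circuits_each):
            if not persistent_guard:
                guard = g.pick()
            if guard.endswith("-adv") and e.pick().endswith("-adv"):
                exposed += 1
                break
    return exposed / n_clients

GUARDS = build_relays("g", 900, 10, 100, 30)  # adversary: 10% of relays, 25% of bandwidth
EXITS = build_relays("e", 400, 10, 100, 20)   # adversary: 20% of relays, 33% of bandwidth

if __name__ == "__main__":
    fg, fe = adversary_share(GUARDS), adversary_share(EXITS)
    print(f"analytic f_guard*f_exit = {fg * fe:.3f}, "
          f"simulated = {circuit_compromise_rate(GUARDS, EXITS):.3f}")
    print(f"clients exposed over 50 circuits: persistent guard "
          f"{clients_exposed(GUARDS, EXITS):.2f}, guard re-picked per circuit "
          f"{clients_exposed(GUARDS, EXITS, persistent_guard=False):.2f}")
```

With these constructed numbers the adversary owns a minority of relays yet sees both ends of roughly 8% of circuits (0.25 × 0.33), and the per-client view shows why entry guards exist: without guard persistence nearly every client is caught at least once over 50 circuits, with persistence only about a quarter ever are.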


> because timing correlation works great

I have read that research. It works great in a controlled environment without the parallel requests of modern browsers, where packages all arrive in order, and where a high rate of false positives is acceptable. Outside of a lab setting the research gets much more muddy and more speculative that it maybe can be used, but I have yet to see an actual experiment that demonstrates it.


Browser exploits and fingerprinting for when you get off Tor and use the same browser have been used in the past by exit nodes.


I was pretty confused, because the title mentions "FSB", but all of this discussion in this thread is about the US. I literally assumed that FSB must be an acronym for some US intelligence agency I don't know of. Then I went and read the article, and it really is about the Russian FSB.


A bunch of the comments are saying multiple governments and using lots of plurals. If you are reading such comments and assuming they only mean US I think you are misreading.


You would have to have avoided a lot of media and news not to know what the FSB is.


The majority of people don't read the articles posted, only the titles. Most TLAs are American, so if you don't know what the FSB is then "a US IC org" is a pretty safe guess.


I don't agree. I see that as a very US-centric view of the world.

  ASD
  CSE
  GCHQ
  GCSB
  NSA

  FVEY
(I'm seriously considering getting some of those made as tshirts...)

only one of FVEY is a US IC org. See also Nine Eyes and Fourteen Eyes.


What's interesting about this is that, in a competitive marketplace of governments attempting to do this...they'll actually make the network more secure.


I guess one benefit of this is only one country can control a majority of nodes.


Perhaps other countries can use the same vulnerability or point of entry. Either way that one country can tip allies with valuable data.


... What about a group of countries?


I can think of five (or should I say FVEY) that would have the combined means and interest.


Tor was created for intelligence.


"Against", not "for". It was against the enemy being able to get intelligence about communications. And it was also not created for an intelligence agency, in case that's how you meant it. I'm really not sure what you're trying to say here.

If Tor was made for intelligence (agencies), why would anyone ever use it? Makes no sense.


It was extensively funded by DARPA and the Navy and released to the public so that there would be other users.

I’m not suggesting that the code of Tor is compromised, as it has been under the control of others for years. I am suggesting that military/intelligence interests have been associated with the network from the beginning and no doubt have significant presence in terms of infrastructure, etc.


So what does the US Navy use now?


How do various embassies contact the mothership? I heard that a lot of them use TOR, and for smaller countries it makes sense. Big countries I suppose have their brew (which is not necessarily safer.)


Not a single intelligence agency or diplomatic service will rely on ToR for security; that's madness.

A properly configured commercial or open source VPN is considerably more reliable and secure than ToR since you have no idea who is listening on the exit nodes or who can execute unmasking attacks by traffic shaping or monitoring if they control enough relays.

For the most part any country which can perform intelligence collection out of its embassy will have sufficient budget and technical capacity to develop their own secure means of phoning home.

Also for highly sensitive material a diplomatic pouch is still the most secure means of transport as it never leaves your sight and is never inspected and if you do get intercepted then destroying physical media is much easier than securing network traffic to the same level of assurance.


>Not a single intelligence agency or diplomatic service will rely on ToR for security that’s madness... For the most part any country which can perform intelligence collection out of its embassy will have sufficient budget and and technical capacity to develop their own secure means of phoning home.

The CIA has it's own onion service: ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion

Tor was developed by the US naval research lab, it was opened up because an anonymity network only spooks use isn't anonymous.

Smart intelligence agencies are not going to reinvent the wheel (or in this case, the onion router).

>A properly configured commercial or open source VPN is considerably more reliable and secure than ToR since you have no idea who is listening on the exit nodes

If traffic is encrypted this does not matter. (HTTPS also provides integrity checking to show messages were not modified in transit)

Also, traffic to onion services does not exit the Tor network - there is no "exit node"

>Also for highly sensitive material a diplomatic pouch is still the most secure means of transport as it never leaves your sight and is never inspected and if you do get intercepted then destroying physical media is much easier than securing network traffic to the same level of assurance.

They may use diplomatic pouches for especially sensitive information, but the need for low latency communication is strong. What's more likely is that one time pad codes for said communications are sent via pouch, and the communication itself then goes over Tor or some other channel.


Why would embassies need to be anonymous?

If I needed to design a secure system that didn't need to be anonymous I'd just have it send a HD full of random in a diplomatic pouch & ensure that the packets are sent with encrypted 0s if there isn't anything to say.

And that's only if you think that there isn't a safe public key protocol.

Bitcoin's security model relies on public key encryption & there is an extremely large bounty on breaking it. There doesn't seem to be evidence of it being broken yet.


Wow I wonder how much compute it took them to generate that hidden service name.


I tried one of the older, shorter .onion addresses once out of interest. Didn't take long on a laptop to get a specified 7 characters at the beginning.

I don't know how much the longer .onions affects generation time - anyone?


Is there a script to do that or did you roll your own?


I used https://github.com/katmagic/Shallot back then and it took 35221958203 attempts to find one with my chosen seven characters.

For the longer v3 .onions you'll want a different tool, this page mentions some and makes some estimates for finding increasing lengths of characters: https://www.jamieweb.net/blog/onionv3-vanity-address/
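For the v3 addresses the arithmetic is the same as for the old ones: each address character is one base32 symbol, so a fixed prefix of k characters costs about 32^k attempts on average (32^7 ≈ 34.4 billion, in line with the attempt count reported above). The following is an added example, not code from the page or from the tools linked above. It encodes and validates v3 addresses exactly as Tor's rend-spec-v3 defines them (base32 of pubkey || checksum || version, with the checksum being the first two bytes of SHA3-256 over ".onion checksum" || pubkey || version), and runs a short vanity search. One assumption is labelled in the code: real v3 keys are ed25519 public keys, and here random 32-byte strings stand in for them, which leaves the address encoding and the hit rate of the search unchanged but does not produce usable service keys.

```python
import base64
import hashlib
import os

VERSION = b"\x03"          # onion address version byte
CHECKSUM_PREFIX = b".onion checksum"

def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """rend-spec-v3: onion_address = base32(PUBKEY | CHECKSUM | VERSION) + '.onion'
    where CHECKSUM = SHA3-256('.onion checksum' | PUBKEY | VERSION)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("v3 public key must be 32 bytes")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]
    raw = pubkey + checksum + VERSION                 # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def parse_onion_v3(address: str):
    """Decode and validate an address; returns the 32-byte public key, or None if the
    length, version byte or checksum is wrong (a typo or a hostile look-alike)."""
    name = address.lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56:
        return None
    try:
        raw = base64.b32decode(name.upper())
    except (ValueError, TypeError):
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        return None
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    return pubkey if checksum == expected else None

def expected_attempts(prefix: str) -> int:
    """Mean number of random keys needed for a fixed prefix: 32 symbols per position."""
    return 32 ** len(prefix)

def vanity_search(prefix: str, max_attempts: int = 1_000_000):
    """Brute force: draw keys until the address starts with `prefix`.
    ASSUMPTION: os.urandom(32) stands in for ed25519 public-key generation. The
    leading characters are just base32 of the leading key bytes, so the search
    statistics are the same, but these keys cannot run a service."""
    prefix = prefix.lower()
    if any(c not in "abcdefghijklmnopqrstuvwxyz234567" for c in prefix):
        raise ValueError("prefix must use the base32 alphabet a-z, 2-7")
    for attempt in range(1, max_attempts + 1):
        key = os.urandom(32)
        addr = onion_v3_from_pubkey(key)
        if addr.startswith(prefix):
            return addr, key, attempt
    return None

if __name__ == "__main__":
    cia = "ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion"
    print("address from the thread validates:", parse_onion_v3(cia) is not None)
    addr, _, n = vanity_search("ab")
    print(f"found {addr} after {n} attempts (expected about {expected_attempts('ab')})")
```

The checksum is the practical reason a vanity prefix is all you can pick: every other character is determined by the key, so a look-alike address that shares the first few characters still has a different key, and `parse_onion_v3` only tells you the address is well formed, not who owns it.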


HTTPS with SNI leaks what one visits, and if an adversary controls enough of the network they could also use timing attacks.


Yes but why would you use a single hop VPN instead of Tor? Wouldn't both leak that?

(Also it's my understanding Tor uses the exit node's DNS server)


Unless they communicate via a hidden service, in which case there is no exit node, so that particular problem is easy to avoid.


Tor is an anonymizer. Why would embassies use an anonymizer for communicating back home? Everyone knows they’ll be communicating with home. There’s no point in hiding that. What you want to hide is the content of that communication, which Tor doesn’t do very well. You do that with standard encryption tools.


Because if you don't know where traffic is going or coming from it's harder to infer what the message is about.


It’s not hard to infer that traffic from an embassy is probably going to their home country.


You properly encrypt it and regularly send data (like in a VPN). Done.


So you're claiming that using a VPN makes correlation attacks impossible? Do you have any sources on this? I'd love to read up to better understand your thinking.


Correlation attacks are attacking anonymity. If you are an embassy, there is no need for anonymity. Ok, an embassy connected to vpn.whitehouse.gov and sent 20 GB of data, so what?

(unless you are thinking about high level things, like "lots of traffic" -> "something going on", but tor won't help with that either)


I feel like if I were a network operator for something that sensitive I might send some bursts of traffic to nothing just to keep anyone trying to infer "lots of traffic" → "something going on" on their toes.

(Though certainly things like packet timing, packet size, etc. might make more thorough analyses harder to escape…)


I'm now imagining a significant portion of some small country in politically sensitive area's external internet bandwidth being composed entirely of vpn encrypted email with attached Word docs and Powerpoint decks full of "This page left intentionally blank" sent from embassies back to their respective motherships...


A highly secure connection either uses a fixed-bandwidth pipe or constantly sends random data to avoid correlation like this.


>unless you are thinking about high level things, like "lots of traffic" -> "something going on", but tor won't help with that either

But is an embassy always only "phoning home"?


Yes, it's good practice for an embassy to use a VPN to their home country for 100% of incoming and outgoing traffic (at least that's how I would do it).


Yes, if you are an embassy, you can be pretty sure that the host country is watching all of your traffic very carefully. Having all the traffic go via VPN is just sanity.

(and for really secure stuff you will want a channel with constant rate, constant size packets, as others said)


One time pads[1] are an effective and cheap measure. Certain privileged diplomatic luggage (not exactly sure of the protocols) cannot be searched by the host country. You can bring them to your embassies on a regular basis.

1 -https://en.wikipedia.org/wiki/One-time_pad


Or just set up an OTP then use the OTP to send new OTPs securely, boom.


If you do this, it is no longer OTP.


I think it still is:

1. Alice and Bob set up their OTP

2. Alice randomly generates a new OTP

3. Alice encrypts the new OTP with the original OTP and sends the ciphertext to Bob

4. Bob decrypts... the new OTP

5. Alice and Bob burn the original OTP

6. Now Alice and Bob have a copy of the new OTP

I mean, it's pointless. But I don't see how it isn't secure.


For those who do not know exactly how OTP works:

jancsika is right in the sense that this is possible, but meaningless. The reason for that is that in OTP, you use your key ("pad") for every transmission, in a 1-to-1 ratio to the amount of data being transmitted. And you can only use your key once (hence "one-time pad").

So let's say you brought 1000 MB of OTP keys to the embassy in diplomatic mail; you can use it to send up to 1000 MB of encrypted data, and then you have to get a new one. If you are low on OTP keys, and you use it to send a new one, you'll have to spend 100 MB of "old" OTP keys to get 100 MB of "new" OTP keys -- an entirely pointless process, as the amount of unused key data won't change.
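The pad accounting in the two comments above (the six-step re-keying scheme and the explanation of why it nets nothing) can be checked directly. The following is an added example, not code from the page: a minimal XOR one-time pad with a store that consumes key bytes strictly once, a re-keying step that sends a fresh pad through the old one, and a demonstration of what goes wrong when a pad is used twice. The sample pad and messages are constructed for the example.

```python
import os

class PadStore:
    """Unused one-time-pad bytes held by one party. Bytes are consumed from the front
    and never handed out twice, which is the whole security argument of an OTP."""
    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)

    def remaining(self) -> int:
        return len(self._pad)

    def take(self, n: int) -> bytes:
        if n > len(self._pad):
            raise ValueError("pad exhausted: refusing to reuse key material")
        chunk = bytes(self._pad[:n])
        del self._pad[:n]
        return chunk

def otp_xor(store: PadStore, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse); both parties consume the same bytes."""
    key = store.take(len(data))
    return bytes(d ^ k for d, k in zip(data, key))

def rekey_over_otp(alice: PadStore, bob: PadStore, new_pad_len: int):
    """The scheme from the thread: Alice generates a new pad, sends it under the old pad.
    Returns (old pad bytes spent, new pad bytes gained) for Alice, plus the new stores."""
    before = alice.remaining()
    new_pad = os.urandom(new_pad_len)
    ciphertext = otp_xor(alice, new_pad)
    received = otp_xor(bob, ciphertext)
    if received != new_pad:
        raise RuntimeError("pads out of sync")
    spent = before - alice.remaining()
    return spent, new_pad_len, PadStore(new_pad), PadStore(received)

def two_time_pad_leak(pad: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an eavesdropper learns if the same pad bytes are used twice:
    c1 XOR c2 == p1 XOR p2, the key cancels out entirely."""
    c1 = bytes(a ^ k for a, k in zip(p1, pad))
    c2 = bytes(b ^ k for b, k in zip(p2, pad))
    return bytes(x ^ y for x, y in zip(c1, c2))

if __name__ == "__main__":
    sample_pad = os.urandom(1024)                 # constructed: 1 KB delivered "by pouch"
    alice, bob = PadStore(sample_pad), PadStore(sample_pad)
    ct = otp_xor(alice, b"attack at dawn")
    print(otp_xor(bob, ct), "remaining:", alice.remaining())
    spent, gained, alice2, bob2 = rekey_over_otp(alice, bob, 100)
    print(f"re-keying spent {spent} bytes to gain {gained} bytes: net {gained - spent}")
    print(two_time_pad_leak(sample_pad[:5], b"hello", b"hello") == bytes(5))
```

The re-keying step always reports a net gain of zero, and it is worse than pointless in one respect: it moves the new pad across the network, so the only cheap win left is exactly what the previous comment suggests, shipping pads physically and keeping the channel for traffic.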


On the other hand, if Alice and Bob are just constantly sending each other these messages as a pointless exercise, the traffic they generate by doing so would technically make the exercise rise above the level of pointlessness. :)


Dedicated fibre, terrestrial radio, commercial and military satellite links. [0] Crypto algorithms implemented in hardware, keys managed by the signals intelligence agency.

The Department of Defense is probably one of the largest and most sophisticated telecoms in the world. Cannot have dependencies on local infrastructure in countries you are bombing.

[0] https://en.wikipedia.org/wiki/Defense_Information_System_Net...


I'd be surprised if the big countries used plain Tor for their vital communication. They would be having their own secret networks or tunnel through Tor. Small countries have probably simply given up hiding their intelligence from the big ones at this point and are simply interested in ensuring their immediate rivals are kept out, which Tor can probably do.


A custom protocol can potentially be fingerprinted. I wouldn't be surprised if they used something less sophisticated. Like (encrypted) direct messages on twitter/reddit/facebook. This way the traffic blends with the rest.


There's a companion project to Tor called obfs4proxy which is designed to hide the protocol's implementation.


It doesn't need to be a completely custom protocol. HTTPS can handle a very large percentage of anyone's communication needs these days.


An application level protocol implemented on top of HTTPS can be fingerprinted. If you look up "Website Traffic Fingerprinting" you will see what I mean. That traffic is encrypted.


For official operations, they would not be using the internet in any way, but their own parallel enterprise networks. Tor could be useful for covert operatives, and for generally weakening the grip of governments where we are inducing "popular" uprisings.


The fact that the embassy talks to the mothership is not secret.

How much it does so might be, and what it talks certainly is, but that's easily fixed by getting a line with dedicated bandwidth, running an encrypted connection (VPN or something custom) over it, and padding the traffic to ensure the bandwidth usage is constant (if you have a 100 Mbit line and 10 Mbit of traffic, you send 90 Mbit of padding).

The keys for the VPN get delivered via diplomatic courier.
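The constant-rate, padded link described above (and in the earlier comments about fixed-bandwidth pipes and constant-size packets) is simple to state and easy to get subtly wrong, so here is an added example, not code from the page or from any commenter. It clocks out one fixed-size frame per tick whether or not there is data, fills idle ticks with random padding frames, and hides frame type and length inside the ciphertext, so an observer who sees only sizes and times gets the same trace for a silent link and a busy one. The SHA-256-based keystream is a stand-in for a real cipher and provides no integrity protection; a production link would use authenticated encryption and a fresh key per direction, both assumptions of this example.

```python
import hashlib
import os
import struct

FRAME = 64             # bytes on the wire per tick, fixed for the life of the link
HEADER = 3             # 1 byte frame type + 2 bytes payload length
CAP = FRAME - HEADER   # data bytes carried per frame
DATA, PADDING = 1, 0

def keystream(key: bytes, counter: int, n: int) -> bytes:
    """Demo keystream: SHA-256(key || frame counter || block index). Stand-in only,
    not authenticated; shown so the example runs without third-party libraries."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">QQ", counter, i)).digest()
        i += 1
    return out[:n]

def seal(key: bytes, counter: int, frame: bytes) -> bytes:
    """XOR with a per-frame keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(frame, keystream(key, counter, len(frame))))

class Sender:
    def __init__(self, key: bytes):
        self.key, self.counter, self.queue = key, 0, bytearray()

    def write(self, data: bytes):
        self.queue += data

    def tick(self) -> bytes:
        """Emit exactly one frame per clock tick regardless of pending data."""
        if self.queue:
            chunk = bytes(self.queue[:CAP])
            del self.queue[:CAP]
            frame = bytes([DATA]) + struct.pack(">H", len(chunk)) + chunk
            frame += b"\x00" * (CAP - len(chunk))            # pad short data frame
        else:
            frame = bytes([PADDING]) + struct.pack(">H", 0) + os.urandom(CAP)
        sealed = seal(self.key, self.counter, frame)
        self.counter += 1
        return sealed

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.counter, self.out = key, 0, bytearray()

    def recv(self, sealed: bytes):
        frame = seal(self.key, self.counter, sealed)
        self.counter += 1
        kind, length = frame[0], struct.unpack(">H", frame[1:3])[0]
        if kind == DATA:
            self.out += frame[HEADER:HEADER + length]        # padding frames are dropped

def run(key: bytes, messages: dict, ticks: int):
    """messages maps tick -> bytes handed to the sender at that tick (constructed input).
    Returns (bytes delivered, observer's trace of per-tick frame sizes)."""
    sender, receiver = Sender(key), Receiver(key)
    trace = []
    for t in range(ticks):
        if t in messages:
            sender.write(messages[t])
        on_wire = sender.tick()
        trace.append(len(on_wire))          # all an eavesdropper gets: size and timing
        receiver.recv(on_wire)
    return bytes(receiver.out), trace

if __name__ == "__main__":
    key = os.urandom(32)
    _, idle = run(key, {}, 20)
    got, busy = run(key, {2: b"hello world" * 10, 9: b"report"}, 20)
    print("delivered:", got[:30], "...")
    print("observer sees identical traces:", idle == busy)
```

The cost is the point made above: the link burns its full rate forever, and a bursty application that outruns the queue just sees latency, never a change on the wire. What this does not hide is that the link exists and who its endpoints are, which the comments agree is not a secret for an embassy anyway.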


Why do they need anything more than HTTPS? Just open https://nsa.gov/ and send your data.


Because that reveals that you are talking to the NSA right now. Sometimes the volume of chatter is useful information in its own right. Sure, you could script something to make the data rate constant, but that might be undesirably expensive and if you do everything over Tor then your video chat with HQ looks indistinguishable from you bit torrenting pirate episodes of My Little Pony.


I can't currently find the place on Wikipedia where I learned this, but an example of "volume of chatter" being important was e.g. before the attack on pearl harbor. While the US couldn't decrypt the internal messages, it was clear that an attack was imminent based on the pattern (including the radio silence) before the attack.


Last time Tor was mentioned here, a user posted this link [1], claiming Tor is a military financed destabilization project. Seems unbelievable, but there appear to be lots of supporting documents.

[1]: https://surveillancevalley.com/blog/fact-checking-the-tor-pr...


Wikipedia: “The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online.“

Recently, many or all of the US’s agents in China were captured and executed:

https://foreignpolicy.com/2018/08/15/botched-cia-communicati...

https://www.nytimes.com/2017/05/20/world/asia/china-cia-spie...

This is why things like mandating Apple, Google, et al use breakable encryption is extremely bad. Anyone who follows information security knows Apple struggles to keep up with 0 day exploits.

My opinion is that it is both in the interest of the United States government and all human-rights abiding democratically elected states to have as absolutely secure and anonymous communications systems as possible. I’m not the only one who believes this. In fact, I think this is very very much a CIA vs FBI situation, domestically. Is it really worth exchanging knowing what was on some dead nut jobs iPhone for the ability of government officials, the military, business executives (e.g. Jeff Bezos apparent breach by Israeli assisted Saudis), and every day common citizens to communicate securely?


>> dead nut jobs iPhone

I think the principle here is that the same dead nut will simply cease using iPhones the moment they become insecure.


Even when Tor was new I had my doubts about it due to its origins among other factors. My dissertation was on privacy technologies in that era (early '00s). I covered a lot of ground at the time.

The most sinister change in information technology is cloud and the fact that you have no 4th Amendment protections for anything stored there. Our laws simply aren't keeping up. But it was a neat trick to get everyone using cloud and then pulling the rug out of privacy by say "oh, and by the way, since the files aren't on your property, you have no legal protections for them."


Good points.

RE CIA v. FBI - I wouldn't be surprised if it ended up being a loose handshake that they (CIA/NSA/FBI) will allow Tor (benefits CIA), in exchange for technical assistance in investigations (benefits FBI) -- namely the ability to own an endpoint. Don't need to own the service/protocol if I can own the host it is running on.


This is a silly conspiracy. The facts about the initial funding of research on Tor have always been public and well-known, and the conspiracy is based on the idea that there was some grand scheme looking forward into the future for more than 16 years. It's much more likely that some researchers at some government agency implemented the known idea of onion routing in a proof of concept, their work was more successful than anticipated, and later some other researchers at some other government agency were told to try to de-anonymize their colleagues' invention again.

However, I'd be more wary about more recent projects. A lot has happened during the past two decades in cryptography and privacy, and I do think it's credible that all kinds of agencies from all over the world nowadays have the task of subverting privacy projects right from the start. But back in the 90s? Unlikely.


Yeah, just because something was either invented or first implemented in the military doesn't mean it's tainted forever. SQLite was originally designed to be used on ballistic missiles. Heck, the internet itself was first developed by the DoD (ARPA). A lot of technologies have military origins.


I read a few reviews of the author's (Yasha Levine) other work[1], and it makes me think he has credibility problems.

[1] https://www.amazon.com/Corruption-Malcolm-Gladwell-Yasha-Lev...


What is unbelievable in aiming "to aid democracy advocates in authoritarian states"? I think the State Department has funded plenty of other censorship circumvention projects like Tor.

But you have to admit the funding for Tor was also meant to get the upper hand in the shadow battle across anonymous networks. I still remember how LulzSec was busted by the FBI with a timing attack on Tor. Without the ahead-of-time research on Tor it wouldn't be as easy for the FBI to get the same level of power against anonymous networks.


The funding part is not really a secret and it's even on the Wikipedia page but the "military financed destabilization project" begs for evidence.

The more likely scenario is, I believe, as soon as any government got concerned about the stuff going on on the internet they assigned people to take care of it and those people started to look for a ways to exploit anything and the Tor project was a good target.


I know Roger Dingledine personally and unless he's a VERY VERY good actor he would rather kill himself than go down this path.

That is unless the state actors know something he doesn't and is still pushing it forward.


I consider it very believable. Of course the US has the same interest in destabilizing other countries as other countries have in destabilizing the US.

Russia gives controversial people a voice in the US, while the US finances TOR.


>Yasha Levine

"Yasha Levine is a Russian-American investigative journalist and author. Levine, who was born in the Soviet Union, is a former editor of Moscow-based satirical newspaper The eXile."

https://en.wikipedia.org/wiki/Yasha_Levine


> Tax-3 - a project for the creation of a closed intranet to store the information of highly-sensitive state figures, judges, and local administration officials, separate from the rest of the state's IT networks.

So, is this intranet used for keeping official (confidential) records or for blackmail purposes?


Or is it the network they won’t pass laws requiring backdoors for? Literally segment society into those with power and privacy, and those with neither?

Why on earth would they need separate infrastructure and the rest of us do not?


>Why on earth would they need separate infrastructure and the rest of us do not?

I imagine they wanted to build their own version of SIPRNet.

[0] - https://en.wikipedia.org/wiki/SIPRNet


Probably a way to avoid the massive leak of the names of intel officers when that US gov employment database got leaked. The note about operating outside of the standard state IT network is the obvious indicator.

Part of their job is counter intelligence not just offensive.


Counter intelligence is FSB's pretty much the only job. If they do intelligence, it's in CIS (Commonwealth of Independent States) countries such as Belarus or Kazakhstan. It's SVR and GRU that are Russia's intelligence agencies.


Right, same with deanonymizing Tor. That's only useful for catching people/software trying to hide themselves, which is more counter intelligence than purely offensive.


a) All that article states is that Russian intelligence runs their own servers to scan through the traffic. That isn't a huge threat; only when a party attempts to run a big majority of the entire network, it becomes an issue.

b) There are merely around 7000 servers active. With more funding or contributors, the danger of any single party taking over would quickly diminish. Here's one way you could help: https://www.torservers.net/about.html


It sounds like the attack is not unusual or unknown - they're spinning up malicious nodes then trying to drive traffic to those nodes via DDOS. This is a common technique and unfortunately it's my understanding that aside from increasing the number of good nodes there's not much that can be done about it. (Though monitoring for malicious behavior is much better nowadays, so bad nodes will quickly get kicked off the network)


It said the attacks were detected by a Swedish University.


Yeah I mean if you have the budget of an intelligence agency, even a Russian one, you could automatically deploy hundreds, thousands, of Tor exit nodes all the time.

Intelligence agencies could run a substantial part of the tor network with ease.

That's why I'd like to see some sort of identification for tor exit node operators. Like keybase or github accounts that can verify who they are and that they have a "normal" presence on the internet.


hacked into SyTech's Active Directory

Sure, why not? Active Directory doesn't really scream top-secret security to me. Maybe someone with more knowledge can chime in here: Is AD really considered best of breed for what it offers, esp. in terms of security? Or am I not giving it enough credit?


Is there any better solution for large scale AAA than Kerberos/AD? I think it does the job pretty decently for the large problem that it encompasses.


Maybe I'm just judging too much from personal experience working under a system that may be poorly implemented.


What is the risk of hosting an exit node? I have heard that you can be liable for facilitating illegal actions if yours gets used for it


Hosting an exit node is not illegal (in the United States), and generally you cannot be held liable if the network was used for illegal actions as a consequence of being an exit node and not committed by you (this is not legal advice); however, you have to be able to prove that and it does not necessarily mean you are protected from being investigated, having your door kicked in, and/or your equipment seized.


> being investigated, having your door kicked in, and/or your equipment seized.

True and good to be aware of (upvoted), but I think it is fair to note that this is a very small number of cases. It's not small odds like "win the lottery" odds, but it's also not likely that it'll happen to you. Definitely something to be aware of and plan for (e.g. don't also use that server for important stuff, say, your email and website).


As I understand it, part of the risk is proving that you didn't perform the illegal act, and that an investigation itself can be damaging (loss of equipment/public reporting that you are being investigated for being involved in illegal behaviour).

If you maintain a strict separation between your traffic/equipment and the exit node, this may be less of a risk, but is subject to the laws of your jurisdiction.

> In the USA, there have been no equipment seizures due to Tor exits, but there have been phone calls and visits. In other countries, people have had all their home computing equipment seized for running an exit from their home internet connection.

https://blog.torproject.org/tips-running-exit-node

> Jan Bultmann and David Robinson, a married couple from Seattle and well-known privacy activists in that city, were awakened early one morning last month by police with a search warrant for their home. The detectives from the Seattle Police Department demanded passwords to access the couple's computers, saying they were investigating child abuse imagery [...] The couple consented to the search and gave their passwords to police, who found no child abuse imagery, didn't seize any equipment, and made no arrests.

https://nakedsecurity.sophos.com/2016/04/07/couple-hosting-t...

> The operator of a Tor [exit node] used by someone to download a pornographic image of a minor has been given a three-month suspended prison sentence by an Austrian court for abetting access to pornographic images of minors [but chats show that he was aware of this use and did not disapprove, so this is not necessarily a general ruling]

https://www.pcworld.com/article/2452320/tor-exit-node-operat...


> that an investigation itself can be damaging

This is the main part. It's extrajudicial punishment.

TONS of governments engage in this behavior. This is why MJ was illegal for so long. It allowed the US to imprison 1M more minorities since the 80s.


I agree with the principle of your point re: marijuana in specific -- it was often used as a way to stack charges, and especially in a racialized way.

But I'm not sure it applies here. Clearly if the US is investigating a serious computer crime that came from your server, they can't take it on your say-so that it actually came from somewhere else. They need to be able to investigate. And typically for forensic reasons that's going to involve an infrastructure seizure.

Now, the failure to return infrastructure over a long period of time is more extrajudicial punishment, and they do that too sometimes. Lots of people haven't gotten laptops back for years via this.


Publicizing unproven charges, and allowing "mugshot extortion"-style web sites to operate, is a large part of this.

In many other countries, crime reporting has to happen in an anonymized way until conviction.


The best/safest way to do so is to found a company/club/... that operates the node. The goal here isn't to hide who runs it, it's to make sure that the police find someone who understands what Tor is before they find whose _home_ to raid.

When there are bomb threats, child porn, or other illegal activity coming from your home IP, you're going to get raided before you get to explain what a Tor node is.

When that stuff is coming from a server that you personally have rented, you're probably going to get raided before you get to explain what a Tor node is.

When that stuff is coming from a server that a company, student club, or similar has rented, suddenly brains are required to be switched on since there isn't an "obvious culprit", and it's unlikely that they'll start raiding the private homes of random members or organizers. Not impossible, but significantly less likely. The office address of the company/club is at the highest risk, but if that's "digital freedom club, computer science department building, university road 17, biguniversity" that's not necessarily a big problem. A raid at the office address would already be the exception, not the rule, but if you can make sure that a raid happening wouldn't be more than a minor annoyance, do it.

For non-exit nodes, just run them wherever you feel like, as long as you're OK with the traffic and the risk that some people will treat the IP as "not reputable". Anyone who finds the IP of the node will by necessity have an idea how Tor works and understand that the node is not the origin of the traffic.


It's best left to universities and other large organizations.


A reminder: Please run as many tor nodes as you can. They don't have to be exit nodes. This is a mostly free way to give back that has a big impact on privacy and free access and helps to prevent state actor attacks.
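
As an added example (not from any commenter or from the Tor Project), here is a minimal torrc for the kind of non-exit relay recommended above, which also keeps the operator's own traffic separate from relay traffic as suggested earlier in the thread. The nickname, contact address, bandwidth caps and log path are assumed placeholders; the directives that make the relay non-exit are the point.

```text
## Non-exit (middle/guard) Tor relay. Added example, not project defaults.
## Values marked (assumed) are placeholders to replace before use.

# Port other relays and clients connect to for relay traffic.
ORPort 9001

# (assumed) Public nickname and a reachable abuse/ops contact so that
# anyone who finds this IP in their logs can learn it is a Tor relay.
Nickname exampleMiddleRelay
ContactInfo tor-ops@example.org

# Never act as an exit: no destination is accepted, for IPv4 or IPv6.
# (An exit operator would instead set ExitRelay 1 and an ExitPolicy
# listing the ports it is willing to carry.)
ExitRelay 0
ExitPolicy reject *:*
IPv6Exit 0

# Relay only. Disabling the local SOCKS proxy means this box never
# originates your own Tor client traffic, so relay traffic and personal
# traffic stay strictly separated.
SocksPort 0

# (assumed) Bandwidth and monthly volume caps sized for a small VPS.
RelayBandwidthRate 2 MBytes
RelayBandwidthBurst 4 MBytes
AccountingMax 500 GBytes
AccountingStart month 1 00:00

# (assumed path) Keep a notice-level log for troubleshooting.
Log notice file /var/log/tor/notices.log
```

After the relay has been reachable for a while it appears in the public relay list with the ExitPolicy above, which is how a third party can confirm it carries no exit traffic.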


I wish there was some sort of secure protocol to allow tor clients to create their own exit nodes using cloud services. I just don't see how it would really be possible reliably.


As much as I hate to say this, we all knew it was happening, right? I'm still ninety percent sure they had to scramble to justify a non-tor-breaking reason they got Ulbricht. I don't know why people are still encouraging others to use it alone. You should also be using some kind of encryption of the content itself. Their goal is to figure out who you are and what you're saying; deny them either piece, and they're foiled (three-letters, that is).


Ulbricht was grossly incompetent; they didn't need a special attack on Tor to unmask someone who asks questions about connecting to Tor from a public StackOverflow account in their real name.


I agree on the competency assessment, but I think the issue was plugging the service using his gmail IIRC. (Not just that he posted about Tor.)

IIRC they were able to track down the first mention of the site and it was from an account tied to Ross.

Plenty of noncriminals are Tor users and post about Tor - myself included.


He really did that? Jeez, you're right. Still, such attacks have doubtless been used before. Even if they haven't broken the core protocol, I'd assume they've got a few zero-days sitting around.


Freedom Hosting is a good example of using alternative attacks to sidestep Tor:

> News reports linked a Firefox browser vulnerability to a United States Federal Bureau of Investigation (FBI) operation targeting Freedom Hosting's owner, Eric Eoin Marques. In August 2013, it was discovered that the Firefox browsers in many older versions of the Tor Browser Bundle were vulnerable to a JavaScript attack, as NoScript was not enabled by default. This attack was being exploited to send users' MAC and IP addresses and Windows computer names to the attackers. The FBI acknowledged they were responsible for the attack in a September 12, 2013 court filing in Dublin

https://en.wikipedia.org/wiki/Freedom_Hosting


We do know that the US government used a Flash applet to deanonymise a lot of Tor Browser users. It was revealed in some lawsuit I think.


He did a lot of stupid stuff. Like logging into SilkRoad from a public library. FBI agents were at the next table.


He logged in in public a lot. They were able to correlate him opening laptop/joining wifi with their suspect account signing into Silk Road.


From the news reports I’ve read, including Ulbricht's, it's enough for law enforcement to just find out who you are.

They can then set up a sting operation where the target inadvertently leaves their laptop exposed with the keys to the castle available while being arrested.

