Law Enforcement Undermines Tor
85 comments
October 25, 2024
cedws
I have suspected Tor has been busted for quite a long time. LE is only using this power selectively for now - the last thing that they want is to scare users away lest they go and build something more secure.
The Nym mixnet[0] seems promising but it's still new and unproven.
I had an idea a while back to make traffic analysis more difficult by building circuits distributed across adversarial countries. Would like to hear thoughts on it.[1]
amy-petrik-214
It's a basic correlation attack. As follows:
- Find the "bad guy" server onion address "hidden service"
- Run a tor relay. Ideally many. No exit node shenanigans needed - hidden service, not exiting TOR. This is quite nice from a legalistic perspective since you're not on the hook for hacks coming off the exit node.
- Run a bunch of clients. Instruct to connect to "bad guy" onion.
- Gather data over time for correlation attacks. Correlate your client to relay to endpoint server.
- At some point, you'll find one of your relays is the guy connecting directly to said hidden service.
Very simple lesson here. One needs to encrypt the information, yes, but failing to consider packet timing as "information" is the fallacy.
mdhb
The public tends to have a very strange idea as to a lot of things on this topic while forgetting that TOR itself was actually a Department of Defence project, or NSW, I forget, originally.
If you’re interested in seeing what the next generation of this stuff looks like (although AFAIK it is not really known outside of defence contracting circles) take a look at this https://github.com/tst-race/race-docs/blob/main/what-is-race...
shavanerad
Tor was originally designed by a mathematician working for the US Naval Research Lab (NRL) to provide a way for MI agents to "phone home" safely from the field. It very quickly became clear that if only mil used it, it created anonymity about as effective as Batman on a rooftop backlit by a spotlight -- you didn't have a name but you knew precisely what the agent was about, and where.
So he persuaded NRL to give the project up to open source. Good thing, too, because he was a math geek but not a cryptographer. The two cryptology doctoral candidates at MIT who took the project over chucked his code, and rewrote Tor from the ground up.
Since it's open source, this can be documented. Getting spooky about it being designed for spooks is a red herring.
That GitHub doc vaguely mischaracterizes Signal -- all Signal ever sees is the connection negotiation metadata. Past that point there are no "servers" involved, or data to be retained for future discovery.
roastedpeacock
I was under the impression that the Signal server, if compromised could be utilised to potentially log metadata of communication between contacts. Sealed sender [1] is a feature of the Signal protocol to mitigate overt metadata retention but it may fail against certain correlation attacks.
GTP
> The public tends to have a very strange idea as to a lot of things on this topic while forgetting that TOR itself was actually a department of defence project or NSW I forget originally.
IIRC it was a US Navy project. But I didn't understand your point.
mdhb
NSW = Naval Special Warfare but yes somewhere within the alphabet soup that is US natsec
j-bos
One advantage of imperfect privacy solutions like Tor is they force authorities to invest if they want to snoop. In the before times, if someone wanted to read your mail they'd need to at least convince a judge and then spend manpower intercepting the envelopes; today they can just ping Google for a bcc.
Cthulhu_
Is that true? IIRC they still need to do the legal paperwork to get an email from google et al (FISA request?).
c0wb0yc0d3r
Yes, paperwork is required. I think OP is pointing out that it doesn’t require the same amount of work it used to. Especially from law enforcement.
mdhb
LE are mostly avoiding this by just buying from the same public ad network sources that everyone else does and using that as a way to avoid the paperwork. I know people get very pissy about the EU's GDPR sometimes, but if you want to put an end to that kind of thing you need to tackle the private-sector collection problem, which almost anyone can access and is comparable with mid-tier nation-state capabilities.
mdhb
Yes mostly true, exceptions apply mostly based on jurisdictions and capabilities.
The safeguards are actually much much better than what the opinions would lead you to believe on here.
People really seem to get off on the idea that they are on the targeting list of an intel service but you actually have to put in some real work to meet that criteria. If you’re buying drugs for example even the relevant LE authorities will at most knock on your door to scare you assuming you live in an English speaking jurisdiction.
rustcleaner
The dark network of the future will be an onion-routed Hyphanet/Freenet, with monthly "bandwidth quotas" that make links communicate uniformly at X GB/hr regardless of traffic (padding when there is none) until the monthly quota is hit right at the end of the month. If internodal links don't vary in externally measurable ways when utilized, netflow is diminished.
Jerrrrrrry
I2P with more steps and crypto-enforced minimum quotas to deter timing/correlative attacks.
Minimally-enforced "random" timeouts to prevent DDoS->outage correlation.
Also mirrors. Lots of mirrors.
Have mirrors tied to reputation tied to invites.
Then the border to entry is time + money + reputation (which is time + money)
Throw in some 0-KPz, and you are 100% chillin in Belize or 100% in Colorado-ADX
(in minecraft, hypothetically, to sell beets, i ♥ us)
orbisvicis
Doesn't i2p also use this model?
immibis
i2p is a bit harder because the circuits aren't end-to-end. Your traffic goes through typically 3 relays, then an all-to-all mixing where it goes directly to the start of the recipient's relay chain, then 3 of their chosen relays. A new connection is NOT set up through the whole network for each overlay connection - it uses your same outgoing relay chain, and your last relay sends the packet to the first relay in the recipient's incoming relay chain.
It also uses a separate chain in each direction which makes any attack based on observing timing both ways more difficult.
It's also not Sybil resistant at all.
sandworm101
Time for nodes to inject some random traffic. It sounds like if even 0.1% was random fluff they would not be able to track packets between nodes.
Jerrrrrrry
That time happened 10 years ago.
0.1% fluff? May as well call em up yourself.
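A toy simulation, added here as an illustration (not code from this thread, from Tor or from I2P), of what an observer sitting on one link can still recover under the two padding policies discussed above: rustcleaner's fixed quota with padding, and sandworm101's small percentage of random fluff. All traffic series are constructed; `leakage(policy)` returns the correlation between the sender's burst pattern and the per-bin link volume the observer sees, where 0.0 means the link's shape carries no timing information at all.

```python
import random
from typing import List

BINS = 600          # 60 s of link time sliced into 100 ms bins (constructed)
BURST_PROB = 0.15   # fraction of bins in which the sender actually transmits

def bursty_traffic(seed: int, bins: int = BINS) -> List[int]:
    """Constructed sender pattern: idle in most bins, 20-60 kB in the rest."""
    rng = random.Random(seed)
    return [rng.randint(20_000, 60_000) if rng.random() < BURST_PROB else 0
            for _ in range(bins)]

def add_fluff(traffic: List[int], fraction: float, seed: int) -> List[int]:
    """Link as seen with independent random cover traffic whose expected
    volume is `fraction` of the real volume (0.001 for '0.1% fluff')."""
    rng = random.Random(seed)
    per_bin = fraction * sum(traffic) / len(traffic)
    return [real + int(rng.random() * 2 * per_bin) for real in traffic]

def constant_rate(traffic: List[int], rate: int) -> List[int]:
    """Link under a fixed quota: exactly `rate` bytes every bin, real bytes
    first (queued when they exceed the quota), padding for the remainder.
    The observer sees the quota, never the real pattern."""
    backlog, observed = 0, []
    for real in traffic:
        backlog = max(backlog + real - rate, 0)   # queue what did not fit
        observed.append(rate)                     # the wire is always full
    return observed

def pearson(xs: List[int], ys: List[int]) -> float:
    """Correlation between what the sender did and what the link showed;
    0.0 when one series is flat, i.e. carries no timing information."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5

def leakage(policy: str) -> float:
    """How much of the burst pattern an observer on the link can recover."""
    real = bursty_traffic(seed=1)
    observed = {
        "none": lambda: real,
        "fluff_0.1pct": lambda: add_fluff(real, 0.001, seed=2),
        "fluff_100pct": lambda: add_fluff(real, 1.0, seed=2),
        "constant_rate": lambda: constant_rate(real, rate=10_000),
    }[policy]()
    return pearson(real, observed)
```

Even fluff equal in volume to the real traffic leaves the burst pattern almost fully correlated, because independent random noise much smaller than the bursts themselves does not hide them; only a link whose shape is independent of the sender's behaviour (the constant-rate quota) drives the correlation to zero.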
jagged-chisel
Is there something new here? I’m under the impression that we knew this kind of thing was possible with enough resources.
noirscape
Nothing new, and I'm pretty sure these sorts of attacks have been possible and used ever since its founding.
TOR ultimately works like any old relay system; if you control enough nodes, you can effectively decloak people if they happen to connect to only your nodes. Nodes are assigned for connection based on a trust value, so all a nation state would have to do is host enough nodes (relay+exit) and they'd be able to decloak a connection. This kinda inherently gives TOR decloaking abilities to entities with the most infrastructure, which at that scale basically will only be nation states.
TOR works well enough for privacy when your adversaries aren't well-funded state actors. (i.e. It's probably enough to mask your traffic if you use TOR to access resources to get out of an abusive relationship or need to circumvent cult-level inspection of your personal interests by religious schools. Most dictatorships also don't really have the resources to mount this sort of attack - it's probably just the US and some European countries.) That rule kinda also goes for VPNs in general however.
shavanerad
There are thousands of relays run by altruistic volunteers. Unless your opsec sucks (i.e. you configure Tor to favor performance and not swap circuits every ten minutes) the opportunity to correlate by malicious nodes is small.
Also, these nodes operated by bad actors are constantly identified and excluded.
rmarq10
The article confirms that the authorities are conducting a dragnet operation. Everyone who connected to a certain entry relay was tracked and reported.
Does the tor daemon connect automatically? If so, even people who installed Tor for fun and forgot about it may be on the list.
Did the lucky ones have the "Bundestrojaner" (gov surveillance app) installed on their machines?
potato3732842
> If so, even people who installed Tor for fun and forgot about it may be on the list.
Good. That reduces the quality of the list.
immibis
They selected that relay after they determined it was the one used by the person they were trying to go after. That isn't a dragnet.
There probably is a dragnet too.
SamuelAdams
Plenty of people still believe that using a VPN + Tor means they are “private”. What we need to teach others is that this is no longer the case - privacy is not a one size fits all solution. You may be private from other users on your network, but not nation state actors.
upofadown
VPN/Tor provide something else anyway: anonymity. Privacy is a different thing. You can lead an entirely private life in an environment where everyone knows who you are and who you interact with. They just don't know how you are interacting with those people.
Most people don't need anonymity most of the time...
mdhb
Really curious on your definition of private here because I have a buttload of evidence that says that is entirely untrue and you can as a private citizen buy detailed demographic and location data at an easily identifiable level for people without even needing to talk to another person.
immibis
I think the surprising element is that the German government actually deployed enough resources.
Smurfix
They knew that the target had nearly half a million [child ab]users.
That's sufficient motivation right there.
The problem is that once you have the infrastructure you can go after, well, any other random Tor onion service you damn well please, all with a minimum of judicial oversight (if any).
dialup_sounds
It's not directly mentioned in this article, but the four deanonymized users were admins of a CSAM site with hundreds of thousands of users. If you're concerned about being targeted by law enforcement, step one is probably: don't be that.
https://www.dw.com/de/darknet-missbrauchsplattform-boystown-...
https://www.sueddeutsche.de/panorama/kindesmissbrauch-boysto...
mingus88
Cool, we got the “if you don’t have anything to hide” argument out of the way early.
Now we can discuss the actual privacy implications of this news
dialup_sounds
Are you discussing the privacy implications? It looks like your only comment is this asinine middlebrow dismissal. Meanwhile, I've given actionable advice.
Brian_K_White
I don't think you get to charge anyone else with asinine.
If a tool does not perform as designed, all users of the tool have an interest in knowing that, and working towards correcting that.
It doesn't matter that there are both good and bad users.
mmzm
This is what everyone here seems to forget when they're ranting on about surveillance: that there are serious criminals out there who need to be caught. In this case, child abusers.
Whoever the engineers are who've worked on the technical aspects of deanonymizing Tor connections, they should feel very proud of their work and the good it's doing in the world.
bananamango
Split EntryGuard should help, means you connect to multiple of them instead of one, and your data is split between them then it gets to Exit through multiple paths (Middle Nodes) and there it is reconstructed to one data stream. How about that?
bananamango
Connecting through multiple EntryGuards should help in this situation; Tor should split the data transfer into many smaller ones travelling through different paths (Entry+Middle) and then get it reconstructed into one stream at the ExitNode.
ementally
Are there any projects that generate random traffic? Like a website where, while you have it open, it keeps sending random traffic. It would make traffic analysis very hard.
Brian_K_White
Decades ago when first hearing about timing attacks I thought every network switch and nic should generate essentially white noise at all times on the wire, with the actual traffic just mixed in. Random amounts of random data going to random destinations, completely filling the pipe 100% at all times like how a carrier wave is on at all times, just as a feature of lighting up the port. If the electricity is on, the noise is on. Or at least in the switches and maybe not needed at the end points.
A fantasy.
mdhb
As I mentioned elsewhere in this thread if you’re looking for proper state of the art it’s coming out of DARPA projects and you can see what I mean here https://github.com/tst-race/race-docs/blob/main/what-is-race...
Cthulhu_
It probably doesn't; think about it, most websites already have a load of random stuff, plus all users combined is also heaps of randomness. No self-respecting analyst would go through logs manually; it's all fed into search / analysis software, filtering through noise.
ementally
Depends, it is a very well-known attack vector https://www.whonix.org/wiki/Speculative_Tor_Attacks#Website_...
boltzmann64
It is already hard with bots drowning any legit traffic, and you want to add random traffic too.
radku
Would using VPN prevent prying eyes from detecting the IP address? This issue seems to be related only to Tor users who do not use VPN?
immibis
Yes, the German monitoring would point to the VPN provider, instead of directly at the user. However, they would then install a monitoring device at your VPN node.
Recent, related, and cited:
Is Tor still safe to use? - https://news.ycombinator.com/item?id=41583847 - Sept 2024 (562 comments)