Yes, we know about the Guardian article

by arma | October 4, 2013

And also the Washington Post article.

We're planning to write up a more detailed analysis later, but for now here's a place to centralize all the "hey did you know about this article" blog comments.

And for the journalists out there who want a statement, here's my quote from the article:

"The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network. Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard.

Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on.

Just using Tor isn't enough to keep you safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other internet-facing applications."

Comments

Please note that the comment area below has been archived.

October 04, 2013

Permalink

These new disclosures confirm (as some of us strongly suspected) that it was NSA tech that was used in the "torsploit" attack on Freedom Hosting in early August this year. Details, for those curious:

This matters because we're dealing with military-grade cyberweapons here - designed, built, and directed by military personnel. It requires a change of cognitive space, to respond effectively: this isn't LEO.

The Tor project is doing an excellent job of standing up under withering fire from a branch of the most powerful and well-funded military establishment ever in existence throughout history (by far). Think on that, perhaps, before slagging Tor for this or that limitation.

As to the political, social, and cultural implications of this confirmation that torsploit was NSA military offensive tech (not merely FBI, as so many erroneously claimed)... a different question and not directly relevant to issues on the table here.

military-grade cyberweapons?
Give me a break, TorSploit was a bread and butter exploit.

trickle down survey ( the little guys want what the big-fish has) : haven't heard anyone realize this online yet. realize it. the local coppers want what the Big Bro has... and in that means little stuff you don't think is a big deal.

They decide what exploit to use based on the target. Says so right in their documents. Why burn good 0day when a patched bug one will work just the same?

What a load of bs. There was nothing in the exploit or the payload that a single good hacker couldn't make. Even the vulnerability itself was in public domain for at least a month.

tor can't be able to do that much hence the fact they only have like 3 or 4 active programmers to keep up with this. to really be effective there would need to be like freakin 900 programmers.

October 04, 2013

Permalink

Thanks arma! You and everyone who contributes to Tor (and there are a lot) are doing an excellent work, please keep it up!

October 04, 2013

Permalink

Pretty good roundup of all the articles and documents, for anyone who cares:

http://media.encrypted.cc/files/nsa/

This 2006 document (on MJOLNIR) is perhaps the most interesting:

http://media.encrypted.cc/files/nsa/ces-summer-2006-tor-paper-28redacte…

It describes multiple potential attacks against the Tor network; one can only imagine how many of those are in production after seven years. To assume they cannot do traffic analysis on the network -- e.g. to locate hidden services -- sounds extremely naive to me. (The section on hidden services in the MJOLNIR document is actually pretty interesting.)

If nothing else, this document shows that every threat you ever dreamed about is actually out there. And then some.

- Nemo
https://self-evident.org/

First, you should realize that the document you're reading was written by some interns -- students who popped in for the summer, wrote a paper, and then probably went back to their university. This is not NSA's "master plan".

I mean, you're welcome to assume that they allocated a new brilliant research team to each sentence in the paper, and these teams all went on to turn it into amazing attacks. But I think it's pretty clear from the "Tor stinks" slides that at least some of the research teams weren't able to do much with it.

If you want a much better newer version of the Mjolnir paper, check out the Usenix Security 2009 paper from Christian Grothoff's research group:
http://freehaven.net/anonbib/#congestion-longpaths

If you want some good documentation to show that every threat you ever dreamed of is actually out there, check all all the papers on http://freehaven.net/anonbib/ -- now, these are just research papers, but they have a lot more convincing details than the documents we read yesterday.

October 06, 2013

In reply to arma

Permalink

OK, I have now read the 2009 paper, and I still think you are being naive. (And yes, I know who I am talking to. Do you? Hint: You are not the only MIT grad here...)

Your _2009_ paper describes a "novel" congestion attack that is also described in detail in the _2006_ MJOLNIR paper; they called it the "flower" attack. Do you really think the people who found this attack three years before you were "some interns" who "popped in for the summer"? Where did you get that idea? (You think "summer program" implies students?)

MJOLNIR appears to be a sophisticated Tor client API designed for use by exploitation teams across the Five Eyes. The paper describes much more than the "flower" attack. Did you actually read the whole thing?

For example... Section 7.2.2 (and Appendix D.4.2) describes how to attack hidden services to determine their location. By controlling the rendezvous point, they can arrange so that they only have to follow traffic through two hops, rather than the usual three, to locate the hidden service. Is that attack out of date?

Combine this with some unknown number of Tor nodes being run by NSA and friends, and this seems worth worrying about. How many Tor nodes could _you_ run with a $10 million annual budget? How about $100 million? $1 billion?

One last thing. Could you please provide specific references instead of a generic link to hundreds of papers going back to 1970? Because that just looks like deflection / blowing smoke. Compared to NSA, all of academic cryptography is elementary school stuff. Tor's own use of 1024-bit public keys, authenticate-before-encrypt, etc. just reinforce this impression. But go ahead and spend time on "reproducible builds" because that is obviously the biggest threat.

In short, you are not worried enough in my humble opinion. But hey, what could I possibly know.

- Nemo
https://self-evident.org/

As for the summer program thing, yes. Check out Andy Isaacson's analysis here:
https://mailman.stanford.edu/pipermail/liberationtech/2013-October/0117…

I should have pointed you to the other papers in the series. I thought reading the 'related work' section of the 2009 paper would be enough. But here they are:
http://freehaven.net/anonbib/#torta05
http://freehaven.net/anonbib/#torspinISC08
http://freehaven.net/anonbib/#tissec-latency-leak
http://freehaven.net/anonbib/#congestion-longpaths
http://freehaven.net/anonbib/#esorics10-bandwidth

"By controlling the rendezvous point, they can arrange so that they only have to follow traffic through two hops, rather than the usual three, to locate the hidden service. Is that attack out of date?"

That attack never worked in the first place. They never bothered learning how hidden services work, so they speculated some attacks and misunderstood the design.

Anyway, I encourage others to read this paper and form their own opinion. I'm going to keep ignoring it in favor of papers that really do have great attacks that we need to deal with (e.g. the upcoming CCS paper).

October 07, 2013

In reply to arma

Permalink

Arma, I think you "tor" and mozilla should get together to file a lawsuit against the federal government "for damaging your products name and compromising it", just like yahoo, google and microsoft have sought to do

http://cir.ca/news/tech-companies-push-back-against-fisa

also lavabit's founder is going to file a lawsuit against them

https://rally.org/lavabit

this administration needs to be sent a message, "that we will not tolerate this kind of tyranny" and that fight starts with you guys

October 04, 2013

Permalink

It would be good if you could give a good advisory how to protect yourself from exploits of this kind.
I would say it is quite safe if you run Tor-Browser on a guest-system in e.g. Virtualbox (on Linux) and run Vidalia on the host-system using it as proxy for Virtualbox. A hardened Linux alone should be also good.

The PROBLEM with TAILS is that using it always directs itself at the TAILS startpage, so the exit node will obviously node it is dealing with a TAILS user. From all TOR-users, the amount of TAILs users are few, making tracking Tails users easier , especially in combination with browser fingerprinting (panopticlicks) and server-side cookies.

But unfortunately TAILS seems to choose for advertising themselves over anonimity. Let people please direct to a random or private search engine instead of the TAILS startpage every browser startup ....

October 04, 2013

Permalink

I really respect you arma, and everyone who works on Tor, and other Tor applications - you gals/guys are the Internet (and real world - see Arab Spring) heroes of the 21st century.

October 05, 2013

Permalink

Congratulations on being the first good news story of the Snowden revelations. Keep on stinking.

Botnet is not NSA, if they wanted to ddos SR they would have done it BEFORE they took over their servers. Botnet didnt show up until a month after SR servers were located.

Having circuits break quicker would likely *harm* your anonymity, depending I guess on how the rest of the design proposal goes. And having them get longer would likely also harm your anonymity by e.g. making congestion attacks better.

Careful -- anonymity is tricky. I suggest reading more of the papers at http://freehaven.net/anonbib/

And unless you can describe any anonymity attack that requires a botnet to sign up millions of clients, I think it is not reasonable to conclude that the botnet thing is related.

I tried to respond to some of the other implications in this comment:
https://blog.torproject.org/blog/yes-we-know-about-guardian-article#com…

read this first: https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN

Good in most cases:
you -> VPN/SSH -> Tor

Bad if they can track who paid for the VPN:
you -> Tor -> VPN/SSH

you -> Tor -> x
"This is generally a really poor plan."

Personally I consider this the best:
you -> ssh on VPS you paid for anonymously -> tor ->

You can also do this (regex):
you -> (ssh on VPS you paid for anonymously -> tor ->)+

LOLOLOLOL, if you paid for a service they can track you. this is a trap in itself. get real. unless you used some sort of identity theft, they can track you. don't pay for anything if you want to remain anonymous...this is just plain COMMON SENSE.

October 05, 2013

Permalink

To: Tor developers

In the light of what the USA's NSA and the UK's GCHQ have done and/or will be doing in the future, it would be in the interest of the Tor community for Tor developers to create a web page containing every information that Tor is able or unable to counter the American and British surveillance programmes.

That would be good I agree. But that's a huge undertaking. First I think we should focus on fixing some of the known anonymity problems with Tor.

To quote some paragraphs I sent a journalist last night:

"""Looking over the rest of the slides, they seem to be asking some of the right questions but they don't seem to have any more answers than we do in the academic research community -- and in many cases the papers at http://freehaven.net/anonbib/ provide significantly better answers than these slides do.

Or said more clearly, we still have a lot of work to do to make Tor both safe and usable, but we don't have any new work based on these slides."""

October 05, 2013

In reply to arma

Permalink

Do you think these slides provide any real help in working out where there is work to be done or are you saying that everything in them was basically already known with a better understanding already?

Thanks in advance.

I really liked this OS BUT I found it was creating ethernet interfaces on its own after I deleted them to try to figure out what it was up to. I could not control this OS's connection to the internet and data transfer I had to delete it after testing on a clean machine. I just did not trust it.

If anyone has an explanation or more detailed information I'd love to hear it.

October 05, 2013

Permalink

Given that we know that the NSA are actively trying to influence encryption standards and implementations, is anyone doing any investigating into who associated with the Tor Project was pushing to keep TBB based on thne insecure version of Firefox?

Don't get me wrong, TorProject is doing a wonderful job. and there's no need to be paranoid. But being realistic helps us all...

Nobody was, and it wasn't based on the insecure version?

You should learn about Firefox's ESR releases.

That said, we're still on Firefox 17-ESR right now because of the many major privacy problems in Firefox 24-ESR. Mike is busy working on fixing them (among the many other Tor jobs he has) before Firefox 17-ESR goes unsupported.

If you want a conspiracy theory, you can say that Mozilla is conspiring to keep Tor distracted by new application-level privacy bugs, by putting out new versions so often.

But really, that's not entirely Mozilla's fault. Google is conspiring, using its fast Chrome release cycle, to force Mozilla to conspire to ... :)

October 05, 2013

In reply to arma

Permalink

That said, we're still on Firefox 17-ESR right now because of the many major privacy problems in Firefox 24-ESR.

I do not understand why Tor developers have to keep up with Mozilla's releases of Firefox.

The adage "If it ain't broke, don't fix it" should apply to TBB.

If Firefox 17-ESR is able to provide 100% anonymity and without any vulnerabilities/exploits, I will use it over any most recent version of Firefox.

Perhaps arma could explain to us the need for Tor developers to always use the latest version of Firefox for TBB. And perhaps Mike would be free to focus on other more urgent and important tasks.

right
i think there's no need to strictly follow Firefox new versions' features.

Why cant Tor simply take a Firefox version and stick with that, repairing its bugs each time they appears?

New version = New bugs.

and also:
New version = New features

I'd really prefer less "New features", if it comes with less bugs!

The trouble is that Mozilla drops support for them. It's a forced upgrade path, since they keep dumping new features in and they barely have time to keep up with the vulnerabilities introduced.

So, FF17 will soon be obsolete and vulnerable to known attacks that nobody has fixed. Just like FF10 is already that way.

We'd love to find a browser that normal people like to use that doesn't suffer from this problem. By 'normal people' I mean that we're aiming to have something useful for millions of people, not something that only thousands find usable. But the simple fact is that browser security is a disaster yet you need one for the web.

To be even clearer, we're *already* using the "stay behind as much as we can while still having it be supported" approach. Firefox puts out a new version every six weeks, and we stick to the old one as long as we can. You can read about ESR here:
http://www.mozilla.org/en-US/firefox/organizations/faq/

October 15, 2013

In reply to arma

Permalink

To quote beloved arma, "Application-level security is a disaster these days."
There is no "forced upgrade path." The longer Tordevs stick with, refine and make more secure ONE unbloated FF version, the LESS work it is for them to keep up and the more secure the TBB will be. Debian security repos have always taken this approach and it's not because they are dim. Also arma, the US military takes the approach I suggest. Any military officer loading constantly new, untestable bloat-browsers into the closed network would be fired, then shot..not maybe in that order.

Debian gave up on that model, because Firefox gives them no other choice.

Also, the military certified Windows for use in these situations, and nobody got fired/shot over that.

Anyway. I guess the constructive way to say it is that dealing with all the new bugs in new Firefox releases is still less work than maintaining the old obsolete Firefox, by ourselves, with all of its bugs.

October 21, 2013

In reply to arma

Permalink

Windows and Linux are EAL 4+ certified... they can defend against "inadvertent and casual" security breach attempts (Chandler). The military here, for all critical systems applications is using INTEGRITY-178B RTOS (from Green Hills) operating systems. They never use Windows in work-or-die applications.

October 05, 2013

Permalink

But the FH servers were exploited after they located its owner through non-technical means, or is that just parallel reconstruction? Either way the exploit was OLD and had already been patched by the time they released it, i would hardly call that some sort of military super weapon.

Yeah, I think it's safe to assume that the FBI can contract to some dude in SAIC or wherever to scrape together a web exploit for a vulnerability that's been known for a month. Application-level security is a disaster these days.

As for parallel reconstruction on the FH case, who the heck knows. They gave us just the facts they wanted to give us. Maybe it'll become clearer over the coming years.

October 05, 2013

Permalink

Excuse me, i've a question: if we disable all the scripts through NoScript, we are ipotetically safe from browser attacks, right?

I'm sorry, but I think it isn't right. JavaScript is just one road to attack through a browser, perhaps the broadest one, but there is more code that can be searched for weaknesses, for example the libraries used to render images. What I mean is that there can be vulnerabilities everywhere, but disabling JavaScript certainly closes a door. I'm not so sure about how can it affect your anonymity, though. I'm afraid that this cold lead to two identifiable groups of Tor users: the group with JavaScript enabled and the one with JavaScript disabled, thus reducing the number of people you can blend with. I'm just guessing, though.

NoScript secures also other features, not only javascript (IMO)

Maybe a better approach could be:
1) leave NoScript as it is. (leave the default setting)
2) disable javascript via menu (Edit->Preferences->Content)

But if you decide to disable "all" scripts through NoScript keep in mind that Noscript has a whitelist that contains youtube/google/mozilla and some other domains. You'll probably want to disable (delete 'em from the whitelist) them as well.

October 05, 2013

Permalink

It is interesting that the NSA specifically mentioned using javascript and cookies as ways to get what they want. If one had javascript disabled, "torsploit" wouldn't have executed.

We have known for years that in order to surf safe, one has to disable javascript and cookies, and even referrers. Seems that got lost along the way.

Are you sure?

javascript/cookies -less browsers are *not* vulnerable? I dount it.

Btw i think it could be a nice idea to have a sort of TBB-textonly based on some text-only browser (like elinks, for example).
Maybe it's easier to implement and it could be much more secure if compared to Firefox.

elinks has no java/javascript support. It also doesnt load images (you decide what image you want to view and then it gets downloaded and opened by your preferred image viewer , like "feh" or "xli" or "fbi" etcetera), elinks is also *very* fast and customizable.

October 05, 2013

Permalink

I've got a question concerning this article: http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-onli…

There it says: 'FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. One of the top-secret documents provided by Snowden demonstrates how FoxAcid can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.'

'malicious software that survives a reboot process' sounds bad. Imagine the following scenario: A user with windows uses TBB for his everyday tasks and for sensible research or communications, he uses Tails on the same machine. Imagine his windows was infected by such malicious code. Is it possible that the malware is leaking through the freshly rebooted Tails or any other live system?

"survive a reboot process" simply means that the infected OS (or, rare/unverified case, the MBR) load the virus code during the next reboot.

Usually, once an attack is done your PC will have the malicious code in memory.
"persistent" means that che malicious code "saves" itself on the hard disk, mainly to be able to execute again during the next reboot.

If by "using Tails" you mean "using CD or USB to boot Tails", then you're not going to load that virus again.

the safest way ever? simple, keep the virus code unavailable to Tails:
1)poweroff the pc.
2)remove the battery and current cable
3)press 2 or 3 times the power button (to discarge it)
4)leave the PC alone for 6 or (better) 10 minutes, (so that the RAM loses all its data)
5)while waiting the 6 (or 10) minutes, you can physically disconnect your hard disk (remove its cables), so that if it's infected you'll not risk to access it while using Tails.

this is a good (and maybe eccesively precautious) way.
Anyway, Tails usually doesn't automatically mount the internal hard-disks.

In the 90% of cases, the normal users can simply reboot and insert the USB/CD Tails and it's ok ....
... but if you think the Nsa considers YOU as an enemy(**) ... maybe you've better following the "long procedure" i described ;)

(**) "enemy", in the case of the NSA means: all people that disapprove the Gestapo-like mass-surveillance made by the NSA.
By this definition, if you are an antifascist be aware they consider you an enemy.

Sure, RAM can be powered off, and the hard drive untouched. But what about the trick of storing of the virus code in the video adapter? It was a university research project using the Nvidia hardware. Sorry I don't remember the details or the URL - do your own web search.

While here... if you had a significant budget and the unlimited "national security" pressure on the vendors, why not using some other hardware (i.e., a popular BIOS brand) to develop a way of storing there something small that survives the reboot?

On the similar near-paranoia subject, sometime ago I was playing with a simple radio scanner near my Intel-made Core i7 system. When the scanner is near, it picks up some definite periodic radio broadcasts. Go figure what's in your hardware nowadays. :-)

October 05, 2013

Permalink

Based on my limited understanding (I am not IT trained) of the FoxAcid system as described in The Guardian

http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-onli…

it would seem that the best way for the Firefox in TBB to avoid being "exploited", "compromised" is to use Tails Live DVD (write-once DVD media)

Correct me if I am wrong: the NSA is unable to inject malware into TBB's Firefox if the latter is on a Live DVD such as Tails.

October 05, 2013

Permalink

Hey arma, what you can do right now is produce an easy how-to guide for making your own internal Tor and bridge relays to encourage more people to do so. The slides revealed they are unwilling to attack existing relays and would prefer to just flood the Tor network with their own relays that redirect traffic into the GCHQ network for analysis. If you are unlucky enough to connect to one of their relays as the first hop it's game over, so we should all be making our own.

Torservers.net has a step by step guide to doing this for an exit relay but not a bridge or internal relay. Could also use puppet config to automatically deploy relays on VPSs not located in US, UK, or other "5 eyes alliance" countries.

As for TBB you are in a privacy arms race to keep up with ~70,000 professional crypto engineers and exploit writers who are employed by those 5 agencies you can't win. Distro a text shell browser maybe you can hold them off and activists can use it to sign up for email instead of getting blasted with java/javascript vulnerabilities.

i agree.

A text browser (like lynx/elinks/xlinks ecc) could be the real (and long term) solution.

I'd like to find some instruction to modify, for example, the elinks config so that it appears and act basically like the TBB without javascript and images.

Changing the UserAgent is trivial, but there's also the problem of the headers' order and some headers to omitt or to add.

Maybe later this day i try to post a config here if i find the way to config it right ;)

October 05, 2013

Permalink

All I can say is use TAILS without a hard drive, surf with Javascript turned OFF, all the while sitting in a van at McDonald's using free wireless, and NEVER giving out personal info. What could be safer?

lol you made me laugh cause I do pretty much the same thing. Just buy a USB wifi modem to increase the range, change you mac address, dont have any important stuff on your persistence volume and your sweet as

avoiding MacDonald's wireless.
That, would be safer. (always avoid corporation apparate, they're part of the surveillance)

You could also buy a good directional antenna and sit on your sofa using the wifi network of some unknown neightboor ;)

or, why not, a free wireless network. (but it's way too booring :! )

October 05, 2013

Permalink

"Proposed eventual change will kill identification!

- Each Tor node will generate random-ish signatures in a volatile
way specifically designed to look like normal website TLS traffic!"

Is this change already in unstable version?

October 05, 2013

Permalink

check.torproject.org server has been unreachable for a few hours. All those "is it down or is it just me?" websites confirm it. I was expecting something on here about it.

I'm sure its all perfectly innocent and nothing is wrong. can anyone else confirm or deny it?

i can only confirm that i had the same problem.

But I cant say if it was down or if it was the NSA blocking/altering access to it.

The message i've read on that page was something like "you dont appear to be connected through the Tor network"
and then there was "my" Tor-IP address (an IP from Bulgaria)

October 05, 2013

Permalink

I am unable to use tor, when it tries to check TOR, I get a timeout error and a message that my version of TOR (the latest version) cannot be confirmed to be a TOR Node, a timeout error, or HTML 500 error. Is TOR down? Was it shut down by the US Government similar to Lavabit when the Guardian reported that it was used by Edward Snowden and had emails stored in encrypted form on their server for privacy?

October 06, 2013

Permalink

What if that document is a big-big FAKE? We know TOR since 2002, and they can't make an exploit for already 11 years? O_o

October 06, 2013

Permalink

Arma,

Please be honest, do you really think some "interns" at the NSA, can, in theory, undermine TOR? Is TOR that fragile? I hate to say it, considering all the effort that has been put into this project, but you are starting to sound like Richard Christman (http://quicksilvermail.net/). Is TOR now as vulnerable as qsl, qs, and JBN2 (panta` mod) and JBN original from RProces? I'd TRULY appreciate your comment arma. Should I open port 9000 for Flashproxy? That sounds like a great idea (https://crypto.stanford.edu/flashproxy/).

Still awaiting arma's response. FYI no response is also a response. Blame it on the "interns" That's a good one. I'll be sure to open as many ports as TOR requests. Port 9000 for Flashproxy - maybe you'd like root access too.

Sorry, I've been busy doing actual work and haven't made time for accusatory blog comments.

Maybe I answered your questions at
https://blog.torproject.org/blog/yes-we-know-about-guardian-article#com…
?

As for setting yourself up as a Flash Proxy client, if you need to use Flash Proxy in order to reach the Tor network, yes; otherwise you don't need it (but feel free to experiment with it -- as always we need help making everything in the Tor ecosystem better).

October 06, 2013

Permalink

At this pace TOR will be toast and join history if there is no drastic change to catch up.

It might have been history already, who knows. These leaks are just the tip of the iceberg.

October 06, 2013

Permalink

Arma,
I recently downloaded the Tor Browser Bundle and was surprised to see that it seems to be disabling Javascript. I read in the Tor Project FAQ that it disables all scripts BUT Javascript, by default. When I go to the same websites in regular Firefox, they work fine. Do you know why TBB seems to be disabling Javascript? Did I misinterpret the FAQ or is it out-of-date? Please forgive my ignorance I am trying to learn. Thanks for your time.

October 06, 2013

Permalink

The paper "Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization" was released in May 2013:
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

It describes how to get the IP of a Hidden Service in the chapter:
"VI. OPPORTUNISTIC DEANONYMISATION OF HIDDEN SERVICES"

I would like a response from someone in Tor-project about this.
Could this be how they got Silk Road and Freedom Hosting?

It is a real attack. It's the same attack as described in these two papers:
http://freehaven.net/anonbib/#wpes12-cogs
http://freehaven.net/anonbib/#ccs2013-usersrouted

I wrote a background blog post here:
https://blog.torproject.org/blog/lifecycle-of-a-new-relay
and stay tuned for my upcoming blog post to explain more what we need to do to solve it. (It keeps getting delayed because I'm distracted doing other work.)

And oh, you asked whether this attack was used to find Freedom Hosting or Silk Road. As far as we can tell, no -- they were vulnerable to even easier (out of band) attacks. See e.g. https://blog.torproject.org/blog/tor-and-silk-road-takedown#comment-356… for more thoughts.

October 06, 2013

Permalink

Basic Vidalia feature is missing..a quick lockout for any nodes or exits user deems unsavory. Thanks.

note: the CAPTCHA was wrong. Pi are round, not square.
Also, why are you requiring installing cookies on my box to verify captchas?

October 07, 2013

Permalink

Proven Facts:

1. You can copy cookies and parse form data and map them to domains from any TOR node, yes the very middle one even. In fact any data that comes across in any node is vulnerable unless TLS is used, and even then you're talking about the worlds most powerful security agency, you just can't map client IP data unless on first&last, but who cares. Remember that cookies and host data are just HTTP headers..

2. There is a gaping security hole that allows cookie access to system installs of FF.. somebody cut corners in TOR dev..

3.TOR "portable" FF isn't portable, buffer overflows write outside of any hook system with no special code..

4. TOR encryption is worthless,,, why you ask? each node can decrypt and encrypt and even manipulate routing by design

Well, ok. You should feel free to trust some anonymous person on the Internet then I guess.

But those who don't like to be trolled, go learn about things for yourself. :)

October 07, 2013

Permalink

Would it be possible to protect the Tor/Tails website with an Extended Validation (EV) Cert as described here https://www.grc.com/fingerprints.htm ?

At least then, when visiting the site with Firefox or Chrome users could be sure that they're not subject to a MITM attack and the website/downloads are less likely to have been tampered with (obviously this excludes the possibility that someone has gained access to the server and altered the data there but I imagine this would be caught fairly quickly).

We'd still need to verify the signatures of downloads, which is problematic as we have to do that by downloading another file but again, with the elimination of the possibility of a MITM attack it would reduce the risk of that being tampered with too.

October 07, 2013

Permalink

Where can I find out how to inspect my computer to see if it has any NSA malware on it? Will regular anti-virus get the job done?

October 07, 2013

Permalink

Let's not forget one thing. Tor itself is a project to deliver military grade anonymity and encryption, isn't it?

It was initially started by United States Naval Research Laboratory, a branch of the Navy. They developed Onion Routing and financed it some years ago. Which means the military started Tor, secure communication is crucial for them. But we need it too.

So, is it a wonder it isn't easy for the nsa to identify tor-users?

No, if you read that blog you will realize how screwed everybody is on the Internet.

Tor still helps -- they have to resort to attacks like that one, and they have to target individual Tor flows without knowing who they're targeting.

Without Tor, the attacks are even easier.

October 08, 2013

Permalink

I love TOR, all developers and contributors of TOR and all the fine projects that continue to grow from it and from other our freedom expanding and supporting ideas.
I love all who are for TOR as well all folks in the NSA, including those who are against it – yes, I love them too - I love them unconditionally.

Yes, I love all folks, no matter whether they are my family or friends or as most may choose to call them “foes”, - I love everybody deeply and unconditionally no matter what they do or say or think.

Please understand that those who are against Tor and free internet do it because of their fears and powerlessness that they experience pushing against free will that everyone have not only in our world but in all of the our Galaxy, our Universe as well as other Universes: To be Free, to live in Joy while seeking Growth. (and there are uncountable numbers of worlds and civilizations. Creation is always expanding and growing each moment of NOW)

October 08, 2013

Permalink

Hi,
Isnt the "check.torproject.org" web page an HUGE security problem?

1) it gets loaded at the Tor startup, with javascript and cookies *enabled*

2)Drones could exploit TEMPEST to have a snapshot with the IP address of the exit node the user is using. (that's why i immediatly press Ctrl+T and then i move the window to an edge so that i cant see the IP but i can only see if the text is green and then i close the tab ;)

3) Since the NSA wants to infect the most Tor users' PC, couldn't it be reasonable to think that "check.torproject.org" could be a nice target to use? or maybe their *MAIN* target?
They are probably already using one of theirs fast servers to inject traffic, impersonating the real server. They probably are injecting javascript malicious code, to be able to infect a TBB at the very first link visited (check.torbrowser.org).

Someone could argue: "hey, but it's an HTTPS website"
But if i recall right the CA are private enterprises and maybe they're also forced to be collaborationists with the NSA.

So the only way to mitigate just a bit could be:
1)press ESC immegiately when the Tor-browser appears
2)Use Alt+F and then press "w" to go in Offline mode.
3)Disable javascript, cookies, and images ( remember: the check page is the ONLY page they're 100 sure you'll visit via Tor!! )
4)press Ctrl+N and then Ctrl+T
5)Now use the "anti-TEMPEST" remedy i proposed some lines ago. (move the window so that it's possible to check if the text in the check page is *GREEN* )
6)close the tab containing the check page.
7)Have a nice browsing (eventually, you can re-enable the images at this point)

oh, recently there's an extra page (aka "extra target" for the NSA). I'm referring to the "HTTPS everywhere page".
Maybe the right way to do this documentation thing could be to include that html file in the TBB so that this extra page gets loaded from the *local* file instead.

October 09, 2013

In reply to arma

Permalink

it cuts the vidalia support... baaaad!!! :((( fix it pls, make it not mandatory but readd it pllssssss!!!

No, the Vidalia support is already long gone. We're shipping obsolete unmaintained garbage in TBB 2.x. I'm sorry we're still doing that to you. Soon it will be solved I hope!

October 09, 2013

In reply to arma

Permalink

ok but in which way can i see my open circuits or where my connections really goes?

We'll probably end up with instructions on how to hook up an old obsolete garbage Vidalia onto your TBB 3.x if you want to. And by "we" I mean folks like you will cobble the instructions together for yourselves I hope.

Or you should use Tails (or other Linux) and then the arm controller will work for you.

October 11, 2013

In reply to arma

Permalink

this is my last question: why the choise of dont see the circuits and dont see where everything goes you think that is a good choise?

October 13, 2013

In reply to arma

Permalink

As Vidalia fades away, PLEASE, PLEASE, make some new way of visualizing the Tor circuits in real time. Running the circuits blindly is not wise.

Those of us who exclude the nodes by the country letter codes rely on that feedback to fine-tune the torrc config. Oftentimes something missed is caught by doing the visual inspection.
For instance, this is how the bug allowing the unidentified relays (having the the {??} country flag) from the normally excluded countries was nailed and reported earlier this year.

Thank you.
(And sorry, myself is not a programmer.)

October 09, 2013

In reply to arma

Permalink

thanks!

and what do you think about the text-only-browser proposal? couldnt it be a nice idea?

I bet 1000 people would be overjoyed. And the other million users would never touch it or even understand what it is.

So, sounds great if somebody wants to work on it. Probably not the best use of our time. Also, remember that unless you get enough users using it, the fact that you're using it at all will contribute greatly to making you recognizable (the fact that you're using this thing rather than Tor Browser acts as a sort of cookie).

October 11, 2013

In reply to arma

Permalink

Isnt it simply all about headers? I mean, if i replicate the TBB headers with elinks or lynx or whatever, an eavesdropped will think it's a the firefox of TBB right?

If you're talking about disabling javascript , well .. it's something that many people do also on TBB. Many other people also disable the images (to go faster, and also because images are possible *attack* vectors)

What other aspects remains? css files? headers order? gz compression?

October 10, 2013

Permalink

Does running Tor in Sandboxie help prevent 'agencies' from affecting my computer?

October 13, 2013

Permalink

Did anyone test the scenario where the Tor circuits used 4 nodes instead of 3? Perhaps it would make hacking via the bulk node ownership more difficult while the CPU load increase were still acceptable?