On 6/6/16, Steve Kinney <admin@pilobilus.net> wrote:
Since nobody asked, here's a description of why neither TOR nor any other existing or presently planned anonymizing protocol I know of can be relied on to conceal a user's identity from the Five Eyes or any of several other hostile actors. I surface this concept every year or so, but so far nobody seems interested in discussing it. Maybe it's just too discouraging to think about. No matter who created it or why, TOR and similar mix networks are at best security theater, relative to top tier State adversaries.
what if an effectively unlimited number of compromised routers, subject to realtime observation and internal manipulation, were available to hostile actors? Game over, I think.
About 15 years ago I used online traceroute utilities and whois lookups to determine (roughly) where all the high performing Mixmaster remailers were physically located. Over half of them, including most with "exotic sounding" TLDs, were apparently in the state of Texas.
Then I used my data to construct "hard to compromise" chains, routing Mixmaster messages through national jurisdictions not likely to have comprehensive data sharing between their security services, and started sending test messages. None of these test messages ever made it back to me.
So I concluded that, despite its major technical superiority to other anonymized networking protocols, the Mixmaster network was most likely compromised by passive observation (one owner for a majority of reliable remailers) and active intervention (traffic between uncontrolled remailers interrupted in transit).
Owning enough of the routers in an anonymizing network to negate its security is largely a question of money: How much budget do you have, how certain do you want to be that nobody is really anonymous?
While money can buy shill humans to stand in, as below, it's costly, and casual human interactions by multiple signers reviewing them may expose them to risk.
proxy hosts could be machines owned by "friendly" actors, rooted consumer grade routers, purpose built appliances, conventional Windows botnets or some combination of these.
Govt seems to have no issue doing such illegal / unethical things. And they certainly can use their own network, tor, to do it.
The only defense I can think of is to assure that message traffic passes back and forth between mutually hostile national jurisdictions before delivery.
This is suggested often on tor-talk. And tor devs continually pass on it.
This would be a bit of a hairball to implement
Not really. Tor already loads GeoIP. So 20 or so lines of code and you've got a separate country for each hop. A few more lines to define groups like FVEY / BRICS, hemispheres, regions, AS, etc. Users could isolate on whatever they wanted. And a bunch more lines to include attributes as to "verified to be a human node operator in person" pki web of trust into the consensus. At least that way it raises the cost and risk to adversaries who today just use their Govt credit card to order up VPS nodes all over the world. Does it benefit? Tor devs say trust the random node selection. Others say at least some subset of users know the / their environment better and could use such tools to advantage. Tor still refuses to do it. So like mixmaster, you have to do it yourself. That sucks. It could stand to be talked over a bit more.
have to be taken into account. But this approach could increase the cost and reduce the reliability of Hydra attacks against anonymizing
Long story short: If you want to be /really/ anonymous in the presence of hostile State sponsored actors, do not rely on a software-only approach: Use physical security measures to conceal your identity from the physical router that connects you to the Internet.
No "airtight" security protocol has ever survived contact with end users.
password:12345, lol.
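The per-hop country isolation sketched in the reply above, as an added example that is not part of this thread or of Tor's own code: a constructed toy relay set (not real relays), hypothetical FVEY/BRICS groups, and a rejection-sampling path builder that enforces a distinct country per hop, optional group exclusion, and no single group spanning the whole circuit. Real Tor path selection is bandwidth-weighted and also checks relay families and subnets, which this omits.

```python
import random
from dataclasses import dataclass

# Constructed sample data for illustration only; these are not real Tor relays.
@dataclass(frozen=True)
class Relay:
    nickname: str
    country: str   # ISO 3166-1 alpha-2 code, as a GeoIP lookup on the relay IP would yield
    role: str      # "guard", "middle" or "exit"

# Hypothetical jurisdiction groups a user might want to isolate on (membership is illustrative).
GROUPS = {
    "FVEY": {"US", "GB", "CA", "AU", "NZ"},
    "BRICS": {"BR", "RU", "IN", "CN", "ZA"},
}

SAMPLE_RELAYS = [
    Relay("guardA", "US", "guard"), Relay("guardB", "DE", "guard"),
    Relay("guardC", "GB", "guard"), Relay("midA", "US", "middle"),
    Relay("midB", "RU", "middle"), Relay("midC", "CA", "middle"),
    Relay("exitA", "NL", "exit"), Relay("exitB", "US", "exit"),
    Relay("exitC", "BR", "exit"),
]

def groups_of(country):
    """Return the names of every group whose membership includes this country."""
    return {name for name, members in GROUPS.items() if country in members}

def path_ok(path, excluded=()):
    """Accept a path only if every hop is in a distinct country, no hop sits in an
    excluded group, and no single group contains every hop (so no one alliance
    can observe the whole circuit from within its own territory)."""
    countries = [r.country for r in path]
    if len(set(countries)) != len(countries):
        return False
    hop_groups = [groups_of(c) for c in countries]
    if any(g & set(excluded) for g in hop_groups):
        return False
    return not set.intersection(*hop_groups)

def build_path(relays, seed=0, excluded=(), tries=1000):
    """Rejection-sample a guard/middle/exit triple that satisfies path_ok.
    Returns None when no acceptable path is found within the try budget."""
    rng = random.Random(seed)
    roles = ("guard", "middle", "exit")
    by_role = {role: [r for r in relays if r.role == role] for role in roles}
    for _ in range(tries):
        path = [rng.choice(by_role[role]) for role in roles]
        if path_ok(path, excluded):
            return path
    return None
```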