Once again: Tor timing attacks and a Tor confession
Searching the web for "tor timing attacks" (without quotes) returns too many hits. Short summary and PoC are at [1]. At [2] Tor (and/or DoD) confess:
The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network.
NSA and the like definitely can "see" traffic almost everywhere, so Tor doesn't protect against the NSA, right? (some people learnt this the hard way). IMHO the first fucking thing Tor must do is to make the user click at least three times on the above disclaimer. Trying to make the rant on topic: Is it theoretically possible at all to make low latency anonymity of sufficiently decent quality?
[1] http://seclists.org/fulldisclosure/2014/Mar/414 PoC: End-to-end correlation for Tor connections using an active timing attack
[2] https://blog.torproject.org/blog/one-cell-enough
On 2/29/16, Georgi Guninski <guninski@guninski.com> wrote:
Is it theoretically possible at all to make low latency anonymity of sufficiently decent quality?
For those able to pay the price of fill traffic, possibly (theoretically). However even in that case, you will need at least some level of trust with your immediate peers (or a high level of trust if your immediate peer is singular, only 1, from which you access the rest of the network). Visibly stable fill traffic requires peers that don't collaborate with the NSA - e.g., you can imagine how trivial it might be to put in "bandwidth signals" if you are an untrustworthy peer - just a slight temporary dip at a specific point in time could be a signal to the NSA.
Example peers:
- your ISP
- your neighbours in say a wireless or wired local mesh net
I am not aware of any academic research regarding the benefits and/or pitfalls of fill traffic. I2P states fill traffic as one of their "todo" goals, and therefore might be a good network to implement this on for testing and/or academic research. Good luck.
On 2/29/16, Zenaan Harkness <zen@freedbms.net> wrote:
On 2/29/16, Georgi Guninski <guninski@guninski.com> wrote:
Is it theoretically possible at all to make low latency anonymity of sufficiently decent quality?
For those able to pay the price of fill traffic, possibly (theoretically).
However even in that case, you will need at least some level of trust with your immediate peers (or high level of trust if your immediate peer is singular, only 1, from which you access the rest of the network).
Maybe you have some validation packets looping around and coming back to you on another [virtual] path. Maybe the peer does not know traffic from you is from you as an endpoint. Maybe you're doing nothing and he wastes time.
Visibly stable fill traffic requires peers that don't collaborate with the NSA - e.g., you can imagine how trivial it might be to put in "bandwidth signals" if you are an untrustworthy peer - just a slight temporary dip at a specific point in time, could be a signal to the NSA.
If all nodes are multiply connected and independently reclocking and jittering their output packet streams, and your data passes through at least one good node besides yourself, it erases all the bad signals perturbed up to reaching it. Encryption also thwarts picking out some given user. Yet, again, what is trying to be defeated?
- strict GPA (I only ever said this type)
- traffic manipulation at internet layer
- evil nodes doing whatever
Fill is more obviously applicable to strict GPA. It gets harder for the latter two, for which fill traffic may not be as simple a benefit, and maybe start playing with packet switching / mixing / spreading / reassembly. What is the adversary's non sunk cost and reach and odds of seeing a given user's traffic for each type?
Example peers:
- your ISP
You could be multihomed, multi overlayed, multi vpn'd...
- your neighbours in say a wireless or wired local mesh net
That's potentially a social knowledge / friendly situation.
- [peer] nodes wherever in the overlay network.
I am not aware of any academic research regarding the benefits and or pitfalls of fill traffic.
Paper titles were quoted in this thread, some had such appendix references. And in tor-talk / tor-dev whenever fill traffic comes up.
On 2/29/16, Georgi Guninski <guninski@guninski.com> wrote:
Searching the web for "tor timing attacks" (without quotes) returns too many hits.
Short summary and PoC is at [1].
At [2] Tor (and/or DoD) confess:
These quote active attacks.
The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network.
"Timing", "seeing", and "measuring" are passive attacks. There is a difference.
NSA and the like definitely can "see" traffic almost everywhere, so Tor doesn't protect against the NSA, right? (some people learnt this the hard way).
"Where" they can see just constrain probability of having you in that set. Can the NSA passively pair up "your" comms endpoints therein, or find "hidden services", I'd say the chance is definitely yes, with some usage patterns and opsec being easier or more difficult than others. Enhanced by passively running certain node types. "Users Get Routed" "Trawling for Tor Hidden Services" "TorScan" Further enhanced by actively attacking traffic or protocols via nodes or fiber. "The Sniper Attack" $25mil or less to most onions and ~25% users, who gives odds?
IMHO the first fucking thing Tor must do is to make the user click at least three times on the above disclaimer.
Disclaimers confuse and ward off users, and aren't popular in marketing departments.
[1] http://seclists.org/fulldisclosure/2014/Mar/414 PoC: End-to-end correlation for Tor connections using an active timing attack
[2] https://blog.torproject.org/blog/one-cell-enough
On Mon, Feb 29, 2016 at 04:58:14AM -0500, grarpamp wrote:
At [2] Tor (and/or DoD) confess:
These quote active attacks.
The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network.
"Timing", "seeing", and "measuring" are passive attacks.
I meant the quoted text, which is passive.
There is a difference.
Even if an active attack is needed, does it matter with what buzzword I am deanonymized?
On 2/29/16, Georgi Guninski <guninski@guninski.com> wrote:
Even if an active attack is needed, does it matter with what buzzword I am deanonymized?
No, food in detention is same either way. Yet must define problem to make solution. Some of each are more likely or easier than others.
On Mon, Feb 29, 2016 at 05:30:05AM -0500, grarpamp wrote:
No, food in detention is same either way. Yet must define problem to make solution. Some of each are more likely or easier than others.
As I asked in this thread: Is it theoretically possible at all to make low latency anonymity of sufficiently decent quality? "sufficiently decent" is not well defined, I agree. Replace "sufficiently decent" by "perfect", or define it to be "provably intractable" and do not assume hardness not proved unconditionally, like P != NP.
On 02/29/2016 06:38 AM, Georgi Guninski wrote:
Is it theoretically possible at all to make low latency anonymity of sufficiently decent quality?
"sufficiently decent" is not well defined i agree.
Bingo. How fast do you want web pages to load, vs. how much do you want it to cost to de-anonymize your traffic?

In the case of TOR, it has long appeared to me that its leading design objectives include competing on the speed front with unprotected networking and VPN services. The benefits of this competition include a larger user base = larger anonymity set. The drawbacks include "the government that pays for TOR also has the capability to defeat TOR."

Last time I checked, the TOR Browser ships with NoScript turned off by default, leaving it unprotected against a large family of side channel attacks. This choice also looks like a convenience for technologically naive end users, again degrading the core security mission for the sake of a larger user base. In this case we do know that hostile State actors have used the deficiency to unmask users, via a honey pot attack exploiting JavaScript to phone home and report the users' IP addresses.

Leaving fill traffic on the "to do list" forever, pending the disappearance of vocal advocates who claim that cover traffic is not practicable - either "impossible!" or due to a perceived head-to-head performance contest with unprotected networking - completes the picture of a State sponsored cryptographic tool breakable by the State that funds it (but nobody else so far).
Replace "sufficiently decent" by "perfect", or define it to be "provably intractable" and do not assume hardness not proved unconditionally, like P != NP.
I personally consider TOR sufficiently decent to positively lock out routine commercial surveillance of end users. Sufficiently decent to provide reliable protection against NSA assets when combined with physical OpSec, i.e. covertly using open WiFi routers and single use disposable computers for brief one-off sessions. Sufficiently valuable as an NSA collection asset to discourage routine harassment or prosecution of TOR users for petty offenses, which would reveal to more "valuable" targets that TOR does not protect them.

So far we are only talking about passive attacks by an actor who can observe both ends of most TOR network connections. More costly active attacks could defeat /any/ anonymizing network protocol based on onion or garlic routing protocols. So whether or not to "fix" TOR at the cost of alienating the bulk of its user base due to performance issues might merit some debate.

My preferred solution: Defund the agencies that can and almost certainly do defeat all current network anonymity protocols. My program for accomplishing this objective: Wait. They are hell bent on self destruction and Nature will provide.
On 2/29/16, Steve Kinney <admin@pilobilus.net> wrote:
On 02/29/2016 06:38 AM, Georgi Guninski wrote:
Is it theoretically possible at all to make low latency anonymity of sufficiently decent quality?
"sufficiently decent" is not well defined i agree.
Bingo. How fast do you want web pages to load, vs. how much do you want it to cost to de-anonymize your traffic?
In ATM the cost was unfilled buckets... here, filling them even with junk (if not useful protocol)... is beneficial to you. Tradeoffs may also have sweet spots and asymmetric scales. The other meaning of "fast load" vs "$cost" is of bandwidth / bytes choices of the user to their ISP which is another topic and never "free".
In the case of TOR, it has long appeared to me that its leading design objectives include
Hiding participants to a communication from each other, negotiating their own encryption over the path, and confounding vanilla hop by hop backtracing by police level jurisdiction based authorities. That's mostly it.
competing on the speed front with unprotected networking and VPN services.
This is more a function of TCP's natural performance over WAN than anything else. Also some OS's like FreeBSD now have quite improved bandwidth x delay product handling in their stacks. (tor-relays should really evaluate this when considering which OS's to deploy as relays.)
The benefits of this competition include a larger user base = larger anonymity set.
s/competition/nature/ , which may end up being achievable with other designs as well.
The drawbacks include "the government that pays for TOR also has the capability to defeat TOR."
Well, then go find funding from an enemy of your enemy who also has no issue with what you're building. Or just don't accept strange money. How many of you donated or bought anything? Oh noes!, the influence. Next!
Last time I checked, the TOR Browser ships with NoScript turned off by default, leaving it unprotected against a large family of side channel attacks. This choice also looks like a convenience for technologically naive end users, again degrading the core security mission for the sake of a larger user base.
They've said as much. At least users can turn it on.
In this case we do know that hostile State actors have used the deficiency to unmask users, via a honey pot attack exploiting javascript to phone home and report the users' IP addresses.
"Disclaimers confuse and ward off users, and aren't popular in marketing departments."
Leaving fill traffic on the "to do list" forever, pending the disappearance of vocal advocates who claim that cover traffic is not practicable - either "impossible!" or due to a perceived head-to-head performance contest with unprotected networking -
This is a head-in-sand mindset problem. They are useless to you and will only hold you back. Go find other development partners.
I personally consider TOR sufficiently decent to positively lock out routine commercial surveillance of end users.
Yes. I.e.: All of the current strong anonymity overlay networks successfully fend off and are immune to the copyright MAFIAA, and all manner of other civil, police and non-state adversaries. (Note that's real world in practice now, vs current academic research attacks that may be deployed in production by them in the future. And that's at the protocol of the network level, not the age-old application layer exploit level.)
Sufficiently decent to provide reliable protection against NSA assets when combined with physical OpSec, i.e. covertly using open WiFi routers and single use disposable computers for brief one-off sessions.
Yes. Physical location separation plus non pattern generation.
Sufficiently valuable as an NSA collection asset to discourage routine harassment or prosecution of TOR users for petty offenses, which would reveal to more "valuable" targets that TOR does not protect them.
Yes. Though it still supplies profiling database and parallel construction in that mode.
So far we are only talking about passive attacks by an actor who can observe both ends of most TOR network connections. More costly active attacks could defeat /any/ anonymizing network protocol based on onion or garlic routing protocols. So whether or not to "fix" TOR at the cost of alienating the bulk of its user base due to performance issues might merit some debate.
Tor is fundamentally a tunneled circuit based encrypted network. It was designed roughly 15 years before Snowden's confirmations and before 9/11, in a time when networks were still mostly trusted and GPAs effectively spying at scale, much less attacking, were only in the minds of crackpot cypherpunks. Tor's circuit design probably doesn't lend itself to fill traffic / management, and bolting it on the side may be non ideal. (Those are open questions.) Yet "Tor" without its original design model could hardly be called Tor (or TOR) any longer at that point.

If you want fill traffic, you're probably better off forking and gutting it, or starting something completely new that incorporates ideas from knowledge both inclusive and post Tor's design. Tor is great at what it does well, which is a lot. You just have to know what that is, and find (or make in it or elsewhere) what it isn't good at.
My preferred solution: Defund the agencies that can and almost certainly do defeat all current network anonymity protocols. My program for accomplishing this objective: Wait. They are hell bent on self destruction and Nature will provide.
You'll be dead by then. It's more fun to risk dying now ;) Tor is looking at some forms of network fill traffic, which may or may not be integrated to the entire network wide sense, or useful in your own designs... https://gitweb.torproject.org/torspec.git/tree/proposals/251-netflow-padding... https://gitweb.torproject.org/torspec.git/tree/proposals/254-padding-negotia...
Hi,
On Monday, 29 February 2016 16:57:02, grarpamp wrote:
My preferred solution: Defund the agencies that can and almost certainly do defeat all current network anonymity protocols. My program for accomplishing this objective: Wait. They are hell bent on self destruction and Nature will provide.
You'll be dead by then. It's more fun to risk dying now ;)
My personal solution of choice would also be defunding, but I believe this needs some help to happen.
Tor is looking at some forms of network fill traffic, which may or may not be integrated to the entire network wide sense, or useful in your own designs...
I was thinking (and I'm sure somebody else also got the idea) that maybe combining ideas from Tor with ideas from BitTorrent might be a way to go. Distribute the stuff people access among people accessing it and it becomes harder to do timing attacks, and the network might work a bit faster too. However, it's basically running full speed into one of the two hard problems in IT -- cache invalidation. So, I don't know.
-- 
Regards,
Michał "rysiek" Woźniak
I'm changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
On 2/29/16, Georgi Guninski <guninski@guninski.com> wrote:
Replace "sufficiently decent" by "perfect", or define it to be "provably intractable" and do not assume hardness not proved unconditionally, like P != NP.
So long as each node accounts for the negotiated contract rate with peers, and generates fill for missing packets on the inbound links when output the other side, and reclocks all the input when output to a fixed rate, and adds random jitter to the output links to mask time spent negotiating and compensating for the input junk received... it would seem to range from reasonably sufficient to damn hard. It's an enhanced level of the fixed bucket clocks in old school ATM / TDM that people seem to have forgotten about...
https://en.wikipedia.org/wiki/Asynchronous_Transfer_Mode#Traffic_policing
https://en.wikipedia.org/wiki/Time-division_multiplexing

There was even talk on one of these lists about doing fill not just in the overlay networks, but also doing it, along with automatic PFS style encryption, in the layer zero link hardware itself (ethernet PHY, etc) by starting an IEEE / IETF working group... every switch, router and NIC port everywhere.

Some OP threads for ref:
https://cpunks.org/pipermail/cypherpunks/2016-February/012436.html
metzdowd: "traffic analysis" Jan 2015
My spam on @cpunks @torproject
Etc et al

Encrypted fill traffic is at least worth thinking about, thus cc.
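To make the reclocking argument above (and the earlier "every node independently reclocking and jittering" point) concrete, here is an added toy simulation. It is mine, written for this page; it is not code from the thread, from Tor, or from the PoC referenced at [1]. An observer collects per-time-bin cell counts on one user's entry link and on several candidate exit links, and pairs them by lagged correlation, first through a relay that forwards cells as they arrive and then through one that emits a fixed contract rate topped up with fill cells. The ON/OFF traffic model, the contract rate of 8 cells per bin, the relay delay and jitter, and the square-wave stall used for the "what if they disrupt or slow your traffic" case are all constructed assumptions. The reclocked relay also reports the queue backlog it accumulates, which is the latency cost being debated in this thread.

```python
"""Toy end-to-end timing correlation against a relay, with and without
constant-rate fill. Constructed simulation, not code from the thread or the
referenced PoC. An observer sees per-time-bin cell counts on one user's
entry link and on several candidate exit links, and tries to pair them."""
import random

BINS = 600        # length of the observation window, in time bins (assumed)
LINK_RATE = 8     # cells a reclocked link emits every bin (assumed contract rate)


def bursty_flow(rng, bins=BINS, p_on=0.15, p_off=0.35, on_rate=6):
    """Constructed ON/OFF traffic: cells per bin for one user's flow."""
    counts, on = [], False
    for _ in range(bins):
        on = (rng.random() < p_on) if not on else (rng.random() >= p_off)
        counts.append(rng.randint(on_rate - 2, on_rate) if on else rng.choice((0, 0, 1)))
    return counts


def stall_pattern(flow, period=20):
    """Active attacker at the entry side: suppress the user's cells in every
    other block of `period` bins, imprinting a square wave on the flow.
    (Constructed modulation, not the attack from the Full Disclosure PoC.)"""
    return [c if (i // period) % 2 == 0 else 0 for i, c in enumerate(flow)]


def passthrough_relay(flow, rng, delay=3, jitter=1):
    """Forwards cells as they arrive, a few bins later, with small jitter.
    Burst structure survives, so the exit link carries the entry timing."""
    out = [0] * len(flow)
    for i, cells in enumerate(flow):
        for _ in range(cells):
            j = i + delay + rng.randint(0, jitter)
            if j < len(out):          # cells past the window are not observed
                out[j] += 1
    return out


def reclocked_relay(flow, rate=LINK_RATE):
    """Emits exactly `rate` cells per bin: queued real cells first, fill cells
    for the remainder. Returns the observed counts and the worst backlog,
    which is the latency price paid for the constant output."""
    backlog, worst, out = 0, 0, []
    for cells in flow:
        backlog += cells
        backlog -= min(backlog, rate)  # real cells that fit in this bin
        worst = max(worst, backlog)
        out.append(rate)               # observer sees `rate` cells regardless
    return out, worst


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either side is constant (no information)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def lagged_corr(entry, exit_, max_lag=8):
    """Best correlation over plausible relay delays, as a real observer would scan."""
    n = len(entry)
    return max(pearson(entry[:n - lag], exit_[lag:]) for lag in range(max_lag + 1))


def best_match(entry, exits, threshold=0.3):
    """Observer's verdict: index of the exit flow pairing with `entry`, or None
    when no candidate clears `threshold`; also the winning score."""
    scores = [lagged_corr(entry, ex) for ex in exits]
    best = max(range(len(scores)), key=scores.__getitem__)
    return (best if scores[best] >= threshold else None), scores[best]


def experiment(relay, seed=1, n_flows=5, target=2, active=False):
    """One trace attempt. relay is 'passthrough' or 'reclocked'; `target` is
    the (constructed) user whose entry link the observer watches."""
    rng = random.Random(seed)
    flows = [bursty_flow(rng) for _ in range(n_flows)]
    if active:
        flows[target] = stall_pattern(flows[target])
    if relay == "passthrough":
        exits = [passthrough_relay(f, rng) for f in flows]
    else:
        exits = [reclocked_relay(f)[0] for f in flows]
    return best_match(flows[target], exits)


if __name__ == "__main__":
    for relay in ("passthrough", "reclocked"):
        for active in (False, True):
            guess, score = experiment(relay, active=active)
            print(f"{relay:11s} active={active!s:5s} guess={guess} score={score:.2f}")
```

With the pass-through relay the observer pairs the target with its own exit well above the decision threshold, whether or not the entry side is being actively stalled: the square wave only makes the signature more distinctive. With the reclocked relay every exit link is a flat 8 cells per bin, so the correlation is 0.0 by definition and `best_match` returns None for both the passive and the stalled case. Two caveats the code makes visible: when the user's bursts exceed the contract rate the backlog, and hence latency, grows, which is the performance cost argued over above; and a dishonest peer that deviates from the agreed rate (the "bandwidth signal" dip mentioned earlier) reintroduces variance for the observer to correlate, which is why the contract has to be enforced by de-peering and not merely negotiated.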
Is jitter/fill traffic a full solution? What if they disrupt or slow X times your traffic to Tor? This will be observable at the other end.

Probably easier is to just own me via some application sploit (as suggested in this thread).

RE: cost of ownage/minor offenses. Don't exclude the possibility that a single investment results in compromise of all of Tor, and then deanonymizing will be just a simple query. In one Snowden slide there was something like: "NSA can deanonymize some Tor users ... but we don't want to scare all of them". This is consistent with the fate of Lulzsec. According to the official story (which I don't believe), the first of them got caught because "he forgot to use tor when on irc..."
On 3/1/16, Georgi Guninski <guninski@guninski.com> wrote:
Is jitter/fill traffic a full solution?
Again, to what threat model? I've only mentioned GPA, a fix for which may involve, at possible minimum, all nodes encrypting full fill traffic reclocked with jitter, under some form of negotiated and enforced possibly dynamic traffic contracts with peers. I may also be on crack.
What if they disrupt or slow X times your traffic to Tor?
That's an active attack, not a GPA trolling through packets. Then your peers may de-peer you until things look normal. Or it may take a while for you to get signal through. And if they're already close enough to disrupt you specifically, you've probably got other problems.
This will be observable at the other end.
Not when every node is doing reclocking and de-peering peers that seem to be misbehaving or dishonoring contracts.
Probably easier is to just own me via some application sploit (as suggested in this thread).
Again, that's active, and application level, not GPA.
RE: cost of ownage/minor offenses. Don't exclude the possibility single investment to result in compromise of all of Tor and then deanonimizing will be just a simple query.
You mean like rooting a bunch of Linux nodes, 6+:1 ratio ...
6831 Linux
696 Windows
291 FreeBSD
74 OpenBSD
33 Darwin
8 NetBSD
4 ElectroBSD
4 Bitrig
3 SunOS
2 DragonFly
1 GNU/kFreeBSD
1 CYGWIN_NT-10.0-WOW
Or compromising the repo or developers or 3rd party libraries... Or asking your friends AT&T et al to help... What's the threat?
"NSA can deanonimize some Tor users ...
Again, talk about whatever, but people need to specify the threat model if they're going to really discuss solutions. Nor is Tor the only active network currently subject to attack.
This is consistent with the fate of Lulzsec. According to the official story (which I don't believe), the first of them got caught because "he forgot to use tor when on irc..."
Do they and their court docs officially say that? Or just some blogger reading 4chan?
On Tue, Mar 01, 2016 at 03:15:44AM -0500, grarpamp wrote:
On 3/1/16, Georgi Guninski <guninski@guninski.com> wrote:
Is jitter/fill traffic a full solution?
Again, to what threat model?
The threat model is the entire world -- in real life do you care much what accident will "own" your life? If this is too broad for you, the threat model are state sponsored actors including NSA.
You mean like rooting a bunch of Linux nodes, 6+:1 ratio ...
...
Or compromising the repo or developers or 3rd party libraries...
Or asking your friends AT&T et al to help...
What's the threat?
Combination of many threats -- owning, timing, crypto, etc
This is consistent with the fate of Lulzsec. According to the official story (which I don't believe), the first of them got caught because "he forgot to use tor when on irc..."
Do they and their court docs officially say that? Or just some blogger reading 4chan?
Don't know about courts, here is a reference from thereg: http://www.theregister.co.uk/2012/03/07/lulzsec_takedown_analysis/
Police locked onto Hector Xavier Monsegur, an unemployed 28-year-old from New York – allegedly LulzSec hacktivist supremo Sabu – after he apparently made the mistake of logging into an IRC chat server without using the Tor anonymisation service
On 3/1/16, Georgi Guninski <guninski@guninski.com> wrote:
Is jitter/fill traffic a full solution? The threat model is the entire world --
Then the full solution is to unplug, smash, and go outside and play...
in real life do you care much what accident will "own" your life?
... just be sure to wear your helmet :)
Combination of many threats -- owning, timing, crypto, etc
If the thread is just a thread griping about threats, that's fine. But lumping them all in versus fill traffic (being a possible solution to the one specific subthreat of GPA)... probably isn't productive towards solving anything... whether the entire threat or any particular subthreat. Especially when fill traffic hasn't yet been speculated here to enhance the efficacy of any other existing threat, or to create new threats.
Do they and their court docs officially say that?
Don't know about courts, here is a reference from thereg: http://www.theregister.co.uk/2012/03/07/lulzsec_takedown_analysis/
That's not a quote from an original source. Neither is what it references... http://blog.erratasec.com/2012/03/notes-on-sabu-arrest.html ... which goes to Fox, which probably goes to... and to... and to... ... including possibly to stretching / ignoring the law, parallel construction... or to some other legit defendant screwup... at least until the quote is validated. Have the actual chain of custodied investigative materials as to exactly how the SilkRoad server was found come out yet? (And other similarly fishy cases where nodes on supposedly strong overlay networks were found...) Or is that still wrapped in grand jury, work product, state secret, in camera, sealed...
I like the idea of mathematical echo as a solution: http://guap.ru/guap/nids/pdf_2010/kuyumchev.pdf
-- Cari Machet NYC 646-436-7795 carimachet@gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet <https://twitter.com/carimachet> 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.
On Tue, Mar 01, 2016 at 01:52:24PM -0500, grarpamp wrote:
Don't know about courts, here is a reference from thereg: http://www.theregister.co.uk/2012/03/07/lulzsec_takedown_analysis/
That's not a quote from an original source. Neither is what it references... http://blog.erratasec.com/2012/03/notes-on-sabu-arrest.html ... which goes to Fox, which probably goes to... and to... and to... ... including possibly to stretching / ignoring the law, parallel construction... or to some other legit defendant screwup... at least until the quote is validated.
Have the actual chain of custodied investigative materials as to exactly how the SilkRoad server was found come out yet? (And other similarly fishy cases where nodes on supposedly strong overlay networks were found...) Or is that still wrapped in grand jury, work product, state secret, in camera, sealed...
If you find out, let us know. This is the most "official" version for me for now.
"That was enough for a judge to grant the FBI a warrant and permission to secretly install what’s known as a pen/trap device, which allowed for the monitoring of Hammond’s Internet activity at the end of February 2012. That, coupled with the physical surveillance, allowed the agency to see when he was home. What they found correlated with his Tor usage—which allowed him to hide his IP address—and when “yohoho” was online, " http://kernelmag.dailydot.com/issue-sections/headline-story/9895/jeremy-hamm... "Bello Coffee appears to be the cafe from which police say Ulbricht logged into the virtual private network (VPN) that he allegedly used as an extra layer of protection to access Tor and Silk Road. The prosecution says they have records from Google showing Ulbricht logging into his Gmail account from the Internet cafe on a regular basis, including on days when the VPN was used from the same cafe." oh its too funny.... so what jeremy says about his case is that they just did lots of different types of investigations and that is what got him - he also states that he should have been mobile - nomadic ... maybe solutions should be nomadic as well On Wed, Mar 2, 2016 at 3:01 PM, Georgi Guninski <guninski@guninski.com> wrote:
On Tue, Mar 01, 2016 at 01:52:24PM -0500, grarpamp wrote:
Don't know about courts, here is a reference from thereg: http://www.theregister.co.uk/2012/03/07/lulzsec_takedown_analysis/
That's not a quote from an original source. Neither is what it references... http://blog.erratasec.com/2012/03/notes-on-sabu-arrest.html ... which goes to Fox, which probably goes to... and to... and to... ... including possibly to stretching / ignoring the law, parallel construction... or to some other legit defendant screwup... at least until the quote is validated.
Have the actual chain of custodied investigative materials as to exactly how the SilkRoad server was found come out yet? (And other similarly fishy cases where nodes on supposedly strong overlay networks were found...) Or is that still wrapped in grand jury, work product, state secret, in camera, sealed...
If you find out, let us know.
This is the most "official" version for me for now.
Georgi Guninski wrote:
"sufficiently decent" is not well defined i agree. ...is definable for the purpose as exorbitantly expensive and/or time-consuming in relationship to the necessity of gathering that information. You don't really think they're going to put a Cray and full-time satellite surveillance on you for dealing a little weed using tor do you?
Albeit there's always 'practice'... http://auntieimperial.tumblr.com/search/NSA+hookers -- RR "Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
participants (7): Cari Machet, Georgi Guninski, grarpamp, Rayzer, rysiek, Steve Kinney, Zenaan Harkness