[tor-relays] NSA's "Tor Stinks"

Adam Back adam at cypherspace.org
Mon Oct 14 03:02:04 PDT 2013


Btw speaking of GCHQ or NSA operating Tor nodes, of course that is
inevitable; and to the extent that they are not perfectly policy aligned a
good thing, and they'll try to do a professional job of securing their own
tor nodes :) eg if you are a chinese dissident maybe you want to use them as
one hop.

You just don't want them controlling too many nodes.  And probably the
Russians, French, Israelis, Chinese etc are all running Tor nodes and even
less mutually cooperative.  What we could really do with is North Korea, and
Iran intelligence services running some also.

I suspect to the extent that they are experiencing limited success you could
imagine it's because not only are some nodes controlled by users, but more
that some are operated by mutually distrustful competing intelligence
agencies.

The intelligence agency nodes are probably better secured than user nodes,
though some user nodes may be run by security capable and conscious users.
The intelligence agencies however have a budget for and hoard of unpublished
0-days on PC & router operating systems so they have a slight edge.

Also the intelligence agency is not going to cave under legal pressure when
someone from law enforcement comes with threats and demands relating to exit
traffic so they have that advantage too.

It would be better to my mind if they just came out and said yes this is our
node and ran it from their own domain tor.gchq.gov.uk or tor.nsa.gov; then
users could opt to use it.  However I suspect they think no one would use
it, or the people they actively want to use it (who they are trying to
trace) would avoid it.  Could be useful if they used an identified one and a
plausibly hidden one.

Speaking of plausibly hidden I notice there is mention of code word 'NEWTONS
CRADLE' in one of the docs for a GCHQ tor node operation, speculating could
that be some MoD funded student at Cambridge in their dorm?  (Quite common
in the UK for students to be sponsored by a company they will work for
afterwards or a government career they took a break from.  A couple of my
classmates at BSc, University of Exeter (UK) comp sci BSc were openly MoD
sponsored.)

No matter, it's trivial for establishment to provide perfect cover for node
operation, just run from home address, or persuade ISP/telco to route
traffic via DSL lines identifying IP address range as an IP forwarding proxy.
They can do whatever they want, you'd think that more likely, however a
university dorm IP address range would look nice and plausible/credible
also, maybe more so than a DSL address.  Probably a university upstream or
the university IT itself (universities often take defense contracts) could
fake it or operate it under contract with intelligence cleared dual-hat
admin if they cared enough.

I do think it would be very useful if the intelligence agencies running tor
nodes also ran one on their own domain.  Then you could route via one whose
government is overtly supportive of your political cause.  (Doesn't protect
you from backroom information exchange deals and horse trading, which I'm
sure happens even with sworn enemies, but it's a start if you are
uninteresting enough!) However I expect another reason they don't want to do
that is they don't want to enable people to get stronger privacy period.
They have a dual hat, they want internet privacy for their own open source
research, but they selfishly don't want other users to have privacy or gain
any privacy as a side-effect from their own.

Adam

On Mon, Oct 14, 2013 at 11:18:33AM +0200, Eugen Leitl wrote:
>----- Forwarded message from Jesse Victors <jvictors at jessevictors.com> -----
>
>Date: Tue, 08 Oct 2013 13:23:48 -0600
>From: Jesse Victors <jvictors at jessevictors.com>
>To: tor-relays at lists.torproject.org
>Subject: [tor-relays] NSA's "Tor Stinks"
>Message-ID: <52545BC4.3020106 at jessevictors.com>
>User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
>Reply-To: tor-relays at lists.torproject.org
>
>
>I recently ran across several articles related to the NSA's attempts at
>cracking Tor and de-anonymizing its users. They are after terrorists and
>other individuals who seek to do harm of course, but their work
>obviously has implications into other Tor users, the vast majority of
>whom use Tor for legal and proper activities. So far, it appears that
>the cryptographic standards and protocols implemented by the Tor devs
>appear to be holding, which I find interesting. The NSA has been trying
>other methods to figure out Tor, including identifying and then
>infecting user machines, trying to control/hijack the Tor network, or by
>influencing the network as a whole, and they've had a very small amount
>of success, but not much. One thing that was especially interesting to
>me (and I expect to everyone on this mailing list) is that they are
>trying to control more relays via cooperation or direct access, which
>can then be used for timing attacks or disruptions to the users. They
>are also trying to shape traffic to friendly exits. For anyone
>interested, I would highly recommend these links:
>http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document
>http://www.bbc.co.uk/news/technology-24429332
>http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption
>
>Also, from
>http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity
>it appears that their opinion of Tails is that it "adds severe CNE
>misery to [the] equation". These are all highly informative articles,
>and it appears that Tor is remaining resilient to their efforts, as long
>as people (including relay/exit operators) use the latest software,
>remain aware that Tor doesn't protect them in all aspects, and as long
>as there are enough non-NSA relays and exits (we need more!) such that
>everything they see still remains encrypted and anonymous. Interesting I
>say.
>
>Jesse V.
>
>
>
>----- End forwarded message -----
>-- 
>Eugen* Leitl http://leitl.org