[tor-talk] FBI cracked Tor security

Mirimir mirimir at riseup.net
Mon Jul 18 23:31:30 PDT 2016

Hash: SHA1

On 07/18/2016 07:08 PM, Jon Tullett wrote:
> On 18 July 2016 at 16:17, Mirimir <mirimir at riseup.net> wrote:
>> On 07/18/2016 07:33 AM, Jon Tullett wrote:
>>> On 18 July 2016 at 14:57, Mirimir <mirimir at riseup.net> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>> On 07/18/2016 06:11 AM, Jon Tullett wrote:
>>>>> Haroon Meer, who I greatly respect in the security space, 
>>>>> describes UX complexity in terms of his mum. As in, "could
>>>>> my mum do this?" and if the answer is no, it's too complex
>>>>> for the average user. I like that.
>>>> His mum probably shouldn't be using Tor.
>>> Why not? Are you able to say with certainty that they are not
>>> at risk and shouldn't be using Tor? Sounds like a risky
>>> assumption. Not that it's applicable here, but activists'
>>> families are not uncommonly at high risk. I'd caution against
>>> assuming you know someone's risk profile better than they do.
>>> And that, in a nutshell, is why I don't think Tor should be
>>> making such an assumption in its recommendations to users in
>>> general.
>> Giving clueless folk an illusion of safety is arguably bad.
> Now you're back to "sheep". Don't assume that "technically 
> inexperienced" equates to "clueless".

Well, say "technically inexperienced" if you like. In my world, we
call that "clueless". I'm more or less clueless in many areas, and am
not ashamed to admit it.

> Security theatre is generally not positive, but again, security is 
> never absolute and you will always be able to find an argument for 
> doing more, and someone who will argue that failing to do so is,
> yes, arguably bad. Everyone has to draw the line somewhere. Tor has
> done so.

Well, given what we know of TLA capabilities, what Tor Project says at
<https://www.torproject.org/> is tantamount to false advertising:

| Anonymity Online
| Protect your privacy. Defend yourself against network surveillance
| and traffic analysis.

Maybe so against local adversaries. But clearly not against global
adversaries. Cynical folk note that so far, the US and its allies are
the only known global adversary. And claim that this is self-serving

| Tor prevents people from learning your location or browsing habits.

It for sure hasn't stopped FBI, with their honeypots that drop
malware. And I doubt that it stops NSA/GCHQ. But Tor Project just
postures about "bad FBI". They don't give naive users, who may be at
risk, even a brief heads up about proxy leakage, and how to prevent it.

Two or three years ago, even after the Freedom Hosting debacle, I was
willing to cut Tor Project some slack. But after the PlayPen attack,
it's becoming harder to escape the conclusion that Tor Project either
doesn't want to mitigate this risk, or doesn't have the contractual
freedom to do so.

> We're going in circles on this now, so this will be my last
> repetition of that particular argument. As I've said, I think we
> agree there's room for better education, but just differ on
> details.

Fair enough :)

>>>>> It's probably far more meaningful to help users understand 
>>>>> that spectrum, self-assess where they fall on it and what
>>>>> their risk profile may look like as a result, and pointers
>>>>> to resources which would align with that.
>>>> That sounds good to me. Except that there's nothing on the
>>>> Tor Project site about Whonix, and virtually nothing about 
>>>> proxy-bypass leaks.
>>> Why should there be mention of Whonix? It's an independent 
>>> project.
>> What about
>> <https://www.torproject.org/projects/projects.html.en>?
> That's a list of projects Tor is involved with. It's interesting
> but there's no context - someone who knows they need the tool is
> already most of the way there. Helping people identify that the
> need the tool at all is the part I'm interesting in.

It's my general impression that Whonix project has been actively
rebuffed. But I have no inside knowledge.

> (snip)
>> Tails is on
>> <https://www.torproject.org/projects/projects.html.en> but not
>> Whonix. Why is that?
> At a guess, it's because Tor is more actively involved in Tails
> than in Whonix. But that is just a guess. Have you asked the
> maintainers?

Yes, that does seem to be the case. But asking hasn't gotten me
anywhere. Maybe some fly on the wall will dump some evidence ;)

>>> Proxy bypass, maybe, but that's in there with all the other 
>>> potential risks, and again, Tor can't document all of them.
>> Tor Project has made a huge deal over the PlayPen pwnage.
>> Demanding that the FBI release information about its NIT. But
>> they can't be bothered to actually explain how users could have
>> been protected?
> Very different issues, I think. I'm sure you disagree; I'm not
> going to debate it.

I don't disagree that they're different issues. My point is that
warning users about proxy bypass takes but a few words on a website,
and maybe a link. And given that it's such an easy fix, I suspect that
Tor Project either doesn't want to admit the risk so clearly, or is
somehow being prevented from doing so.

>>> That's a rhetorical question - I'm sure there are pros and
>>> cons either way and it could be argued at length without
>>> conclusion. I'm not convinced Tor should be promoting either;
>>> same way I'm not convinced Tor should be promoting any specific
>>> tools. There will always be others, and they may be better
>>> suited to users depending on their circumstances.
>> Sure. Except that proxy bypass has been a major fail. Do you
>> disagree?
> Yes, I do. Systems get attacked, and are updated to thwart
> attacks. Tor does this - that is not a fail, that's the normal
> security dev process. Don't assume that nothing is happening - it's
> not like Tor is not actively researched and developed.

It's been at least five years! The relay early bug got fixed in
months. Maybe devs are working on some integrated firewall or
whatever. That would be cool. But Whonix isn't vulnerable, has been
available for years, and gets no love. And it's not just Whonix. Other
approaches that separate tor process and userland have also been
largely ignored.

>> A few years ago, I wrote 
>> <https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me>.
> Have you updated it to account for subverted VPN providers?
> Advising people to use VPNs which may have been subject to national
> security letters is arguably bad.

Which VPNs have received NSLs?

Anyway, I don't assume that a particular VPN operator can be trusted
any more than a particular Tor relay operator can. Just as Tor uses
three-relay circuits, I recommend using nested VPN chains, with at
least three different VPNs, operating in different jurisdictions.

Some useful links:

IVPN privacy guides: https://www.ivpn.net/privacy-guides
VPN info/ratings: https://thatoneprivacysite.net/
VPN test results: https://vpntesting.info/

Version: GnuPG v2.0.22 (GNU/Linux)


More information about the cypherpunks mailing list