Darknet Sweep Casts Doubt on Tor: Tor Will Be Defeated Again, and Again, and Again

(by Bill Blunden, via Dissident Voice)

When news broke of Silk Road 2.0’s seizure by law enforcement a lot of people probably wrote it off as an isolated incident. Silk Road 2.0 was the successor to the original Silk Road web site and like its predecessor it was an underground bazaar for narcotics, fueled by more than $8 million in Bitcoin transactions and operated as a hidden service on the Tor anonymity network.

According to the criminal complaint filed against Blake Benthall, the alleged 26-year-old operator of Silk Road 2.0, law enforcement officers caught their suspect using old-fashioned police work. Specifically they sent in a mole, or what the text of the complaint refers to as an HSI-UC (a Homeland Security Investigations agent operating in an Undercover Capacity). Anyway, the undercover spy was wildly effective, gaining access to the Silk Road 2.0 discussion forum while the scheme was still in its formative stages and eventually acquiring administrative access to the web site after it launched.

But it turns out that the Silk Road 2.0 take-down was just the appetizer of a much larger main course called Operation Onymous. Onymous, as in anything but anonymous. Within a matter of hours it was announced that a joint operation involving dozens of officers from the FBI, the DHS, and Europol had taken down a grand total of 414 hidden services on the Tor network. This wasn’t just a single bust, no sir. This was a global dragnet that resulted in the arrest of 17 suspects.

The success of this international operation raises a question: how did they locate the hidden servers and identify the people who managed them?

In this instance Tor hidden services failed to live up to their namesake. Was the sudden collapse of several hundred Tor “.onion” domains the result of traditional police tradecraft (developing informants, patiently waiting for opportunities, doggedly following leads), or were security services quietly wielding advanced technical methods?

All told the cops are pretty tight-lipped. Wired Magazine asked Troels Oerting, head of the European Cybercrime Center, this very question and he replied:

This is something we want to keep for ourselves… The way we do this, we can’t share with the whole world, because we want to do it again and again and again.

Even with the discretion of insiders like Oerting there have been recent developments that hint at what’s going on behind closed doors. For instance, the FBI has just proposed that the U.S. Advisory Committee on Rules and Criminal Procedure alter federal search and seizure rules so that law enforcement agents can hack into machines that have been “concealed through technological means.” This is no doubt a thinly veiled reference to Tor.

The FBI’s request implies that public gripes against ostensibly strong encryption by officials like FBI Director James Comey, GCHQ Director Robert Hannigan, and former NSA General Counsel Stewart Baker are mere theater. The feds already have tools at their disposal to defeat encryption-based tools like Tor. In fact, an internal NSA document admits that “[A] critical mass of targets use Tor. Scaring them away from Tor might be counterproductive.”

Really? I wonder why?

This past summer I questioned the wisdom of netizens putting all their eggs in the Tor basket, as did other writers like Pando’s Yasha Levine. Granted there were protests voiced by advocates, some of which I responded to. Still, the public record demonstrates that Tor isn’t a guarantee against the intrigues of a knowledgeable adversary. And now we clearly see the purported security of the Tor anonymity network unraveled on a grand scale. Not just for one or two illicit websites but hundreds. As to whether it’s possible for an app to safeguard essential civil liberties… the techno-libertarians of Silicon Valley can eat crow.

The reality is that the Deep State’s minions aim to eradicate genuine anonymity for everyone but themselves. The steady erosion of privacy is a part of a long-term campaign to consolidate control as economic inequality accelerates and perpetual war expands. The looming Malthusian disaster born of our leaders’ unenlightened self-interest will be a brutal spectacle and the members of the ruling class want to make sure that they’ll have a good view.

The FBI Can Break Encryption

(By Bill Blunden via Dissident Voice)

Leaked slide showing how the NSA performs man-in-the-middle attacks on SSL/TLS encrypted web traffic (photo credit: Guardian)

[…] recent history is chock full of instances where the FBI employed malware like Magic Lantern and CIPAV to foil encryption and identify people using encryption-based anonymity software like Tor. If it’s expedient, the FBI will go so far as to impersonate a media outlet to fool suspects into infecting their own machines. It would seem that crooks aren’t the only attackers who wield social engineering techniques.

In fact, the FBI has gotten so adept at hacking computers, utilizing what are referred to internally as Network Investigative Techniques, that the FBI wants to change the law to reflect this. The Guardian reports on how the FBI is asking the U.S. Advisory Committee on Rules and Criminal Procedure to move the legal goal posts, so to speak:

The amendment [proposed by the FBI] inserts a clause that would allow a judge to issue warrants to gain ‘remote access’ to computers ‘located within or outside that district’ (emphasis added) in cases in which the ‘district where the media or information is located has been concealed through technological means’. The expanded powers to stray across district boundaries would apply to any criminal investigation, not just to terrorist cases as at present.

In other words the FBI wants to be able to hack into a computer when its exact location is shrouded by anonymity software. Once they compromise the targeted machine it’s pretty straightforward to install a software implant (i.e. malware) and exfiltrate whatever user data they want, including encryption passwords.

If encryption is really the impediment that director Comey makes it out to be, then why is the FBI so keen to amend the rules in a manner which implies that they can sidestep it? In the parlance of poker this is a “tell.”

As a developer who has built malicious software designed to undermine security tools I can attest that there is a whole burgeoning industry which preys on naïve illusions of security. Companies like Hacking Team have found a lucrative niche offering products to the highest bidder that compromise security and… a drumroll please… defeat encryption.

There’s a moral to this story. Cryptome’s John Young prudently observes:

Protections of promises of encryption, proxy use, Tor-like anonymity and ‘military-grade’ comsec technology are magic acts — ELINT, SIGINT and COMINT always prevail over comsec. The most widely trusted and promoted systems are the most likely to be penetrated, exploited, spied upon, successfully attacked, covertly compromised with faults hidden by promoters, operators, competitors, compromisers and attackers all of whom warn against the others while mutually benefiting from continuous alarms about security and privacy.

When someone promises you turnkey anonymity and failsafe protection from spies, make like that guy on The Walking Dead and reach for your crossbow. Mass surveillance is a vivid expression of raw power and control. Hence what ails society is fundamentally a political problem, with economic and technical facets, such that safeguarding civil liberties on the Internet will take a lot more than just the right app.


The Great Firewall of China and how it blocks Tor traffic

Diagram showing how the GFW filters/censors Tor traffic
China’s firewall is now able to dynamically recognise Tor usage and block the respective relays and bridges. The diagram above illustrates how this works: 1) the firewall searches for a bunch of bytes which identify a network connection as Tor. If these bytes are found, 2) the firewall initiates a scan of the host which is believed to be a bridge. In particular, 3) the scan is run by seemingly arbitrary Chinese computers which connect to the bridge and try to “speak Tor” to it. If this succeeds, the bridge is blocked.

(via phw’s blog on Tor Project)

Over the last few years, we learned a lot about how the Great Firewall of China is blocking Tor. Some questions remained unanswered, however. Roya, Mueen, Jed, and I just published a project which seeks to answer some of these open questions. Being curious as we are, we tried to find answers to the following questions:

  • Is the filtering decentralised (i.e., happening in provinces) or centralised (i.e., happening in Internet exchange points (IXP))?
  • Are there any temporal patterns in the filtering? Or in other words, are there certain times when people are more likely to be able to connect to Tor?
  • Similarly, are there any spatial patterns? Are folks in some special regions of China able to connect to Tor while others cannot?
  • When a computer in China tries to connect to a Tor relay, what part of the TCP handshake is blocked?

It turns out that some of these questions are quite tricky to answer. For example, to find spatial patterns, we need to be able to measure the connectivity between many Tor relays and many clients in China. However, we are not able to control even a single one of these machines. So how do we proceed from here? As so often, side channels come to the rescue! In particular, we made use of two neat network measurement side channels which are the hybrid idle scan and the SYN backlog scan. The backlog scan is a new side channel we discovered and discuss in our paper. Equipped with these two powerful techniques, we were able to infer if there is packet loss between relay A and client B even though we cannot control A and B.

You might notice that our measurement techniques are quite different from most other Internet censorship studies which rely on machines inside the censoring country. While our techniques give us a lot more geographical coverage, they come at a price which is flexibility; we are limited to measuring Internet filtering on the IP layer. More sophisticated filtering techniques such as deep packet inspection remain outside our scope.

Now what we did was to measure the connectivity between several dozen Tor relays and computers in China over four weeks, which means that we collected plenty of data points, each of which tells us “was A able to talk to B at time T?”. These data points reveal a number of interesting things:

  • It appears that many IP addresses inside the China Education and Research Network (CERNET) are able to connect to at least our Tor relay.
  • Apart from the CERNET netblock, the filtering seems to be quite effective despite occasional country-wide downtimes.
  • It seems like the filtering is centralised at the IXP level instead of being decentralised at the provincial level. That makes sense from the censor’s point of view because it is cheap, effective, and easy to control.
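To make the reasoning behind these three findings concrete, here is an added example (not code from the paper or the Tor Project) that runs the same kind of analysis over a constructed data set: each record answers “was relay A reachable from client B at hour T?”. The regions, relay labels, client addresses (documentation ranges), outage windows and the 48-hour window are all hypothetical. The example goes slightly beyond the text by showing how one would score centralisation: if filtering happens at a few central IXPs, regions should fail and recover together, whereas provincial filtering would show regions diverging.

```python
"""Temporal and spatial analysis of constructed Tor-reachability data.

Each record answers "was relay A reachable from client B at hour T?", the same
shape as the data points described in the post. All records are constructed
for illustration; they are not measurements from the paper."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Observation:
    relay: str        # constructed relay label
    client: str       # constructed client address (documentation ranges)
    region: str       # constructed region / netblock label
    hour: int         # hour index within the measurement window
    reachable: bool   # did the TCP handshake complete?


RELAYS = ("relay-A", "relay-B")
CLIENTS = {"Beijing": "192.0.2.10", "Guangdong": "198.51.100.20",
           "Sichuan": "203.0.113.30", "CERNET": "192.0.2.200"}
HOURS = 48
NATIONAL_OUTAGE = range(20, 24)  # hours when filtering failed everywhere (constructed)
SICHUAN_OUTAGE = range(30, 32)   # hours when only Sichuan got through (constructed)
UNFILTERED = ("CERNET",)         # netblock the post reports as not filtered


def constructed_observations():
    """Build the synthetic data set (hypothetical, for illustration only)."""
    obs = []
    for hour in range(HOURS):
        for region, client in CLIENTS.items():
            for relay in RELAYS:
                ok = (region in UNFILTERED or hour in NATIONAL_OUTAGE
                      or (region == "Sichuan" and hour in SICHUAN_OUTAGE))
                obs.append(Observation(relay, client, region, hour, ok))
    return obs


def reachability_by_region(obs):
    """Fraction of successful handshakes per region (spatial pattern)."""
    counts = defaultdict(lambda: [0, 0])
    for o in obs:
        counts[o.region][0] += int(o.reachable)
        counts[o.region][1] += 1
    return {r: ok / total for r, (ok, total) in counts.items()}


def hourly_state(obs, region):
    """True for an hour if at least half of the region's relay/client pairs connected."""
    per_hour = defaultdict(list)
    for o in obs:
        if o.region == region:
            per_hour[o.hour].append(o.reachable)
    return {h: sum(v) / len(v) >= 0.5 for h, v in per_hour.items()}


def _filtered_states(obs, exclude):
    regions = sorted({o.region for o in obs} - set(exclude))
    return regions, {r: hourly_state(obs, r) for r in regions}


def filter_downtimes(obs, exclude=UNFILTERED):
    """Hours in which every filtered region could connect: country-wide downtime."""
    regions, states = _filtered_states(obs, exclude)
    return sorted(h for h in range(HOURS) if all(states[r][h] for r in regions))


def regional_anomalies(obs, exclude=UNFILTERED):
    """Hours in which some filtered regions connect and others do not."""
    regions, states = _filtered_states(obs, exclude)
    out = {}
    for h in range(HOURS):
        up = [r for r in regions if states[r][h]]
        if 0 < len(up) < len(regions):
            out[h] = up
    return out


def centralisation_score(obs, exclude=UNFILTERED):
    """Mean pairwise agreement of hourly states between filtered regions.
    Close to 1.0 means regions fail and recover together (consistent with
    filtering at central IXPs); much lower suggests per-province filtering."""
    regions, states = _filtered_states(obs, exclude)
    scores = []
    for a, b in combinations(regions, 2):
        agree = sum(states[a][h] == states[b][h] for h in range(HOURS))
        scores.append(agree / HOURS)
    return sum(scores) / len(scores)


if __name__ == "__main__":
    data = constructed_observations()
    print("reachability:", reachability_by_region(data))
    print("country-wide downtime hours:", filter_downtimes(data))
    print("regional anomalies:", regional_anomalies(data))
    print("centralisation score:", round(centralisation_score(data), 3))
```

On the constructed data the CERNET netblock is always reachable, hours 20 to 23 show up as a country-wide downtime, and the two Sichuan-only hours lower the centralisation score just below 1.0; with real measurements the interesting part is how far below 1.0 the score falls and whether the anomalies cluster by province.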

Now what does all of this mean for Tor users? Our results show that China still has a tight grip on its communication infrastructure, especially on the IP and TCP layer. That is why our circumvention efforts mostly focus on the application layer (with meek being an exception), and pluggable transport protocols such as ScrambleSuit (which is now part of the experimental version of TorBrowser) and obfs4 are specifically designed to thwart the firewall’s active probing attacks.
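The active probing described in the diagram caption works because a prober that “speaks Tor” to a bridge gets a Tor-like answer back. The following added example (not ScrambleSuit or obfs4 code, and a deliberate simplification of them) models only the property those transports rely on: the bridge says nothing unless the first bytes prove knowledge of the bridge secret that real clients receive out of band. The epoch granularity, the nonce/MAC layout, the label strings and the sample secret are assumptions made for the illustration; the real transports additionally perform a Diffie-Hellman exchange and pad their messages.

```python
"""A simplified probe-resistant first message, in the spirit of the
active-probing defence of ScrambleSuit and obfs4. This is an added
illustration, not the real protocol: only the "prove you know the bridge
secret before I say anything" step is modelled."""
import hashlib
import hmac
import os

EPOCH_SECONDS = 3600   # MAC is bound to a coarse time window (assumed granularity)
NONCE_LEN = 32
MAC_LEN = 32


def epoch(now):
    return int(now // EPOCH_SECONDS)


def _mac(secret, nonce, ep, label):
    msg = nonce + ep.to_bytes(8, "big") + label
    return hmac.new(secret, msg, hashlib.sha256).digest()


def client_hello(secret, now, nonce=None):
    """First bytes a real client sends: nonce || HMAC(secret, nonce || epoch || 'client')."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    return nonce + _mac(secret, nonce, epoch(now), b"client")


class ProbeResistantBridge:
    def __init__(self, secret):
        self.secret = secret
        self.seen = set()   # replay filter (unbounded here; real ones age out entries)

    def first_response(self, data, now):
        """Reply to the client's first bytes, or None to stay silent.

        A prober that merely 'speaks Tor' (e.g. opens a TLS handshake) cannot
        produce a valid MAC without the out-of-band bridge secret, so it gets
        no response and cannot confirm that a bridge is listening."""
        if len(data) < NONCE_LEN + MAC_LEN:
            return None
        nonce = data[:NONCE_LEN]
        mac = data[NONCE_LEN:NONCE_LEN + MAC_LEN]
        ep = epoch(now)
        for candidate in (ep - 1, ep, ep + 1):   # tolerate modest clock skew
            expected = _mac(self.secret, nonce, candidate, b"client")
            if hmac.compare_digest(mac, expected):
                if nonce in self.seen:
                    return None   # replay of a captured hello: stay silent
                self.seen.add(nonce)
                return _mac(self.secret, nonce, candidate, b"server")
        return None


if __name__ == "__main__":
    secret = b"constructed-bridge-secret"           # constructed sample secret
    bridge = ProbeResistantBridge(secret)
    now = 1_700_000_000.0
    hello = client_hello(secret, now)
    print("real client answered:", bridge.first_response(hello, now) is not None)
    tls_probe = b"\x16\x03\x01\x00\x50" + b"\x00" * 80   # constructed TLS-looking bytes
    print("TLS-style probe answered:", bridge.first_response(tls_probe, now) is not None)
    print("replayed hello answered:", bridge.first_response(hello, now) is not None)
```

The two behaviours worth noticing are that an unauthenticated or replayed first message yields no reply at all (the bridge looks like any silent host, which is what defeats the “connect and try to speak Tor” step), and that the replay filter matters: without it, a prober could resend a hello it recorded from a genuine client and obtain a confirming answer.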

See the comments section of the original blog post at the Tor Project for further discussion. Also see “How The Great Firewall of China Is Blocking Tor” (PDF).