Spoiled Onions: Exposing Malicious Tor Exit Relays

← Back to Stories (view on slashdot.org)

Spoiled Onions: Exposing Malicious Tor Exit Relays

Posted by timothy on Saturday January 25, 2014 @07:32PM from the just-tell-me-I'll-pass-on-the-message dept.

An anonymous reader points out this recently published study (PDF) on detecting malicious (or at least suspicious) Tor exit relays. From their conclusions: "After developing a scanner, we closely monitored all ~1000 exit relays over a period of four months. Wed discovered 25 relays which were either outright malicious or simply misconfigured. Interestingly, the majority of the attacks were coordinated instead of being isolated actions of independent individuals. Our results further suggest that the attackers made an active effort to remain under the radar and delay detection." One of the authors, Philipp Winter, wrote a followup blog post to help clarify what the paper's findings mean for Tor users, including this clarification: "First, it's important to understand that 25 relays in four months isn't a lot. It is ultimately a very small fraction of the Tor network. Also, it doesn't mean that 25 out of 1,000 relays are malicious or misconfigured (we weren't very clear on that in the paper). We have yet to calculate the churn rate of exit relays which is the rate at which relays join and leave the network. 1,000 is really just the approximate number of exit relays at any given point in time. So the actual number of exit relays we ended up testing in four months is certainly higher than that. As a user, that means that you will not see many malicious relays 'in the wild."

65 comments

Min score:

Reason:

Sort:

Confusing Summary by Frosty+Piss · 2014-01-25 19:39 · Score: 1

So, they tested around 1000 tor exit nodes, but actually tested many more? 25 of those node might have been malicious or maybe just misconfigured?
What?

--
If you want news from today, you have to come back tomorrow.
1. Re:Confusing Summary by Anonymous Coward · 2014-01-25 20:22 · Score: 0
  
  25 out of [every] 1,000 relays, just a guess since either Mr.Winter or /. editors screwed up again
  I am guessing since I am a caveman and know nothing of this stuff you call tech.
  The quote you use, as is typical with /. is taken out of context, in simple terms.. At any given time there may be several thousands relays and there not being exploited. But there study suggests the above number, and it doesn't matter because it is a rare occurrence that a tor user will come across this.
  I could translate it another way, perhaps the NSA or other US spying agencies are involved and they want people to keep using the network thinking it is safe and secure. Interesting the study says it was a singular scale attack and not the work of individuals, and then again it could be the RIAA or MPAA at work, or a large unknown group of hackers, I would figure hackers would support the Tor network as opposed to trying to exploit it, but there hackers so who knows what blackmail scheme they have going anymore.
2. Re:Confusing Summary by Sqr(twg) · 2014-01-25 21:00 · Score: 5, Informative
  
  25 out of 1000 relays were detectably suspicious. These are the script kiddies who set up an exit node in order to harvest credentials that can be used for fraud etc. Such nodes are easy to detect by verifying https certificates and/or transmitting false credentials over tor and checking if they are used later.
  The really sinister exit nodes are not as easy to detect. Transmit false dissident names and check if the named people are imprisoned and tortured?
3. Re:Confusing Summary by hairyfeet · 2014-01-25 21:23 · Score: 4, Interesting
  
  Not to mention we have seen several cases in the past couple of years of users having their computer equipment confiscated for running TOR exit nodes by grabbing them for CP distribution, who is to say that when they get their PC back it doesn't have a little "extra hardware" to keep an eye on TOR users?
  But you should be able to test without risking lives, have those using the exit nodes go to a "political website" that has an address that nobody would come up with by accident and see if that site after using supposedly "good" nodes suddenly has a jump in activity.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
4. Re:Confusing Summary by maxwell+demon · 2014-01-26 01:14 · Score: 1
  
  Actually, due to the nature of TOR, it would be easy for law enforcement to get some TOR user for CP access: They just have to access CP via TOR through the exit node themselves. Nobody can tell who accessed it through TOR, so as long as they don't leave a trail locally, nobody will ever find out. But there will be a trace leading to the computer the TOR exit point is running on.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
5. Re:Confusing Summary by mysidia · 2014-01-26 01:59 · Score: 2
  
  But there will be a trace leading to the computer the TOR exit point is running on.
  If an exit node is used; the client is supposed to be anonymous, the server is not.
  On the other hand..... if the remote site uses a Tor hidden service instead of an exit node; then both client and server are supposed to be anonymous.
  In practice, the server might be traceable --- if you have realtime monitoring of numerous internet backbone points; by using a large number of messages from clients with specified timing patterns, and statistical techniques, to identify places where packets with the proper timing pattern are showing up.
6. Re:Confusing Summary by maxwell+demon · 2014-01-26 02:14 · Score: 1
  
  If an exit node is used; the client is supposed to be anonymous, the server is not.
  Yes. The client would be the law enforcement agency trying to connect the TOR exit point provider to CP. The server would be some existing CP distributing server known to law enforcement (e.g. one in another country which they cannot just shut down, or one which they didn't yet shut down in order to catch clients who try to contact it).
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
7. Re:Confusing Summary by phwinter · 2014-01-26 03:47 · Score: 5, Informative
  
  I am the main author of the referenced paper. We tested more than 1,000 exit relays but don't know the actual number yet. However, it can be determined based on Tor's historical relay descriptors. The reason that's important is because the naive statistic "25 in 1,000 were malicious" is wrong.
8. Re:Confusing Summary by hairyfeet · 2014-01-26 05:45 · Score: 3, Insightful
  
  Which is why you had better be wealthy and without family if you plan on running an exit node or use Freenet, as the way it was explained to me by a friend in the state crime lab anybody whose system accesses CP (which is easy for the cops to find out as they often leave CP sites running after they bust them as honeypots, they simply replace the video files with junk while leaving the screencaps up to entice the pedo to try to download the vids) is legally distributing, doesn't matter if they could actually see the files or even if they were encrypted, if it passes through your IP address to somewhere else its distribution.
  This is why I've been saying for years to ALWAYS fight against expanding the CP laws, as the ones that have been on the books since the 70s worked perfectly fine and they purposely make the new ones as vague as possible to cast the widest net. If you want proof just look at the 2 guys in prison now for thoughtcrimes. 1 wrote the supposedly "pro pedo" book, no pics, no telling people to go rape kids, just his thoughts on the subject written down sent him to jail and with the other one his own therapist told him to write down his fantasies and thoughts so they could discuss them, again NO evidence that they were anything but fantasies, no CP found, he was thrown in jail simply for words on a page.
  If this doesn't scare the hell out of everybody I don't know what will, we literally have thoughtcrimes landing people in jail and simply trying to help dissidents in China and Syria can literally send you to prison for life and even if you manage to fight back and win in court it will break you, cost you years, probably your job and friendships. I don't know about everybody else but this isn't the country my grandfather fought for in WWII, in fact its looking more and more like the country he fought against.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
9. Re:Confusing Summary by Jane+Q.+Public · 2014-01-26 07:46 · Score: 1
  
  While this doesn't directly bear on your results, I've been saying for quite a while that there aren't nearly enough Tor exit nodes running at any given time. 1000 seems pretty ridiculously low. I think 10 x or 100 x the current number would be far better.
  
  While "security through obscurity" is not ideal, isn't this the main purpose of Tor? To serve the purposes of anonymity and security, by burying any signal in a vast sea of noise?
  
  Your thoughts?
10. Re:Confusing Summary by tlhIngan · 2014-01-27 04:16 · Score: 1
  
  If an exit node is used; the client is supposed to be anonymous, the server is not.
  True, on a perfectly anonymous system.
  However, given the NSA is rumored to run the biggest collection of exit nodes (major Tor vulnerability), and given how most Tor users are probably Joe Average who doesn't realize just how identifiable they are, I think a large number of clients are easily identifiable.
  From doing basic things like logging into an account (Amazon, Google, Facebook, whatever) while on Tor (and thus being able to leave droppings all over the web (Thanks Google, for owning the world largest ad network and being able to track practically everyone....).
  And I'm sure others are just using it as a simple way to log into Hulu or other service...
If all it takes is one... by Lordfly · 2014-01-25 19:41 · Score: 0

...relay to be compromised to remove the entire point of using Tor, it's certainly besides the point how high the churn rate or how low the chances are, isn't it?

--
hookers and grits.
1. Re:If all it takes is one... by Anrego · 2014-01-25 20:01 · Score: 4, Informative
  
  My vague understanding of this (and I haven't really been following it so take with salt) is that this really doesn't defeat TOR itself, but merely takes advantage of ones position as an exit node to perform well known man in the middle style attacks.
  TOR is about hiding your identity. The exit node can see what you are sending and receiving, but doesn't know your actual IP (just the IP of the last node in the chain), the entry node knows your IP, but not what you are sending and receiving. This attack doesn't appear to compromise that.
2. Re:If all it takes is one... by Anonymous Coward · 2014-01-25 20:03 · Score: 0
  
  Except it doesn't. Assuming you're not using an outdated, vulnerable browser and are using secure protocols for anything important, malicious exits are absolutely harmless to you.
3. Re:If all it takes is one... by flonker · 2014-01-25 20:10 · Score: 4, Insightful
  The primary development goal of Tor is to prevent the request from being traced back to the requester. (As a secondary effect, it also bypasses various national/regional content blocking schemes.) Malicious exit relays are detrimental, but in theory the user should be aware of the trust issues involved. I would label this as a user education issue.
  The major points being:
  If your traffic is on the Internet, unless it is encrypted (such as by SSL), it can be passively monitored with only moderate effort.
  If you are using Tor to reach the Internet, your traffic can't be traced back to you, but it still goes out over the Internet; see the previous point for more details. Tor can do nothing once the traffic is back on the Internet.
  Attacks such as sslstrip exist. Be on guard against them.
4. Re:If all it takes is one... by MrBingoBoingo · 2014-01-25 20:19 · Score: 1
  
  What you send along to though can include things potentially mor idenifying than your IP might have ever been. The lesson is that there are no magic bullet solutions to anonymity and security which do not involve some degree or reading and learning how things work.
5. Re:If all it takes is one... by wbr1 · 2014-01-25 20:26 · Score: 2
  
  However, by performing a MITM and stripping that encryption, there may be identifying information in those packets. They might not see Joe Bobs IP, but instead snatched his logon creds, shipping address and payment info that was mused at illegalgunemporium.biz and giantbuttplugs.info
  
  --
  Silence is a state of mime.
6. Re:If all it takes is one... by Agent+ME · 2014-01-25 21:12 · Score: 1
  
  If all it takes is one relay to be compromised to remove the entire point of using Tor,
  That's not at all what the article is saying. A relay injecting content into your connection does not de-anonymize you. Tor works to guarantee anonymity. It doesn't guarantee that the exit relay isn't watching what's going through it or modifying the connection. That's why it's important to use HTTPS.
7. Re:If all it takes is one... by Opportunist · 2014-01-25 22:35 · Score: 4, Informative
  
  What people must understand is that the exit node is, to the server you're connecting to, essentially "you". In other words, it can see everything your computer could see if taking a look at the packet sent out. Everything a tool like Wireshark running on your computer could come up with is also what this exit node can see. If you send unencrypted traffic through TOR, the exit node will be able to read everything in plain text. That includes all credentials or cookies sent in plaintext.
  More, it can alter and modify the stream. That means it can easily inject cookies itself or other objects. I didn't try it yet, but I would not deem it impossible for an exit node to inject objects that can bypass TOR (like flash and the like) that could eventually compromise the users' identity. At the very least it would be trivial to inject a cookie that contains your TOR surfing habits. If I was a country, I'd try to team up with someone who has a high chance to be surfed to with a "normal" connection like a social media website or a search engine to ferret out someone's TOR surfing habits. If they use the same browser for TOR surfing and normal surfing, it becomes fairly trivial to detect them.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
8. Re:If all it takes is one... by Anonymous Coward · 2014-01-25 23:53 · Score: 0
  
  That's why you should never use the same browser for Tor and non-Tor surfing, i.e., don't use Torbutton but the Tor browser bundle, preferably from different accounts.
  Also, you cannot use Flash, Javascript, Java, or any similar technology while browsing with Tor. You can and should use tools like https everywhere, cookie cleaners, Ghostery, etc. while browsing with Tor.
9. Re:If all it takes is one... by anti-todo · 2014-01-25 23:58 · Score: 1, Interesting
  
  Sounds like a good reason to tunnel your traffic through a vpn on top of tor, no?
10. Re:If all it takes is one... by Anonymous Coward · 2014-01-26 00:32 · Score: 0
  
  at illegalgunemporium.biz and giantbuttplugs.info
  These both fail to resolve for me. Are you sure you got that right? The second one looked promising.
11. Re:If all it takes is one... by StripedCow · 2014-01-26 03:13 · Score: 1
  
  So actually Tor software should warn the user when plaintext stuff is being sent over the network.
  This could be difficult to accomplish. But one easy way is to simply detect plaintext HTTP headers.
  
  --
  If Pandora's box is destined to be opened, *I* want to be the one to open it.
12. Re:If all it takes is one... by Anonymous Coward · 2014-01-26 04:25 · Score: 0
  
  it's not no but Hell No too using Ghostery while using Tor as it sends every fucking link to them for checking. God damn idiot or a fucking Gubbermint plant trying to get folks to use the worst tracking system possible while on Tor.
  What you want for Tor efforts is to use a stripped down browser like Dillo/Elinks on OSS (open source software) that doesn't handle flash/javascript/java or anything more the text and jpg, gif, png. That's all. You don't even need cookies.
  The best thing for the Tor folks to do is create a version using either Webkit (actively developed) as the rendering engine and build the entire bundle around it (doesn't do anything but TOR) or co-op the QTWeb project for a cross platform version that can be stripped to a minimum that doesn't understand Javascript/Flash/Silverlight/latest flavor of month w/o cookies and call it the TOR browser. No fucking bundle needed. As long as the browser is running, it's working as a relay node. Those who are willing to run an exit node can still download the Tor bundle.
  Posting AC due to Mod Points being available.
13. Re:If all it takes is one... by Anonymous Coward · 2014-01-26 04:52 · Score: 1
  
  Only if you purchase and maintain that VPN completely anonymously. Otherwise, that's a great way to de-anonymise yourself real quick.
14. Re:If all it takes is one... by flonker · 2014-01-26 06:56 · Score: 2
  
  Also, you are then susceptible to the very same MITM attacks by the VPN provider. (Although they do have an incentive to remain honest.)
15. Re:If all it takes is one... by Anonymous Coward · 2014-01-26 09:04 · Score: 0
  
  belt-and-suspenders
16. Re:If all it takes is one... by Anonymous Coward · 2014-01-26 12:38 · Score: 0
  
  Except it doesn't. Assuming you're not using an outdated, vulnerable browser and are using secure protocols for anything important, malicious exits are absolutely harmless to you.
  No, that's false.
  If I control a honeypot somewhere on the Tor Network there are ways to match traffic I'm sending/receiving on the server against the traffic flowing between your IP and the Exit Node. If I also happen to control the node in question I can do even better.
17. Re:If all it takes is one... by Anonymous Coward · 2014-01-26 21:19 · Score: 0
  
  I have seen AIM:: style links, over HTTP (browser error messages). I think they were attempt to deanymize me by having me to send instan messages.
  I do not know what other methods the exit relay used and if they worked or not, but I stopped and restarted tor.
What good is Tor by Anonymous Coward · 2014-01-25 19:42 · Score: 1

if you can monitor all exit relays?
1. Re:What good is Tor by Agent+ME · 2014-01-25 21:10 · Score: 1
  
  Anyone can use any of the exit relays. That's the point of the relays.
2. Re:What good is Tor by jones_supa · 2014-01-26 01:30 · Score: 1
  
  But then you never know if someone is eavesdropping you. Right?
3. Re:What good is Tor by gmuslera · 2014-01-26 02:39 · Score: 1
  
  That is different from the actual situation where you know that someone is eavesdropping you. And you have a list of "bad" exit nodes that you can test, and I bet that can be made a page somewhere that directly tells you that your current Tor connection is unsafe because the exit node.
4. Re:What good is Tor by aaaaaaargh! · 2014-01-26 04:23 · Score: 1
  
  Tor provides anonymity, not protection against eavesdropping. For the latter, you need to use additional endpoint-to-endpoint security like SSL. Of course, you also shouldn't announce to the whole world who you are while browsing with Tor, which is surprisingly harder than some people might think.
5. Re:What good is Tor by Qzukk · 2014-01-26 04:55 · Score: 2
  
  I bet that can be made a page somewhere that directly tells you that your current Tor connection is unsafe because the exit node.
  Except the bad exit node would replace the page with a page telling you that everything is all good.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
6. Re:What good is Tor by gmuslera · 2014-01-26 05:51 · Score: 1
  
  That page could have a particular certificate, maybe validated using Convergence
ArsTechnica Coverage by Anonymous Coward · 2014-01-25 19:50 · Score: 0

Scientists detect "spoiled onions" trying to sabotage Tor privacy network
Rogue Tor volunteers perform attacks that try to degrade encrypted connections.
http://arstechnica.com/securit...
Surprised by neiras · 2014-01-25 19:56 · Score: 1

I am kind of surprised by how small the Tor network is. Only 1000 exit relays? Guess I'll spin up a few.
1. Re:Surprised by Anrego · 2014-01-25 20:05 · Score: 4, Informative
  
  There's a reason there are so few..
  Running an exit relay is basically asking for major headaches from law enforcement. You are essentially allowing others to access _any_ content, some of which will very likely be highly illegal such as child porn, through your connection.
2. Re:Surprised by matthewv789 · 2014-01-25 20:07 · Score: 1
  
  Exit relays are trickier to host than just normal relays, because they're the ones police will come asking about when (probably not if) they discover something of interest came from it or was requested by it.
3. Re:Surprised by AmiMoJo · 2014-01-25 23:11 · Score: 4, Interesting
  
  How is that any different from running a free wifi service? Note that most of the illegal material is on Tor hidden services so would never leave your exit node at all, and all censorship on your connection remains in place for everyone using it.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
4. Re:Surprised by Anonymous Coward · 2014-01-26 00:11 · Score: 4, Informative
  
  In some countries you are responsible for everything that happens from your wifi endpoint unless you can either identify the culprit using your network or show that you took reasonable steps to secure it against abuse. This translates to every public network I have ever used requiring an account bound to your real identity so the owners can hand over your credentials just like any other service provider can.
5. Re:Surprised by Anrego · 2014-01-26 05:32 · Score: 1
  
  It doesn't, and many people who run those services have to deal with the same headaches.
  Usually stores/coffee shops/etc deal with it by requiring you to create an account before using the service, or at least logging connections, so they can point the finger away from them when law enforcement comes knocking.
6. Re:Surprised by Anonymous Coward · 2014-01-26 06:12 · Score: 0
  
  nope, lea is very well aware of tor and wnat it does and that they cant do anything about it due to free speech / dual use.
  so pretty much all they do now is verify that 'oh this is tor, ok, thanks, have a nice day, bye' via a knock or call or send letters. many now know how to check the tor registry first so u dont get stormtroopered.
  better u be able to access cp than nothing at all. that freedom's a pesky bitch aint it bro.
Not entirely a dupe by ljhiller · 2014-01-25 20:04 · Score: 1

This is a followup on http://yro.slashdot.org/story/... but the only new content is the blog posting.
1. Re:Not entirely a dupe by mSparks43 · 2014-01-25 20:56 · Score: 5, Interesting
  
  "New information" being this isn't 25 of 1,000 nodes.
  its 25 of some unknown number of nodes, of which 1,000 are active at any one time.
  And as I tried to point out last tiime (and am greatful for the opportunity to reiterate)
  exit nodes only account for 100Mbps of tors 3Gbps average traffic (most of the traffic being to hidden services which never go near an exit node)
  So if anything this is testament to the security of tor.network.
  I guess much of the fear comes from the silkroad take down, but that was foiled by the good old postal service and human error, not the technology itself.
2. Re:Not entirely a dupe by Antique+Geekmeister · 2014-01-26 01:33 · Score: 1
  
  > So if anything this is testament to the security of tor.network.
  I'm afraid not. It's a strong indicator of the underlying _vulnerability_ of the Tor architecture to malicious or mishandled exit nodes.
3. Re:Not entirely a dupe by Anonymous Coward · 2014-01-26 02:02 · Score: 0
  
  uh these are 25 of the detectable ones (the ones that are being stupidly obvious about it).
  Tor is better than nothing, but you have to be very careful to bet your life or other lives on it.
4. Re: Not entirely a dupe by Anonymous Coward · 2014-01-26 04:17 · Score: 0
  
  Disagree.
  Because they have been detected and can be bypassed by the network.
  Not something otherwise available afaik
Tor is only part of the solution by Anonymous Coward · 2014-01-25 20:07 · Score: 0

This is case in point of how using Tor is only one part of your security/encryption/privacy toolbox. Watching out for certificate errors is critical to staying safe on the internet, as is making sure you are using end-to-end encryption. Using Tor might hide you from your own ISP, but now we know it may not be good enough privacy.
RTFS! by Anonymous Coward · 2014-01-25 20:10 · Score: 0

We have yet to calculate the churn rate of exit relays which is the rate at which relays join and leave the network. 1,000 is really just the approximate number of exit relays at any given point in time. So the actual number of exit relays we ended up testing in four months is certainly higher than that.
IOW, at any given time, you've got ~0.25% chance to be routed through a bad exit node.
1. Re:RTFS! by Tetch · 2014-01-27 03:13 · Score: 1
  
  IOW, at any given time, you've got ~0.25% chance to be routed through a bad exit node.
  [cough] .. 25 out of 1000 would be 2.5%
  25 per 100 = 25%
  25 per 1000 = 2.5%
  25 per 10000 = 0.25%
  etc. etc.
  
  --
  If you don't pray in my school, I won't think in your church.
I still think exit relay should be forced by Anonymous Coward · 2014-01-26 00:56 · Score: 0

I still think Exit Relays should be turned on by default.
Anyone smart enough setting these up will KNOW how to set them up in the first place.
Those that won't will never enable it in the first place, which considerably limits how secure Tor can be. (it'd be trivial for someone with loads of money to make transparent onion routers that scrape everything. I'd hardly be surprised if many of hundreds already are now)
Sure, some people will be screwed over for running servers on their non-business lines, but there is a good chance well over half of those people likely already do nefarious things on their connections, according to the terms.
ISPs only give a damn if that nefarious usage goes beyond a threshold that impacts others connections.
All it'd need to do is detect the upload speed as it connects to other routers and then set a max of say 10% the upload speed, or a max bitrate of X MBytes, whatever is reached first. (don't want to use TOO much just in case people also have bandwidth limits and they might not know)
Of course, a problem with that is it is also pretty sneaky.
It is a double-edged sword that only education will really solve. But the problem with that is most people on the internet are outright thick, not even not used to computing, just straight thickos unwilling to learn anything. These are the types that torrent through Tor like morons and clog everything up.
I wish someone would make a decent Torrenting program with forced onion routing so they'd all beat it over there instead. Fund it Tor developers, fund it hard. For the network.
1. Re:I still think exit relay should be forced by qpqp · 2014-01-26 17:06 · Score: 1
  
  Dubious idea. Some countries prohibit you to share your network connection or face the consequences for any non-legal use of it.
What the ISP sees and knows. by Anonymous Coward · 2014-01-26 02:48 · Score: 0

I was my companies "abuse" department for several years. I processed loads of DMCA complaints, DNS Amplification attacks, NTP reflection attacks, spam, DOS, DDOS, phishing, etc.. In regards to TOR exit nodes most network Admins want them OFF their networks. They invite a lot of unwanted traffic not to mention attention from law enforcement if they're repeatedly used in attacks. TOR is a great way to remain anonymous. However, it's abused badly. Here's the skinny. YOU might by anonymous but your TOR provider isn't. They lease ip's from someone else. The person owning those ip's receives the complaints. They pass them on to the leaser. The leaser "knows" who's using their service( you ). If the pressure from law enforcement is strong enough you can bet you they'll provide them as much info to contact you. From there? Anything can happen. So behave or be smart or be both.
1. Re:What the ISP sees and knows. by Anonymous Coward · 2014-01-26 04:53 · Score: 1
  
  The leaser "knows" who's using their service( you )
  You seem to have confused Tor and VPNs. The Tor exit node doesn't know who is using their node unless the user has screwed up and/or the exit node is a malicious node that is reading the user's email and able to figure out the identity, in which case the user has still screwed up.
Re:Close down Tor by aaaaaaargh! · 2014-01-26 04:26 · Score: 1

Hardly. People would just use Freenet or Gnunet instead.
I've assumed the worst all along by garyebickford · 2014-01-26 08:28 · Score: 1

From the very first days of Tor I've assumed that at least one, and probably several different agents (legal and illegal, gov't and private) would be smart or at least interested enough to run a significant percentage of Tor hosts. This is akin to Willie Sutton's reasoning for why he robbed banks - "That's where the money is." Since Tor is of most interest to folks who want to keep things private, that's where people who want to know private things are sure to lurk. In the case of NSA, it's worth doing just in case they can _someday_ decrypt data going through. This would work best when some significant percentage of hosts is 'owned', which would allow those hosts to cooperate in determining the true path for some fraction of the data going through.
For a made-up example, assuming 1/3 of all Tor hosts are compromised in one way or another and preserve or report the data, the incoming and outgoing routes to the agent. If those hosts are optimally situated worldwide, they will on some occasions (often?) comprise a sufficiently large portion of the onion route between two 'bad actors', so that various techniques such as timing comparisons will assist in filling in the blanks and some, if not all, of the useful information will be exposed.
Then there are the possibilities of deeper hacks into apparently legitimate Tor hosts, which NSA is known to be capable of.
I'm just speculating, but if I, a relatively security-naive person can come up with these thoughts, I'm sure that folks who specialize in this could come up with better ones.

--
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
All it takes is one... by bmo · 2014-01-26 09:34 · Score: 1

"giantbuttplugs.info" he said, using it as a metasyntactic variable.
So I says to myself, "who the fuck would register that?" Then I says to myself, "it's the internet, someone must be using it." .gov, .info, .org, .mil, .net are all available.
The .com is taken.
Domain Name: giantbuttplugs.com
Registry Domain ID:
Registrar URL: http://www.fabulous.com/
Updated Date: 2013-06-30T17:14:35Z
Creation Date: 2006-08-16T02:14:40Z
Registrar Registration Expiration Date: 2014-08-16T00:00:00Z
Registrar: FABULOUS.COM PTY LTD.
Registrar IANA ID: 411
Registrar Abuse Contact Email: abuse@fabulous.com
Registrar Abuse Contact Phone: +61.730070015
Reseller: N/A
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Registry Registrant ID: N/A
Registrant Name: Domain Admin
Registrant Organization: Sunlane Media LLC
Registrant Street: PO Box 231789
Registrant City: Encinitas
Registrant State/Province: CA
Registrant Postal Code: 92024
Registrant Country: US
Registrant Phone: +1.877 849 6203
Registrant Phone Ext: N/A
Registrant Fax: +1.877 849 6203
Registrant Fax Ext: N/A
Registrant Email: fabulous@sunlane.com
Registry Admin ID: N/A
Admin Name: Domain Admin
Admin Organization: Sunlane Media LLC
Admin Street: PO Box 231789
Admin City: Encinitas
Admin State/Province: CA
Admin Postal Code: 92024
Admin Country: US
Admin Phone: +1.877 849 6203
Admin Phone Ext: N/A
Admin Fax: +1.877 849 6203
Admin Fax Ext: N/A
Admin Email: fabulous@sunlane.com
Registry Tech ID: N/A
Tech Name: Domain Admin
Tech Organization: Sunlane Media LLC
Tech Street: PO Box 231789
Tech City: Encinitas
Tech State/Province: CA
Tech Postal Code: 92024
Tech Country: US
Tech Phone: +1.877 849 6203
Tech Phone Ext: N/A
Tech Fax: +1.877 849 6203
Tech Fax Ext: N/A
Tech Email: fabulous@sunlane.com
Name Server: ns1.fabulous.com
Name Server: ns2.fabulous.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-01-26T13:00:00Z
The .com expires in August, you can probably snap it up then.
--
BMO
Vigilantes? by Anonymous Coward · 2014-01-26 12:53 · Score: 0

So...once we identify the people responsible for this, do we publish their names?
What if they are working for Fed.Gov?
What if they are well-meaning idiots who have had the computers hacked?
Do You shun someone when You don't know if You can trust the list of "bad onions?"
It will be an interesting ethical debate for decades...
We will never be free.. by anti-todo · 2014-01-26 19:36 · Score: 1

Until the last technocrat is strangled by the wiring of the last transhumanist.