Slashdot Mirror

← Back to Stories (view on slashdot.org)

User Error Is the Primary Weak Point In Tor

Posted by timothy on from the setting-aside-whether-you-like-particular-users dept.

blottsie (3618811) writes with a link to the Daily Dot's "comprehensive analysis of hundreds of police raids and arrests made involving Tor users in the last eight years," which explains that "the software's biggest weakness is and always has been the same single thing: It's you." A small slice: In almost all the cases we know about, it’s trivial mistakes that tend to unintentionally expose Tor users. Several top Silk Road administrators were arrested because they gave proof of identity to Dread Pirate Roberts, data that was owned by the police when Ulbricht was arrested. Giving your identity away, even to a trusted confidant, is always huge mistake. A major meth dealer’s operation was discovered after the IRS started investigating him for unpaid taxes, and an OBGYN who allegedly sold prescription pills used the same username on Silk Road that she did on eBay. Likewise, the recent arrest of a pedophile could be traced to his use of “gateway sites” (such as Tor2Web), which allow users to access the Deep Web but, contrary to popular belief, do not offer the anonymizing power of Tor. "There's not a magic way to trace people [through Tor], so we typically capitalize on human error, looking for whatever clues people leave in their wake," James Kilpatrick, a Homeland Security Investigations agent, told the Wall Street Journal.

15 of 70 comments (clear)

  1. Good Security by Anonymous Coward · · Score: 4, Insightful

    It is really easy to miss this, but all security is about people. Good security software guides users into the most secure behavior. Bad security software just sets up a bunch of rules that the user must memorize and follow without error. Users will always be the weakest link, but you can make it easy for them to make good decisions and hard for them to do the wrong thing.

  2. Security is too hard by mveloso · · Score: 3, Interesting

    If security is too hard for criminals to use, it's too hard for normal people to use.

    1. Re:Security is too hard by Anonymous Coward · · Score: 4, Insightful

      The average person that ends up in jail is dumber than the average person who doesn't. The average criminal among those that doesn't get caught is a lot smarter than that.

    2. Re:Security is too hard by Anonymous Coward · · Score: 4, Insightful

      > I imagine the average criminal as dumber than the population.

      Nah, that's just the average caught criminal. It is a common error to make.

    3. Re:Security is too hard by EnempE · · Score: 3, Informative

      It is not just you that thinks this. But I think it is a convenient thought not a considered one.
      I don't think there is anything in terms of research to support the 'criminal subclass' idea (i.e. a group too stupid to succeed without breaking the rules), it is just a rationalization that outlived phrenology.
      Even if the measure of criminal intelligence was not being caught, it assumes that the entire criminal justice system is composed of exactly average people with the same resources as the criminals. That is clearly not the case, as their 'situational awareness' tools are what motivates those without criminal intentions to consider these technologies.
      Regarding the use of TOR, when imagining the criminal 'eptitude', you have to balance the fact that the risk would motivate them to expend additional effort in using the system. These things are more about discipline than intelligence. You might be more disciplined in your approach to paid work than a hobby, it would be reasonable to expect that criminals would similarly be more disciplined with the use of TOR than a hobbyist.
      TLDR
      I think mveloso's heuristic for measuring a security tool is still valid.

    4. Re:Security is too hard by Matheus · · Score: 4, Insightful

      Incorrect. Your average criminal may be less moral BUT to lead a successful criminal life requires a level of intelligence the law abiding citizen does not require. It's easy to follow the rules laid out before you. Society has created a reality for you in which you choose to reside unaltered. The perpetual criminal chooses to reject that reality and so must not only create the one they choose to live in but constantly maintain the battlements between theirs and the rest of society's in order to not find themselves in a small locked room. An intelligent person may even be more likely to become a criminal to some degree in the respect that they see better than most the gray-scale of the world. Right and Wrong as taught to us as children is never so black and white in the harsh reality of adult life. Refining a complex moral code of your own creation and then holding yourself to it while living aside others is not for the simple minded.

      As an aside, your presumption may be that the average criminal gets caught (ergo unsuccessful) but I'm afraid that is most likely an incorrect assumption. People break the law on a daily basis probably more than they think they do. The ones who knowingly do this would be your "criminal" but to assume they are well represented by the news-worthy ones being dragged off on TV is a bad assumption. Entire swaths of this society live their entire lives breaking law after law after law and dying peacefully in their old age comfortable that they lived their life the way they chose to.

  3. Two Words by stoploss · · Score: 2

    Parallel Construction.

  4. Parallel Construction by Anonymous Coward · · Score: 4, Interesting

    It is virtually certain TOR is compromised by the NSA by listening at all entry and exit points at a minimum. However, the only cases that come to trial are those where they can estabish an alternative ( parallel ) path to the evidence.

  5. Human nature by s.petry · · Score: 2

    I don't agree that it's hard, just that human nature will always try and take the path of least resistance. Most security is actually pretty easy for users, just follow these X steps and you will be safe. Users read the first and last step because it's easy. Other users may perform all the steps a few times, and jump to using step 1 and finish because the don't remember the point in performing all the steps. There are others that believe the propaganda fed to them by media and government and consider all security a waste of time.

    To back my point, go back and reread all of the examples they give. Every single one of them was a result of someone missing a step, not because a step was hard.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  6. And, by the way... by Noryungi · · Score: 5, Insightful

    If people who have serious security preoccupations (drug dealers, pedophiles, etc...) are dumb enough to get caught due to human error (and probably not doing their homework), why exactly do the NSA, FBI, CIA, MI6, GCHQ, DGSE, FSB, BND, etc... etc... have to trace everything we do or say online?

    In other words, what, on earth, is the purpose of these gigantic spying programs for, if all that is needed is good old fashioned gumshoe work? You know, like, waiting for the bank robbers to brag of their exploits to a police informants, painstakingly tracing money flows from dodgy businesses, or gathering evidence and finger prints on a crime scene?

    Sure, security is hard, everyone makes a mistake once in a while, yadda yadda yadda, but what about the rights of the innocent average citizen? We are all being spied on, while police forces are perfectly able to catch the criminals, even if they use Tor! There is simply no justification, none whatsoever, for these agencies to spy on everyone. Think about that for a second.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:And, by the way... by blahplusplus · · Score: 2

      "Why exactly do the NSA, FBI, CIA, MI6, GCHQ, DGSE, FSB, BND, etc... etc... have to trace everything we do or say online?"

      This (mass surveillance) is just more part and parcel of state suppression of dissent against corporate interests. They're worried that the more people are going to wake up and corporate centers like the US and canada may be among those who also awaken. See this vid with Zbigniew Brzezinski, former United States National Security Advisor.

      https://www.youtube.com/watch?...

      Look at the following graphs:

      http://www2.ucsc.edu/whorulesa...
      http://www2.ucsc.edu/whorulesa...
      http://www2.ucsc.edu/whorulesa...

      And then...

      WIKILEAKS: U.S. Fought To Lower Minimum Wage In Haiti So Hanes And Levis Would Stay Cheap

      http://www.businessinsider.com...

      https://www.youtube.com/watch?...

      Free markets?

      https://www.youtube.com/watch?...

      http://www.amazon.com/Empire-I...

      "We now live in two Americas. One—now the minority—functions in a print-based, literate world that can cope with complexity and can separate illusion from truth. The other—the majority—is retreating from a reality-based world into one of false certainty and magic. To this majority—which crosses social class lines, though the poor are overwhelmingly affected—presidential debate and political rhetoric is pitched at a sixth-grade reading level. In this “other America,” serious film and theater, as well as newspapers and books, are being pushed to the margins of society.

      In the tradition of Christopher Lasch’s The Culture of Narcissism and Neil Postman’s Amusing Ourselves to Death, Pulitzer Prize-winner Chris Hedges navigates this culture—attending WWF contests, the Adult Video News Awards in Las Vegas, and Ivy League graduation ceremonies—to expose an age of terrifying decline and heightened self-delusion."

  7. Please allow me to correct the title. by sconeu · · Score: 5, Insightful

    User Error is the Primary Weak Point In Software.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Please allow me to correct the title. by TuringTest · · Score: 2

      User Error is the Primary Weak Point In Software.

      Corollary: designing software that fails to work well under user error is the primary engineering mistake.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
  8. User not always weak link by manu0601 · · Score: 5, Informative

    In a related story from Brian Krebs, Silk Road was not outed by a badly configured CAPTCHA, as the FBI said. They seem to have another way to peek in TOR: http://krebsonsecurity.com/201...

  9. Re:Not all user error is equal? by Anonymous Coward · · Score: 2, Insightful

    er no fucktard, because violating the security rights of a huge number of people, with the justification that you find a few criminals is exactly the fucked up logic The Man uses to increasingly erode our rights until we get to a point where we have none. If the man had allocated all their resources they've put into illegal and immoral monitoring of the general populace and put it to actual investigation of crimes I daresay they would have solved a fuckton more shit than they actually have. But busting privacy online and in general our individual rights has actually got FUCK ALL TO DO with busting a few crims, so wake the fuck up and stop falling for the whole "think of the children" bullshit principle