Slashdot Mirror


Tor Network May Be Attacked, Says Project Leader

Earthquake Retrofit writes: The Register is reporting that the Tor Project has warned that its network – used to mask people's identities on the internet – may be knocked offline in the coming days. In a Tor blog post, project leader Roger 'arma' Dingledine said an unnamed group may seize Tor's directory authority servers before the end of next week. These servers distribute the official lists of relays in the network, which are the systems that route users' traffic around the world to obfuscate their internet connections' public IP addresses.

86 comments

  1. Re:Sony get's hacked by Anonymous Coward · · Score: 0

    gets*

  2. Tor directory servers by Anonymous Coward · · Score: 3, Interesting

    Long time Tor user, and was never aware of these 9 directory servers. This seems like an extremely weak link in the chain, esp. since 6 of these servers are in the US.

    The Tor project promotes running relays, etc., but never a specific DS. Is this something the standard Tor client can do? Can anyone set up a Tor DS? Why has this never really been talked about until now??

    1. Re:Tor directory servers by ihtoit · · Score: 4, Insightful

      while using the World Wide Web, are you consciously aware of the thirteen root DNS nameservers?

      No? So, why worry about the nine Tor servers which do pretty much the same thing - directing traffic so you get your fix of whatever?

      The reason is, because these things are transparent to the client - you don't know they're there, all you know is that some endpoint protocol is making shit work, but to do that requires direction, which it gets from one of several servers which all agree on the basic structure of the (extremely fluid) network. Without those services, the network is a: chaotic and b: lost.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    2. Re:Tor directory servers by Anonymous Coward · · Score: 2, Insightful

      No, that makes perfect sense -- I just don't recall ever hearing about these particular servers before. I raise this question because I'd bet there'd be more ppl. willing to host the Tor directory servers if they knew of their existence and this particular (perceived?) vulnerability.

      Is this something more specialized than running an exit node or a relay? Specifically, can the standard Tor client host a DS? If so, there is zero information on this aspect of the client provided by the documentation by the Tor project. Maybe something in the protocol docs, but it's not obvious in the information provided by the Tor project.

    3. Re:Tor directory servers by ihtoit · · Score: 3, Informative

      well, yes, because the directory servers have a realtime index of active exit nodes. They hold no actual content, but what they do hold is really not very much in the way of payload (would probably fill a floppy disk); the killer is in the number of concurrent interrogations and the prerequisite bandwidth which would put it out of reach of an individual. All you'd need to do to bring the network to its knees is locate each directory server by IP, find a DOS vulnerability and exploit it. Same for any network with any sort of active directory service.

      (knowing this because I built a distributed database that was vulnerable to precisely one thing: the loss (even momentarily) of the directory server. Killed it dead, and rebuilding/resynching it was a fucking nightmare. Having a failover for that one service would've saved a LOT of headaches but I'd already killed my budget).

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    4. Re:Tor directory servers by Anonymous Coward · · Score: 1

      I expect TOR to be down just long enough for an interested Government power to add the backdoor it needs to enforce criminal activity.

      It may be time for a replacement for Tor after it is compromised.

    5. Re:Tor directory servers by Anonymous Coward · · Score: 0

      To be clear, there are thirteen root DNS server addresses. The actual number of servers is larger because most of those addresses are backed by multiple servers via anycast. Based on the blog post, it seems that the Tor directory servers really are just 9 physical points of presence, which makes a pretty big difference if the threat is seizure of the servers.

    6. Re:Tor directory servers by Anonymous Coward · · Score: 1

      I raise this question because I'd bet there'd be more ppl. willing to host the Tor directory servers if they knew of their existence and this particular (perceived?) vulnerability.

      The DS are essentially the root level of 'trust', you don't want random people able to run them. The TOR client is hardcoded to only trust specific Directory Servers, so if they end up being compromised the Tor project can release a new update to switch to different servers.
      The risk of having them compromised is it would allow the controller to be able to do things such as only list nodes/relays under the control of a hostile entity.

      Put simply, the DS are what define the Tor network. Control of them would let you make a new Tor network. Likewise, you could distribute a modified client which trusted different DS's and essentially create an alternate Tor-based network.

    7. Re:Tor directory servers by Anonymous Coward · · Score: 0

      There are 13 root DNS ADDRESSES, however there are probably over 200 DNS root server INSTANCES available spread all over the world. Most all are using IP Anycast to be able to run instances all over the world. If one instance gets knocked offline, the global BGP route tables will still have routes to the others.

    8. Re:Tor directory servers by Anonymous Coward · · Score: 0

      What happens to the internet again, without the DNS service?

    9. Re:Tor directory servers by Anonymous Coward · · Score: 0

      Uh...actually, while using the WWW... I am very much aware of the root directory servers.

      Specifically because I of course run my own caching DNS at home to avoid my ISPs DNS, to filter out a few hostile elements, and redirect one or two slow as shit forums to my own poisoned proxy, at least for javascript.

      More specifically, because I used to run my own unauthorized TLD with services provided over I2P to a few people.

      So...while I don't think about them much, yeah -- I know they're there, know and understand most of the weaknesses.

      That tor has centralized root nameservices comes as a massive surprise to me... and I recall reading the protocol nearly a decade ago.

    10. Re: Tor directory servers by Anonymous Coward · · Score: 0

      Don't worry, I got 12 Chinese teenagers to memorize the IP addresses of the top 10,000,000 websites (ranked by Alexa). We're covered.

    11. Re:Tor directory servers by Anonymous Coward · · Score: 0

      It's important to note that the DS don't have information about what the clients are doing. Since the directory servers tell the clients the addresses of the active nodes in the network, the servers are static and run by the Tor project themselves. This is because a malicious DS could tell the clients about malicious nodes the attacker controls and not the legitimate nodes. Reading the OP, you would need to control a majority of the DS to do this.

      And since the DS have a medium term online key (they say it's hard to extract so hopefully it self-destructs if you break into the server cage) and a long term offline key, they are more concerned about this being a DOS attack on a network than this being a deanonymization attack.
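
Added example (not part of the thread, and not Tor's own code): a simplified Python model of the point made in the comments above, that clients trust only a hardcoded set of directory authorities and act on a relay list only when more than half of them have signed it. The nine authority names, the relay lists and the helper functions are constructed for illustration, and toy textbook RSA stands in for the real signature scheme.

```python
import hashlib
from itertools import combinations

E = 65537
# 2**k - 1 is prime for each k below; toy key material only, never use for real.
MERSENNE_EXPONENTS = (61, 89, 107, 127, 521, 607)


def make_authorities(count=9):
    """Return {name: (n, d)}: a toy RSA private key per simulated authority."""
    keys = {}
    for i, (a, b) in zip(range(count), combinations(MERSENNE_EXPONENTS, 2)):
        p, q = 2**a - 1, 2**b - 1
        keys[f"auth{i}"] = (p * q, pow(E, -1, (p - 1) * (q - 1)))
    return keys


def hardcoded_trust(keys):
    """What ships inside the client: authority names and public moduli only."""
    return {name: n for name, (n, _d) in keys.items()}


def digest(doc, n):
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % n


def sign(doc, priv):
    n, d = priv
    return pow(digest(doc, n), d, n)


def valid_signers(doc, signatures, trusted):
    """Names of trusted authorities whose signature over doc verifies."""
    ok = set()
    for name, sig in signatures.items():
        n = trusted.get(name)  # signers the client was not shipped with are ignored
        if n is not None and pow(sig, E, n) == digest(doc, n):
            ok.add(name)
    return ok


def accept_consensus(doc, signatures, trusted):
    """Accept only if more than half of the hardcoded authorities signed doc."""
    needed = len(trusted) // 2 + 1  # 5 of 9
    return len(valid_signers(doc, signatures, trusted)) >= needed


def scenarios():
    keys = make_authorities(10)
    rogue = keys.pop("auth9")          # a key the client was never told about
    trusted = hardcoded_trust(keys)    # nine authorities, as in the thread
    names = sorted(keys)
    honest = b"relays: r1 r2 r3 (constructed honest list)"
    hostile = b"relays: x1 x2 (constructed hostile list)"

    def signed_by(doc, signers):
        return {s: sign(doc, keys[s]) for s in signers}

    four_plus_rogue = signed_by(hostile, names[:4])
    four_plus_rogue["auth4"] = sign(hostile, rogue)   # rogue key posing as auth4
    four_plus_rogue["auth9"] = sign(hostile, rogue)   # rogue key under its own name

    return {
        # Normal operation: every authority signs the same list.
        "all_nine_online": accept_consensus(honest, signed_by(honest, names), trusted),
        # A minority of keys in hostile hands cannot produce an accepted list.
        "four_keys_seized": accept_consensus(hostile, signed_by(hostile, names[:4]), trusted),
        # Padding a minority with an unknown key does not help either.
        "four_plus_rogue": accept_consensus(hostile, four_plus_rogue, trusted),
        # A majority of keys is the point at which the relay list can be replaced.
        "five_keys_seized": accept_consensus(hostile, signed_by(hostile, names[:5]), trusted),
        # Five servers taken offline: the honest list lacks a majority, so clients
        # get no fresh consensus. This is the denial-of-service case.
        "five_offline": accept_consensus(honest, signed_by(honest, names[5:]), trusted),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:18} accepted={accepted}")
```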

    12. Re:Tor directory servers by Anonymous Coward · · Score: 1

      To be clear, there are thirteen root DNS server addresses.

      Actually, that is not correct. There are 24 root DNS server addresses. You apparently have forgotten about the IPv6 addresses. There are 13 named DNS servers (a, b, c, ..., l, m.root-servers.net) servers, and while all 13 have IPv4 addresses, 11 have an IPv6 address.

      It should be noted that not only anycast, but also various load balancers are in place. The number of actual servers is large, geographically distributed, and multi-homed to multiple independent providers, and in reasonably reliable data centers. While anything is possible it is highly unlikely that all of those servers, networks, and countries would disappear all at once (and that anyone is left on the planet to care).

    13. Re: Tor directory servers by Anonymous Coward · · Score: 0

      But that's barely enough for the pr0n !!!!!!

    14. Re:Tor directory servers by Cito · · Score: 1

      Without Tor however will we add to our R@ygold collections? :-P

    15. Re:Tor directory servers by Vlijmen+Fileer · · Score: 1

      They are not thirteen servers, they are thirteen clusters of servers. And they are better distributed over nations than Tor's DS's. Oh, and alternatives exist. Oh, and TOR is there only for the good people and therefore an easy target. DNS is also used by the bad guys (the governments) and therefore not an obvious target.

  3. would this unnamed group share its initials with by ihtoit · · Score: 1

    Flowers
    By
    Irene
    ?

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  4. Centralised? by Anonymous Coward · · Score: 1

    I'm not really sure I understand why people use Tor. Its aim seems to be to make tracing Internet usage a little harder, but it's pretty much safe to assume that governments are running a significant proportion of the nodes, and traffic analysis can determine the rest. Stupid design decisions like having a single point of failure in the form of a centrally maintained list of nodes suggest that the whole thing had an expiry date waiting to be announced.

    1. Re:Centralised? by Anonymous Coward · · Score: 0

      Um, because not everyone is trying to hide from their government ??

    2. Re:Centralised? by Anonymous Coward · · Score: 0

      True - they could be trying to hide from other governments, and that could include governments which don't have access to any intelligence network that has an Internet presence.

      But what other uses are there for Tor, please?

    3. Re:Centralised? by Anonymous Coward · · Score: 0

      Governments do not share all information they collect by mostly illegal means all the times with all other governments.

    4. Re: Centralised? by Anonymous Coward · · Score: 0

      No one said you had to use Tor alone. You can use it in combination with other tools like vpns, ad blockers to block tracking ads, anonymous browsing, etc. While none of these by itself is perfect, all together it gets much harder to be traced.

    5. Re:Centralised? by Anonymous Coward · · Score: 0

      Stupid design decisions like having a single point of failure in the form of a centrally maintained list of nodes suggest that the whole thing had an expiry date waiting to be announced.

      You're more than welcome to fork the project and come up with a better solution. The Tor folks have said that at least right now, it's the best solution they can come up with. Calling it a stupid design choice simply shows you don't know what you're talking about in the slightest.

      And if those DS's do get compromised or shut down, they can issue a bundle update to switch to new Directory Servers.

    6. Re:Centralised? by Anonymous Coward · · Score: 0

      Calling it a stupid design choice simply shows you don't know what you're talking about

      Yeah if only there were some way of decentralising a directory service.

      And why would I want to fork a project that has countless vulnerabilities and which tries to find a technical solution to a social problem?

    7. Re:Centralised? by Anonymous Coward · · Score: 0

      Tor is explicitly not designed to defend against a global IP panopticon. That's the tradeoff it makes for low and reasonably consistent latency. It's mostly good for avoiding ISP tomfoolery (censorship, MITM insertion of ads, transparent proxies) and hiding your identity/location from remote sites. It's better than a VPN service because it's free and more transparent than those services, though either way you have to assume that exit nodes can get away with routinely capturing traffic or rarely MITMing plaintext traffic. Freenet, for instance, makes the opposite trade: its latency is too large and variable for any useful end-to-end "connection", but it's difficult to figure out where requests actually originate and terminate because everyone proxies for everyone else; there is no distinction between "relays" and "exit nodes".

    8. Re:Centralised? by Anonymous Coward · · Score: 0

      Would you please enlighten us how to decentralize a directory service without any bootstrapping servers whatsoever. I'm really interested in that. Would you do random portscans? Web crawling? None of this is effective, so please let us know about your ingenious solution. (Hint: No existing P2P technology offers this feature.)

    9. Re: Centralised? by Anonymous Coward · · Score: 0

      Sure. Have people running Tor servers publish their ECC plan plan public keys as much as they can. Maybe even confirm a few with a friend over text message. Then all you have to do is verify that you've contacted just a few of them, allowing you access to the global database.

      Theoretically a MITM could fake everything you look at through your browser or even swap out keys that are texted to you. But if they're doing that then you're already screwed. And note that they'd have to do that before you bootstrapped yourself onto the network.

      Bootstrapping can be solved well enough. The real problem is detecting and mitigating bad guys flooding the directory with malicious nodes. Presumably the EFF curates a portion of the nodes it lists, and makes sure they remain and a plurality of all nodes so with a sufficiently small number of hops you pass through at least 2 or more good nodes. OTOH, maybe they don't curate, in which case you might as well use a decentralized directory.

      The field of trust metrics can't solve the problem well, yet. However, if Tor did switch to a decentralized directory model it might spur more research.

  5. Re:would this unnamed group share its initials wit by ArmoredDragon · · Score: 0

    I don't think the FBI would give a shit about Tor. If they want to find your identity bad enough, they'll do so via extralegal means, mainly because they can. See the ongoing silk road case, where the DOJ has yet to show how exactly they physically identified its owner and its server locations.

    The only organizations powerful enough with enough motive to take out Tor would have to be either Russia or China. China especially because Tor is perhaps the biggest means of circumventing the GFW, and unlike the FBI, China doesn't have either physical influence or physical presence in any of Tor's geographical nerve centers. (And yes, in spite of the distributed nature of Tor, I did correctly use the word center.)

  6. Namecoin by Anonymous Coward · · Score: 0

    In the future, this sounds like a perfect job for a decentralised dictionary such as Namecoin. Perhaps if the Namecoin project continues to grow and mature then it can be considered as a fallback and warning system should something happen to Tor's directory authority servers.

    1. Re:Namecoin by Anonymous Coward · · Score: 0

      this sounds like a perfect job for a decentralised dictionary such as Namecoin.

      Why? Now you have to trust a wide pool of random, unknown actors instead of a single group.

      The problem with allowing access to the Directory mechanism is that it opens a wide variety of channels which can allow a malicious entity to influence which nodes get used.

      If something happens to the Tor DS's, they will simply move to new servers and issue an update to the Tor software which switches to the new servers.

    2. Re:Namecoin by Anonymous Coward · · Score: 0

      No, the Namecoin protocol and network are both trustless. You would still trust precisely only the single group.

      It's just that the single group would be able to own a chunk of the decentralised dictionary, adding or subtracting from the list of approved relays in much the same way as people are able to own bitcoins and send them to the addresses of their choice.

      Of course, other groups could paste up their own unofficial relay lists but the default Tor software would simply ignore them and point to the official Namecoin dictionary entry(-ies).

  7. Re:would this unnamed group share its initials wit by Anonymous Coward · · Score: 1

    There is no such agency that share these initials.

  8. FBI and Sony hack by Anonymous Coward · · Score: 0

    When I got r00ted by Sony from a Britney Spears CD, the FBI was nowhere to be found, but when Sony was r00ted, the FBI is all up in that junk?

    1. Re: FBI and Sony hack by Anonymous Coward · · Score: 1

      Sony paid precisely $0 in federal taxes between the period I was victimized by Sony and they were pwned by GOP. As a matter of fact, they received over $11b in tax credits during this same period -- ie. the US government paid *them* money.

      I paid *more* taxes than Sony, by far, and you probably did too. I should be afforded more protection, no?

    2. Re: FBI and Sony hack by Anonymous Coward · · Score: 0

      lol if you bought a stick of gum you paid more taxes than sony in the past 15 years

    3. Re: FBI and Sony hack by Anonymous Coward · · Score: 0

      Fuck your mother, pig. Corporations are not people and are not entitled to more attention from authorities than people are. Fucking scumbag apologist for big business, Ebola can't come to your country soon enough.

      Now do the world a favour and go off your fucking self.

    4. Re: FBI and Sony hack by ihtoit · · Score: 1

      corporations are "persons" in Law. Otherwise a corporate "person"ality could not be sued, there would be no accountability in case of wrongful death or neglectful injury, and there would be no way a corporation with no personality can legally bind another person (individual or body corporate) in a contract or hold him to any obligations therein.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re: FBI and Sony hack by Anonymous Coward · · Score: 0

      Shit, if you bought that same Britney Spears CD you probably paid more taxes than Sony.

      I fucking hate this world. Seriously.

  9. Re:would this unnamed group share its initials wit by ihtoit · · Score: 1

    I said group, you said agency.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  10. Re:would this unnamed group share its initials wit by Anonymous Coward · · Score: 0

    Nah, probably the PRK at it again..

  11. Re:would this unnamed group share its initials wit by Iamthecheese · · Score: 1

    yes. No such agency that has compromised Tor already.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
  12. Too late by Anonymous Coward · · Score: 0

    99% of Tor servers are owned US government. Tor is already broken.

    1. Re:Too late by Anonymous Coward · · Score: 0

      FBI pwnes all Tor servers.

  13. Re:would this unnamed group share its initials wit by MichaelSmith · · Score: 1

    I thought it was their project.

  14. Re:would this unnamed group share its initials wit by ihtoit · · Score: 1

    you don't know that. I don't know for certain that it has. Only they know for sure, and they're not about to tell. When they claim to have information that could only be gained by compromising the network or through seizure of the hardware, then we'll know.

    Lesson for today: if you don't want information to end up in the hands of those who you don't want having it, airgap it. DO NOT expose it to a network. Whatever you post on a public network, on whatever forum using whatever protocol or encryption or other obfuscation, becomes as far as you should be concerned, information that is now forever and irreversibly in the public domain for any and all to use for whatever nefarious reason.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  15. Re:would this unnamed group share its initials wit by ihtoit · · Score: 2

    no, but they did use just 35 lines of code to compromise it in 2012, during the Operation Torpedo dragnet in which they managed to identify, arrest and charge 25 US citizens on their IP addresses* and an undisclosed number of foreigners overseas on international arrest warrants (and slightly less legal means) on child sexual exploitation.

    *I don't have the link handy, but I do seem to remember a bunch of John Doe claims by the **AA (or maybe it was the BPI) being thrown out because the respondents were identified by their IPv4 addresses.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  16. TOR is NAVY MoFos by Anonymous Coward · · Score: 0

    So damn the torpedos! Full SPEED Ahead!

    You sunk!

  17. BitTorrent Maelstrom by ThePhilips · · Score: 2, Interesting

    That coming on the heels of the decentralized web solution coming from BitTorrent, Inc.

    Pretty exciting times.

    --
    All hope abandon ye who enter here.
    1. Re:BitTorrent Maelstrom by Anonymous Coward · · Score: 0

      Don't get too excited. It's vaporware for now and honestly what little details they do give show it's a lousy idea.

    2. Re:BitTorrent Maelstrom by ThePhilips · · Score: 1

      Still.

      Dismantling the centralized institutions one by one - DNS, IANA/RIRs, hosting providers - whatever Maelstrom is capable of - is a step in the right direction.

      If a sufficient number of decentralized alternatives appears, one can try to nest them like Russian dolls. More layers of the nested services - higher the privacy (at the potential cost of reliability).

      --
      All hope abandon ye who enter here.
    3. Re:BitTorrent Maelstrom by Anonymous Coward · · Score: 0

      "at the potential cost of reliability"

      We're slowly getting there. And with the net neutrality issue, we might not get a choice after all.

  18. Re:would this unnamed group share its initials wit by LordWabbit2 · · Score: 0

    One of the articles mentions a disgruntled employee against whom a hit had been taken out. Want to bet he ran to the feds because he was scared and ratted on the silk road. I don't attribute any mystical hacking of TOR to the FBI, someone came forward and spilled the beans. The reason the FBI are keeping it quiet is that in this way it seems that the FBI can track you regardless of what you are doing. If they are planning on taking out the main TOR network it's for the precise reason that they CAN'T track you through it, and so taking it out is the only other option. So let's assume they DDOS the TOR directory authorities, if I DDOS'ed someone it would be a criminal offense. Why can they do it without being criminally charged? Also whoever thinks TOR is the "biggest means of circumventing the GFW" is an idiot. You would get much better speed by simply using a credit card to rent a $30 a year vps server in the states and installing squid. Firewall circumvented. Hell, there are plenty of free proxies out there which will allow you to do the same thing. The GFW is a joke, and only stops the ignorant.

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  19. Sony rootkit by Anonymous Coward · · Score: 0

    Why is the Sony music CD rootkit a civil matter while rooting of Sony is a criminal matter attracting the attention of the FBI?

  20. TOR is a fucking honey pot ! by Taco+Cowboy · · Score: 4, Insightful

    ... See the ongoing silk road case, where the DOJ has yet to show how exactly they physically identified its owner and its server locations

    TOR is a HONEY POT that enjoys a successful deployment beyond anyone's expectation !

    It is not China nor Russia who came up with TOR, it was Uncle Sam which is the entity who funded the TOR project

    TOR has several uses for USA ---

    1. As you mentioned, to offer dissents within Russia / China or any other dictatorial nation a way to sneak out of the watchful eyes of their respective ruling regime

    2. TOR also offers a false sense of security to those who wanted to do something not-so-legal, and in that way, "fish" them out from the real DARK NET and land them inside TOR while Uncle Sam gets to watch their every single fucking move

    The highlighted quote above in itself has explained all --- that Uncle Sam knows everything that happens within the TOR domains, including the identity of those involved

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:TOR is a fucking honey pot ! by jenningsthecat · · Score: 0

      Mod parent up! Whoever modded this comment down either hasn't investigated the matter, or sympathizes with those whose goal is the total destruction of privacy for average citizens.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    2. Re:TOR is a fucking honey pot ! by Charliemopps · · Score: 3, Informative

      You could be right, but given TOR's design, it doesn't even matter if the feds wrote it, they still couldn't figure out your identity. The feds would have to own all the nodes in the network, which is possible... but if they did own all the nodes, it wouldn't really matter if they wrote it or not now would it?

      All that said... there are easier ways to hide your identity on the internet.

    3. Re:TOR is a fucking honey pot ! by Anonymous Coward · · Score: 0

      Do you have any evidence to back your claim? According to Snowden's documents, the NSA and the GCHQ themselves say that they cannot track Tor users: http://www.theguardian.com/wor...

      Is Snowden a "honey pot" too? Most importantly, how much "honey" have you been consuming recently?

    4. Re:TOR is a fucking honey pot ! by Kjella · · Score: 4, Insightful

      You do realize that most "darknets" are built on a "bust one, bust all" model? Pretty much the only security is that the bad guys aren't in your darknet, they've never reached a popularity where there's any plausible deniability. The only other people likely to be in your darknet are the other members of your terrorist cell or whatever you're part of, it has never offered anything for "normal people" for you to hide in. And darknets have actually been used as honeypots, to make clueless people give away their IP to join a private group which turns out to be a sting. It is pretty much the exact opposite of anonymity, it's joining a conspiracy and you're at the mercy of the stupidity of everyone in it.

      TOR is trying for something entirely different, which is to keep everyone at arm's length from each other. I talk to you over TOR, you get busted well tough shit they still can't find me. The users don't know the server, the server doesn't know the users. Of course by adding that glue in between you run the risk of the man in the middle working out who both ends of the connection are, but that's the trade-off. TOR is trying to do something extremely hard, it tries to offer low latency - easy to make timing attacks, arbitrary data sizes - easy to make traffic correlation attacks and interactive access - easy to manipulate services into giving responses, accessible to everyone and presumably with poison nodes in the mix. It's trying to do something so hard that you should probably assume it's not possible, not because they have any special inside access.

      I actually did look at trying to do better, it was not entirely unlike Freenet done smarter only with onion routing instead of relying on statistical noise. It wouldn't try to be interactive so you could use mixmaster-style systems to avoid timing attacks and (semi-)fixed data block sizes to avoid many correlation attempts but I never felt I got the bad node issue solved well. TOR picks guard nodes, but it only makes you bet on a few horses instead of many. It was still too easy to isolate one node from the rest of the network and have it only talk to bad nodes, at which point any tricks you can play is moot because they see all your traffic. Even a small fraction of the nodes could do that on a catch-and-release basis and I never found any good countermeasures.

      --
      Live today, because you never know what tomorrow brings
    5. Re:TOR is a fucking honey pot ! by Anonymous Coward · · Score: 0

      I highly doubt that. If they have control over it why bother shutting down the darknet markets? Why not just pinch the dealers as they come on board?

      The fact is that you can correlate data pretty easy when you don't have to worry about admissible evidence. Look up Parallel Construction if you want to know why they haven't explained exactly how they did it. It's because they did it through normally tainted means and therefore if it could be proven that the evidence they do use was obtained through inadmissible means all the evidence is tainted. If they keep that connection hidden then it works just fine and they can bust people.

      I believe that the powers have the ability to see large detailed information about the traffic on the internet and can use that and some sophisticated traffic analysis they can determine the popular destinations. Watch it long enough and you can see exactly when things appear and become popular.

    6. Re:TOR is a fucking honey pot ! by Anonymous Coward · · Score: 5, Interesting

      Mod parent up! Whoever modded this comment down either hasn't investigated the matter, or sympathizes with those whose goal is the total destruction of privacy for average citizens.

      I'm pretty sure at this point that Taco Cowboy's posts start off at -1 due to his reputation score.

      In regards to his claims, the Tor software is open source and you can look at it yourself if you want to look for any backdoors. Put simply, in order to 'compromise' the network an attacker needs to control a significant number of Nodes, or have some method of forcing traffic to use nodes they control. These are known weaknesses and are published by the Tor Project. IF a 3 letter agency really was behind the whole thing, they wouldn't tell people any of that, and they would already control the Directory Servers themselves so that they could manipulate the network behavior.

      tl;dr - Taco Cowboy is a resident nutter who likes to talk a lot of shit with nothing to back it up.

    7. Re:TOR is a fucking honey pot ! by spacefight · · Score: 1

      They don't need to own the nodes. They need to know their uplink and/or upstream provider. And I bet they do on a fucking large scale.

    8. Re:TOR is a fucking honey pot ! by Anonymous Coward · · Score: 0

      They have already said how they got both sites, human error:

      "The feds say that despite his tech savvy, Ulbricht had left loose ends, exposing, via an alias, his e-mail address when soliciting a developer to join a Bitcoin startup."

      Read more: http://www.rollingstone.com/culture/news/dead-end-on-silk-road-internet-crime-kingpin-ross-ulbrichts-big-fall-20140204#ixzz3MSgbC2CW

      "During the Government’s investigation, which was conducted jointly by the FBI and HSI, an HSI agent acting in an undercover capacity (the “HSI-UC”) successfully infiltrated the support staff involved in the administration of the Silk Road 2.0 website, and was given access to private, restricted areas of the site reserved for BENTHALL and his administrative staff. By doing so, the HSI-UC was able to interact directly with BENTHALL throughout his operation of the website."

      Read more: http://www.fbi.gov/newyork/press-releases/2014/operator-of-silk-road-2.0-website-charged-in-manhattan-federal-court

    9. Re: TOR is a fucking honey pot ! by Anonymous Coward · · Score: 0

      Maybe that's how it happened, maybe not. The way parallel construction works is that once you get the evidence illegally you concoct a plausible story using the evidence you illegally obtained. In the first instance they may have found the email address only after breaking the case. In the second they may have pinched an employee and turned him; of course he would be told to say he initiated contacting the feds. And if he ever divulged what really happened, even if the prosecutors were to be punished he'd still go to jail, so he would have every reason to go along.

    10. Re:TOR is a fucking honey pot ! by Anonymous Coward · · Score: 0

      I think that this idea deserves more attention really. A whole bunch of supposedly "dark" websites get busted or shut down (either by Anonymous or law enforcement, or both), the feds won't present the actual evidence they used to pop the Silk Road owners...what else needs to be said? No one who wants to remain anonymous on the Internet is depending upon TOR any longer. Some of them are using I2P, some of them are using Freenet again (ugh), some of them are using who knows what...but no one who expects any degree of anonymity is using TOR any longer. All I've ever used the TOR Browser Bundle for is to search for things that I'd like not being permanently linked to me as a keyword in a database somewhere...medications are an example of something more innocuous that I have a problem with all the time. Search for any kind of depression medication in the run of a week, all of a sudden my gmail spam folder is being flooded with ads for websites who will fill shady prescriptions "online..." That's about all TOR is good for; obscuring your original location a -little- bit more than you did to start with. That means that if you didn't do much to "anonymize" yourself to start with, TOR was never going to be of much help to you anyway. The reluctance of the surveillance happy FBI to actually admit to their methods in the case of the Silk Road would seem to indicate one of two things...one, they know those methods would not stand up in court and be thrown out, or two, those methods involve a means of identifying individual TOR users that the FBI has not previously disclosed. I would highly bet on it being the latter or a mix of both, I suspect the OP is right. In either case, I no longer use TOR for any communication I want to remain anonymous. A few bland web searches that I just want to remain slightly obscured I suppose, other than that start looking elsewhere.

    11. Re:TOR is a fucking honey pot ! by Anonymous Coward · · Score: 0

      You could easily infer that from half of the materials that have been released by Snowden, the Guardian et al. regarding the surveillance program of the NSA and the "Five Eyes" member states... The US has tapped every cable, infiltrated every telecom center, captured every cellphone communication and they CERTAINLY aren't going to have any issues identifying individual TOR users. Take a look at the news about some of the more shady "darknet" sites recently, they're getting pinned down and caught...I doubt it's due to lax security, not in every case. Sure, everyone screws up once in a while, but setting up a TOR hidden service in and of itself implies that you're doing something you're taking protection to hide...so if your server rattles off any information that could leak where you really are, I would think you'd configure the hell out of everything, write every script and every bit of HTML.

      The NSA have a good thing going here, they have a lot of people depending upon TOR to obscure their identity when it's clear they have no issues pinning down exactly that, making TOR useless at best, at worst more likely a "honeypot" for sensitive traffic as suggested by others. In either case, if you want to "remain anonymous," don't use TOR. Get rid of it as soon as possible and hope that your system hasn't been compromised in some other way...yes, all of the source for the TOR project is available. Has any one person or group actually looked at all of it though? I mean ALL of it, a complete audit, building binaries to see if they match up with binaries built from source code known to be clean (if they don't it would suggest the binaries were built from different source code than what's available). It's one thing to say "it's open source, you can check it out yourself and see if there's a back door in there..." I've seen some of the examples from the Obfuscated C contest, if someone really, really wanted to make something unreadable to me it's apparently so easy for some people that it's actually a game. Add to that the fact that most computer users simply aren't programmers to start with and the whole "open source" claim is...nice if you're a contributor, I guess. I'd like to see an organization like the EFF or someone similar, with a decent reputation with the IT community at large, to come out and say that they've thoroughly audited all of the TOR Project and found no signs of a backdoor. If it were from a "legitimate" organization with a very good reputation, I'm sure people would be willing to "crowdsource" the funding for the audit even. Maybe then I might be convinced into using it again.

    12. Re:TOR is a fucking honey pot ! by Raenex · · Score: 1

      Tor Stinks... But it Could be Worse

      • Critical mass of targets use Tor. Scaring them away from Tor might be counterproductive.
      • We can increase our success rate and provide more client IPs for individual Tor users.
      • Will never get 100% but we don't need to provide true IPs for every target every time they use Tor.

      http://www.theguardian.com/wor...

      Seems the NSA doesn't want targets to move away from Tor because they have some success and are confident of gaining more. They don't need to own all the nodes. It's a documented weak spot that they just need to tap the incoming and outgoing nodes and do timing attacks. Given the NSA's (and their foreign, cooperating counterparts) massive taps on the Internet backbones, that sounds pretty feasible.

    13. Re:TOR is a fucking honey pot ! by OverlordQ · · Score: 1

      It is not China nor Russia who came up with TOR, it was Uncle Sam which is the entity who funded the TOR project

      Guess what else they funded? The Internet.

      --
      Your hair look like poop, Bob! - Wanker.
  21. TOR gives a false sense of security by Taco Cowboy · · Score: 0

    About 250 years ago the British army was fighting the French and their allies, the American Indians

    The commanding officer thought up a very ingenious way to wipe out the French's allies by introducing smallpox to the American Indians, and he did it by seemingly being kind to the American Indians --- he gave the Indians blankets

    Of course he did not tell the American Indians that those blankets were used by people who were infected with smallpox

    As a result of the biological warfare, untold number of the American Indians who fought alongside the French died

    Now, back to 2014/2015

    TOR seemingly offers the world a "security blanket", a "blanket" which, by its reputation, ought to have given protection to the users from the authority's prying eyes

    But like the blankets of yore, TOR came with "extra bonus" ... bonus which will allow the authority to not only track the users, but also know everything that the users did

    The TOR infrastructure is filled with many weak links, weak links which can be, and are being, exploited by Uncle Sam

    No matter if it's NSA or FBI or CIA or whatever three-alphabetic agency, TOR will reveal to them whatever they want to know

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re: TOR gives a false sense of security by Anonymous Coward · · Score: 0

      There were some letters discussing the idea, however there is no evidence infected blankets were actually distributed. One issue with the plan is that whoever distributed the blankets would also become infected and likely spread the disease.

    2. Re: TOR gives a false sense of security by Anonymous Coward · · Score: 0

      Unless that person had smallpox.

      But, yeah. I'm not sure those Americans were that dumb to play with smallpox like that, which was still very lethal to Europeans. Although the Native Americans gave the Europeans syphilis, which does make you dumb and deranged. Oh, the iroqani.

    3. Re:TOR gives a false sense of security by mSparks43 · · Score: 1

      You mean.
      Unlike skype and the https protocol........

      You don't seem to understand that tor is still THE most secure communication protocol we have over the internet. So secure that even the Snowden leaks discuss how the agencies you accuse of wanting to use it to spy on you - actually use it so the other agencies can't spy on THEM!

      It's not a panacea, it's not the sole solution, but unless you can point to a *BETTER* solution, what is the point in making blind and blatantly false accusations?

  22. Re:would this unnamed group share its initials wit by Anonymous Coward · · Score: 0

    Group means a gathering for self interest. Agency implies they have government, and implicitly country, approval. In his defense, it's hard to tell the difference these days.

  23. Re:would this unnamed group share its initials wit by Anonymous Coward · · Score: 0

    no, but they did use just 35 lines of code to compromise it

    1. Saying "35 lines of code" means nothing at all. I've seen massively complex programs shoe-horned into a few dozen "lines of code".
    2. The code in question was not part of Tor, it was malicious code placed onto a web server which they had located and compromised. It used Flash or Javascript (I don't recall which off-hand) and when the browser ran the code, it simply opened a direct connection to a LE-controlled server, thus revealing the real IP that person was using. Anybody who ran script/flash blocking plugins (or simply didn't have them installed) was immune, as their browser simply did not execute the malicious code.

  24. Tor was attacked Nov 4 by Mocko · · Score: 1

    Major takedown of sites by *** agencies - they did traffic analysis attack and hacked poorly set up Tor servers, if I recall.

  25. Re:would this unnamed group share its initials wit by ihtoit · · Score: 1

    1. citations required.
    2. it was a Flash exploit.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  26. Re:would this unnamed group share its initials wit by Anonymous Coward · · Score: 0

    The burning stuff seems to be quite popular... amongst many.

  27. Sony Hackers? Tor is dooooooooomed! by Anonymous Coward · · Score: 0

    Is this related to the Sony Hackers?
    If N.Korea used Tor to attack Sony, then U.S. will shut down Tor. Easy as pie.

  28. allegedly by slashmydots · · Score: 1

    So allegedly the rumor is that the FBI is taking down part of the network to try and somehow catch and/or prove the North Koreans were behind the hack on Sony. I don't know how true that is. Seems like it wouldn't matter if we had proof or not. That puffy doughboy piece of shit running North Korea is a perpetual liar and we can't possibly like him less nor will the US do anything about it in either case.

  29. Snowden can not know everything by Anonymous Coward · · Score: 0

    As much as what Snowden wants to share with us we must understand that Snowden does not know everything

    As much secretive files that Snowden has collected, we must realize that there are still files that are out of reach of Snowden

    The government of the United States of America has a vast network of operatives, and many of those are operating under strict compartmentalized structure - and many of those cells simply do not share their operational detail with others

  30. Re:would this unnamed group share its initials wit by mgcarley · · Score: 1

    I have it on good authority that the FBI give plenty of shits about Tor.

    --
    Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com) // t: @mgcarley
  31. Who are you trying to fool? by Anonymous Coward · · Score: 0

    It's easy to have tons of sockpuppets that "kowtow to the party line" here on /., and then to use the modpoints gained on each sockpuppet to trash *anyone's* so-called "reputation" score here. Think TOR is a fucked up system? The one here is JUST AS BAD, if not worse. Ever wonder WHY they won't let you see who downmodded you here? That IS why! It speaks worlds of those who designed and run this place: They are, to put it bluntly, little hit and run sneaks and punks, no better than any TOR "criminal", which this "feature" of their forums ware blatantly exposes for that very reason. When you write software, parts of you yourself are exposed in it. Remember that.