Tor Devs Say They've Learned Lessons From Carnegie Mellon Attack, But Worries Remain That They're Outgunned And Outmanned

from the trust-no-one dept

Early last year, Tor suffered a massive attack that compromised the anonymity of its users over a period of at least six months. Soon after, the FBI launched Operation Onymous, which dismantled yet another round of darknet markets and left Tor developers and supporters desperately wondering what went wrong. Last month, Tor dropped a bit of a bombshell: it claimed the FBI paid researchers at Carnegie Mellon $1 million to conduct a Sybil attack on the network. In an attack that ran from January to July of 2014, CERT used just $3,000 in hardware to flood the Tor network with new relays that then modified Tor protocol headers to perform traffic confirmation attacks.

As it turns out, a new report from Kashmir Hill at Fusion notes that Tor developers had ample forewarning that something was going wrong. In fact, a Tor supporter sent a message to the Tor mailing list early in 2014 highlighting the odd behavior of these computers, but it was effectively brushed aside by Tor developers as nothing to worry about. That has of course raised concerns among the 2 million people that use Tor every day — activists, human rights workers, journalists, and security-minded computer users among them. The revelation has obviously also devastated the reputation of Carnegie Mellon and the CERT Coordination Center.

Both the FBI and the university continue to deny the claims, for whatever that’s worth:

“The allegation that we paid CMU $1 million is inaccurate,” said an FBI spokesperson.

Meaning, if you’re familiar with semantic FBI parlance, that it probably paid a few specific researchers (not the University itself) $999,999.

Regardless, Hill’s new report provides a lot more insight into the attack by Tor chief architect Nick Mathewson, who admits it wasn’t the developers’ finest hour, noting that he originally overlooked the threat because he believed it was too ham-fisted to actually be performed in the wild:

“I don’t think this is the best response we’ve ever done to an attack situation,” said Mathewson by phone… “It didn’t occur to me that they would run the attack in the wild on random users,” said Mathewson. “The way the attack was structured, it was a bad attack for anyone to get away with it. Once detected, it was very easy to block. It didn’t seem to me like a deep threat.”

Of course, the end result of this oversight was not only the arrests and darknet site closures from Operation Onymous, but Operation Shrouded Horizon — which targeted the Darkode black marketplace. And the markets are still reeling. Though it’s always hard to differentiate an exit scam (where the site just runs away with the money held in escrow) from security concerns, numerous markets (like Middle Earth Marketplace) recently went offline claiming they’re trying to implement upgrades that will make their drug bazaars more secure.

But Mathewson is quick to make the obvious point that while these arrests primarily targeted child pornographers and drug dealers, the attacks targeted everybody. And the use of supposedly objective academics as attackers, the lack of warrants, and the lack of institutional oversight by Carnegie Mellon’s Institutional Review Board set a disgusting precedent for the security community:

“There’s an argument that this attack hurts all of the bad users of Tor so it’s a good thing,” said Mathewson. “But this was not a targeted attack going after criminals. This was broad. They were injecting their signals into as much hidden services traffic as they could without determining whether it was legal or illegal.”

“Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities,” wrote Dingledine in a Tor blog post, which also questioned whether Carnegie Mellon had gotten approval from an institutional review board, a process that exists to ensure that academics don’t harm human research subjects.

For what it’s worth, Mathewson says the Tor team has made numerous code changes to better scan the Tor network for potential threats, and has been working on an as-yet unfinished revamp of the hidden services design over the last year. Tor is also working on what Mathewson calls a “new cryptographic trick” that will allow a hidden services directory to send Tor users to a hidden site without the directory knowing where it’s sending them. The developers have also apparently learned a thing or two about trust, with Mathewson stating they’re no longer “extending security researchers the benefit of the doubt on anything.” Good idea.

The central question of course is whether Tor has the manpower needed to keep such an integral technology operational and secure. Eighty percent of Tor’s $2.5 million budget still comes from the government, so Tor is operating a crowdfunding campaign to expand the funding base for obvious reasons. But Tor only has 22 full- and part-time employees, and 10 volunteers and academics who consistently contribute code, which directly contributed to the attack not being taken seriously earlier. As such we’re left wondering if Tor can be trusted moving forward and, if not, what comes next for the millions of users that depend on Tor for perfectly-legal anonymous communications?

Companies: carnegie mellon, tor


Comments on “Tor Devs Say They've Learned Lessons From Carnegie Mellon Attack, But Worries Remain That They're Outgunned And Outmanned”

22 Comments
Anonymous Coward says:

Nothing new here...

“I don’t think this is the best response we’ve ever done to an attack situation,” said Mathewson by phone… “It didn’t occur to me that they would run the attack in the wild on random users,” said Mathewson.

This is the same as the war on terror.

When terrorism strikes the Government (Which has become the bigger terrorist now) likes to indiscriminately attack random citizens in the wild as a response as well.

Anonymous Coward says:

But Mathewson’s quick to make the obvious point that while these arrests primarily targeted child pornographers and drug dealers, the attacks targeted everybody.

It’s like they were going house to house kicking everybody’s door down. Then they justified it by pointing out that they only arrested people when they found something they could prosecute.

“Oh! In that case, carry on!”
– Judge Fukemover

Anonymous Coward says:

“As such we’re left wondering if Tor can be trusted moving forward and if not, what comes next for the millions of users that depend on Tor for perfectly-legal anonymous communications?”

My guess will be that DarkNet hosters will move to I2P or another DarkNet service like FreeNet. The main advantage of TOR is to be able to bypass censorship of regular internet sites using TOR as a proxy service, and the end node has always been a liability on the TOR network.

Anonymous Coward says:

Re: Re:

My guess will be that DarkNet hosters will move to I2P or another DarkNet service like FreeNet. […] the end node has always been a liability on the TOR network.

We’ve always known that real-time mixing is a liability too. For services like email that can be delayed, we can do much better, but Tor and I2P don’t allow sites/users to make such tradeoffs. FreeNet was better, in theory, last I looked (the developers do seem fond of major redesigns). For anything transporting web traffic, Javascript and plugins are major concerns (along with browser behaviors that make tracking easy: user agent strings, RSS feeds, cross-site resources, telemetry, …).

Anonymous Coward says:

Re: Re: Re:

Same poster as above…
Yeah, it’s pretty much common sense when crossing zones that security is a major issue, so I’ve never really been concerned as the major factor driving adoption is to get out of X area. IE. Bangladesh now blocking Facebook.

While you mention javascript, et al, those are at least mitigated through the client, about:config to disable javascript altogether, or running unbound to block malicious sites and forwarders. I wish Tails would include a root resolver in their distro, as it’s far safer.

Telemetry will always be a problem as the source gateway will always see traffic originating, so I’m at loss but more entry points and randomly shifting entry gateways is probably the only way around it. The TOR project has already figured that out with the great firewall of China.

All in all, I’m happy with the TOR project and it’s a great tool. If you’re a dev, thanks for all the hard work.

Anonymous Coward says:

This should be the end of CERT

There was a time — a brief time — when CERT served a useful purpose. We really did need a clearinghouse for security information after being caught flat-footed by the Morris worm.

But that time has long passed. CERT has now become the very enemy that it was supposed to defend against. It’s time to shut it down and blacklist the assholes who work there.

Anonymous Coward says:

Re: This should be the end of CERT

Bingo.

I was about to say the same thing. CERT was founded after the Morris worm to deal with the problem of system administrators at various locations attempting to communicate at 3:00 am without being quite sure who was on the other end of the phone and what they could say to them. Everyone was supposed to be able to trust CERT.

Now, you would be a fool to trust anything coming from CERT or to tell them anything. If you are under attack, how do you know CERT is not the one doing the attacking and anything you tell them will be used against you?

Cranky says:

CMU has form on this sort of behavior

See the “Marty Rimm Usenet pornography study” of 1994-1995, where CMU administration apparently authorized an undergraduate student to conduct some questionable research which seems to have violated many of the school’s own ethics codes, and which research was loudly and synchronously publicized by the ad-hoc cartel of TIME magazine and ABC Nightly News, in a manner that would have been obvious today as clickbait (if such a term existed then).

I get the distinct impression that CMU sometimes just doesn’t have the morals or fortitude it takes to resist an opportunity to make some quick $$/PR off a hot-button social topic with a tech angle.

Anonymous Coward says:

Re: CMU has form on this sort of behavior

Studying information gathered on any subject is of inherent interest to all of mankind. The problem lies when subjects are identified and prosecuted for such studies. This is the concept of the double blind experimental process. Neither the subject nor the experimenter should know who each other are, as that can corrupt the scientific value of the experiment. The ethical concept is to protect both parties, much like client/lawyer privilege but also to prevent snake-oil experiments that corrupt the very foundations of science itself. That the researchers let IP addresses flow into the database is contrary to the process, and next it very well might be a cancer drug that kills people. The problem in this case is that the very experiment also risked the lives of possibly thousands of innocent people, dissidents of corrupt governments, whistle blowers of the US government, even mundane people. Perhaps a Saudi Arabian official was messaging his gay lover, that could now be used as leverage by the US government. This is corruption of the very principles of the US, but que sera, sera. So yes CMU should be held accountable, not for the experiment, but the leak of information and failure to notify TOR of the exploit. And I would expect the same of Peking University as knowledge should be a global cooperative.

Whatever (profile) says:

Exit nodes

TOR will always face problems because there is always an identifiable exit point. Those who maintain the exit points are taking substantial legal risks in allowing people to use their internet connection.

Remember: https://www.techdirt.com/articles/20140701/18013327753/tor-nodes-declared-illegal-austria.shtml

It is not unreasonable that wholesale adoption of TOR would lead to more of this type of prosecution. When people become scared to operate exit nodes, then the whole system collapses.

Anonymous Coward says:

Re: Exit nodes

TOR will always face problems because there is always an identifiable exit point.

Not when accessing .onion addresses.

Those who maintain the exit points are taking substantial legal risks in allowing people to use their internet connection.

The general advice these days is to avoid running exit nodes on a home connection.

Mark Wing (user link) says:

The FBI’s inept sophistry speaks volumes. There’s the answer: all that taxpayer money spent hacking into a computer system, compromising the security of possibly millions, to catch a few drug dealers in the last throes of the biggest epic fail in our lifetime: the war on drugs–unwinnable but infinitely fund-able.

I wonder what they tell themselves all that money bought them, other than the right to claim that amount in next year’s budget.
