On being targeted by the NSA

As quoted in the original article on Das Erste:

We've been thinking of state surveillance for years because of our work in places where journalists are threatened. Tor's anonymity is based on distributed trust, so observing traffic at one place in the Tor network, even a directory authority, isn't enough to break it. Tor has gone mainstream in the past few years, and its wide diversity of users -- from civic-minded individuals and ordinary consumers to activists, law enforcement, and companies -- is part of its security. Just learning that somebody visited the Tor or Tails website doesn't tell you whether that person is a journalist source, someone concerned that her Internet Service Provider will learn about her health conditions, or just someone irked that cat videos are blocked in her location.

Trying to make a list of Tor's millions of daily users certainly counts as widescale collection. Their attack on the bridge address distribution service shows their "collect all the things" mentality -- it's worth emphasizing that we designed bridges for users in countries like China and Iran, and here we are finding out about attacks by our own country. Does reading the contents of those mails violate the wiretap act? Now I understand how the Google engineers felt when they learned about the attacks on their infrastructure.

Granted, AES128 seems to work just fine. I've read a while on Mozilla's site about timing-attack-resistance and AES128 seems to be more resistant. Is it? What will we prefer, what works better?
The changelog of tor 0.2.4.22 says it prefers AES256 over AES128 and that this preference is chosen mainly for anti-fingerprinting purposes. Surely this wasn't done on a whim.

Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others. (Thanks to bug 11513, the relay list is now well-considered, whereas the client list has been chosen mainly for anti-fingerprinting purposes.) Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over AES128. Resolves ticket 11528.
https://blog.torproject.org/blog/tor-02422-released
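
Added example, not part of the original comments and not Tor's own code: the relay preference quoted from the changelog is a lexicographic ordering, which the sketch below applies to OpenSSL-style suite names. The function names and the sample suite list are constructed for illustration.

```python
# Rank OpenSSL-style TLS suite names by the relay preference quoted above.
# Each criterion only breaks ties left by the criteria before it.

HASH_RANK = {"SHA384": 0, "SHA256": 1, "SHA": 2}  # a bare "SHA" means SHA-1


def preference_key(name):
    """Return a tuple that sorts preferred suites first (lower is better)."""
    parts = name.split("-")
    if parts[0] not in ("ECDHE", "DHE"):
        raise ValueError(f"no (EC)DHE key exchange in {name!r}")
    if parts[-1] not in HASH_RANK:
        raise ValueError(f"unrecognised hash in {name!r}")
    is_aes = any(p.startswith("AES") for p in parts)
    is_3des = "CBC3" in parts  # OpenSSL spells 3DES as DES-CBC3
    if not (is_aes or is_3des):
        raise ValueError(f"cipher is neither AES nor 3DES in {name!r}")
    return (
        0 if is_aes else 1,               # AES over 3DES
        0 if parts[0] == "ECDHE" else 1,  # then ECDHE over DHE
        0 if "GCM" in parts else 1,       # then GCM over CBC (CBC is implicit)
        HASH_RANK[parts[-1]],             # then SHA384 over SHA256 over SHA1
        0 if "AES256" in parts else 1,    # and last, AES256 over AES128
    )


def relay_order(suites):
    """Sort suite names from most to least preferred."""
    return sorted(suites, key=preference_key)


# Constructed sample input, deliberately out of order.
SAMPLE = [
    "DHE-RSA-AES128-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",
]

if __name__ == "__main__":
    for suite in relay_order(SAMPLE):
        print(suite)
```

Because key exchange is compared before cipher mode, an ECDHE suite using CBC outranks a DHE suite using GCM, and any 3DES suite sorts last regardless of its key exchange.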

Yeah. But if the alternative is 1024-bit DH using a group that they also helped select? We don't have many great options here.

It increasingly seems like we want to ditch TLS and move to our own new thing, e.g. based on some of djb's work.

Or maybe the TLS standards people will decide to accept curve25519 in their TLS suite, and then make it sufficiently ubiquitous that we can use it and also blend in with all its other users?

Fortunately, link encryption in Tor is one layer among many, so even if the link encryption is totally broken, things don't go that badly.
https://www.torproject.org/docs/faq#KeyManagement

'For Firefox goto about:config, search for "ssl3" and leave only lines enabled with "256" in it, problem solved.' Toggle all the non-128 lines ( except 256 ) to 'False' also? There are lines that are not 128 or 256. I toggled all the 128 to 'False' and Tor takes a looooong time to load and access websites. Once on the website, Tor runs normal speed.

Yes, as I'm a German citizen I have the strong feeling that "Das Erste" is heavily compromised from governmental obligations and definitely has a habit to spread uncertainty and confusion about everything that has potential to lower public trust in state policies or potential threats on national security or secret intelligence predominance. Did they ever make suggestions about scientific findings that would actually improve the power of people? No, they want to spread the opinion that the state officials and their government administrations know the problems. They want you to believe you can not trust everyone else. It's the policy of fear.

Anonymous

July 04, 2014


Would it be possible for torproject to send lists of bridge addresses to bitmessage addresses as opposed to emails? Would that be practical?

From the bitmessage website, "Bitmessage is in need of an independent audit to verify its security." Yes, folk are choosing to use bitmessage & previously folk were using truecrypt but auditing is important & just as worthy to donate toward to help support something you value or contribute to the audit itself if you can. Many hands make light work amigos!

It would be better to send the request alongside with your PGP public key (or its ID) so Tor's bot can encrypt the email before sending it.

It's impossible to design a way for the bridges to both be relatively easy to find for dissidents and at the same time impossible/very hard for the NSA to find, so I don't really see the point to be honest.

Well, I sure wouldn't do it blindly. Didn't you read all the previous articles about how VPN services are targets too? And VPN services are centralized single-hop proxies -- easy to match up the incoming flows to the outgoing ones, if you're watching them.
https://svn.torproject.org/svn/projects/articles/circumvention-features…

If you somehow have a magical VPN that they have chosen not to watch, sounds great. Otherwise, you're adding a component onto the beginning of your path that could *increase* the chance that they can see your traffic as it enters the Tor network (and thus do correlation attacks on it).

I got a bit confused from the articles and don't claim to understand Tor past the pictures I've seen showing data passing through the nodes however do the NSA need to have users connecting to one of their nodes in the first hop and the last hop so they get the destination and point of origin IP? If so does using a bridge stop this attack?

Check out
https://blog.torproject.org/blog/being-targeted-nsa#comment-64351
I worry much more about the NSA watching somebody else's relays than I do about them operating their own relays.

A bridge would indeed stop the attack, *if* the connection from the user to the bridge doesn't end up in their big database. It seems they have some rules to make lists of bridge addresses. Also, what if they watch, or operate, the bridge that you use?

So the very short answer is "it's complicated, but it's not an obvious win."

Anonymous

July 04, 2014


Any recommendations regarding uProxy (once it becomes available, based on what is already known)?

It really depends what it is once it exists. The uProxy people seem like nice people, and I'm a huge fan of the stuff Will Scott et al are doing with freedom.js and librtc. But how you put the components together is critical to what security and privacy properties you get from the system. Let's hope they build something worth using!

Anonymous

July 04, 2014


In light of the article that phobos's post refers to, it's interesting to observe that there's only 1 other comment here so far :)

Anonymous

July 04, 2014


How about having prospective bridge users send their PGP public key, and the Tor Bridge Project send any details back unencrypted? One cannot trust email these days -we have to assume it's being monitored and that TLS SMTP is being MITM'd by interested adversaries, where desired.

Sounds great except "get PGP and learn how to use it" is a high bar for our users in Syria, Iran, etc. They already pass by Tor in favor of other tools that appear simpler, even when those tools end up harming them down the road.

Usable security sure is a hard combination to get right.

Anonymous

July 04, 2014


So if I donated $60 could someone set up an additional exit relay on digital ocean (or other VPS provider)? My thought is a few thousand people are willing to pay $60 annually (via cryptocurrency), wouldn't that deplete the NSA's ability to poison the network?

There are two attacks to worry about: one is that the NSA could run a bunch of relays, and the other is that the NSA could *watch* a bunch of relays.

Yes, as we add more relays and more capacity to the network, the effort and cost required to launch a pile of relays and become a large fraction of the network goes up. That's one of the main goals behind the EFF Tor Relay challenge:
https://www.eff.org/torchallenge/ (please join!)

But that said, if we put all of those relays at a small number of VPS providers, then the number of places on the Internet the adversary needs to watch doesn't go up much. So it has to do with diversity of relay locations, not just number of relays. For more information about that, see
https://blog.torproject.org/blog/research-problem-measuring-safety-tor-…

As for donating to help people run relays, please do!
https://www.torproject.org/docs/faq#RelayDonations
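
Added example, not part of the original comments: a simplified model of the point above that relay location diversity matters more than relay count. It assumes the entry and exit of a circuit are drawn independently in proportion to bandwidth, which is not Tor's actual path selection; the function names and relay sets are constructed for illustration.

```python
from collections import Counter
from fractions import Fraction


def network_shares(relays):
    """Map each hosting network to its exact share of total relay bandwidth."""
    totals = Counter()
    for network, bandwidth in relays:
        totals[network] += bandwidth
    whole = sum(totals.values())
    return {net: Fraction(bw, whole) for net, bw in totals.items()}


def both_ends_exposure(relays, k):
    """Share of circuits with entry and exit both inside the k largest networks.

    Simplifying assumption: both ends are drawn independently by bandwidth.
    """
    top = sorted(network_shares(relays).values(), reverse=True)[:k]
    return sum(top) ** 2


def networks_to_reach(relays, target):
    """Fewest networks that together expose at least `target` of circuits."""
    count = len(network_shares(relays))
    for k in range(1, count + 1):
        if both_ends_exposure(relays, k) >= target:
            return k
    return count


def build(networks, per_network, prefix):
    """Constructed sample: equal 10-unit relays, `per_network` in each network."""
    return [(f"{prefix}{i}", 10) for i in range(networks) for _ in range(per_network)]


BASELINE = build(50, 2, "isp")                  # 100 relays in 50 networks
CONCENTRATED = BASELINE + build(2, 100, "vps")  # +200 relays at 2 VPS providers
DIVERSE = BASELINE + build(100, 2, "new")       # +200 relays in 100 new networks

if __name__ == "__main__":
    for label, relays in [("baseline", BASELINE), ("concentrated", CONCENTRATED),
                          ("diverse", DIVERSE)]:
        print(label, len(relays), networks_to_reach(relays, Fraction(1, 4)))
```

In this model, tripling the relay count at two providers lowers the number of networks that cover a quarter of circuits from 25 to 2, while spreading the same 200 relays over new networks raises it to 75.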

Anonymous

July 04, 2014


I'm surprised the NSA gave them such a detailed statement:
http://daserste.ndr.de/panorama/aktuell/nsa230_page-5.html

It even includes a brief description of XKeyScore: "XKeyscore is an analytic tool that is used as a part of NSA's lawful foreign signals intelligence collection system. Such tools have stringent oversight and compliance mechanisms built in at several levels. The use of XKeyscore allows the agency to help defend the nation and protect U.S. and allied troops abroad."

Anonymous

July 04, 2014


Tails hacked?
Here is my experience. I downloaded tails ISO using tor. Booted and ran it ok. When I went back to my normal PC, (windows) Secure anywhere claims that 4 files had been modified on my C: drive, and the threat was that a user was added. When I tried to have the program do a repair, I just ended up with blue screen of death. Is it possible that a man in the middle attack gave me a bogus ISO and they installed a hack onto my PC?
Anyway, I had to re-write my drive with my clean image.... Now, who would do such a thing, especially after releasing the warning about tor and tails???

Here is what I got
c:\windows\system32\smss.exe - win32.user added

Bottom line, run tails on a PC with no other drives installed.

No I did not. Please do not infer that tails or TOR is compromised. The analysis has not been done. I thought however that someone out there would want to think about this event and perhaps try to reproduce it. For others, disconnecting your hard drives can't hurt.

Anonymous

July 04, 2014


"Such tools have stringent oversight and compliance mechanisms built in at several levels."

... which are summarily ignored.
LOL.

Anonymous

July 04, 2014


The Tor network servers in Germany and other countries need to be completely revamped with new cryptology. Let the world know when you've fixed the problem. Tor "you've been compromised".

Huh? "You've been compromised" because "You use the Internet and people can watch Internet traffic"? And we should let the world know when we've fixed the fact that people can watch Internet traffic?

Sorry, this makes little sense. Tor is designed to be robust to somebody watching traffic at one point in the network -- even a directory authority. That was one of the main points of the quote I gave them.

Anonymous

July 05, 2014


Help. I felt like I am caught in the middle of two gigantic rocks colliding with each other.

Basically, I am a simple person who has financial difficulties and is aiming to have a peaceful and private life. So I protect my privacy. I don't know much about codes, and programs, and all this computer stuff. I can be easily deceived. But I recently learned encryption and file verification, thanks to Tor and the people behind it. That 30c3 video months back was very helpful. I tried running a relay before but I suspected something was wrong.

Any advice? Just wanting the Tor community to know there are people like me and maybe a lot of others out there. Using Tor, indeed, I am one of the targets.

You're one of the millions of people every day who use Tor. And because of the diversity of users (see the quote at the top of this article), just because they know you use Tor doesn't mean they know *why* you use Tor, or what you do with it. That's still way better than letting them watch all of your interactions with all websites on the Internet.

I also like Sebastian's answer (Q 2) on
https://wwwcip.cs.fau.de/~snsehahn/Tor-Fragen.en.txt

I want to add that under this current total information awareness like concept you will never be able to say or do anything that will put you in good standing for all the future. Under this concept you cannot prove that you are one of ours, one of the good guys, and the matter of surveillance would be settled for you.

Even if you are a hard working church going farm girl in Utah you might one day unknowingly give bed and breakfast to a terrorist.
Therefore your phone, facebook pictures and emails must be monitored for unusual signs.

Or being bored tending the stables our farm girl and her friend may start watching Youtube videos of extremist organisations and visiting their web forums. And we all can imagine her Daddy has a shed full of fertilizer.

Thank heaven we did not have the Internet a generation ago. Otherwise I would not have been able to sleep-under this concept.

Every time a VPN provider has promised "no logs" in the past, there's a newspaper article a year later about how they turned over their users due to pressure from some agency. The problem is that the centralization makes their users vulnerable -- they have all the data necessary to screw you, and they promise not to do it. That's very different from a technical architecture where no single point knows both who you are and also what you do.

https://svn.torproject.org/svn/projects/articles/circumvention-features…

(Also, I assume people here will be smart enough to see a for-profit company trying to advertise themselves here, and draw reasonable conclusions.)

Anonymous

July 05, 2014


Have Roger Dingledine--whose CV notes he was briefly an NSA intern a long time ago--or any other employee/consultant/other paid recipient of Tor Project funding--held or sought any government security clearances for any reason within the past five years?

For an organization last known to be receiving about 30% of its funding via a surveillance-related US Department of Defense grant passed through an intermediary organization that its staff are contractually prohibited from discussing, it's an important question asked in good faith and that deserves an answer.

I haven't had a clearance since that summer 14 years ago, and as far as I know no other Tor developers (employees, contractors, committers) have had one (or tried to get one) either. Having a clearance these days as a Tor developer would be crazy risky, first because they can use it to control what you can say, but second because they would make your life miserable in this post Snowden world of ours.

That said, we work with researchers, like Paul Syverson's group at NRL, some of whom do have clearances. I'm happy to talk to all sorts of smart people and try to learn more about how to build safe anonymity and privacy systems. (After all, isn't talking to people with clearances how we got to this blog post in the first place? :)

We don't even sign NDAs, much less get clearances. And we try to do as much of our work as we can in public, even though that causes many distractions as journalists et al pick through our work and try to publicize things that we're only part-way done working on.

As for grants, check out some details here:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Yea…
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Yea…
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Yea…
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Yea…

Let me know if you have further questions and I'll try to answer them usefully.