Possible upcoming attempts to disable the Tor network

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.

Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.

The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.

[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Yes, my inside sources have informed me that the FBI is planning to take down parts of the Tor network as part of the investigation into the source of the Sony hack by North Korean sympathizers.

(To be clear, I don't know who this person is and as far as I know this isn't the person who tipped us off to write the blog post. That said, if you know something we need to know, please tell us!)

So it does have to do with the Sony hack? I read on CNN that the hackers were routed through severs in Asia, Europe, Latin America and even some in the US.

"routed through severs"

what are they, the fuckin teenage mutant ninja turtles?

severs != sewers

he's behind 7 proxies!

PUBLIC WI-FI!!!!!!!!

And more than likely involved some disgruntled ex Sony employees.

The sony hack was almost certainly determined to be state-sponsored North Korean hackers.
Probably totally unrelated.

Yes, I also currently think it's unrelated.

(Criminals don't need Tor; they've got lots of other options, and in some cases better options:

We know Tor probably has nothing to do with the Sony attack; the public don't. They will just believe whatever the government tell them. If the government want Tor to be down, they can put the blame on Tor (regardless of whether the attack really came from Tor), and shut down any servers or personal computers running Tor.

The government can't just "shut down" any personal computer running Tor. It would be easier to just shut down the government than that happening.

Of course they can. They can fake up an imaginary crime, they can hack it, or they can DoS it.

NSA in particular have been looking for a "justifiable cause" to attack TOR recently comment where made to the effect that operatives where"helping the tor team find possible weaknesses".

There are some interesting points to consider

1) many relays are high capacity high speed relays.not the sort of thing you would usually associate with a volunteer network of users.

2) "copyright" holders. have been wanting to find ways to control internet traffic to their advantage. citing"piracy" having not managed to get their way through offician channels their MO is not to try and get under the table agreements allowing them to directly interfere with DNS lockup tables at the backbone level.

3) As has already been pointed out. leaving aside outfits like the silk road drug distribution network criminals, including terrorists DO NOT use tor simple because they KNOW that doing to would bring them to the attention of the authorities .

4) Governments have increasingly been taking the assumption that they, and they alone are entitled to privacy no one else matters. the oft quoted"nothing to hide, nothing to fear" comes to mind and does not hold water.

I note that today(23/12/14 it took several attempts to establish a TOR connection, this is in itself an atypical experience for me usually i am able to establish a connection first try, within 30 seconds. 60 seconds max.

this leads me to believe two possible scenarios are in operation

a) fallback measures are being put into place
b) TOR is under active attack.

Lets see the evidence.

LOL, I think that North Korea doesn't have a unit 21 of high qualified hackers because it is too dangerous to have them.
1) North Korea is isolated from internet => there is a very little people who understand what these "hackers" do => who will supervise these men? They will be selfsupervised.
2) They have to give them unlimited access to foreign internet (because noone except them understand what they do and wheither they really need this information)
3) The hacker is a freeminded man.
4) 2) + 3) => they will understand all the shit about North Korea and will get angry.
5) because they cannot be controlled, they can start secretely destroying NK from the inside and noone can detemine that.

I think that
1) it is a psyop made to create a casus belli to put the screws on Internet in the US (see http://patch.com/california/studiocity/obama-slams-sony-north-korea-calls-congress-act )
2) NK is a voluntary scarecrow to frighten the citizens of all the countries of the world. One more reason to distract them from inner problems and remember them that if they require too much freedoms, rights and respect, the state will have to take measures like in NK such as cruel penalties for all law breaking, a collective penalty (very effective multieffect mesure), prohibition all the potentially uncontrollable means of taking freedom (arms, crypto without key escrow, computers without backdoors, radios with possibility to tune it, etc) with very cruel penalties, authoritarian/totalitarian regime enshrined in law, high taxes (to make people think only about that how to survive this taxes (paying them and surviving after it)), etc...

that is a somewhat bogus analysis. you obviously don't understand what brainwashing is, how it works, and or what motivates people to work. Your analysis of the system is done based on purely on western views. Surely if this were the case, there would be no Chineese, American, Russian, or any other nationalist hackers as well. Lets break this down.

>1) North Korea is isolated from internet => there is a very little people who understand what these "hackers" do => who will supervise these men? They will be selfsupervised.

Grew up in an isolated enviroment, being brainwashed since day one that NK is the best, and probably for a long time, that they are the elite of North Korea, and that everything else is pure propaganda. Given there is only 21 of them in a country of 7 million, there is no reason that NK can't give them special privledge that no one else gets, or other carrots, in addition to the brainwashing.

>2) They have to give them unlimited access to foreign internet (because noone except them understand what they do and wheither they really need this information)

and this gives them major leverage in North Korean society. Even if they understood how harmful NK is, they'd have to give up their status as elites. Or mabey even besides NK internet they are still not a fan of the USA and see themselves the way America does, as anti-Imperialist crusaders. Many other anti-USA nations are now sending envoys to NK to warm ties.

>3) The hacker is a freeminded man.

the American/Western hacker tradition grew out of countercultures very unique to America/the west, and its very anti-tech, very anti-intellectual cultures. "Hackers" as we know them, grew up being hated for being as such, by people who hated and feared the machines.

This is not an imperative of the computer using skill. There are no western style self-taught hackers from North Korea. Their hackers are taught, and funded by the state, and most likely developed a culture along radically diffrent lines.

People have this strange notion that everyone in North Korea is getting ready to defect at a moments notice, and that its basicly like East Germany, with no real popular support, or willpower. It is nothing more than rhetoric based on propaganda.

seems you are still trying to play "democracy == usa" card. it's just false pretend. it "was" but now it "is" police state with enormous brain washing capabilities. sure there is small nearly negligible part of usa government structures with sympathy to democracy way but en masse control is in nsa/cia/fbi hands. There is the place where main harm to internet is done and ongoing. And this unhuman structure arise on uncontrolled spending of tax players money and falsifying constitution.
and after all recent disclosures you still trying to speculate on possibility of small number of foreign hackers to "harm" whole internet already owned/controlled by nsa...

Well, actually those NK hackers were trained when they were young children.The authorities needed to do tests to choose those who had gift to study hacking skills and gave them proper educations and training, like sending them abroad (Of course cutting off the contacts of outside is very essential) and then sending them back to the university. NK has a special unit in composed of elite hackers.Their skills are no better
than super hackers from US, UK, Deutschland, Russia etc. Despite this brain wash is still vitally important~
hope can help~

certainly it's like the new 911 secret service rise. nsa new mind control chip is ready.

Actually, NK, does have internet in several different open ad closed variations ! Furthermore, there is a Unit 21, in addition to many more dedicated sections and subsections [ with various and different responsibilities ] !
There was an excellent blog on Twitter from @cyberwar, who mapped and scanned many of the different computers and their IP addresses, even so far as to I'd a Macbook.
So, the lesson here is...don't spout unscholarly drivel just to inflate your own ego. Now that you have been properly scolded, I take my leave.

Sony wasn't hacked by north Korea, evidence of that will come

Evidence is out, but it is being heavily censored by Youtube/Google, and others.

whatever suck up! i have a CCC attack going on and a Hp attack,Label print attack,Power Director attack Going on ever since the X-Box360 attack on Christmas! It Looks like a clean install! But I will mention that I got a mystery update By Microcrap itsef !!!! KB 971033 , once I installed it more SHTF! Microsoftis BAD !

You forgot Japan and the fact that they gained access via the Sony Picture building itself initially.

Complete lie. North Korea had NOTHING to do with the Sony hack.

It's just another volly in a long cyber war between Sony and hackers, that's been going on for a decade.

>U.S. officials also tell CNN the hackers routed the attack through servers in countries from Asia, Europe and Latin America, even some in the U.S.

>The hackers used common DNS masking techniques to make it look like it was coming from those places, but the National Security Agency and FBI were able to track it back to North Korea.
>North Korean internet traffic is routed through China, which is one way they are able to hide their activity, but the FBI was still able to trace it back to the origin, sources tell CNN.

This sounds like Tor is totally useless against the NSA and that they are able to see a full path through a Tor circuit back to the Tor client but if they are able to do this why would FBI need to seize Tor directory authority servers for the purpose of investigation?

Tor is not what I would describe as "common DNS masking techniques". It sounds like the Sony people used something much simpler than Tor. For example, a common bad-guy approach is to break into a computer and then route your traffic through it. And a common bad-guy slip-up is to accidentally make a direct connection once because you wanted to see if your attack is working or something like that.

FWIW, this blog post states:

The attackers appear to have used TOR exit nodes and VPNs to help cover their tracks, which indicates some awareness of operational security (OPSEC).


Indeed! Thank you. I will investigate more. Other people should please investigate more too.

I would trust more on this North Korea thing if accusations come from sources other than the U.S. Government and/or U.S. corporations. Really.

extremely useful advice. falsifier #1 is "U.S. Government and/or U.S. corporations".
bcose as they say 'national security matter, so shut up an eat'.
and it can be just a pr action before attack on nk country. btw is nk in one basket with kgb state?

>The hackers used common DNS masking techniques to make it look like it was coming from those places,

Sounds like advanced hacking (yeah I'm sarcastic).

Considering the hackers did not hack it from Korea, but rather a hotel in Thailand, all that info is bull.

You mean the Sony hack by Sony as a publicity stunt?

The Sony hack by Sony was my first thought until they pulled the movie. Even so, if it is re-released it certainly has plenty of free press. And if the leader of North Korea weighs in with a positive review, who knows. He looks ready to enjoy some NBA games and give up on all this fearless leader business.

Sony pulled the plug because they knew the movie was going to be a flop. Instead of having the balls to admit failure they create the big hack scare and place the blame on someone other than themselves.

bottom line is never believe corporations. especial sony.
remember sony cd-virus business? or changing technology for artificial lowering life time of hardware?
they will do anything to rise profit.

There is almost no chance IMO that Sony would release 50,000 of their employees social security numbers, passwords, credit cards, the email inbox of the ceo and other people.

They have nothing to hide.

The movie is to be released.

of course it's sony hacking sony, helped by US govt.
sony gets to test punk marketing for a movie and manipulates the public to pay for a movie they'd probably normally illegally download by 'mah stars and stripes' patriotism rant.

US govt gets another reason to ramp up sanctions against ronery korea as well as kicking TOR in the head and looking like internet supercops.

US corps play along for their own interests and the paradigm of white hats v black hats is clearly defined for the sheeple so they can go back to sleep.

mission accomplished (insert aircraft carrier)

Problem, reaction, solution.

It is Anonymous.

Greetings Tor.
Your insider may wish to purchase a crash helmet..
As you know Tor was attacked by #LizardSquad @MafiaSquad.
They and #FinestSquad are part of a huge FBI/US intelligence psy op.
I will leave you to ponder upon the implications of this
Good to see the attack was a big fail.
Happy new year Tor...It's gonna be a fun packed one for sure!

S.U. Wizard.

TOR is criminal.. destroyed the files on my computer.Want a fee or use their browser to get them back


Thank you all for the warning, and thank you for your work.

What can we do?

If you know any people or groups who misunderstand the value of Tor, you can teach them why trying to undermine the Tor network would harm a lot of good people and generally cause huge collateral damage. Explain how Tor has helped you in your work. Help spread the word.

So, short answer, don't worry too much. We wanted to be safe and tell you just in case it turns into something.

a) stop using google
b) set useragent string "google go away"
c) go to real shop, buy some real beer, drink it and think who the fuck is that sony? bear?
d) change everything back and relax watching new pr show.

To the bat mobile... Swoosh!

Umm, who wants to and is going to seize which nodes where an why?
Stop with all the veiled silence bullshit, it makes you look stupid, and like some questionable entity.
Torproject is not the only voice and direction of tor, and you're preventing the rest of the voices from speaking freely in support.

To be sure to keep our source safe, we're not providing more details quite yet.

But actually, we don't know many more details than the ones we posted. And as for your 'why', that's an excellent question, and one we've been wrestling with too. There are nine directory authorities, spread around the US and Europe. If they're trying to hunt down particular Tor users, most possible attacks on directory authorities would be unproductive, since those relays don't know anything about what particular Tor users are doing.

Our previous plan had been to sit tight and hope nothing happens. Then we realized that was a silly plan when we could do this one instead.

What exactly is the upside of making the rumor public? Downside is the seizure doesn't actually occur for whatever reason (good so far..) and then Pando publishes a series of 'cry wolf' articles about how Tor is run by delusional paranoids with a persecution complex.

Because they believe its more than just a rumor? Why not share that information?

Don't reply to this jerkoff. He's probably some self-interested party (poorly) masquerading as a neutral observer.

Oh my god is it the Pando guy who wrote that article exposing Tor's BIG SECRET: that it receives government funding?

I think it depends on the definition of upside and downside. If there is no attack, then that is good for Tor users. Maybe the attack was delayed or redesigned, or maybe it never actually existed. If this happens, we may never know. There may be repercussions, but it's a necessary risk, because if there is an attack and we didn't say anything then that puts users at risk, and that goes against the purpose of this project.

Who believes that paranoiacs are delusional anymore?

All anyone has to do is point at the NSA and that argument is invalidated.

It's a real blow for mental health workers, actually.

fine words. sick and tied of such spynet blowjob.

What if they know what the person was doing, ie. which websites they were on and what they were doing and they wanted to find out what their real IP was? Would this be a way to do it?

No (but yes, kind of). The directory authorities know nothing about Tor users, so taking these servers offline or compromising them has no direct impact on the anonymity of users. However, if you control enough of the directory authorities then you can define which relays are in the network. At this point, users can potentially be deanonymized. This is a huge attack, though.

Yes. Two refinements to sysrqb's answer:

A) Taking over a threshold of directory authorities would tell you nothing about what Tor users did in the past. It would allow you, at worst, to make up a new fake Tor network and try to trick users into switching to it. See my comment below for more details.

B) By "huge attack" I might instead say "hugely expensive attack", at least in terms of political capital and goodwill.

they want it - to own internet and allow only marked with your id-number ip packets. they want to insert in you head identification chip with this number and to trace it (and they have done it with home animals). they want you to be part of their own internet machine. they want to harass you with if you try to not use their "services". they simply want to control you. so please try to read some uncontrolled by them sources(real books?) and think.

Surely each operator has a disaster recovery plan in place already, for more usual events like hardware failure. If the servers were seized, could you all not just execute that, and be up and running again within minutes to hours?

In practical terms, is this not simply a minor inconvenience?

Could authorities replace seized DAs with their own clones that only send users to NSA/GCHQ controlled nodes? Is this possible without knowing DA private keys if you have full control of the hosting server?

It depends what exactly they can extract from each computer. Years ago we separated the directory authority keys into a long-term (offline) key and a medium-term (online) signing key. Directory authorities have their medium-term key expiring at various times:

We've taken some steps recently that we hope will make it quite hard for attackers to extract the medium-term key even if they seize the computer. So for the ones where that hope turns out to be true, they get basically nothing besides disruption by seizing that authority.

If they nonetheless can extract five unexpired signing keys, then they can make up their own consensus and point people to their own relays. That would indeed be really bad. For a bit of consolation, it would be super highly illegal and places like EFF would be happy to mess them up for it. But let's hope that doesn't happen, especially now that we've made clear to them all the collateral damage involved.

In any case, even if just one is seized, we'll likely put out a new Tor release that stops trusting that one. Otherwise they could in theory keep chipping away at the directory authorities (though the expiration dates on the keys will put an upper bound on how effective that approach could be for them).

Hope that helps.

if you haven't already, you should consider auto-wiping the keys on those servers if motion is detected in their proximity. (assuming they're located somewhere where there normally isn't movement around them, like a cage, anyways.)

from a layer 7 and above perspective.. are you confident that all directory authority operators will be able to detect whether someone may have physically tampered with or replaced a directory authority box?

for example, jake's most likely not going to be in the US anytime soon, although i'm guessing he has friends who could examine the physical integrity of the directory server he runs.

physical custody of keys/boxes has been on my mind lately, since recent TBB releases were signed with erinn's key even though she doesn't work for the tor project anymore.

These are indeed all important topics to pay attention to.

As for Erinn's key signing Tor Browser packages (and she does indeed still participate in Tor Browser development stuff), check out
(And also remember that the builds are reproducible, so the signature is not as important as it would have been in the past.)

thanks for the quick reply; i agree re: signing keys. wasn't trying to cast doubts..just was pointing out that some of my own tor-related assumptions about who physically controls keys came up recently

hope you've mitigated cold boot attacks on all the dirauth machines!

Please in an update add a revocation so that at least any long term signing key could revoke any of the medium term keys and itself.

Then each node would only have to hear a revocation once to take that key out of service. It would greatly reduce the benefit of compromising the keys.

>>Could authorities replace seized DAs with their own clones
>>Is this possible without knowing DA private keys
seized the key got the server

Agreed on the first one (though that's the sort of behavior that EFF would be excited to litigate, since it harms a huge number of ordinary people).

As for the second one, I assume you mean "seized the server got the key", but even then it's somewhat more complicated than that.

I use the torrc to select the DA I trust.
DirAuthority [nickname] [flags] address:port fingerprint

my relays can NoAdvertise
ORPort [address:port] NoAdvertise IPv4Only
but I can't find a way to add relays or include nodes not in the bad DA lists

You should learn more about the directory design and how the threshold of signatures works. I can't quite figure out what you're doing from what you've said, but it sounds likely that you're shooting yourself in the foot.

In particular, configuring your Tor client to use a subset of the current directory authorities could actually make you weaker than configuring all of them, even if you genuinely do trust only that subset.

Honestly, I agree with the poster above. With this threat and the online harassment blog post, you folks are woefully short on *facts*. To me, if you don't share the *reasons* for why you're doing what you're doing, what you're doing is of little use.

It's like the US asking us to trust them, because we can't handle the truth...and we all know how much we trust them.

For a non-profit that's all about openness, Tor sure isn't open when it comes it its own dealings.

I agree totally! Tor, "Stop with all the veiled silence bullshit, it makes you look stupid, and like some questionable entity."

Couldn't Tor get rid of the directory authorities somehow ?

I hear that the Tribler network uses a Tor-like protocol without DAs. Anyone can run a bootstrap node, and that's enough to keep the network running apparently.
It looks like bridges for exemple could take on the additional role of bootstrap nodes for Tor.

Has there been any discussion on that ?
I'm not too fond of trusting a couple of servers that may or may not have been seized.
There's not even a warrant cannary page afaik.

There are a bunch of research papers looking at exactly this question.

Check out
for one direction, and then
for another direction to consider.

The current situation is that nobody knows of a better design that is actually better in practice. The one we have is well-studied and has well-understood downsides, so I'm not eager to move to one that is poorly-studied and has poorly-understood downsides.

As for Tribler, my current understanding is that Tribler provides *significantly* less anonymity than Tor does, and a lot of its weakness comes exactly because it has an easily attacked network discovery mechanism.

Would you care to extrapolate on why Tribler is less secure than Tor? I'm pretty new to Tribler, and haven't found any good sources on that information.

If enough directory authorities are controlled than the available hosts can be specified by an attacker and they can specify only their hosts. In your the directory authorities are trusted parties in the other one they are whoever wants and so an attacker can create a ton of those.

How about making the directory authorities P2P using blockchain technology?

Somebody should actually write out the design for this and work through all the details. I bet there will be some interesting, subtle, and devastating attacks on the first couple of versions of this design. More research required!

Namecoin solved this years ago!

I disagree. See my above comment.

(Part of the confusion probably is that directory authorities serve a variety of purposes in Tor, to defend against a variety of attacks. To move beyond "yes they do no they don't", somebody should write up a clear explanation of everything directory authorities need to do to serve their purposes well. The above links are a good start there, but see also
http://freehaven.net/anonbib/#danezis-pet2008 )

agreed directory AUTHORITIES know what is best for me not crypto!

Was 'tor/' was ment to resolve .onion or nodes?

1. uh ya was namecoin was ah du

You should blockchain the infrastructure it runs on as well: http://utter.io/

namecoin or torcoin her we come.

I feel a fork is in order.
OpenTOR will have
+local node list addition in torrc ie. private nodes or boot strap nodes
+namcoin tor/ node list option
+namecoin DNS
+node invisablity by dual socks4/https on port 443

Moar on node invisablity.

make a tls/ssl connection to port 443 tor reads first data.
if (first byte 'H') http stream to web server
if (first byte 04 & password good) relay trafic
if (password wrong) stream to web server to send back error

This is a private node if the password is private and a new type of bridge if public. aka f2f bridge

Hey, look, you're trying to reinvent STARTTLS.

no not at all
starttls is just encrypting a port
you can have socks4 and http share a tls port

switch (socksver) {
case 5: /* socks5 */
case 4: { /* socks4 */
case 'G': /* get */
case 'H': /* head */
case 'P': /* put/post */
case 'C': /* connect */
"HTTP/1.0 501 Tor is not an HTTP Proxy\r\n"
"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
"Tor is not an HTTP Proxy\n"

just hand off http(and socks5 because hand shake is required) connection to a web server.
if socks4 has good password relay in tor else connect to web server to return error.

trust me it works! and should be part of tor

starttls is nsa invention. nobody in his mind should chance protocol after connection. it is like inviting all the spies in the path. right sequence _must_ be as in: service should wait for some information from a client to select own behavior according to that information. if something wrong - drop connection.

DA can be changed in torrc.

Oh fuck! namecoin & invisibility? The NSA shils are asleep today!

Ok, I'm going to cut off the namecoin thread here before it takes over the whole comment section.

Somebody should actually build an actual proposal here. Come back when you have one. Thanks! :)

(A great place to send such a proposal is the tor-dev mailing list.)

Feel free to fork -- the license lets you do so and we are big free software fans.

But please do not name your resulting thing "Tor but better" or a name like that, which will confuse users into thinking your thing is somehow written by the Tor people.

Why not use a cryptocoin like namecoin to determine authority of nameservers?

They would have to take over the whole cryptocoin system with a 50 percent attack which is very difficult to do _especially on a proof of stake coin like the newer coins.

But blockchains by their nature record a history of all transactions. It seems to me you're just creating a new risk, here.

It's such a shame to see the country I live in among the "repressive regimes" :(

Thanks for what you're doing.

It's a shame to not see the country I live in (US) among them. I think it might turn the tide of public opinion if it were more widely accepted that the chilling effect of "passive" communication interference should be grouped with other forms of repression.

who and why should believe in "passive"? who can catch them if its not correct?

This whole North Korean hack thing is so obviously a false flag operation. And who can trust anything the US Government says any more anyway? The worldwide political elite are a haven for crooks, liars, and murderous paedophiles.

Yeah I def think it's a false flag operation. The public has been very anti-government of late; wouldn't it be great to rally everyone behind a common enemy?

It's a reptilian conspiracy.

This tbh

I wondered how long it would be before someone said that. Lizards hate onions.

fine new name for nsa net - lizardnet. so i see headlines - "lizardnet define new dangerous trend in user behavior - before watching new daily propaganda block they visiting toilet. our new swat teams ready to fight such illegal behavior."

If its false flag then the government has been feeding our media misinformation for years about NK. Everything about the Sony hack fits perfectly and points directly at NK. Not to mention they have reason to not like Sony and lack of rationality to care about getting caught.

i do not like sony so what? and if they have some damage i will not be sorry at all.
but what about damage for everyone because of lowering ttl numbers in dns responces by many corporations? for me its more important than some problems in some corporation.

The messages sound American to me. Like in a comedy where a teenager pretends to be Korean but using cornball Engrish. At one point, the part between the parentheses, they slipped into regular American English.

LulzSec probably left backdoors. This is just a huge troll, and delayed revenge.

Same goes for the UK government,GCHQ are known to want to get a good foothold into TOR some even argue they may have the capability to fully compromise its infrastructure.

It feels like there are fewer exit nodes these days.

I've got my little 10Megabit exit node running, so I'm doing my part. I bet the TAO are hanging out on my network watching it though....

Thanks for running an exit relay!

As for TAO hanging out on it, that seems unlikely -- not because nobody would want to watch it, but because various intelligence agencies already work to surveil large parts of the Internet, and I don't think they need the TAO group to help them there.

As for the original point about how it seems there are fewer exit relays these days, check out
The capacity provided by exit relays is slowly growing (the capacity provide by non-exit relays is indeed growing faster).

And the *number* of exit relays (not really the best measure but it's another way to judge) has been very slowly growing too:

I see exclusively big and growing log of "We tried for 15 seconds to connect to 'xxx' using exit yyy at zzz. Retrying on a new circuit" records. So maybe many relays are just fake? Or they allow connections to to sites interesting for nsa operations only? Kind of prefiltering?

Or the site you're trying to visit is down or flaky. Lots of options. Don't jump to too many conclusions too quickly!

well, i don't. I know site are not down as i can use plain telnet to check tcp connection. any other comments?

You might still be seeing the 15 second timeout thing, if the site you're loading pulls in some third-party component which is unreasonable. And your telnet test to the primary site would not notice this.

Just noticed while running distro updates on node smitty that tor had been down for 3 days. Only a disk space issue, however.

Sounds like a good case of needing to decentralize your directory services... If only there were an amazingly great invention called Bitcoin or Namecoin that could be leveraged to do such a feat.

See above:

"The current situation is that nobody knows of a better design that is actually better in practice. The one we have is well-studied and has well-understood downsides, so I'm not eager to move to one that is poorly-studied and has poorly-understood downsides."

Right. So every time you connected, your IP would be registed in a permanent blockchain, as a means of being discovered by others on the network.

You totally know what you're talking about.

Not necessarily, you could publish the most recent node list via a blockchain transaction. The publishing address would then be the "announce" address which client's would lookup. That scenario would require no writing to the blockchain. What we don't know is how secure that scenario is.

Wrong block chain has public list of nodes. All "thay" know is you downloaded namecoin block chain.

Decentralization is very much needed, but what's essential for Tor to realize such things is "Developers, developers, developers" ~Steve Ballmer

By the way, i'm not a developer.

I. Love. This. Company. Yeaaaaahhhh.

The funny thing is that the more they attack (or attempt to), it just teaches the devs how to strengthen the network. Govts can try to whack-a-mole TOR, but their attempts are futile.

HN thread: https://news.ycombinator.com/item?id=8774833

Is there nothing the community can do to improve the situation? Wouldn't it be possible to launch extra DAs in places that are more difficult to shut down?

Unfortunately, just adding more DAs doesn't make the system more robust. There's a significant overhead in dirauth communication and the voting process is not as robust as we'd like. We're pretty happy with the set of dirauths we have currently.

The community can do many things to improve the situation. Primarily: donate and educate. Make a financial contribution to Tor Project, be it cash or virtual currency. Educate others about right to privacy. Defend Tor from media attacks labeling it as a nothing but a merchant of death, drugs, and dissidents.

Yes please! We need you, the Tor community, to help with education, advocacy, and awareness.

(And donations are great too. 'Tis the season and all.)

Wait, what?? Donations???
Doesn't the government pay you and your project anymore? Or did you already burn the $100k+ you got and the multi million $ the NSA/DoD/HomelandSec donated to the project this year?

The funding we have from various government agencies comes in the form of specific deliverables. For example, everybody likes funding work on pluggable transports and censorship circumvention (it's uncontroversial to help with providing freedom for "over there"). But nobody cares much about funding stronger anonymity, since they think we have a great handle on it and thus there's no need to work on it. So donations are how we are able to spend developer and researcher time on the things that the world needs but it's hard to find funders for.

For other background and explanations, see
and also our 30c3 talk which discusses funders and funding:

Did I miss something?
"Our previous plan had been to sit tight and hope nothing happens. Then we realized that was a silly plan when we could do this one instead."

What plan / action is, "this one instead?"
Other than announcing the possible attack, or the already "built in Tor network redundancy," what plan are we talking? But those are good, on their own.

The plan of doing this announcement.

Indeed, there is not much else we can do; so now we sit and wait. Let's see what happens.

Thanks. And Roger is probably busy right now (should be), so can't answer.
But while announcing it on a blog & tor-talk may? be a good idea, it isn't really a "plan" at all. That's why I thought I'd missed something.

"Wait & see" is sometimes prudent, but not a plan.

I live in the United States. I use Tor for my everyday web surfing because I believe any record of my web activity to be a violation of privacy. I have nothing to hide, but hiding is my choice. Online privacy is a right for all.

The threat to internet security is pregnable systems, not a network that allows anonymous access to those systems. The threat to our nation is not the threats of anonymous hackers, but adhering to their demands. Sony Pictures, Regal Entertainment, AMC Entertainment and others have put our nation at risk by rolling over at the demand of terrorists. By refusing to release that movie they have set a dangerous precedent and opened the door to future attacks.

nice addition to the nudist company "We have nothing to hide"TM. EVERYBODY have. Otherwise you are controlled by by some inter-terrestrial government because they have something to hide. How this something can appear if it was nothing?

I live in the United States. I use Tor for my everyday web surfing because I believe any record of my web activity to be a violation of privacy. Online privacy is a right for all.

100% agreed. I'm also using Tor for each and everything I do on the internet.

I have nothing to hide.

If one has nothing to hide, why would one put their letters in envelops?
If one has nothing to hide, why wouldn't one walk naked through the streets?

Someone who has nothing to hide is an "exhibitionist", which is considered to be a state of psychological disorder.

Roger: As far as I can tell there are 9 servers that are listed in the Tor source as directory authorities. Let's say that 4 of them were be seized and taken offline indefinitely.

How would this affect the remainder of the Tor network? My guess is that it would increase the load on the other nodes, but if they have sufficient spare capacity it would not result in an outage. Is that generally correct? (I apologize for not knowing as much about Tor's internals as I probably should.)

(Sorry, not Roger)

Correct, there are currently 9 directory authorities. More than half of the authorities must be online and they must reach a consensus on the current state of the network every hour for them to create and publish the hourly networkstatus-consensus (the list of all the known relays). If four out of the 9 dir auths were compromised and taken offline, then the remaining 5 will continuing publishing the consensus and the network will continue operating normally. If more than 5 are taken offline then this was a horrendously large operation and the necessary corrective actions will be taken to ensure the network remains operational.

The one performance impact will be seen by new clients. When they first try connecting to the network (download and launch Tor Browser for the first time) they will try connecting to one of the directory authorities and download the networkstatus consensus from it. If some of the directory authorities are offline, it may take some time for each connection to timeout (while the client connects to an unavailable authority), but eventually the client will reach an operational authority and it will then be able to use the Tor network as usual.

This sounds like a possible denial of service attack would be to seize a single server, leave it online, and program it to never agree with the other eight thereby preventing the hourly networkstatus-consensus publication.

Fortunately, we've got that particular issue covered. The directory authorities look at the votes and signatures and produce a consensus around the votes and signatures that they all agree about.


is timeout really essential? everybody in path can open/close tcp connection without actual service.

It sounds like you're talking about a different thing. But I have no idea what.

What if this isn't happening and they only passed this information in hopes of finding the source of other leaks...

What if Tor Project *knows* it's a decoy leak, but published it as a credible report anyway to avoid revealing that they've compromised the adversary's leak-detection operation...

This is my fear as well. I would hope the source would ask that the information remain private, if there is such dangers from early disclosure.

'countries such as Iran, Syria, and Russia'

You forgot to include USA and UK and UAE.

Those were examples, it was not an authoritative list of oppressive countries. Sadly, it seems more countries are added to the list every year.

Well,you forgot to include China.

yeah, and Turkmenistan, Singapore, Burma, Vietnam, Saudi Arabia....

lets restrict the list to big countries. say more then nnnM people. all "nk hackers" are just section 12345 nsa team to compare with.

So without these DA's, these servers that you control and everyone entrusts their anonymity to, Tor can be killed? Great design you have there.

Thanks for the insightful and productive comment. No, it's not the best design; but it is the best design we have right now. Also, The Tor Project doesn't control the directory authorities. They are run independently by individuals and groups Tor trusts.

I can't claim to have a very good idea of how the physical infrastructure looks behind tor, but by the sound of this comment it sounds like it would scale well horizontally? Is the tor project in need of hardware? I can't contribute with colo's but i have access to used ibm x-series servers and similar. See you guys at 31c3

Those servers have absolutely no ability to compromise any Tor user's anonymity. They're each just a directory of where all the nodes in the network can be found at any given hour.

Best wishes, appreciation for your hard work, and hopes for peace in these hyper-annoying times. I say good things about you folks, often with passion, and sometimes using strong language. :-)


I'll second that.

Thanks Bob!

I'm sorry, but the "right to privacy" does not mean what you assert it means here, at all, even in those jurisdictions that (unlike the US) have that right enshrined in law or constitution.

If you are going to rely on political explanations for your actions, I think it is fair to ask that you get your politics right.

The meaning of the right to privacy is quite clear. It does not give you a right to Tor-like services; it never has, and you'll find very little in Brandeis or even current EU law to justify this.

You might argue that it should include Tor-like services, but it currently does not.

Live in the world you want to live in. (Think of it as a corollary to 'be the change you want to see in the world'.)

We're not talking about any particular legal regime here. We're talking about basic human rights that humans worldwide have, regardless of particular laws or interpretations of laws.

I guess other people can say that it isn't true -- that privacy isn't a universal human right -- but we're going to keep saying that it is.

brilliant comment, roger

Just as the Second Amendment to the US Constitution does not grant a right ... it merely acknowledges it as pre-existing ... the most any other political "grant" of rights can do is acknowledge pre-existing rights and agree not to infringe upon them. Whether the Second Amendment has been infringed or not is not the point under consideration but the issue of whether a right exists outside of any declaration by a government that it does.

There is a right to privacy. There is a right to speak freely. There is a right to defend oneself and neighbors from attack regardless of the source of the attack. These rights await no dictum from any source. They are rights possessed by all mankind at the moment of birth.

Arma is correct. If "rights" depend on grants by authority, then there are no rights to be had anywhere for anyone. If a "right" must first be granted and can later be withdrawn, it is not a right ... it is a privilege.

Free men and women assert rights, servants seek privileges. Might I suggest that the rallying cry of "Live Free or Die" remains the essence of all freedoms all over the globe?

"RINO" takes on a new meaning: "Right In Name Only".

Actually, you're mistaken: a right to anonymity is enshrined in many laws around the world.

don't forget to put on your pants when leaving government premises. should i talk with my children as we are in jail? fuck you "law" which justify this.
I'm sorry, but i don't need your interpretation of humanity.

So is the aim of this attack to disable the network or to de-anonymize users en masse? If the latter then how? If the former then what would be the point, since I assume you guys will just establish new DAs and be on your merry way?

Thanks for all your great work!

The short answer is we don't know.


This cyber attack has really spooked the govt...it seems they have -finally- realized just how vulnerable we are to cyber attack. One can only imagine the scene if someone does this to the electrical grid.

Speculation here but I wonder if the prez has authorized for Tor to be nuked? Given this and the recent drugs and cp busts the FBI may have convinced him that the downsides outweigh the upsides. Man the DoD is gonna be pissed.

Re the electrical grid, you're right that there sure is a lot of vulnerability going around.

As for the speculation part... while we're speculating, I'll counter-speculate that Obama has never even heard of Tor. The DoJ is full of people trying to make a name for themselves, who get unhappy when something slows that down. And those people are super unhappy that companies like Apple and Google have been working on architecture changes that make compliance harder.

At the same time as we're freaking out that all the intelligence agencies have spiraled out of control and are illegally watching everything, these people are freaking out that they're about to become unable to see anything and unable to fight any crimes. It's an odd contradiction, but here we are.

Obama never heard of TOR??? wtf? I bet he never heard of Edward Snowden either
please don't tell me the people behind TOR are this naive

which one obama? before or after words "forget all i promise before it was just joke". newest design obama for sure will say "never heard of internet."

If 5 or 6 directory servers are compromised would that mean all trafic could be routed to bad nodes?

Why not use namecoin as a DA?

price spiked last week

Have the tor devs considered the possibility of using satellite technology? I'd like to see the FBI try to go up there as seize a satellite. I know that sounds prohibitively expensive but I think it would be possible to raise funds.

just bounce it off the moon

this is my favorite Tor blog comment.

Large antennas are very hard to hide.

expensive for FBI, perhaps, but probably not for NRO

even more expensive for NRO -- it would reveal the capability very publicly

I'd say something about the epic irony here regarding your last update here, but your censor comments. Also ironic.

The epic irony of "Tor matters to a lot of people and we wanted to let people know of this possible upcoming attack"? Thanks for your understanding I guess.

As for censoring comments, we've disabled all the parts of the blog comment system that report your IP address and other details to recaptcha or other spam engines. That's a feature in my book, but the downside is that we get a bunch of spam that we have to manually delete.

Oh, and yes, we also delete the small number of comments that are deliberately hateful or harmful. I'm a fan of free speech, but in this case those people should go take their free speech elsewhere.

Yes, the flood of spam comments for shoes and Chinese herbs.

Or Chinese herb shoes. Ooo, new band name.

What prevents the united states government from using the resources discovered in the seized servers to permanently infiltrate the network?



In North Korea we have ways to make you talk, ARMA! We will now turn all of your blog pages upside-down so you get headache.

Going public probably averted a catastrophe. OTOH, law enforcement types don't like to be outdone. They may just go after you personally now. By hook or by crook...

Well, I'd like to think it wouldn't have been a catastrophe no matter how it played out.

But it could be a big distraction, especially since we've all got more important things to do next week (31c3 is coming up, with no doubt more embarrassment for governments about how they've broken their own laws and done horrible things).

It is obvious that there are many out there who would like to see the network disrupted as it undermines and in some cases directly threatens what they do (or would like to do).

The removal of DA's will not prevent Tor working per-se but it will cause significant issues with maintaining the integrity of the relay list and communication of that to client instances and indeed other relays.

We would question the motivation behind such an attack though, is it just short term disruption? Or a nefarious attempt to propagate a longer term sybil-a-like attack? Or something else completely?

In any case it is clear that some consideration must be given to the DA function within the network and how to hold the census together in a more resilient manner but at the same time avoid creating exposure to sybil attacks. The mechanism used for maintaining the Hidden Service directories using a DHT is an obvious candidate but again just opens up the DA function to a different class of attack.


El Presidente


is there a possible pre-emptive action that can be taken - in the open light - to render such a move futile ?

For instance ask the nice people from CCC and their freedom minded supporters working at freedom minded companies to set up another three directory authorities? Which would work on a short time scale.

A suggestion for the longer term, would be that the developers take some lessons from the freenet design and ask your bridges (& perhaps users along) into lending some harddisk space (1mb for example) and distribute broken up lists in an encrypted way over these channels (key served later).

And perhaps let bridges turn into DAs themselve, distribute an encrypted "fortune cookie", and when the DAs shout a special key throughout tor then only certain(random) bridges & users can turn into DAs(minimizing the chance of a hostile takeover of tor).

I suspect that a fast reaction that would take place within a few days might be difficult.

The directory authorities (DAs) almost certainly need to handle massive amounts of bandwidth, need to be on colocated hardware, and need to be security hardened. This means that establishing a new DA would take some time - and even then, I suspect (but do not know for certain) that the DA would then have to be hard coded into Tor. So, users would then half to upgrade to get the advantages of establishing a new DA.

Additionally, the people that run any new DAs need to be trusted to keep the network secure.

As far as the more technical solutions you mention, you should consider creating a proposal for a more complete idea so it can be evaluated in full. While doing so, it is helpful if you can suggest some advantages and disadvantages that your approach provides.

Well, by their breaking of their own laws, they are certainly crooks.

Stay safe, Tor team.

Why is this happening?!!!

I said this on another forum once. If I know anything about the US Navy and the DoD (not talking about 5os and other feds, only military) that tells them what to do and how to think; They have thier own damn tor network, despite what dingledongs and applegay say.

when on earth have you seen the military activly operate where civis are? sure they may have several bases where we live but really now, do they launch any real attacks from them? only excercises and in times of emergency... the military isn't exactly fond of emergencies.

Good luck on reloacting your DAs. Just, try to do it right. I have no idea of your situation so I can't know what right is; but you can figure it out by taking a moment to think. If they bothered to ask you before hand, you may have some time to plan. I don't know who exactly wants your DAs but it can not be for peace or for our benefit.

Don't matter if the military thing is true or not Tor is our own real anonimity system that works on the regular internet. Although don't act surprised if it is true because and I will say this ahead of time... I told you so.

Suggestion: why not let people voulunteer DAs (that work on a distro like tails) you will find out about them via email, in person, and or the same way to find out about hidden bridges... then you could just cherry pick the DAs you need, as you need and see fit (for consensus voting and the such) until someone comes up with a more suitable replacement for "decentralizing" your DAs. (namecoin sounds interesting but... bitcoin is not anonymous everyone, everywhere would know when you search for something or 'bought' a domain name; I have other ideas such as dark/anoncoin but dingledong is right, we still need to do our homework)

p.s. I know the nicknames sound like insults but as a TG, they are what I find sexy about you two. ;)
Seriously, thank you for tor. I am not like some high profile person you have saved. I mean you have helped me keep my transition secret until I feel ready from my family (by using tails). I was just really ashamed what they would think about me if I was searching for these things and I thought I was alone and what I was doing was selfish.

If $people think, one or more additional directory authorities in Germany make sense, please contact me (use the contact info of exit node 6B3209C88923A80A4DF4C86F585ED4A8643DEF89 or relay 868A253C330F40FBE435D9320849397F85823E86). Immediate action and/or meeting at 31C3 is possible.

What I think is desirable is having one or two DA in South America, probably Brazil and/or Argentina, which are more or less independent from the US, but I don't know how exactly are DAs chosen.

As if we believe anything the FBI or CIA says . It was prob them who hacked Sony

It’s unconscionable that you don’t include the United States on your list of “repressive regimes.” That country must top such a list.

Choose your battles.

I would rather write and deploy software to let other people change the balance of power, than smack the US government in the nose repeatedly.

Then why pen such a list at all?

A sad time. Tor is needed as a stronghold against totalitarian countries. :-(

We should make little clusters of networks that connect to each other so the whole world can be the tor network. So you can't shutdown the whole network. You would need to take it down computer by computer and that would be almost impossible.

Sounds good in theory. But there are many details to work out, and many designs like this in the past have been broken.

For something kind of related, check out Herbivore:

And for attacks on a Tor design where not all the relays can reach all the other relays, look at

How about the I2P network? Couldn't we incorporate some of their ideas into Tor?
I2P doesn't have directory authorities, after all.

I don't want to promote I2P here, but I'm genuinely curious: Has this been seriously considered?

It has been considered, but that doesn't mean everybody has all the answers.

I believe I2P's network discovery mechanism falls to various more complicated attacks. I'd rather stick with the simpler design where we understand the flaws and we understand the attacks.

That said, there's a great opportunity here for researchers to step in and do some analysis on the I2P design -- one of its huge problems right now is that they've for whatever reason failed to get researchers to care enough to break it, except in rare cases like

yes and as tor is just a distributed (tcp) switch nothing can prevent building a "new internet" say on family/company basis.

There's no democracy nor privacy in the country were I resign.
If this last privacy services end, I will damn all the neat American technologies which only supports my authorities to monitor their citizens, and will abandon the internet and cellular communication forever.

Wouldn't it make sense, in the short-term at least, to get more directory servers up, particularly outside of the US and EU?

I was going to mention Wyoming, but not sure if anyone would get the "Dog Day Afternoon" reference.

Not in Munchen


No, that paper isn't relevant here.

In fact, that paper was misinterpreted by the media: see
and for many more details,

In particular, look at the comments by Sambuddho (the author) about how his paper does not mean what people are thinking it means.

Imagine the boring time from Christmas to New Year without Tor! Disaster! Fuck the United Stasi of America and their Gestapo scum!

It would seem Tor has been a thorn in side of NSA for a while. This Sony thing is as good a pretence as any to seriously harm it.

Is there a canary system?
How good is physical security of servers?
If you get a National security letter barring discussion there should be fail safe alert.

In the long term is there anyway to use stenography concepts (browsing in plain site) combined with Tor to make it exponentially more difficult to track?

I'd like to think that our architecture makes national security letters not as dangerous for us. For example, delivering a national security letter to The Tor Project won't affect the directory authorities, since The Tor Project doesn't run any of the directory authorities. Similarly, sending a national security letter to just one directory authority doesn't do anything by itself no matter their response.

And *that* said, if any directory authority operator gets a national security letter, they should simply shut down their directory authority:
There are no letters that demand changes in behavior where you can't instead just choose to stop. Other people will pick up the baton.

As for steganography, you should learn about Tor's pluggable transports:

How do directory authorities become authorities, a hard-coded list somewhere or are they chosen by the network ? An NSL or other court order could force a change to a hard-coded list.

No, they're manually chosen by the Tor community (i.e. us), and everybody can see the ilst. Most of the directory authority operators are high-profile figures in the security community, so many people get the chance to meet them in person and evaluate them.

As for a national security letter that would ask us to modify the Tor source code... we will never do that. See also this thread:

A bit of troll...

Please consider alternate hosts for Tor bundle download. It is blocked in my country which is an US aly and therefore no media bothers to criticze it when it comes to human rights violations and abuse.

You might like https://blog.torproject.org/blog/say-hi-new-gettor

Also, be sure to look at our mirrors page (which you can find from e.g. google cache).

And see also https://www.torproject.org/docs/faq#GetTor

Good luck!

Hi Roger,

I am deeply concerned. But I have still hope for Tor. We all should beware our hope in these dark times.

I have two questions for you, Roger.

1. How is it possible that there are still good people within the potential attacker's organization? Your source - that warned you - seems to be in favor of Tor.

2. Do you feel confident that you (the Tor Project and its community) will be able to fight back this potential attack? There is so much brilliance and expertise in this community. If I had one single wish for Christmas, I would love to see Tor being the David winning against Goliath.

Well my Christmas vacation is gone now, thanks for the nerd snipe guys!
oblig ref: http://xkcd.com/356/

With the recent talk here about integrating namecoin, etc. I think we hit on a better solution to the problem. One that tries to maintain backwards compatibility.

Note that there is talk of a coin in the README document, that is mostly the result of chatting with some other devs in the crypto world. Considering the timetable we will be working under, I don't think a coin could realistically launch at the same time as the rest of the system.

I'm going to start building this right away, hope is to launch a beta before DA servers are pulled out. Anyone that feels like they would like to participate is welcome to join up. Even pointing out design flaws could be helpful.
Please keep any discussion on the page for the project, though I don't want to spam this blog with it.

Maybe you could consider toning down the propaganda ? Just a thought. Maybe add a few of the more egregious privacy-raping nations to this list:

' who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia'

How about every second posting you substitute USA and UK and their allies in place of 'Iran, Russia, Syria'. Might just make you a little less offessive and more credible.

It's Russia:

Putin Sets $110,000 Bounty for Cracking Tor as Anonymous Internet Usage in Russia Surges

No, it's (probably) not Russia.

The Russian word for this was more like asking researchers to propose for research grants. The translation 'bounty' or 'contest' was a bad translation and caused a string of misleading articles.

It is like saying that the National Science Foundation is holding a contest for Tor research.

It's totally unrelated. Boa as been wanting to do this for a while, he's talked about it before but never took action. Now he has an excuse.

Just FYI: www.heise.de the most important german IT news site reports about your blog posting http://bit.ly/1DVicBe (german).

My technical expertise is low which might be why it isn't obvious to me how taking down part of the Tor network would facilitate an investigation into the Sony incident by the FBI. What makes more sense to me is hacking into Tor to develop tools to better handle the next attack. The advanced warning makes the hack look friendlier – something like those “this is only a test” announcements the government makes on the radio and television.

Tor and Tails are two applications that I rely on every day and I don't even have anything to hide. I use these tools daily to maintain a small footprint and to keep proficient for a time when the tools and skills are truly necessary. The dedication and helpfulness of the staff of these two development teams is amazing. The other day I posted a question regarding Tor on the Tor IRC channel and quickly received a concise and helpful response by arma. I didn't know who arma was until I began reading this blog, but I must say that I am pleasantly surprised that arma would take the time to help an ordinary Tor user.

I would consider it to be a near catastrophe if Tor or Tails is compromised because I know of no other easy to use combination that provides the level of anonymity.

I can only say one thing about this: "Too big to fail". I don't think anyone can shut down Tor. We all need it, even if some people don't realise it yet. "You can not kill an idea." I believe you/we will find a way to keep Tor alive. Too much is at stack here. Never underestimate the power of the people.

If I was the CEO of Sony, I would teach those hackers a lesson and upload my movie "The Interview" to a bunch of torrent servers so that everyone would watch it!

Might there be a interpretation of The Interpreter for every Country of the World? Surely most all would really appreciate.

Does this effect anyone who doesn't commit any crimes, doesn't go to any illegal sites, in the United States, ISP doesn't know my activities, and I only use Tor to conceal my IP because of stalkers I've encountered?

Affect? Yes -- if somebody attacks the Tor network they end up endangering all the Tor users, including the vast majority of them who use Tor for exactly the sorts of good and ordinary reasons you do.

In particular, attacking the directory authorities has huge collateral damage exactly along these lines. That's why it would be silly for them to do it. Let's hope they change their mind.

Is this a case about servers keeping logs? I don't know how it actually works. How far back can anyone get the server logs to identify average non-criminal users?

Correctly configured Tor relays have no logs that are useful to attackers. So no, this should not be an issue.

(Of course, that doesn't mean there are no places on the Internet that log information about traffic flows. That's a lot of what the NSA / GCHQ surveillance fuss is about. But that is a separate topic, I hope.)

if you read the front page of https://www.torproject.org/ Who Uses Tor?

As an human I would assume you have valid reason to use tor regardless if i agree with you or not.

sadly, it seems the governments fear the people and try to "divide and conquer" to meet it own greeds or agendas ):

Yes - after 911 its YOU who need to show your asshole in airport. It is THE purpose of such operations. To make you as small as insect.

How can we help?




I bet that this is a law enforcement operation against Tor by US FBI, Europol and UK NCA. I hope these guys know what they are doing. The collateral damage will be tremendous and it will raise new waves of hate against state-sponsored oppression of human rights.

Every agency in the so-called free world should know: we are watching back and judge your actions. Instead of endangering the good users of Tor, these agencies should work with us to make the world a better place (including Tor).

This may very well be the case, it was only a week ago that Cameron announced that GCHQ is to teaming up with the UK's National Crime Agency in a new effort to crack down on Tor users.


Goodness, arma, the patience you are having...

Actually, the problem is that Tor isn't decentralized enough to discourage governmental shutdown.

> I bet that this is a law enforcement operation against Tor by US FBI, Europol and UK NCA.


> I hope these guys know what they are doing.

They are engaged in a foolish and dangerous experiment.

This is indeed a crisis, perhaps the biggest the Project has ever faced. Some thoughts:

Roger is keeping his head, which is the proper thing to do during a crisis. Let's all follow his lead and play it cool.

In a crisis atmosphere, making radical changes (e.g. incorporating namecoin into critical Tor infrastructure) seems inadvisable. Much better would be to geographically/legally diversify locations of reserve Dir Auth nodes. Similarly, for users, switching to untried alleged alternatives to Tor also seems inadvisable. If the worst happens, and enough DAs are seized by our enemies to incapacitate the Tor network, let's give the Project a chance to get it back up somehow. (Roger: any idea how long that might take, if more than five DAs are seized?)

Some true Patriot risked her/his freedom to warn Roger, so users should respect his judgment about the need to withhold some information in order to protect the identity of the source. That said, I think there is no point to keeping back the name of our enemy, since it is obvious that it is "FBI" (no other entity has the ability to attempt to seize more than one or two DAs, or is foolish/panicked enough to try).

In my heart, I agree with those who chided Roger for not listing USA at the top of the "Enemies of the Internet". But my brain reminds me of some unpleasant realities: Roger acts under his own name, and an unwritten part of his job description for many years has been talking directly with FBI and other LEA officials, seeking to educate them about why LEAs should not blindly react to Tor by trying to simply shut the network down. Further, he is a US resident, so vulnerable at all times to arrest by US "authorities". All in all, he has a legitimate need to avoid becoming too confrontational with the most lethal parts of the USG. However the users are free to call out our enemies by name, and we are doing so.

I assume the phone lines between Walpole, San Francisco, and New York City are burning up; good! Further emergency action which I assume is happening: contact key media outlets to publicize and explain what is known about the plan to seize DAs (Glenn Greenwald, Marcy Wheeler, Kim Zetter... and would Brian Krebs please comment in the usual place?). And let's start organizing a giant phone-in to the politicos by Tor users in the US and Europe; an instance of what EFF likes to call "the Internet reacts".

A hasty socio-technical suggestion: if the project needs to issue new keys or find some way to distribute emergency TBB with new hardcoded DA identifiers, can you arrange to do that with the assistance of Debian or OpenBSD? Many Tor users already have copies of their signing keys (note that these are two different cryptographic infrastructures since OpenBSD does not use GPG), and it should be possible to arrange with Debian (for example) to set up a special repository which is independent of Debian's own repositories, but whose signing keys are signed by Debian keys.

> any idea how long that might take, if more than five DAs are seized?

Hopefully within the day. We've worked through a lot of scenarios, and we'd write them up here except we're all doing too many things so the write-up has been triaged for now. The main problem in that case, as you say, is going to be Tor users who don't realize that anything's gone wrong.

But for that, we're actually in luck -- you may not have noticed, but the Tor Browser auto updater is actually in place and working as of Tor Browser 4.0. So all the Tor Browser users will get a Firefox style "there's an update available" popup.

As for the tiny fraction of Tor users who even know what Debian is or what a signing key is... they'll be fine anyway when they get their updated deb. It's the millions of totally ordinary people who are most at risk in situations like this.

I thought it does not yet support checking the hash during auto update. Has that been fixed?

Alas, this is true. It's at the level of Firefox's updater, but we really want it to be a lot safer than that. Look for better features in the upcoming releases. Or better yet, help us get there!

Many here correctly appreciate that chief among the many (oh, so many!) nations which must be counted as "enemies of the Internet" is the USA.

But one key point about the USA which some observers tend to overlook is that the USA is controlled by a loose and often uneasy partnership between various centers of government and corporate power. It is very far from being a monolith with a well-defined militaristic command structure. It rather resembles a collection of mutually antagonistic principalities which pay a token tribute to the Sublime Porte, who in reality is more of a figurehead whose directives are routinely ignored or obstructed than a person who directs and controls major events.

Roger already hinted that USIC contacts have been expressing terror that shutting down Tor might deprive them of an invaluable tool in their efforts to continue spying on everyone, a viewpoint which was previously expressed in some of the Snowden leaks. (As already discussed, this is not inconsistent with the assumption that Tor is very far from being an NSA operation, and assumption which is also strongly supported by the Snowden leaks.) If so, this might imply that in the halls of American power, a particular viewpoint within FBI has gained ascendancy over the majority viewpoint in USIC. If this is true, and not a temporary aberration, this would constitute a remarkable sea change in the USG, comparable in its way to the recent reversal of fifty years of misguided US foreign policy regarding Cuba.

I would like to offer one possible explanation for what might lie behind the alleged plot to shut down the Tor network.

I think the Tor community (and indeed the Internet) is currently in mortal danger of becoming collateral damage in an epic collision between three of the most powerful parts of the failing American empire:

* the US entertainment industry, in the corporate person of Sony (just to add to the irony, in the past, as most readers here probably already know, Sony has admitted using to infecting its customers with a rootkit disguised as "intellectual property protection", and it has recently been accused of using DDOS attacks and illegal "investigatory" techniques against perceived enemies),

* the vast and incredibly lucrative surveillance-industrial complex, in the institutional person of the chief enemy of everyone in the entire world, NSA, one of the very few institutions in the US which has the power to crush the entertainment industry like a bug,

* Wall Street, which is arguably the most throughly corrupt and amoral institution which has ever existed, and the only institution in the world which has the power to crush NSA like a bug, or to twist a U.S. President around its bejeweled pinky finger.

All three are currently terrified, but terrified by quite different nightmare scenarios:

* Hollywood is terrified by the prospect of huge financial losses which it believes could literally eliminate Sony from the face of the Earth, which for them is like imagining the entire West Coast of the USA sinking into the Pacific ocean in some Magnitude 15 earthquake,

* NSA is terrified by the prospect of losing what little ability it still retains to surveil people the President expects them to surveil, because if its intelligence failures become too obvious to the electorate, at some point the U.S. Congress will exercise the one power it yet retains, the power of the purse, by defunding NSA's global surveillance empire on the grounds that it is no longer cost effective,

* Wall Street well appreciates the terrifying instability of the modern global economy; the real danger here is the hundreds of trillions of dollars of exposure of the big banks to "derivatives", but the psychological instability inherent in "the market" means the US economy could very quickly collapse in an over-reaction to some seemingly devastating cyberstrike on the global financial infrastructure.

Thinking back to 2008, we know that the current President fears above all else (even above nuclear detonations) the prospect of global economic collapse. And his control of FBI is more reliable than his somewhat limited influence over NSA. I suspect he has not only heard of Tor but has been persuaded by panicky bankers to "authorize" FBI to initiate an (illegal and risky) experiment by shutting down Tor entirely, following very bad and ill-informed advice such as this:


Now, can we think of anyone who has recently attempted to switch his allegiance from the surveillance-industrial complex to the Wall Street camp? Whose personal priorities may have changed? Who has very possibly been miffed by a recent financial reverse engendered by an unexpected rebuff from the agency he formerly headed?

NSA stands as a direct enemy of every living person, and it is indeed a formidable and lethal adversary. But just as it would be serious mistake to underestimate its malevolence and duplicity, so too it would be a serious mistake to overlook the fact that it faces problems of its own, a fact which politically savvy citizens can leverage with the goal of perhaps eventually eradicating it, which would represent a giant leap toward re-establishing the rule of law in American governance, and towards reconstituting the Internet we know and need.

There are bounties on Tor not just from the governments of the world. But also from the criminals that use Tor wanting to leverage their power. You better believe that ISIS wants complete control over the network.

how can it help criminals if they will read your mail? Wait, maybe its new us government intelligence agency "Criminals"?

Am I betterly prepared for some temporary DA's downtime if I enable FetchUselessDescriptors option in torrc and from now on do run the tor client 24/7?

FetchUselessDescriptors won't help you any.

But keeping your Tor client running might actually help against some temporary failure to generate a consensus. It *shouldn't* help, because Tor ought to be able to handle re-using your cached info on startup, but I'm not sure whether anybody has tested that scenario well enough. (Somebody should test it please!)

A notable quote from https://www.reddit.com/r/news/comments/2ptxws/the_tor_project_has_learned_that_there_may_be_an/

"Here in Thailand, the US embassy uses Tor to communicate possible risks to US expats without having to risk inadvertantly saying something offensive (therefor illegal) about the royal family or the junta over the heavily monitored net and phone traffics. While some elements of the US government are terrible enemies of privacy, others rely on Tor every day for their own safety..."

The FBI has truly gone off its rocker, if they are seriously considering seizing DA nodes.

Regarding your quote about what the US embassy in Thailand is doing with Tor.

FYI, Thailand is one of the countries which plays host to large numbers of CIA, NSA, FBI and DEA agents. The other countries are Japan, South Korea and the Philippines. When it was still under the British administration, Hong Kong also hosted large numbers of CIA, NSA, FBI and DEA agents. When it reverted to Chinese rule, the Chinese government ordered them to leave the city.

Singapore is unable to host large numbers of US spooks due to its limited geographical size. However, it is the jewel in the crown for US mass surveilance programs because of the Singaporean government's heavy investment in such activities and very solid relationships with the US government.

(When I say "large numbers", I mean their total head count amounts to about 1,500 personnel.)

It is ironic that the US embassy in Thailand uses Tor to communicate with its expatriate community.

It is noteworthy that the PRISM program and the Finfisher/FinSpy program are being actively deployed by Thailand-based US spooks.

Add to that the US recent admission that Thailand was one of the countries where secret torture chambers were established for "renditions".

If you ask the right people, they will tell you that the former US ambassador to Thailand, Ms Kristie Kenney, was complicit in the US mass surveillance programs that cover Myanmar/Burma, Vietnam, Laos, Cambodia and especially southern Thailand where Islamic fundamentalists are fighting for independence from Thailand.

It is terrific to hear about governments heavy investment in such activity. It "was" my money and i don't say i agree with how they spend them. So I have crisis but they have investments. Seems something is wrong.

It is an interesting detail that the potential attack could take place while numerous core members of the Tor Project are not at home, but abroad attending the 31c3 in Hambourg.

Could it be a mitigation measure to separate the hidden services in a way that a take down of hidden services and their infrastructure would not affect the Tor network as a whole? I mean, most of the "Tor is the first choice of criminals" allegations by LEA and their media whores are based on abusive use of hidden services.

So to be clear, does this run the risk of any deanonymization attacks?

Also why hasn't the Tor network considered decentralizing the distribution of node info, such as via a DHT?

So could the seizure of DA nodes be a step towards controlling or inserting a back door into Tor rather than shutting it down? Is there something about forcing the Tor network to add new nodes or create workarounds for the missing nodes that might create a window of opportunity for the government to infiltrate the network. I suspect that the government would prefer to have a two-tier Tor network where their communications would be secure and anonymous, but everyone else would be subject to government scrutiny. For many years GPS was two tier allowing government receivers to accurately resolve lat/long while limiting the accuracy of non-government receivers.

I have almost no technical knowledge of Tor's operation, but the NSA probably does. If any entity can figure out how to set some government hooks into the Tor network, it would be the NSA. The role of the FBI might be to give the appearance of legitimacy to the NSA's attack by cloaking it with the cover story that the seizure of DA nodes was a necessary part of an investigation into the Sony incident.

Could a page be added to Atlas or the Tor statistics graphs showing the number of relays changing their public key over time, along with the total number of relays? That way if DSes get silently compromised, you could either look for a sharp drop in the number of useable relays or a large spike in relay key changes- assuming the purpose of a compromise is to force traffic through "known bad" relays.

I think it would be useful to detail further steps beyond donating and educating, for both users and node admins. Those are both vital, but let's be honest, there's nothing long-term about having sections of the US government liking you and others not via education. Education is a weak tool against their interests in surveillance and censorship.

Node admins:

Assuming directory authorities go down, are there simple instructions to update the nine servers hard-coded available? Certainly updated software would be released, but it makes sense to provide people guidance in manually changing the source code and recompiling. This would be particularly relevant to those who maintain the various Tor ports and packages out there.

If downed DAs are the issue, how would the new DAs be publicized with verification for those doing above? Or even manually verifying (via logs, code review) that the DAs are correct? Even some simple tcpdump instructions might be useful.


What is the widest method to notify users not plugged into this blog, mailing lists, etc? One idea might be to have a "Tor alerts" feed, something that friendly sites could host with important alerts for users. "update your software due to a significant vulnerability" "There are periodic Tor outages due to XXX event" Think wide and far, as opposed to deep and narrow.

Just my $0.02.

Clearly, we may be on the cusp of an intensification of the 'arms race' in a way we didn't imagine. Keep up the good work.

Arma for Nobel Peace Prize? His/her patience is bottomless.

Not in Munchen

And so it begins?

From: Thomas White
Subject: Warning: Do NOT use my mirrors/services until I have reviewed the situation
Newsgroups: gmane.network.tor.user
Date: 2014-12-21 20:17:23 GMT (2 hours and 24 minutes ago)

Dear all,

Many of you by now are probably aware than I run a large exit node
cluster for the Tor network and run a collection of mirrors (also ones
available over hidden services).

Tonight there has been some unusual activity taking place and I have
now lost control of all servers under the ISP and my account has been
suspended. Having reviewed the last available information of the
sensors, the chassis of the servers was opened and an unknown USB
device was plugged in only 30-60 seconds before the connection was
broken. From experience I know this trend of activity is similar to
the protocol of sophisticated law enforcement who carry out a search
and seizure of running servers.

Until I have had the time and information available to review the
situation, I am strongly recommending my mirrors are not used under
any circumstances. If they come back online without a PGP signed
message from myself to further explain the situation, exercise extreme
caution and treat even any items delivered over TLS to be potentially

The mirrors in concern are:



I will do my best to keep this list updated on the situation as it
develops. If any of the mirrors or IPs do come back online, I would
welcome anyone who is capable of doing so checking for any malicious
code to ensure they are not used to deploy any kind of state
malware/attacks against users should my theory prove to be the case.

At this moment in time I am under no gagging orders or influence from
external parties/agencies. If no update is provided within 48 hours
you may draw your own conclusions.


Activist, anarchist and a bit of a dreamer.

Current Fingerprint: E771 BE69 4696 F742 DB94 AA8C 5C2A 8C5A 0CCA 4983
Key-ID: 0CCA4983
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0
Key-ID: EF1009F0

Twitter: CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966

No, this is an exit relay operator, not a directory authority operator.

Also, this particular fellow has had a series of run-ins with British law enforcement. This run-in is far from his first (and won't be his last either probably).

England is really bad news these days in terms of civil liberties. I'm glad we don't have any directory authorities in England.

Should we add those IP's to the ExcludeNodes of torrc conf? or are they even active relays?

They're not active relays, and if they come back they've been blacklisted by identity key. So, nothing you need to do.

They are already marked bad as per:


If you check out the relevant IPs on globe.torproject.org, their "running" status should be marked "false."

Not in Munich

How does an exit relay seizure like this effect it's users? Thanks.

It affects its users not very much. It just means that there's a bit less capacity in the Tor network now, until somebody gets upset at the seizure and sets up some Tor exit relays in response. Perhaps that could be you? :)

Seizing an exit relay is mainly done either a) by ignorant law enforcement people who made a list of suspect IP addresses and went to go steal the computer at each one, in case it could provide some evidence. We've taught many of them how to check if a given IP address and timestamp is a Tor relay, but, there sure are many more that we haven't taught. Or b) by law enforcement people who are intentionally trying to harm Tor by scaring and hassling relay operators even though they know they won't get useful results.

I talk more about both of these cases in this older blog post:

arma said: "It just means that there's a bit less capacity in the Tor network now, until somebody gets upset at the seizure and sets up some Tor exit relays in response. "

Strange enough, in the past few days I am experiencing a very notable increase of speed in building up pages I visit. I was already used to waiting sometimes a minute or so, but now even complex pages with lots of scripts pop up in less than ten seconds ... ?

Check out the "Tor network too fast" thread:

The short version is "Great! Things have indeed been getting much better over the past few years. But there's still a huge amount of variance in performance."

Yes, well England is probably the worst country in the world to have a server. From what I've heard, it is a scary place to administer servers.

The question remains, why are the DAs centralized in the US and EU?

Now more than ever is a great time to start getting DAs beyond, especially in places where the US/EU 3-letter-govt-agencies have a harder time coordinating with. Yes, geo-politics moves fast, but can you imagine North and South Korea coordinating DA takedowns. That is hypothetical, but the point remains.

Angola or South Africa?

Venezuela or Nicaragua?

Not in Munich

What if instead of seizing the directory servers the FBI alters them so that certain, specific users are fed a list of fake, government controlled nodes instead of actual ones? They could then target individual IP addresses and completely deanonymise anyone trying to connect to TOR through them.

This is possible but only if they successfully break into a majority of these directory authorities and extract their keys as described above.

There are some interesting technical fixes that people are exploring that would detect if there's ever a second consensus made for a given hour. Something like keeping a hash chain on your side of the consensuses that you've seen, and then comparing that to what others have seen. Basically, we should be able to reuse some of the various 'foo observatory' tricks that people have been working on lately for finding out whether somebody is served a personalized https certificate. More help there would be great!

If Tor is hardening the network against corrupted DAs, maybe this is "pull the trigger now, while we still can"?

No, we took some steps before even putting up the blog post.

But that said, there are plenty more steps to be taken. If only we had more people, more time, more resources.

This is a great topic of discussion for PETS:

Scare mongering its all crap there are many ways to stay hidden so i say the FBI and the NSA couldnt trace anything without tracing paper i have heard nothing and i would be one of the first to know.
Its the same every day cat and mouse games just relax..........

For sure if they get physical server they can alter BMC ans have full control over over that server. For example - extract private keys when hte server will go online. So beware of any returned after raid hardware.

Oh well I run a directory server in the UK might take it down after reading this :(

No, you likely run a normal relay with a directory mirror ("DirPort") enabled. That's not the same as a directory authority.

There are nine directory authorities, run by reasonably competent and trusted people around North America and Europe.

Directory mirrors, on the other hand, are offered by most of the 6000+ relays that are running right now, and there's no reason why people would want to hassle somebody for running a directory mirror.

Hope that clears things up for you! Please ask for more help on the tor-relays list if you are still concerned:

Hi there,

here's a French translation of this post : http://kos-blog.no-ip.org/index.php?article5/traduction

Something tells me it will be blamed on North Korea.

FYI. I'm a Network engineer with 30 years experiance. My job is information security, penetration testing, white hat hacking, and part of that job is keeping an eye on the hacker groups forums, web pages, news goups, chat rooms, and videos, just to be prepared of anything comming my way.

I have been watching Sony and hackers in a cyber war for at least the last ten years, and this is all this is. Odds are it's an inside job; the hundreds of terabytes of data would be noticed going over the wire.

It's a trick of the Obama administration, and/or Sony.

Agreed, it seem ironic that Sony have apparently done NOTHING to strengthen data security, its not as if they don''t have the financial resources to hire the right people for the job. after all. they where quite able to insert malicious code into some of their products.so why are they not using due diligence to safeguard the mountain of personal data they hold?

Why is Tor recently so slow?

Sony was never hacked. They just fuck up things. Now they are blaming others to avoid public harakiri.

The USIC lawyers who claim that "there is no universal right to privacy" [sic] are the same people who advised the leaders of the Land of the Free that kidnapping, torture, and assassination are "legal" [sic]. These people have ventured so far into the territory of state-sponsored criminality that their repugnant ratiocinations are comprehensible only to their ISIL brethren. It does no credit to any civilized nation which fails to apprehend and bring to justice vicious kidnappers, torturers, and assassins, even and especially those acting on the orders of a "government" gone mad.

There is a fine Urdu word to describe people who routinely engage in kidnapping, torture, and assassination: thug.

http://arstechnica.com/security/2014/12/cluster-of-tor-servers-taken-down-in-unexplained-outage/ Lord Ronin, they already threw the first shot, more are lined up. #SiduriFamily #DarkNetFamily we need to help decentralize TOR or it is going to go down :( OneLove #CultofSiduri

I kind of wish the journalist had taken the time to understand, and explain, the difference between directory authorities and exit relays here.

Arma, my brothers can help you improve TOR. Will you accept help from the #CultOfSiduri? Find us in the #DarkNet. We are not hard to find ;)

More help is always appreciated! We work in public with public trac tickets, git commits, design discussions, and so on.

But fortunately, we built an anonymity tool so you're welcome to stay pseudonymous while helping. Many people do.

I know it may be a dumb question, but is TOR still safe (secure) to use?
Thanks for your work.

Yes, Tor remains safe to use. We even said this in the blog post in hopes that you would see it! :)

Syndicate content Syndicate content