Possible upcoming attempts to disable the Tor network

by arma | December 19, 2014

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.

Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.

The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.

[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]

Comments

Please note that the comment area below has been archived.

December 19, 2014

Yes, my inside sources have informed me that the FBI is planning to take down parts of the Tor network as part of the investigation into the source of the Sony hack by North Korean sympathizers.

(To be clear, I don't know who this person is and as far as I know this isn't the person who tipped us off to write the blog post. That said, if you know something we need to know, please tell us!)

December 19, 2014

In reply to arma

So it does have to do with the Sony hack? I read on CNN that the hackers were routed through servers in Asia, Europe, Latin America and even some in the US.

December 19, 2014

In reply to arma

We know Tor probably has nothing to do with the Sony attack; the public don't. They will just believe whatever the government tell them. If the government want Tor to be down, they can put the blame on Tor (regardless of whether the attack really came from Tor), and shut down any servers or personal computers running Tor.

The government can't just "shut down" any personal computer running Tor. It would be easier to just shut down the government than that happening.

NSA in particular have been looking for a "justifiable cause" to attack TOR; recently comments were made to the effect that operatives were "helping the tor team find possible weaknesses".

There are some interesting points to consider

1) Many relays are high capacity, high speed relays, not the sort of thing you would usually associate with a volunteer network of users.

2) "Copyright" holders have been wanting to find ways to control internet traffic to their advantage, citing "piracy". Having not managed to get their way through official channels, their MO is not to try and get under the table agreements allowing them to directly interfere with DNS lockup tables at the backbone level.

3) As has already been pointed out, leaving aside outfits like the silk road drug distribution network, criminals, including terrorists, DO NOT use tor simply because they KNOW that doing so would bring them to the attention of the authorities.

4) Governments have increasingly been taking the assumption that they, and they alone, are entitled to privacy; no one else matters. The oft-quoted "nothing to hide, nothing to fear" comes to mind and does not hold water.

I note that today (23/12/14) it took several attempts to establish a TOR connection. This is in itself an atypical experience for me; usually I am able to establish a connection first try, within 30 seconds, 60 seconds max.

This leads me to believe two possible scenarios are in operation

a) fallback measures are being put into place
or
b) TOR is under active attack.

LOL, I think that North Korea doesn't have a unit 21 of highly qualified hackers because it is too dangerous to have them.
1) North Korea is isolated from internet => there are very few people who understand what these "hackers" do => who will supervise these men? They will be self-supervised.
2) They have to give them unlimited access to foreign internet (because no one except them understands what they do and whether they really need this information)
3) The hacker is a freeminded man.
4) 2) + 3) => they will understand all the shit about North Korea and will get angry.
5) because they cannot be controlled, they can start secretly destroying NK from the inside and no one can determine that.

I think that
1) it is a psyop made to create a casus belli to put the screws on Internet in the US (see http://patch.com/california/studiocity/obama-slams-sony-north-korea-cal… )
2) NK is a voluntary scarecrow to frighten the citizens of all the countries of the world. One more reason to distract them from inner problems and remind them that if they require too much freedoms, rights and respect, the state will have to take measures like in NK such as cruel penalties for all law breaking, a collective penalty (very effective multieffect measure), prohibition of all the potentially uncontrollable means of taking freedom (arms, crypto without key escrow, computers without backdoors, radios with possibility to tune it, etc) with very cruel penalties, authoritarian/totalitarian regime enshrined in law, high taxes (to make people think only about how to survive these taxes (paying them and surviving after it)), etc...

That is a somewhat bogus analysis. You obviously don't understand what brainwashing is, how it works, and/or what motivates people to work. Your analysis of the system is based purely on western views. Surely if this were the case, there would be no Chinese, American, Russian, or any other nationalist hackers as well. Let's break this down.

>1) North Korea is isolated from internet => there are very few people who understand what these "hackers" do => who will supervise these men? They will be self-supervised.

Grew up in an isolated environment, being brainwashed since day one that NK is the best, and probably for a long time, that they are the elite of North Korea, and that everything else is pure propaganda. Given there is only 21 of them in a country of 7 million, there is no reason that NK can't give them special privilege that no one else gets, or other carrots, in addition to the brainwashing.

>2) They have to give them unlimited access to foreign internet (because no one except them understands what they do and whether they really need this information)

and this gives them major leverage in North Korean society. Even if they understood how harmful NK is, they'd have to give up their status as elites. Or maybe even besides NK internet they are still not a fan of the USA and see themselves the way America does, as anti-Imperialist crusaders. Many other anti-USA nations are now sending envoys to NK to warm ties.

>3) The hacker is a freeminded man.

the American/Western hacker tradition grew out of countercultures very unique to America/the west, and its very anti-tech, very anti-intellectual cultures. "Hackers" as we know them, grew up being hated for being as such, by people who hated and feared the machines.

This is not an imperative of the computer using skill. There are no western style self-taught hackers from North Korea. Their hackers are taught, and funded by the state, and most likely developed a culture along radically different lines.

People have this strange notion that everyone in North Korea is getting ready to defect at a moment's notice, and that it's basically like East Germany, with no real popular support, or willpower. It is nothing more than rhetoric based on propaganda.

seems you are still trying to play "democracy == usa" card. it's just false pretend. it "was" but now it "is" police state with enormous brain washing capabilities. sure there is small nearly negligible part of usa government structures with sympathy to democracy way but en masse control is in nsa/cia/fbi hands. There is the place where main harm to internet is done and ongoing. And this inhuman structure arise on uncontrolled spending of taxpayers' money and falsifying constitution.
and after all recent disclosures you still trying to speculate on possibility of small number of foreign hackers to "harm" whole internet already owned/controlled by nsa...

Well, actually those NK hackers were trained when they were young children. The authorities needed to do tests to choose those who had gift to study hacking skills and gave them proper educations and training, like sending them abroad (Of course cutting off the contacts of outside is very essential) and then sending them back to the university. NK has a special unit composed of elite hackers. Their skills are no better than super hackers from US, UK, Deutschland, Russia etc. Despite this brain wash is still vitally important~
hope can help~

Actually, NK, does have internet in several different open and closed variations ! Furthermore, there is a Unit 21, in addition to many more dedicated sections and subsections [ with various and different responsibilities ] !
There was an excellent blog on Twitter from @cyberwar, who mapped and scanned many of the different computers and their IP addresses, even so far as to ID a Macbook.
So, the lesson here is...don't spout unscholarly drivel just to inflate your own ego. Now that you have been properly scolded, I take my leave.
TOR ROCKS PLANET EARTH...NEVER QUIT !

whatever suck up! i have a CCC attack going on and a Hp attack, Label print attack, Power Director attack Going on ever since the X-Box360 attack on Christmas! It Looks like a clean install! But I will mention that I got a mystery update By Microcrap itself !!!! KB 971033 , once I installed it more SHTF! Microsoft is BAD !

Complete lie. North Korea had NOTHING to do with the Sony hack.

It's just another volley in a long cyber war between Sony and hackers, that's been going on for a decade.

December 19, 2014

In reply to arma

>U.S. officials also tell CNN the hackers routed the attack through servers in countries from Asia, Europe and Latin America, even some in the U.S.

>The hackers used common DNS masking techniques to make it look like it was coming from those places, but the National Security Agency and FBI were able to track it back to North Korea.
>North Korean internet traffic is routed through China, which is one way they are able to hide their activity, but the FBI was still able to trace it back to the origin, sources tell CNN.

This sounds like Tor is totally useless against the NSA and that they are able to see a full path through a Tor circuit back to the Tor client but if they are able to do this why would FBI need to seize Tor directory authority servers for the purpose of investigation?

Tor is not what I would describe as "common DNS masking techniques". It sounds like the Sony people used something much simpler than Tor. For example, a common bad-guy approach is to break into a computer and then route your traffic through it. And a common bad-guy slip-up is to accidentally make a direct connection once because you wanted to see if your attack is working or something like that.

December 21, 2014

In reply to arma

I would trust more on this North Korea thing if accusations come from sources other than the U.S. Government and/or U.S. corporations. Really.

extremely useful advice. falsifier #1 is "U.S. Government and/or U.S. corporations".
because as they say 'national security matter, so shut up and eat'.
and it can be just a pr action before attack on nk country. btw is nk in one basket with kgb state?

The Sony hack by Sony was my first thought until they pulled the movie. Even so, if it is re-released it certainly has plenty of free press. And if the leader of North Korea weighs in with a positive review, who knows. He looks ready to enjoy some NBA games and give up on all this fearless leader business.
:-)

Sony pulled the plug because they knew the movie was going to be a flop. Instead of having the balls to admit failure they create the big hack scare and place the blame on someone other than themselves.

bottom line is never believe corporations. especially sony.
remember sony cd-virus business? or changing technology for artificial lowering life time of hardware?
they will do anything to rise profit.

There is almost no chance IMO that Sony would release 50,000 of their employees social security numbers, passwords, credit cards, the email inbox of the ceo and other people.

of course it's sony hacking sony, helped by US govt.
sony gets to test punk marketing for a movie and manipulates the public to pay for a movie they'd probably normally illegally download by 'mah stars and stripes' patriotism rant.

US govt gets another reason to ramp up sanctions against ronery korea as well as kicking TOR in the head and looking like internet supercops.

US corps play along for their own interests and the paradigm of white hats v black hats is clearly defined for the sheeple so they can go back to sleep.

mission accomplished (insert aircraft carrier)

Greetings Tor.
Your insider may wish to purchase a crash helmet..
As you know Tor was attacked by #LizardSquad @MafiaSquad.
They and #FinestSquad are part of a huge FBI/US intelligence psy op.
I will leave you to ponder upon the implications of this
Good to see the attack was a big fail.
Happy new year Tor...It's gonna be a fun packed one for sure!

S.U. Wizard.

If you know any people or groups who misunderstand the value of Tor, you can teach them why trying to undermine the Tor network would harm a lot of good people and generally cause huge collateral damage. Explain how Tor has helped you in your work. Help spread the word.

So, short answer, don't worry too much. We wanted to be safe and tell you just in case it turns into something.

a) stop using google
b) set useragent string "google go away"
c) go to real shop, buy some real beer, drink it and think who the fuck is that sony? bear?
d) change everything back and relax watching new pr show.

December 19, 2014

Umm, who wants to and is going to seize which nodes where and why?
Stop with all the veiled silence bullshit, it makes you look stupid, and like some questionable entity.
Torproject is not the only voice and direction of tor, and you're preventing the rest of the voices from speaking freely in support.

To be sure to keep our source safe, we're not providing more details quite yet.

But actually, we don't know many more details than the ones we posted. And as for your 'why', that's an excellent question, and one we've been wrestling with too. There are nine directory authorities, spread around the US and Europe. If they're trying to hunt down particular Tor users, most possible attacks on directory authorities would be unproductive, since those relays don't know anything about what particular Tor users are doing.

Our previous plan had been to sit tight and hope nothing happens. Then we realized that was a silly plan when we could do this one instead.

December 19, 2014

In reply to arma

What exactly is the upside of making the rumor public? Downside is the seizure doesn't actually occur for whatever reason (good so far..) and then Pando publishes a series of 'cry wolf' articles about how Tor is run by delusional paranoids with a persecution complex.

I think it depends on the definition of upside and downside. If there is no attack, then that is good for Tor users. Maybe the attack was delayed or redesigned, or maybe it never actually existed. If this happens, we may never know. There may be repercussions, but it's a necessary risk, because if there is an attack and we didn't say anything then that puts users at risk, and that goes against the purpose of this project.

Who believes that paranoiacs are delusional anymore?

All anyone has to do is point at the NSA and that argument is invalidated.

It's a real blow for mental health workers, actually.

December 19, 2014

In reply to arma

What if they know what the person was doing, ie. which websites they were on and what they were doing and they wanted to find out what their real IP was? Would this be a way to do it?

No (but yes, kind of). The directory authorities know nothing about Tor users, so taking these servers offline or compromising them has no direct impact on the anonymity of users. However, if you control enough of the directory authorities then you can define which relays are in the network. At this point, users can potentially be deanonymized. This is a huge attack, though.

arma

December 19, 2014

In reply to sysrqb

Yes. Two refinements to sysrqb's answer:

A) Taking over a threshold of directory authorities would tell you nothing about what Tor users did in the past. It would allow you, at worst, to make up a new fake Tor network and try to trick users into switching to it. See my comment below for more details.

B) By "huge attack" I might instead say "hugely expensive attack", at least in terms of political capital and goodwill.

they want it - to own internet and allow only marked with your id-number ip packets. they want to insert in you head identification chip with this number and to trace it (and they have done it with home animals). they want you to be part of their own internet machine. they want to harass you with if you try to not use their "services". they simply want to control you. so please try to read some uncontrolled by them sources(real books?) and think.

December 19, 2014

In reply to arma

Surely each operator has a disaster recovery plan in place already, for more usual events like hardware failure. If the servers were seized, could you all not just execute that, and be up and running again within minutes to hours?

In practical terms, is this not simply a minor inconvenience?

December 19, 2014

In reply to arma

Could authorities replace seized DAs with their own clones that only send users to NSA/GCHQ controlled nodes? Is this possible without knowing DA private keys if you have full control of the hosting server?

It depends what exactly they can extract from each computer. Years ago we separated the directory authority keys into a long-term (offline) key and a medium-term (online) signing key. Directory authorities have their medium-term key expiring at various times:
https://consensus-health.torproject.org/#authoritykeys

We've taken some steps recently that we hope will make it quite hard for attackers to extract the medium-term key even if they seize the computer. So for the ones where that hope turns out to be true, they get basically nothing besides disruption by seizing that authority.

If they nonetheless can extract five unexpired signing keys, then they can make up their own consensus and point people to their own relays. That would indeed be really bad. For a bit of consolation, it would be super highly illegal and places like EFF would be happy to mess them up for it. But let's hope that doesn't happen, especially now that we've made clear to them all the collateral damage involved.

In any case, even if just one is seized, we'll likely put out a new Tor release that stops trusting that one. Otherwise they could in theory keep chipping away at the directory authorities (though the expiration dates on the keys will put an upper bound on how effective that approach could be for them).

Hope that helps.

December 19, 2014

In reply to arma

if you haven't already, you should consider auto-wiping the keys on those servers if motion is detected in their proximity. (assuming they're located somewhere where there normally isn't movement around them, like a cage, anyways.)

December 19, 2014

In reply to arma

from a layer 7 and above perspective.. are you confident that all directory authority operators will be able to detect whether someone may have physically tampered with or replaced a directory authority box?

for example, jake's most likely not going to be in the US anytime soon, although i'm guessing he has friends who could examine the physical integrity of the directory server he runs.

physical custody of keys/boxes has been on my mind lately, since recent TBB releases were signed with erinn's key even though she doesn't work for the tor project anymore.

These are indeed all important topics to pay attention to.

As for Erinn's key signing Tor Browser packages (and she does indeed still participate in Tor Browser development stuff), check out
https://trac.torproject.org/projects/tor/ticket/13407
(And also remember that the builds are reproducible, so the signature is not as important as it would have been in the past.)

December 20, 2014

In reply to arma

thanks for the quick reply; i agree re: signing keys. wasn't trying to cast doubts..just was pointing out that some of my own tor-related assumptions about who physically controls keys came up recently

December 20, 2014

In reply to arma

Please in an update add a revocation so that at least any long term signing key could revoke any of the medium term keys and itself.

Then each node would only have to hear a revocation once to take that key out of service. It would greatly reduce the benefit of compromising the keys.

Agreed on the first one (though that's the sort of behavior that EFF would be excited to litigate, since it harms a huge number of ordinary people).

As for the second one, I assume you mean "seized the server got the key", but even then it's somewhat more complicated than that.

I use the torrc to select the DA I trust.
DirAuthority [nickname] [flags] address:port fingerprint

my relays can NoAdvertise
ORPort [address:port] NoAdvertise IPv4Only
but I can't find a way to add relays or include nodes not in the bad DA lists

You should learn more about the directory design and how the threshold of signatures works. I can't quite figure out what you're doing from what you've said, but it sounds likely that you're shooting yourself in the foot.

In particular, configuring your Tor client to use a subset of the current directory authorities could actually make you weaker than configuring all of them, even if you genuinely do trust only that subset.
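
A simplified model of the signature threshold discussed in the replies above (five of nine authorities, medium-term signing keys that expire, a release that stops trusting a seized authority, and why trusting only a subset lowers the bar). This is an added example, not Tor's code: the HMAC "signatures", the names auth1..auth9 and the expiry dates are constructed stand-ins, and the more-than-half rule is an assumption chosen to match the five-of-nine figure quoted above.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SigningKey:
    """Medium-term (online) signing key of one directory authority."""
    authority: str     # constructed nickname, e.g. "auth1"
    secret: bytes      # HMAC secret standing in for a real private key
    expires: datetime  # expiry of the certificate issued by the offline long-term key


def make_authorities(n):
    """Constructed sample: authN's signing key expires on the 1st of month N, 2015."""
    return {
        f"auth{i}": SigningKey(f"auth{i}", f"secret-{i}".encode(), datetime(2015, i, 1))
        for i in range(1, n + 1)
    }


def sign(key, consensus):
    """Return (authority, signature) over the consensus bytes."""
    return key.authority, hmac.new(key.secret, consensus, hashlib.sha256).digest()


def threshold(trusted):
    """Assumed rule: more than half of the authorities this client trusts."""
    return len(trusted) // 2 + 1


def valid_signers(consensus, signatures, trusted, now):
    """Authorities whose signature verifies under a trusted, unexpired key."""
    ok = set()  # a set, so a repeated signature from one authority counts once
    for name, sig in signatures:
        key = trusted.get(name)
        if key is None or now >= key.expires:
            continue  # unknown (or dropped) authority, or expired signing key
        expected = hmac.new(key.secret, consensus, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            ok.add(name)
    return ok


def accepts(consensus, signatures, trusted, now):
    """A client accepts a consensus only with enough valid signers."""
    return len(valid_signers(consensus, signatures, trusted, now)) >= threshold(trusted)


def scenarios():
    """Run the cases from the thread; returns {case name: accepted?}."""
    now = datetime(2014, 12, 19)
    nine = make_authorities(9)
    genuine = b"constructed consensus: genuine relay list"
    forged = b"constructed consensus: relay list not produced by the authorities"

    def extracted(k):
        # Signatures made with the signing keys of auth1..authK (keys taken from seized boxes).
        return [sign(nine[f"auth{i}"], forged) for i in range(1, k + 1)]

    subset = {n: nine[n] for n in ("auth1", "auth2", "auth3")}      # torrc trusting only three
    auth1_dropped = {n: k for n, k in nine.items() if n != "auth1"}  # release that drops auth1

    return {
        "genuine_all_nine": accepts(genuine, [sign(k, genuine) for k in nine.values()], nine, now),
        "forged_four_keys": accepts(forged, extracted(4), nine, now),
        "forged_four_keys_repeated": accepts(forged, extracted(4) * 2, nine, now),
        "forged_five_keys": accepts(forged, extracted(5), nine, now),
        # By 15 Feb 2015 the auth1 and auth2 keys have expired: only 3 valid signers remain.
        "forged_five_keys_after_expiry": accepts(forged, extracted(5), nine, datetime(2015, 2, 15)),
        # 8 trusted authorities still need 5 signers; the auth1 signature no longer counts.
        "forged_five_keys_auth1_dropped": accepts(forged, extracted(5), auth1_dropped, now),
        "forged_two_keys_full_client": accepts(forged, extracted(2), nine, now),
        # A client trusting only 3 authorities needs just 2 signers.
        "forged_two_keys_subset_client": accepts(forged, extracted(2), subset, now),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:32} {'ACCEPTED' if accepted else 'rejected'}")
```

The last two cases are the point about subsets: the same two extracted keys are useless against a client that trusts all nine authorities but are enough against a client configured with three.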

December 20, 2014

In reply to arma

Honestly, I agree with the poster above. With this threat and the online harassment blog post, you folks are woefully short on *facts*. To me, if you don't share the *reasons* for why you're doing what you're doing, what you're doing is of little use.

It's like the US asking us to trust them, because we can't handle the truth...and we all know how much we trust them.

For a non-profit that's all about openness, Tor sure isn't open when it comes to its own dealings.

December 19, 2014

Couldn't Tor get rid of the directory authorities somehow ?

I hear that the Tribler network uses a Tor-like protocol without DAs. Anyone can run a bootstrap node, and that's enough to keep the network running apparently.
It looks like bridges for example could take on the additional role of bootstrap nodes for Tor.

Has there been any discussion on that ?
I'm not too fond of trusting a couple of servers that may or may not have been seized.
There's not even a warrant canary page afaik.

There are a bunch of research papers looking at exactly this question.

Check out
http://freehaven.net/anonbib/#usenix11-pirtor
for one direction, and then
http://freehaven.net/anonbib/#wpes09-dht-attack
http://freehaven.net/anonbib/#ccs09-shadowwalker
http://freehaven.net/anonbib/#ccs09-torsk
http://freehaven.net/anonbib/#ccs10-lookup
for another direction to consider.

The current situation is that nobody knows of a better design that is actually better in practice. The one we have is well-studied and has well-understood downsides, so I'm not eager to move to one that is poorly-studied and has poorly-understood downsides.

As for Tribler, my current understanding is that Tribler provides *significantly* less anonymity than Tor does, and a lot of its weakness comes exactly because it has an easily attacked network discovery mechanism.

December 19, 2014

In reply to arma

Would you care to extrapolate on why Tribler is less secure than Tor? I'm pretty new to Tribler, and haven't found any good sources on that information.

If enough directory authorities are controlled then the available hosts can be specified by an attacker and they can specify only their hosts. In your the directory authorities are trusted parties in the other one they are whoever wants and so an attacker can create a ton of those.

Somebody should actually write out the design for this and work through all the details. I bet there will be some interesting, subtle, and devastating attacks on the first couple of versions of this design. More research required!

I disagree. See my above comment.

(Part of the confusion probably is that directory authorities serve a variety of purposes in Tor, to defend against a variety of attacks. To move beyond "yes they do no they don't", somebody should write up a clear explanation of everything directory authorities need to do to serve their purposes well. The above links are a good start there, but see also
http://freehaven.net/anonbib/#danezis-pet2008 )

I feel a fork is in order.
OpenTOR will have
+local node list addition in torrc ie. private nodes or boot strap nodes
+namecoin tor/ node list option
+namecoin DNS
+node invisibility by dual socks4/https on port 443

Moar on node invisibility.

make a tls/ssl connection to port 443 tor reads first data.
if (first byte 'H') http stream to web server
if (first byte 04 & password good) relay traffic
if (password wrong) stream to web server to send back error

This is a private node if the password is private and a new type of bridge if public. aka f2f bridge

no not at all
starttls is just encrypting a port
you can have socks4 and http share a tls port

buffers.c
parse_socks(
...
  switch (socksver) {
    case 5: /* socks5 */
    ...
    case 4: { /* socks4 */
    ...
    case 'G': /* get */
    case 'H': /* head */
    case 'P': /* put/post */
    case 'C': /* connect */
      strlcpy((char*)req->reply,
        "HTTP/1.0 501 Tor is not an HTTP Proxy\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
        "\n"
        "\n"
        "Tor is not an HTTP Proxy\n"

just hand off http(and socks5 because hand shake is required) connection to a web server.
if socks4 has good password relay in tor else connect to web server to return error.

trust me it works! and should be part of tor

starttls is nsa invention. nobody in his mind should change protocol after connection. it is like inviting all the spies in the path. right sequence _must_ be as in: service should wait for some information from a client to select own behavior according to that information. if something wrong - drop connection.

Ok, I'm going to cut off the namecoin thread here before it takes over the whole comment section.

Somebody should actually build an actual proposal here. Come back when you have one. Thanks! :)

(A great place to send such a proposal is the tor-dev mailing list.)

Feel free to fork -- the license lets you do so and we are big free software fans.

But please do not name your resulting thing "Tor but better" or a name like that, which will confuse users into thinking your thing is somehow written by the Tor people.

December 19, 2014

In reply to arma

Why not use a cryptocoin like namecoin to determine authority of nameservers?

They would have to take over the whole cryptocoin system with a 50 percent attack which is very difficult to do _especially on a proof of stake coin like the newer coins.

December 19, 2014

It's such a shame to see the country I live in among the "repressive regimes" :(

Thanks for what you're doing.

It's a shame to not see the country I live in (US) among them. I think it might turn the tide of public opinion if it were more widely accepted that the chilling effect of "passive" communication interference should be grouped with other forms of repression.

December 19, 2014

This whole North Korean hack thing is so obviously a false flag operation. And who can trust anything the US Government says any more anyway? The worldwide political elite are a haven for crooks, liars, and murderous paedophiles.

Yeah I def think it's a false flag operation. The public has been very anti-government of late; wouldn't it be great to rally everyone behind a common enemy?

fine new name for nsa net - lizardnet. so i see headlines - "lizardnet define new dangerous trend in user behavior - before watching new daily propaganda block they visiting toilet. our new swat teams ready to fight such illegal behavior."

If its false flag then the government has been feeding our media misinformation for years about NK. Everything about the Sony hack fits perfectly and points directly at NK. Not to mention they have reason to not like Sony and lack of rationality to care about getting caught.

i do not like sony so what? and if they have some damage i will not be sorry at all.
but what about damage for everyone because of lowering ttl numbers in dns responses by many corporations? for me its more important than some problems in some corporation.

The messages sound American to me. Like in a comedy where a teenager pretends to be Korean but using cornball Engrish. At one point, the part between the parentheses, they slipped into regular American English.

Same goes for the UK government, GCHQ are known to want to get a good foothold into TOR, some even argue they may have the capability to fully compromise its infrastructure.

Thanks for running an exit relay!

As for TAO hanging out on it, that seems unlikely -- not because nobody would want to watch it, but because various intelligence agencies already work to surveil large parts of the Internet, and I don't think they need the TAO group to help them there.

As for the original point about how it seems there are fewer exit relays these days, check out
https://metrics.torproject.org/bwhist-flags.html?graph=bwhist-flags&sta…
The capacity provided by exit relays is slowly growing (the capacity provided by non-exit relays is indeed growing faster).

And the *number* of exit relays (not really the best measure but it's another way to judge) has been very slowly growing too:
https://metrics.torproject.org/relayflags.html?graph=relayflags&start=2…

December 22, 2014

In reply to arma

I see exclusively big and growing log of "We tried for 15 seconds to connect to 'xxx' using exit yyy at zzz. Retrying on a new circuit" records. So maybe many relays are just fake? Or they allow connections to sites interesting for nsa operations only? Kind of prefiltering?

December 22, 2014

In reply to arma

well, i don't. I know the sites are not down as i can use plain telnet to check tcp connection. any other comments?

You might still be seeing the 15 second timeout thing, if the site you're loading pulls in some third-party component which is unreasonable. And your telnet test to the primary site would not notice this.

December 19, 2014

Sounds like a good case of needing to decentralize your directory services... If only there were an amazingly great invention called Bitcoin or Namecoin that could be leveraged to do such a feat.

See above:

"The current situation is that nobody knows of a better design that is actually better in practice. The one we have is well-studied and has well-understood downsides, so I'm not eager to move to one that is poorly-studied and has poorly-understood downsides."

Right. So every time you connected, your IP would be registered in a permanent blockchain, as a means of being discovered by others on the network.

You totally know what you're talking about.

Not necessarily, you could publish the most recent node list via a blockchain transaction. The publishing address would then be the "announce" address which clients would look up. That scenario would require no writing to the blockchain. What we don't know is how secure that scenario is.

Decentralization is very much needed, but what's essential for Tor to realize such things is "Developers, developers, developers" ~Steve Ballmer

By the way, i'm not a developer.

December 19, 2014

The funny thing is that the more they attack (or attempt to), it just teaches the devs how to strengthen the network. Govts can try to whack-a-mole TOR, but their attempts are futile.

December 19, 2014

Is there nothing the community can do to improve the situation? Wouldn't it be possible to launch extra DAs in places that are more difficult to shut down?

Unfortunately, just adding more DAs doesn't make the system more robust. There's a significant overhead in dirauth communication and the voting process is not as robust as we'd like. We're pretty happy with the set of dirauths we have currently.

The community can do many things to improve the situation. Primarily: donate and educate. Make a financial contribution to Tor Project, be it cash or virtual currency. Educate others about right to privacy. Defend Tor from media attacks labeling it as nothing but a merchant of death, drugs, and dissidents.

December 20, 2014

In reply to arma

Wait, what?? Donations???
Doesn't the government pay you and your project anymore? Or did you already burn the $100k+ you got and the multi million $ the NSA/DoD/HomelandSec donated to the project this year?

The funding we have from various government agencies comes in the form of specific deliverables. For example, everybody likes funding work on pluggable transports and censorship circumvention (it's uncontroversial to help with providing freedom for "over there"). But nobody cares much about funding stronger anonymity, since they think we have a great handle on it and thus there's no need to work on it. So donations are how we are able to spend developer and researcher time on the things that the world needs but it's hard to find funders for.

For other background and explanations, see
https://blog.torproject.org/blog/transparency-openness-and-our-2013-fin…
and also our 30c3 talk which discusses funders and funding:
https://www.youtube.com/watch?v=CJNxbpbHA-I

December 19, 2014

Did I miss something?
"Our previous plan had been to sit tight and hope nothing happens. Then we realized that was a silly plan when we could do this one instead."

What plan / action is, "this one instead?"
Other than announcing the possible attack, or the already "built in Tor network redundancy," what plan are we talking? But those are good, on their own.
Thanks.

December 19, 2014

In reply to sysrqb

Thanks. And Roger is probably busy right now (should be), so can't answer.
But while announcing it on a blog & tor-talk may? be a good idea, it isn't really a "plan" at all. That's why I thought I'd missed something.

"Wait & see" is sometimes prudent, but not a plan.

December 19, 2014

I live in the United States. I use Tor for my everyday web surfing because I believe any record of my web activity to be a violation of privacy. I have nothing to hide, but hiding is my choice. Online privacy is a right for all.

The threat to internet security is pregnable systems, not a network that allows anonymous access to those systems. The threat to our nation is not the threats of anonymous hackers, but adhering to their demands. Sony Pictures, Regal Entertainment, AMC Entertainment and others have put our nation at risk by rolling over at the demand of terrorists. By refusing to release that movie they have set a dangerous precedent and opened the door to future attacks.

nice addition to the nudist company "We have nothing to hide"TM. EVERYBODY has. Otherwise you are controlled by some inter-terrestrial government because they have something to hide. How this something can appear if it was nothing?

I live in the United States. I use Tor for my everyday web surfing because I believe any record of my web activity to be a violation of privacy. Online privacy is a right for all.

100% agreed. I'm also using Tor for each and everything I do on the internet.

I have nothing to hide.

If one has nothing to hide, why would one put their letters in envelopes?
If one has nothing to hide, why wouldn't one walk naked through the streets?

Someone who has nothing to hide is an "exhibitionist", which is considered to be a state of psychological disorder.

December 19, 2014

Roger: As far as I can tell there are 9 servers that are listed in the Tor source as directory authorities. Let's say that 4 of them were seized and taken offline indefinitely.

How would this affect the remainder of the Tor network? My guess is that it would increase the load on the other nodes, but if they have sufficient spare capacity it would not result in an outage. Is that generally correct? (I apologize for not knowing as much about Tor's internals as I probably should.)

(Sorry, not Roger)

Correct, there are currently 9 directory authorities. More than half of the authorities must be online and they must reach a consensus on the current state of the network every hour for them to create and publish the hourly networkstatus-consensus (the list of all the known relays). If four out of the 9 dir auths were compromised and taken offline, then the remaining 5 will continue publishing the consensus and the network will continue operating normally. If more than 5 are taken offline then this was a horrendously large operation and the necessary corrective actions will be taken to ensure the network remains operational.

The one performance impact will be seen by new clients. When they first try connecting to the network (download and launch Tor Browser for the first time) they will try connecting to one of the directory authorities and download the networkstatus consensus from it. If some of the directory authorities are offline, it may take some time for each connection to timeout (while the client connects to an unavailable authority), but eventually the client will reach an operational authority and it will then be able to use the Tor network as usual.

This sounds like a possible denial of service attack would be to seize a single server, leave it online, and program it to never agree with the other eight thereby preventing the hourly networkstatus-consensus publication.
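A simplified model of the "more than half of the authorities" rule discussed in the comments above, added here as an illustration (it is not Tor's code and not part of the original thread). The authority and relay names, the per-relay inclusion rule and the `signs` flag are assumptions of the model; it runs the 4-offline, 5-offline and single-dissenter cases raised in this exchange.

```python
from collections import Counter
from dataclasses import dataclass

TOTAL_AUTHORITIES = 9  # number of directory authorities stated in the thread


@dataclass
class Authority:
    name: str                     # constructed name, e.g. "auth0"
    online: bool = True           # False models a seized/offline authority
    signs: bool = True            # False models an authority that never agrees
    vote: frozenset = frozenset() # relays this authority claims to see


def quorum(total=TOTAL_AUTHORITIES):
    """Smallest count that is 'more than half' of all known authorities."""
    return total // 2 + 1


def make_authorities(offline=0, dissenters=0):
    """Build 9 constructed authorities.

    auth0 does not see relayC (honest views differ slightly in practice).
    Authorities 1..dissenters vote for made-up relays and refuse to sign.
    The last `offline` authorities are unreachable.
    """
    auths = []
    for i in range(TOTAL_AUTHORITIES):
        vote = {"relayA", "relayB"} if i == 0 else {"relayA", "relayB", "relayC"}
        a = Authority(name=f"auth{i}", vote=frozenset(vote))
        if 1 <= i <= dissenters:
            a.signs = False
            a.vote = frozenset({"fake-relay-1", "fake-relay-2"})
        if i >= TOTAL_AUTHORITIES - offline:
            a.online = False
        auths.append(a)
    return auths


def run_round(authorities):
    """One hourly voting round under the simplified model.

    Assumption: a relay enters the consensus only if more than half of ALL
    authorities (not just the online ones) list it, and the consensus is
    published only if more than half of all authorities sign it.
    """
    need = quorum(len(authorities))
    online = [a for a in authorities if a.online]
    counts = Counter(relay for a in online for relay in a.vote)
    relays = {relay for relay, n in counts.items() if n >= need}
    signatures = sum(1 for a in online if a.signs)
    published = signatures >= need
    return {
        "needed": need,
        "signatures": signatures,
        "published": published,
        "relays": relays if published else set(),
    }


if __name__ == "__main__":
    cases = {
        "all nine healthy": make_authorities(),
        "four offline": make_authorities(offline=4),
        "five offline": make_authorities(offline=5),
        "one online dissenter": make_authorities(dissenters=1),
    }
    for label, auths in cases.items():
        r = run_round(auths)
        print(f"{label:22} signatures={r['signatures']}/{r['needed']} "
              f"published={r['published']} relays={sorted(r['relays'])}")
```

In this model one authority that stays online but never signs leaves eight signatures against a threshold of five, and its made-up relays get a single vote, so they never reach the list. With four authorities offline there is no margin left: a relay missed by even one of the remaining five drops out.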

December 19, 2014

What if this isn't happening and they only passed this information in hopes of finding the source of other leaks...

What if Tor Project *knows* it's a decoy leak, but published it as a credible report anyway to avoid revealing that they've compromised the adversary's leak-detection operation...

December 19, 2014

'countries such as Iran, Syria, and Russia'

You forgot to include USA and UK and UAE.

December 19, 2014

So without these DA's, these servers that you control and everyone entrusts their anonymity to, Tor can be killed? Great design you have there.

Thanks for the insightful and productive comment. No, it's not the best design; but it is the best design we have right now. Also, The Tor Project doesn't control the directory authorities. They are run independently by individuals and groups Tor trusts.

December 20, 2014

In reply to sysrqb

I can't claim to have a very good idea of how the physical infrastructure looks behind tor, but by the sound of this comment it sounds like it would scale well horizontally? Is the tor project in need of hardware? I can't contribute with colo's but i have access to used ibm x-series servers and similar. See you guys at 31c3

Those servers have absolutely no ability to compromise any Tor user's anonymity. They're each just a directory of where all the nodes in the network can be found at any given hour.

December 19, 2014

Best wishes, appreciation for your hard work, and hopes for peace in these hyper-annoying times. I say good things about you folks, often with passion, and sometimes using strong language. :-)

-bobmah

December 19, 2014

I'm sorry, but the "right to privacy" does not mean what you assert it means here, at all, even in those jurisdictions that (unlike the US) have that right enshrined in law or constitution.

If you are going to rely on political explanations for your actions, I think it is fair to ask that you get your politics right.

The meaning of the right to privacy is quite clear. It does not give you a right to Tor-like services; it never has, and you'll find very little in Brandeis or even current EU law to justify this.

You might argue that it should include Tor-like services, but it currently does not.

Live in the world you want to live in. (Think of it as a corollary to 'be the change you want to see in the world'.)

We're not talking about any particular legal regime here. We're talking about basic human rights that humans worldwide have, regardless of particular laws or interpretations of laws.

I guess other people can say that it isn't true -- that privacy isn't a universal human right -- but we're going to keep saying that it is.

December 20, 2014

In reply to arma

Just as the Second Amendment to the US Constitution does not grant a right ... it merely acknowledges it as pre-existing ... the most any other political "grant" of rights can do is acknowledge pre-existing rights and agree not to infringe upon them. Whether the Second Amendment has been infringed or not is not the point under consideration but the issue of whether a right exists outside of any declaration by a government that it does.

There is a right to privacy. There is a right to speak freely. There is a right to defend oneself and neighbors from attack regardless of the source of the attack. These rights await no dictum from any source. They are rights possessed by all mankind at the moment of birth.

Arma is correct. If "rights" depend on grants by authority, then there are no rights to be had anywhere for anyone. If a "right" must first be granted and can later be withdrawn, it is not a right ... it is a privilege.

Free men and women assert rights, servants seek privileges. Might I suggest that the rallying cry of "Live Free or Die" remains the essence of all freedoms all over the globe?

"RINO" takes on a new meaning: "Right In Name Only".

don't forget to put on your pants when leaving government premises. should i talk with my children as we are in jail? fuck you "law" which justify this.
I'm sorry, but i don't need your interpretation of humanity.

December 19, 2014

So is the aim of this attack to disable the network or to de-anonymize users en masse? If the latter then how? If the former then what would be the point, since I assume you guys will just establish new DAs and be on your merry way?

Thanks for all your great work!

December 19, 2014

This cyber attack has really spooked the govt...it seems they have -finally- realized just how vulnerable we are to cyber attack. One can only imagine the scene if someone does this to the electrical grid.

Speculation here but I wonder if the prez has authorized for Tor to be nuked? Given this and the recent drugs and cp busts the FBI may have convinced him that the downsides outweigh the upsides. Man the DoD is gonna be pissed.

Re the electrical grid, you're right that there sure is a lot of vulnerability going around.

As for the speculation part... while we're speculating, I'll counter-speculate that Obama has never even heard of Tor. The DoJ is full of people trying to make a name for themselves, who get unhappy when something slows that down. And those people are super unhappy that companies like Apple and Google have been working on architecture changes that make compliance harder.

At the same time as we're freaking out that all the intelligence agencies have spiraled out of control and are illegally watching everything, these people are freaking out that they're about to become unable to see anything and unable to fight any crimes. It's an odd contradiction, but here we are.

December 20, 2014

In reply to arma

Obama never heard of TOR??? wtf? I bet he never heard of Edward Snowden either
please don't tell me the people behind TOR are this naive

December 19, 2014

If 5 or 6 directory servers are compromised would that mean all trafic could be routed to bad nodes?

December 19, 2014

Have the tor devs considered the possibility of using satellite technology? I'd like to see the FBI try to go up there and seize a satellite. I know that sounds prohibitively expensive but I think it would be possible to raise funds.

December 19, 2014

I'd say something about the epic irony here regarding your last update here, but you censor comments. Also ironic.

The epic irony of "Tor matters to a lot of people and we wanted to let people know of this possible upcoming attack"? Thanks for your understanding I guess.

As for censoring comments, we've disabled all the parts of the blog comment system that report your IP address and other details to recaptcha or other spam engines. That's a feature in my book, but the downside is that we get a bunch of spam that we have to manually delete.

Oh, and yes, we also delete the small number of comments that are deliberately hateful or harmful. I'm a fan of free speech, but in this case those people should go take their free speech elsewhere.

December 20, 2014

In reply to arma

Yes, the flood of spam comments for shoes and Chinese herbs.

December 19, 2014

What prevents the united states government from using the resources discovered in the seized servers to permanently infiltrate the network?

December 19, 2014

In North Korea we have ways to make you talk, ARMA! We will now turn all of your blog pages upside-down so you get headache.

December 19, 2014

Going public probably averted a catastrophe. OTOH, law enforcement types don't like to be outdone. They may just go after you personally now. By hook or by crook...

Well, I'd like to think it wouldn't have been a catastrophe no matter how it played out.

But it could be a big distraction, especially since we've all got more important things to do next week (31c3 is coming up, with no doubt more embarrassment for governments about how they've broken their own laws and done horrible things).

December 20, 2014

In reply to arma

It is obvious that there are many out there who would like to see the network disrupted as it undermines and in some cases directly threatens what they do (or would like to do).

The removal of DA's will not prevent Tor working per-se but it will cause significant issues with maintaining the integrity of the relay list and communication of that to client instances and indeed other relays.

We would question the motivation behind such an attack though, is it just short term disruption? Or a nefarious attempt to propagate a longer term sybil-a-like attack? Or something else completely?

In any case it is clear that some consideration must be given to the DA function within the network and how to hold the census together in a more resilient manner but at the same time avoid creating exposure to sybil attacks. The mechanism used for maintaining the Hidden Service directories using a DHT is an obvious candidate but again just opens up the DA function to a different class of attack.

love

El Presidente

December 20, 2014

In reply to arma

Roger,

is there a possible pre-emptive action that can be taken - in the open light - to render such a move futile ?

For instance ask the nice people from CCC and their freedom minded supporters working at freedom minded companies to set up another three directory authorities? Which would work on a short time scale.

A suggestion for the longer term, would be that the developers take some lessons from the freenet design and ask your bridges (& perhaps users along) into lending some harddisk space (1mb for example) and distribute broken up lists in an encrypted way over these channels (key served later).

And perhaps let bridges turn into DAs themselves, distribute an encrypted "fortune cookie", and when the DAs shout a special key throughout tor then only certain (random) bridges & users can turn into DAs (minimizing the chance of a hostile takeover of tor).

I suspect that a fast reaction that would take place within a few days might be difficult.

The directory authorities (DAs) almost certainly need to handle massive amounts of bandwidth, need to be on colocated hardware, and need to be security hardened. This means that establishing a new DA would take some time - and even then, I suspect (but do not know for certain) that the DA would then have to be hard coded into Tor. So, users would then have to upgrade to get the advantages of establishing a new DA.

Additionally, the people that run any new DAs need to be trusted to keep the network secure.

As far as the more technical solutions you mention, you should consider creating a proposal for a more complete idea so it can be evaluated in full. While doing so, it is helpful if you can suggest some advantages and disadvantages that your approach provides.

December 20, 2014

I said this on another forum once. If I know anything about the US Navy and the DoD (not talking about 5os and other feds, only military) that tells them what to do and how to think; They have their own damn tor network, despite what dingledongs and applegay say.

when on earth have you seen the military actively operate where civis are? sure they may have several bases where we live but really now, do they launch any real attacks from them? only exercises and in times of emergency... the military isn't exactly fond of emergencies.

Good luck on relocating your DAs. Just, try to do it right. I have no idea of your situation so I can't know what right is; but you can figure it out by taking a moment to think. If they bothered to ask you beforehand, you may have some time to plan. I don't know who exactly wants your DAs but it can not be for peace or for our benefit.

Don't matter if the military thing is true or not Tor is our own real anonymity system that works on the regular internet. Although don't act surprised if it is true because and I will say this ahead of time... I told you so.

Suggestion: why not let people volunteer DAs (that work on a distro like tails) you will find out about them via email, in person, and or the same way to find out about hidden bridges... then you could just cherry pick the DAs you need, as you need and see fit (for consensus voting and the such) until someone comes up with a more suitable replacement for "decentralizing" your DAs. (namecoin sounds interesting but... bitcoin is not anonymous everyone, everywhere would know when you search for something or 'bought' a domain name; I have other ideas such as dark/anoncoin but dingledong is right, we still need to do our homework)

p.s. I know the nicknames sound like insults but as a TG, they are what I find sexy about you two. ;)
Seriously, thank you for tor. I am not like some high profile person you have saved. I mean you have helped me keep my transition secret until I feel ready from my family (by using tails). I was just really ashamed what they would think about me if I was searching for these things and I thought I was alone and what I was doing was selfish.

December 20, 2014

If $people think, one or more additional directory authorities in Germany make sense, please contact me (use the contact info of exit node 6B3209C88923A80A4DF4C86F585ED4A8643DEF89 or relay 868A253C330F40FBE435D9320849397F85823E86). Immediate action and/or meeting at 31C3 is possible.

What I think is desirable is having one or two DA in South America, probably Brazil and/or Argentina, which are more or less independent from the US, but I don't know how exactly are DAs chosen.

December 20, 2014

It’s unconscionable that you don’t include the United States on your list of “repressive regimes.” That country must top such a list.

December 20, 2014

We should make little clusters of networks that connect to each other so the whole world can be the tor network. So you can't shutdown the whole network. You would need to take it down computer by computer and that would be almost impossible.

December 22, 2014

In reply to arma

How about the I2P network? Couldn't we incorporate some of their ideas into Tor?
I2P doesn't have directory authorities, after all.

I don't want to promote I2P here, but I'm genuinely curious: Has this been seriously considered?

It has been considered, but that doesn't mean everybody has all the answers.

I believe I2P's network discovery mechanism falls to various more complicated attacks. I'd rather stick with the simpler design where we understand the flaws and we understand the attacks.

That said, there's a great opportunity here for researchers to step in and do some analysis on the I2P design -- one of its huge problems right now is that they've for whatever reason failed to get researchers to care enough to break it, except in rare cases like
http://freehaven.net/anonbib/#pets2011-i2p

yes and as tor is just a distributed (tcp) switch nothing can prevent building a "new internet" say on family/company basis.

December 20, 2014

There's no democracy nor privacy in the country where I reside.
If this last privacy services end, I will damn all the neat American technologies which only supports my authorities to monitor their citizens, and will abandon the internet and cellular communication forever.

December 20, 2014

Wouldn't it make sense, in the short-term at least, to get more directory servers up, particularly outside of the US and EU?

I was going to mention Wyoming, but not sure if anyone would get the "Dog Day Afternoon" reference.

Not in Munchen

No, that paper isn't relevant here.

In fact, that paper was misinterpreted by the media: see
https://blog.torproject.org/blog/quick-summary-recent-traffic-correlati…
and for many more details,
https://blog.torproject.org/blog/traffic-correlation-using-netflows

In particular, look at the comments by Sambuddho (the author) about how his paper does not mean what people are thinking it means.

December 20, 2014

Imagine the boring time from Christmas to New Year without Tor! Disaster! Fuck the United Stasi of America and their Gestapo scum!

December 20, 2014

It would seem Tor has been a thorn in side of NSA for a while. This Sony thing is as good a pretence as any to seriously harm it.

Is there a canary system?
How good is physical security of servers?
If you get a National security letter barring discussion there should be fail safe alert.

In the long term is there any way to use steganography concepts (browsing in plain sight) combined with Tor to make it exponentially more difficult to track?

I'd like to think that our architecture makes national security letters not as dangerous for us. For example, delivering a national security letter to The Tor Project won't affect the directory authorities, since The Tor Project doesn't run any of the directory authorities. Similarly, sending a national security letter to just one directory authority doesn't do anything by itself no matter their response.

And *that* said, if any directory authority operator gets a national security letter, they should simply shut down their directory authority:
https://lists.torproject.org/pipermail/tor-talk/2014-December/035952.ht…
There are no letters that demand changes in behavior where you can't instead just choose to stop. Other people will pick up the baton.

As for steganography, you should learn about Tor's pluggable transports:
https://www.torproject.org/docs/pluggable-transports
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPlugga…

December 22, 2014

In reply to arma

How do directory authorities become authorities, a hard-coded list somewhere or are they chosen by the network ? An NSL or other court order could force a change to a hard-coded list.

No, they're manually chosen by the Tor community (i.e. us), and everybody can see the list. Most of the directory authority operators are high-profile figures in the security community, so many people get the chance to meet them in person and evaluate them.

As for a national security letter that would ask us to modify the Tor source code... we will never do that. See also this thread:
https://lists.torproject.org/pipermail/tor-talk/2014-December/035952.ht…

December 20, 2014

A bit of troll...

Please consider alternate hosts for Tor bundle download. It is blocked in my country which is a US ally and therefore no media bothers to criticize it when it comes to human rights violations and abuse.

December 20, 2014

Hi Roger,

I am deeply concerned. But I have still hope for Tor. We all should beware our hope in these dark times.

I have two questions for you, Roger.

1. How is it possible that there are still good people within the potential attacker's organization? Your source - that warned you - seems to be in favor of Tor.

2. Do you feel confident that you (the Tor Project and its community) will be able to fight back this potential attack? There is so much brilliance and expertise in this community. If I had one single wish for Christmas, I would love to see Tor being the David winning against Goliath.

December 20, 2014

Well my Christmas vacation is gone now, thanks for the nerd snipe guys!
oblig ref: http://xkcd.com/356/

With the recent talk here about integrating namecoin, etc. I think we hit on a better solution to the problem. One that tries to maintain backwards compatibility.
https://github.com/vivalibra/norproject

Note that there is talk of a coin in the README document, that is mostly the result of chatting with some other devs in the crypto world. Considering the timetable we will be working under, I don't think a coin could realistically launch at the same time as the rest of the system.

I'm going to start building this right away, hope is to launch a beta before DA servers are pulled out. Anyone that feels like they would like to participate is welcome to join up. Even pointing out design flaws could be helpful.
Please keep any discussion on the page for the project, though I don't want to spam this blog with it.

December 20, 2014

Maybe you could consider toning down the propaganda ? Just a thought. Maybe add a few of the more egregious privacy-raping nations to this list:

' who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia'

How about every second posting you substitute USA and UK and their allies in place of 'Iran, Russia, Syria'. Might just make you a little less offensive and more credible.

No, it's (probably) not Russia.

The Russian word for this was more like asking researchers to propose for research grants. The translation 'bounty' or 'contest' was a bad translation and caused a string of misleading articles.

It is like saying that the National Science Foundation is holding a contest for Tor research.

December 20, 2014

It's totally unrelated. Boa has been wanting to do this for a while, he's talked about it before but never took action. Now he has an excuse.

December 20, 2014

My technical expertise is low which might be why it isn't obvious to me how taking down part of the Tor network would facilitate an investigation into the Sony incident by the FBI. What makes more sense to me is hacking into Tor to develop tools to better handle the next attack. The advanced warning makes the hack look friendlier – something like those “this is only a test” announcements the government makes on the radio and television.

Tor and Tails are two applications that I rely on every day and I don't even have anything to hide. I use these tools daily to maintain a small footprint and to keep proficient for a time when the tools and skills are truly necessary. The dedication and helpfulness of the staff of these two development teams is amazing. The other day I posted a question regarding Tor on the Tor IRC channel and quickly received a concise and helpful response by arma. I didn't know who arma was until I began reading this blog, but I must say that I am pleasantly surprised that arma would take the time to help an ordinary Tor user.

I would consider it to be a near catastrophe if Tor or Tails is compromised because I know of no other easy to use combination that provides the level of anonymity.

December 20, 2014

I can only say one thing about this: "Too big to fail". I don't think anyone can shut down Tor. We all need it, even if some people don't realise it yet. "You can not kill an idea." I believe you/we will find a way to keep Tor alive. Too much is at stake here. Never underestimate the power of the people.

December 20, 2014

If I was the CEO of Sony, I would teach those hackers a lesson and upload my movie "The Interview" to a bunch of torrent servers so that everyone would watch it!

Might there be an interpretation of The Interpreter for every Country of the World? Surely most all would really appreciate.

December 20, 2014

Does this effect anyone who doesn't commit any crimes, doesn't go to any illegal sites, in the United States, ISP doesn't know my activities, and I only use Tor to conceal my IP because of stalkers I've encountered?

Affect? Yes -- if somebody attacks the Tor network they end up endangering all the Tor users, including the vast majority of them who use Tor for exactly the sorts of good and ordinary reasons you do.

In particular, attacking the directory authorities has huge collateral damage exactly along these lines. That's why it would be silly for them to do it. Let's hope they change their mind.

December 21, 2014

In reply to arma

Is this a case about servers keeping logs? I don't know how it actually works. How far back can anyone get the server logs to identify average non-criminal users?

Correctly configured Tor relays have no logs that are useful to attackers. So no, this should not be an issue.

(Of course, that doesn't mean there are no places on the Internet that log information about traffic flows. That's a lot of what the NSA / GCHQ surveillance fuss is about. But that is a separate topic, I hope.)

December 20, 2014

Permalink

I bet that this is a law enforcement operation against Tor by US FBI, Europol and UK NCA. I hope these guys know what they are doing. The collateral damage will be tremendous and it will raise new waves of hate against state-sponsored oppression of human rights.

Every agency in the so-called free world should know: we are watching back and judge your actions. Instead of endangering the good users of Tor, these agencies should work with us to make the world a better place (including Tor).

December 20, 2014

Permalink

Actually, the problem is that Tor isn't decentralized enough to discourage governmental shutdown.

December 20, 2014

Permalink

> I bet that this is a law enforcement operation against Tor by US FBI, Europol and UK NCA.

Yes.

> I hope these guys know what they are doing.

They are engaged in a foolish and dangerous experiment.

This is indeed a crisis, perhaps the biggest the Project has ever faced. Some thoughts:

Roger is keeping his head, which is the proper thing to do during a crisis. Let's all follow his lead and play it cool.

In a crisis atmosphere, making radical changes (e.g. incorporating namecoin into critical Tor infrastructure) seems inadvisable. Much better would be to geographically/legally diversify locations of reserve Dir Auth nodes. Similarly, for users, switching to untried alleged alternatives to Tor also seems inadvisable. If the worst happens, and enough DAs are seized by our enemies to incapacitate the Tor network, let's give the Project a chance to get it back up somehow. (Roger: any idea how long that might take, if more than five DAs are seized?)

Some true Patriot risked her/his freedom to warn Roger, so users should respect his judgment about the need to withhold some information in order to protect the identity of the source. That said, I think there is no point to keeping back the name of our enemy, since it is obvious that it is "FBI" (no other entity has the ability to attempt to seize more than one or two DAs, or is foolish/panicked enough to try).

In my heart, I agree with those who chided Roger for not listing USA at the top of the "Enemies of the Internet". But my brain reminds me of some unpleasant realities: Roger acts under his own name, and an unwritten part of his job description for many years has been talking directly with FBI and other LEA officials, seeking to educate them about why LEAs should not blindly react to Tor by trying to simply shut the network down. Further, he is a US resident, so vulnerable at all times to arrest by US "authorities". All in all, he has a legitimate need to avoid becoming too confrontational with the most lethal parts of the USG. However the users are free to call out our enemies by name, and we are doing so.

I assume the phone lines between Walpole, San Francisco, and New York City are burning up; good! Further emergency action which I assume is happening: contact key media outlets to publicize and explain what is known about the plan to seize DAs (Glenn Greenwald, Marcy Wheeler, Kim Zetter... and would Brian Krebs please comment in the usual place?). And let's start organizing a giant phone-in to the politicos by Tor users in the US and Europe; an instance of what EFF likes to call "the Internet reacts".

A hasty socio-technical suggestion: if the project needs to issue new keys or find some way to distribute emergency TBB with new hardcoded DA identifiers, can you arrange to do that with the assistance of Debian or OpenBSD? Many Tor users already have copies of their signing keys (note that these are two different cryptographic infrastructures since OpenBSD does not use GPG), and it should be possible to arrange with Debian (for example) to set up a special repository which is independent of Debian's own repositories, but whose signing keys are signed by Debian keys.

> any idea how long that might take, if more than five DAs are seized?

Hopefully within the day. We've worked through a lot of scenarios, and we'd write them up here except we're all doing too many things so the write-up has been triaged for now. The main problem in that case, as you say, is going to be Tor users who don't realize that anything's gone wrong.

But for that, we're actually in luck -- you may not have noticed, but the Tor Browser auto updater is actually in place and working as of Tor Browser 4.0. So all the Tor Browser users will get a Firefox style "there's an update available" popup.

As for the tiny fraction of Tor users who even know what Debian is or what a signing key is... they'll be fine anyway when they get their updated deb. It's the millions of totally ordinary people who are most at risk in situations like this.

December 21, 2014

In reply to arma

Permalink

I thought it does not yet support checking the hash during auto update. Has that been fixed?

Alas, this is true. It's at the level of Firefox's updater, but we really want it to be a lot safer than that. Look for better features in the upcoming releases. Or better yet, help us get there!

December 20, 2014

Permalink

Many here correctly appreciate that chief among the many (oh, so many!) nations which must be counted as "enemies of the Internet" is the USA.

But one key point about the USA which some observers tend to overlook is that the USA is controlled by a loose and often uneasy partnership between various centers of government and corporate power. It is very far from being a monolith with a well-defined militaristic command structure. It rather resembles a collection of mutually antagonistic principalities which pay a token tribute to the Sublime Porte, who in reality is more of a figurehead whose directives are routinely ignored or obstructed than a person who directs and controls major events.

Roger already hinted that USIC contacts have been expressing terror that shutting down Tor might deprive them of an invaluable tool in their efforts to continue spying on everyone, a viewpoint which was previously expressed in some of the Snowden leaks. (As already discussed, this is not inconsistent with the assumption that Tor is very far from being an NSA operation, an assumption which is also strongly supported by the Snowden leaks.) If so, this might imply that in the halls of American power, a particular viewpoint within FBI has gained ascendancy over the majority viewpoint in USIC. If this is true, and not a temporary aberration, this would constitute a remarkable sea change in the USG, comparable in its way to the recent reversal of fifty years of misguided US foreign policy regarding Cuba.

I would like to offer one possible explanation for what might lie behind the alleged plot to shut down the Tor network.

I think the Tor community (and indeed the Internet) is currently in mortal danger of becoming collateral damage in an epic collision between three of the most powerful parts of the failing American empire:

* the US entertainment industry, in the corporate person of Sony (just to add to the irony, in the past, as most readers here probably already know, Sony has admitted to infecting its customers with a rootkit disguised as "intellectual property protection", and it has recently been accused of using DDOS attacks and illegal "investigatory" techniques against perceived enemies),

* the vast and incredibly lucrative surveillance-industrial complex, in the institutional person of the chief enemy of everyone in the entire world, NSA, one of the very few institutions in the US which has the power to crush the entertainment industry like a bug,

* Wall Street, which is arguably the most thoroughly corrupt and amoral institution which has ever existed, and the only institution in the world which has the power to crush NSA like a bug, or to twist a U.S. President around its bejeweled pinky finger.

All three are currently terrified, but terrified by quite different nightmare scenarios:

* Hollywood is terrified by the prospect of huge financial losses which it believes could literally eliminate Sony from the face of the Earth, which for them is like imagining the entire West Coast of the USA sinking into the Pacific ocean in some Magnitude 15 earthquake,

* NSA is terrified by the prospect of losing what little ability it still retains to surveil people the President expects them to surveil, because if its intelligence failures become too obvious to the electorate, at some point the U.S. Congress will exercise the one power it yet retains, the power of the purse, by defunding NSA's global surveillance empire on the grounds that it is no longer cost effective,

* Wall Street well appreciates the terrifying instability of the modern global economy; the real danger here is the hundreds of trillions of dollars of exposure of the big banks to "derivatives", but the psychological instability inherent in "the market" means the US economy could very quickly collapse in an over-reaction to some seemingly devastating cyberstrike on the global financial infrastructure.

Thinking back to 2008, we know that the current President fears above all else (even above nuclear detonations) the prospect of global economic collapse. And his control of FBI is more reliable than his somewhat limited influence over NSA. I suspect he has not only heard of Tor but has been persuaded by panicky bankers to "authorize" FBI to initiate an (illegal and risky) experiment by shutting down Tor entirely, following very bad and ill-informed advice such as this:

http://www.rand.org/blog/2014/12/preventing-cyber-attacks-sharing-infor…

Now, can we think of anyone who has recently attempted to switch his allegiance from the surveillance-industrial complex to the Wall Street camp? Whose personal priorities may have changed? Who has very possibly been miffed by a recent financial reverse engendered by an unexpected rebuff from the agency he formerly headed?

NSA stands as a direct enemy of every living person, and it is indeed a formidable and lethal adversary. But just as it would be a serious mistake to underestimate its malevolence and duplicity, so too it would be a serious mistake to overlook the fact that it faces problems of its own, a fact which politically savvy citizens can leverage with the goal of perhaps eventually eradicating it, which would represent a giant leap toward re-establishing the rule of law in American governance, and towards reconstituting the Internet we know and need.

December 20, 2014

Permalink

There are bounties on Tor not just from the governments of the world. But also from the criminals that use Tor wanting to leverage their power. You better believe that ISIS wants complete control over the network.

December 20, 2014

Permalink

Am I better prepared for some temporary DA downtime if I enable the FetchUselessDescriptors option in torrc and from now on run the tor client 24/7?

FetchUselessDescriptors won't help you any.

But keeping your Tor client running might actually help against some temporary failure to generate a consensus. It *shouldn't* help, because Tor ought to be able to handle re-using your cached info on startup, but I'm not sure whether anybody has tested that scenario well enough. (Somebody should test it please!)

December 20, 2014

Permalink

A notable quote from https://www.reddit.com/r/news/comments/2ptxws/the_tor_project_has_learn…

"Here in Thailand, the US embassy uses Tor to communicate possible risks to US expats without having to risk inadvertently saying something offensive (therefore illegal) about the royal family or the junta over the heavily monitored net and phone traffic. While some elements of the US government are terrible enemies of privacy, others rely on Tor every day for their own safety..."

The FBI has truly gone off its rocker, if they are seriously considering seizing DA nodes.

Regarding your quote about what the US embassy in Thailand is doing with Tor.

FYI, Thailand is one of the countries which plays host to large numbers of CIA, NSA, FBI and DEA agents. The other countries are Japan, South Korea and the Philippines. When it was still under the British administration, Hong Kong also hosted large numbers of CIA, NSA, FBI and DEA agents. When it reverted to Chinese rule, the Chinese government ordered them to leave the city.

Singapore is unable to host large numbers of US spooks due to its limited geographical size. However, it is the jewel in the crown for US mass surveillance programs because of the Singaporean government's heavy investment in such activities and very solid relationships with the US government.

(When I say "large numbers", I mean their total head count amounts to about 1,500 personnel.)

It is ironic that the US embassy in Thailand uses Tor to communicate with its expatriate community.

It is noteworthy that the PRISM program and the Finfisher/FinSpy program are being actively deployed by Thailand-based US spooks.

Add to that the US recent admission that Thailand was one of the countries where secret torture chambers were established for "renditions".

If you ask the right people, they will tell you that the former US ambassador to Thailand, Ms Kristie Kenney, was complicit in the US mass surveillance programs that cover Myanmar/Burma, Vietnam, Laos, Cambodia and especially southern Thailand where Islamic fundamentalists are fighting for independence from Thailand.

It is terrific to hear about governments' heavy investment in such activity. It "was" my money and I don't say I agree with how they spend it. So I have a crisis but they have investments. Seems something is wrong.

December 21, 2014

Permalink

It is an interesting detail that the potential attack could take place while numerous core members of the Tor Project are not at home, but abroad attending the 31c3 in Hamburg.

December 21, 2014

Permalink

Could it be a mitigation measure to separate the hidden services in a way that a take down of hidden services and their infrastructure would not affect the Tor network as a whole? I mean, most of the "Tor is the first choice of criminals" allegations by LEA and their media whores are based on abusive use of hidden services.

December 21, 2014

Permalink

So to be clear, does this run the risk of any deanonymization attacks?

Also why hasn't the Tor network considered decentralizing the distribution of node info, such as via a DHT?

December 21, 2014

Permalink

So could the seizure of DA nodes be a step towards controlling or inserting a back door into Tor rather than shutting it down? Is there something about forcing the Tor network to add new nodes or create workarounds for the missing nodes that might create a window of opportunity for the government to infiltrate the network. I suspect that the government would prefer to have a two-tier Tor network where their communications would be secure and anonymous, but everyone else would be subject to government scrutiny. For many years GPS was two tier allowing government receivers to accurately resolve lat/long while limiting the accuracy of non-government receivers.

I have almost no technical knowledge of Tor's operation, but the NSA probably does. If any entity can figure out how to set some government hooks into the Tor network, it would be the NSA. The role of the FBI might be to give the appearance of legitimacy to the NSA's attack by cloaking it with the cover story that the seizure of DA nodes was a necessary part of an investigation into the Sony incident.

December 21, 2014

Permalink

Could a page be added to Atlas or the Tor statistics graphs showing the number of relays changing their public key over time, along with the total number of relays? That way if DSes get silently compromised, you could either look for a sharp drop in the number of useable relays or a large spike in relay key changes- assuming the purpose of a compromise is to force traffic through "known bad" relays.

December 21, 2014

Permalink

I think it would be useful to detail further steps beyond donating and educating, for both users and node admins. Those are both vital, but let's be honest, there's nothing long-term about having sections of the US government liking you and others not via education. Education is a weak tool against their interests in surveillance and censorship.

Node admins:

Assuming directory authorities go down, are there simple instructions to update the nine servers hard-coded available? Certainly updated software would be released, but it makes sense to provide people guidance in manually changing the source code and recompiling. This would be particularly relevant to those who maintain the various Tor ports and packages out there.

If downed DAs are the issue, how would the new DAs be publicized with verification for those doing above? Or even manually verifying (via logs, code review) that the DAs are correct? Even some simple tcpdump instructions might be useful.

Users

What is the widest method to notify users not plugged into this blog, mailing lists, etc? One idea might be to have a "Tor alerts" feed, something that friendly sites could host with important alerts for users. "update your software due to a significant vulnerability" "There are periodic Tor outages due to XXX event" Think wide and far, as opposed to deep and narrow.

Just my $0.02.

Clearly, we may be on the cusp of an intensification of the 'arms race' in a way we didn't imagine. Keep up the good work.

Arma for Nobel Peace Prize? His/her patience is bottomless.

Not in Munchen

December 21, 2014

Permalink

And so it begins?
http://article.gmane.org/gmane.network.tor.user/34619

From: Thomas White riseup.net>
Subject: Warning: Do NOT use my mirrors/services until I have reviewed the situation
Newsgroups: gmane.network.tor.user
Date: 2014-12-21 20:17:23 GMT (2 hours and 24 minutes ago)

Dear all,

Many of you by now are probably aware that I run a large exit node
cluster for the Tor network and run a collection of mirrors (also ones
available over hidden services).

Tonight there has been some unusual activity taking place and I have
now lost control of all servers under the ISP and my account has been
suspended. Having reviewed the last available information of the
sensors, the chassis of the servers was opened and an unknown USB
device was plugged in only 30-60 seconds before the connection was
broken. From experience I know this trend of activity is similar to
the protocol of sophisticated law enforcement who carry out a search
and seizure of running servers.

Until I have had the time and information available to review the
situation, I am strongly recommending my mirrors are not used under
any circumstances. If they come back online without a PGP signed
message from myself to further explain the situation, exercise extreme
caution and treat even any items delivered over TLS to be potentially
hostile.

The mirrors in concern are:

https://globe.thecthulhu.com
https://atlas.thecthulhu.com
https://compass.thecthulhu.com
https://onionoo.thecthulhu.com

http://globe223ezvh6bps.onion
http://atlas777hhh7mcs7.onion
http://compass6vpxj32p3.onion

I will do my best to keep this list updated on the situation as it
develops. If any of the mirrors or IPs do come back online, I would
welcome anyone who is capable of doing so checking for any malicious
code to ensure they are not used to deploy any kind of state
malware/attacks against users should my theory prove to be the case.

At this moment in time I am under no gagging orders or influence from
external parties/agencies. If no update is provided within 48 hours
you may draw your own conclusions.

Regards,
T

--
Activist, anarchist and a bit of a dreamer.

Current Fingerprint: E771 BE69 4696 F742 DB94 AA8C 5C2A 8C5A 0CCA 4983
Key-ID: 0CCA4983
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0
Key-ID: EF1009F0

Twitter: CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966

arma

December 21, 2014

In reply to Anonymous (not verified)

Permalink

No, this is an exit relay operator, not a directory authority operator.

Also, this particular fellow has had a series of run-ins with British law enforcement. This run-in is far from his first (and won't be his last either probably).

England is really bad news these days in terms of civil liberties. I'm glad we don't have any directory authorities in England.

December 21, 2014

In reply to arma

Permalink

Should we add those IPs to the ExcludeNodes of torrc conf? Or are they even active relays?

December 21, 2014

In reply to arma

Permalink

How does an exit relay seizure like this affect its users? Thanks.

It affects its users not very much. It just means that there's a bit less capacity in the Tor network now, until somebody gets upset at the seizure and sets up some Tor exit relays in response. Perhaps that could be you? :)

Seizing an exit relay is mainly done either a) by ignorant law enforcement people who made a list of suspect IP addresses and went to go steal the computer at each one, in case it could provide some evidence. We've taught many of them how to check if a given IP address and timestamp is a Tor relay, but, there sure are many more that we haven't taught. Or b) by law enforcement people who are intentionally trying to harm Tor by scaring and hassling relay operators even though they know they won't get useful results.

I talk more about both of these cases in this older blog post:
https://blog.torproject.org/blog/trip-report-tor-trainings-dutch-and-be…

December 22, 2014

In reply to arma

Permalink

arma said: "It just means that there's a bit less capacity in the Tor network now, until somebody gets upset at the seizure and sets up some Tor exit relays in response. "

Strangely enough, in the past few days I am experiencing a very notable increase of speed in building up pages I visit. I was already used to waiting sometimes a minute or so, but now even complex pages with lots of scripts pop up in less than ten seconds ... ?

December 21, 2014

In reply to arma

Permalink

Yes, well England is probably the worst country in the world to have a server. From what I've heard, it is a scary place to administer servers.

The question remains, why are the DAs centralized in the US and EU?

Now more than ever is a great time to start getting DAs beyond, especially in places where the US/EU 3-letter-govt-agencies have a harder time coordinating with. Yes, geo-politics moves fast, but can you imagine North and South Korea coordinating DA takedowns. That is hypothetical, but the point remains.

Angola or South Africa?

Venezuela or Nicaragua?

Not in Munich

December 21, 2014

Permalink

What if instead of seizing the directory servers the FBI alters them so that certain, specific users are fed a list of fake, government controlled nodes instead of actual ones? They could then target individual IP addresses and completely deanonymise anyone trying to connect to TOR through them.

This is possible but only if they successfully break into a majority of these directory authorities and extract their keys as described above.

There are some interesting technical fixes that people are exploring that would detect if there's ever a second consensus made for a given hour. Something like keeping a hash chain on your side of the consensuses that you've seen, and then comparing that to what others have seen. Basically, we should be able to reuse some of the various 'foo observatory' tricks that people have been working on lately for finding out whether somebody is served a personalized https certificate. More help there would be great!
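A sketch of the hash-chain idea mentioned in the reply above, as an added example that is not Tor's code or an existing Tor feature: each observer chains the consensuses it has seen, and two observers compare their logs to find any hour for which they were served different documents. The names `ConsensusLog` and `find_forks`, and the constructed document bytes, are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

GENESIS = b"\x00" * 32  # chain anchor before any consensus has been seen


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class ConsensusLog:
    """Append-only, hash-chained record of the consensuses one client saw."""
    entries: list = field(default_factory=list)  # (valid_after, doc_digest, link)

    def head(self) -> bytes:
        return self.entries[-1][2] if self.entries else GENESIS

    def append(self, valid_after: str, document: bytes) -> bytes:
        # valid_after is the "YYYY-MM-DD HH:MM:SS" start of the consensus
        # period; that format sorts correctly as plain text.
        if self.entries and valid_after <= self.entries[-1][0]:
            raise ValueError("periods must be appended in strictly increasing order")
        doc_digest = sha256(document)
        # Each link commits to everything before it, so an entry cannot be
        # swapped later without changing every subsequent link.
        link = sha256(self.head() + valid_after.encode() + doc_digest)
        self.entries.append((valid_after, doc_digest, link))
        return link

    def verify(self) -> bool:
        """Recompute the chain and confirm no stored entry was altered."""
        prev = GENESIS
        for valid_after, doc_digest, link in self.entries:
            if sha256(prev + valid_after.encode() + doc_digest) != link:
                return False
            prev = link
        return True


def find_forks(mine: ConsensusLog, theirs: ConsensusLog) -> list:
    """Return the periods for which two observers hold different consensuses.

    Observers may have been offline for different hours, so chain heads can
    differ innocently; only a digest mismatch for the same period is evidence
    that a second consensus was produced for that hour.
    """
    if not (mine.verify() and theirs.verify()):
        raise ValueError("a log failed its own chain check")
    seen = {va: digest for va, digest, _ in mine.entries}
    return [va for va, digest, _ in theirs.entries
            if va in seen and seen[va] != digest]


def build_demo_logs():
    """Constructed sample data: Bob was offline at 12:00 and was served a
    different document than Alice for the 13:00 period."""
    alice, bob = ConsensusLog(), ConsensusLog()
    alice.append("2014-12-22 11:00:00", b"constructed consensus A")
    alice.append("2014-12-22 12:00:00", b"constructed consensus B")
    alice.append("2014-12-22 13:00:00", b"constructed consensus C")
    bob.append("2014-12-22 11:00:00", b"constructed consensus A")
    bob.append("2014-12-22 13:00:00", b"constructed consensus C, personalized")
    return alice, bob


if __name__ == "__main__":
    a, b = build_demo_logs()
    print("forked periods:", find_forks(a, b))
```
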

December 22, 2014

In reply to arma

Permalink

If Tor is hardening the network against corrupted DAs, maybe this is "pull the trigger now, while we still can"?

December 22, 2014

In reply to arma

Permalink

Scare mongering, it's all crap. There are many ways to stay hidden, so I say the FBI and the NSA couldn't trace anything without tracing paper. I have heard nothing and I would be one of the first to know.
It's the same every day cat and mouse games, just relax..........

For sure, if they get the physical server they can alter the BMC and have full control over that server. For example, extract private keys when the server goes online. So beware of any hardware returned after a raid.

December 22, 2014

Permalink

Oh well, I run a directory server in the UK, might take it down after reading this :(

No, you likely run a normal relay with a directory mirror ("DirPort") enabled. That's not the same as a directory authority.

There are nine directory authorities, run by reasonably competent and trusted people around North America and Europe.

Directory mirrors, on the other hand, are offered by most of the 6000+ relays that are running right now, and there's no reason why people would want to hassle somebody for running a directory mirror.

Hope that clears things up for you! Please ask for more help on the tor-relays list if you are still concerned:
https://www.torproject.org/docs/documentation#MailingLists

December 22, 2014

Permalink

Something tells me it will be blamed on North Korea.

FYI. I'm a network engineer with 30 years' experience. My job is information security, penetration testing, white hat hacking, and part of that job is keeping an eye on the hacker groups' forums, web pages, news groups, chat rooms, and videos, just to be prepared for anything coming my way.

I have been watching Sony and hackers in a cyber war for at least the last ten years, and this is all this is. Odds are it's an inside job; the hundreds of terabytes of data would be noticed going over the wire.

It's a trick of the Obama administration, and/or Sony.

Agreed, it seems ironic that Sony have apparently done NOTHING to strengthen data security. It's not as if they don't have the financial resources to hire the right people for the job. After all, they were quite able to insert malicious code into some of their products. So why are they not using due diligence to safeguard the mountain of personal data they hold?

December 22, 2014

Permalink

Sony was never hacked. They just fuck up things. Now they are blaming others to avoid public harakiri.

December 22, 2014

Permalink

The USIC lawyers who claim that "there is no universal right to privacy" [sic] are the same people who advised the leaders of the Land of the Free that kidnapping, torture, and assassination are "legal" [sic]. These people have ventured so far into the territory of state-sponsored criminality that their repugnant ratiocinations are comprehensible only to their ISIL brethren. It does no credit to any civilized nation which fails to apprehend and bring to justice vicious kidnappers, torturers, and assassins, even and especially those acting on the orders of a "government" gone mad.

There is a fine Urdu word to describe people who routinely engage in kidnapping, torture, and assassination: thug.

December 22, 2014

Permalink

Arma, my brothers can help you improve TOR. Will you accept help from the #CultOfSiduri? Find us in the #DarkNet. We are not hard to find ;)

More help is always appreciated! We work in public with public trac tickets, git commits, design discussions, and so on.

But fortunately, we built an anonymity tool so you're welcome to stay pseudonymous while helping. Many people do.

December 22, 2014

Permalink

I know it may be a dumb question, but is TOR still safe (secure) to use?
Thanks for your work.

December 22, 2014

Permalink

Roger, is this a correct summary of the essential facts as currently known?

* Tor Project was tipped by a reliable source and is holding back some knowledge to protect your source,

* The IP addresses of the 10 current DAs are hard-coded in latest TBB and Tails,

* If 4 or fewer DA nodes are captured, Tor may be slightly slower to start for some users, but will still work,

* If more than 4 DA nodes are captured, the enemy can shut down the Tor network, or even direct unsuspecting users to a fake Tor network,

* Even in the worst case scenario, people who used genuine Tor in the recent past will not be deanonymized simply because the enemy captured our DA nodes,

* At least 4 DA nodes are physically located in the US; the others are all located in countries subject to US intimidation,

* In the current design of Tor, increasing the number of DAs wouldn't help in protecting against HVT (high value targeting) "decapitation strikes", but geographical/jurisdictional variety would probably help,

* The attack has not occurred as of the evening of Monday 26 December 2014 GMT,

* If it does happen, Tor Project will quickly be aware that specific DA nodes have been captured, and will notify the public by all available means,

* To bring authentic Tor back up, TBB and Tails users would need to either,

(i) find a message with the IP addresses of the new DA nodes

(ii) authenticate the message

(iii) be told how to edit their torrc to use the new IP addresses

or download new TBB tarball or Tails iso (using non-Tor channels, which could be dangerous if our enemies have decided to declare Tor effectively illegal).

Question: for those who currently use Tor exclusively,

(a) how sure are you that Tor can be brought back up even if five or more DA nodes are captured?

(b) any advice how we can ensure that we are using genuine Tor post-apocalypse, if the network is brought down and then brought up again hours or days later by unknown actors?

Mostly right. For your question (a), it really depends how this hypothetical attack plays out. If we were all online at the time, I think we'd have it back up and working in a matter of hours. But it's such an unusual event that it's hard to guess exactly how it might happen if it does.

(b) When we put out a new Tor version, check the signatures on the packages you download. You should be doing this anyway.
https://www.torproject.org/docs/verifying-signatures
I'm sorry it is so hard on Windows -- please help make it easier!

As for how to detect if somebody else is generating fake consensus documents... I think the whole Internet will be screaming if this happens. One answer is that you can look at the relays in the current consensus document and the relays in later consensus documents and see how much turnover there is. But that is alas hard for ordinary users to do.
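The turnover comparison described in the reply above, combined with the relay key-change count an earlier commenter asked for, as an added example that is not the Tor Project's tooling. It reads the `r` (router status) lines of two full-format consensus documents; the sample documents, relay names, identities and addresses are constructed, and `parse_relays` and `compare` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    nickname: str
    identity: str   # base64 identity digest from the "r" line
    address: str
    or_port: int


def parse_relays(consensus_text: str) -> dict:
    """Map identity -> Relay for every "r" line in a full-format consensus.

    Line layout: r nickname identity digest date time IP ORPort DirPort
    (nine space-separated fields). Other line types are skipped.
    """
    relays = {}
    for line in consensus_text.splitlines():
        parts = line.split(" ")
        if parts[0] != "r" or len(parts) != 9:
            continue
        _, nickname, identity, _digest, _date, _time, address, or_port, _dir = parts
        relays[identity] = Relay(nickname, identity, address, int(or_port))
    return relays


def compare(old_text: str, new_text: str) -> dict:
    """Summarise how much the relay set changed between two consensuses."""
    old, new = parse_relays(old_text), parse_relays(new_text)
    kept = old.keys() & new.keys()
    union = old.keys() | new.keys()
    # Jaccard distance: 0.0 means identical relay sets, 1.0 means no overlap.
    turnover = 1 - len(kept) / len(union) if union else 0.0
    # Same address and ORPort but a different identity key: the relay at
    # that address changed keys between the two documents.
    old_by_addr = {(r.address, r.or_port): r.identity for r in old.values()}
    rekeyed = sorted(
        (r.address, r.or_port) for r in new.values()
        if old_by_addr.get((r.address, r.or_port), r.identity) != r.identity
    )
    return {"old": len(old), "new": len(new), "kept": len(kept),
            "turnover": turnover, "rekeyed": rekeyed}


def sample_consensus(valid_after: str, relays: list) -> str:
    """Build a constructed consensus fragment; identities are placeholders
    made of one repeated character, addresses are documentation ranges."""
    lines = ["network-status-version 3", f"valid-after {valid_after}"]
    for nickname, key_char, address in relays:
        lines.append(f"r {nickname} {key_char * 27} {'d' * 27} "
                     f"2014-12-22 11:05:12 {address} 9001 9030")
        lines.append("s Fast Running Stable Valid")
    return "\n".join(lines) + "\n"


OLD_CONSENSUS = sample_consensus("2014-12-22 12:00:00", [
    ("alpha", "A", "192.0.2.10"), ("bravo", "B", "192.0.2.11"),
    ("charlie", "C", "198.51.100.7"), ("delta", "D", "203.0.113.5"),
])
NEW_CONSENSUS = sample_consensus("2014-12-22 13:00:00", [
    ("alpha", "A", "192.0.2.10"), ("bravo", "B", "192.0.2.11"),
    ("charlie", "X", "198.51.100.7"),   # same address, new identity key
    ("echo", "E", "203.0.113.9"),
])

if __name__ == "__main__":
    print(compare(OLD_CONSENSUS, NEW_CONSENSUS))
```

What level of turnover counts as abnormal is not stated on this page; it would have to be calibrated against the change normally seen between consecutive consensuses.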

December 28, 2014

In reply to arma

Permalink

What makes it so hard? Is there no documentation on the consensus documents?

December 22, 2014

Permalink

Don't panic anons, don't believe all you read or hear on here. The FBI and the NSA can only trace with tracing paper. Just remember, always be one step ahead; there are many ways to stay invisible.
Panic and you will do something stupid and reveal yourself. If you ask me it's scare mongering, as I have not heard anything and I would be one of the first to know ; )

December 22, 2014

Permalink

Following up on Roger's remark

"And as for your 'why', that's an excellent question, and one we've been wrestling with too. There are nine directory authorities, spread around the US and Europe. If they're trying to hunt down particular Tor users, most possible attacks on directory authorities would be unproductive, since those relays don't know anything about what particular Tor users are doing."

Here is an attempted summary of informed speculation about who might be planning to attack us, and why:

* Only USG is capable of attempting to seize 4 or more DA nodes,

* A collaboration between USG and EU governments would be particularly dangerous for Tor,

* Such a scenario is not implausible; according to The Intercept's sources, Belgium seems to be permitting NSA spying on Belgacom to continue with only token hindrance, and Germany's efforts to reduce NSA spying on Germans also seem to be halfhearted (some would suggest that the proper word for such passive collaboration is "treason"),

* Within USG, Snowden leaks confirm that at least until recently, the majority view in NSA/CIA was that killing Tor would be counterproductive to their self-defined mission, which implies that the threat most likely comes from DOJ/FBI, unless NSA/CIA have revised their attitude toward Tor,

* There is no known *plausible* rational reason for USIC to capture DAs other than to try to bring down the Tor network entirely,

* In principle, NSA (or even DOJ/FBI) might try to replace genuine Tor with a fake version in order to pursue deanonymization of Tor users whom they believe pose a threat to USIC, or to US "strategic interests", but it seems doubtful that would be effective for more than a few hours,

* In the current political context their immediate motivation for taking down Tor entirely might be

(i) FBI might be attempting a direct (and fantastically foolish) experiment seeking to find out whether the most dangerous attacks on Western banking infrastructure suddenly fall off when the Tor network is brought down; if so, the world can see how they rate the respective value of the lives of overseas USG personnel and other persons who will be endangered if Tor is brought down, versus the value of Wall Street derivatives,

(ii) NSA might perhaps be attempting a "real world" experiment seeking to verify their ability (well practiced in "cyberranges") to shut down parts of the global internet,

(iii) In principle, NSA might want to take over Tor network to employ it as a global botnet in a retaliatory cyberattack, but this seems highly implausible since they already have several other botnets with much larger net bandwidth (this is confirmed in detail by multiple Snowden leaks),

(iv) Perhaps the least implausible rationale for NSA/CIA trying to take down Tor entirely might be that someone in NSA/CIA thinks this might force some HVT in some (newly or secretly declared?) war zone to use non-Tor lines of communication, possibly rendering said HVT susceptible to a targeted drone strike; among the likely targets would be

(a) ISIL leadership

(b) Boko Haram leadership

(c) (possibly) unnamed major drug traffickers

(d) (very unlikely, one hopes) unnamed torrenteers whose continued existence is repugnant to MPAA

* There may (also?) be some connection with

(i) intense political pressure on FBI to rapidly uncover some "smoking gun" fingering DPRK for the Sony cyberattack, which so far they have clearly been unable to do (but watch out for attempts to invent evidence should none be obtainable through honest detective work),

(ii) the recent cyberattack on a German steel mill, which appears to be one of fewer than five known cyberattacks to date which have caused extensive physical damage (the first being the US/Israel Stuxnet attack on Iranian nuclear enrichment plants; many might assume some other actor must be responsible for the attack on the steel plant, but that would underestimate the nastiness of USIC leadership which is probably seeking ways to remind Angela Merkel of what they can do to the nation she governs if Germany ceases cooperating with USIC),

(iii) increasing hysteria in CIA and NSA aroused by the possibility (likelihood?) that some of their personnel may face prosecution in the EU for war crimes, resulting from multiple criminal acts including kidnapping, torture, and assassination,

(iv) increasing hysteria among US/UK police commands that assassinations of police officers might become a "new normal" (no-one seems to be keeping statistics, but my impression is that what numbers are available suggest that someone like Mr. Bratton would do very well to emulate our own leader by keeping his cool),

(v) recurrent hysteria inside various governments regarding Wikileaks (which has just published new documents leaked from CIA),

(vi) growing fear in certain USG circles of a literal revolution in the US; most observers seem to assess this possibility as unlikely, but they are clearly not taking global financial instability into account, and recent US Army manuals do seem to announce that the US Army general staff expects to occupy major cities (New York City is on their list of targets) during the coming decade, and is thinking hard about how they might try to control an urban population of millions with a military force numbering in the tens of thousands,

(vii) announcements in the press that US/UK/EU are planning another large scale seizure related to supposed child pornography rings; all well informed observers seem to agree that such announcements are very likely nothing but a laughably transparent "smoke screen" attempting to distract public attention from the real motivation for attacking Tor, but these announcements have in the past proven a reliable harbinger of the seizure of Tor nodes,

* When attempting to identify possible "rational" motivations for USG attempting to take down the Tor network entirely, we must bear in mind the all too plausible possibility that they have no idea what they are doing; some Snowden leaks show clear evidence that as recently as 2011, NSA leadership suffered from a seriously flawed understanding of key technical features of Tor; there is plenty of recent historical evidence suggesting that technical (or political) misconceptions might very well play a decisive role in USG "strategic planning" for eternal global cyberwarfare,

* The possibility cannot be discounted that the USIC leadership, frightened by the prospect of their own prosecution for war crimes, is simply lashing out with irrational ferocity.

December 22, 2014

Permalink

"Thailand is one of the countries which plays host to large numbers of CIA, NSA, FBI and DEA agents."

And don't forget SOCOM operatives. Bangkok is one of seven megacities profiled in the following unclassified report (surely intended to intimidate the political leadership in certain countries and certain US cities), which was commissioned by Gen. Ray Odierno, chief of the general staff of the U.S. Army:

https://publicintelligence.net/usarmy-megacities/

(The authors state that their report simply summarizes classified detailed war plans.)

It seems noteworthy in connection with a recent incident in Bedford-Stuyvesant that the U.S. Army is frightened by the favela: Rio and Sao Paulo are also on the list of cities which the Army is planning to occupy (if it feels a need to do so). The document candidly explains that the goal is likely to be replacing an anti-US gang with a pro-US gang, rather than trying to build a credible government which respects democracy and the rule of law in urban regions which are currently "alternatively governed".

Imperial cynicism indeed.

December 22, 2014

Permalink

" Angola or South Africa? Venezuela or Nicaragua?"

Brazil? Iceland?

It is important to distinguish between physical location of the servers and the national address under which they are registered.

December 22, 2014

Permalink

"The attackers appear to have used TOR exit nodes and VPNs to help cover their tracks, which indicates some awareness of operational security (OPSEC)."

It is Tor not TOR.

Whenever FBI hits a roadblock, they must be tempted to speculate like so:

bounce bounce VPN bounce tor-circuit bounce bounce

But the reports I've seen suggest that state-sponsored attacks, in particular alleged DPRK attacks, rarely go to such lengths to obstruct attribution. The fact is, reliable attribution is very difficult even if only a few bounces are used. In fact, it can be difficult to distinguish between "hacktivism" and state-sponsored cyberespionage.

One point which could easily be lost in all the hoopla over DPRK's alleged responsibility for the recent cyberattack on Sony, but which bears emphasis: the human rights record of DPRK is very considerably more appalling than that of the USA (which is really saying something, given what has already come out concerning NSA-enabled kidnapping, torture, and assassinations by CIA):

http://www.hrw.org/nkorea
http://en.rsf.org/internet-enemie-north-korea,39755.html

Blaine Harden makes a similar point (in Foreign Policy):

http://foreignpolicy.com/2014/12/19/when-all-else-fails-hack-hollywood-…

but he accepts at face value the allegation that DPRK planned, executed or assisted the cyberattack on Sony. In contrast, a number of respected techie journalists (including Kim Zetter), alarmed by the prospect of the US and DPRK going to war over the attack, and mindful of past mis-attributions which were used as a pretext for previous wars, have pointed out that the published evidence is not strong:

http://www.wired.com/2014/12/evidence-of-north-korea-hack-is-thin/

From:

http://arstechnica.com/security/2014/12/malware-believed-to-hit-sony-st…

"The FBI and White House have pinned the attack directly on North Korea, but so far have provided little proof"

Xeni Jardin (at BoingBoing) seems to agree that despite the FBI claims, the consensus view among informed observers is that DPRK does not yet stand convicted:

http://boingboing.net/2014/12/19/fbi-north-korea-is-responsibl.html

Tim Cushing (at Techdirt) and Trevor Timm (at the Guardian) argue that even if DPRK assumed responsibility for the cyberattack on Sony, this event would not constitute an act of war:

https://www.techdirt.com/articles/20141218/18192929485/ridiculousness-t…

http://www.theguardian.com/commentisfree/2014/dec/19/sony-hack-cyberwar…

Brian Krebs has laid out a circumstantial case for DPRK involvement:

https://krebsonsecurity.com/2014/12/fbi-north-korea-to-blame-for-sony-h…

Among the evidence he cites is a report from HP Security Research, dated August 2014 and titled "Profiling an enigma: The mystery of North Korea’s cyber threat landscape". This report profiles the current President of DPRK, Kim Jong Un (the real one, not the fictionalized one in the largely unseen feature film at the center of the controversy) as follows:

"Kim Jong Un officially rose to power in April 2012, following the death of his father Kim Jong Il in December 2011. While his age remained a mystery for quite some time, it was later revealed that he was born in January 1983, making him age 31 at present. This makes Kim Jong Un the world’s youngest leader of an established nation. The young leader’s rise to power brought about several changes in North Korea. First, Kim Jong Un’s personal life is more public and more extravagant than that of his father. Unlike his father, the young Kim is often accompanied by his wife when making public appearances. Second, the young Kim, who is more high-tech than his predecessor, is reported to have an affinity for luxury items and is an avid gamer and basketball fan. Third, Kim Jong Un is more totalitarian than his father. Following his rise to power, the regime reportedly expanded its labor camps, and more military resources were allocated to target those attempting to defect. Kim also executed his own uncle, a high-ranking official who did not share his ideals. These moves indicate the regime’s priority to deter internal destabilization and dissent, which is perceived to be a greater threat than outside adversity. According to Phil Robertson, deputy Asia director at Human Rights Watch, 'The government now recognizes that the accounts of escaping North Koreans reveal Pyongyang’s crimes – so it is doing what it can to stop people from fleeing.' Under Kim Jong Un’s rule, the regime has stepped up its nuclear materials production, and the propaganda distributed by state media has become more menacing."

This provides evidence that the surveillance-industrial complex is very displeased by the thought of young men making decisions which affect international politics (one recalls some overwrought comments from that camp concerning the chronological youth of Edward Snowden), but provides no evidence for the notion that Tor is in any way involved in the recent cyberattack on Sony. Indeed, the 75 page report does not even mention Tor. It does describe a "wiper" malware which it attributes to DPRK, but the report provides only very weak evidence to support that.

It is certainly intriguing that Kim the youngest is described as an "avid gamer" (but no evidence is provided).

Momentarily assuming for the sake of argument that the current presidents of DPRK and USA have both authorized destructive cyberattacks, which hardly seems a stretch although publicly available evidence currently falls short of that required for conviction, and assuming further that both men were eventually charged and convicted by the ICC, which seems unlikely, it is interesting to imagine that they might spend some of their sentences playing basketball.

Now, to be fair to President Obama, nobody is accusing him of executing his own uncle. But it seems to me that the evidence tending to implicate Obama in authorizing criminally destructive cyberattacks is currently much stronger than that implicating Kim of such crimes. Regarding the question of who might be responsible for Gamergate, and assuming for the sake of argument that this is a state-sponsored "information operation", it seems fair to say that there exist the outlines of a circumstantial case (establishing both motive and opportunity) for both Kim and Obama:

http://boingboing.net/2014/12/19/fbi-is-investigating-gamergat.html

Several writers point out that if ever a corporation has gone begging for abuse, that would be Sony:

https://www.techdirt.com/articles/20141219/10343429489/fbi-formally-acc…

A useful history of cyberattacks on Sony through 2011 makes the point that this is a corporation which has made a lot of enemies, and committed a lot of network security mistakes:

attrition.org/security/rant/sony_aka_sownage.html

December 22, 2014

Permalink

"They have thier own damn tor network"

The Snowden leaks suggest that this is not quite true: it would be more correct to say that they have their own botnets (with more bandwidth than the entire Tor network), but also use the Tor network (and then, hiding amongst the noise provided by the rest of us generally works to their advantage). However, it seems they directly operate few Tor nodes because they generally have little need to do that. But it is possible that they might try to systematically break into every operating Tor node in order to covertly add an IP logger. That would be a hazardous enterprise because people who operate Tor nodes are likely to have ways of detecting even sophisticated intrusions, and to have a better than average ability to document claims about attribution.

"when on earth have you seen the military activly operate where civis are?"

It is established, from documents leaked or obtained under FOIA, that US military intelligence undercovers have in recent years actively infiltrated domestic US peace and social justice groups, and also that SOCOM maintains an active presence in a number of cities (both US and non-US) where they anticipate future major US military operations.

December 23, 2014

In reply to arma

Permalink

Why not 20, instead of 9? Why did you choose 9? If it takes at least half of the DAs to be compromised to affect Tor, why not make it 100 DAs?

December 23, 2014

Permalink

Can someone please confirm that there was a legitimate reason (ie Tor Update) for every relay to be rebooted within the last 12 hours. Otherwise why all the relays are rebooted???

December 23, 2014

Permalink

In the case that the DirAuths are seized, is there something that the relay operators can do to temporarily mitigate the damage? I've briefly read through the docs and don't see an option for a sort of RelayRecognizedLastGoodConsensus that we could use to 'freeze' the consensus we send out. This would add an attack avenue, but since I understand the consensus to be time limited in its validity, this might give relays the ability to give more time to the DAs to recover while protecting some users against hostile signed consensuses. Users that connect directly to the DAs would have no additional protection, but previous Tor clients with caches may be lucky and connect to a relay with a frozen consensus.

No, the attack hasn't started. All is quiet so far, and at this point it is likely to remain quiet. Great.

It sounds like you've got something misconfigured or some other problem.

December 24, 2014

In reply to arma

Permalink

I have made a new installation without any settings and I get the same message. Maybe other people have the same problem.

December 24, 2014

Permalink

If this could bring more users and serve as a way to promote Tor it would be great! See how much publicity some movie makers can generate through a hack.

December 24, 2014

Permalink

"No, the attack hasn't started. All is quiet so far, and at this point it is likely to remain quiet. Great."

Excellent! But why is the warning not covered in Tor Weekly News?

Something in the related tor-talk thread confuses me: despite mention of AuthDirReject in the quote below, is it correct to date to say: "at no time have any DA nodes been seized; the project has ways to detect at least some tampering with any DA node, and no alarms have gone off."

From:

https://lists.torproject.org/pipermail/tor-talk/2014-December/036074.ht…

# torrrc changes
# thecthulhu reports unknown compromise December 21st, 2014
AuthDirReject 77.95.224.187
AuthDirReject 89.207.128.241
AuthDirReject 5.104.224.15
AuthDirReject 128.204.207.215

# approved-routers changes
# thecthulu reports compromise december 21st, 2014

Regarding Thomas White's mirrors and Tor nodes, it seems noteworthy that the question of how to distinguish between malicious interference and simple router failure also arose in the question of why DPRK's (tiny) internet traffic flow recently "dropped off a cliff".

Correct: "at no time have any DA nodes been seized; the project has ways to detect at least some tampering with any DA node, and no alarms have gone off."

December 24, 2014

Permalink

"Why not 20, instead of 9? Why did you choose 9? If it takes at least half of the DAs to be compromised to affect Tor, why not make it 100 DAs?"

I thought Roger already said (but right now I cannot find the citation) that without untried changes in the current design of Tor, nine or eleven is close to the upper limit.

@ Roger: you said that while it might be possible to locate a DA in Brazil, this might be counterproductive because of how Brazil currently connects to the rest of the Internet. I think I have some clue what you might mean, but would like to hear a more complete explanation speaking to the role played by DAs in the Tor network.

December 24, 2014

Permalink

One problem with the original blog post was that Roger didn't make it clear what if anything Tails users (as opposed to TBB users) might need to do if the Tor network had been taken down for hours or days as the result of the seizure of five or more DAs. Yes, I know Tails is a separate project but in an emergency you can't stand upon ceremony.

In future episodes, please offer any appropriate technical advice specific to both TBB and Tails users.

December 25, 2014

Permalink

I think the attack was performed by Sony themselves. Consider this: if the FBI can trace it through North Korea, and the NK internet must pass through the Chinese network, a state-owned network. Ring a bell or not? I think if the FBI or NSA must penetrate through the Chinese network then the FBI, NSA and CIA must fight against the Chinese cyber armies. There's no way that the Chinese cyber armies will allow this attack without any retaliation at all if this attack is truly performed by CIA, NSA and FBI, no way Jose. Now that film "The Interview" has reached almost blockbuster level on selling and launching. This is a marketing strategy of Sony Pictures along with Obama aka Barry Soetoro's plan to stop the free speech of the people that are now more and more against him. This is made to let the freedom of the Internet be shattered. Yes, of course they will put up the scapegoats. TOR, as usual, is the scapegoat. But they do not notice the proxy chain of SSH servers around the world. In South East Asia, particularly Indonesia, the Indonesian hackers are known as the best carders, crackers and phreakers who love to use SSH in various numbers to disguise their true ID. They are also capable of using SSH servers and emulating them like the way the TOR network works.

December 25, 2014

Permalink

Just while I'm here.

Re TBB 4.0.2:

Spell check function is disabled.

Works fine on regular Mozilla.

Kindly look into this AFTER the holidays please...

December 25, 2014

Permalink

Is anyone running Tor relays on cargo ships that travel worldwide? Cargo ships that can access the Internet by satellite and bypass submarine cables controlled by " Five Eyes" countries?

Such services are quite expensive.
Furthermore the NSA runs a number of listening stations around the world to intercept satellite communication worldwide. Much easier to intercept than anything that runs through cables. Look up ECHELON.

December 26, 2014

Permalink

There are over 10000 nodes now and maybe 3500+ with 20KB/s speeds and named LizardNSA###... Is this a joke or The Attack?

Example:
LizardNSA1000129629 (Online)
Location: United States
IP Address: 130.211.63.102
Bandwidth: 20.00 KB/s
Uptime:
Last Updated: 2014-12-26 13:24:03 GMT

More like a joke. That attack was unrelated and never had any impact on Tor's safety.

See http://www.twitlonger.com/show/n_1sjg365
"This looks like a regular attempt at a Sybil attack: the attackers have signed up many new relays in hopes of becoming a large fraction of the network. But even though they are running thousands of new relays, their relays currently make up less than 1% of the Tor network by capacity. We are working now to remove these relays from the network before they become a threat, and we don't expect any anonymity or performance effects based on what we've seen so far."

December 26, 2014

Permalink

I am having the WARNING icon when connecting to Tor with the Windows browser bundle.

26/12/2014 18:44:52.110 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
26/12/2014 18:44:52.882 [WARN] Your Guard Bazinga ($B198C0B4B8C551F174FBB841A172616E3DB3124D) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself. Success counts are 73/162. Use counts are 78/79. 154 circuits completed, 1 were unusable, 81 collapsed, and 4 timed out. For reference, your timeout cutoff is 60 seconds.
26/12/2014 18:44:53.364 [NOTICE] Tor has successfully opened a circuit. Looks like client functionality is working.
26/12/2014 18:44:53.365 [NOTICE] Bootstrapped 100%: Done

Also, in WHONIX, bootstrap hangs on 5% and Tor does not connect.

Also, TAILS does not connect.

I live in Brazil, South America, and I use NET VIRTUA ISP.

December 26, 2014

Permalink

Connecting to tor today, I was pleased to see the count of exit nodes at last exceed 7,000. Woo hoo! ... until it went to 10,099. 3,000+ new exit nodes called "LizardNSA[0-9]+". All of them have an advertised bandwidth of 20kB/s.

Then this ...

http://gizmodo.com/hackers-who-shut-down-psn-and-xbox-live-now-attackin…

Is this attack really *the* attack? Is it even *an* attack?

Not sure. I'm trying sooo hard to get myself deanonymised, but my tor client just simply refuses to use such low bandwidth nodes. Sigh!

December 26, 2014

Permalink

How come there's nothing here about the LizardSquad attack?

Is this the attack that Roger was warning about?

Good thing Tor weights by bandwidth, not uniformly across all relays, when doing path selection. Running half the relays, while running less than 1% of the bandwidth, has basically no effect.
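The turnover comparison suggested earlier in the thread, combined with the count-versus-bandwidth point in the reply above, as an added example (not Tor Project code). It reads the "r" and "w Bandwidth=" lines of two consensus documents; the sample consensuses, nicknames and identities are constructed, signatures are not verified, and treating consensus bandwidth share as selection probability is a simplification.

```python
import base64
import hashlib
import re
from collections import Counter


def parse_relays(consensus_text):
    """Map relay identity -> (nickname, consensus bandwidth) from 'r'/'w' lines."""
    relays = {}
    current = None  # identity of the router entry currently being read
    for line in consensus_text.splitlines():
        if line.startswith("r "):
            # r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
            fields = line.split()
            current = fields[2] if len(fields) >= 3 else None
            if current is not None:
                relays[current] = (fields[1], 0)
        elif line.startswith("w ") and current is not None:
            for item in line.split()[1:]:
                key, _, value = item.partition("=")
                if key == "Bandwidth" and value.isdigit():
                    relays[current] = (relays[current][0], int(value))
        elif line.startswith("directory-footer"):
            current = None
    return relays


def turnover(old, new):
    """Compare two parsed consensuses by relay count and by bandwidth weight."""
    added = new.keys() - old.keys()
    removed = old.keys() - new.keys()
    total_bw = sum(bw for _, bw in new.values())
    added_bw = sum(new[ident][1] for ident in added)
    # Group new relays by nickname with trailing digits stripped, so a batch of
    # near-identical names registered together shows up as one large cluster.
    clusters = Counter(re.sub(r"\d+$", "", new[ident][0]) for ident in added)
    return {
        "added": len(added),
        "removed": len(removed),
        "added_fraction_by_count": len(added) / len(new) if new else 0.0,
        "added_fraction_by_weight": added_bw / total_bw if total_bw else 0.0,
        "name_clusters": dict(clusters),
    }


def _identity(label):
    # Constructed stand-in for a relay identity: unpadded base64 of a SHA-1 digest.
    digest = hashlib.sha1(label.encode()).digest()
    return base64.b64encode(digest).decode().rstrip("=")


def build_sample(relays):
    """Render (nickname, bandwidth) pairs as constructed consensus router entries."""
    lines = ["network-status-version 3"]
    for n, (nickname, bw) in enumerate(relays):
        lines.append(
            f"r {nickname} {_identity(nickname)} {_identity('d' + nickname)} "
            f"2014-12-26 12:00:00 192.0.2.{n + 1} 9001 0"
        )
        lines.append("s Running Valid")
        lines.append(f"w Bandwidth={bw}")
    lines.append("directory-footer")
    return "\n".join(lines)


# Constructed sample data: five established relays, then a later consensus in
# which one has left and five low-bandwidth relays with similar names joined.
OLD = [("alpha", 9000), ("bravo", 7000), ("charlie", 6000),
       ("delta", 5000), ("echo", 3000)]
NEW = OLD[:4] + [(f"ExampleFlood{i:04d}", 20) for i in range(5)]


def sample_report():
    """Turnover between the two constructed consensuses."""
    return turnover(parse_relays(build_sample(OLD)), parse_relays(build_sample(NEW)))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On the constructed data the new relays are more than half of the list by count but well under 1% by weight, which is why turnover is worth measuring both ways.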

December 26, 2014

Permalink

The official (?) tweet on the 26 December 2014 Sybil attack on the Tor network:

"This looks like a regular attempt at a Sybil attack: the attackers have signed up many new relays in hopes of becoming a large fraction of the network. But even though they are running thousands of new relays, their relays currently make up less than 1% of the Tor network by capacity. We are working now to remove these relays from the network before they become a threat, and we don't expect any anonymity or performance effects based on what we've seen so far."

If I understand correctly, the Dec 2014 Sybil attack is probably far less dangerous than the July 2014 Sybil attack, even though it involves more nodes, because it captured less bandwidth:

http://www.techweekeurope.co.uk/workspace/tor-us-attack-identity-privac…

December 26, 2014

Permalink

Cargo ships: probably a very bad idea.

Search eff.org for several Snowden leaks describing systems by which NSA surveils communications (including satphones) from all cargo ships.

Possibly a better idea: replacing the internet with short range radio communications, using software defined radio.

December 27, 2014

Permalink

BE FOREWARNED

It is Boxing Day and it appears that the Lizard Squad is attacking the Tor network.

December 28, 2014

Permalink

It seems that Tor Project needs to relocate to a country with more freedoms than the United States

December 28, 2014

Permalink

An attempt to attack the tor network may be ongoing for a long time:

http://www.spiegel.de/media/media-35538.pdf

These documents were written in the past. If there is one old document, saying that tor poses a major problem but not a catastrophic failure, and then there is another document, saying

"have shown deanonymisation attack for tor. Requires tor collection from exit nodes we own. Hope to get this running live..."

Then one has to assume that GCHQ is now running this live...

http://www.spiegel.de/media/media-35542.pdf

shows that they are doing correlation attacks and tor traffic shaping already, and they are reporting success with it.

And here they are describing their tor de-anonymization attempt in more detail:

http://www.spiegel.de/media/media-35543.pdf

Note that this was written in the past. One has to assume that they are running this technique now after they reported their successful research in the notes above...

I believe the attack described in the detailed document would not actually work at scale.

This is a subtle but important point: I'm not saying that the general type of attack would not work (I think it does), but I am saying that the specific attack described in the paper wouldn't.

I talked about the topic a little bit more in our 31c3 talk this year.

December 28, 2014

Permalink

On the Tor Metrics Portal> Users> Graph: Bridge users by transport, could you provide separate graphs for meek-google, meek-amazon and meek-azure in addition to meek ( total )?

January 04, 2015

Permalink

One thing that "frustrates" me is that there does not seem to be any versions of TOR that do not have StartPage guarding the gateway. StartPage acts kind of like a "nanny" that won't let a person do anything "controversial" on the Deep Web. Any thoughts?

One thing that "frustrates" me is that there does not seem to be any versions of TOR that do not have StartPage guarding the gateway. StartPage acts kind of like a "nanny" that won't let a person do anything "controversial" on the Deep Web. Any thoughts?

In my opinion that's exactly how it should be - a simple portal to a privacy-friendly search engine. Unfortunately, the Tor Project has to deal with a huge amount of negative propaganda, continually churned out by those who see personal anonymity as a threat to their dystopian vision of "total information awareness". The mainstream media are all too happy to parrot the misrepresentations and misleading statistics fed to them by "the powers that be" because hyperbolic scare-stories are big sellers.

It's deeply disheartening to see such an important and legitimate tool being pilloried and deliberately misrepresented for political gain or a convenient scapegoat. But this is just what we have to deal with and we'll have to deal with it for a long time to come.

With that in mind, the last thing we want to do is give "the powers that be" any more ammunition for their disinformation campaigns. Can you imagine the field-day they'd have if the Tor start-page provided an idiot-proof portal to hidden services, censored material or indeed anything that is liable to stir up controversy?

Those who wish to explore the more "controversial" aspects of Tor can very easily do so with minimum research. But shoving it under everybody's nose as the first thing they see when they launch the Tor Browser Bundle is almost tantamount to promoting it and that will surely provide yet more ammunition for those that wish to see Tor dead and buried.

I think the start-page and the default config are pretty decent out-the-box (apart from enabling JavaScript - I thought we were trying to limit attack-vectors, not multiply them). But basically it's a good balance and it gives the user immediate access to anonymised browsing, which is all most users want. Those who wish to dig deeper have every ability to do so (they are, after all, on the internet - great research tool).

I'm speaking from "educated guesswork" here but I believe the current start-page has been very deliberately designed to be as innocuous as possible. Tor is for everyone - some users haven't even reached their teens while others are old enough to draw a pension. Many such users don't even know what a "hidden service" is, they just want a bit of anonymity in their day-to-day browsing habits. They neither need nor want to see controversy in any form, much less engage in it. And those who do want to engage in controversy will easily find it for themselves.

I do empathise with you, I'd love it if the start-page provided a comprehensive portal into Tor-land. But it's an entirely political decision; Tor has some very powerful enemies who will seize upon any opportunity to discredit the system. The Tor Project is under constant scrutiny; they need to be very careful, they need to do everything "by the book", they need to keep many people on-side... it's a hard job and it's inevitable that compromises need to be made. I think the TBB start-page does a good job of playing to its strengths whilst underplaying those aspects that stir controversy.

We can only hope that the BS politics are not too much of a distraction from Tor's truly life-changing mission. But there's no doubt that it makes a lot of things a lot harder for them.