Did the FBI Pay a University to Attack Tor Users?

The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:

Here is the link to their (since withdrawn) submission to the Black Hat conference:
along with Ed Felten's analysis at the time:

We have been told that the payment to CMU was at least $1 million.

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — if this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

When we learned of this vulnerability last year, we patched it and published the information we had on our blog:

We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of "legitimate research".

Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent.


November 19, 2015


CMU is claiming they helped FBI per subpoena and were not paid anything for this.

The important thing is that Tor is less vulnerable as a result of all this; it's just too bad that CMU couldn't disclose this to the project before announcing to the FBI.


November 19, 2015


Petition CMU to release details of its findings. Appeal to insiders, whistleblowers, etc., etc.

> Is Tor safe no more?

Tor, if used wisely, has never been stronger!

The Internet is a very dangerous place, yet everyone needs to use it to survive. Tor is the best tool currently available to protect ordinary people against some of the worst dangers.

Think of the Internet like Oxygen. We need it to live, but Oxygen is rather dangerous (explosive, fire hazard). As more and more people adopt Tor, it can function like the Nitrogen which helps keep the atmosphere from exploding every time some idiot strikes a match.


November 22, 2015


Sounds like someone used a nice payday as an excuse to dispose of their own morals...que pena! Oldest story in the book: if you can't figure out your own dirty-work, pay someone else a handsome sum to make them forget their own moral compass and do your dirty-work for you!

What's really f***ed up is that this is *law enforcement* that did this, not criminals (or are they really? It begs the question, doesn't it? Is the FBI really just nothing more than a gang of criminals, or not?). Ethics were just thrown right out the window!


November 22, 2015


Oh wow. Look the government breaking the laws to "protect us". When they get bored of their main goal to kill brown people overseas with laser guided bombs and advanced scoped rifles this is what they do.

> Oh wow. Look the government breaking the laws to "protect us". When they get bored of their main goal to kill brown people overseas with laser guided bombs and advanced scoped rifles this is what they do.

Brother, the USG is also killing brown-skinned people in the US just as fast as their semi-automatic police pistols will shoot. That's what the Black Lives Matter movement is all about.

Totally agree that the signature drone strikes and US military's habit of actively targeting fully functional trauma centers (at least three MSF hospitals so far have been targeted) is a war crime and the people who order such strikes must be brought to justice in the ICC.

I too wish more Americans were doing more to try to persuade their government to stop carrying out war crimes. But that said, some of the most eloquent voices speaking out against war crimes being committed by the USG have been Americans such as Glenn Greenwald and Chris Hedges, so at least *some* Americans understand that they are ruled by a criminal regime.


November 23, 2015


Tor network needs better encryption, for example an 8000-byte key using AES or RC4 on the entry + exit node.


November 24, 2015


CMU might not have been the first university with an internationally known and respected computer science studies program that certain agencies have approached for assistance. CMU happened to be the one discovered doing the assisting. Maybe CMU was being trolled for possible future agency computer analysts. Give them a problem and see what solutions they find. "You did great!" "Come work with us!"


November 24, 2015


@arma, ailanthus:

You made major statements just before the Friday 13 attacks then fell silent, which worries me.

Is the Tor Project being threatened by US federal agencies? Censored by its USG "letterman" sponsors? Does your "no backdoors" pledge still hold? Is Tor Project aware of any vulnerabilities which USG/HMG won't allow your devs to fix?


November 24, 2015


> Maybe CMU was being trolled for possible future agency computer analysts. Give them a problem and see what solutions they find. "You did great!" "Come work with us!"

CIA agents are openly stationed in "think tanks" in key US university campuses. DARPA and NSA fund a startling proportion of math/CS research in these same universities. These facts are not secret, but few students seem to be aware of the situation. I urge Tor Project to try to help privacy advocates organize boycotts of these agencies and funding sources on US campuses.

This proposal is fully consistent with Tor Project urging universities to construct IRBs for CS research on the data of real people such as Facebook users and (more ominously given the potentially life-or-death stakes) Tor users.


November 25, 2015


Is the Human Species experiment a dismal failure? Will we destroy each other with our self serving behavior? Must we change our ways to prevent the extinction of the Species? Look into a mirror (deep into your own eyes), and ask yourself these questions.


November 25, 2015


The sooner you learn that SECRETS are govt number 1 priority, the sooner you will accept that LAW does NOT apply to the lawmakers/enforcers. No, it's not fair. US govt does not need to pay universities but they will... Why? Cause they are 50 yrs ahead of main stream. These relationship tentacles are to make sure any new TECH RE-INVENTED is shut down and to constantly test new talent. Measure THE EXTENT OF SPYING: US spies on UK, shares the info with UK. UK spies on US, gives the info to US. No law is broken. Govt fears that of which it does not know... It will be a constant battle and Tor will lose every fight. The above poster is 100% right.


November 26, 2015


I comment here fairly often. It seems like my comments often don't appear, but all sorts of crazy things do. Is what I have to say really of lower quality?


November 27, 2015


To recapitulate: the attack by the CMU "researchers" on live Tor traffic of real people apparently ran from Jan 2014 to July 2014.

The researchers submitted an abstract to Black Hat in Feb 2014 but this was apparently not immediately published. Later that spring Tor Project apparently heard about the attack and asked the researchers for details, but got nothing back. Then Tor people discovered that the CMU attack was still ongoing, so on 4 Jul 2014, arma posted an advisory about the "relay early" attack:

Tor security advisory: "relay early" traffic confirmation attack
30 Jul 2014

The next day (apparently), the abstract was finally published and it was rather boastful:

You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget
Alexander Volynkin & Michael McCord

> The Tor network has been providing a reasonable degree of anonymity to individuals and organizations worldwide. It has also been used for distribution of child pornography, illegal drugs, and malware. Anyone with minimal skills and resources can participate on the Tor network. Anyone can become a part of the network. As a participant of the Tor network, you can choose to use it to communicate anonymously or contribute your resources for others to use. There is very little to limit your actions on the Tor network. There is nothing that prevents you from using your resources to de-anonymize the network's users instead by exploiting fundamental flaws in Tor design and implementation. And you don't need the NSA budget to do so. Looking for the IP address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know because we tested it, in the wild...
> In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity. In our analysis, we've discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months. The total investment cost? Just under $3,000. During this talk, we will quickly cover the nature, feasibility, and limitations of possible attacks, and then dive into dozens of successful real-world de-anonymization case studies, ranging from attribution of botnet command and control servers, to drug-trading sites, to users of kiddie porn places. The presentation will conclude with lessons learned and our thoughts on the future of security of distributed anonymity networks.

On 21 Jul 2015, Black Hat announced the cancellation of the talk, without explanation. Smart reporters were quick to notice the possible implications:

Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users -- Perhaps Because It Broke Wiretapping Laws
Mike Masnick
21 Jul 2014

Active attack on Tor network tried to decloak users for five months
Attack targeted "Tor hidden services" used to protect IDs of website operators.
Dan Goodin
30 Jul 2014

On 30 Jul, the vulnerability believed to have been exploited by the CMU attackers was fixed by the Tor Project.

In Jan 2015, increased aerial surveillance and operational "Stingrays" were observed, consistent with a major urban operation by one or more US agencies. Soon thereafter, one or more people were apparently arrested using information "developed" by FBI from the CMU data of unmasked IPs. The arrests were trumpeted by FBI as a major takedown of the "darknet" and were widely covered by the US and international media.

A week later the first hints of the connection between the CMU attack and the court cases emerged:

Did feds mount a sustained attack on Tor to decloak crime suspects?
Court doc suggests investigators spent six months last year exploiting anonymity bug.
Dan Goodin
21 Jan 2015

Then earlier this month, Vice Motherboard published court documents revealing that a "university" had provided FBI with key information used to develop evidence against one or more suspects. These revelations and arma's post accusing CMU of taking a payoff were widely covered over the next two days:

Tor Says Feds Paid Carnegie Mellon $1M to Help Unmask Users
Andy Greenberg
11 Nov 2015

Did Carnegie Mellon Attack Tor for the FBI?
Bruce Schneier
Nov 2015

The Tor project alleged that the FBI paid Carnegie Mellon University researchers to attack Tor hidden services last year.
Robert Abel
12 Nov 2015

Report Claims FBI Paid Carnegie Mellon University $1M to Attack Tor
Jamie Condliffe
12 Nov 2015

Academics 'Livid,' 'Concerned' Over Allegations that CMU Helped FBI Attack Tor
Joseph Cox
12 Nov 2015

Carnegie Mellon may have ratted out Tor users to the FBI
Steve Dent
12 Nov 2015

FBI: “The allegation that we paid CMU $1M to hack into Tor is inaccurate”
Revelation raises more questions than it answers, Carnegie Mellon still silent.
Cyrus Farivar
13 Nov 2015

Then the Friday 13th attacks in Paris happened, and the story hasn't been heard from since.

The Project needs to change that. Right now the last word in these articles is from FBI denying that they "paid CMU". Some reporters say FBI told them, additionally, that CMU had been hit with a "subpoena". (Accompanied by a gag order? Why did CMU not fight it?)

It is known that USG agencies fund the CERT with which the two researchers apparently have dual affiliation. FBI appears to be leveraging the complicated and confusing nature of public/private/university partnerships to confuse the issue of who paid how much to whom, and for what purpose. Pressure should be brought to bear on CMU to be much more forthcoming about exactly what happened.

The nicest possible version which may be consistent with the known facts seems to be this: the two researchers did some very dangerous and possibly illegal "research" targeting millions of Tor users around the world, and when FBI learned about their alleged "achievement"*, they rushed to slap CMU with a secret "subpoena" --- or possibly an NSL letter, which comes with a gag order and is generally written by a supervisory FBI agent, not by a judge. If it was an NSL letter, CMU lawyers might well have concluded that if the researchers gave their talk they could be charged with violating the gag order. If the FBI's aim in misusing an NSL was to prevent Tor Project from quickly fixing the vulnerability, they only gained about a week's "grace period" (since the bug was fixed a week after the talk was cancelled).

Because of the vexed nature of who owns/operates the CERT, and what facilities and affiliations the researchers used when performing the attack, the hypothesis sketched above is not incompatible with the claim that in some sense FBI paid CMU more than one million dollars for "research". Slapping the "researchers" with an NSL may have just been a way to hush up the mysterious payments. That someone or something was paid a huge amount for some "research" or data seems clear, and FBI certainly seems to be in no hurry to clarify exactly what happened.

(* Just how many users the CMU researchers really unmasked, and whether they really unmasked web surfers as well as visitors to hidden service websites, remains mysterious, but until further evidence is provided, it seems wise to assume the percentage was far smaller than "all Tor users".)


November 30, 2015


> So the take away aside from all the CMU fiasco is that it would be wiser to visit non-onion sites?

My gosh no, not at all. The take away is that the world needs *more* hidden services, and as the project continues to make it easier to set up hidden service sites, we all need to use them in novel and creative ways!

For example, members of groups allied to

o Occupy movement
o Black Lives Matter movement
o anti-fracking and anti-coal movements
o anti-trade-treaty activism
o socialist alternative movement
o human rights issues
o animal rights issues
o anti-corruption activism (for example, in Kenya or Nigeria)
o union activism (for example, on US college campuses)

are intensely spied on by various OSI-as-a-service companies as well as by a hundred or so US federal, state and local intelligence agencies (including OSI analysts working in Fusion Centers), and legions of similar agencies hailing from places as diverse as the Czech Republic and Nigeria. (These days, an activist in New York can very easily come under surveillance or even attack from someone working for the current Syrian government.) It can increase the effectiveness of such groups if they have safer places to discuss ideas, by allowing them to in effect give advance notice to local spooks and cops of planned sit-ins (for example), without divulging their internal discussions of ideas and plans for mobilizing the public.

I hear that some people involved in the grass-roots effort to bring to justice at the ICC the US leaders who order "signature drone strikes", the Syrian leaders who order artillery barrages, gas attacks, and the dropping of "barrel bombs", CIA "dirty wars" assassins, etc, etc, are using hidden services to share information and coordinate their research.

I could go on:

o civilian cryptography researchers
o climate scientists
o engineers working for telecoms
o etc.

The beneficial uses of hidden services are limited only by your imagination.

Hidden services are for everyone. That comes with a cost, but the benefits for The People very obviously far outweigh the costs.

None of us could possibly be happy with everything someone else might use a hidden service for. For example, they are ideal for oil/mineral resource exploitation explorers who need to stay in touch with colleagues in a secure fashion, just as human rights workers traveling in dangerous locations need safe ways to exchange information and ideas.

But consider this: in the early days of the automobile, there were quite serious calls from police chiefs to forbid cars on the grounds that some early adopters were using cars as getaway vehicles from bank robberies. It might have been better for the climate if they had gotten their way, but imagine how different the world would be in other ways if those misguided officials had managed to outlaw the Model T.


November 30, 2015


Hidden services could offer a more secure way to anonymously report bugs without immediately revealing to the ever-listening spooks working for often mutually hostile governments around the world the unpatched security vulnerabilities of your personal LAN.

We know from the Snowden leaks that NSA exploits such information to attack people like you and me, and no doubt other spooks are actively doing the same thing.

It's all of them against all of us.


December 01, 2015


Julia Angwin's book Dragnet Nation (Henry Holt, 2014) opens with a terrific example of the kind of bulletin board which should be

o nonprofit

o hosted as a hidden service to protect the anonymity of posters

She describes the experience of two posters at PatientLikeMe.com, and her account (and the entire book) are well worth reading.

The book focuses on the dangers posed to us all by corporate databases full of dangerous and detailed personal information, and it's important not to forget that misuse of such information by private interests can be almost as devastating, in some cases, as misuse of Big Data trawls by governments.

Some related applications for which VOIP plus HS would be perfect:

o anonymous suicide hotlines

o anonymous mental health or substance abuse counseling lines

Currently such services are typically

o tied in to local emergency response services

o completely unencrypted, inviting routine monitoring by LEAs

Bulletin boards set up by activist groups, law firms, medical practices, etc, should also be hosted as HS.

Many governments sponsor organizations which offer information to people possibly suffering from sensitive medical conditions or substance abuse issues. Their websites should instruct visitors how to obtain Tor in order to visit their HS, so that it will be difficult for government agencies to track which persons think they or a family member may have a particular STD or drug abuse problem. Because people should have a chance to address such issues themselves, before the government starts intruding into their lives.


December 01, 2015


One possible application for which HS+TM would be perfect is highly ironical: if entities like DHS were really serious about preserving anonymity in their "See Something, Say Something" tip lines, they would provide these as TM-accessible hidden services. Needless to say, the only good thing which civil libertarians have to say about this kind of application is that they seem to waste a lot of the FBI's time.


December 01, 2015


I would love to see more activist groups such as climate-change activists adopt TM and use HS to set up bulletin boards which might be more resistant to OSI surveillance (and more secure against intrusions into insecure software such as VB) than current boards.

The French activists currently under house arrest by the French "authorities" might use their confinement (hopefully temporary) to learn how to do this.

Technology is politically neutral. HS boards would also seem to be ideal for disreputable political intelligence activities such as this:

The Koch intelligence agency
As the billionaires’ network works to reshape U.S. politics, it keeps a close eye on the left.
Kenneth P. Vogel

> The political network helmed by Charles and David Koch has quietly built a secretive operation that conducts surveillance and intelligence gathering on its liberal opponents, viewing it as a key strategic tool in its efforts to reshape American public life.

Take home lesson: the far right is already using technology to spy on "leftists", so leftists would be wise to adopt technology which can counter the efforts of people like the Koch brothers.


December 01, 2015


Who could benefit from Tor Browser, Tor Messenger, and Hidden Services? Whistleblowers like Gerry Gallacher:

Snooping Scottish plod to be taken to tribunal by spied-on detective
Talking about a bungled murder inquiry? You'll be targeted under terror powers
Alexander J Martin
30 Nov 2015

> A former detective for Police Scotland who raised concerns regarding a bungled murder inquiry, and was subsequently targeted by anti-terrorism powers, has stated he will follow his complaint through to the Investigatory Powers Tribunal.
> According to the Scottish Sunday Mail, which had pursued the initial story, Gerry Gallacher was among those targeted under RIPA without the force having attempted to obtain a judicial warrant.
> ...
> Gallacher had raised concerns about the investigation of a murdered woman, Emma Caldwell. The Sunday Mail had reported that Police Scotland had ignored a significant suspect in the inquiry, instead wrongly focusing their two-year investigation on Turkish suspects. Charges against those suspects were eventually dropped, and nobody has yet been brought to justice for the murder.

So why are the producers of "real-crime" tell-all shows not championing TM and HS?


December 01, 2015


UN agencies whose activities might not always be favorably viewed by host governments should consider using text messages sent by TM and perhaps also bulletin boards hosted as HS (so they can check their recollection of data while traveling in a dangerous location).

Many human rights investigators already use Tor for such purposes.

For much the same reason, FBI investigators working on a terrorism investigation in a country such as Kenya would be wise to use TM and other strongly end-to-end encrypted anonymity-preserving tools.


December 01, 2015


Internal bulletin boards set up by law firms would also be suitable candidates for being set up as HS in order to make it harder for adversaries to track who lawyers are talking to.

It is known from several independent leaks over the past few years that both GCHQ and FBI do specifically target at least some law firms.

Doctors and nurses frustrated by hard-to-use systems set up by hospitals and clinics for sharing the personal medical information of patients with other medical providers often bypass them by emailing or texting unencrypted messages. This practice horrifies both privacy advocates and hospital administrators who are cognizant of the enormous potential cost (often in the tens of millions USD) of breaches of medical information. While there are legitimate reasons to worry about people sharing sensitive information evading the system their employers have told them to use, if they really feel they have to do this, there is a case to be made that TM+HS would be a much better modality. Especially once TM can send files such as medical imagery and other diagnostic results.

Further, conversations between private citizens and

o their doctor
o their lawyer
o their spouse
o their political representatives

should always be properly encrypted end to end and difficult to track by potential adversaries (and these days, no person is too innocent, no target is too small to receive attention from one or more intelligence agencies), and tunneling these through HS might help.

As an example, some concerned citizens in the US and UK may try to communicate to their political representatives their concerns about the very real potential for accidental (or malicious) partial or complete detonation of the W-88 warheads carried in the Trident II missiles on board the ballistic missile submarines based in Scotland and the US. There is good reason to think that NSA and GCHQ try very hard to monitor such communications. FBI in particular appears to assume that everyone trying to "lobby" a legislature on any issue connected with nuclear weapons must be a "foreign agent" acting on behalf of Israel or some other nation with skin in the game. See for example:

Spookception: US spied on Israel spying on US-Iran nuke talks
25 Mar 2015
John Leyden

> Israel spied on the recent US-Iran nuclear talks, alleges America. And the US knows enough about it to say it publicly because the NSA is spying on Israel, along with everyone else. The Wall Street Journal reports that Israel handed over confidential information from the negotiations to friendly members of the US Congress in a bid to derail any deal.

I acknowledge that FBI has a legitimate need to investigate possible public corruption by judges or legislators, or --- if they have probable cause and obtain a freaking search warrant from a judge --- suspected unregistered agents of foreign powers, but they certainly shouldn't routinely monitor communications between anti-nuclear activists and their legislators.

In the absence of meaningful restraints upon such warrantless full-content collection of communications between private citizens and their political representatives, there is a case to be made that legislators should also offer end-to-end encrypted communications tunneled through HS.

Concerns about warrantless surveillance extend far beyond "national security" issues to such controversies as citizens demanding municipal broadband, or organizing employees of Walmart:

Walmart spied on workers' Tweets, blogs before protests
Defence contractor Lockheed Martin provided intelligence services before Black Friday
30 Nov 2015

> Walmart has recruited aerospace, defence and security concern Lockheed Martin to comb open source intelligence in the lead up to Black Friday union protests, Bloomberg reports. The super-colossal retailer has a difficult history with unions and engaged the defence contractor to keep tabs on its employees in the run up to the national fire sale.

One recalls also the apparent involvement of the US Chamber of Commerce in a campaign to discredit Wikileaks and reporter Glenn Greenwald, which apparently enlisted the services of HB Gary Federal, a now defunct subsidiary of HB Gary, a (previously reputable) cybersecurity contractor:


Aaron Barr would have been wise to use TM and HS rather than a poorly protected unencrypted email server to make it harder for cyberactivists to target his now defunct company.

(Spell check humor: a software tool helpfully inquires whether by "HBGary" one means "Buggery". Well yes, in a way one does.)

We can't prevent the bad guys from misusing Tor. But we can and must not let this possibility, or government intimidation, prevent us from helping the Project to make Tor, TB, TM, and HS software freely available, and from using these powerful tools for good purposes.

Power to the People!


December 01, 2015


> If you *really* want to be safe from The State online, don't go online.

Says the Thought Police.

The governments, the corporations, the point oh oh something per cent are afraid of the People. Terribly afraid. They desperately want the general population to be intimidated, cowed, afraid to take risks to speak out, to organize, to resist.

The proposition that citizens have no remaining avenues of effective resistance is simply not true. But even if it were, consider how contemporary writers treat people living as slaves in pre-Civil-War America. Do we honor the memory of the compliant slaves who bowed their heads in obedience to the shackle and the whip? Or do we honor those slaves who took every opportunity to make the slave-holding economy less sustainable, who engaged in "unauthorized recreation", who visited in secret relatives at neighboring plantations, who attempted to escape at the very real risk of summary extralegal execution?

Rough Crossings
Simon Schama
Harper-Collins, 2006

Landon Carter's Uneasy Kingdom
Rhys Isaac
Oxford U Press, 2004

Consider how we remember the people slaughtered in the Holocaust. Do we admire most the ones who allowed themselves to become so terrorized that they never uttered a murmur of protest as they were herded into the gas chambers? Or the few youthful rebels who organized "hopeless" physical resistance to their genocidal captors?

Do we kindly remember those German citizens who failed to speak out against Hitler, in the early years when he could have been stopped? Or do we honor the memory of Rosa Luxemburg?


Many people who have listened to the rantings of a number of current candidates for President of the USA are seriously concerned by their unapologetic embrace of fascistic notions. Those of us who have attempted to warn for years that America could very possibly become a fascist nation, if moderates do not join us in sounding the alarm, take no comfort in our "paranoid" fears being vindicated. Because we have also warned for years that America too can commit genocide.

And we know this is true for the worst of reasons. We know it is true because Americans have committed past genocides. Against the native Americans, and then again against the Filipinos (the conflict which gave birth to the torture technique now called waterboarding). And then again, in Vietnam. Some of us suspect that the drone strikes are coming close to constituting a new genocide. And we take note when the USG time and again pointedly declines to rule out drone strikes against American citizens *inside the US*.

If you are an American, you should be very worried about the path down which your country is hurtling, because the destination is totalitarian genocide.


If you are writing and reading the others in good faith and sincerely, you should better make a donation than pray at the top of the blue mountain waiting for the end of the star wars (US go home).


December 01, 2015


> But I am sorry, because I live in a religious totalitarian country (Iran) and I can not donate or pay money for Tor... we are on your side.

Understood. Even if you can't send money, saying that you are with us helps more than you might think.

Increasingly, the US, UK, and EU appear to be moving toward the status of prison-states where journalists are imprisoned for doing journalism, where citizens cannot speak out against governmental policies or try to expose corruption.

For many decades, the US was a place to which you could try to escape, if you had the misfortune to be living in the USSR while Jewish. Now it is a place which rejects you, if you have the misfortune to be living in Syria, full stop. Or even a nation which (come 2016) may try to kick you out, should you have the misfortune to be living in the US while Muslim.

It's terribly sad, but it's always possible that a grass-roots popular movement might even yet reverse these trends.


December 01, 2015


> Tor should not have written flawed software. Not cool, Tor.

Don't be absurd. The devs try to discover and fix flaws before each release (what did you think those testing release announcements are for, anyway?), but inevitably some get through. Sometimes dangerous flaws get through. But when the Project learns of them, they fix them, and a lot faster than any company would.

And the security situation appears to be rapidly improving. Tor doesn't exist in a vacuum. TB builds on Iceweasel, the Debian version of Mozilla's Firefox. TM builds on other open source software. Tails is a security-hardened amnesiac version of Debian. And after years of neglect (in the opinion of some loyal Debian users), Debian Project has seen the light and is developing important projects like reproducible builds. Thanks to Snowden, the entire software community is working towards more rigorous security audits of critical security/anonymity software. Assuming the FBI does not succeed in making research illegal, in making encryption illegal, in making cybersecurity itself illegal, things will get better for us all.


December 02, 2015


Everyone who has followed this story will want to read this:

The attack that broke the Dark Web—and how Tor plans to fix it
Kashmir Hill
30 Nov 2015

See also

Tor Devs Say They've Learned Lessons From Carnegie Mellon Attack, But Worries Remain That They're Outgunned And Outmanned
Karl Bode
1 Dec 2015

These stories are good references to cite when GCHQ shills post claims that "Tor is broken" [sic] or "Tor cannot be trusted" [sic].

Yes, even one mistake can be devastating, but clearly Tor Project has learned many valuable lessons from this one incident. And it still seems possible that FBI actually got much less abusable information for their million dollars than we fear.

Thanks for all your hard work continuing to debug and improve Tor, TB, TM, your advisory role for ACLU, EFF, etc., your advocacy of projects like Reproducible Builds, etc!


December 04, 2015


Who might want to set up an anonymous blog using hidden services (HS)?

Many publicity-aware celebrities maintain some kind of carefully controlled media presence, in which every attributable post is pre-vetted by a publicist. But sometimes they are thoughtful people who might want to express a political or social viewpoint which is not easily tied to their real life identity. A HS blog would be ideal for such activity.

Chinese government officials cannot safely criticize official policies, but it would be a mistake to assume that no Chinese government official has a thoughtful view on any subject which differs in some respect from official government policy.

For example, the Chinese government officially acknowledges that during the next decade, advances in AI and robotics will lead to massive job losses, as society transitions from the adult default being "employed" to the default being "unemployable". (The USG and most EU governments refuse to even discuss this issue.) But the official Chinese position is that it is not the role of the government to address this transition. Rather, they insist that the People must figure out a solution. I suspect that some Chinese government officials who have thought hard about this issue would like to (anonymously, safely) publish a contrary viewpoint. Others might have something thoughtful to say about the possible dangers lurking in the government's plan to adopt "citizenship scores" by 2020.

And some Chinese government officials might want to publish family-oriented non-political blog posts not easily tied to their real identities, in which they simply gush over how amazingly cute their grandkids are when they read aloud their Berenstain Bears books.

There are so many reasons why all kinds of people might want to use HS for reasons which almost never have anything remotely resembling "criminal intent" or "terrorism-enabling".

Tough decisions await China's pollution battle
Some coal-fired power stations face closure as country slowly begins to wean itself off its addiction to fossil fuels.
Adrian Brown
12 Dec 2015

> [China] is a heavy polluter but is also probably spending more on efforts to combat pollution than any other country... Beijing authorities were forced to issue their first red alert due to the smog levels earlier this month... For much of the past two weeks, the city has been blanketed by a poisonous pall that has closed schools and disrupted life for the millions that live there. But China's government has been unusually open about the problem and has been encouraging public awareness.

I sense another opportunity here for Tor to post an explainer for Chinese government officials who might want to anonymously speak their mind on an issue which is, perhaps, adversely affecting the health of their own family.

So how do you set up an anonymous blog as a HS if you are a non-computer-expert living in China?


December 04, 2015


The CMU attack has focused attention on the critical role played by entry nodes in ensuring the user's anonymity.

@ tor devs:

Does current Tor provide good protection against mandatory root certificates installed to enable dragnet style state-sponsored MITM/DPI?

Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?
Come on, guys. Don't go giving the Russians any ideas
Shaun Nichols
3 Dec 2015

> Kazakhstan may be about to intercept and decrypt its citizens' internet traffic – by ordering them to install rogue security certificates.
> On Monday, the nation's dominant telco Kazakhtelecom JSC said it and other operators are "obliged" by law to crack open people's HTTPS connections, and that this surveillance will begin from January 1.
> This spying will be made possible by insisting everyone installs a "national security certificate" on their computers and mobile gadgets – most likely a root CA certificate just like the ones found in Lenovo's Superfish and Dell's Superfish 2.0 scandals.

A notable point here is that Superfish began as a corporate-sponsored MITM to enable dragnet-style adware campaigns, which is now being adopted by at least some governments as a key element of technologically-enabled population-control schemes.

Regarding the critical role of entry nodes, be sure you've read
because it's exactly the same topic.

Tor does not have any silver bullets for policy-mandated insecurity. If they ("they") tell you that you must install some spyware, or else, then we don't have a magic fix for that. I think that means it's wisest to solve the problem before it gets to that point. Hopefully they will recognize that mandating the spyware also involves mandating certain OSes, configurations, etc, and that's crazy-talk at a national scale.

Following your comment below about the SSL certs, if core Tor uses its own PKI, wouldn't that be totally incompatible with mandatory MITM certificates? Even if the cert itself was compatible, it would be nontrivial for a regular user to insert it into Tor, not to mention pointless to even use Tor at that point.

Without knowing the details, I'm assuming the ISP would block any connection that's not HTTP, or HTTPS with the MITM cert. Even so, it might still be possible to tunnel Tor inside of a MITM SSL connection, for example via a pluggable transport. The old but good talk "How Governments Have Tried to Block Tor" is probably relevant.


December 06, 2015


> The Tor community might be up in arms about this but there are also victims every day getting doxed, getting their sexual abuse shared, getting their money stolen, and this sort of thing [dragnet surveillance? state-sponsored cyberintrusions, bugs and burglaries?] is sometimes the only way to get justice for the victims.

Assuming I correctly understood what you were trying to say, I think you have entirely missed the point.

Doxing, breaches of medical information, cybertheft are all enabled by the poor cybersecurity (in particular, poor encryption) which was for decades actively fostered by NSA in order to ensure that they could spy on everyone's private lives. While the cybersecurity mess we all face is not *entirely* NSA's fault, all the experts appear to agree that there is no organization more to blame. Even former NSA officials who remain generally supportive of dragnet surveillance appear to now acknowledge this.

Something else for you to think about: if I see a man standing outside my living room window peering in at my family, sneering as he records us peacefully living our private lives using his video camera, would I not ask him to move along? If he doesn't respond, would I not draw the blinds? Or call the cops? And if he is wearing a government uniform, would I not be justified in asking him what the heck he thinks he is doing? And if he refuses to explain his actions, if he does not present a valid search warrant, would I not be justified in drawing the blinds, even though the mysterious snoop is wearing a government uniform?

Spying on people is immoral. A government which spies on all of the People all of the time "for the duration" of an endless and unwinnable war on Who Knows Whom doesn't sound like government for the People, does it?

These thoughts may explain why so many citizens think the USG has gone off the rails. The question now is what to do about that.

> Doxing, breaches of medical information, cybertheft are all enabled by the poor cybersecurity (in particular, poor encryption) which was for decades actively fostered by NSA in order to ensure that they could spy on everyone's private lives.

CISA-omnibus, the dragnet surveillance bill disguised as a cybersecurity bill folded into a must-pass spending bill, makes all this much worse.

At ProPublica, Charles Ornstein has been explaining how ordinary citizens are being hit the hardest by breaches of their personal medical records:

Farrah Fawcett Was Right: We Have Little Medical Privacy
Charles Ornstein
30 Dec 2015

New Jersey Psychology Practice Revealed Patients’ Mental Disorders in Debt Lawsuits
Charles Ornstein
23 Dec 2015

Small-Scale Violations of Medical Privacy Often Cause the Most Harm
Charles Ornstein
10 Dec 2015

The next big story in this field: HIPAA has been neutered by a lethal combination of

o EHRs copied to HIEs (better known to cyberspies as "watering hole" sites) became mandatory under the "Administrative Simplification" of the HIPAA Privacy Rule some years ago,

o the 21st Century Cures Act, which was enacted just a few months ago, mandates that medical providers release personal medical records to "researchers"--- the law says "researchers", not "medical researchers", in an apparent attempt to encourage FBI/NCTC/DEA and state and local LEAs to run amok among the personal medical records of all Americans.

o the phrase "notwithstanding other provisions of law" also appears in the 21st Century Cures Act, in the section putting into law incentives for medical providers to sell personal medical records of their patients to Big Pharma and other industries; this language appears to be intended to repeal the Privacy Rule entirely.

US persons are left with not even the illusion of Doctor-Patient confidentiality. The entirely predictable consequence: Americans are starting to avoid medical care entirely, just when other legislation promises to ensure they can afford to seek care should they choose to accept the privacy risks.


December 06, 2015


> My daughter just told me she read the news and that she's leaving her PhD work at CMU for another university because of it. She's some kind of computer designer.

She has my thanks, and my best wishes for her future career (maybe designing dragnet-resistant gear for the ordinary citizen?).

I hope Tor Project will reach out to its academic friends and to civil liberties groups like ACLU and EFF, seeking to organize academic boycotts of irresponsible "research", CIA "think tanks" on American campuses, etc.


December 07, 2015


Thanks for replying. If I misunderstand I plead exhaustion.

> because it's exactly the same topic.

Great overview of four major issues in the problem of choosing Entry guards (how many, how often), but no discussion of the potential danger posed by nation-mandated root trusted certs allowing easy MITM, agreed?

> Tor does not have any silver bullets for policy-mandated insecurity. If they ("they") tell you that you must install some spyware, or else, then we don't have a magic fix for that.

If I understand what you are saying, Tor users in Kazakhstan are gravely endangered right now. And the rest of us tomorrow?

How can we search our trusted cert cache (in Tails version of Tor browser, say) to ensure that no rogue certs are there? If I see certs from various governments, does that mean any of them can MITM my connection to any Entry node?

Ah. Tor (the program called "tor") does not care about your certs or your cert store. The bad guys can't give you a cert that will mitm your connection to your entry guard. That's because Tor uses its own public key infrastructure, completely independent of the Certificate Authority mafia.

Now, all of that said, there is another program, called Tor Browser, which is based on Firefox and *does* rely on the certificate authority mafia for deciding for example whether https websites are legit.

If somebody forced you to change your Tor Browser so it would believe bad CAs, then it would believe the bad CAs, and then somebody on the Internet in between the Tor network and Facebook could pretend to be https://facebook.com/ and your modified Tor Browser would believe it.

The fix of course is to not let people force you to run the wrong software.

> If somebody forced you to change your Tor Browser so it would believe bad CAs, then it would believe the bad CAs, and then somebody on the Internet in between the Tor network and Facebook could pretend to be https://facebook.com/ and your modified Tor Browser would believe it.

Please bear with me, I still don't understand.

Here are the parts I think I *do* understand:

1. I am in some country possibly subject to state-sponsored breakage of PKI, and my tor client builds a Tor circuit which looks a bit like this:

tor-client <==> entry-node <==> relay <==> exit-node <==> https-website

where all connections are encrypted since I am surfing to an https website.

2. DNS lookup and OCSP lookup are done by the exit-node, which is in some country and possibly subject to state-sponsored breakage of PKI.

3. Also running on my computer: TBB, which is based on Firefox, and which contains a store of "trusted" certs used to "verify" that an https site is genuine.

4. The actual connection to an imposter website would be made by the exit node.

I think you might be saying that the initial hop from my tor client to the entry node is not easily MITM'd by a government mandated rogue cert. I think you might be saying that Kazakhstan or McCaulistan might try to insert a rogue cert into the store trusted by my Tor Browser (how?). I think you are saying that the false claim that some IP is facebook.com is tunneled back down through the Tor circuit, where it is incorrectly trusted by my TB (even if the exit node knows better?). Am I getting warm?

Would the bad cert be (overtly? covertly?) inserted into the tarball? Or could it be covertly inserted into a running genuine previously-unmunged TB? And then covertly re-inserted each time I start a new TB process?

And what if I am using Tails booted from a read-only DVD, not TBB running under some too-trusting OS?

Assume I have made every effort to verify all cryptographic signatures of latest edition of TBB or Tails, but have no idea how to try to use Verifiable Builds.


December 07, 2015
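The distinction drawn in the reply above (the program called "tor" checks entry guards against its own key infrastructure, while Tor Browser decides whether an https site is legit by consulting its CA trust store), together with the earlier comment about Kazakhstan's mandated "national security certificate", as an added example. This is not code from the Tor Project or from anyone in this thread; it is a simplified Python model of the two trust decisions, plus a baseline comparison that answers the "how can we search our trusted cert cache" question at the level of principle. The root names, key bytes and relay nickname are constructed, and the real Tor handshake and the real X.509 chain validation are both more involved than the two one-line checks shown here.

```python
"""Added example (not Tor Project code): why a root CA forced into a browser's
trust store can enable a MITM of an HTTPS site, while Tor's guard-identity
check, which pins keys from the directory consensus, is unaffected.
All names, keys and fingerprints below are constructed placeholders."""
import hashlib
from dataclasses import dataclass


def fingerprint(public_key: bytes) -> str:
    # Hex SHA-256 of the key bytes; stands in for a relay identity fingerprint
    return hashlib.sha256(public_key).hexdigest()


@dataclass(frozen=True)
class Cert:
    subject: str       # hostname the certificate claims to be for
    public_key: bytes  # constructed placeholder for the key material
    issuer: str        # name of the root CA said to have signed it


def browser_accepts(trust_store: dict, cert: Cert, hostname: str) -> bool:
    """CA model (Tor Browser / Firefox, simplified): the certificate is accepted
    if the hostname matches and its issuer is any root in the trust store.
    Every root in the store can vouch for every hostname, so one added root
    is enough to make an impostor's certificate for facebook.com validate."""
    return cert.subject == hostname and cert.issuer in trust_store


def tor_accepts_guard(consensus: dict, nickname: str, presented_key: bytes) -> bool:
    """Tor model (simplified): the client already knows, from the directory
    consensus, which identity key the guard must present. The CA trust store
    is never consulted, so extra roots in it change nothing here."""
    return consensus.get(nickname) == fingerprint(presented_key)


def unexpected_roots(trust_store: dict, baseline: dict) -> list:
    """Defender's check for the 'how do I search my cert store' question:
    compare the live store against a known-good snapshot and report roots
    that are new or whose key has changed."""
    return sorted(name for name, key in trust_store.items()
                  if baseline.get(name) != key)


# Constructed data: a genuine root, a mandated "national security certificate",
# a guard relay and an attacker. No real keys are involved.
GENUINE_ROOT = ("Example Root CA", b"genuine-root-key")
MANDATED_ROOT = ("National Security Certificate", b"mandated-root-key")
GUARD_KEY = b"guard-identity-key"
ATTACKER_KEY = b"attacker-key"


def scenario() -> dict:
    baseline = dict([GENUINE_ROOT])               # store before the mandate
    store = dict([GENUINE_ROOT, MANDATED_ROOT])   # store after installing it
    consensus = {"guard1": fingerprint(GUARD_KEY)}
    # The impostor's certificate for facebook.com is signed by the mandated root
    impostor = Cert("facebook.com", ATTACKER_KEY, MANDATED_ROOT[0])
    return {
        "browser_before": browser_accepts(baseline, impostor, "facebook.com"),
        "browser_after": browser_accepts(store, impostor, "facebook.com"),
        "guard_genuine": tor_accepts_guard(consensus, "guard1", GUARD_KEY),
        "guard_impostor": tor_accepts_guard(consensus, "guard1", ATTACKER_KEY),
        "new_roots": unexpected_roots(store, baseline),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point the model makes: the impostor certificate is rejected before the mandated root is installed and accepted afterwards, while the guard check gives the same answers in both cases because it never looks at the store. The `unexpected_roots` comparison is the shape of the check a user would want; for a real browser profile the baseline would be the root list shipped with that browser version, and the comparison would be done on certificate fingerprints rather than on the toy name/key pairs used here.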


> The memo explicitly stated that an "untoward event" could be exploited to push through hasty laws mandating back doors. Such an event has just been provided by that other notable Enemy of the People, ISIS/L. (IS claims to be a government, and is in fact functioning as the government ruling most of Syria, so the People should regard it as an established government, however barbaric, not as an underground terror group.)

The Isis papers: leaked documents show how Isis is building its state
Shiv Malik
7 Dec 2015

> A leaked internal Islamic State manual shows how the terrorist group has set about building a state in Iraq and Syria complete with government departments, a treasury and an economic programme for self-sufficiency, the Guardian can reveal.
> The 24-page document, obtained by the Guardian, sets out a blueprint for establishing foreign relations, a fully fledged propaganda operation, and centralised control over oil, gas and the other vital parts of the economy...[The memo] builds up a picture of a group that, although sworn to a founding principle of brutal violence, is equally set on more mundane matters such as health, education, commerce, communications and jobs. In short, it is building a state.


They are not all three working in concert, but the effect is the same.

It's all of them against all of us.


December 09, 2015


It's called the USA Patriot Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.

Read it and weep. Carte blanche for FBI.

It was 15 years ago, and it was a response to real hostility coming from the EU / Israel / France.
The USA forgives its enemies easily as soon as it has benefits.
2016: Turkey (3 000 000 000 $ from the EU) vs Russia, and what about Tor?

Not sure whether the "forgiven enemy" you have in mind is Russia or Turkey. Both of those countries are regarded as enemies of press freedom and as nations which freely abuse the civil rights of their citizens, unfortunately.