Possible upcoming attempts to disable the Tor network

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.

Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.

The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.

[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]

It is obvious that there are many out there who would like to see the network disrupted as it undermines and in some cases directly threatens what they do (or would like to do).

The removal of DA's will not prevent Tor working per-se but it will cause significant issues with maintaining the integrity of the relay list and communication of that to client instances and indeed other relays.

We would question the motivation behind such an attack though, is it just short term disruption? Or a nefarious attempt to propagate a longer term sybil-a-like attack? Or something else completely?

In any case it is clear that some consideration must be given to the DA function within the network and how to hold the census together in a more resilient manner but at the same time avoid creating exposure to sybil attacks. The mechanism used for maintaining the Hidden Service directories using a DHT is an obvious candidate but again just opens up the DA function to a different class of attack.

love

El Presidente

Roger,

is there a possible pre-emptive action that can be taken - in the open light - to render such a move futile ?

For instance ask the nice people from CCC and their freedom minded supporters working at freedom minded companies to set up another three directory authorities? Which would work on a short time scale.

A suggestion for the longer term, would be that the developers take some lessons from the freenet design and ask your bridges (& perhaps users along) into lending some harddisk space (1mb for example) and distribute broken up lists in an encrypted way over these channels (key served later).

And perhaps let bridges turn into DAs themselve, distribute an encrypted "fortune cookie", and when the DAs shout a special key throughout tor then only certain(random) bridges & users can turn into DAs(minimizing the chance of a hostile takeover of tor).

I suspect that a fast reaction that would take place within a few days might be difficult.

The directory authorities (DAs) almost certainly need to handle massive amounts of bandwidth, need to be on colocated hardware, and need to be security hardened. This means that establishing a new DA would take some time - and even then, I suspect (but do not know for certain) that the DA would then have to be hard coded into Tor. So, users would then half to upgrade to get the advantages of establishing a new DA.

Additionally, the people that run any new DAs need to be trusted to keep the network secure.

As far as the more technical solutions you mention, you should consider creating a proposal for a more complete idea so it can be evaluated in full. While doing so, it is helpful if you can suggest some advantages and disadvantages that your approach provides.

Seth Schoen

December 20, 2014

Permalink

I said this on another forum once. If I know anything about the US Navy and the DoD (not talking about 5os and other feds, only military) that tells them what to do and how to think; They have thier own damn tor network, despite what dingledongs and applegay say.

when on earth have you seen the military activly operate where civis are? sure they may have several bases where we live but really now, do they launch any real attacks from them? only excercises and in times of emergency... the military isn't exactly fond of emergencies.

Good luck on reloacting your DAs. Just, try to do it right. I have no idea of your situation so I can't know what right is; but you can figure it out by taking a moment to think. If they bothered to ask you before hand, you may have some time to plan. I don't know who exactly wants your DAs but it can not be for peace or for our benefit.

Don't matter if the military thing is true or not Tor is our own real anonimity system that works on the regular internet. Although don't act surprised if it is true because and I will say this ahead of time... I told you so.

Suggestion: why not let people voulunteer DAs (that work on a distro like tails) you will find out about them via email, in person, and or the same way to find out about hidden bridges... then you could just cherry pick the DAs you need, as you need and see fit (for consensus voting and the such) until someone comes up with a more suitable replacement for "decentralizing" your DAs. (namecoin sounds interesting but... bitcoin is not anonymous everyone, everywhere would know when you search for something or 'bought' a domain name; I have other ideas such as dark/anoncoin but dingledong is right, we still need to do our homework)

p.s. I know the nicknames sound like insults but as a TG, they are what I find sexy about you two. ;)
Seriously, thank you for tor. I am not like some high profile person you have saved. I mean you have helped me keep my transition secret until I feel ready from my family (by using tails). I was just really ashamed what they would think about me if I was searching for these things and I thought I was alone and what I was doing was selfish.

Seth Schoen

December 20, 2014

Permalink

If $people think, one or more additional directory authorities in Germany make sense, please contact me (use the contact info of exit node 6B3209C88923A80A4DF4C86F585ED4A8643DEF89 or relay 868A253C330F40FBE435D9320849397F85823E86). Immediate action and/or meeting at 31C3 is possible.

What I think is desirable is having one or two DA in South America, probably Brazil and/or Argentina, which are more or less independent from the US, but I don't know how exactly are DAs chosen.

Seth Schoen

December 20, 2014

Permalink

As if we believe anything the FBI or CIA says . It was prob them who hacked Sony

Seth Schoen

December 20, 2014

Permalink

It’s unconscionable that you don’t include the United States on your list of “repressive regimes.” That country must top such a list.

Seth Schoen

December 20, 2014

Permalink

We should make little clusters of networks that connect to each other so the whole world can be the tor network. So you can't shutdown the whole network. You would need to take it down computer by computer and that would be almost impossible.

How about the I2P network? Couldn't we incorporate some of their ideas into Tor?
I2P doesn't have directory authorities, after all.

I don't want to promote I2P here, but I'm genuinely curious: Has this been seriously considered?

It has been considered, but that doesn't mean everybody has all the answers.

I believe I2P's network discovery mechanism falls to various more complicated attacks. I'd rather stick with the simpler design where we understand the flaws and we understand the attacks.

That said, there's a great opportunity here for researchers to step in and do some analysis on the I2P design -- one of its huge problems right now is that they've for whatever reason failed to get researchers to care enough to break it, except in rare cases like
http://freehaven.net/anonbib/#pets2011-i2p

yes and as tor is just a distributed (tcp) switch nothing can prevent building a "new internet" say on family/company basis.

Seth Schoen

December 20, 2014

Permalink

There's no democracy nor privacy in the country were I resign.
If this last privacy services end, I will damn all the neat American technologies which only supports my authorities to monitor their citizens, and will abandon the internet and cellular communication forever.

Seth Schoen

December 20, 2014

Permalink

Wouldn't it make sense, in the short-term at least, to get more directory servers up, particularly outside of the US and EU?

I was going to mention Wyoming, but not sure if anyone would get the "Dog Day Afternoon" reference.

Not in Munchen

No, that paper isn't relevant here.

In fact, that paper was misinterpreted by the media: see
https://blog.torproject.org/blog/quick-summary-recent-traffic-correlati…
and for many more details,
https://blog.torproject.org/blog/traffic-correlation-using-netflows

In particular, look at the comments by Sambuddho (the author) about how his paper does not mean what people are thinking it means.

Seth Schoen

December 20, 2014

Permalink

Imagine the boring time from Christmas to New Year without Tor! Disaster! Fuck the United Stasi of America and their Gestapo scum!

Seth Schoen

December 20, 2014

Permalink

It would seem Tor has been a thorn in side of NSA for a while. This Sony thing is as good a pretence as any to seriously harm it.

Is there a canary system?
How good is physical security of servers?
If you get a National security letter barring discussion there should be fail safe alert.

In the long term is there anyway to use stenography concepts (browsing in plain site) combined with Tor to make it exponentially more difficult to track?

I'd like to think that our architecture makes national security letters not as dangerous for us. For example, delivering a national security letter to The Tor Project won't affect the directory authorities, since The Tor Project doesn't run any of the directory authorities. Similarly, sending a national security letter to just one directory authority doesn't do anything by itself no matter their response.

And *that* said, if any directory authority operator gets a national security letter, they should simply shut down their directory authority:
https://lists.torproject.org/pipermail/tor-talk/2014-December/035952.ht…
There are no letters that demand changes in behavior where you can't instead just choose to stop. Other people will pick up the baton.

As for steganography, you should learn about Tor's pluggable transports:
https://www.torproject.org/docs/pluggable-transports
https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPlugga…

No, they're manually chosen by the Tor community (i.e. us), and everybody can see the ilst. Most of the directory authority operators are high-profile figures in the security community, so many people get the chance to meet them in person and evaluate them.

As for a national security letter that would ask us to modify the Tor source code... we will never do that. See also this thread:
https://lists.torproject.org/pipermail/tor-talk/2014-December/035952.ht…

Seth Schoen

December 20, 2014

Permalink

A bit of troll...

Please consider alternate hosts for Tor bundle download. It is blocked in my country which is an US aly and therefore no media bothers to criticze it when it comes to human rights violations and abuse.

Seth Schoen

December 20, 2014

Permalink

Hi Roger,

I am deeply concerned. But I have still hope for Tor. We all should beware our hope in these dark times.

I have two questions for you, Roger.

1. How is it possible that there are still good people within the potential attacker's organization? Your source - that warned you - seems to be in favor of Tor.

2. Do you feel confident that you (the Tor Project and its community) will be able to fight back this potential attack? There is so much brilliance and expertise in this community. If I had one single wish for Christmas, I would love to see Tor being the David winning against Goliath.

Seth Schoen

December 20, 2014

Permalink

Well my Christmas vacation is gone now, thanks for the nerd snipe guys!
oblig ref: http://xkcd.com/356/

With the recent talk here about integrating namecoin, etc. I think we hit on a better solution to the problem. One that tries to maintain backwards compatibility.
https://github.com/vivalibra/norproject

Note that there is talk of a coin in the README document, that is mostly the result of chatting with some other devs in the crypto world. Considering the timetable we will be working under, I don't think a coin could realistically launch at the same time as the rest of the system.

I'm going to start building this right away, hope is to launch a beta before DA servers are pulled out. Anyone that feels like they would like to participate is welcome to join up. Even pointing out design flaws could be helpful.
Please keep any discussion on the page for the project, though I don't want to spam this blog with it.

Seth Schoen

December 20, 2014

Permalink

Maybe you could consider toning down the propaganda ? Just a thought. Maybe add a few of the more egregious privacy-raping nations to this list:

' who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia'

How about every second posting you substitute USA and UK and their allies in place of 'Iran, Russia, Syria'. Might just make you a little less offessive and more credible.

No, it's (probably) not Russia.

The Russian word for this was more like asking researchers to propose for research grants. The translation 'bounty' or 'contest' was a bad translation and caused a string of misleading articles.

It is like saying that the National Science Foundation is holding a contest for Tor research.

Seth Schoen

December 20, 2014

Permalink

It's totally unrelated. Boa as been wanting to do this for a while, he's talked about it before but never took action. Now he has an excuse.

Seth Schoen

December 20, 2014

Permalink

My technical expertise is low which might be why it isn't obvious to me how taking down part of the Tor network would facilitate an investigation into the Sony incident by the FBI. What makes more sense to me is hacking into Tor to develop tools to better handle the next attack. The advanced warning makes the hack look friendlier – something like those “this is only a test” announcements the government makes on the radio and television.

Tor and Tails are two applications that I rely on every day and I don't even have anything to hide. I use these tools daily to maintain a small footprint and to keep proficient for a time when the tools and skills are truly necessary. The dedication and helpfulness of the staff of these two development teams is amazing. The other day I posted a question regarding Tor on the Tor IRC channel and quickly received a concise and helpful response by arma. I didn't know who arma was until I began reading this blog, but I must say that I am pleasantly surprised that arma would take the time to help an ordinary Tor user.

I would consider it to be a near catastrophe if Tor or Tails is compromised because I know of no other easy to use combination that provides the level of anonymity.

Seth Schoen

December 20, 2014

Permalink

I can only say one thing about this: "Too big to fail". I don't think anyone can shut down Tor. We all need it, even if some people don't realise it yet. "You can not kill an idea." I believe you/we will find a way to keep Tor alive. Too much is at stack here. Never underestimate the power of the people.

Seth Schoen

December 20, 2014

Permalink

If I was the CEO of Sony, I would teach those hackers a lesson and upload my movie "The Interview" to a bunch of torrent servers so that everyone would watch it!

Might there be a interpretation of The Interpreter for every Country of the World? Surely most all would really appreciate.

Seth Schoen

December 20, 2014

Permalink

Does this effect anyone who doesn't commit any crimes, doesn't go to any illegal sites, in the United States, ISP doesn't know my activities, and I only use Tor to conceal my IP because of stalkers I've encountered?

Affect? Yes -- if somebody attacks the Tor network they end up endangering all the Tor users, including the vast majority of them who use Tor for exactly the sorts of good and ordinary reasons you do.

In particular, attacking the directory authorities has huge collateral damage exactly along these lines. That's why it would be silly for them to do it. Let's hope they change their mind.

Correctly configured Tor relays have no logs that are useful to attackers. So no, this should not be an issue.

(Of course, that doesn't mean there are no places on the Internet that log information about traffic flows. That's a lot of what the NSA / GCHQ surveillance fuss is about. But that is a separate topic, I hope.)

if you read the front page of https://www.torproject.org/ Who Uses Tor?

As an human I would assume you have valid reason to use tor regardless if i agree with you or not.

sadly, it seems the governments fear the people and try to "divide and conquer" to meet it own greeds or agendas ):

Seth Schoen

December 20, 2014

Permalink

I bet that this is a law enforcement operation against Tor by US FBI, Europol and UK NCA. I hope these guys know what they are doing. The collateral damage will be tremendous and it will raise new waves of hate against state-sponsored oppression of human rights.

Every agency in the so-called free world should know: we are watching back and judge your actions. Instead of endangering the good users of Tor, these agencies should work with us to make the world a better place (including Tor).