Possible upcoming attempts to disable the Tor network

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.

Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.

The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.

[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]

keiha

December 20, 2014

Actually, the problem is that Tor isn't decentralized enough to discourage governmental shutdown.

keiha

December 20, 2014

> I bet that this is a law enforcement operation against Tor by US FBI, Europol and UK NCA.

Yes.

> I hope these guys know what they are doing.

They are engaged in a foolish and dangerous experiment.

This is indeed a crisis, perhaps the biggest the Project has ever faced. Some thoughts:

Roger is keeping his head, which is the proper thing to do during a crisis. Let's all follow his lead and play it cool.

In a crisis atmosphere, making radical changes (e.g. incorporating namecoin into critical Tor infrastructure) seems inadvisable. Much better would be to geographically/legally diversify locations of reserve Dir Auth nodes. Similarly, for users, switching to untried alleged alternatives to Tor also seems inadvisable. If the worst happens, and enough DAs are seized by our enemies to incapacitate the Tor network, let's give the Project a chance to get it back up somehow. (Roger: any idea how long that might take, if more than five DAs are seized?)

Some true Patriot risked her/his freedom to warn Roger, so users should respect his judgment about the need to withhold some information in order to protect the identity of the source. That said, I think there is no point to keeping back the name of our enemy, since it is obvious that it is "FBI" (no other entity has the ability to attempt to seize more than one or two DAs, or is foolish/panicked enough to try).

In my heart, I agree with those who chided Roger for not listing USA at the top of the "Enemies of the Internet". But my brain reminds me of some unpleasant realities: Roger acts under his own name, and an unwritten part of his job description for many years has been talking directly with FBI and other LEA officials, seeking to educate them about why LEAs should not blindly react to Tor by trying to simply shut the network down. Further, he is a US resident, so vulnerable at all times to arrest by US "authorities". All in all, he has a legitimate need to avoid becoming too confrontational with the most lethal parts of the USG. However, the users are free to call out our enemies by name, and we are doing so.

I assume the phone lines between Walpole, San Francisco, and New York City are burning up; good! Further emergency action which I assume is happening: contact key media outlets to publicize and explain what is known about the plan to seize DAs (Glenn Greenwald, Marcy Wheeler, Kim Zetter... and would Brian Krebs please comment in the usual place?). And let's start organizing a giant phone-in to the politicos by Tor users in the US and Europe; an instance of what EFF likes to call "the Internet reacts".

A hasty socio-technical suggestion: if the project needs to issue new keys or find some way to distribute emergency TBB with new hardcoded DA identifiers, can you arrange to do that with the assistance of Debian or OpenBSD? Many Tor users already have copies of their signing keys (note that these are two different cryptographic infrastructures since OpenBSD does not use GPG), and it should be possible to arrange with Debian (for example) to set up a special repository which is independent of Debian's own repositories, but whose signing keys are signed by Debian keys.

> any idea how long that might take, if more than five DAs are seized?

Hopefully within the day. We've worked through a lot of scenarios, and we'd write them up here except we're all doing too many things so the write-up has been triaged for now. The main problem in that case, as you say, is going to be Tor users who don't realize that anything's gone wrong.

But for that, we're actually in luck -- you may not have noticed, but the Tor Browser auto updater is actually in place and working as of Tor Browser 4.0. So all the Tor Browser users will get a Firefox style "there's an update available" popup.

As for the tiny fraction of Tor users who even know what Debian is or what a signing key is... they'll be fine anyway when they get their updated deb. It's the millions of totally ordinary people who are most at risk in situations like this.

Alas, this is true. It's at the level of Firefox's updater, but we really want it to be a lot safer than that. Look for better features in the upcoming releases. Or better yet, help us get there!

keiha

December 20, 2014

Many here correctly appreciate that chief among the many (oh, so many!) nations which must be counted as "enemies of the Internet" is the USA.

But one key point about the USA which some observers tend to overlook is that the USA is controlled by a loose and often uneasy partnership between various centers of government and corporate power. It is very far from being a monolith with a well-defined militaristic command structure. It rather resembles a collection of mutually antagonistic principalities which pay a token tribute to the Sublime Porte, who in reality is more of a figurehead whose directives are routinely ignored or obstructed than a person who directs and controls major events.

Roger already hinted that USIC contacts have been expressing terror that shutting down Tor might deprive them of an invaluable tool in their efforts to continue spying on everyone, a viewpoint which was previously expressed in some of the Snowden leaks. (As already discussed, this is not inconsistent with the assumption that Tor is very far from being an NSA operation, an assumption which is also strongly supported by the Snowden leaks.) If so, this might imply that in the halls of American power, a particular viewpoint within FBI has gained ascendancy over the majority viewpoint in USIC. If this is true, and not a temporary aberration, this would constitute a remarkable sea change in the USG, comparable in its way to the recent reversal of fifty years of misguided US foreign policy regarding Cuba.

I would like to offer one possible explanation for what might lie behind the alleged plot to shut down the Tor network.

I think the Tor community (and indeed the Internet) is currently in mortal danger of becoming collateral damage in an epic collision between three of the most powerful parts of the failing American empire:

* the US entertainment industry, in the corporate person of Sony (just to add to the irony, in the past, as most readers here probably already know, Sony has admitted to infecting its customers with a rootkit disguised as "intellectual property protection", and it has recently been accused of using DDOS attacks and illegal "investigatory" techniques against perceived enemies),

* the vast and incredibly lucrative surveillance-industrial complex, in the institutional person of the chief enemy of everyone in the entire world, NSA, one of the very few institutions in the US which has the power to crush the entertainment industry like a bug,

* Wall Street, which is arguably the most thoroughly corrupt and amoral institution which has ever existed, and the only institution in the world which has the power to crush NSA like a bug, or to twist a U.S. President around its bejeweled pinky finger.

All three are currently terrified, but terrified by quite different nightmare scenarios:

* Hollywood is terrified by the prospect of huge financial losses which it believes could literally eliminate Sony from the face of the Earth, which for them is like imagining the entire West Coast of the USA sinking into the Pacific ocean in some Magnitude 15 earthquake,

* NSA is terrified by the prospect of losing what little ability it still retains to surveil people the President expects them to surveil, because if its intelligence failures become too obvious to the electorate, at some point the U.S. Congress will exercise the one power it yet retains, the power of the purse, by defunding NSA's global surveillance empire on the grounds that it is no longer cost effective,

* Wall Street well appreciates the terrifying instability of the modern global economy; the real danger here is the hundreds of trillions of dollars of exposure of the big banks to "derivatives", but the psychological instability inherent in "the market" means the US economy could very quickly collapse in an over-reaction to some seemingly devastating cyberstrike on the global financial infrastructure.

Thinking back to 2008, we know that the current President fears above all else (even above nuclear detonations) the prospect of global economic collapse. And his control of FBI is more reliable than his somewhat limited influence over NSA. I suspect he has not only heard of Tor but has been persuaded by panicky bankers to "authorize" FBI to initiate an (illegal and risky) experiment by shutting down Tor entirely, following very bad and ill-informed advice such as this:

http://www.rand.org/blog/2014/12/preventing-cyber-attacks-sharing-infor…

Now, can we think of anyone who has recently attempted to switch his allegiance from the surveillance-industrial complex to the Wall Street camp? Whose personal priorities may have changed? Who has very possibly been miffed by a recent financial reverse engendered by an unexpected rebuff from the agency he formerly headed?

NSA stands as a direct enemy of every living person, and it is indeed a formidable and lethal adversary. But just as it would be a serious mistake to underestimate its malevolence and duplicity, so too it would be a serious mistake to overlook the fact that it faces problems of its own, a fact which politically savvy citizens can leverage with the goal of perhaps eventually eradicating it, which would represent a giant leap toward re-establishing the rule of law in American governance, and towards reconstituting the Internet we know and need.

keiha

December 20, 2014

There are bounties on Tor not just from the governments of the world, but also from the criminals that use Tor wanting to leverage their power. You better believe that ISIS wants complete control over the network.

keiha

December 20, 2014

Am I better prepared for some temporary DA downtime if I enable the FetchUselessDescriptors option in torrc and from now on run the tor client 24/7?

FetchUselessDescriptors won't help you any.

But keeping your Tor client running might actually help against some temporary failure to generate a consensus. It *shouldn't* help, because Tor ought to be able to handle re-using your cached info on startup, but I'm not sure whether anybody has tested that scenario well enough. (Somebody should test it please!)

keiha

December 20, 2014

A notable quote from https://www.reddit.com/r/news/comments/2ptxws/the_tor_project_has_learn…

"Here in Thailand, the US embassy uses Tor to communicate possible risks to US expats without having to risk inadvertently saying something offensive (therefore illegal) about the royal family or the junta over the heavily monitored net and phone traffic. While some elements of the US government are terrible enemies of privacy, others rely on Tor every day for their own safety..."

The FBI has truly gone off its rocker, if they are seriously considering seizing DA nodes.

Regarding your quote about what the US embassy in Thailand is doing with Tor.

FYI, Thailand is one of the countries which plays host to large numbers of CIA, NSA, FBI and DEA agents. The other countries are Japan, South Korea and the Philippines. When it was still under British administration, Hong Kong also hosted large numbers of CIA, NSA, FBI and DEA agents. When it reverted to Chinese rule, the Chinese government ordered them to leave the city.

Singapore is unable to host large numbers of US spooks due to its limited geographical size. However, it is the jewel in the crown for US mass surveillance programs because of the Singaporean government's heavy investment in such activities and very solid relationships with the US government.

(When I say "large numbers", I mean their total head count amounts to about 1,500 personnel.)

It is ironic that the US embassy in Thailand uses Tor to communicate with its expatriate community.

It is noteworthy that the PRISM program and the Finfisher/FinSpy program are being actively deployed by Thailand-based US spooks.

Add to that the US recent admission that Thailand was one of the countries where secret torture chambers were established for "renditions".

If you ask the right people, they will tell you that the former US ambassador to Thailand, Ms Kristie Kenney, was complicit in the US mass surveillance programs that cover Myanmar/Burma, Vietnam, Laos, Cambodia and especially southern Thailand where Islamic fundamentalists are fighting for independence from Thailand.

It is terrific to hear about governments' heavy investment in such activity. It "was" my money, and I don't say I agree with how they spend it. So I have a crisis but they have investments. Seems something is wrong.

keiha

December 21, 2014

It is an interesting detail that the potential attack could take place while numerous core members of the Tor Project are not at home, but abroad attending the 31c3 in Hamburg.

keiha

December 21, 2014

Could it be a mitigation measure to separate the hidden services in a way that a take down of hidden services and their infrastructure would not affect the Tor network as a whole? I mean, most of the "Tor is the first choice of criminals" allegations by LEA and their media whores are based on abusive use of hidden services.

keiha

December 21, 2014

So to be clear, does this run the risk of any deanonymization attacks?

Also why hasn't the Tor network considered decentralizing the distribution of node info, such as via a DHT?

keiha

December 21, 2014

So could the seizure of DA nodes be a step towards controlling or inserting a back door into Tor rather than shutting it down? Is there something about forcing the Tor network to add new nodes or create workarounds for the missing nodes that might create a window of opportunity for the government to infiltrate the network? I suspect that the government would prefer to have a two-tier Tor network where their communications would be secure and anonymous, but everyone else would be subject to government scrutiny. For many years GPS was two-tier, allowing government receivers to accurately resolve lat/long while limiting the accuracy of non-government receivers.

I have almost no technical knowledge of Tor's operation, but the NSA probably does. If any entity can figure out how to set some government hooks into the Tor network, it would be the NSA. The role of the FBI might be to give the appearance of legitimacy to the NSA's attack by cloaking it with the cover story that the seizure of DA nodes was a necessary part of an investigation into the Sony incident.

keiha

December 21, 2014

Could a page be added to Atlas or the Tor statistics graphs showing the number of relays changing their public key over time, along with the total number of relays? That way, if DSes get silently compromised, you could either look for a sharp drop in the number of usable relays or a large spike in relay key changes, assuming the purpose of a compromise is to force traffic through "known bad" relays.

keiha

December 21, 2014

I think it would be useful to detail further steps beyond donating and educating, for both users and node admins. Those are both vital, but let's be honest, there's nothing long-term about having sections of the US government liking you and others not via education. Education is a weak tool against their interests in surveillance and censorship.

Node admins:

Assuming directory authorities go down, are there simple instructions available to update the nine hard-coded servers? Certainly updated software would be released, but it makes sense to provide people guidance in manually changing the source code and recompiling. This would be particularly relevant to those who maintain the various Tor ports and packages out there.

If downed DAs are the issue, how would the new DAs be publicized with verification for those doing the above? Or even manually verifying (via logs, code review) that the DAs are correct? Even some simple tcpdump instructions might be useful.

Users:

What is the widest method to notify users not plugged into this blog, mailing lists, etc.? One idea might be to have a "Tor alerts" feed, something that friendly sites could host with important alerts for users: "Update your software due to a significant vulnerability", "There are periodic Tor outages due to XXX event". Think wide and far, as opposed to deep and narrow.

Just my $0.02.

Clearly, we may be on the cusp of an intensification of the 'arms race' in a way we didn't imagine. Keep up the good work.

Arma for Nobel Peace Prize? His/her patience is bottomless.

Not in Munchen

keiha

December 21, 2014

And so it begins?
http://article.gmane.org/gmane.network.tor.user/34619

From: Thomas White riseup.net>
Subject: Warning: Do NOT use my mirrors/services until I have reviewed the situation
Newsgroups: gmane.network.tor.user
Date: 2014-12-21 20:17:23 GMT (2 hours and 24 minutes ago)

Dear all,

Many of you by now are probably aware that I run a large exit node
cluster for the Tor network and run a collection of mirrors (also ones
available over hidden services).

Tonight there has been some unusual activity taking place and I have
now lost control of all servers under the ISP and my account has been
suspended. Having reviewed the last available information of the
sensors, the chassis of the servers was opened and an unknown USB
device was plugged in only 30-60 seconds before the connection was
broken. From experience I know this trend of activity is similar to
the protocol of sophisticated law enforcement who carry out a search
and seizure of running servers.

Until I have had the time and information available to review the
situation, I am strongly recommending my mirrors are not used under
any circumstances. If they come back online without a PGP signed
message from myself to further explain the situation, exercise extreme
caution and treat even any items delivered over TLS to be potentially
hostile.

The mirrors in concern are:

https://globe.thecthulhu.com
https://atlas.thecthulhu.com
https://compass.thecthulhu.com
https://onionoo.thecthulhu.com

http://globe223ezvh6bps.onion
http://atlas777hhh7mcs7.onion
http://compass6vpxj32p3.onion

I will do my best to keep this list updated on the situation as it
develops. If any of the mirrors or IPs do come back online, I would
welcome anyone who is capable of doing so checking for any malicious
code to ensure they are not used to deploy any kind of state
malware/attacks against users should my theory prove to be the case.

At this moment in time I am under no gagging orders or influence from
external parties/agencies. If no update is provided within 48 hours
you may draw your own conclusions.

Regards,
T

--
Activist, anarchist and a bit of a dreamer.

Twitter: CthulhuSec
XMPP: thecthulhu at jabber.ccc.de

No, this is an exit relay operator, not a directory authority operator.

Also, this particular fellow has had a series of run-ins with British law enforcement. This run-in is far from his first (and won't be his last either probably).

England is really bad news these days in terms of civil liberties. I'm glad we don't have any directory authorities in England.

It affects its users not very much. It just means that there's a bit less capacity in the Tor network now, until somebody gets upset at the seizure and sets up some Tor exit relays in response. Perhaps that could be you? :)

Seizing an exit relay is mainly done either a) by ignorant law enforcement people who made a list of suspect IP addresses and went to go steal the computer at each one, in case it could provide some evidence. We've taught many of them how to check if a given IP address and timestamp is a Tor relay, but, there sure are many more that we haven't taught. Or b) by law enforcement people who are intentionally trying to harm Tor by scaring and hassling relay operators even though they know they won't get useful results.

I talk more about both of these cases in this older blog post:
https://blog.torproject.org/blog/trip-report-tor-trainings-dutch-and-be…

arma said: "It just means that there's a bit less capacity in the Tor network now, until somebody gets upset at the seizure and sets up some Tor exit relays in response. "

Strangely enough, in the past few days I am experiencing a very notable increase of speed in building up pages I visit. I was already used to waiting sometimes a minute or so, but now even complex pages with lots of scripts pop up in less than ten seconds ... ?

Yes, well England is probably the worst country in the world to have a server. From what I've heard, it is a scary place to administer servers.

The question remains, why are the DAs centralized in the US and EU?

Now more than ever is a great time to start getting DAs beyond, especially in places where the US/EU 3-letter-govt-agencies have a harder time coordinating with. Yes, geo-politics moves fast, but can you imagine North and South Korea coordinating DA takedowns? That is hypothetical, but the point remains.

Angola or South Africa?

Venezuela or Nicaragua?

Not in Munich

keiha

December 21, 2014

What if instead of seizing the directory servers the FBI alters them so that certain, specific users are fed a list of fake, government controlled nodes instead of actual ones? They could then target individual IP addresses and completely deanonymise anyone trying to connect to TOR through them.

This is possible but only if they successfully break into a majority of these directory authorities and extract their keys as described above.

There are some interesting technical fixes that people are exploring that would detect if there's ever a second consensus made for a given hour. Something like keeping a hash chain on your side of the consensuses that you've seen, and then comparing that to what others have seen. Basically, we should be able to reuse some of the various 'foo observatory' tricks that people have been working on lately for finding out whether somebody is served a personalized https certificate. More help there would be great!
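The hash-chain comparison sketched in the reply above, as an added example (not Tor Project code): each observer chains the digests of the consensuses it received, comparing chain heads is the cheap check, and walking the shared hours tells a genuine split consensus apart from an hour a client simply missed. The consensus texts, hours and relay names are constructed stand-ins, not real network-status documents.

```python
import hashlib
from typing import List, Optional, Tuple

# Starting value of every observer's chain (an assumption of this example, not a Tor constant).
GENESIS = "0" * 64


def consensus_digest(doc: bytes) -> str:
    """Digest of one consensus document exactly as the observer received it."""
    return hashlib.sha256(doc).hexdigest()


class ConsensusChain:
    """Hash chain over the consensuses one observer has seen, keyed by valid-after time."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str, str]] = []  # (valid_after, digest, chain_head)

    def record(self, valid_after: str, doc: bytes) -> str:
        """Append the consensus for one hour and return the new chain head."""
        prev_head = self.entries[-1][2] if self.entries else GENESIS
        digest = consensus_digest(doc)
        head = hashlib.sha256(f"{prev_head}|{valid_after}|{digest}".encode()).hexdigest()
        self.entries.append((valid_after, digest, head))
        return head

    def head_at(self, valid_after: str) -> Optional[str]:
        """Chain head right after the given hour was recorded, or None if that hour is absent."""
        for ta, _, head in self.entries:
            if ta == valid_after:
                return head
        return None


def first_divergence(a: ConsensusChain, b: ConsensusChain,
                     upto: Optional[str] = None) -> Optional[str]:
    """Earliest hour (not later than `upto`) that BOTH observers recorded but with
    different documents. Hours only one side saw are gaps, not evidence of a split."""
    b_digests = {ta: d for ta, d, _ in b.entries}
    for ta, da, _ in a.entries:
        if upto is not None and ta > upto:  # ISO timestamps compare correctly as strings
            break
        if ta in b_digests and b_digests[ta] != da:
            return ta
    return None


# --- constructed scenario (stand-in documents, not real network-status files) ---
HOURS = ["2014-12-22 01:00:00", "2014-12-22 02:00:00",
         "2014-12-22 03:00:00", "2014-12-22 04:00:00"]
RELAYS = ["alpha 10.0.0.1 9001", "beta 10.0.0.2 9001", "gamma 10.0.0.3 9001"]


def fake_consensus(valid_after: str, relays: List[str]) -> bytes:
    """Minimal stand-in for a consensus: a header plus one 'r' line per relay."""
    lines = ["network-status-version 3", f"valid-after {valid_after}"] + [f"r {r}" for r in relays]
    return "\n".join(lines).encode()


def build_scenario() -> Tuple[ConsensusChain, ConsensusChain]:
    """Alice fetches every hour. Bob is offline for hour 2 (a harmless gap) and in
    hour 4 alone is served a consensus listing an extra relay (a split consensus)."""
    alice, bob = ConsensusChain(), ConsensusChain()
    for hour in HOURS:
        doc = fake_consensus(hour, RELAYS)
        alice.record(hour, doc)
        if hour == HOURS[1]:
            continue  # Bob fetched nothing this hour
        if hour == HOURS[3]:
            doc = fake_consensus(hour, RELAYS + ["delta 10.0.0.4 9001"])
        bob.record(hour, doc)
    return alice, bob


if __name__ == "__main__":
    alice, bob = build_scenario()
    # Cheap check: heads already differ at hour 3 because of Bob's gap alone ...
    print("heads agree at hour 3:", alice.head_at(HOURS[2]) == bob.head_at(HOURS[2]))
    # ... so walk the shared hours to see whether any document actually differed.
    print("first real divergence:", first_divergence(alice, bob))
```

A head mismatch alone is only a prompt to compare entries; the per-hour digests are what distinguish a missed fetch from a personalized consensus.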

Scaremongering, it's all crap. There are many ways to stay hidden, so I say the FBI and the NSA couldn't trace anything without tracing paper. I have heard nothing, and I would be one of the first to know.
It's the same every day, cat and mouse games; just relax..........

For sure, if they get the physical server they can alter the BMC and have full control over that server. For example, extract private keys when the server goes online. So beware of any hardware returned after a raid.

keiha

December 22, 2014

Oh well, I run a directory server in the UK; might take it down after reading this :(

No, you likely run a normal relay with a directory mirror ("DirPort") enabled. That's not the same as a directory authority.

There are nine directory authorities, run by reasonably competent and trusted people around North America and Europe.

Directory mirrors, on the other hand, are offered by most of the 6000+ relays that are running right now, and there's no reason why people would want to hassle somebody for running a directory mirror.

Hope that clears things up for you! Please ask for more help on the tor-relays list if you are still concerned:
https://www.torproject.org/docs/documentation#MailingLists

keiha

December 22, 2014

Something tells me it will be blamed on North Korea.

FYI, I'm a network engineer with 30 years' experience. My job is information security, penetration testing, white hat hacking, and part of that job is keeping an eye on the hacker groups' forums, web pages, newsgroups, chat rooms, and videos, just to be prepared for anything coming my way.

I have been watching Sony and hackers in a cyber war for at least the last ten years, and this is all this is. Odds are it's an inside job; the hundreds of terabytes of data would be noticed going over the wire.

It's a trick of the Obama administration, and/or Sony.

Agreed, it seems ironic that Sony have apparently done NOTHING to strengthen data security; it's not as if they don't have the financial resources to hire the right people for the job. After all, they were quite able to insert malicious code into some of their products, so why are they not using due diligence to safeguard the mountain of personal data they hold?

keiha

December 22, 2014

Sony was never hacked. They just fuck up things. Now they are blaming others to avoid public harakiri.

keiha

December 22, 2014

The USIC lawyers who claim that "there is no universal right to privacy" [sic] are the same people who advised the leaders of the Land of the Free that kidnapping, torture, and assassination are "legal" [sic]. These people have ventured so far into the territory of state-sponsored criminality that their repugnant ratiocinations are comprehensible only to their ISIL brethren. It does no credit to any civilized nation which fails to apprehend and bring to justice vicious kidnappers, torturers, and assassins, even and especially those acting on the orders of a "government" gone mad.

There is a fine Urdu word to describe people who routinely engage in kidnapping, torture, and assassination: thug.

keiha

December 22, 2014

Arma, my brothers can help you improve TOR. Will you accept help from the #CultOfSiduri? Find us in the #DarkNet. We are not hard to find ;)

More help is always appreciated! We work in public with public trac tickets, git commits, design discussions, and so on.

But fortunately, we built an anonymity tool so you're welcome to stay pseudonymous while helping. Many people do.

keiha

December 22, 2014

I know it may be a dumb question, but is TOR still safe (secure) to use?
Thanks for your work.