Possible upcoming attempts to disable the Tor network

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.

Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.

The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.

[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]

victorhck

December 22, 2014

Roger, is this a correct summary of the essential facts as currently known?

* Tor Project was tipped by a reliable source and is holding back some knowledge to protect your source,

* The IP addresses of the 10 current DAs are hard-coded in latest TBB and Tails,

* If 4 or fewer DA nodes are captured, Tor may be slightly slower to start for some users, but will still work,

* If more than 4 DA nodes are captured, the enemy can shut down the Tor network, or even direct unsuspecting users to a fake Tor network,

* Even in the worst case scenario, people who used genuine Tor in the recent past will not be deanonymized simply because the enemy captured our DA nodes,

* At least 4 DA nodes are physically located in the US; the others are all located in countries subject to US intimidation,

* In the current design of Tor, increasing the number of DAs wouldn't help in protecting against HVT (high value targeting) "decapitation strikes", but geographical/jurisdictional variety would probably help,

* The attack has not occurred as of the evening of Monday 26 December 2014 GMT,

* If it does happen, Tor Project will quickly be aware that specific DA nodes have been captured, and will notify the public by all available means,

* To bring authentic Tor back up, TBB and Tails users would need to either,

(i) find a message with the IP addresses of the new DA nodes

(ii) authenticate the message

(iii) be told how to edit their torrc to use the new IP addresses

or download new TBB tarball or Tails iso (using non-Tor channels, which could be dangerous if our enemies have decided to declare Tor effectively illegal).

Question: for those who currently use Tor exclusively,

(a) how sure are you that Tor can be brought back up even if five or more DA nodes are captured?

(b) any advice how we can ensure that we are using genuine Tor post-apocalypse, if the network is brought down and then brought up again hours or days later by unknown actors?

Mostly right. For your question (a), it really depends on how this hypothetical attack plays out. If we were all online at the time, I think we'd have it back up and working in a matter of hours. But it's such an unusual event that it's hard to guess exactly how it might happen if it does.

(b) When we put out a new Tor version, check the signatures on the packages you download. You should be doing this anyway.
https://www.torproject.org/docs/verifying-signatures
I'm sorry it is so hard on Windows -- please help make it easier!

As for how to detect if somebody else is generating fake consensus documents... I think the whole Internet will be screaming if this happens. One answer is that you can look at the relays in the current consensus document and the relays in later consensus documents and see how much turnover there is. But that is alas hard for ordinary users to do.

victorhck

December 22, 2014

Don't panic anons, don't believe all you read or hear on here; the FBI and the NSA can only trace with tracing paper. Just remember, always be one step ahead, there are many ways to stay invisible.
Panic and you will do something stupid and reveal yourself. If you ask me it's scaremongering, as I have not heard anything and I would be one of the first to know ; )

victorhck

December 22, 2014

Following up on Roger's remark

"And as for your 'why', that's an excellent question, and one we've been wrestling with too. There are nine directory authorities, spread around the US and Europe. If they're trying to hunt down particular Tor users, most possible attacks on directory authorities would be unproductive, since those relays don't know anything about what particular Tor users are doing."

Here is an attempted summary of informed speculation about who might be planning to attack us, and why:

* Only USG is capable of attempting to seize 4 or more DA nodes,

* A collaboration between USG and EU governments would be particularly dangerous for Tor,

* Such a scenario is not implausible; according to The Intercept's sources, Belgium seems to be permitting NSA spying on Belgacom to continue with only token hindrance, and Germany's efforts to reduce NSA spying on Germans also seem to be halfhearted (some would suggest that the proper word for such passive collaboration is "treason"),

* Within USG, Snowden leaks confirm that at least until recently, the majority view in NSA/CIA was that killing Tor would be counterproductive to their self-defined mission, which implies that the threat most likely comes from DOJ/FBI, unless NSA/CIA have revised their attitude toward Tor,

* There is no known *plausible* rational reason for USIC to capture DAs other than to try to bring down the Tor network entirely,

* In principle, NSA (or even DOJ/FBI) might try to replace genuine Tor with a fake version in order to pursue deanonymization of Tor users whom they believe pose a threat to USIC, or to US "strategic interests", but it seems doubtful that would be effective for more than a few hours,

* In the current political context their immediate motivation for taking down Tor entirely might be

(i) FBI might be attempting a direct (and fantastically foolish) experiment seeking to find out whether the most dangerous attacks on Western banking infrastructure suddenly fall off when the Tor network is brought down; if so, the world can see how they rate the respective value of the lives of overseas USG personnel and other persons who will be endangered if Tor is brought down, versus the value of Wall Street derivatives,

(ii) NSA might perhaps be attempting a "real world" experiment seeking to verify their ability (well practiced in "cyberranges") to shut down parts of the global internet,

(iii) In principle, NSA might want to take over Tor network to employ it as a global botnet in a retaliatory cyberattack, but this seems highly implausible since they already have several other botnets with much larger net bandwidth (this is confirmed in detail by multiple Snowden leaks),

(iv) Perhaps the least implausible rationale for NSA/CIA trying to take down Tor entirely might be that someone in NSA/CIA thinks this might force some HVT in some (newly or secretly declared?) war zone to use non-Tor lines of communication, possibly rendering said HVT susceptible to a targeted drone strike; among the likely targets would be

(a) ISIL leadership

(b) Boko Haram leadership

(c) (possibly) unnamed major drug traffickers

(d) (very unlikely, one hopes) unnamed torrenteers whose continued existence is repugnant to MPAA

* There may (also?) be some connection with

(i) intense political pressure on FBI to rapidly uncover some "smoking gun" fingering DPRK for the Sony cyberattack, which so far they have clearly been unable to do (but watch out for attempts to invent evidence should none be obtainable through honest detective work),

(ii) the recent cyberattack on a German steel mill, which appears to be one of less than five known cyberattacks to date which have caused extensive physical damage (the first being the US/Israel Stuxnet attack on Iranian nuclear enrichment plants; many might assume some other actor must be responsible for the attack on the steel plant, but that would underestimate the nastiness of USIC leadership which is probably seeking ways to remind Angela Merkel of what they can do the nation she governs if Germany ceases cooperating with USIC),

(iii) increasing hysteria in CIA and NSA aroused by the possibility (likelihood?) that some of their personnel may face prosecution in the EU for war crimes, resulting from multiple criminal acts including kidnapping, torture, and assassination,

(iv) increasing hysteria among US/UK police commands that assassinations of police officers might become a "new normal" (no-one seems to be keeping statistics, but my impression is that what numbers are available suggest that someone like Mr. Bratton would do very well to emulate our own leader by keeping his cool),

(v) recurrent hysteria inside various governments regarding Wikileaks (which has just published new documents leaked from CIA),

(vi) growing fear in certain USG circles of a literal revolution in the US; most observers seem to assess this possibility as unlikely, but they are clearly not taking global financial instability into account, and recent US Army manuals do seem to announce that the US Army general staff expects to occupy major cities (New York City is on their list of targets) during the coming decade, and is thinking hard about how they might try to control an urban population of millions with a military force numbering in the tens of thousands,

(vii) announcements in the press that US/UK/EU are planning another large scale seizure related to supposed child pornography rings; all well informed observers seem to agree that such announcements are very likely nothing but a laughably transparent "smoke screen" attempting to distract public attention from the real motivation for attacking Tor, but these announcements have in the past proven a reliable harbinger of the seizure of Tor nodes,

* When attempting to identify possible "rational" motivations for USG attempting to take down the Tor network entirely, we must bear in mind the all too plausible possibility that they have no idea what they are doing; some Snowden leaks show clear evidence that as recently as 2011, NSA leadership suffered from a seriously flawed understanding of key technical features of Tor; there is plenty of recent historical evidence suggesting that technical (or political) misconceptions might very well play a decisive role in USG "strategic planning" for eternal global cyberwarfare,

* The possibility cannot be discounted that the USIC leadership, frightened by the prospect of their own prosecution for war crimes, is simply lashing out with irrational ferocity.

victorhck

December 22, 2014

"Thailand is one of the countries which plays host to large numbers of CIA, NSA, FBI and DEA agents."

And don't forget SOCCOM operatives. Bangkok is one of seven megacities profiled in the following unclassified report (surely intended to intimidate the political leadership in certain countries and certain US cities), which was commissioned by Gen. Ray Odierno, chief of the general staff of the U.S. Army:

https://publicintelligence.net/usarmy-megacities/

(The authors state that their report simply summarizes classified detailed war plans.)

It seems noteworthy in connection with a recent incident in Bedford-Stuyvesant that the U.S. Army is frightened by the favela: Rio and Sao Paulo are also on the list of cities which the Army is planning to occupy (if it feels a need to do so). The document candidly explains that the goal is likely to be replacing an anti-US gang with a pro-US gang, rather than trying to build a credible government which respects democracy and the rule of law in urban regions which are currently "alternatively governed".

Imperial cynicism indeed.

victorhck

December 22, 2014

" Angola or South Africa? Venezuela or Nicaragua?"

Brazil? Iceland?

It is important to distinguish between physical location of the servers and the national address under which they are registered.

victorhck

December 22, 2014

"The attackers appear to have used TOR exit nodes and VPNs to help cover their tracks, which indicates some awareness of operational security (OPSEC)."

It is Tor, not TOR.

Whenever FBI hits a roadblock, they must be tempted to speculate like so:

bounce bounce VPN bounce tor-circuit bounce bounce

But the reports I've seen suggest that state-sponsored attacks, in particular alleged DPRK attacks, rarely go to such lengths to obstruct attribution. The fact is, reliable attribution is very difficult even if only a few bounces are used. In fact, it can be difficult to distinguish between "hacktivism" and state-sponsored cyberespionage.

One point which could easily be lost in all the hoopla over DPRK's alleged responsibility for the recent cyberattack on Sony, but which bears emphasis: the human rights record of DPRK is very considerably more appalling than that of the USA (which is really saying something, given what has already come out concerning NSA-enabled kidnapping, torture, and assassinations by CIA):

http://www.hrw.org/nkorea
http://en.rsf.org/internet-enemie-north-korea,39755.html

Blaine Hardin makes a similar point (in Foreign Policy):

http://foreignpolicy.com/2014/12/19/when-all-else-fails-hack-hollywood-…

but he accepts at face value the allegation that DPRK planned, executed or assisted the cyberattack on Sony. In contrast, a number of respected techie journalists (including Kim Zetter), alarmed by the prospect of the US and DPRK going to war over the attack, and mindful of past mis-attributions which were used as a pretext for previous wars, have pointed out that the published evidence is not strong:

http://www.wired.com/2014/12/evidence-of-north-korea-hack-is-thin/

From:

http://arstechnica.com/security/2014/12/malware-believed-to-hit-sony-st…

"The FBI and White House have pinned the attack directly on North Korea, but so far have provided little proof"

Xeni Jardin (at BoingBoing) seems to agree that despite the FBI claims, the consensus view among informed observers is that DPRK does not yet stand convicted:

http://boingboing.net/2014/12/19/fbi-north-korea-is-responsibl.html

Tim Cushing (at Techdirt) and Trevor Timm (at the Guardian) argue that even if DPRK assumed responsibility for the cyberattack on Sony, this event would not constitute an act of war:

https://www.techdirt.com/articles/20141218/18192929485/ridiculousness-t…

http://www.theguardian.com/commentisfree/2014/dec/19/sony-hack-cyberwar…

Brian Krebs has laid out a circumstantial case for DPRK involvement:

https://krebsonsecurity.com/2014/12/fbi-north-korea-to-blame-for-sony-h…

Among the evidence he cites is a report from HP Security Research, dated August 2014 and titled "Profiling an enigma: The mystery of North Korea’s cyber threat landscape". This report profiles the current President of DPRK, Kim Jong Un (the real one, not the fictionalized one in the largely unseen feature film at the center of the controversy) as follows:

"Kim Jong Un officially rose to power in April 2012, following the death of his father Kim Jong Il in December 2011. While his age remained a mystery for quite some time, it was later revealed that he was born in January 1983, making him age 31 at present. This makes Kim Jong Un the world’s youngest leader of an established nation. The young leader’s rise to power brought about several changes in North Korea. First, Kim Jong Un’s personal life is more public and more extravagant than that of his father. Unlike his father, the young Kim is often accompanied by his wife when making public appearances. Second, the young Kim, who is more high-tech than his predecessor, is reported to have an affinity for luxury items and is an avid gamer and basketball fan. Third, Kim Jong Un is more totalitarian than his father. Following his rise to power, the regime reportedly expanded its labor camps, and more military resources were allocated to target those attempting to defect. Kim also executed his own uncle, a high-ranking official who did not share his ideals. These moves indicate the regime’s priority to deter internal destabilization and dissent, which is perceived to be a greater threat than outside adversity. According to Phil Robertson, deputy Asia director at Human Rights Watch, 'The government now recognizes that the accounts of escaping North Koreans reveal Pyongyang’s crimes – so it is doing what it can to stop people from fleeing.' Under Kim Jong Un’s rule, the regime has stepped up its nuclear materials production, and the propaganda distributed by state media has become more menacing."

This provides evidence that the surveillance-industrial complex is very displeased by the thought of young men making decisions which affect international politics (one recalls some overwrought comments from that camp concerning the chronological youth of Edward Snowden), but provides no evidence for the notion that Tor is in any way involved in the recent cyberattack on Sony. Indeed, the 75 page report does not even mention Tor. It does describe a "wiper" malware which it attributes to DPRK, but the report provides only very weak evidence to support that.

It is certainly intriguing that Kim the youngest is described as an "avid gamer" (but no evidence is provided).

Momentarily assuming for the sake of argument that the current presidents of DPRK and USA have both authorized destructive cyberattacks, which hardly seems a stretch although publicly available evidence currently falls short of that required for conviction, and assuming further that both men were eventually charged and convicted by the ICC, which seems unlikely, it is interesting to imagine that they might spend some of their sentences playing basketball.

Now, to be fair to President Obama, nobody is accusing him of executing his own uncle. But it seems to me that the evidence tending to implicate Obama in authorizing criminally destructive cyberattacks is currently much stronger than that implicating Kim of such crimes. Regarding the question of who might be responsible for Gamergate, and assuming for the sake of argument that this is a state-sponsored "information operation", it seems fair to say that there exist the outlines of a circumstantial case (establishing both motive and opportunity) for both Kim and Obama:

http://boingboing.net/2014/12/19/fbi-is-investigating-gamergat.html

Several writers point out that if ever a corporation has gone begging for abuse, that would be Sony:

https://www.techdirt.com/articles/20141219/10343429489/fbi-formally-acc…

A useful history of cyberattacks on Sony through 2011 makes the point that this is a corporation which has made a lot of enemies, and committed a lot of network security mistakes:

attrition.org/security/rant/sony_aka_sownage.html

victorhck

December 22, 2014

"They have thier own damn tor network"

The Snowden leaks suggest that this is not quite true: it would be more correct to say that they have their own botnets (with more bandwidth than the entire Tor network), but also use the Tor network (and then, hiding amongst the noise provided by the rest of us generally works to their advantage). However, it seems they directly operate few Tor nodes because they generally have little need to do that. But it is possible that they might try to systematically break into every operating Tor node in order to covertly add an IP logger. That would be a hazardous enterprise because people who operate Tor nodes are likely to have ways of detecting even sophisticated intrusions, and to have a better than average ability to document claims about attribution.

"when on earth have you seen the military activly operate where civis are?"

It is established, from documents leaked or obtained under FOIA, that US military intelligence undercovers have in recent years actively infiltrated domestic US peace and social justice groups, and also that SOCCOM maintains an active presence in a number of cities (both US and non-US) where they anticipate future major US military operations.

victorhck

December 22, 2014

After all these years, Tor still relies on nine centralized directory servers?

victorhck

December 23, 2014

Can someone please confirm that there was a legitimate reason (i.e. a Tor update) for every relay to be rebooted within the last 12 hours? Otherwise, why were all the relays rebooted???

victorhck

December 23, 2014

In the case that the DirAuths are seized, is there something that the relay operators can do to temporarily mitigate the damage? I've briefly read through the docs and don't see an option for a sort of RelayRecognizedLastGoodConsensus that we could use to 'freeze' the consensus we send out. This would add an attack avenue, but since I understand the consensus to be time-limited in its validity, this might give relays the ability to give the DAs more time to recover while protecting some users against hostile signed consensuses. Users that connect directly to the DAs would have no additional protection, but previous Tor clients with caches may be lucky and connect to a relay with a frozen consensus.

No, the attack hasn't started. All is quiet so far, and at this point it is likely to remain quiet. Great.

It sounds like you've got something misconfigured or some other problem.

victorhck

December 24, 2014

If this could bring more users and serve as a way to promote Tor it would be great! See how much publicity some movie makers can generate through a hack.

victorhck

December 24, 2014

"No, the attack hasn't started. All is quiet so far, and at this point it is likely to remain quiet. Great."

Excellent! But why is the warning not covered in Tor Weekly News?

Something in the related tor-talk thread confuses me: despite mention of AuthDirReject in the quote below, is it correct to date to say: "at no time have any DA nodes been seized; the project has ways to detect at least some tampering with any DA node, and no alarms have gone off."

From:

https://lists.torproject.org/pipermail/tor-talk/2014-December/036074.ht…

# torrrc changes
# thecthulhu reports unknown compromise December 21st, 2014
AuthDirReject 77.95.224.187
AuthDirReject 89.207.128.241
AuthDirReject 5.104.224.15
AuthDirReject 128.204.207.215

# approved-routers changes
# thecthulu reports compromise december 21st, 2014

Regarding Thomas White's mirrors and Tor nodes, it seems noteworthy that the question of how to distinguish between malicious interference and simple router failure also arose in the question of why DPRK's (tiny) internet traffic flow recently "dropped off a cliff".

victorhck

December 24, 2014

"Why not 20, instead of 9? Why did you choose 9? If it takes at lest half of the DA's to be comprised to affect Tor, why not make it 100 DAs?"

I thought Roger already said (but right now I cannot find the citation) that without untried changes in the current design of Tor, nine or eleven is close to the upper limit.

@ Roger: you said that while it might be possible to locate a DA in Brazil, this might be counterproductive because of how Brazil currently connects to the rest of the Internet. I think I have some clue what you might mean, but would like to hear a more complete explanation speaking to the role played by DAs in the Tor network.

victorhck

December 24, 2014

One problem with the original blog post was that Roger didn't make it clear what if anything Tails users (as opposed to TBB users) might need to do if the Tor network had been taken down for hours or days as the result of the seizure of five or more DAs. Yes, I know Tails is a separate project but in an emergency you can't stand upon ceremony.

In future episodes, please offer any appropriate technical advice specific to both TBB and Tails users.

victorhck

December 25, 2014

I think the attack was performed by Sony themselves. Consider this: if the FBI can trace it through North Korea, then the NK internet must pass through the Chinese network, a state-owned network. Ring a bell or not? I think if the FBI or NSA must penetrate the Chinese network, then the FBI, NSA and CIA must fight against the Chinese cyber armies. There's no way that the Chinese cyber armies would allow this attack without any retaliation at all if this attack was truly performed by the CIA, NSA and FBI, no way Jose. Now that film "The Interview" has reached almost blockbuster level in sales and launch. This is a marketing strategy of Sony Pictures along with Obama aka Barry Soetoro's plan to stop the free speech of the people who are now more and more against him. This is made to let the freedom of the Internet be shattered. Yes, of course they will put up the scapegoats. TOR as usual is the scapegoat. But they do not notice the proxy chain of SSH servers around the world. In South East Asia, particularly Indonesia, the Indonesian hackers are known as the best carders, crackers and phreakers who love to use SSH in various numbers to disguise their true ID. They are also capable of using SSH servers and emulating them the way the TOR network works.

victorhck

December 25, 2014

Just while I'm here.

Re TBB 4.0.2:

Spell check function is disabled.

Works fine on regular Mozilla.

Kindly look into this AFTER the holidays please...

victorhck

December 25, 2014

Is anyone running Tor relays on cargo ships that travel worldwide? Cargo ships that can access the Internet by satellite and bypass submarine cables controlled by " Five Eyes" countries?

Such services are quite expensive.
Furthermore the NSA runs a number of listening stations around the world to intercept satellite communication worldwide. Much easier to intercept than anything that runs through cables. Look up ECHELON.

victorhck

December 26, 2014

There are over 10000 nodes now and maybe 3500+ with 20KB/s speeds and named LizardNSA###... Is this a joke or The Attack?

Example:
LizardNSA1000129629 (Online)
Location:
United States
IP Address:
130.211.63.102
Bandwidth:
20.00 KB/s
Uptime:

Last Updated:
2014-12-26 13:24:03 GMT

More like a joke. That attack was unrelated and never had any impact on Tor's safety.

See http://www.twitlonger.com/show/n_1sjg365
"This looks like a regular attempt at a Sybil attack: the attackers have signed up
many new relays in hopes of becoming a large fraction of the network.
But even though they are running thousands of new relays, their relays
currently make up less than 1% of the Tor network by capacity. We are
working now to remove these relays from the network before they become
a threat, and we don't expect any anonymity or performance effects based
on what we've seen so far."

victorhck

December 26, 2014

I am having the WARNING icon when connecting to Tor with the Windows browser bundle.

26/12/2014 18:44:52.110 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
26/12/2014 18:44:52.882 [WARN] Your Guard Bazinga ($B198C0B4B8C551F174FBB841A172616E3DB3124D) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself. Success counts are 73/162. Use counts are 78/79. 154 circuits completed, 1 were unusable, 81 collapsed, and 4 timed out. For reference, your timeout cutoff is 60 seconds.
26/12/2014 18:44:53.364 [NOTICE] Tor has successfully opened a circuit. Looks like client functionality is working.
26/12/2014 18:44:53.365 [NOTICE] Bootstrapped 100%: Done

Also, in WHONIX, bootstrap hangs on 5% and Tor does not connect.

Also, TAILS does not connect.

I live in Brazil, South America, and i use NET VIRTUA ISP.

victorhck

December 26, 2014

Connecting to tor today, I was pleased to see the count of exit nodes at last exceed 7,000. Woo hoo! ... until it went to 10,099. 3,000+ new exit nodes called "LizardNSA[0-9]+". All of them have an advertised bandwidth of 20kB/s.

Then this ...

http://gizmodo.com/hackers-who-shut-down-psn-and-xbox-live-now-attackin…

Is this attack really *the* attack? Is it even *an* attack?

Not sure. I'm trying sooo hard to get myself deanonymised, but my tor client just simply refuses to use such low bandwidth nodes. Sigh!

victorhck

December 26, 2014

How come there's nothing here about the LizardSquad attack?

Is this the attack that Roger was warning about?

Good thing Tor weights by bandwidth, not uniformly across all relays, when doing path selection. Running half the relays, while running less than 1% of the bandwidth, has basically no effect.
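A worked version of the two checks raised in this thread (Roger's suggestion above to compare relay turnover between consecutive consensus documents, and the point in this comment that path selection is weighted by bandwidth rather than by relay count), written as an added example and not Tor Project code. It reads a simplified consensus containing only the "r" and "w" lines of the real format; every consensus document in it is constructed, with the 7,000 / 3,000 relay counts, the LizardNSA nicknames and the 20 KB/s weight taken from the numbers quoted in the comments.

```python
"""Consensus sanity checks (added example, not Tor Project code).

Works on a simplified network-status consensus containing only the "r"
(router) and "w" (weight) lines of the real format.  All consensus text is
constructed here; the 7000 / 3000 relay counts and the 20 KB/s Sybil weight
mirror the numbers quoted in the comments.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Relay:
    nickname: str
    identity: str    # identity digest from the "r" line
    bandwidth: int   # consensus weight from "w Bandwidth=..." (KB/s)


def parse_consensus(text: str) -> dict[str, Relay]:
    """Return relays keyed by identity.  A relay with no "w" line keeps
    weight 0, so a bandwidth-weighted client would never choose it."""
    relays: dict[str, Relay] = {}
    current: Optional[Relay] = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 3:
            current = Relay(parts[1], parts[2], 0)
            relays[current.identity] = current
        elif parts[0] == "w" and current is not None:
            for kv in parts[1:]:
                key, _, value = kv.partition("=")
                if key == "Bandwidth" and value.isdigit():
                    current = Relay(current.nickname, current.identity, int(value))
                    relays[current.identity] = current
    return relays


def make_consensus(legit: int, sybil: int, id_prefix: str = "ID") -> str:
    """Constructed consensus: `legit` relays with weights between 1,000 and
    50,000 KB/s, plus `sybil` relays named LizardNSA<n> advertising 20 KB/s.
    `id_prefix` lets a second call stand in for a consensus whose relay set
    has been entirely replaced."""
    lines = []
    for i in range(legit):
        lines.append(f"r relay{i} {id_prefix}{i:06d} dg 2014-12-26 13:00:00 10.0.0.1 9001 9030")
        lines.append("s Fast Guard Running Stable Valid")
        lines.append(f"w Bandwidth={1000 * (i % 50 + 1)}")
    for i in range(sybil):
        lines.append(f"r LizardNSA{i} LIZ{i:06d} dg 2014-12-26 13:00:00 130.211.0.1 9001 0")
        lines.append("s Running Valid")
        lines.append("w Bandwidth=20")
    return "\n".join(lines)


def turnover(old: dict[str, Relay], new: dict[str, Relay]) -> dict[str, float]:
    """The turnover check: how much of the relay set changed between two
    consecutive consensuses, and how much capacity the newcomers hold."""
    old_ids, new_ids = set(old), set(new)
    added, removed = new_ids - old_ids, old_ids - new_ids
    total_bw = sum(r.bandwidth for r in new.values()) or 1
    return {
        "added_fraction": len(added) / max(len(new_ids), 1),
        "removed_fraction": len(removed) / max(len(old_ids), 1),
        "new_capacity_share": sum(new[i].bandwidth for i in added) / total_bw,
    }


def looks_replaced(report: dict[str, float], threshold: float = 0.5) -> bool:
    """Heuristic: swapping out more than `threshold` of the relay set in a
    single round is not normal churn and deserves a closer look."""
    return report["removed_fraction"] > threshold or report["added_fraction"] > threshold


def selection_share(relays: dict[str, Relay], nick_prefix: str) -> tuple[float, float]:
    """Chance that one hop lands on a relay whose nickname starts with
    `nick_prefix`: (by relay count, by consensus bandwidth).  Clients use the
    second, which is why a flood of 20 KB/s relays barely moves the odds."""
    matching = [r for r in relays.values() if r.nickname.startswith(nick_prefix)]
    total_bw = sum(r.bandwidth for r in relays.values()) or 1
    by_count = len(matching) / max(len(relays), 1)
    by_bandwidth = sum(r.bandwidth for r in matching) / total_bw
    return by_count, by_bandwidth


if __name__ == "__main__":
    before = parse_consensus(make_consensus(legit=7000, sybil=0))
    after = parse_consensus(make_consensus(legit=7000, sybil=3000))
    report = turnover(before, after)
    print(f"Sybil flood: added {report['added_fraction']:.0%} of relays, "
          f"holding {report['new_capacity_share']:.3%} of capacity")
    by_count, by_bw = selection_share(after, "LizardNSA")
    print(f"hop lands on LizardNSA: {by_count:.1%} by count, {by_bw:.3%} by bandwidth")
    # A consensus that swaps out the entire relay set trips the turnover check.
    fake = parse_consensus(make_consensus(legit=7000, sybil=0, id_prefix="FAKE"))
    print("replaced relay set flagged:", looks_replaced(turnover(after, fake)))
```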

victorhck

December 26, 2014

The official (?) tweet on the 26 December 2014 Sybil attack on the Tor network:

"This looks like a regular attempt at a Sybil attack: the attackers have signed up many new relays in hopes of becoming a large fraction of the network.
But even though they are running thousands of new relays, their relays
currently make up less than 1% of the Tor network by capacity. We are
working now to remove these relays from the network before they become
a threat, and we don't expect any anonymity or performance effects based
on what we've seen so far."

If I understand correctly, the Dec 2014 Sybil attack is probably far less dangerous than the July 2014 Sybil attack, even though it involves more nodes, because it captured less bandwidth:

http://www.techweekeurope.co.uk/workspace/tor-us-attack-identity-privac…
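
The two comments above make the same point from different angles: a Sybil attacker who adds thousands of relays still captures almost no circuits if those relays carry almost no bandwidth, because Tor picks hops in proportion to bandwidth rather than uniformly. The following is an added example, not code from the Tor Project or from anyone in this thread. The relay list is constructed: the "LizardNSA<n>" nicknames and the 20 kB/s figure follow what the first commenter reports, while the honest relays, their count and their bandwidths are invented so that the cluster holds a third of the relays but under 1% of the capacity. `nickname_family`, `suspicious_clusters`, `is_lizard` and the rest are hypothetical helper names, and the selection model is deliberately simplified (it ignores Guard/Exit flags, family and /16 restrictions, all of which only lower the attacker's odds further).

```python
import re
from collections import defaultdict

# Constructed relay list (nickname, advertised bandwidth in bytes/s).
# Honest relays get varied, invented sizes; the Sybil cluster mirrors the
# reported pattern: thousands of "LizardNSA<n>" relays at 20 kB/s each.
CONSTRUCTED_RELAYS = (
    [("honest%d" % i, 1_000_000 + (i % 100) * 10_000) for i in range(1, 6001)]
    + [("LizardNSA%d" % i, 20_000) for i in range(1, 3001)]
)

_NICK_RE = re.compile(r"^(.*?)\d+$")


def nickname_family(nick):
    """Strip a trailing number so 'LizardNSA17' and 'LizardNSA18' share a stem."""
    m = _NICK_RE.match(nick)
    return m.group(1) if m else nick


def suspicious_clusters(relays, min_size=100):
    """Flag large groups of relays that share a nickname stem AND an identical
    advertised bandwidth, the footprint of relays spun up by one script.
    Returns [(stem, count, bandwidth)] sorted by count, largest first."""
    groups = defaultdict(int)
    for nick, bw in relays:
        groups[(nickname_family(nick), bw)] += 1
    hits = [(stem, n, bw) for (stem, bw), n in groups.items() if n >= min_size]
    return sorted(hits, key=lambda t: -t[1])


def fraction_of_relays(relays, is_suspect):
    """Share of the network by relay count (what a uniform chooser would see)."""
    return sum(1 for nick, _ in relays if is_suspect(nick)) / len(relays)


def fraction_of_bandwidth(relays, is_suspect):
    """Share of the network by advertised bandwidth (what Tor's weighting sees)."""
    total = sum(bw for _, bw in relays)
    return sum(bw for nick, bw in relays if is_suspect(nick)) / total


def hop_capture_probability(relays, is_suspect, weighted=True):
    """Probability that one hop of a circuit lands on a suspect relay.
    weighted=True models Tor's bandwidth-weighted choice; weighted=False the
    uniform choice the commenter contrasts it with."""
    chooser = fraction_of_bandwidth if weighted else fraction_of_relays
    return chooser(relays, is_suspect)


def both_ends_capture_probability(relays, is_suspect, weighted=True):
    """A correlation attack needs the adversary at both ends of the circuit;
    treating the guard and exit picks as independent gives p squared."""
    p = hop_capture_probability(relays, is_suspect, weighted)
    return p * p


def is_lizard(nick):
    """Predicate for the constructed Sybil cluster."""
    return nickname_family(nick) == "LizardNSA"


if __name__ == "__main__":
    for stem, n, bw in suspicious_clusters(CONSTRUCTED_RELAYS):
        print(f"cluster {stem}: {n} relays, all advertising {bw} B/s")
    for weighted in (False, True):
        p = hop_capture_probability(CONSTRUCTED_RELAYS, is_lizard, weighted)
        label = "weighted" if weighted else "uniform "
        print(f"{label} selection: per-hop {p:.3%}, both ends {p * p:.5%}")
```

With this data a uniform chooser would hand the cluster about a third of every hop and over 10% of both-ends positions; bandwidth weighting drops that to roughly two thirds of one percent per hop and a few thousandths of a percent for both ends, which is the "basically no effect" the commenter describes. The clustering check is the kind of signal a relay operator or the directory authorities can use to spot a mass sign-up before it grows.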

victorhck

December 26, 2014

Cargo ships: probably a very bad idea.

Search eff.org for several Snowden leaks describing systems by which NSA surveils communications (including satphones) from all cargo ships.

Possibly a better idea: replacing the internet with short range radio communications, using software defined radio.

victorhck

December 27, 2014

BE FOREWARNED

It is Boxing Day and it appears that the Lizard Squad is attacking the Tor network.

victorhck

December 28, 2014

It seems that Tor Project needs to relocate to a country with more freedoms than the United States.

victorhck

December 28, 2014

An attempt to attack the tor network may be ongoing for a long time:

http://www.spiegel.de/media/media-35538.pdf

These documents were written in the past. If there is one old document, saying that tor poses a major problem but not a catastrophic failure, and then there is another document, saying

"have shown deanonymisation attack for tor. Requires tor collection from exit nodes we own. Hope to get this running live..."

Then one has to assume that GCHQ is now running this live...

http://www.spiegel.de/media/media-35542.pdf

shows that they are doing correlation attacks and tor traffic shaping already, and they are reporting success with it.

And here they are describing their tor de-anonymization attempt in more detail:

http://www.spiegel.de/media/media-35543.pdf

Note that this was written in the past. One has to assume that they are running this technique now after they reported their successful research in the notes above...

I believe the attack described in the detailed document would not actually work at scale.

This is a subtle but important point: I'm not saying that the general type of attack would not work (I think it does), but I am saying that the specific attack described in the paper wouldn't.

I talked about the topic a little bit more in our 31c3 talk this year.

victorhck

December 28, 2014

On the Tor Metrics Portal > Users > Graph: Bridge users by transport, could you provide separate graphs for meek-google, meek-amazon and meek-azure in addition to meek (total)?

victorhck

January 04, 2015

One thing that "frustrates" me is that there does not seem to be any versions of TOR that do not have StartPage guarding the gateway. StartPage acts kind of like a "nanny" that won't let a person do anything "controversial" on the Deep Web. Any thoughts?

In my opinion that's exactly how it should be - a simple portal to a privacy-friendly search engine. Unfortunately, the Tor Project has to deal with a huge amount of negative propaganda, continually churned out by those who see personal anonymity as a threat to their dystopian vision of "total information awareness". The mainstream media are all too happy to parrot the misrepresentations and misleading statistics fed to them by "the powers that be" because hyperbolic scare-stories are big sellers.

It's deeply disheartening to see such an important and legitimate tool being pilloried and deliberately misrepresented for political gain or a convenient scapegoat. But this is just what we have to deal with and we'll have to deal with it for a long time to come.

With that in mind, the last thing we want to do is give "the powers that be" any more ammunition for their disinformation campaigns. Can you imagine the field-day they'd have if the Tor start-page provided an idiot-proof portal to hidden services, censored material or indeed anything that is liable to stir up controversy?

Those who wish to explore the more "controversial" aspects of Tor can very easily do so with minimum research. But shoving it under everybody's nose as the first thing they see when they launch the Tor Browser Bundle is almost tantamount to promoting it and that will surely provide yet more ammunition for those that wish to see Tor dead and buried.

I think the start-page and the default config are pretty decent out-the-box (apart from enabling JavaScript - I thought we were trying to limit attack-vectors, not multiply them). But basically it's a good balance and it gives the user immediate access to anonymised browsing, which is all most users want. Those who wish to dig deeper have every ability to do so (they are, after all, on the internet - great research tool).

I'm speaking from "educated guesswork" here but I believe the current start-page has been very deliberately designed to be as innocuous as possible. Tor is for everyone - some users haven't even reached their teens while others are old enough to draw a pension. Many such users don't even know what a "hidden service" is, they just want a bit of anonymity in their day-to-day browsing habits. They neither need nor want to see controversy in any form, much less engage in it. And those who do want to engage in controversy will easily find it for themselves.

I do empathise with you, I'd love it if the start-page provided a comprehensive portal into Tor-land. But it's an entirely political decision; Tor has some very powerful enemies who will seize upon any opportunity to discredit the system. The Tor Project is under constant scrutiny; they need to be very careful, they need to do everything "by the book", they need to keep many people on-side... it's a hard job and it's inevitable that compromises need to be made. I think the TBB start-page does a good job of playing to its strengths whilst underplaying those aspects that stir controversy.

We can only hope that the BS politics are not too much of a distraction from Tor's truly life-changing mission. But there's no doubt that it makes a lot of things a lot harder for them.