Statement from the Tor Project re: the Court's February 23 Order in U.S. v. Farrell

Journalists have been asking us for our thoughts about a recent pdf about a judge deciding that a defendant shouldn't get any more details about how the prosecutors decided to prosecute him. Here is the statement we wrote for them:

"We read with dismay the Western Washington District Court's Order on Defendant's Motion to Compel issued on February 23, 2016, in U.S. v. Farrell. The Court held "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network." It is clear that the court does not understand how the Tor network works. The entire purpose of the network is to enable users to communicate privately and securely. While it is true that users "disclose information, including their IP addresses, to unknown individuals running Tor nodes," that information gets stripped from messages as they pass through Tor's private network pathways.

This separation of identity from routing is key to why the court needs to consider how exactly the attackers got this person's IP address. The problem is not simply that the attackers learned the user's IP address. The problem is that they appear to have also intercepted and tampered with the user's traffic elsewhere in the network, at a point where the traffic does not identify the user. They needed to attack both places in order to link the user to his destination. This separation is how Tor provides anonymity, and it is why the previous cases about IP addresses do not apply here.

The Tor network is secure and has only rarely been compromised. The Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU) compromised the network in early 2014 by operating relays and tampering with user traffic. That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it. The Tor network remains the best way for users to protect their privacy and security when communicating online."

IANAL but this reminds me of Kyllo v. United States, where the Supreme Court ruled that thermal imaging of a home was a search that, if performed without a warrant, was unreasonable and hence unconstitutional. The reasoning was that there is an expectation of privacy in a home, and a thermal imaging camera is not commonly available to the public.

The discovery of IP addresses of Tor users can't be done with publicly available equipment either. The attack carried out by CMU SEI was performed with software they designed specifically to conduct surveillance on the Tor network. Also, Tor is designed to prevent identifiable information from leaving a person's home, through its use of encryption. It seems therefore at least some of the reasoning from Kyllo v. US could be applied to this and similar cases.

"a thermal imaging camera is not commonly available to the public".

SCOTUS could hardly say that today, unfortunately.

1. Some smart phone makers are already offering thermal cameras in their consumer products.

2. At least one Chinese maker of consumer drones is offering a drone equipped with a thermal camera (cost: less than 2000 USD).

Speaking of China, one model of phone unlocking copware device which is becoming very popular with US cops (because it is a kind of "Swiss Army knife" which can unlock most any device, in contrast to better known devices which can often only unlock Apple phones, or only unlock particular models) is made by a Chinese company. And when the cops boot it up, it contacts servers back in China and even shares data found in the unlocked devices with the Chinese manufacturers. So when FBI or another US LEA unlocks your phone, they may be sharing your data, not only with American and British spooks (CIA, NSA/GCHQ), but with Chinese spooks.

MI5 is being granted to trawl directly through NSA's database for information on US persons communications, by the way.

With little fanfare, hidden cameras and microphones are quickly becoming ubiquitous in US homes. Although consumers are not being informed that their consumer devices may contain hidden spies you didn't ask for and probably don't want in your home. Examples include Samsung Smart TVs. Other items have microphones which listen and transmit your in-home utterances (often via unencrypted WiFi connections) to corporate servers, such as Google Nest "Smart Home" devices. Companies which make IoT devices are all agog about LED lightbulbs which will contain microphones and other bugs to enable "targeted adverts" and "cross platform tracking" (identifying particular WiFi devices such as phones and laptops with particular known individuals who can be bombarded with instant messages or worse).

I could say much more along these lines. To mention just two:

1. some people affiliated with CSAIL (MIT's once respected Computer Science and Artificial Intelligence Lab) are selling to the general public a $300 consumer device which nosy neighbors can use to image people right through the walls of an apartment.

2. some US researchers are touting a bundle of microscopic fibers which can be pushed through microscopic pores in just about anything (fiberboard, say), and which can be attached to an inexpensive small device which can form a sharp optical image without any need for lenses. This is nothing like a "camera" as the public understands that word, but LEAs are already rushing to exploit it for inhome covert surveillance of "suspicious" persons.

For CSAIL, links were given in comments to another blog post on this website.

For the microscopic fibers with free ends which can be used to form sharp images without any need for lenses or focusing by using software to compensate for light travel time differences to/from bits of objects to be imaged and the ends of the various freely moving microscopic fibers, look at

If you can't find them, please ask again and I'll dig out the links for you.

> At least one Chinese maker of consumer drones is offering a drone equipped with a thermal camera (cost: less than 2000 USD).

And Now Drones Can Take Pictures At Night
Justin Peters
11 Dec 2015

The company is DJI, maker of the most common consumer drones in the US (according to FAA registry, at least, and also according to tech writers who write about consumer device exhibitions). The particular model is the Zenmuse XT.

If you look at the FAA drone register, you will see that private investigators, insurance companies, construction companies, and "urban mapping companies" are among those rushing to exploit the latest in on-drone surveillance technologies, such as multispectral imaging, thermal imaging, electro-optical cameras, low light cameras, IR laser designators/taggers, i.e. air-to-ground laser pointers which pose unknown health risks to people on the ground since no-one is bothering to check the manufacturers' assurances that these lasers are harmless to human eyesight under all conditions, FLIR, sideband radars, etc.

As these companies ramp up their expertise in supposedly non-abusive activities (for example, a utility might want to identify private houses with poor roof insulation using a thermal camera in order to attempt carrot/stick inducements to homeowners to buy better insulation, in order to use less energy), they will be tempted by incessant demand from darker forces to "diversify" to sell their data to people who may not have beneficent intentions toward a particular homeowner, for example. Further, just as FBI subpoenaed the "research" data collected by CMU/SEI on Tor use, so too we must expect that FBI and other US federal agencies will demand access to such data sets.

> some people affiliated with CSAIL (MIT's once respected Computer Science and Artificial Intelligence Lab) are selling to the general public a $300 consumer device which nosy neighbors can use to image people right through the walls of an apartment.
X-ray vision? New Technology Making It A Reality
Scott Eisen
22 Dec 2015
MIT team shows system that tracks people through walls
Nancy Owano
15 Oct 2013
Low-power Wi-Fi signal tracks movement--even behind walls
28 Jan 2013

> some US researchers are touting a bundle of microscopic fibers which can be pushed through microscopic pores in just about anything (fiberboard, say), and which can be attached to an inexpensive small device which can form a sharp optical image without any need for lenses. This is nothing like a "camera" as the public understands that word, but LEAs are already rushing to exploit it for inhome covert surveillance of "suspicious" persons.
New imaging system uses an open-ended bundle of optical fibers-- no lenses, protective housings needed
Larry Hardesty
12 Feb 2016

This is from another group of MIT researchers. They anticipate using their device for medical imaging, pushing about 1000 optical fibers (with free ends) right through the abdominal wall. Since the fibers are microscopic, this is feasible. But people interested in growing an in-home surveillance industry have already taken note that inquisitive people can easily push such fibers through a pinhole noiselessly made in fiberboard (for example with a pin).

Another example of a kind of search which has long been exploited by US cops, is very creepy and is rapidly becoming ubiquitous in US/UK as local governments place more and more requirements on garbage disposal (so they want to check that citizens are complying with their rules):
Local Governments Increasingly Looking Through Your Garbage
Jenna McLaughlin
28 Jul 2015

Technological innovations are already being exploited in this area, including IP cameras inside dumpsters, RF readers near dumpsters, and WiFi mesh devices which inventory nearby electronic devices (using central databases, raw data showing that a specific phone was within a few metres of a specific geolocation can later be correlated with IRL identities by local governments and indeed by private companies).

> one model of phone unlocking copware device which is becoming very popular with US cops (because it is a kind of "Swiss Army knife" which can unlock most any device, in contrast to better known devices which can often only unlock Apple phones, or only unlock particular models) is made by a Chinese company.

You can verify this yourself. You'll need a phone and other devices to attack, a packet sniffer and a so-called "iP-BOX", the Chinese made copware cited in the quoted text, which can be ordered here:

You'll need to obtain an account on gsmforum in order to download the software needed to use the iP-BOX device.

You'll find that the device frequently receives "firmware updates" (a very good idea of course if that's really all they are) from a server in China, presumably operated by the maker of the device, but presumably vulnerable to the kind of "legal terror" by the Chinese government which would be encouraged by an FBI victory in FBI-v-Apple.

(Again, FBI's demands go far beyond anything the RU or CN government have yet made upon US/EU based hardware/software vendors such as Apple or Google.)

Further, at least sometimes when you attack a device, the IP-BOX contacts additional servers in China and appears to possibly share some recovered data.

The makers of IP-BOX claim it can unlock almost any iPhone or other device running IOS6 and related operating systems, by exploiting unpatched zero-day exploits.

For more on the general issue, see
Another Reason Adopting 'Collect It All' Was a Bad Idea: China May Now Be Applying It To US Citizens Personal Data
Glyn Moody
17 Jul 2015
Hacked in the USA: China's Not So Hidden Infiltration Op
Chris Stone, Michael Riley, Jordan Robertson
12 Jul 2015

Please, participate in making Tor better!…

(That said, the 1024-bit identity keys for onion services are only used for identity, not for actual interaction like encryption of traffic. So a bad person would need to do a multi-step active attack to be bad. Still, yes, please help implement the new design.)

Tor uses 1024 bit RSA 'truncated' SHA1 hash as the onion address; it is very bad, and makes it very easy to impersonate the user. The 'truncated' SHA1 name is NOT even up to SHA1 hash collision strength...

this is the SOLE reason why facebook can generate facebookcore.onion far easier than true bruteforce, and pretty sure 3-letter agencies are impersonating onion services RIGHT NOW

Plz. somehow ditch 1024bit RSA ASAP

I think you misunderstand collision attacks. A collision attack is not the ability to brute-force an existing hash, but rather to generate two identical hashes *yourself* from random input. What you are thinking of is a preimage attack, which unlike collision attacks, is not accelerated by the birthday paradox. We are still far away from that being feasible with SHA-1, even a truncated version.

Furthermore, even though it is truncated, it still provides 80 bits of security. Yes, that means 40 bits of collision resistance, but still a full 80 bits of preimage resistance. While this is not ideal, it is certainly not trivial to crack. As for what facebook was able to do, it had nothing to do with cryptographic attacks against the hash function. They used the same methods which we can use to generate vanity addresses. They just had more processing power available. And they didn't think "hey, let's brute force facebookcorewwwi.onion", they thought "hey, let's look for facebook.onion". They generated a massive list, and manually looked through for the best. They probably also got facebookcpu444ai.onion or something similar as well (with "cpu" and "444" and "ai" being memorable chunks), but decided on facebookcorewwwi.onion instead.

I think you're overreacting. Yes, it's not great that it's using 1024-bit RSA. Yes, it's not great that it's using SHA-1. But no, it's not the end of the world. It's just suboptimal.

Just an added note. There used to be a search engine on Tor with the url xycpusearchon2mc.onion. xy cpu search on2mc . onion. Apparently some guy with a little hardware was able to generate that. Now facebook with a big server cluster could easily get something that sounds easy to memorize like what they got.
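The distinction drawn in the replies above (collision versus preimage on a truncated hash, and why a vanity prefix is a separate and much cheaper search), as an added example that is not part of the original comments or of Tor's code. It uses a 16-bit truncation so the searches finish in seconds; `candidate()` and the victim string are constructed stand-ins for DER-encoded public keys, and all function names are hypothetical.

```python
import base64
import hashlib

B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data), as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def onion_v2_address(der_public_key: bytes) -> str:
    """v2 onion name: base32 of the first 80 bits of SHA-1 over the
    DER-encoded RSA public key (here any byte string stands in for it)."""
    first_80_bits = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(first_80_bits).decode().lower() + ".onion"


def candidate(i: int) -> bytes:
    """Constructed stand-in for 'the i-th freshly generated public key'."""
    return b"constructed-key-" + i.to_bytes(8, "big")


def find_collision(bits: int):
    """Birthday search: ANY two candidates with the same truncated hash.
    The searcher picks both inputs, so about 2^(bits/2) trials suffice.
    Pigeonhole guarantees termination within 2^bits + 1 trials."""
    seen = {}
    i = 0
    while True:
        h = truncated_sha1(candidate(i), bits)
        if h in seen:
            return seen[h], i, i + 1  # (first input, second input, trials)
        seen[h] = i
        i += 1


def find_preimage(target: int, bits: int, max_trials: int):
    """Preimage search: a candidate matching ONE fixed target value.
    This is what impersonating an existing name requires: about 2^bits
    trials, with no birthday speed-up."""
    for i in range(max_trials):
        if truncated_sha1(candidate(i), bits) == target:
            return i, i + 1  # (input, trials)
    return None


def vanity_prefix_bits(prefix: str) -> int:
    """Bits fixed by choosing the first len(prefix) base32 characters.
    Each character pins 5 bits, so expected work is 2^(5*len) keys."""
    if not set(prefix) <= B32_ALPHABET:
        raise ValueError("onion names use only a-z and 2-7")
    return 5 * len(prefix)


if __name__ == "__main__":
    BITS = 16  # toy truncation; real v2 names keep 80 bits
    a, b, c_trials = find_collision(BITS)
    print(f"collision after {c_trials} trials (2^{BITS // 2} = {2 ** (BITS // 2)})")

    victim = truncated_sha1(b"constructed victim key", BITS)
    hit = find_preimage(victim, BITS, 1 << 22)
    print(f"preimage after {hit[1]} trials (2^{BITS} = {2 ** BITS})")

    print("sample name:", onion_v2_address(candidate(0)))
    for name in ("facebook", "facebookcorewwwi"):
        print(f"{name!r}: fixes {vanity_prefix_bits(name)} of 80 bits")
```

Scaling the toy numbers up, an 8-character prefix such as "facebook" fixes 40 of the 80 bits, while matching all 16 characters of an existing name is the full 80-bit preimage search.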

I think you are entirely missing the point: mathematical law trumps human law, but lawfare trumps cryptographic defenses. If FBI gets its way, Tor Project and any other provider of "secure" software/firmware/hardware could be coerced (despite arma's slogan "no backdoors ever") to cryptographically sign malicious "updates" prepared by the government or their contractors, disguised as a legitimate "security upgrade", and accepted as such by you and your devices because the upgrades are signed with the genuine signing key.

Take a close look at the Tor Browser Bundle download page in this website. I'm talking about the detached signatures you use to verify (if you are wise) the tarball before you unpack it in your laptop or PC.

It's open source. Where would they hide the backdoor? It would not be easy to hide a featureful backdoor at all. They might be able to hide a bug, but even that would be hard and would not last. And before you say "but who reads the source?", a lot of people do. Even I go through and read parts of it.

There was recently some discussion in the comments to another post in this blog of "post-quantum cryptography". If I recall correctly, it was pointed out that currently the cryptographic algorithms believed to be endangered by state of the art advances in cryptanalysis are public/private-key cryptosystems (such as RSA), which are used to guarantee that messages ("data in motion") are authentic, not maliciously modified, and private. Block ciphers such as AES used to encrypt disks and other "data at rest" are said to be less immediately endangered.

That said, all the security experts (see the recent whitepaper "Don't Panic" coauthored by Bruce Schneier and Susan Landau, among others) agree with Snowden that most of us are much more vulnerable to malicious interference with our devices (cyberattack) than to cryptanalysis.

The thesis of "Don't Panic" is that rather than mandated backdoors in encryption products (attacking "data in motion"), FBI and NSA would be wiser to focus on the technically far easier (if legally no less objectionable) strategy of cyberattacking their "targets", no doubt including some (or all?) Tor users.

And what is your conclusion? Because it is more likely that they use cyberattacks than cryptoanalysis we should not strive for maximum security in crypto?

In my opinion it is not a "cyberattack or cryptoanalysis" question. In every aspect we should aim for maximum security.
That being said, when we are talking about crypto, we should use the strongest crypto out there, even if it is unlikely that "medium strong" crypto can be broken any time soon.


Prepare for the worst, hope for the best.

> And what is your conclusion? Because it is more likely that they use cyberattacks than cryptoanalysis we should not strive for maximum security in crypto?

It seems that I did not make myself clear, so let me try again:

o my impression is that Tor developers are actively exploring incorporating the latest and bestest cryptology into future editions of Tor,

o all other things being equal, stronger cryptography is obviously desirable,

o all other things are not equal, even if one focuses purely on technology (for example, introducing a new protocol here might break something there, so developers need to be cautious),

o FBI is demanding the "authority" [sic] to perform "rubber hose cryptanalysis" on Apple, and Tor developers will no doubt be next (assuming they have not already been served with NSLs or otherwise threatened by USG agencies),

o all other things being equal, "rubber hose cryptanalysis" trumps even the best cryptographic protocols.

It follows that currently, Tor Project is facing a dire existential threat, which is not technological but political.

I am begging the Project to urgently prepare and test defenses, such as dispersing key people and key pieces of cryptographic signing keys to diverse geolocations. At present it seems our only hope (unless we are willing to go underground) is to disperse key people and data in jurisdictions (EU, China, Russia) which we hope will not all collaborate with each other in some act of simultaneous arrest and torture until developers give up their share of a signing key.

Yes, in terms of "post-quantum cryptography" you are right. AES is fine as long as it is used with 256bit!

General question: Was there any discussion on increasing the amounts of Tor relays, through which the traffic is routed?
Currently the traffic of any Tor user is routed through 3 relays.

How much would the security/anonymity (in terms of correlation attacks etc) be increased when the amount of relays through which the traffic gets routed is 4 instead of only 3?

Would it be possible to make Tor users choose the amount of relays by themselves? So paranoid users could get their traffic routed through e.g. 5 relays?

Was this ever discussed by the developers?

Hidden services are already accessed through 6 hops (3 yours and 3 theirs). I've sometimes noticed 4 to 5 hops in regular (exit) circuits under Orbot in its default configuration. The number is chosen by the client, so it could be adjusted by modifying the source, or perhaps the right tool pointed at Tor's control port. Relays are able to detect one-hop circuits though, and recently a default-disabled option was added to allow them, so it is hard to build one-hop circuits in practice. Not sure if there is any maximum outside the client itself.

Would it help? I don't think so. The CMU attack used a large number of guard-eligible exit nodes combined with the RELAY_EARLY flag to uniquely identify circuits which happened to be both entering and exiting CMU-controlled nodes at the same time. Thus the source and destination of a particular circuit were known to CMU. The number of middle nodes would have been irrelevant. But I would also be interested in hearing about this from a developer.

For multiple reasons. A few reasons I can think of:
1) It's unnecessary. 256 bits is plenty. 512 does not make you meaningfully less likely to be deanonymized.
2) It's very slow. Unlike AES (where it can be accelerated with AES-NI) or ChaCha20 (which is very fast in software), Threefish is practically a snail. It's fine for data-at-rest security, but when the main bottleneck for many relays is CPU speed, switching to something slower is a bad idea.
3) It's not supported by openssl, which Tor uses for encryption. Supporting it would as a result require using additional libraries and increasing complexity of the code.
4) It's not as well analyzed as AES, or even ChaCha20 (which at least benefits from prior analysis of the Salsa family of ciphers).
5) The key exchange algorithms used by Tor cannot fit a 512-bit key. Tor would need to switch to a much more bloated and slow key exchange algorithm to actually give 512-bits worth of security to this cipher.

So in general, the solution is not just to increase bit size. That's a very small aspect of a cipher's security. A *very* small aspect. Just go with >=128 bits (if avoiding classical attacks) or >=256 bits (if avoiding quantum attacks).

Not the OP, but thanks for replying, I find this sort of summary helpful in understanding design decisions (the *what* as well as the *why*).

I recognize that this would be an enormous task and best done as an academic paper, but I think it would be very useful for someone at Tor Project to help outside experts write a critical review of

o how specific encryption protocols/algorithms are used in *current* Tor for various purposes

o strengths and weaknesses of particular protocols as used in current Tor

o what design considerations led to particular choices

o pros and cons of possible future changes in how Tor uses encryption protocols

o how to maximize "future proofing" and resistance to quantum cryptanalysis

Then Roger or Nick could carefully write and post in this blog a layperson's summary (hopefully Ars Technica would offer their own summary too).

thank you for this. Are you basically saying, the advice by the aforementioned experts is that to stay encrypted is a very safe and reliable measure - so use it - and infiltration is much easier - so be careful of that?

> Are you basically saying, the advice by the aforementioned experts is that to stay encrypted is a very safe and reliable measure - so use it - and infiltration is much easier - so be careful of that?

Sorry for the confusion. Let me try again:

I think it is fair to say that there is a general consensus among cryptographers that:

o properly implemented end-to-end encryption works (math trumps Comey's "wishing it were so should make it happen"),

o properly implementing strong encryption can be very tricky, so wise developers will stick to already used and well-tested implementations (but this tends to reduce the chance they will use the latest and bestest),

o endpoint insecurity (putting WiFi in every device, backdoored routers, insecure BIOS, vendor provided insecure firmware which is never updated, unfixable hard wired flaws in chips, well hidden severe software vulnerabilities lurking in complex software such as a modern web-browser, insecure peripherals) generally makes it practical, even easy, for criminals, spooks, and other bad guys to break into devices and evade encryption intended to protect both "data in motion" and "data at rest",

o it is impossible to provide USG (or another government) with a "NOBUS" (nobody but us) "backdoor",

o deliberately weakening cybersecurity in any way inevitably increases the already dire risk posed to the US economy, critical infrastructure, and national security (not to mention individual security and privacy against identity theft, stalkers, doctor-patient confidentiality violators, lawyer-client confidentiality violators, babycam pervs, etc) by pervasive cyber insecurity,

o the already dire state of global cyber insecurity is rapidly growing worse with the USIC-encouraged growth of IoT, ipv6, "cloud computing", ever wider sharing and Big Data analysis of everyone's "data exhaust",

o thanks to Director Comey, "rubber hose cryptanalysis", which until recently was something only a few privacy advocates tried to warn open source software projects such as Debian and Tor to urgently protect against, is now very much a reality, not only in Syria or Uzbekistan but also in the so-called "Western world".

For a far more authoritative study of these issues, see "Don't Panic", the recent whitepaper from the Berkman Center, which was coauthored by Bruce Schneier and Susan Landau, among others. The title references Director Comey's current state of Torschlusspanik.

"Block ciphers such as AES used to encrypt disks and other "data at rest" are said to be less immediately endangered."

Yes, BUT:
Quantum computers will be able to reduce the strength of symmetric ciphers by 50%.
So AES256 will be as strong as AES128 and AES128 as strong as AES64.

So why would anybody today want to use AES with 128bit? Would you trust AES with 64 bit today? No, I certainly would not.

So why would you trust it in max. 20-30 years, when quantum computers will become reality?!
So people please always use AES and Twofish with 256bit!
Do not forget that the NSA records as much encrypted stuff as they have the capacity for, to decrypt it later when they are able to.
The Future is near.

You raise a number of valid points, such as future proofing against quantum crypto, which as you say may be much nearer than defenders would like to believe.

It would be very helpful to have an authoritative and readable review of

o how various kinds of cryptography are used in Tor,

o what level of danger each is currently believed to pose,

o what future Tor versions might do instead.

This would probably require an academic paper from someone like Nick, followed by a "laypersons summary" in post in this blog.

However, it seems clear that Tor is currently facing a dire existential threat (Apple-v-FBI and related cases) which is not technological but political.

Put another way, it appears that "rubber hose cryptography" may be the most serious threat currently facing Tor Project. There exist currently practical technological defenses (such as Shamir's secret sharing system), but these require the Project to make possibly painful and politically astute decisions to disperse key people and data in various national jurisdictions, not all of which may be particularly nice places to live if you are a privacy advocate.

Basically, USG has grabbed us where it hurts, and they are twisting hard.

It's a lot more than 50%. AES128 reduced by 50% is "AES127". For the same reason, AES256 is not twice as strong as AES128. Its key space is 2^128 times stronger.

The quantum Grover's algorithm is able to reduce a cipher's keyspace to 2^(n/2). Now, Shor's algorithm on the other hand... that's something to worry about. It can break almost all modern public key crypto almost instantly. No need to break AES128 when you can just break ECDHE!


February 25, 2016


Please, use Curve41417 (Bernstein)

Curve25519 is not large enough.

As you probably know, in general, keysize alone is not what makes a cipher strong.

In a recent tortalk post, arma cited a link to the (publicly readable) "internal discussions" of Tor developers, which shows that they are thinking very hard about adopting alternative cryptographic algorithms, such as NTRU, or particular curves for elliptic curve cryptography. So I don't think there are any grounds for suggesting (yes?) that they are not considering other cryptographic mechanisms for possible incorporation into future editions of tor client/server software.

"in general, keysize alone is not what makes a cipher strong."

agreed, but in this case with all other factors equal it is exactly like that:

using Curve41417 is more secure than Curve25519

I agree, the strongest encryption possible should always be utilized. I'd be happy to wait longer for a web request to be received to ensure it is utilizing the strongest possible encryption! Hell, the Blackphone already utilizes Curve41417!!!!

yes, totally agree! people's lives depend on Tor! it should always use the strongest possible encryption! maximum security should be the standard!

yes, SilentCircle already uses the great Curve41417. and they also switched from AES to Twofish! i think Tor should consider that too.

Twofish was also an AES finalist and in terms of security is superior to AES(Rijndael).

was a change to Twofish discussed by the Tor developers? any reason against it??

Curve review by Bernstein:

Like Tor Project, Silent Circle is under imminent threat from FBI. From a document (not classified, but marked "LEO sensitive") which was recently published by Public Intelligence:

> Open source reporting in India has noted the existence of several “hacking groups” within India.

IOW, some FBI contractor reads cybernews from India.

> Thus far, such reporting has identified group names like “Indian Cyber Army” or “Shakti Campaign” and referenced such groups as having worked on behalf of the Indian government against Pakistan. To date, we have yet to see any validated reporting as to the capabilities of such groups or been able to confirm their existence. It does stand to reason; however, criminal hacking activity, whether by individuals or from organized groups exists in India and could potentially target US companies both for financial gain and for general acclaim.

> Technical Details
> The FBI assesses most pro-ISIL hacktivist groups use relatively unsophisticated methods and tools to scan for and exploit well-known Web site vulnerabilities.

So presumably, it would follow that they can be assumed to be cryptographically unsophisticated, eh?

> Structured Query Language (SQL) injection, Cross Site Scripting (XSS), and social engineering tactics to obtain account credentials are assessed to be in the capability range of pro-ISIL cyber actors.
> The recruited Indian hackers are reportedly communicating on Internet based services like Skype, Silent Circle, Telegram, and WhatsApp. Pro-ISIL hackers use social media platforms like Twitter to make public announcements and release PII. Larger PII releases have been uploaded to online text sharing sites such as and

It cannot be emphasized too strongly that the US Military-Industrial Complex (principal architect of the global Surveillance State) and IS are effectively partners in fear-mongering, if occasionally opponents in terms of small scale "kinetic actions" (to use the USG euphemism for firing a gun in the general direction of a targeted person). They need each other to exist. Without USG orchestrating invasions and occupations of Muslim majority countries, without USG conducting incessant bombings and cyberstrikes targeting people it dislikes, IS would be unable to easily recruit a steady influx of new fighters to replace battlefield losses. Without IS constantly orchestrating/encouraging people to carry out acts of small scale low level violence in the homeland of the "Western aggressors", the US Military-Industrial Complex would have to look hard to find new enemies whose very existence supposedly poses an "existential threat" [sic] to the US heartland.

Interestingly enough, US President Obama recently echoed a sensible statement recently made in this blog, presumably by someone else, that IS does not pose an existential threat to the US. Which some of us might take as a virtual admission that the US is killing people in other countries mostly in order to keep the DOD/USIC and their contractor horde gainfully employed.

It is also interesting that both Tor and Silent Circle are products of people associated with the US Navy. The very organization which has recently been so busy converting the "rebellious" West Coast into an active fire training zone (in terms of cyberwar). Kind of makes you wonder just what the US military is prepared to do to Cupertino should Apple remain intransigent:
How the FBI will lose its iPhone fight, thanks to 'West Coast Law'
Uncle Sam can't argue against science
Dana Blankenhorn
4 Mar 2016

> ...
> there is a higher law beyond what FBI director James Comey sought to enforce on Apple last month.
> It was described by Harvard professor Larry Lessig almost 20 years ago, when he was then unknown, in a book called Code and Other Laws of Cyberspace, since updated as Code v2. Lessig called law as defined in computer code "West Coast Law." This is as opposed to "East Coast Law," which is defined by statute.
> Encryption is one such West Coast Law. It was defined by Whitfield Diffie and Martin Hellman 40 years ago in a paper called "New Directions in Cryptography." Their Diffie-Hellman protocol brought us the concept of public key cryptography, messages encrypted first with a key everyone knows, then decrypted with a private key controlled by the recipient. Or vice versa.
> East Coast Law is analog. It changes and it has exceptions. Arguments can be made – on either side of a question – that define or change East Coast Law or that shift its interpretation, as happens in courts. West Coast Law, like encryption, is binary. It's science. It uses facts that can't be denied or altered through the relative strength or weakness of an argument. So we have learned from that day to this.

Well, here's the thing: the US political/financial elite has suddenly become very concerned about rebellions from both the "socialist left" (e.g. Bernie Sanders) and "radical right" (e.g. Donald Trump and Ted Cruz), both of which threaten the ancien regime, albeit in very different ways. So suddenly they are taking very seriously longstanding warnings about the unrestrained growth of "algorithmic governance".

Algorithmic governance is exemplified most famously by NSA/CIA using predictive analysis to algorithmically compile profiles of people to be named in this week's Death List. But arguably the most worrisome application is far more mundane: governments have to constantly make decisions about what to do, or not to do, to various specific citizens. Hire? Fire? Sponsor? Evict? Charge? Parole? And algorithms, not low level human bureaucrats, now play a dominant role in determining how the USG treats any given US citizen. Indeed, regardless of the identity of the next US President, USG may soon radically downsize its nonmilitary personnel, because the most burdensome work of the Dpts of Agriculture, Education, etc, is now done by computers.

This won't be a surprise to anyone who follows the tech news. Nor that AI is posing a very real imminent threat to tens of millions of US jobs.

And the political leadership has also suddenly woken up to the fact that AI is not just threatening the low-paying jobs of lowly janitors, Uber drivers, and nursing home attendants, but also the obscenely high paying jobs of middle and upper level executives. But of course they should have known that the quants would enthusiastically (and rather foolishly) rush to replace themselves with AI bots. It's not like they were not warned.

Which brings me back to the question of why the USN is acting exactly like a military service preparing itself for war on the West Coast. Perhaps they are not only planning for a coup toppling The Donald (because it seems the admirals don't think "the football" would be safe in his insufficiently sizable hands), but also for a coup toppling "West Coast Law".

> the strongest encryption possible should always be utilized

That's a very naive statement. In Tor's case, one of the biggest bottlenecks is CPU power. My own Tor relay has a fast 100/100 internet connection, but can only contribute a tiny fraction of that to the network because the CPU is always maxed out doing the crypto. If Tor switched to stronger but slower algorithms, you would notice a rather large decrease in the Tor network's capacity, and subsequent decrease in anonymity.

Why? They are both elliptic curve algorithms, and therefore both would be breakable by quantum computers in the near (or far) future.

Because size of the elliptic curve does matter! Look into quantum computing and how they work. There is not 1 type of quantum computer that breaks crypto with all bit length.
The first quantum computer might just break crypto with 128 bit length. A further development might break 256 etc.
All other things being equal we can say: elliptic curves with higher bit sizes are stronger and stay secure longer even if quantum computers appear.


February 25, 2016


When I saw the reviews of this judgment I thought: This judge does not have the slightest idea of how Tor works!

The much older half brother of Judge Richard Jones is the well known composer Quincy Jones, who attended Garfield High School in Seattle, Washington, USA.

Social media accounts belonging to teenaged students at that school were apparently cyberattacked some years ago by the CEO of HB Gary Federal, according to documents published by Wikileaks, who obtained them from hacktivists. The authenticity of these documents was admitted by the CEO of the parent company, HB Gary.

The reason why HB Gary Federal cyberattacked the students was to find sufficient information to impersonate them while attempting to phish former classmates who were working at a US Army intelligence unit in Texas. The goal was not to spy on the US Army but to provide a demonstration which the CEO hoped would convince a well connected law firm (involved in the campaigns of at least two current US Presidential candidates) to hire HB Gary Federal for such actions as cyberattacks on Wikileaks. Because one of the clients of that firm was a huge US bank which believed that Wikileaks was about to publish damning documents which could have led to criminal charges against the executives of the bank. Another person whom HBGary Federal wanted to cyberattack was the journalist Glenn Greenwald. Another was Jacob Appelbaum, Tor Project's "asset" in Berlin.

This is exactly the kind of abuse (against children, even!) which civil libertarians are fighting against, using legal means such as speaking out anonymously in blogs such as this. We don't condone "hacktivism", but it is undeniable that two of the most valuable sources of information about how our enemies are behaving have been the publication of documents from HB Gary and from Hacking Team.

(Hacking Team SRL, the very company which is cited in the case at hand, maker of "RCS Galileo".)

A common tactic used by "the authorities" in the former Soviet Union and also in post-communist China, is incarcerating people who oppose some governmental policy in "special psychiatric hospitals", on the grounds that "anyone who opposes the State must be insane" [sic]. In this context, another interesting tidbit from Wikipedia:

> When the boys were young, their mother suffered from a schizophrenic breakdown and was committed to a mental institution.

As I understand it, Richard and Quincy share a father, not a mother, but the more I read about the case, the more I wonder how Judge Jones could possibly have arrived at the factually mistaken and horrendously anti-American beliefs he espouses in his decision.

FBI wants to deny all citizens the right to define themselves, to protect some reserve of private life, even from the Government. FBI/NSA/etc are seeking to obtain the 21st century version of the Writs of Assistance. To write the detailed second by second narrative of all our lives, even inside our own homes. This ongoing concerted effort to establish oppression as the law of the land parallels moves which would give the government the power to monitor and control all financial transactions made by US citizens.

What people are not permitted to write the narrative of their own lives? To enjoy some private relationships (for example between husband and wife) which not even the government can break? To own their own money?

History calls these people "slaves".

> A common tactic used by "the authorities" in the former Soviet Union and also in post-communist China, is incarcerating people who oppose some governmental policy in "special psychiatric hospitals

No, you are wrong, it is not a communist or a Chinese idea; but certainly a European archaism coming from Freud/Jews a few centuries ago and it does not come from "the authorities": everyone can ask and obtain even worse ...

> A common tactic

No, it is a perversity used by a mafia group.

You should drink less and think better.



February 25, 2016


If the FBI had subpoenaed the exit, middle, and guard nodes to get IP addresses at a very specific time, would you object in the same way?

Interesting question. You'll want to nail down the scenario a bit more.

Do you mean if they had sent subpoenas to honest and correctly behaving Tor relays? In that case the answer would have been "Sorry, we do not have any logs that are helpful to you. Can I take this opportunity to teach you more about Tor?" (See this question and its answer on )

Do you mean if they had asked some cooperative attacker to run some misbehaving relays that log traffic, and then asked for a copy of the logged traffic? Then yes, I think exactly the reasoning above still holds -- it is inaccurate to conclude that the user did not want privacy because he gave his IP address to the entry node.

Isn't it in some way legally possible to forbid certain actions of Tor relay providers?
Like a legally binding code of conduct.
E.g. no logging, no saving or extracting data, no tampering with data etc etc.

If a provider would breach these rules (like CMU did) they could be sued?!

If I remember correctly, Phil Zimmermann talked about ZRTP and its safety provision:

The ZRTP protocol can be licensed free of charge, but they have a provision in the license that nobody is allowed to put a backdoor in it. This would breach the license agreement.
They could be sued.
So everybody can use it for free, but no backdoor is allowed.

A breach of EULA would let them be sued, but would not be illegal per se. It is not illegal to break such a contract, but it is likewise not illegal to sue for it. In that case, you'd pit Tor Project against an entity like the FBI with nearly bottomless pockets. The only solution would be to make it illegal for them to do what they did, in which case the evidence they gather could be thrown out of court. But there's no such law. And CFAA doesn't seem to apply to them...