The Trouble with CloudFlare

Wednesday, CloudFlare blogged that 94% of the requests it sees from Tor are "malicious." We find that unlikely, and we've asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as "malicious." Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare's system.

We're interested in hearing CloudFlare's explanation of how they arrived at the 94% figure and why they choose to block so much legitimate Tor traffic. While we wait to hear from CloudFlare, here's what we know:

1) CloudFlare uses an IP reputation system to assign scores to IP addresses that generate malicious traffic. In their blog post, they mentioned obtaining data from Project Honey Pot, in addition to their own systems. Project Honey Pot has an IP reputation system that causes IP addresses to be labeled as "malicious" if they ever send spam to a select set of diagnostic machines that are not normally in use. CloudFlare has not described the nature of the IP reputation systems they use in any detail.

2) External research has found that CloudFlare blocks at least 80% of Tor IP addresses, and this number has been steadily increasing over time.

3) That same study found that it typically took 30 days for an event to happen that caused a Tor IP address to acquire a bad reputation and become blocked, but once it happened, innocent users continued to be punished for it for the duration of the study.

4) That study also showed a disturbing increase over time in how many IP addresses CloudFlare blocked without removal. CloudFlare's approach to blocking abusive traffic produces a large number of false positives that impede normal traffic, thereby damaging the experience of many innocent Tor and non-Tor Internet users, as well as impacting the revenue streams of CloudFlare's own customers by causing frustrated or blocked users to go elsewhere.

5) A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that originating from the Internet at large. (Specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).
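As an added example (not from the original post, and not CloudFlare's or Project Honey Pot's actual scoring code), the Python below models the rule the post suspects, "an IP that has ever sent spam is malicious", over a constructed request log for one shared exit address, and contrasts it with a variant whose bad reputation expires. The exit IP, request counts, spam day and expiry window are all constructed values.

```python
"""Toy model of per-IP reputation applied to a shared Tor exit.

Many users share one exit address, so a single abusive session poisons
the address for everyone who comes after it. The 'malicious share' the
scoring system reports is then driven by how long the window is after the
poisoning event, not by how much traffic was actually abusive.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    day: int        # day offset within the observation window
    ip: str         # source address the site sees (the exit, for Tor users)
    abusive: bool   # ground truth: was this particular request abusive?


def build_exit_log(days: int = 60, legit_per_day: int = 100,
                   spam_day: int = 30, spam_requests: int = 5,
                   ip: str = "198.51.100.7") -> list[Request]:
    """Constructed log for one shared exit (documentation-range IP).

    Different users send `legit_per_day` harmless requests every day; on
    `spam_day` one abuser sends `spam_requests` abusive requests through
    the same exit. Requests are returned in chronological order.
    """
    log: list[Request] = []
    for day in range(days):
        if day == spam_day:
            log.extend(Request(day, ip, True) for _ in range(spam_requests))
        log.extend(Request(day, ip, False) for _ in range(legit_per_day))
    return log


def label_ever_spammed(requests: list[Request]) -> list[bool]:
    """The suspected rule: an IP that has EVER sent spam is malicious.

    Reputation never decays and is never removed, so every later request
    from the exit is labelled malicious regardless of who sent it.
    Returns one label per request, in input (chronological) order.
    """
    poisoned: set[str] = set()
    labels = []
    for r in requests:
        if r.abusive:
            poisoned.add(r.ip)
        labels.append(r.ip in poisoned)
    return labels


def label_with_expiry(requests: list[Request], expiry_days: int) -> list[bool]:
    """Same rule, but the bad reputation expires `expiry_days` after the
    last abusive request from that IP (the removal the post found missing)."""
    last_abuse: dict[str, int] = {}
    labels = []
    for r in requests:
        if r.abusive:
            last_abuse[r.ip] = r.day
        labels.append(r.ip in last_abuse and r.day - last_abuse[r.ip] < expiry_days)
    return labels


def malicious_share(labels: list[bool]) -> float:
    """Fraction of requests the system calls malicious: the kind of number
    a '94% of Tor requests are malicious' headline is built from."""
    return sum(labels) / len(labels)


def false_positive_rate(requests: list[Request], labels: list[bool]) -> float:
    """Fraction of genuinely harmless requests that were labelled malicious."""
    legit = [lab for r, lab in zip(requests, labels) if not r.abusive]
    return sum(legit) / len(legit)


def truly_abusive_share(requests: list[Request]) -> float:
    """Ground-truth share of abusive requests, for comparison."""
    return sum(r.abusive for r in requests) / len(requests)


if __name__ == "__main__":
    for days in (60, 360):
        log = build_exit_log(days=days)
        forever = label_ever_spammed(log)
        week = label_with_expiry(log, expiry_days=7)
        print(f"{days}-day window, {len(log)} requests, "
              f"actually abusive: {truly_abusive_share(log):.2%}")
        print(f"  ever-spammed rule: labelled malicious {malicious_share(forever):.1%}, "
              f"false positives {false_positive_rate(log, forever):.1%}")
        print(f"  7-day expiry rule: labelled malicious {malicious_share(week):.1%}, "
              f"false positives {false_positive_rate(log, week):.1%}")
```

With the constructed numbers, five abusive requests out of 6005 yield a 50% "malicious" share over 60 days and over 90% over 360 days under the never-expiring rule, while the expiring variant drops below 12%.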

CloudFlare disagrees with our use of the word "block" when describing its treatment of Tor traffic, but that's exactly what their system ultimately does in many cases. Users are either blocked outright with CAPTCHA server failure messages, or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs, many of which require the user to understand English in order to solve correctly. For users in developing nations who pay for Internet service by the minute, the problem is even worse as the CAPTCHAs load slowly and users may have to solve dozens each day with no guarantee of reaching a particular site. Rather than waste their limited Internet time, such users will either navigate away, or choose not to use Tor and put themselves at risk.

Also see our new fact sheet about CloudFlare and Tor: https://people.torproject.org/~lunar/20160331-CloudFlare_Fact_Sheet.pdf

Anonymous

April 01, 2016

Permalink

Thank you for finally addressing this problem.

In my view services like cloudflare are by far the greatest threat for the tor project. What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?

Furthermore I doubt most of cloudflare's customers understand that they agree to a man-in-the-middle attack on their traffic.

The two main problems with cloudflare are
1) They get to decide who is 'good' or 'bad' and filter traffic by non-transparent means
2) They at least theoretically have the ability to view, collect and analyze their clients' https traffic
This gives them enormous power over an increasingly large part of the internet.
Do we really want to let such companies decide who is allowed to view a certain website and who is not? Their approach must not be left unchallenged.

But as said the problem is of course bigger than cloudflare.
Nowadays anything even a little outside of the norm is being flagged as malicious traffic and subsequently blocked.

I think the best approach would be to get civil rights organizations like the EFF involved in this. They have the necessary legal and PR resources and would provide a more neutral point of view than the tor project team.

> What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?

That is a good point. CloudFlare could eventually make Tor almost unusable for most surfers, which would thwart our attempts to convert a sizable fraction of ordinary citizens into regular users of Tor Browser and other TP products. Which is critically important to
* wean TP from the USG teat,
* grow our user base and thus our political leverage,
* better protect anonymity.

But I can't agree with this:

> In my view services like cloudflare are by far the greatest threat for the tor project.

I think the biggest threat is by far the very real possibility that the USG will attempt to outlaw Tor Browser, and to designate Tor Project as an "illegal organization". Currently, I believe the most worrisome scenario involves intolerable pressure being brought upon Debian Project (upon which Tails and much of Tor development work relies), Tor Project, or individual developers to abuse their cryptographic signing keys by "authenticating" a Debian software update or a Tor Browser bundle tarball that has been maliciously modified by state-sponsored attackers--- today USG; tomorrow India, Kazakhstan, Nigeria...

>today USG; tomorrow India, Kazakhstan, Nigeria

ha! there's that formula again!

"the real concern is that all this nastiness will later end up in the hands of
because even when the USA has the most developed surveillance apparatus on earth, it isn't actually oppressive, we are good guys you know, we have our checks and balances after all!"

yanks seriously are brainwashed, xD

The Debian project has already recognized this threat. This is part of the reason they are so interested in reproducible builds.

> What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?

Well, we have our internal onion network, remember? This is yet another good opportunity to emphasise its goodness.

> What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?

The solution, ironically, is more Tor. If Tor were as ubiquitous, then CloudFlare would have no choice but to re-engineer their security to address legitimate issues without taking draconian shortcuts. Otherwise, they would risk losing everyone's traffic.

actually the solution is maidsafe, a distributed internet that can't be DDoSed or censored since everyone is both a client and a server. It's like if bittorrent went 2.0 but everyone held an encrypted chunk of a file instead of an unencrypted whole file and no one knew which chunk they had and therefore could not be held accountable or actively censor it.

This also serves as a replacement for Tor.

Anonymous

April 01, 2016

Permalink

@ Mike Perry:

Thanks so much for your prompt response to CloudFlare's latest scare-mongering!

I surfed to TP intending to try to post a suggestion that TP respond and was delighted to find that you had already done so--- this is exactly the kind of fast response TP needs to ensure, at a time when TP is apparently facing an existential threat of a political nature (on top of all the technical threats from Hacking Team, CMU/SEI, GCHQ/NSA, etc), exemplified by the ongoing intensive top-priority PR offensive by FBI, aka CWII, which continues unabated:

http://www.theregister.co.uk/2016/03/30/fbi_aims_to_win_war_w_apple/
The FBI lost this round against Apple – but it aims to win the war
Courts or Congress – Hobson's choice on privacy
Iain Thomson
30 Mar 2016

> While fans of strong crypto and privacy are celebrating the US Department of Justice decision to back down in the San Bernardino case against Apple, it's important not to get too giddy – this is going to be a long battle and the FBI has nothing but time.

http://arstechnica.com/tech-policy/2016/03/us-says-it-would-use-court-s…
US says it would use “court system” again to defeat encryption
Feds say they can force entire tech sector, not just Apple, to disable security.
David Kravets
29 Mar 2016

> ...
> The Justice Department now says it will not hesitate to invoke the precedent it won in its iPhone unlocking case. The authorities had obtained a court order weeks ago ordering Apple to write code to help the authorities unlock Farook's phone, all in hopes that data on it could stop another terror attack or shed light on the one that killed 14 people in San Bernardino in December. On Monday, however, the authorities said they didn't need Apple's help, asking the judge presiding over the case to withdraw the order because they had cracked the phone and obtained the desired information, all with the help of an "outside" party.

A big problem for those of us who support privacy technologies is that the international public's understanding of Tor (and of on-line privacy and cybersecurity generally) is very poor, according to a recently released CIGI survey:

http://www.theregister.co.uk/2016/03/30/internet_users_dont_understand_…
Internet users don't understand security or privacy, says survey
'Shut down the dark net, give governments backdoors', CIGI study finds
Richard Chirgwin
30 Mar 2016

> Canadian think-tank CIGI (the Centre for International Governance and Innovation) reckons ordinary citizens are more comfortable with government oversight of the Internet and their privacy than, for example, Apple. In an international survey (24,000 respondents in 24 countries), the group claims more than 70 per cent want the “dark net” shut down (which rests on the assumption that 70 per cent of people actually know what the “dark net” is). Dark net hostility is greatest in Indonesia, India and Mexico (all above 80 per cent saying it should be eliminated), with the US and Australia tied at 72 per cent.
>
> At the same time, an average of more than 26 per cent of users don't trust their governments at all over monitoring their communications without their knowledge (something not highlighted in either of the two CIGI-Ipsos media releases; The Register pulled out those numbers from the survey data.).

Tor Project needs to work tirelessly to try to work with reporters to correct our image problem, since our enemies are working tirelessly to promote the kind of false/misleading claims made by CloudFlare. This should be one aspect of TP's efforts to help organize the kind of SOPA fight against "rubberhosing" which Sen. Ron Wyden (D-OR) is urging:

http://www.theregister.co.uk/2016/03/30/senator_wyden_bid_to_defeat_enc…
Senator Wyden recalls SOPA fight in bid to defeat encryption-weakening efforts
It's not privacy versus security; it's security versus more security
Kieren McCarthy
30 Mar 2016

> Senator Ron Wyden (D-OR) has put out a call to arms to digital rights activists, asking them to join in a SOPA-style effort to defeat upcoming efforts to weaken encryption.
>
> In a wide-ranging speech that covered J Edgar Hoover, Miranda Rights, the Founding Fathers and the Amazon Echo, the Oregon Senator warned that despite the recent decision by the FBI to drop its case against Apple, "as sure as night follows day," the issue is going to return and it will be necessary to fight legislative efforts to reduce the effectiveness of encryption.
>
> "I will block any plan that would weaken strong encryption," he told the RightsCon conference in San Francisco.
>
> "The expected legislation will be a lose-lose for all of us: less security and less liberty."

(Wyden is referring to a long-threatened bill from Sens. Feinstein/Burr, which would mandate that hardware/software providers--- presumably including TP--- "assist" USIC/FBI/LEOs by putting in various kinds of backdoors.)

"It is all of them (government agencies) against all of us (The People)."

A senior FBI official has dramatically confirmed the truth of this statement in the following letter published by Buzzfeed:

> Since recovering an iPhone from one of the San Bernardino shooters on December 3, 2015, the FBI sought methods to gain access to the data stored on it. As the FBI continued to conduct its own research, and as a result of the worldwide publicity and attention generated by the litigation with Apple, others outside the US government continued to contact the US government offering avenues of possible research. In mid-March, an outside party demonstrated to the FBI a possible method for unlocking the iPhone. That method for unlocking that specific iPhone proved successful.

> We know that the absence of lawful, critical investigative tools due to the "Going Dark" problem is a substantial state and local law enforcement challenge that you face daily. As has been our longstanding policy, the FBI will of course consider any tool that might be helpful to our partners. Please know that we will continue to do everything we can to help you consistent with our legal and policy constraints. You have our commitment that we will maintain an open dialogue with you. We are in this together.

> Kerry Sleeper
> Assistant Director
> Office of Partner Engagement
> FBI

See:

http://arstechnica.com/tech-policy/2016/04/fbi-offers-crypto-assistance…
FBI offers crypto assistance to local cops: “We are in this together”
After iPhone unlock in San Bernardino, FBI re-assures police it will try to help.
Cyrus Farivar
2 Apr 2016

And for another stark indication of FBI's naked-duplicity-as-routine-policy, see this:

https://www.techdirt.com
FBI Won't Tell Apple How It Got Into iPhone... But Is Apparently Eager To Help Others Break Into iPhones
Tim Cushing
31 Mar 2016

>> as iPhone forensics guru Jonathan Zdziarski succinctly summarized:

>>> FBI: You should do it, it's just one phone
>>> Apple: No it isn't
>>> FBI: We got in
>>> Apple: You should say how, it's just one phone
>>> FBI: No it isn't

But FBI must take second place to USIC for sheer audacity in misleading/inaccurate official statements. ODNI GC Robert Litt has been assuring inquiring reporters that NSA's new information sharing rules (which remove restrictions on sharing of raw "full take" NSA data trawls of the communications and data, e.g. PC disk drive content, of US citizens) only apply to "intelligence". But FBI has rebranded itself as an "intelligence agency", and DEA has always considered itself both an intelligence agency and an LEO. This is worrisome because DEA has for decades treated every citizen of at least some countries as a felony suspect, and one receives the impression that NSA is trying to disguise the fact that DEA/FBI now treats all US citizens as felony suspects, and thus, treats them as suitable targets for warrantless intrusive espionage. See for example the Snowden leaked documents on how NSA abuses national telecom contracts with US companies such as AT&T to illegally record the full content of every telephone call to or from or within Bahamas and then gives DEA free access to all this stolen information, and see:

https://www.techdirt.com/articles/20160401/odni-lawyer-bob-litt-says-th…
ODNI Lawyer Bob Litt Says There's No NSA Data Sharing With Law Enforcement... If You Don't Count The FBI, DEA, Etc.
1 Apr 2016

Meanwhile, it seems that various "Western" LEOs are joining the national police forces of nations like Uzbekistan in exploiting the terrorism card to demand access to devices used by investigative reporters. For example, RCMP:

https://www.techdirt.com/articles/20160331/canadian-court-says-vice-mag…
Journalism
Tim Cushing
1 Apr 2016

A Canadian court -- granting a request made by the Royal Canadian Mounted Police (RCMP) -- is in the process of dismantling protections for Canadian journalists. The case involves a Skype interview by Vice Magazine with an alleged terrorist currently located in Syria. The interview, in which the self-avowed terrorist (Farad Mohamed Shirdon) claimed an attack in New York City was imminent, appeared back in October 2015 and led directly to his being charged in absentia with several terrorism-related offenses.

See also this from a tech-savvy resident of Brussels:

http://arstechnica.com/tech-policy/2016/04/brussels-terror-attacks-surv…
Brussels terror attacks: Why ramping up online surveillance isn’t the answer
Op-ed: Brief moratorium needed on calls for new spying laws after atrocities.
Jennifer Baker
2 April 2016

> I am in Brussels. And I am scared. Very scared... of the probable security backlash following last month’s terrorist attacks.

It's all of them (governments) against all of us (The People).

Anonymous

April 01, 2016

Permalink

Maybe provide a viable alternative suggestion to how CloudFlare should be detecting and blocking malicious traffic that would accommodate Tor?

One really easy alternative, that they could do immediately, is to stop preventing Tor users from accessing static pages. How could "GET /index.html" be malicious?

But I find your question odd. Are CloudFlare only hiring people too incompetent to get jobs at other CDNs? I don't believe that, which means they can think of a better solution themselves: every major competitor did. I'll stop short of claiming they have some anti-Tor agenda, for now—but at best, they just don't give a shit. (Maybe I'm overlooking something explained in their blog post, but that's hosted by CloudFlare, so...)

Maybe provide a less stupid question?
Maybe properly define "malicious traffic"?
Maybe question if any such wholesale blocking is necessary at all?
Maybe Tor Project should receive payment if they are to provide implementations for Cloudflare's bullshit "protection" product?

As the original post above already pointed out, Cloudflare's competitors manage to do this successfully but somehow Cloudflare does not, so you sound like a Cloudflare employee attempting image mitigation.

Good to see someone is looking for a compromise.

Tor is understandably upset that their legitimate use is being blocked, but has no way to measure or control their abuse. Companies like CloudFlare have no choice but to block when the abuse gets too high.

This is a stalemate. Suggesting that CloudFlare whitelist all Tor traffic is just as silly as suggesting that all Tor traffic should be blocked. We need a viable solution (javascript challenges and captchas are the best anyone's found so far).

Ask the site owner to set up a hidden service. In most cases, it only takes a few commands and can be done in literally about one minute. The Tor protocol already has protections against network-level DDoS attacks built-in, because the designers recognized long ago that Tor would be a prime tool for those kinds of attacks.

If protecting against network-level DDoS attacks is your only concern, then an HS can coexist just fine with CloudFlare. You just point the hidden service at your server's (secret) IP just like you do with CF, and your server will remain hidden and protected yet accessible to Tor users. Unfortunately many Tor users will not know about the .onion address if they are blocked by CF the first and every time they try to access your site by its domain name. (Do I hear a need for a ".onion Everywhere" extension for Firefox/TB?)

The downside (or upside, depending on who you ask) here is that the HS will bypass CloudFlare entirely, and sites wanting features other than network-level DDoS protection will have to use something on their local server.

Just to be clear: this is **not** a technical limitation. If CloudFlare wanted to, they could set up their own Tor hidden service addresses (one for each site behind them), and terminate the Tor connection there, scan the traffic and forward it to the site (according to its "Host:" header or addr:port pair). You'd be trading privacy for accessibility, but it's your choice. The site could even get a TLS certificate with the .onion address on it and pass only end-to-end encrypted traffic, but that would defeat the purpose of CloudFlare-over-Tor entirely!

If it works for Facebook, it can work for anyone. I see no reason why a Tor hidden service address is not a good idea for any site.

Or provide the site operators with an alternative, such as Akamai, Amazon Cloudfront, Google Shield, and numerous other CDNs and reverse proxies. Not that they'll take any advice from a mere Tor user.

Anonymous

April 01, 2016

Permalink

We now have some answers about the infamous CMU/SEI breakage of Tor (or maybe just hidden services?): it seems that Army Research Laboratory (ARL) hired SEI (Software Engineering Institute) to "research" dragnet style Tor breakage, and FBI then subpoenaed CMU to get the "experimental" data.

This procedure (agency A commissions "research" then agency B subpoenas the raw data) could quickly become commonplace since many recently passed laws contain very broad exceptions to privacy rules for "research" (not further specified).

Here are the most relevant portions of the document (a ruling by Judge Richard A. Jones in the Farrell case being heard in Seattle, WA) which contains the revelations:

> the defendant’s IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (“CMU”) when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”). The government previously produced information to the defense that Farrell’s IP address was observed when SEI was operating its computers on the Tor network.
> ...
> SEI’s identification of the defendant’s IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny.
> ...
> In the instant case, it is the Court’s understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers. Again, according to the parties’ submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.

Ars asked some lawyers to comment and they made some useful points:

http://arstechnica.com/tech-policy/2016/02/judge-confirms-what-many-sus…
Judge confirms what many suspected: Feds hired CMU to break Tor
A 1992 case about paper shredders may also shed some light on Tor privacy question.
Cyrus Farivar
24 Feb 2016

> A federal judge in Washington has now confirmed what has been strongly suspected: that Carnegie Mellon University (CMU) researchers at its Software Engineering Institute were hired by the federal government to do research into breaking Tor in 2014. The judge also made a notable statement in his court order that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."
> ...
> Neil Richards, a law professor at Washington University in St Louis, said that this "reasonable expectation of privacy" for Internet users is "an open one." The so-called third-party doctrine, which stemmed from the 1979 Supreme Court decision Smith v. Maryland, found that telephone users do not have a privacy interest in the phone numbers that they dial, as the phone company has access to them.
>
> "Law enforcement have argued that this sharing rationale applies to all Internet and digital data held by third parties—ISPs, e-mail providers, fitness trackers, cloud storage providers, etc," Richards told Ars. "The strong form of this argument is nonsense. Law enforcement in the past also argued that they didn’t need warrants to open mail or tap telephones, and ultimately lost on both counts. The Supreme Court hasn’t ruled on e-mail yet, but lower courts require a warrant for e-mail, and the Supreme Court has made clear in recent cases that a majority of Justices are very concerned about digital privacy and are eager to extend the Fourth Amendment to that, just like they did for telephone calls in the 1960s."
>
> Mark Rumold, an attorney with the Electronic Frontier Foundation, concurred.
>
> "The expectation of privacy analysis has to change when someone is using Tor," he said. "Rotely applying precedent leads to bad results, like courts finding that someone 'clearly' lacks a privacy interest in their IP address, even though they're using technology specifically designed to protect that privacy interest."

Vice has cited Mike Perry's previous post in an update to its story on the ARL/CMU/SEI revelation:

https://motherboard.vice.com/read/carnegie-mellon-university-attacked-t…
Confirmed: Carnegie Mellon University Attacked Tor, Was Subpoenaed By Feds
Joseph Cox
24 Feb 2016

> Update 25 Feb: In a statement, the Tor Project told Motherboard that "the Tor network is secure and has only rarely been compromised. The Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU) compromised the network in early 2014 by operating relays and tampering with user traffic. That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it. The Tor network remains the best way for users to protect their privacy and security when communicating online."

Not surprisingly, FBI is refusing to divulge how the SEI attack worked:

http://www.theregister.co.uk/2016/03/29/fbi_tor/
FBI: Er, no, we won't reveal how we unmask and torpedo Tor pedos
No NIT software exploit code for you
Iain Thomson
29 Mar 2016

ACLU has uncovered at least 63 other cases in which DOJ has invoked the All Writs Act of 1789 to force "technical assistance" in unlocking smart phones:

http://arstechnica.com/tech-policy/2016/03/feds-used-1789-law-to-force-…
Feds used 1789 law to force Apple, Google to unlock phones 63 times
"These cases predominantly arise out of investigations into drug crimes."
David Kravets
30 Mar 2016

> ...
> the law allows for judges to issue orders for people or companies to do something despite Congress not passing laws to cover specific instances. The All Writs Act is the law that led a federal magistrate ordering Apple to write code and unlock Farook's phone, an order that was no longer necessary because the authorities said Monday they cracked the phone without Apple's assistance. The government also said it wouldn't hesitate to use the "court system" to require other tech companies to weaken their security, too.
>
> According to the American Civil Liberties Union, the US government has cited the All Writs Act in 63 cases since 2008 to compel Apple or Google to assist in accessing data stored on an iPhone or Android device. Most of the orders involved Apple. "To the extent we know about the underlying facts, these cases predominantly arise out of investigations into drug crimes," said Eliza Sweren-Becker, an ACLU attorney.

For the court documents uncovered by ACLU, see:

https://www.aclu.org/court-documents-related-all-writs-act-orders-techn…
Court Documents Related to All Writs Act Orders for Technical Assistance
All Writs Act Orders for Assistance from Tech Companies

And new cases are rapidly arising. I urge TP to track these and continually formulate how TP would respond legally if a (politically/legally, not technically) similar situation to these smart phone cases arises which involves Tor:

http://thehill.com/policy/cybersecurity/274884-fbi-not-sure-it-can-unlo…
FBI not sure it can unlock iPhone in Arkansas homicide
Cory Bennett
1 Apr 2016

> The case is being closely watched as it comes on the heels of the FBI announcing it had been able to hack into an iPhone used by one of shooters in the San Bernardino, Calif., terrorist attack. The FBI had previously claimed such a hack was impossible without Apple’s help, even seeking a court order compelling the tech giant to assist. The bureau’s success has raised questions about what other devices it may now be able to access. Police have hundreds of seized iPhones around the country they would like to access. The Arkansas request was quickly taken up as the potential first test case of the FBI’s method, although it was not clear the same tactic would work for the devices in the homicide case.

http://arstechnica.com/tech-policy/2016/03/father-begs-apple-ceo-to-hel…
Father begs Apple CEO to help unlock his dead 13-year-old son’s iPhone
"I think Apple should offer solutions for exceptional cases like mine."
Cyrus Farivar
31 Mar 2016

> An Italian father has reportedly written to Apple CEO Tim Cook, pleading for help to unlock his dead 13-year-old son’s iPhone 6 so that he can retrieve the photos stored on it.
> ...
> According to the AFP, Fabbretti’s son Dama was diagnosed with bone cancer in 2013, and he passed away in September 2015.
>
> In a February 2016 interview with the Italian newspaper La Repubblica (Google Translate), Fabbretti said that Dama had given his father access to the phone via TouchID fingerprint authentication, which was saved on the phone, but that wasn’t enough, as the phone was powered off when he found it. Newer iPhones running iOS 8 or later, including this one, require the full passcode after reboot.
>
> Fabbretti said that he has contacted Apple tech support, which told him they were sorry for his plight but lamented that there was nothing they could do.

In a somewhat analogous case in the UK, Lauri Love has been ordered by the UK's principal state-sponsored-criminality agency, NCA (National Crime Authority), to divulge the passphrases to the encrypted devices seized back in 2013:

http://arstechnica.com/tech-policy/2016/03/uk-cops-tell-suspect-to-hand…
UK cops tell suspect to hand over crypto keys in US hacking case
Lauri Love faces extradition to US over hitting Federal Reserve, among others.
J.M. Porup
31 Mar 2016

> At a court hearing earlier this month, the UK's National Crime Authority (NCA) demanded that Lauri Love, a British computer scientist who allegedly broke into US government networks and caused "millions of dollars in damage," decrypt his laptop and other devices impounded by the NCA in 2013, leading some experts to warn that a decision in the government's favor could set a worrisome precedent for journalists and whistleblowers.

https://theintercept.com/2016/04/01/british-authorities-demand-encrypti…
British Authorities Demand Encryption Keys in Case With “Huge Implications”
Ryan Gallagher
1 Apr 2016

> BRITISH AUTHORITIES are attempting to force a man accused of hacking the U.S. government to hand over his encryption keys in a case that campaigners believe could have ramifications for journalists and activists.
> ...
> Naomi Colvin, a campaigner for transparency advocacy group the Courage Foundation, told The Intercept that she believed the case could have “huge implications for journalists, activists, and others who need to guard confidential information” — potentially setting a precedent that could make it easier in the future for British police and security agencies to gain access to, or to seize and retain, encrypted material.
>
> Colvin said that the Courage Foundation, which is raising funds for Love’s legal defense, is backing him because “his case fits in to a pattern of political prosecutions of hacktivists and other truthtellers.” She added: “From our work with some of our other beneficiaries — particularly Jeremy Hammond and Barrett Brown — we’re very familiar with the prosecutorial overreach, inflated damage figures, absurd sentencing, and discriminatory prison treatment, including frequent spells in solitary confinement, that is common in these kinds of cases.”
>
> The encryption key demand is set to be the focus of an April 12 court hearing, at which a judge is expected to rule on whether Love should be ordered to turn over his passwords. But regardless of the hearing’s outcome, Love has no intention of turning over his encryption keys.
>
> “I don’t have any alternative but to refuse to comply,” he told The Intercept. “The NCA are trying to establish a precedent so that an executive body — i.e., the police — can take away your computers and if they are unable to comprehend certain portions of data held on them, then you lose the right to retain them. It’s a presumption of guilt for random data.”

I applaud his courage, and urge all Tor staffers to consider how they would act if they encounter "rubberhose cryptanalysis".

Sen. Ron Wyden, Rep. Ted Lieu, and others in the US Congress have been warning that the public does not understand the nature of the recent loosening of NSA's rules for sharing the personal information of US citizens gleaned from its dragnet with FBI.

https://theintercept.com/2016/04/01/intelligence-community-olive-branch…
Intelligence Community Olive Branch on Data Sharing Greeted With Skepticism
Jenna McLaughlin
1 Apr 2016

> In a post on one of the intelligence community’s favorite blogs on Wednesday, [Robert] Litt, general counsel for the Office of the Director of National Intelligence, outlined new intelligence data-sharing guidelines that he said will be released soon. The post, on Just Security, was essentially a response to reporting last month from the New York Times’s Charlie Savage that the NSA would soon be sharing with other government agencies the raw, unfiltered intelligence from the depths of its massive overseas spying programs.
> ...
> Patrick Toomey, staff attorney for the ACLU’s National Security Project, questioned Litt’s assumptions. “The premise of Litt’s response seems to be that there is an impermeable barrier — or ‘wall’ — between the FBI’s intelligence and law-enforcement roles. But that’s the wall the [intelligence community] spent the last 15 years tearing down,” Toomey wrote in an email. In fact, ever since the September 11 terror attacks, the intelligence community has been working to get information out of agency “stovepipes” so that it can be better used to stop terrorist attacks — even though that was not actually the problem pre-9/11. When conducting criminal investigations, the FBI can currently search through data the NSA gives it from programs run under Section 702 of the Foreign Intelligence Surveillance Act. Those programs are designed to target the communications of overseas persons, but “incidentally” grab some American communications, too. Those FBI searches have been likened to “backdoor surveillance.” “It seems very likely that the new 12333 procedures will permit the same thing, giving the FBI nearly unfettered access to an even bigger pool of data,” wrote Toomey.

An essential point for Tor users: NSA documents leaked by Snowden show that NSA regards all Tor users as "un-American" by default, a policy which I believe they eventually admitted in public.

USG spokespersons, including Litt, claim that "privacy is respected" and "civil liberties are protected", but Wyden and Lieu say quite the opposite is true:

http://thehill.com/policy/national-security/274773-spy-office-denies-al…
Spy office denies allegations that NSA data will be used for policing
Julian Hattem
31 Mar 2016

> A top lawyer for the nation’s intelligence agencies is pushing back on mounting criticism about new plans to widely share intercepted data throughout the federal government. Robert Litt, the general counsel for the Office of the Director of National Intelligence, confirmed that the change in policy is “in the final stages of development and approval,” in a post on national security legal blog Just Security on Wednesday. But Litt denied allegations that the change would allow the FBI and other agencies to use the sensitive data for domestic law enforcement matters, which members of Congress had speculated could be unconstitutional.
> ...
> Earlier this month, a bipartisan pair of House lawmakers warned that the potentially “unconstitutional” and “dangerous” move might allow law enforcement agencies like the FBI to use the NSA’s data — which is collected in the course of its foreign intelligence work — for policing matters within the U.S. “NSA’s mission has never been, and should never be, domestic policing or domestic spying,” Reps. Blake Farenthold (R-Texas) and Ted Lieu (D-Calif.) wrote.

This new controversy may explain the sudden resignation of the head of the PCLOB (Privacy and Civil Liberties Oversight Board):

https://www.truthdig.com/eartotheground/item/david_medine_leading_us_pr…
David Medine, Leading U.S. Privacy Watchdog, Resigns Unexpectedly
31 Mar 2016

> After years of service, David Medine is resigning as chairman of the Privacy and Civil Liberties Oversight Board (PCLOB). The board was established after the 9/11 attacks to bolster counterterrorism efforts in the United States and protect Americans’ privacy rights in the face of expanding surveillance.

It would be impossible to overstress the fact that the threat faced by The People in CWII can be characterized in decreasing order of importance as:

* political
* legal
* technical

Anonymous

April 01, 2016

Permalink

When not visiting a specific site, but browsing and opening multiple tabs from a search result or a news collector site, I often just close the tabs with Cloudflare. I wonder if they have any statistics about users like me, who "see a captcha and leave".

Anonymous

April 01, 2016

Permalink

One thing cloudflare could do is provide an onion proxy service with javascript disabled like how startpage does it so we can at least view the sites. I would be happy with the freedom to read.

Since disabling JS increases risk I like many others just close the tab when a CF site comes up.

As always peace love and respect to the tor team and everyone fighting the good fight.

Nice idea!

Enabling JS for cloudflare also allows JS for the site you will visit after solving the captcha. This renders noscript ineffective for those sites. That's a bad thing.

Just close the tab when you are asked for captchas. The site is not part of the internet then.

Actually, disabling JS doesn't really protect the site at all, and if anything the site will want it enabled for user experience reasons. As such, the decision to disable JS should be left to the user.

You might be confusing JS with something else startpage does which is blocking POST requests. By definition (according to the HTTP RFC) a GET request must not alter the site in any persistent way, and thus they are mostly harmless, save application-level DDoS attacks and certain web application exploits. This is a valid, albeit read-only, means of thwarting spam, and would certainly be one step closer to equality for Tor users.

Anonymous

April 01, 2016

Permalink

Here is one of the 94% evil content scrapers - not.

I visit a web site that has about 50 new pages every day.
They have about 15 images on each page. These images are hosted on another domain that uses Cloudflare.

For a Tor user all these pages are displayed without images, because Cloudflare serves a captcha page for each image and the browser silently drops those as invalid images.

So skimming through the new pages my browser tries to load around 750 images, which cannot be displayed. And Cloudflare pats itself on the shoulder and says it has stopped an evil scraper from taking that content. Their evidence - not one captcha has been solved for all these requests!

This is not an isolated case. I have seen other sites hosting their images on a separate domain managed by Cloudflare. Must add up to millions of "attacks" by Tor users each day that Cloudflare fends off ;D

More problematic are JavaScript libraries. Some of the CDN domains that serve JS libraries apparently block/captcha Tor, which breaks many websites.

Anonymous

April 01, 2016

Permalink

I will never stop using Tor for any reason. I circumvent things like cloudflare by using proxies additional to Tor. Pages are loading fast enough despite it. Pages that don't work this way are abandoned. So cloudflare may as well keep their services for themselves. They couldn't stop me so far. Those captchas are useless, I am not wasting time like that.

But it is not a real solution. To dispose of cloudflare would be far better.

> I will never stop using Tor for any reason.

You won't have the choice if TP does not relocate and if encryption becomes illegal in the US, because Tor Project would then become an illegal organization.

The Burr-Feinstein anti-encryption bill soon to be introduced in the US Senate (the draft text was just leaked to The Hill and is available at cryptome.org) would appear to make Tor illegal in any US jurisdiction. Also, serving Tor from any US jurisdiction to anyone in any other jurisdiction.

Tor Project must as a matter of urgency prepare contingency plans to relocate all crucial people, headquarters, and NRO registration to another country. Considering the response of the Icelandic people to the revelations from The Panama Papers, Iceland might be one possibility. Norway might be another. Sweden and Germany might also be worth looking into.

Anonymous

April 01, 2016

Permalink

I'm glad you're addressing this at last.

But I've noticed two things in my own experience. Cloudflare makes the web less interesting in Tor. YouTube not working properly in Tor makes the web less interesting. As I'm not willing to give in and use my other browsers, or at least not too much, I find I'm being conditioned into thinking maybe I'll just get rid of the internet and not make it such a big part of my life. I like to see the positive. Slow Tor, no Cloudflare sites, YouTube trashed, my custom is being lost not to some deanonymising browser but rather to books and thinking about other things to do with my time. The slow death of a free internet is closer than I ever thought possible.

I like the spin you put on it. "Books and thinking about other things to do with my time" seems a clear victory.

Cheers :-)

(Not to spoil your new found meaning outside of the internet but things like youtube work absolutely fine over Tor. Maybe you just need to change some habits? See for example youtube-dl.)

What do you mean by youtube not working properly? I am a new tor user here, I install html5 everywhere and everything works fine even if javascript is forbidden.

Anonymous

April 01, 2016

Permalink

There can be no doubt that Cloudflare is doing this out of the goodness of their hearts, and that their vagueness is just a silly mistake.
Right, guys?

guys?

Anonymous

April 01, 2016

Permalink

The cloudflare blog post contains this statement:

> "Unfortunately, to solve that, we'd need to track Tor users across sites which would sacrifice Tor’s anonymity so we’ve deemed it unacceptable."

...which makes it sound like they could track Tor users across the web if they wanted to.

Is there anything in this?

(If they can track Tor users across sites and could reduce CAPTCHAs by doing so, then they should go ahead and do it; not doing so would only give a false sense of anonymity)

Anonymous

April 01, 2016

Permalink

Perhaps part of the problem is also that the binary distinction between malicious and non-malicious is too simplistic.

Some kinds of abuse aren't really feasible with Tor, e.g. DDOS. Other kinds are feasible with Tor, but are only a concern for some sites, e.g. scraping. In cases like comment spam, completely blocking access to the site before the user enters a CAPTCHA is overkill.

Systems would do well to distinguish between different kinds of malicious behavior and allow sites to take countermeasures only in those cases they are concerned about.

Anonymous

April 01, 2016

Permalink

CloudFlare needs to let website owners choose whether to inconvenience Tor users or not. Just like they have other web application firewall settings (a myriad in fact), they should have a big switch somewhere to let Tor exit nodes access the site unhindered.

The use cases for Tor are broad and deep. Cutting it off universally is potentially exposing your clients to privacy-related lawsuits.
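Two suggestions in this thread, a read-only mode that lets only safe HTTP methods through from Tor exits (the POST-blocking approach a commenter above attributes to startpage) and a per-site switch to let exits through unhindered, can be sketched as one policy function. This is an added example, not code from the Tor Project, Cloudflare or any commenter; the exit list, hostnames and policy table are constructed sample data.

```python
"""Added example (not from the blog or its commenters): a per-site
Tor exit policy combining a read-only mode with an "allow" switch.
Exit prefixes are constructed from RFC 5737 documentation ranges; a
real deployment would load Tor's published exit list instead."""
from ipaddress import ip_address, ip_network

# RFC 7231 section 4.2.1 safe methods: they are not meant to change
# server state, so serving them does not enable spam or defacement.
# TRACE is safe by the RFC but usually disabled, so it is left out.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Constructed sample of exit address ranges (not real exits).
TOR_EXITS = (ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32"))

# The "big switch" per site:
#   allow      - Tor exits are served like everyone else
#   read-only  - safe methods served, state-changing ones challenged
#   challenge  - every request from an exit goes to the CAPTCHA page
SITE_POLICY = {
    "docs.example": "allow",
    "forum.example": "read-only",
    "shop.example": "challenge",
}
DEFAULT_POLICY = "challenge"  # unknown hosts fall back to the strict setting


def is_tor_exit(client_ip: str) -> bool:
    """True when the client address lies in a known exit range."""
    addr = ip_address(client_ip)
    return any(addr in net for net in TOR_EXITS)


def decide(host: str, method: str, client_ip: str) -> str:
    """Return 'serve' or 'challenge' for one request.

    Non-Tor clients are not this function's concern and are served;
    Tor exits get the site owner's chosen policy. Image and script
    fetches are GETs, so in read-only mode the broken-image problem
    described earlier in the thread does not arise.
    """
    if not is_tor_exit(client_ip):
        return "serve"
    policy = SITE_POLICY.get(host.lower(), DEFAULT_POLICY)
    if policy == "allow":
        return "serve"
    if policy == "read-only" and method.upper() in SAFE_METHODS:
        return "serve"
    return "challenge"
```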

Anonymous

April 01, 2016

Permalink

One thing that I absolutely detest, and that spurred rabid killing impulses when I read it in Cloudflare's post (which, incidentally, I had to read on web.archive.org, because, of course, it's behind the CF firewall), one thing I detest I was saying, is people to casually equate "automatic" requests or traffic (quaintly referred to as "bot" activity) with "maliciousness" (whatever that means) or "illegitimacy".

Since fucking when does HTTP _require_ a human to be sitting behind the monitor for it to work??? How in hell is my cronjob for retrieving a page, or making a post, or firing an xmlrpc call illegitimate??? In which goddamn way are the automatic fetches of my newsreader suddenly "malicious"???

Turing tests like captchas have zero (ZERO, YOU HEAR ME?!) relationship with determining the "legitimacy" (whatever that even means?) of some protocol exchange.

Your type of traffic represents less than .00001% of legitimate webtraffic and 59% of all malicious webtraffic and bot stealing data traffic. No one gives a shit if they block you, well no one except you.

> one thing I detest I was saying, is people to casually equate "automatic" requests or traffic (quaintly referred to as "bot" activity) with "maliciousness" (whatever that means) or "illegitimacy".

Yes, for example, even some USG agencies would most likely disagree with CloudFlare's unstated premise, because they want to automatically scrape web forums and such, without paying a human analyst to do it manually, because not infrequently their intention is to only look at the scraped data after the fact, if "something happens".

But taking a wider view, unexamined false assumptions such as the one you describe permeate the algorithmic prediction software used by USG (and other governments) to make the majority of decisions in how to treat individual citizens: who to hire, fire, counsel, sponsor, investigate, audit, watchlist, charge, parole. Likewise by banks which want to decide whom to loan money to, landlords who wish to decide who to rent to, employers who want to decide whom to hire, etc. The CN and US governments are leading the charge in replacing human bureaucrats with computer algorithms. This may downsize their social service and law enforcement employees, but it is very likely to ultimately prove enormously costly in terms of human suffering. Who can defend himself against a judgment made in secret by proprietary software hidden behind an NDA? Whom can muckraking journalists name and shame when all the most horrific bad governmental decisions are made by a computer? What defense lawyer can cross-examine a neural net? How many public defenders even understand enough about probability theory and computer science to even try?

I concur, but the point we tend to forget is that the web is not ours. It's built from millions of sites that are their respective owners' property, just like an apartment or a shop. And they decide who can visit and who can't, that's entirely legitimate. The fact that many people in the old internet were used to knowing that they can practically do anything in a website does not mean that's a legal or god given right, unfortunately. The bastards changed the rules, and they are fully entitled to do so. They can shut down their sites, they can password protect them, they can require ID or phone verification, they can do whatever they like because that's their private property you are trying to access.

Not to forget that they are the ones leveling automatic weapons against humans ... servers eating up our valuable time by DDOSing us human readers with CAPTCHAs ... how ironic.

Malicious users, possibly backed by a competing business, might have the money to distribute their "attacks" and evade detection.

People trying to just collect statistics or do something cool with a website's data for fun might not necessarily have the money to evade detection and are prevented from doing so. Imagine all the cool things we haven't seen because CloudFlare prevented it.

Anonymous

April 01, 2016

Permalink

Cloudflare reminds me of Antabuse for alcoholics. Breaking internet addiction site by site. Cloudflare must be the NSA's wet dream, I bet they wish they'd thought of such a simple solution. Hang on....