Tor Devs Say They've Learned Lessons From Carnegie Mellon Attack, But Worries Remain That They're Outgunned And Outmanned
from the trust-no-one dept
Early last year, Tor suffered a massive attack that compromised the anonymity of its users over a period of at least six months. Soon after, the FBI launched Operation Onymous, which dismantled yet another round of darknet markets and left Tor developers and supporters desperately wondering what went wrong. Last month, Tor then dropped a bit of a bombshell: it claimed the FBI paid researchers at Carnegie Mellon $1 million to conduct a Sybil attack on the network. Running from January to July of 2014, CERT used just $3,000 in hardware to flood the Tor network with additional new relays that then modified Tor protocol headers to do traffic confirmation attacks.
As it turns out, a new report from Kashmir Hill at Fusion notes that Tor developers had ample forewarning that something was going wrong. In fact, a Tor supporter sent a message to the Tor mailing list early in 2014 highlighting the odd behavior of these computers, but it was effectively brushed aside by Tor developers as nothing to worry about. That has of course raised concerns among the 2 million people that use Tor every day -- activists, human rights workers, journalists, and security-minded computer users among them. The revelation has obviously also devastated the reputation of Carnegie Mellon and the CERT Coordination Center.
Both the FBI and the university continue to deny the claims, for whatever that's worth:
“The allegation that we paid CMU $1 million is inaccurate,” said a FBI spokesperson.
Meaning, if you're familiar with semantic FBI parlance, that it probably paid a few specific researchers (not the University itself) $999,999.
Regardless, Hill's new report provides a lot more insight into the attack from Tor chief architect Nick Mathewson, who admits it wasn't the developers' finest hour, noting that he originally overlooked the threat because he believed it was too ham-fisted to actually be performed in the wild:
"I don’t think this is the best response we’ve ever done to an attack situation,” said Mathewson by phone... "It didn’t occur to me that they would run the attack in the wild on random users," said Mathewson. “The way the attack was structured, it was a bad attack for anyone to get away with it. Once detected, it was very easy to block. It didn’t seem to me like a deep threat."
Of course, the end result of this oversight was not only the arrests and darknet site closures from Operation Onymous, but Operation Shrouded Horizon -- which targeted the Darkode black marketplace. And the markets are still reeling. Though it's always hard to differentiate an exit scam (where the site just runs away with the money held in escrow) from security concerns, numerous markets (like Middle Earth Marketplace) recently went offline claiming they're trying to implement upgrades that will make their drug bazaars more secure.
But Mathewson is quick to make the obvious point that while these arrests primarily targeted child pornographers and drug dealers, the attacks targeted everybody. And the use of supposedly objective academics as attackers, the lack of warrants, and the lack of institutional oversight by Carnegie Mellon's Institutional Review Board set a disgusting precedent for the security community:
"There’s an argument that this attack hurts all of the bad users of Tor so it’s a good thing,” said Mathewson. “But this was not a targeted attack going after criminals. This was broad. They were injecting their signals into as much hidden services traffic as they could without determining whether it was legal or illegal."
"Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities,” wrote Dingledine in a Tor blog post, which also questioned whether Carnegie Mellon had gotten approval from an institutional review board, a process that exists to ensure that academics don’t harm human research subjects.
For what it's worth, Mathewson says the Tor team has made numerous code changes to better scan the Tor network for potential threats, and has spent the last year working on an as-yet unfinished revamp of the hidden services design. Tor is also working on what Mathewson calls a "new cryptographic trick" that will allow a hidden services directory to send Tor users to a hidden site -- without the directory knowing where it's sending them. The developers have also apparently learned a thing or two about trust, Mathewson stating they're no longer "extending security researchers the benefit of the doubt on anything." Good idea.
The central question of course is whether Tor has the manpower needed to keep such an integral technology operational and secure. Eighty percent of Tor's $2.5 million budget still comes from the government, so Tor is operating a crowdfunding campaign to expand the funding base for obvious reasons. But Tor only has 22 full- and part-time employees, and 10 volunteers and academics who consistently contribute code, which directly contributed to the attack not being taken seriously earlier. As such we're left wondering if Tor can be trusted moving forward and, if not, what comes next for the millions of users that depend on Tor for perfectly-legal anonymous communications?
Filed Under: anonymity, attacks, fbi, hack, surveillance, tor
Companies: carnegie mellon, tor
Reader Comments
“The allegation that we paid CMU $1 million is inaccurate”
[ link to this | view in thread ]
Nothing new here...
This is the same as the war on terror.
When terrorism strikes the Government (Which has become the bigger terrorist now) likes to indiscriminately attack random citizens in the wild as a response as well.
[ link to this | view in thread ]
It's like they were going house to house kicking everybody's door down. Then they justified it by pointing out that they only arrested people when they found something they could prosecute.
"Oh! In that case, carry on!"
- Judge Fukemover
[ link to this | view in thread ]
My guess will be that DarkNet hosters will move to I2P or another DarkNet service like FreeNet. The main advantage of TOR is to be able to bypass censorship of regular internet sites using TOR as a proxy service, and the end node has always been a liability on the TOR network.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
This should be the end of CERT
But that time has long passed. CERT has now become the very enemy that it was supposed to defend against. It's time to shut it down and blacklist the assholes who work there.
[ link to this | view in thread ]
You-either-die-a-hero-or-you-live-long-enough-to-see-yourself-become-the-villain
[ link to this | view in thread ]
Re: This should be the end of CERT
I was about to say the same thing. CERT was founded after the Morris worm to deal with the problem of system administrators at various locations attempting to communicate at 3:00 am without being quite sure who was on the other end of the phone and what they could say to them. Everyone was supposed to be able to trust CERT.
Now, you would be a fool to trust anything coming from CERT or to tell them anything. If you are under attack, how do you know CERT is not the one doing the attacking and anything you tell them will be used against you?
[ link to this | view in thread ]
CMU has form on this sort of behavior
I get the distinct impression that CMU sometimes just doesn't have the morals or fortitude it takes to resist an opportunity to make some quick $$/PR off a hot-button social topic with a tech angle.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: This should be the end of CERT
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
Yeah, it's pretty much common sense when crossing zones that security is a major issue, so I've never really been concerned as the major factor driving adoption is to get out of X area. IE. Bangladesh now blocking Facebook.
While you mention javascript, et al, those are at least mitigated through the client, about:config to disable javascript altogether, or running unbound to block malicious sites and forwarders. I wish Tails would include a root resolver in their distro, as it's far safer.
Telemetry will always be a problem as the source gateway will always see traffic originating, so I'm at a loss but more entry points and randomly shifting entry gateways is probably the only way around it. The TOR project has already figured that out with the great firewall of China.
All in all, I'm happy with the TOR project and it's a great tool. If you're a dev, thanks for all the hard work.
[ link to this | view in thread ]
Re: CMU has form on this sort of behavior
[ link to this | view in thread ]
Exit nodes
Remember: https://www.techdirt.com/articles/20140701/18013327753/tor-nodes-declared-illegal-austria.shtml
It is not unreasonable that wholesale adoption of TOR would lead to more of this type of prosecution. When people become scared to operate exit nodes, then the whole system collapses.
[ link to this | view in thread ]
I wonder what they tell themselves all that money bought them, other than the right to claim that amount in next year's budget.
[ link to this | view in thread ]
Re: Re: Re:
After all, if everyone's dead, the crime rate drops to zero...
[ link to this | view in thread ]
Re: Exit nodes
[ link to this | view in thread ]
Re: Re: CMU has form on this sort of behavior
That is not what double blind means. Double blind means neither the subject nor the administrator knows whether the subject is in the experimental or control group.
[ link to this | view in thread ]
Re: Nothing new here...
[ link to this | view in thread ]