[private] Re: [tor-talk] http://jacobappelbaum.net/

[Steve Kinney]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 06/06/2016 02:47 PM, juan wrote:
> On Mon, 6 Jun 2016 18:23:17 +0000 (UTC) jim bell
> <jdb10987@yahoo.com> wrote:
> 
> 
>> 
>> Apparently there are a number of easy-to-describe improvements
>> which could be made to the TOR protocol, such as increasing the
>> number of hops, generating fake extra traffic, etc, which would
>> improve it greatly.  TOR is a net positive,
> 
> Or let's try this :
> 
> Tor is a crass example of controlled opposition. No doubt 
> controlled opposition is a net positive...for the establishment.
> And so it must be a net negative for the opposition.

Since nobody asked, here's a description of why neither TOR nor any
other existing or presently planned anonymizing protocol I know of can
be relied on to conceal a user's identity from the Five Eyes or any of
several other hostile actors.  I surface this concept every year or
so, but so far nobody seems interested in discussing it.  Maybe it's
just too discouraging to think about.  No matter who created it or
why, TOR and similar mix networks are at best security theater,
relative to top tier State adversaries.

Quoting myself from an earlier post:

Anonymized routing protocols are designed to defeat passive
observation and limited traffic manipulation by hostile actors.  But
what if an effectively unlimited number of compromised routers,
subject to realtime observation and internal manipulation, were
available to hostile actors?  Game over, I think.

About 15 years ago I used online traceroute utilities and whois
lookups to determine (roughly) where all the high performing Mixmaster
remailers were physically located.  Over half of them, including most
with "exotic sounding" TLDs, were apparently in the state of Texas.

Then I used my data to construct "hard to compromise" chains, routing
Mixmaster messages through national jurisdictions not likely to have
comprehensive data sharing between their security services, and
started sending test messages.  None of these test messages ever made
it back to me.

So I concluded that, despite its major technical superiority to other
anonymized networking protocols, the Mixmaster network was most likely
compromised by passive observation (one owner for a majority of
reliable remailers) and active intervention (traffic between
uncontrolled remailers interrupted in transit).

Owning enough of the routers in an anonymizing network to negate its
security is largely a question of money:  How much budget to you have,
how certain do you want to be that nobody is really anonymous?

If I had to neutralize an anonymous routing network, my approach would
be to set up a cloud server running thousands of instances of the
router software in question, customized to facilitate monitoring by a
hypervisor.  Each of these routers would be connected via VPN to a
unique remote host, which would function as a transparent proxy.  The
proxy hosts could be machines owned by "friendly" actors, rooted
consumer grade routers, purpose built appliances, conventional Windows
botnets or some combination of these.

I have not seen this method of attack described and named; I call it a
"hydra" attack, because one body, many heads.  I think this mode of
attack deserves competent attention (i.e., not by me) because realtime
observation and manipulation of any desired quantity of routers would
provide solutions to any distributed anonymous routing protocol.

The only defense I can think of is to assure that message traffic
passes back and forth between mutually hostile national jurisdictions
before delivery.  This would be a bit of a hairball to implement, lots
of slippery variables and potential counter-actions by hostiles would
have to be taken into account.  But this approach could increase the
cost and reduce the reliability of Hydra attacks against anonymizing
protocols.  Somewhat.  Probably not enough for "life safety" application
s.

Long story short:  If you want to be /really/ anonymous in the
presence of hostile State sponsored actors, do not rely on a
software-only approach:  Use physical security measures to conceal
your identity from the physical router that connects you to the
Internet, because most or all of the anonymizing routers your traffic
passes through may be owned and controlled by the very people you are
hiding from.

:o/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJXVhSNAAoJEECU6c5Xzmuqc4UH/A0eQjkZgAu7vwyiPZrMzBEC
H94bqFcewk38iok92fMjHpb5YLg6eYlBr4lShTZsDM2JX+MU9ds5rzpWgs0grkmF
P1fikgA5ETRx1WSi87yNbuhSu3mdSJwMnGrpk+b2NeagsHrlIgO4WrMXDWGPb03J
4efRo54mntY+pSIflfw+AKkhR8UxHKVCKSsABnCrXC0OxbV3BgDWyUJ1tunm6Rdg
EvDsHLjJsMe0M0AzAw2mJwxX6aQ2dIMiHnCy8ZF3Gvn0ri8IliA/vFVjj/RkZMk0
MmUYcFRy3h0RbPBW2pGCLPiYtiIhvyW3XR1/Yzli5VlqkXpQbkvrel+XtNLj2Rc=
=1cfu
-----END PGP SIGNATURE-----