On the recent Black Hat 2014 Talk Cancellation

by phobos | July 21, 2014

As posted by Roger on the Tor-Talk mailing list:

Hi folks,

Journalists are asking us about the Black Hat talk on attacking Tor that got cancelled. We're still working with CERT to do a coordinated disclosure of the details (hopefully this week), but I figured I should share a few details with you earlier than that.

1) We did not ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.

2) In response to our questions, we were informally shown some materials. We never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat Webpage.

3) We encourage research on the Tor network along with responsible disclosure of all new and interesting attacks. Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with.

[Edit 30 July 2014: here is the security advisory we posted.]

Comments

Please note that the comment area below has been archived.

Or maybe because SOMEONE who earns big money from the government for his work at the Tor project used his connections doesn't want the public disclosure, and want to keep secret about this generical bug

July 28, 2014

In reply to arma

Permalink

Conspiracy or not, time will tell...

I'm just wondering about the fact that 'coincidentally' your colleagues* disallowed the publication. I never claimed it was you personally who intervened. But there are a bit to many coincidences in this whole story in my humble opinion.

I call the CMU lawyers "your colleagues" because 'coincidentally' the CMU is sponsored by the Department of Homeland Security, which is -oh wonder- a part of the government that remunerates you and your Tor Project not quite bad.

July 22, 2014

Permalink

Hi, looking forward to hear about the paper.
Before you stopped Vidalia I used to have 2 browsers, he TBB without modifying it, and another one which I edited the proxy settings so it uses the normal connection. So I called this the secure browser, it worked great and it felt safe. Until you replaced TBB with TorBrowser and I no longer have the secure browser because each time I edited the proxy settings like above it stopped working completely. My question is where can I find the torBROWSER standalone? without the proxy settings? If it doesn't exist may I request you make it happen please? it would mean alot to me and to everyone else, since we'd have the opportunity to use a secure browser with settings we trust.

July 22, 2014

Permalink

Could you please clarify your blog post?

"..we were informally shown some materials" seems to directly contradict "...beyond what was available on the Black Hat Webpage."

Regardless of what happened here, this generally laudable attempt at transparency is not helped by overly dense and unclear writing.

Trust me, they knew before these researchers did.

That would also explain the deanonymization techniques they allude to in their "Tor Stinks" presentation - they've been able to deanonymize a particular target who's actively using the network.

July 22, 2014

Permalink

Looks like someone bought this Tor deanonymization technique. Otherwise there would be no reason for not giving the Tor team full disclosure.

July 23, 2014

In reply to arma

Permalink

"I think I have a handle on what they did"
Or maybe your assumption is wrong?

I don't think this technique is so complex that they can left out the magic ingredient without voiding the whole talk.

July 23, 2014

In reply to arma

Permalink

Cool heads and tireless work on behalf of the community as always. A big thank you to arma et al.!

July 28, 2014

In reply to arma

Permalink

I don't like their wordering there. It makes it sound so much more dramatic and accusational. But then again, "Bug found in Tor, developers going to fix it" doesn't sound as dramatic.

July 23, 2014

Permalink

TOR uses a number of servers. Why not go gown to MESH (as defined by how to run a mobile-phone newtwork without towers) i.e. every member is a TINY server. Not enough to noticeably but to increase paths by orders of magnitudes. If the system deals with out of order packets - make sure some ARE.

Pity PGP is too slow (ATM) so data is different every time and harder to follow...

July 23, 2014

Permalink

I'm curious about the real-life implications of this, speculation aside. What do you recommend those of us who may have been targeted by either the BlackHat researchers or governments do now? Shut down my hidden service and talk to a lawyer or sit tight and do damage assessment? Basically, how likely is it that I'm screwed?

July 23, 2014

Permalink

Maybe they collaborated with law enforcement to use their experiments to catch drug dealers and stuff, and they aren't allowed to talk about it yet because the investigation is still happening.

I doubt it. They were able to tell enough to Tor devs which they would not be allowed to do if they collaborated with law enforcement. Also that doesn't seem like them, it's out of character for someone who's trying to break and tell the devs how to fix tor to also tell law enforcement how. They could not do the vigilantee thing and only give over IP addresses of people they deem worthy of deanonymization because law enforcement could not legally do anything with that list of IPs unless they collected it themselves, which would require being told the bug.

July 24, 2014

Permalink

Now hotmail keeps bugging users to input a mobile number when using tor to sign in!
Irritating!
Yahoo also, but hotmail is worst.

Well since an ex NSA person got appointed what do you expect. They are such idiots they assume everyone in the world has a mobile phone. I do but screw giving them my number, better to dump the yahoo and hotmail accounts, groups, etc.

July 25, 2014

Permalink

I have never abused Tor or used it for anything illegal in my western country, but to put it into perspective, how worried should I be if I were a terrorist using Tor, plotting to kill 10,000 people?

No terrorist in history has ever managed to kill 10000 people. Hence you must either be an incompetent (and harmless) or a state actor (and then deanonymizing you does not help).

$111k

One could be tempted to say "Come on, that's not enough, it's only half of what arma gets annually from the government to hush up possible exploits like this..."

July 27, 2014

Permalink

I agree. Russia is surely behind this. They offered $ 111.000 for cracking Tor network.

Sorry, but this doesn't make any sense to me. Is the theory that the CERT researchers noticed the Russian announcement, so they got the CMU lawyers to cancel the talk so they could secretly sell the topic of their talk to the Russians instead?

Remember that CERT's primary funder is the US Department of Defense.

Also, why cancel it and draw all this attention to themselves?

Also also, the Russian thing apparently can only be bid on by qualified people inside the Russian defense department equivalent.

It's hot to write about Tor these days, but that doesn't mean that every thing people find to write about is related.

July 28, 2014

In reply to arma

Permalink

Sorry, but I can't leave that uncommented:

"Remember that CERT's primary funder is the US Department of Defense"

arma, Remember that YOUR (primary?) funder is the US Department of Defense as well.

Yes, and this is a great reason for you to conclude that we're probably not being instructed by our funders to secretly sell our results to the Russians. :)

July 27, 2014

Permalink

Arma,

Why is it that when I exclude the major western countries from being used to build circuits via "ExcludeNodes" and "StrictNodes" I am not able to access hidden services ?

Is this so that one cannot try to avoid NSA owned exit and entry nodes ?

Each hidden service picks a set of relays at random to perform various components of the hidden service rendezvous (in particular, hidden service directory points and introduction points). Most Tor relays are in these major western countries (heck, most of the Internet is too). So when you tell your Tor never to interact with any of those relays, but it needs to talk to one in order to do the hidden service rendezvous steps, it's stuck.

https://sedvblmbog.tudasnich.de/docs/hidden-services

As for NSA owned exit and entry nodes -- assuming they exist, how do you know what countries they're in? Seems like a tough gamble to win, especially when the cost is building circuits that look wildly different from the ones that normal Tor users build.

July 27, 2014

In reply to arma

Permalink

Thank you for your reply Arma.

So are you saying that regardless, the hidden service you are attempting to connect to controls the specifics of the circuit to be built without regard to ones local torcc config and that that will almost certainly include western countries owing to those being the most prevalent place to that tor nodes are located ?

I think no sensible argument can be made that USA based agencies like the NSA etc face certain inherent difficulties in establishing, administering and maintaining the integrity of tor exit and entry nodes in those countries that are not sympathetic to US plans to enslave their citizens in terms of many legal difficulties in doing so and so on.

Therefore, why not change the tor source to allow users to use torcc config entries to not use western countries and have the hidden services (and all tor nodes) respect that criteria when building a circuit ?

For otherwise why even offer the excludenodes switch anyway if it is of no consequence ?

The hidden service you're connecting to controls the specifics of the circuits it builds, including the introduction points it uses. Your client controls the specifics of the circuits on your side. During the hidden service rendezvous, you connect to relays that the hidden service has chosen, and ultimately the two circuits get glued together.

Really, you should go look at the URL I gave describing the protocol. Hidden services don't work the way you seem to think they do.

As for why excludenodes exists in the first place,
A) Hidden services are a tiny fraction of Tor use, and they haven't gotten much development attention, well, ever:
https://ocewjwkdco.tudasnich.de/blog/hidden-services-need-some-love
and B) You're right; that's why the FAQ entry recommends against using those torrc options for normal users:
https://sedvblmbog.tudasnich.de/docs/faq#ChooseEntryExit

July 28, 2014

In reply to arma

Permalink

Thank you Arma for your time to respond with further details, I shall look at the pages that you suggest to gain a better understanding.

July 27, 2014

Permalink

Hi, i has found the Tor bug, it is some kind of obscure bug, but there is: First, in your web server select with a click the IP of the tor exit node which is connected to your server,and press in your keyboard the keys: Up,Up,Down,Down,Left,Left,Right,Right,A,B and enter, this will show you the real IP of the client connected to your server.

July 28, 2014

Permalink

tor has its good points it stops people from being beaten unrecognisable. But the postings on here are from mentally defectives who have nothing of any interest to anybody they are transparent mentally defectives with their lizard people and flying saucers. Tor can stop somebody from being shot in the head or hacked to pieces with a machete. Or tortured and locked up in prison indefinitely in the U.S. without trial. It has its life-saving side but it's such a pity about these postings on here.

I'm not the OP, but I'd guess he's saying there's a healthy level of paranoia and then there's the clinical version, and that some of the posts here veer more towards the latter.

That said, I'm looking forward to more details on the bug and how soon it will be addressed!

July 29, 2014

Permalink

I'd like to try to interject some common sense into the discussion.

First, to quote from a marketing flier put out by one of our enemies (a zero-day vendor which sells to oppressive governments), the things people say when they think they are talking among their own kind offers the most reliable insight into their real capabilities and intentions. And the Tor-related documents from the Snowden trove which have been published so far are unequivocal. From the "Tor Stinks" presentation:

"We will never be able to de-anonymize all Tor users all the time. With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user in response to a TOPI request/on demand"

Note that this presentation was first presented in 2007 and then updated in 2012, so the quoted paragraph succinctly summarizes NSA's (lack of) capabilities over the period 2007-2012.

Someone wrote above "That would also explain the deanonymization techniques they allude to in their "Tor Stinks" presentation - they've been able to deanonymize a particular target who's actively using the network." This claim is directly contradicted by slide which I just quoted.

What NSA presenters actually said was that in a small number of cases, they were able some years ago to de-anonymize particular targets who were not using Tor properly (not using up to date Tor Browser bundle or Tails), or made "Epic Fail" errors such as logging into an unencrypted non-anonymous social media account while using Tor. The presenters specifically said that they CANNOT deanonymize a particular target (unless said target made some elementary error while using Tor).

"Looks like someone bought this Tor deanonymization technique. Otherwise there would be no reason for not giving the Tor team full disclosure."

The most likely reason for the sudden cancellation is that the "researchers" probably violated the US "Wiretap law", and Carnegie-Mellon lawyers stepped in to prevent them from publishing their alleged list of (some) Tor users's IP addresses. Another possible explanation is that the claims were so overblown that they amounted to a disinformation campaign.

I suggest that whenever Tor users read about some startling claim to "de-anonymize the Tor network", they should bear in mind these considerations:

1. Abstracts to "computer insecurity" talks generally overstate what was actually achieved and also the novelty of the reported research. The researchers are often competing against other talks held at the same time at the same conference, and they want a large audience with extensive media coverage, in order to keep their grant money coming in.

2. Researchers have claimed for years that "heavy" Tor users can be de-anonymized by governments, or even by individuals running a few fast Tor nodes.

3. Newly discovered de-anonymization methods are unlikely to be "universal" in scope. Almost always they are only effective under certain circumstances, such as Windows users, users whose Tor is mis-configured, or who have downloaded some insecure add-on for their Tor Browser, or who enable Javascript), or against a particular subset of Tor users, such as frequent users of particular hidden services.

4. National police services around the world (including USA and the Netherlands) have been complaining for years that they are losing the ability to wiretap persons they wish to spy on, and keep demanding increased authority to punt malware to all Tor users, in order to try to see what they are doing. Such heartfelt alarmism is fully consistent with the picture presented in the leaked NSA/GCHQ documents: our enemies are having great trouble deanonymizing Tor users.

5. Few if any nations have more draconian national cybersurveillance systems, anti-privacy and anti-dissenter laws than Russia. Yet the Russian government has been forced to ask for help from private sector experts (for which we should read: Russian cybercriminals) because, it seems, they too are having great trouble controlling the Tor using public inside their borders.

6. Experienced detectives are fond of saying "police work is 90% bluff", and the same goes for intelligence agencies. This claim also finds a great deal of support in published documents from the Snowden trove. For example, the recently published "Chinese Menu" of tools offered by JTRIG (a GCHQ cyberwar unit) includes about two dozen items which are intended for "information operations" characterized by disinformation, impersonation, and social media manipulation. To this one should add the well-oiled news media manipulation machinery which is often employed by the US/UK security services.

7. The single most important lesson from the most authoritative sources (such as the Snowden leaks, whistleblowers like William Binney, and historians like Matthew Aid and David Kahn) is that the War on US is an ongoing conflict. Sometimes one side gains a momentary advantage before the other pulls ahead again. In any arms race, it is good advice to avoid panic when the other side appears to have won a battle.

8. Never make the mistake of viewing the War on US only in terms of technological tools. Think strategically. Consider not only possible technical innovations (for good or evil), but economic and political aspects, and bear in mind lessons from history. When one studies the Snowden leaks and surveys the War in a broader context, there is much reason to think that the authoritarians are on the wrong side of history, that the reason they feel such desperation that they know they are losing. One reason for this is that the notions of the nation state and of the rule of law are rapidly becoming irrelevant. It is a strange irony that even while the security services rant against "anarchist elements", in fact it is the governments themselves which are increasingly abdicating the idea that governments should try to govern, in favor of the idea that governance is best left to multinational corporations like Comcast.

www.governingalgorithms.org
www.policyreview.info/articles/analysis/governance-algorithm

July 29, 2014

Permalink

"Therefore, why not change the tor source to allow users to use torcc config entries to not use western countries"

Currently, most Tor nodes are in Western countries, which is a problem but not easy to fix by purely technological means. The Tor Project is actively working on increasing the geopolitical variety of Tor nodes, and has made considerable progress in the past year, but there is still much to be done.

However, any TBB or Tails user can edit their torrc to exclude certain countries. But to repeat a commonly heard warning: modifying your torrc is likely to make you stand out from the general population of Tor users, so you should try to learn about the most important technical considerations before deciding what changes if any make sense for you.

In the War on US, the People suffer from an intrinsic disadvantage: computer security and anonymity tend to be, to some extent, conflicting goals. The most commonly cited example is the question: to enable Javascript, or to disable it? The former enhances security while harming anonymity; the latter enhances anonymity, all other things being equal, but greatly increases your attack surface. Indeed, several the recently claimed methods of de-anonymizing Tor users appear to be effective only if a TBB or Tails user has left Javascript enabled in their Tor browser.

However, our authoritarian enemies suffer from intrinsic problems of their own, and in my opinion their problems are more intractable and likely to in the end lead to their downfall.

July 29, 2014

Permalink

"Also, why cancel it and draw all this attention to themselves?"

Maybe their claims were mostly fake, and they never had any intention of giving a talk at all?

GCHQ and similar agencies often engage in disinformation campaigns.

Here is one journalist's attempt at a skeptical appreciation:

http://phys.org/news/2014-07-tor-cops.html
Can you really be identified on Tor or is that just what the cops want you to believe?
28 Jul 2014
Eerke Boiten

July 29, 2014

Permalink

"That said, I'm looking forward to more details on the bug and how soon it will be addressed!"

It seems that there are at least three recent claims to "de-anonymize Tor users" which are currently being discussed, all too often with a generous dollop of FUD:

1. The UK's National Crime Agency recently arrested 660 people ("Operation Notarise"), claiming to have used some undisclosed vulnerability. This claim is probably mostly disinformation, but may suggest some zero-day affecting hidden services. The Tor Project has warned for years that hidden services are less secure than simply web-browsing with TBB.

From

http://phys.org/news/2014-07-tor-cops.html
Can you really be identified on Tor or is that just what the cops want you to believe?

"[NCA] also said that it would not reveal how it identified the suspects so that it could use the same method to track them down in the future. There was a clear message sent out to wrongdoers in the official press release, though: "We want those offenders to know that the internet is not a safe anonymous space for accessing indecent images, that they leave a digital footprint, and that law enforcement will find it"."

This is an almost perfect echo of a recent comment from the Thai national police, "we wanted to show we can find you". Referring to a prominent blogger critical of the government who had been on the lam until his recent arrest.

I suspect that the real targets of the current intimidation campaign by US/UK "authorities" are political dissidents, not consumers of "indecent images". In every country, the latter pose no threat to the regime, but the former truly threaten the power and prerogatives of the ruling elite.

https://www.eff.org/deeplinks/2014/07/nsa-surveillance-chilling-effects

http://www.theguardian.com/commentisfree/2014/jul/22/muslims-sting-oper…

https://www.eff.org/deeplinks/2014/06/why-you-should-use-tor

2. Two researchers affiliated with Carnegie Mellon University in the USA (which has close ties to the USIC), Alexander Volynkin and Michael McCord, announced a talk to be given at the Black Hat conference (to be held this August in Las Vegas). The abstract claimed that they have used $3000 of kit to de-anonymize "thousands" of the millions of Tor users worldwide. The talk was suddenly pulled, allegedly by CMU lawyers, possibly because the researchers hinted they planned to publish the identities of real Tor users, which drew attention to the fact that (like much similar research) the researchers probably broke US law in collecting data in order to spy on real Tor users.

The researchers appeared to claim they have found a "fundamental flaw" in Tor's protocols, but this is similar to previous claims which turned out to be overstated or misleading. Without further details it is impossible to say anything with assurance, but I suspect that their method won't work unless users have enabled Javascript or use hidden services or do something the Tor Project advises against (such as install an extra add-on or try to use torrents over Tor).

My understanding is that the Tor Project team took an educated guess and fixed what they presume is the flaw used by the CMU researchers in TBB 2.6.3, the current version.

Please correct me if I am wrong about that!

3. The "offensive security" company Exodus Intelligence, LLC (Austin, TX) announced they have found a flaw in i2p, a software package for anonymous file sharing which is included in Tails. This has NOT been fixed in Tails 1.1, the current version, but the Tails team posted advice for a temporary workaround on their website.

On their blog, Exodus wrote:

"We publicized the fact that we’ve discovered these issues for a very simple reason: no user should put full trust into any particular security solution."

Well, obviously. Pretty much the same warning has been made, repeatedly, by Tails and Tor people, by Edward Snowden, and other observers. That said, we know from the Snowden leaks that Tor remains "the king of advanced privacy systems", so the sensible view is that political dissidents should continue using the most up-to-date versions of Tor and Tails, with due caution and perhaps a certain fatalism.

"By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible. Even when the issues we’ve found are fixed by the Tails team, the community should keep in mind that there are most certainly other flaws still present and likely known to others."

Indeed, Exodus sells zero-days in a variety of popular software systems to its customers, which presumably include multinational corporations who wish to spy on union organizers as well as governments which consider themselves at war with their own citizens (and maybe, those same multinational corporations, whose power is increasingly eclipsing the role and relevance of governments everywhere). So this is a rather pointed intimidation aimed at "the Tails user base", presumably including such people as activists in Belarus, whose effective use of Tails was recently described in a published research paper.

However, Exodus is not really saying anything the userbase does not already know. Every government with a large budget is actively targeting its political dissidents with cyberespionage and cyberwar techniques, in addition to more traditional methods of authoritarian control, such as undercover informants, mass arrests, and in many cases, torture and long prison terms.

What to do? Giving up is not the answer. The answer is to redouble our determination to fight even harder and to resolutely oppose the forces of totalitarianism wherever they may be found.

August 19, 2014

Permalink

I have been seeing bug after bug. First heartbleed in SSL. Then the JavaScript Malware in TBB, and now this.

It is very ironic the fact that the Tor Project works funded by the first and most powerful global adversary in the world. Getting secure communication is something that we all should have.

Tor aims to be easy to use, however encryption is never user friendly. You can use Tor but you have to be very careful using it because "everybody is watching you, even more". This is how we live in fear, not fear of doing something wrong, fear of being watched by somebody. This is not paranoia, is reality, our sad reality.

Our utopia is a world were encryption can be easy, all the users may access to it, and even the most unskilled user without extra effort. It does not mean knowing the command line, or using Linux, it has to be for everyone.

This new vulnerability is no more than a zero-day bug used for a long time. Currently Tor is absolutely insecure, even more because you are being targeted just by using it.

I have used Tor for many years, and now I must say that this will be the last time that I will use Tor at and I will take my exit node with me. Is very hard for me to trust and contribute to something that can be defective by having a major flaw that can cripple the foundations of the main objective of Tor, unless is proven otherwise.

As far as I am concerned, the ethical and responsible thing to do is to have a Warning that should be posted in the Main Project page,TAILS, the Tor Check page and everywhere to warn users to STOP USING TOR in red bold letters, until the issue is resolved.

I had to read it in the newspaper to know about this problem. Now you know how disappointed I am.

If by any chance you have a hidden server, shut it down, I does not matter if it is a simple blog, the reality is that if you are hosting something in Tor you are not helping your visitors at all.

Good Luck and Godspeed Everyone!

August 19, 2014

Permalink

Wow, if NSA does it, it is okay. If a researcher team do it is illegal. The laws in the US are so fair for everyone.