Attackers have breached Tor's system to reveal the identities of its users
Tor, a network used by people to cloak their identities and Internet activities, published a blog post today stating that attackers had breached its system in an apparent attempt to de-anonymize users. The breach occurred between January 30 of this year and July 4, and Tor advises that anybody who used its "hidden services" during that time may have been "affected" -- though it's unsure exactly what "affected" means.
It's unlikely, a Tor blogger writes, that the attackers were able to view what pages the users visited or whether they even followed through on visiting the page they looked up. However, the service recommends that any user operating or accessing the network's hidden services should upgrade to the most recent Tor release immediately.
So who was behind the attack? Tor isn't sure but it suspects a group of Carnegie Mellon researchers who were scheduled to present research at next month's Black Hat conference that would purportedly reveal how to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months.” Well the shoe certainly fits. That talk has since been canceled by Carnegie Mellon's lawyers because one of the researchers allegedly did not have permission from the university to present the findings. Meanwhile, Tor and the Department of Homeland Security both denied having anything to do with the talk being pulled.
As Yasha Levine has written extensively for Pando, Tor has a fairly shady history:
Tor was developed, built and financed by the US military-surveillance complex. Tor’s original — and current — purpose is to cloak the online identity of government agents and informants while they are in the field...So why would the government allow everyday users on the network? Roger Dingledine, co-founder of the Tor Network, explains:
The United States government can’t simply run an anonymity system for everybody and then use it themselves only. Because then every time a connection came from it people would say, “Oh, it’s another CIA agent.” If those are the only people using the network.Meanwhile, the NSA has reportedly targeted users of the network, creating a Catch-22 for anyone hoping to hide her identity using the service. And now that it's proven certain components of the network can be cracked, users of the site should be that much more cautious.
It bears noting that Tor received $1.8 million from the US government last year to beef up its security, so perhaps attacks like this will be prevented in the future. But between the network's close ties with the military-industrial complex, the fact that using it can make you a target of the NSA, and now the revelation that researchers found ways to de-anonymize users, Internet-goers looking to hide their digital tracks may not want to get too comfortable on Tor.
[illustration by Brad Jonas]