Pando

If you still trust Tor to keep you safe, you're out of your damn mind

By Paul Bradley Carr , written on December 26, 2014

From The News Desk

Earlier today, a group of hackers who had previously shut down Playstation Network and Xbox Live turned their sights on a bigger target: the Tor network.

That news isn't, of itself, surprising. Hackers gon' hack, right? But what is truly shocking -- and what has to shoot a spike of fear through of any tinker, gamer, solider or spy who relies on Tor to hide his online activity -- is that the hackers actually stand a fighting chance of compromising the network.

Reports Gizmodo:

The hacker group appears to be attempting to dominate Tor's relays to the point where it can comprise anonymity. Tor keeps you anonymous by bouncing your communications around a network of volunteer nodes. But if one group is controlling the majority of the nodes, it could be able to eavesdrop on a substantial number of vulnerable users. Which means Lizard Squad could gain the power to track Tor users if it infiltrates enough of the network.

So far, they have already established over 3000 relays, nearly half of the total number. That's very not good. Adds the Washington Post:

 Earlier this year, the Tor Project reported that an unknown attacker had used malicious relays to potentially capture data using far fewer nodes.
If you've been following Tor long enough -- which in my case means just a few months -- you'll have noticed phrases like "very not good" cropping up with increasing regularity. The fact that a group of hacker kidz, likely hacking Playstation and Xbox for the lulz, can pose a serious threat to the anonymity of Tor is very not good. Likewise last week, when Tor's founder admitted that government agents would only need to seize five Tor directory authority servers to completely hickack the network, he described that possibility as "really bad."
“If [attackers] can extract five unexpired signing keys, then they can make up their own consensus and point people to their own relays. That would indeed be really bad.”
Also "bad," from Tor's point of view are the increasingly regular media reports of authorities unmasking Tor users who operate illegal services, and the growing paranoia of Tor exit node hosts that at any moment the cops are going to come crashing through the door and shut them down.

Just a few months back, the story was very different. No lesser authority than Edward Snowden (who ran a major Tor exit relay in Hawaii, while working as an NSA contractor) was promoting Tor as a super-secure way for whistleblowers to trade secrets without ending up in jail. Journalist Glenn Greenwald, acting in his capacity as Snowden's Boswell, told the world that, despite the NSA's best efforts, Tor remained secure. Greenwald's colleagues at the Intercept agreed, with Micah Lee assuring whistleblowers that Tor was the browser they should use to stay safe. Julian Assange is also apparently a fan, despite a Wikileaks volunteer once boasting of intercepting Chinese Tor traffic to siphon off secrets.

Those secrecy advocates seemed to have plenty of supporting evidence on their side: Snowden's own leaks showed the NSA having tried and failed to unencrypt Tor traffic, having only secured "access to very few nodes."

But that was then and this was now. Whereas once the mighty NSA was unable to seize enough Tor exit nodes to de-anonymize its users, now a group of Playstation hackers has shown how easy it is to simply create a vast number of new nodes. (This time the hackers were very public with their attack, allowing Tor to take precautions -- the next group might not be so helpful.)

Not that law enforcement needs to go to that much effort: We now know that a far easier approach is for authorities to hijack Tor traffic by seizing a small number of directory authority servers. As Yasha Levine wrote last week, Tor's developers chose to hardcode details of those servers into the Tor browser -- seizing the servers would potentially expose every single user of the network until they download an updated version of the Tor software. (Imagine the logistics of a product recall that requires contacting most of the world's dissidents and you'll understand how hard that vulnerability is for Tor to fix.)

And, where once Tor's developers were bullish about the security of their network, now they're far more circumspect. When Tor creator Roger Dingledine reported the apparent threat from law enforcement to seize Tor directories, he admitted that the only thing stopping them would be bad publicity, and maybe a lawsuit from the Electronic Frontier Foundation (because fear of bad publicity has always stopped the NSA in the past.)

...it would be super highly illegal and places like EFF would be happy to mess them up for it...
Likewise, when Thomas White, host of "a large exit node cluster" noticed suspicious activity on his server it took him more than 24 hours to determine that the feds probably weren't involved. Initially he wrote "I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers." Translation: I have no idea if Tor is under attack or not.

In hindsight, perhaps there were clues that Tor wasn't entirely confident in its own technology. When Yasha first wrote about the project's ties with the US government, the reaction from Tor developers shocked me. Rather than calmly reassuring users that no amount of government funding could compromise Tor's highly secure network, Tor's advocates went on the attack. I watched in amazement as some of the project's leading figures accused Yasha of being a CIA stooge, planted stories in newspapers accusing him of a harassment campaign against female Tor developers and even tried to smear other Pando writers as child rapists. The smears became so violent that Tor's executive director, Andrew Lewman, had to reassure me personally that his organization did not condone attacks on journalists for doing their job.

At the time it made no sense to either me or Yasha that the people who knew Tor best would choose to smear the messenger simply for pointing out that the project's leaders are cozy with the government. Did The Onion Router really have such a thin skin? Or was there some other reason why Tor's leaders had to do everything they could to ward off media scrutiny?

We invited several Tor advocates to explain why Tor's government funding wasn't a big deal but only one, Quinn Norton, agreed to do so. In an intelligent, measured guest post here on Pando, Norton agreed that it's important to ask questions about Tor but insisted that Tor's encryption remained secure, as it was based on maths not politics.

And that's certainly true, assuming the only concern is that law enforcement (or hackers) might be trying to crack Tor's underlying encryption technologies. Unfortunately, as recent threats against Tor make clear, the maths required to destroy Tor's ability to keep information secret is far simpler. There are nine directory authorities which direct all of Tor's traffic. Hijacking more than half of those would allow a government agency to redirect all of Tor's traffic anywhere it likes. Nine plus one, divided by two equals Tor is completely screwed.

There remain a lot of unanswered questions about Tor -- questions we're going to keep asking in 2015. For example, is the vulnerability of Tor just the result of a bunch of smart people making stupid decisions? Did it really not occur to them that having such a small number of directory authorities in such a small number of countries (all friendly to the US) might make it really easy for the government to hijack Tor? Did the leaked NSA documents lull them into a false sense of security that no one could take over enough exit nodes to undermine the network, leaving the way clear for today's hackers?

Or is something more sinister at play here? In 2005, Tor boasted on its website that (emphasis theirs):

 "We are now actively looking for new contracts and funding. Sponsors of Tor get personal attention, better support, publicity (if they want it), and get to influence the direction of our research and development!"
Even if, despite that promise, Tor wasn't directly influenced by its US government and military sponsors when constructing its network in a way that left it vulnerable to law enforcement, is it at least possible that they avoided making changes that might upset those sponsors? After all, as Yasha points out, leaked NSA documents show that the government had identified directory authorities as a good way to target Tor as far back as 2006. Perhaps Tor's developers thought that by sticking close to the US government they would be safe from that kind of attack?

Unfortunately, when we ask Tor's leading advocates for answers to those questions the result is more smears, more innuendo, more obfuscation. After distancing his organization from the attacks on Pando, Tor's Andrew Lewman promised to be responsive to our inquiries in future -- but when both Yasha and I contracted to ask him for more information about a recent attack, he didn't reply. It seems increasingly likely that even Tor's leaders don't really know how secure their network is.

Here's what I know for sure: Tor promotes itself as a way for dissidents and whistleblowers to keep safe from hostile governments. As a result, thousands of users around the world rely on the network's integrity to keep men with guns from their door.

Tor's developers are asking those users to continue trusting their lives to a network that we now understand can easily be compromised by a small group of hackers or a handful of G-men with a warrant. Moreover, no one in the Tor community seems to fully understand where the network's vulnerabilities lay, nor do they have any concrete plan for fixing them.

For all those reasons, as it currently stands, I would hesitate before trusting the security of Tor to organize a surprise party, let alone anything more important. It staggers belief that any intelligent person would continue to trust it with his or her life.