The Onion Router is being cut up and making security pros cry

IBM is warning corporates to start blocking TOR services from their networks, citing rising use of the encrypted network to deliver payloads like ransomware. The advice comes in the company's latest X-Force research team report (PDF). IBM claims there were around 180,000 malicious traffic “events” in the USA between January 1 …

  1. This post has been deleted by its author

    1. Anonymous Coward

      "I wouldn't trust Tor further than I could throw it."

      There, FTFY/H

    2. ElReg!comments!Pierre
      Paris Hilton

      @1980s_coder

      Sure, and foreign-grown bananas are infested with flesh-eating bacteria.

      Care to elaborate? Has TOR let you down yet? For which of your own applications do you fear TOR would let you down?

  2. LucreLout

    It depends...

    .... on what you're using TOR for I guess.

    If you're moving serious quantities of illegal products then, yeah, you may have a problem. If you're buying small personal use levels of products to get yourself f***ed up, well, the cost of going after you is probably higher than the perceived value of a prosecution.

    If you're using TOR to hack major companies, you've possibly got an issue. If you're trying to SQL inject some mom & pop dry cleaners half a world away, for non-destructive research purposes, you're probably too small fry to worry about.

    If you're using TOR to avoid advertising, censorship in a benign jurisdiction etc then you're probably just peachy.

    1. Anonymous Coward

      Re: It depends...

      How about if you're using TOR to buy software in dollars, to avoid paying exactly the same number in Euros or Sterling if the site detects you're from Europe/UK.

      £99.99 for Brits

      €99.99 for Europeans

      $99.99 for Americans.

      I hate that shit. It's not only rude, it's going on the assumption that Brits and Europeans are too stupid to notice they're being bilked.

  3. Matthew 17

    any system that obstructs being spied upon

    must be demonised.

    'X' is used by terrorists and paedos and hackers, robbers, rapists and pickpockets!

    1. Anonymous Coward

      Re: any system that obstructs being spied upon

      any system that obstructs being spied upon must be demonised.

      Maybe, but I personally have noticed a sharp uptake in attempts to breach some of my websites originating from places which profess to host a TOR node.

    2. dogged

      Re: any system that obstructs being spied upon

      You forgot rustlers, cut throats, murderers, bounty hunters, desperados, mugs, pugs, thugs, nitwits, halfwits, dimwits, vipers, snipers, con men, Indian agents, Mexican bandits, muggers, buggerers, bushwhackers, hornswogglers, horse thieves, bull dykes, train robbers, bank robbers, ass-kickers, shit-kickers and Methodists.

      1. Anonymous Coward

        Re: any system that obstructs being spied upon

        You forgot rustlers, cut throats (etc)

        Such a long list and you forget bankers, lawyers and politicians?

      2. Sven Coenye

        Re: any system that obstructs being spied upon

        Whoa there, Hedy!

        1. dogged

          Re: any system that obstructs being spied upon

          >Whoa there, Hedy!

          That's HEDLEY!

  4. ElReg!comments!Pierre

    Hodge-podge report, much?

    I wonder how many non-TOR-based "malicious traffic events" have taken place in the same period.

    As per the security of the network, it would take more than a tweet to convince me that TOR is not one of the best solutions to date, to the problem it strives to address (routine all-encompassing surveillance).

    1. Anonymous Coward

      Re: Hodge-podge report, much?

      What about the reports that the Five Eyes and other Big-Brother-wannabes are trying to set up a critical mass of TOR exit nodes (likely through shills) so that they can pick up enough end-to-end traffic to make connections? What about improvements in browser fingerprinting attacks that can help make correlations even when all the traffic is encrypted (and TOR can't use a lot of padding due to latency issues)?

      1. ElReg!comments!Pierre

        Re: Hodge-podge report, much?

        Five Eyes and other Big-Brother-wannabes are trying to set up a critical mass of TOR exit nodes (likely through shills) so that they can pick up enough end-to-end traffic to make connections?

        First you'll notice that the claim in the tweet referred to TOR hidden services, no exit node involved in these, but fair enough, I'm game.

        Protecting against end-to-end attacks is not an aim of TOR. Anyone watching both the user's traffic to TOR and the exit node can, with timing correlations, determine that this user connected to that external resource. However, this is rather computationally intensive compared to just watching packet streams at a big Net node and registering "to" and "from" IPs; it requires close monitoring and matching of both specific connections, something that is at present almost impossible to automate on a large scale, notably because the vulnerable path between the user and the TOR network is typically short, and the TOR route changes every 10 minutes or so (which would disrupt timing attacks), with a lot of exit nodes in diplomatically adverse regions of the world. i.e. it works if you have a warrant against an individual target AND a way to direct traffic to exit nodes under your control. Not impossible, but you'd have to be an identified target to worry about that; it's certainly no "routine surveillance" as I intended to mean it.

        What about improvements in browser fingerprinting attacks that can help make correlations even when all the traffic is encrypted (and TOR can't use a lot of padding due to latency issues)

        The padding is irrelevant to browser fingerprinting. It is always possible to come up with new techniques to create a user's "virtual fingerprint". Info leaked, actively or passively, by the browser is a part of it; writing/typing patterns are another. That is not a TOR vulnerability, but the guys at the TOR project do offer advice to mitigate this. It was always advised that you use a different browser for TOR and non-TOR traffic, partly to make it more difficult to match your TOR fingerprint to your non-anonymous clearnet one. A step further, and available for a while now, the TOR bundle should help a great deal in making your traffic look just like that of any other Bundle user.

        The other "patterning" issues remain; it is up to you to use different writing styles if you wish. As for the typing patterns, you could always hook up a Dvorak USB keyboard for your TOR session should you feel this is a problem, that should disrupt your pattern enough!
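        The end-to-end timing correlation described in the comment above, as an added example that is not part of the thread and is not Tor Project code. It simulates a tap on the client side and taps on several exit-side streams (all synthetic, constructed here), bins packet timestamps into 100 ms histograms and slides them against each other to find the exit stream whose timing matches the client's. The network delay, jitter, packet rate and window size are assumptions chosen for the demo.

```python
"""Toy end-to-end timing correlation against a low-latency anonymity
network. Added example for this thread; not Tor Project code. Every
stream below is synthetic and constructed here."""
import random

BIN_S = 0.1  # bin width in seconds for packet-count histograms


def make_stream(n_packets, rate_pps, seed):
    """Client-side tap: packet timestamps with exponential inter-arrivals."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(n_packets):
        t += rng.expovariate(rate_pps)
        times.append(t)
    return times


def relay_through_network(times, base_delay_s, jitter_s, seed):
    """Exit-side view of the same packets: shifted by path delay plus jitter.
    The circuit hides addresses, not timing; the hops only add noise."""
    rng = random.Random(seed)
    return sorted(t + base_delay_s + rng.uniform(0.0, jitter_s) for t in times)


def binned(times, n_bins):
    """Histogram of packet counts per BIN_S-wide bin inside the window."""
    counts = [0] * n_bins
    for t in times:
        i = int(t / BIN_S)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length count vectors."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    da = sum((x - ma) ** 2 for x in a) ** 0.5
    db = sum((y - mb) ** 2 for y in b) ** 0.5
    return 0.0 if da == 0 or db == 0 else num / (da * db)


def best_lag(entry_counts, exit_counts, max_lag_bins):
    """Slide the exit histogram back over the entry one; keep the best lag.
    Cost is O(bins * lags) per (entry, exit) pair, and an observer tapping
    E entry links and X exit links has to score all E * X pairs."""
    n = len(entry_counts)
    best = (-1.0, 0)
    for lag in range(max_lag_bins + 1):
        c = pearson(entry_counts[: n - lag], exit_counts[lag:])
        if c > best[0]:
            best = (c, lag)
    return best


def match_exit_stream(entry_times, exit_streams, window_s=60.0, max_lag_s=2.0):
    """Return (index of the best-matching exit stream, [(corr, lag_bins), ...])."""
    n_bins = int(window_s / BIN_S)
    e = binned(entry_times, n_bins)
    scores = [best_lag(e, binned(x, n_bins), int(max_lag_s / BIN_S)) for x in exit_streams]
    return max(range(len(scores)), key=lambda i: scores[i][0]), scores


def demo():
    """Constructed scenario: one target client, four streams seen at exits,
    only one of which (index 2) really belongs to the target."""
    target = make_stream(300, rate_pps=5.0, seed=1)  # roughly 60 s of traffic
    others = [make_stream(300, rate_pps=5.0, seed=s) for s in (2, 3, 4)]
    exits = [relay_through_network(s, 0.4, 0.2, seed=10 + i) for i, s in enumerate(others)]
    exits.insert(2, relay_through_network(target, 0.4, 0.2, seed=99))
    return match_exit_stream(target, exits)


if __name__ == "__main__":
    idx, scores = demo()
    for i, (c, lag) in enumerate(scores):
        print(f"exit stream {i}: corr={c:.2f} lag={lag * BIN_S:.1f}s")
    print("best match:", idx)
```

        The unrelated streams score near zero at every lag while the target's exit-side stream scores around 0.5 at a lag matching the assumed path delay, which is why the attack works once a single target's entry link and the right exit link are both tapped. The same code also shows the scaling problem the comment raises: the per-pair cost is multiplied by every entry link and every exit link an observer wants to cover, and the histogram only lines up while both taps see the same circuit.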

        1. Anonymous Coward

          Re: Hodge-podge report, much?

          "it requires close monitoring and matching of both specific connections, something that is at present almost impossible to automate on a large scale"

          Not even with the resources of, say, a huge black project data center in Utah?

          1. ElReg!comments!Pierre

            Re: Hodge-podge report, much?

            Well, you'd have to have a direct tap into every client device's Internet connection, and into every exit node's Internet connection; definitely not trivial.

            Then assuming you had collected all this data, you'd have to store it and then cross correlate any and all of the former with any and all of the latter, with a 10-minute moving window for each correlation... in real time!

            All in all that'd require quite a few hundred targeted -and agile- taps in "hostile" territory, pipes and servers able to move and store in real time what would basically be your country's traffic plus the entire world's TOR exit traffic, and then quite a few "huge black project data center" worth of computing power. In other words: unless the NSA has secret ALIEN TECHNOLOGY FROM OUTER SPACE there's still some hope.

            Of course, as previously mentioned, if you manage to selectively target a few individuals of interest then it's entirely feasible (if not easy). But then it's no longer really blanket surveillance. TOR does not claim to be able to thwart nation-state-backed targeted spying (it does make it harder though). For that you could set up a friend-to-friend network -possibly within TOR- or a TOR hidden service (which is basically the same only made a tad more vulnerable by the need for a centralized server).

            Or you could use a decidedly asynchronous system, not really compatible with Web-browsing. Usenet could perhaps do, there are a couple PGP-encrypted relays to Usenet, e.g. mixnym, but I don't really know if their security has been checked. In any case you could always post PGP-encrypted messages to the relevant group yourself, if done well only the intended recipient can tell what is inside or who is the intended recipient.

            (in addition to the "patterning" discussed earlier, keep in mind that the timing of your connections will often leak a lot about where you live and what you do for a living, for example)

            1. Anonymous Coward

              Re: Hodge-podge report, much?

              "All in all that'd require quite a few hundred targeted -and agile- taps in "hostile" territory, pipes and servers able to move and store in real time what would basically be your country's traffic plus the entire world's TOR exit traffic, and then quite a few "huge black project data center" worth of computing power. In other words: unless the NSA has secret ALIEN TECHNOLOGY FROM OUTER SPACE there's still some hope."

              Or perhaps computing tech an order or two of magnitude more powerful than is known publicly? Perhaps a working quantum computer? That's the thing with black projects: anyone in them has to deny they even exist. That's how stealth aircraft was kept under wraps for a few decades.

              1. ElReg!comments!Pierre

                Re: Hodge-podge report, much?

                You seem to be focussing solely on the computing power part... that's only the last step. You're also assuming a working quantum computer that would have "makes everything possible" specs... when we don't know what to expect from one, and when we know for a fact that the US don't have a working quantum computer, of any specs, to begin with. The proof? You can't get one from Alibaba.

                Also, keep in mind that technology can only protect you so much:

                https://xkcd.com/538/

                Knowing that you need to register an account to post and/or view stuff on Twitter, Facebook, LinkedIn, Reddit, Skype, Myspace or whatever the current "compete with your friends" app-of-the-month is, and they all keep helpful tabs on who is connected to whom and who viewed whose profile...

                Crucially, we're talking about the kind of people who detain and deport tourists for making Vegas party jokes on twitter there. That big data center in Utah is probably just using the quantum computers to run very advanced Twitter-parsing routines...

                1. Charles 9

                  Re: Hodge-podge report, much?

                  Thing is, we don't know exactly what the US government is capable of in their black projects, and something like this they would take GREAT pains to keep secrets much as they did with the F-117 and SR-71 back during the Cold War. And we know they can tap undersea cables in situ with help from a submarine.

  5. JonP

    Makes sense

    If you're a business, the downside of blocking TOR has got to be vanishingly small compared to the (even alleged) risks of allowing it. Why would a business need to use TOR anyway?

    1. Anonymous Coward
      WTF?

      Re: Makes sense

      I'd rank it along with blocking torrents, exe's, vbs's etc.

      Sure, it has legit uses, but for 99.9999% of businesses you'd block by default and add on a 1-by-1 basis.
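      One way to do the "block by default, allow one by one" the comment above describes, as an added example that is not from the thread, IBM or the Tor Project: relay addresses come from the network-status consensus the Tor directory authorities publish, so the script parses the consensus 'r' (router) and 's' (status flag) lines, emits egress rules for every running relay's ORPort and ingress rules for every relay carrying the Exit flag, and takes an allow-list for the exceptions. The consensus excerpt is constructed here using documentation addresses, and one deliberately malformed entry shows that garbage lines produce no rule; the iptables rule shape is the author's choice, not something the article prescribes.

```python
"""Generate default-deny firewall rules for Tor relays from a network-status
consensus. Added example for this thread; not IBM's or the Tor Project's
code. The consensus excerpt is constructed in the dir-spec 'r'/'s'/'w'/'p'
line layout with RFC 5737 documentation addresses."""
import ipaddress
from dataclasses import dataclass, field

SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2015-05-10 12:00:00 198.51.100.10 9001 9030
s Exit Fast Guard Running Stable Valid
w Bandwidth=12000
p accept 80,443
r bravo CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2015-05-10 12:00:00 203.0.113.5 443 0
s Fast Guard Running Stable Valid
w Bandwidth=8000
p reject 1-65535
r charlie EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2015-05-10 12:00:00 192.0.2.77 9001 0
s Exit Running Valid
w Bandwidth=300
p accept 1-65535
r delta GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2015-05-10 12:00:00 not-an-ip 9001 0
s Exit Running Valid
"""


@dataclass
class Relay:
    nickname: str
    ip: str
    orport: int
    dirport: int
    flags: set = field(default_factory=set)


def parse_consensus(text):
    """Parse 'r' (router) and 's' (status flags) lines; skip malformed entries."""
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            current = None
            # r nickname identity digest date time IP ORPort DirPort
            if len(parts) < 9:
                continue
            try:
                ipaddress.ip_address(parts[6])  # reject non-addresses
                current = Relay(parts[1], parts[6], int(parts[7]), int(parts[8]))
            except ValueError:
                continue  # never turn a garbage line into a firewall rule
            relays.append(current)
        elif parts[0] == "s" and current is not None:
            current.flags.update(parts[1:])
    return relays


def egress_rules(relays, allow=frozenset()):
    """Outbound: stop internal hosts reaching any running relay's ORPort, the
    first hop a Tor client makes. 'allow' holds the one-by-one exceptions."""
    rules = []
    for r in relays:
        if r.ip in allow or not {"Running", "Valid"} <= r.flags:
            continue
        rules.append(f"iptables -A OUTPUT -p tcp -d {r.ip} --dport {r.orport} -j DROP")
    return rules


def ingress_rules(relays, allow=frozenset()):
    """Inbound: drop connections sourced from exit relays, where Tor client
    traffic re-enters the clearnet and shows up as 'malicious events'."""
    return [f"iptables -A INPUT -s {r.ip} -j DROP"
            for r in relays if "Exit" in r.flags and r.ip not in allow]


if __name__ == "__main__":
    rs = parse_consensus(SAMPLE_CONSENSUS)
    print("\n".join(egress_rules(rs) + ingress_rules(rs)))
```

      Two caveats belong next to the "vanishingly small downside" claim. The consensus is republished hourly, so the rule set has to be regenerated on the same cadence or it silently rots; and bridges (including pluggable transports) are deliberately kept out of the consensus, so the egress rules only stop clients that connect to public relays directly. The ingress rule also drops everything from an exit relay's address, including any non-Tor service hosted on the same box.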

    2. CommanderGalaxian

      Re: Makes sense

      But how will your developers be able to access sites discussing C Programming, Linux and Wireshark? Seriously.

    3. Old Handle

      Re: Makes sense

      Depends on the type of business and how bad you want a shot at another million or so users. Facebook evidently decided it was worth it.

  6. Neoc

    Am I reading this wrong?

    "IBM claims there were around 180,000 malicious traffic “events” in the USA between January 1 and May 10 this year, with 150,000 in the Netherlands, and more than 50,000 in each of Romania, France, Luxembourg and Uruguay."

    150,000 + (4 x 50,000) = 350,000 in my book. Can someone please explain how 180,000 = 350,000? Or did I misread something?

    1. Charles 9

      Re: Am I reading this wrong?

      It's 180K in the USA alone, with an additional 150K in the Netherlands and so on.

      So, putting them all together, you get 180,000 + 150,000 + 4 * (50,000) = 530,000 between all six countries listed.

      1. Neoc

        Re: Am I reading this wrong?

        <sigh> And there it is staring me in the face. There are days, I swear...

        Thanks for the heads-up on my stupidity <hangs head in shame>
