Hackers promise to break Tor on a $3,000 budget

Discussion in 'privacy technology' started by lotuseclat79, Jul 6, 2014.

Thread Status:
Not open for further replies.
  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It seems to me that most of the attacks against Tor are not attacks against the Tor software or Tor itself, but are either:

    1. Attacks against the applications that use Tor, like the browser.
    or
    2. Attacks that require substantial numbers of compromised or malicious relays in order to obtain users' traffic.

    IMO, Tor itself is reasonably safe. OTOH, the Tor browser bundle is caught between conflicting goals on multiple fronts. Examples:
    The browser bundle is intended to make all TBB users look the same. In the process of doing so, it also makes it fairly easy to identify them all as TBB users.

    By making TBB more user friendly, it's being made more vulnerable to de-anonymization. Javascript for instance is necessary to make many sites usable. That same javascript opens up many ways for identifying or de-anonymizing a user. It's extremely difficult for an extension like NoScript to allow needed javascript while blocking the nosy scripts without assistance from the user, assistance that most users aren't able to provide. With entire nations and 3 letter agencies in concert with the private sector combining against anonymity, the days of a user friendly bundle that can resist de-anonymization are ending.

    I don't see anonymous browsing ending. It will still be possible but not by relying on a pre-assembled package, and not for the casual TBB user. It's going to require more from the user, like configuring an outbound firewall to prevent the browser from connecting through anything other than Tor. It will require the ability to filter or modify browser headers and javascript requests for identifying data and make them agree so that it's not obvious what you're actually using.
     
  3. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks for posting noone and putting it so succinctly. What we really need though is a resource where people, or those so inclined, can get a concise list of exactly what to do.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Like the TBB, building and configuring your own package is a two-edged sword. If you get it right, you can be much more difficult to de-anonymize. If you make a configuration mistake or overlook certain details, you could end up being easy to identify and track. More so than most things, the devil is in the details. With a non-standard package, the user has to provide their own support. There's no way that the Tor team can do it. They've already got too much to do thanks to Firefox and its addiction to constant updating.

    A user who assembles their own package needs to examine their browser's behavior very closely. Does the browser, its components, features, extensions, etc. send anything that qualifies as a unique identifier? The features that keep providing more and more reasons for browsers to call home have to be identified and disabled. The TBB comes preconfigured to direct the browser's traffic to Tor's socks port, including the DNS. The user will need to make certain that the browser they use will route all of its traffic to the Tor socks port without exception. Better yet, the user should use an outbound firewall that allows good control over localhost (loopback) traffic, configure it to prevent the browser from making any other connections, and to alert the user if the browser attempts to. If the user wants the ability to use Java or Flash, the ability to enforce "click to play" is a necessity, as is the ability to enable/disable them easily.

    Those considering building their own package should look at this old thread: Setting up Tor/Proxomitron+SocksCap. On the XP and 98 systems I use, SocksCap works very well. I have no idea if it will work on Vista or newer systems. Proxomitron is very capable of replacing NoScript and offers more fine-grained control, especially with the ProxBlox filter. Proxomitron can modify browser headers, fake user agents and referrers, convert iFrames into links, make Flash/Java click to play, block ETags, defeat the newest HTML5 canvas issue, and much more. On XP, Proxomitron will run with "drop my rights" on a constrained setting. It can be severely restricted with classic HIPS and still work properly. Unlike NoScript, Proxomitron requires that the user knows what they're doing. There are some very good filter sets available, with good documentation. Like rule-based firewalls and classic HIPS, Proxomitron requires a user that's comfortable with rule-based apps. Using apps that are chained together like browser>Proxomitron>SocksCap>Tor requires that the user not only be able to properly configure that chain, but also create firewall rules that can enforce that chain and alert the user if something tries to connect outside of that chain.

    Using a separate filtering proxy like Proxomitron in place of a browser extension has several advantages. Browser updates will never break the filtering proxy. They can and do break extensions. Separate filtering proxies work with all browsers that allow proxy settings. The filtering proxy effectively replaces the browser in the attack surface. Attacks that target browsers have to pass through the filtering proxy first. If the exploit code is known, the filtering proxy can remove it. The filtering proxy is far less useful to an attacker as a target, especially if used with Drop My Rights in constrained mode. If an attacker manages to crash or terminate the filtering proxy, the browser loses internet access, is out of the attacker's reach, and the user knows almost immediately.

    On my system, I have 2 instances of Proxomitron installed. The first is used for normal internet access. The second is chained with SocksCap and Tor. Both instances have different configuration files. Switching from direct internet access to Tor is as simple as closing one instance of Proxomitron, starting the other, and restarting the browser. At the Panopticlick test site, it looks like 2 completely different systems. The site gets very little data from either instance, and most of what it reports is wrong.
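The post above describes what a filtering proxy does on the way out (rewrite or drop identifying request headers, block ETags) and on the way in (turn iFrames into links). The following is an added illustration of that idea in Python, written for this thread; it is not Proxomitron's code or any of its filter sets. The fixed User-Agent string, the header names chosen for removal and the sample HTML are assumptions made for the example.

```python
import re

# Constructed value: the one User-Agent every request will carry, regardless
# of what the browser actually sends. Pick whatever fits your threat model.
FIXED_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

# Request headers that carry identifying or cache-tracking data. Referer says
# where you came from; If-None-Match / If-Modified-Since let a server use a
# cached ETag as a cookie substitute.
DROP_REQUEST_HEADERS = {"referer", "if-none-match", "if-modified-since"}


def filter_request_headers(headers):
    """Return a new header dict with identifying headers removed or replaced."""
    out = {}
    seen_ua = False
    for name, value in headers.items():
        key = name.lower()
        if key in DROP_REQUEST_HEADERS:
            continue                      # drop it outright
        if key == "user-agent":
            out[name] = FIXED_USER_AGENT  # same string for every request
            seen_ua = True
            continue
        out[name] = value
    if not seen_ua:
        out["User-Agent"] = FIXED_USER_AGENT
    return out


def filter_response_headers(headers):
    """Strip ETag from responses, so the browser never has one to send back."""
    return {n: v for n, v in headers.items() if n.lower() != "etag"}


# Matches <iframe ... src="..."> with or without a closing </iframe>.
# A regex is enough for the demonstration; a real proxy filter does more.
IFRAME_RE = re.compile(
    r'<iframe\b[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>(?:.*?</iframe>)?',
    re.IGNORECASE | re.DOTALL,
)


def filter_response_body(html):
    """Replace each iframe with a plain link, so embedded third-party content
    only loads when the user deliberately clicks it (click-to-play for frames)."""
    return IFRAME_RE.sub(
        lambda m: f'<a href="{m.group(1)}">[iframe: {m.group(1)}]</a>', html
    )


if __name__ == "__main__":
    # Constructed sample request/response to show the filters in action.
    req = {
        "Host": "example.com",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Firefox/99.0",
        "Referer": "https://search.example/?q=something",
        "If-None-Match": '"etag-track-1234"',
        "Accept": "*/*",
    }
    print(filter_request_headers(req))
    page = '<p>hi</p><iframe src="https://ads.example/frame"></iframe><p>bye</p>'
    print(filter_response_body(page))
```

Run as-is it prints the filtered request headers and the rewritten page. The Referer and ETag conditional are gone, the User-Agent is the fixed string, and the iframe has become a link that loads nothing until clicked.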
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Wow, thank you for all that effort you put into your post noone. I really enjoy your posts even though I don't understand everything. I still think unfortunately the things you've described are pretty much over my head, though I'd love to try it too, but the time needed to study this may be prohibitive. As you've implied, you're going to have to be very dedicated to pull this off, and yet going from what you've said on OSes above XP (which I have no trouble at all believing) I'm in two minds. Your post generates for me many questions. I've pretty much heard all the terms used but many I don't understand how they fit in and work or how they relate to other things.
    Thanks again.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Thanks. The type of assembled package I'm describing wouldn't conflict with TBB. It would be completely separate. The user could have both and use one while they learn the other. To start, a user could limit the use of their own package to test sites and sites where anonymity doesn't matter. With test sites, you could check what data it reveals in comparison to the TBB.

    Proxomitron is the most difficult component to learn. I've used it for nearly 10 years and haven't come close to making full use of its abilities. IMO, one would have to be a master webpage builder in order to take full advantage of it. Proxomitron is one of those rare works that's timeless. It will be effective as long as websites use HTML and javascript. IMO, it's more valuable and useful now than when its developer was alive. All that said, it's not necessary for a user to fully understand Proxomitron in order to use it. The filters it came with are still relevant even though they're over 10 years old. Another old filter set, JDList, is an excellent demonstration of Proxomitron's abilities and a great teaching aid. Unlike many security apps, Proxomitron doesn't invade your system. Everything is in one folder, no services, nothing in the registry. Installing is as simple as unpacking Proxomitron, configuring your browser's proxy settings to use it (127.0.0.1 port 8080 is the default setting), firing it up and going.

    Chaining the apps used is fairly straightforward. The screenshots in Setting up Tor/Proxomitron+SocksCap describe the process pretty well. The chain basically establishes the path that the web traffic has to follow. All traffic from the browser is routed through Proxomitron. Proxomitron is launched via SocksCap, which converts the traffic to Socks 5 format, then directs it to Tor's socks proxy port. Most of this won't change regardless of what OS or browser you use.

    Configuring a firewall to restrict the traffic to this chain gets more complicated. Some firewalls don't filter loopback or localhost traffic properly. With Kerio 2.1.5, I can show a user how to write the necessary rules. With another firewall, I can't. This aspect of the process requires that the user knows their firewall, especially its limitations. Quite a few of the security suites (firewall, HIPS, kitchen sink combination units) emphasize the ability of the HIPS but neglect the internet firewall component. Others forgot about or incorrectly filter localhost traffic. If I understand correctly, Sygate firewall has this problem.

    I'll try to answer any questions you have. There is no escaping that there is a learning curve here. That said, unless your internet activities actually require anonymity or you're a person of interest for some other reason, there's no real penalty if you don't get it right. Some would argue that using Tor makes you a person of interest. As far as I can see, anyone who doesn't favor global surveillance is a person of interest. If you value life and liberty, you're a person of interest. I'm quite certain that I've been on their lists since the Diebold Accuvote scandal. Running a Tor exit probably keeps me on their watch lists, which is fine by me. It's my way of saying "screw you and your surveillance" and doing it legally. Even if you never use Tor for anything that requires anonymity, the traffic alone adds to their workload. They can't tell if it's of value until they look at it. Maybe that's the best thing the average user can do. The NSA and others are already looking for needles in a big haystack. Let's keep piling on more hay.
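Posts #4 and #6 both come down to one rule: the browser may talk only to the filtering proxy, the proxy only to Tor's socks port, and anything else (a direct connection, or a UDP DNS query from the browser) means the chain has been bypassed. This is an added example, not part of the thread, that audits a connection log against that chain in Python; it stands in for the "alert me if something connects outside the chain" job the firewall is supposed to do. The log format, the process names and the sample lines are constructed for the example; 127.0.0.1:8080 is Proxomitron's default from the post, and 127.0.0.1:9050 is assumed to be Tor's default SocksPort.

```python
import ipaddress

FILTER_PROXY = ("127.0.0.1", 8080)  # Proxomitron's default listening port
TOR_SOCKS = ("127.0.0.1", 9050)     # assumption: Tor's unchanged default SocksPort

# The permitted chain. A set of (ip, port) pairs is the only place that
# process may connect; None means "any non-loopback destination" (Tor itself
# talks to relays on the open internet). Processes not listed are outside
# the chain and are not judged here.
CHAIN_POLICY = {
    "browser": {FILTER_PROXY},
    "proxomitron": {TOR_SOCKS},
    "tor": None,
}


def parse_connection(line):
    """Parse one constructed record: '<process> <proto> <dst_ip>:<dst_port>'."""
    proc, proto, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return proc.lower(), proto.upper(), ip, int(port)


def audit_connections(lines, policy=CHAIN_POLICY):
    """Return (process, reason) for every connection that leaves the chain."""
    violations = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proc, proto, ip, port = parse_connection(line)
        if proc not in policy:
            continue                      # not part of the chain; ignore
        allowed = policy[proc]
        if allowed is None:
            # Tor may go anywhere except back into the local chain.
            if ipaddress.ip_address(ip).is_loopback:
                violations.append((proc, f"loopback connection to {ip}:{port}"))
            continue
        if proto != "TCP":
            # The chain is TCP-only. UDP to port 53 from the browser is the
            # classic sign that DNS is not going through the socks port.
            reason = f"{proto} to {ip}:{port}"
            if port == 53:
                reason += " (DNS leak)"
            violations.append((proc, reason))
            continue
        if (ip, port) not in allowed:
            violations.append((proc, f"TCP to {ip}:{port} bypasses the chain"))
    return violations


# Constructed sample log. The first three lines are the chain working as
# intended; the last three are the failures the firewall rules should catch.
SAMPLE_LOG = """
# process proto destination
browser TCP 127.0.0.1:8080
proxomitron TCP 127.0.0.1:9050
tor TCP 198.51.100.7:443
browser UDP 192.0.2.53:53
browser TCP 203.0.113.10:443
proxomitron TCP 203.0.113.10:80
""".splitlines()


if __name__ == "__main__":
    for proc, reason in audit_connections(SAMPLE_LOG):
        print(f"ALERT {proc}: {reason}")
```

Only the last three sample lines are reported: the browser's UDP DNS query, the browser's direct HTTPS connection, and the proxy reaching the web without going through Tor. The same three cases are what the firewall rules have to block and alert on; checking them against a log of what actually connected is a cheap way to confirm the rules do what you think.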
     
  7. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    mirimir, do you remember XBSteve used to talk about multiplexing and lag obfuscation, and that sort of thing? The reason I am mentioning this is because if there was some way to change the connection between the entry and exit nodes so that they looked different, wouldn't that be an answer? I don't know how it could be done, but maybe add some variable random content sometime after it enters the entry node and before it exits. Could Tor be manipulated to do something like this?
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's more what JonDo does. I can't speak to what's possible with Tor.

    But do see Feigenbaum and Ford (2014) Seeking Anonymity in an Internet Panopticon
    http://arxiv.org/abs/1312.5307
     
  9. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Again, an exemplary post. Thank you.
    1/ That's encouraging me to have a go
    2/ You may or may not remember in past posts, but yes I use Kerio 2.1.5
    3/ I really appreciate that offer. Thankyou.
    4/ What you are saying here really makes sense. As I've said in times past, they'll get bored looking at me, unless of course they want to nitpick, which I believe they do, but that's another story. Since the big fiasco with that vulnerability in TBB, to be honest, I just backed off and haven't used Tor since. There have been so many things said against Tor lately that I've found it confusing. Because I don't understand things happening at grass roots level, that means I can't verify one way or the other for myself. As we all know, it is NOT prudent to just blindly trust a 3rd party, but we can find other ways to up the chances that they are legit and clean, for example, listening to reputable people and their recommendations. It takes time to call someone reputable.

    I'm going to give Proxomitron a try, plus get the latest TBB. Will probably make a start next week.
     
  10. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Oh wow!! I guess this is still under development and not yet available. But it sounds amazing! Thanks.
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Why were CERT researchers attacking Tor?

    -- Tom
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's an excellent summary.

    What I'm wondering, though, is whether this was an inadvertent leak of an NSA etc exploit. I can imagine, for example, a casual conversation over lunch between the CERT guys and someone knowledgeable about the NSA's toolkit.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I wonder how many are honeypots ;)
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    While that's an interesting article, it doesn't offer much beyond speculation, albeit perhaps better informed.

    Also, it repeats the acronym error: "Tor, which stands for The Onion Router ...".

    Here's what Paul Syverson has to say about that:
    http://www.syverson.org/entropist-final.pdf
     