Did Carnegie Mellon Attack Tor for the FBI?

There’s pretty strong evidence that the team of researchers from Carnegie Mellon University who cancelled their scheduled 2015 Black Hat talk deanonymized Tor users for the FBI.

Details are in this Vice story and this Wired story (and these two follow-on Vice stories). And here’s the reaction from the Tor Project.

Nicholas Weaver guessed this back in January.

The behavior of the researchers is reprehensible, but the real issue is that CERT Coordination Center (CERT/CC) has lost its credibility as an honest broker. The researchers discovered this vulnerability and submitted it to CERT. Neither the researchers nor CERT disclosed this vulnerability to the Tor Project. Instead, the researchers apparently used this vulnerability to deanonymize a large number of hidden service visitors and provide the information to the FBI.

Does anyone still trust CERT to behave in the Internet’s best interests?

EDITED TO ADD (12/14): I was wrong. CERT did disclose to Tor.

Posted on November 16, 2015 at 6:19 AM • 128 Comments

Comments

Ferris November 16, 2015 7:49 AM

I usually agree with you 100%, but not in this case. The researcher’s behavior was not “reprehensible”. Academics work in concert with the government all the time. I begrudgingly support an encrypted internet even though it provides safe harbor for criminals, but if that encrypted internet turns out to be flawed, I have no sympathy for the criminals that are found there, nor do I particularly care how those flaws were discovered.

Echo Nolan November 16, 2015 8:01 AM

Hey Bruce. The link to the second follow on Vice story is broken.

Thanks for the story, I missed this last Wednesday.

Bardi November 16, 2015 8:01 AM

Ferris : It is not the act itself, it is allowing a Federal Agency to harvest everyone’s data, contravening the 4th Amendment by doing it without any form of oversight whatsoever. The group should be separated in all ways imaginable. In a healthy republic, the FBI should get their pee-pees whacked, at least.

Jan November 16, 2015 8:04 AM

@Ferris: Don’t confuse Tor users with criminals. That’s the same rhetoric as “only people who have something to hide use encryption”.

If CERT delays closing security holes, it is harming all internet users.

Ferris November 16, 2015 8:24 AM

Jan, Bardi
I definitely did not conflate Tor users with criminals. But the CMU researchers – tell me why they are “reprehensible” because of the FBI’s actions, or CERT’s?

dragonfrog November 16, 2015 9:18 AM

@Ferris: The researchers are not reprehensible because of the FBI’s or CERT’s actions. They’re reprehensible because of their own actions.

They broadly de-anonymized huge numbers of Tor users, then picked through their findings (which they never should have had at all, since none of those people consented to take part in their research), and decided whose identities to turn over to the FBI (an act that would have been permissible only if the FBI presented a warrant for those specific records, assuming there was any conceivable ethical way they could have possessed the records in the first place).

r November 16, 2015 9:35 AM

this is the full disclosure vs responsible disclosure vs bug bounties argument.

it’s depressing imb.

Sam November 16, 2015 9:36 AM

There’s a separate US-CERT which acts for the USA: CERT are supposed to be an organisation with global interests, but this makes it apparent they’ve chosen a side and can no longer pretend to be impartial.

https://en.wikipedia.org/wiki/CERT_Coordination_Center#Confusion_with_US-CERT_and_other_CERTs

Secondly, Tor was started by the NRL and funded by DARPA “with the purpose of protecting U.S. intelligence communications online”:

https://en.wikipedia.org/wiki/Tor#History

That’s what was being compromised. Maybe you want to assume that no other nation could implement that attack, but assumptions like that are not how risk mitigation works.

Nony November 16, 2015 9:40 AM

Whether it’s “reprehensible” or not depends on a few questions, and CMU/CERT’s refusal to comment is only making matters worse. Here are some questions, assuming the core parts of the story have been reported correctly:

Did the FBI obtain a court order, authorizing them and/or people working on their behalf to monitor electronic communications in and out of the Tor network? Without a court order, there’s a good chance that such “research” would violate wiretap laws. That would be reprehensible.

Did the CMU or CERT researchers have a human subjects protocol approved by their IRB? If not, they were involving people in their “research” who had not given consent. That would be reprehensible.

But think about certain answers to these questions: What if the FBI had gotten a court order to target specific individuals engaged in illegal activity, contracted with CMU/CERT for experts to help track down those specific individuals, and the CERT researchers had an appropriate protocol approved by their IRB that destroyed any incidentally-collected information that was not about the legally-targeted individuals. That is also consistent with the story, and is certainly not “reprehensible.”

Reprehensible or not – frankly, it could be either, and as long as CMU refuses to comment, many people are going to assume the worst.

MrC November 16, 2015 9:46 AM

A. It’s not enough for a positive ID, but I note that Ferris shows several hallmarks of a “persona management” sock puppet — new user; first poster; anti-Constitution, pro-police state ideology; picked a fight immediately.

B. Ferris, if you do mean that question earnestly (rather than to troll or to cast the illusion of a two-sided debate over a plainly one-sided issue), here’s your answer:

  1. The CMU researchers are reprehensible because they knowingly helped the FBI end-run the 4th Amendment by conducting a large number of illegal searches, the vast majority of which were against innocent people. This is reprehensible because (a) they directly violated the civil rights and privacy of a bunch of innocent people, (b) they directly violated the civil rights and privacy of a handful of criminals, and (c) they encouraged and enabled illegal behavior by the FBI. The reprehensibility of item (a) is self-evident. You don’t seem to care about item (b), but you should. There is no reliable method for distinguishing a criminal from an innocent person who pissed off a corrupt cop or prosecutor. One cannot open the door to railroading the former without also opening the door to railroading the latter (and, yes, “opening the door to railroading” is exactly what you do when you deny procedural rights to the accused). Item (c) is the most important: Over time, law enforcement authorities who believe themselves to be “above the law” inevitably become corrupt, abusive, and ultimately oppressive. Every time the citizenry enables, encourages, or condones illegal acts by law enforcement, we send the message that, yes, they are “above the law,” and our society takes one more foolish step towards a police state.

  2. The CMU researchers are reprehensible because their attack revealed the traffic of all of their victims — including the vast majority of innocent people — to everyone in the world, not just the FBI. As detailed in TOR’s blog post from back when they discovered the attack, the tags they injected into the victims’ traffic were not encrypted. Anyone who (a) knew about the tags at the time and observed the traffic, or (b) recorded the traffic and learned about the tags later, could correlate all the traffic for all of the victims — most of whom, again, were innocent of any crimes, and all of whom were using TOR specifically because they wanted privacy.

  3. The CMU researchers are reprehensible because they violated one of the most basic ethical rules of scientific research: No research on human subjects without the subjects’ informed consent.

r November 16, 2015 10:03 AM

@sam,

CERT may have been an afterthought and a recommendation by the fbi or cmu lawyers.

if there was any real interest in reporting this vulnerability it wouldn’t have been reported to USCERT but the torproject directly i’d think.

Sam November 16, 2015 10:09 AM

The thing is, if the FBI gave CERT a National Security Letter, there’s nothing CERT can do about it – they can’t even comment – maybe they’re not even allowed to tell their ethics board.

If this is the case there’s not a whole lot of point in trying to figure out who is the most reprehensible party, the only sensible move is to figure out how to re-arrange the internet so that there’s no bottleneck entirely within the jurisdiction of a single nation state.

Further, in this case, it’s less of a full disclosure vs responsible disclosure thing and more like the Milgram Experiment.

CMU Snitch Sciences Program November 16, 2015 10:10 AM

The Ntrepid personas are standing by to keep you safe! Ntrepid first-comment responder Ferris Buehler up there is on it, disseminating slogans for morons. First, unsupported contradiction of your argument. Then, ‘[irrelevant generality] all the time.’ Then, ‘[words words words] criminals [words words words] criminals.’ Lots of ‘I this,’ ‘I that’ to model the canned opinion, so dopes can pick it up verbatim. Not even a pretense of reasoning.

This is low-quality glavlit unsuited for its target. Unacceptable. The COTR should withhold Ntrepid’s award fee. She won’t, of course, she’s too crooked, she’s feathering her nest. But face it, the military/paramilitary pukes who man the internet battle stations are not smart enough to influence my parrot.

r November 16, 2015 10:12 AM

@sam,

either way, at this point NSL or not depending on one’s definition of “responsible” USCERT can no longer be considered a reasonable component of a transparent disclosure process.

Freddy November 16, 2015 10:14 AM

Sorry guys but USA CERT do not provide timely vulnerability information to many non American vendors. The foreign vendors get it the moment the vulnerability goes public. So for all the USA Washington bullshit about improving security, collaboration, blah blah blah the reality is America uses vulnerability information to its own advantage. So sad

Dirk Praet November 16, 2015 10:25 AM

@ Ferris

tell me why they are “reprehensible” because of the FBI’s actions, or CERT’s?

Their research in itself was not reprehensible. The fact that they failed to disclose it to the Tor Project is. As with most technologies, Tor can be used for either good or bad. Withholding from the project critical information about serious flaws and that on behalf of a government known to engage in indiscriminate mass surveillance, violates any notion of academic impartiality and for all practical purposes makes the CMU researchers government butt boys or hired guns, whatever fits best one’s definition.

I guess there would have been less discussion if they had done work for Volkswagen and then subsequently withheld the results from authorities or the public at large.

As to CERT, us over here in Europe have assumed most, if not all US organisations of that type are government pwned ever since the first stories about NSA influencing NIST standards broke out. We trust them about as much as we would their Chinese or Russian counterparts.

Sam November 16, 2015 10:42 AM

@r

That’s about it, yes.

There’s US-CERT and there’s CERT/CC, and it’s almost like they were named to be confusing. I don’t think that US-CERT was ever part of any international disclosure process, it’s a DHS creation.

Most of this drama is about CERT/CC – which is supposed to be the international version – though now, anything with “CERT” in the name coming out of CMU should be seen as purely in the American interest. And this is fine for US-CERT because that’s their mission, but less good for CERT/CC, which I think is the “CERT” of Bruce’s last paragraph.

albert November 16, 2015 11:17 AM

Welcome to ‘post-Constitutional’ America:

http://www.counterpunch.org/2015/11/13/life-in-post-constitutional-america-the-obama-factor/

‘Constitutional issues’ are now simply theoretical exercises in political double-speak. Note: the article’s scathing indictment of Obama and his minions can be applied to most of the previous presidents, and future ones.

Mark well my words: When Hil’ry gets elected, she’ll be worse than Willie or Dubya, I guarantee. “Heaven has no rage like love to hatred turned, Nor hell a fury like a woman scorned,” – William Congreve.

. .. . .. _ _ _ ….

Daniel November 16, 2015 11:27 AM

“Their research in itself was not reprehensible. The fact that they failed to disclose it to the Tor Project is. ”

This.

Imagine a neighbor walks by your home on her daily walk around the hood and notices that the door is ajar and your car is not in the driveway, and she knows you live alone. She has several choices but they boil down to permutations on three: she can either do something to secure your home in your absence OR she can engage in criminal activity either by herself or in concert with others OR she can ignore the situation.

Now, the case in Bruce’s post is a little more nuanced. In this case the neighbor (the researchers) have reason to believe that the reason the door is open to your residence is because you have druggie friends and she thinks they are in there getting high. So before she secures the residence she walks in to see if any criminal activity is afoot. Lo and behold there is criminal activity so she calls the cops. The problem here is that even though she meant well she is still trespassing. “Entering” a home (as in breaking and entering) without permission is still a crime. So two wrongs do not make a right.

But the situation here is even worse for the neighbor. Because in the example above the neighbor is well-meaning and innocent. But the researchers were not well-meaning or innocent. In this specific case it is as if the neighbor were bribed by law enforcement to go into the home for the specific purpose of looking for a crime. The neighbor does not stumble on the door ajar accidentally on her daily walk, she goes looking for the open door. She hangs around her window waiting for her neighbor to make a mistake and then it’s “gotcha”.

So we see that the essence of Ferris’s argument is that the means justify the ends: Yes, the researchers were, in the parlance of the street, rat finks but so what, any price to nab a crook. The scumminess of the researchers is not the FBI’s problem. The problem is that this logic used to uphold the law is actually an example of lawlessness–for any excuse will serve a tyrant.

The researchers in this case are morally and ethically bad people. They went out of their way to hurt society and presumably enjoyed doing so. The only thing the researchers have on their side is power: a corrupt and defunctive legal system that only cares about its onanistic recrudescences. Being a toady to power might have got them a cool million dollars but it’s no surprise it has also garnered them a lot of condemnation.

rgaff November 16, 2015 12:07 PM

@Daniel

No, it’s as if the neighbor was bribed by law enforcement to go into ALL HOMES IN THE WHOLE NEIGHBORHOOD looking for crimes…. just because they were sure there had to be some crimes in that neighborhood somewhere…

House to house searches by police looking for criminal activity will bring a great nation into a holocaust! Mark my words! This is why it’s so reprehensible!

And all you apologists who are like “welp, how else would we catch crime? the ends justifies any means” are also just as reprehensible as if you were Hitler himself. You are promoting this. You are death to our future.

us_cert_is_not_cert November 16, 2015 12:27 PM

US CERT is not CERT. Check.
US CERT’s role is to find exploits and use them. Everything else is secondary. Check.
The TOR identifying project was never “research.” Check.

The story is, then, some people figured out an exploit as a part of their job as a spying contractor and wanted to share the exploit with other infosec functionaries at Black Hat.

Either no one at CME’s business knew about the offer to discuss the crack, or a bunch of bad decisions at CME’s domestic spying shop led to an initiation of contact with Black Hat before someone with a working brain shut sharing the idea down.

It makes one wonder what the engineers are told their job is at CME’s spying shop. How much does one get paid to mine for exploits in high value targets at CME? I’d assume whomever funds CME’s spying shop is providing a list of priorities/applications to crack. How are those priorities handed down?
Anyone publicly admitting to working in CME’s spying shop?

Just passin' thru November 16, 2015 12:29 PM

I think you’re spot on, Bruce.

While CERT/CC is deserving of its loss of trust, I think merely emphasizing an institution name (and its researchers) is insufficient.

Companies and institutions don’t do things, people do. Who are these researchers? If they’d done something good, I’d want to know who they were.

Well, quoting the archived black hat presentation’s precis…

Alexander Volynkin is a Research Scientist at the CERT Cyber Security Solutions directorate.

Michael McCord is a software vulnerability analyst on the Forensic Operations and Investigations team at Carnegie Mellon University’s CERT.

Though I’ve been following your blog for many years, I don’t recall seeing their names before. I’ll guess they read your blog too. Maybe they’ll comment.

https://web.archive.org/web/20140706225703/https://www.blackhat.com/us-14/speakers/Alexander-Volynkin.html

https://web.archive.org/web/20140706235404/https://www.blackhat.com/us-14/speakers/Michael-McCord.html

Who? November 16, 2015 1:16 PM

@Ferris

A work done by a University in concert with a government is not automatically “something good”. In fact, I feel ashamed of a lot of work done in this way in the last decades.

I use tor lots of times, does it turn me into a criminal?

I use encryption, in fact very strong encryption for both communications and data storage, am I a criminal?

I had been a developer on one of the most important open source projects in computing security for more than a decade; does it make me a criminal?

I have something to hide, in fact, lots of things to hide (this one is the first reason a lot of people on this forum use strong cryptography); are we subversives?

rgaff November 16, 2015 1:38 PM

@Who? Yep. If you close the blinds on your windows you are automatically a criminal too. Just ask our government or one of their lackeys, they’ll set the record straight. Same if you wear clothes. Definitely a criminal.

You are aware that every American commits an average of 3 felonies per day, right? This is not because a few commit so many they balance out the rest of us “law-abiding” citizens, this is because there are so many laws on the books that lots of normal everyday behavior is in fact highly illegal, just not always regularly enforced (yet). There is in fact no such thing as a “law-abiding” citizen. And THIS is why things like the 4th and 5th Amendments exist… This is why “privacy” is supposed to be a fundamental human right of all humans worldwide regardless of citizenship. This is why those who usurp that right are reprehensible, and why I will not cease to call them Hitler-like.

slippery November 16, 2015 1:46 PM

And more…

After Paris, ISIS moves propaganda machine to Darknet

“The new propaganda hub was discovered by researcher Scot Terban, who shared his findings with Salted Hash. Terban came across the new Al-Hayat hub while performing jihadi research over the weekend.

In a post on the Shamikh forum (a known jihadi bulletin board), someone posted the new address and instructions for reaching it.”

http://www.csoonline.com/article/3004648/security-awareness/after-paris-isis-moves-propaganda-machine-to-darknet.html

rgaff November 16, 2015 2:10 PM

@slippery

So what are you saying, it’s inevitable that the world eventually plunges into one massive worldwide dictatorship, persecuting people for closing their blinds, or for being a certain non-mainstream race or religion? Torturing people, leaving them to rot in prisons without a trial? Executing people by remote control for the crime of using the wrong phone? Then executing the medical workers trying to help? This is inevitable? Really? I disagree, a worldwide holocaust is only inevitable if you make it inevitable by your willful or ignorant apathy. Relax little frog, the warm water feels good doesn’t it… you will not even notice when you are boiled alive. Delicious you shall be.

slippery November 16, 2015 2:17 PM

“Executing people by remote control for the crime of using the wrong phone?”

@rgaff that seems like a leap from what I said to some more self-serving imagined societal meltdown in order to prop up our own agenda. Without details you can’t pass blanket judgement on what did or did not occur and you certainly can’t point to a broad misuse of authority by the FBI. So far I haven’t seen anything pointing to people being swept up because of this. On the other hand I am always hearing about people being visited by the Feds because they run an exit node. This is normally because the exit node pops up in a child pornography investigation. Should the Feds stop caring at all or going after bad guys?

Justin November 16, 2015 2:36 PM

@ Bruce, Just passin’ thru

The behavior of the researchers is reprehensible
…While CERT/CC is deserving of its loss of trust, I think merely emphasizing an institution name (and its researchers) is insufficient.
…[naming names of individuals]

All this for assisting the FBI. Subtle, implicit threat against the named individuals. I don’t like where this is going.

You can’t research ways to protect anonymity on the internet and expect others not to research ways to break that anonymity. Maybe it’s an arms race, but that’s what security research is all about. Universities get funding from all kinds of dubious sources for various dubious research, but when it’s from the FBI, all of a sudden it’s taboo for the in crowd here.

There’s this demonization of the FBI, but trust me, there are far worse people than the FBI out there. Just a guess, don’t you think some of those organized crime cartels can crack TOR?

Everybody wants to name and shame anybody who cooperates with the FBI (e.g., Al Sharpton) but nobody’s naming and shaming the mob bosses who are out there ordering hits…

Stop whining about it and continue to research and improve your product. You’re not the only ones. There’s competition, not that I have much opinion about it either way.

rgaff November 16, 2015 4:13 PM

@slippery

Search for “drone” and “metadata” to see how people are targeted for killing for using phones! No, don’t do it, you want to believe that all is well. You want to be an ostrich with your head in the sand, along with the rest of the government-employed or government-deceived lackeys.

Yes, there should be limits to HOW we can “go after the bad guys”… we should NOT be giving authorities a blank check to do ANYTHING TECHNICALLY POSSIBLE to catch bad guys. That’s what gives rise to horrifying abuse of authority.

@ Justin

“when it’s from the FBI, all of a sudden it’s taboo”

Yes, it SHOULD BE taboo to help the FBI go against the constitution and basic human rights! It should be taboo for the FBI to do it in the first place too, but we seem almost to have slipped well beyond the point of no return for a cruel global dictatorship on that, everyone just accepts that… What’s the matter with people?? You have to wait till there is literal blood running in every street from the government mowing down large masses of innocent people before you hear an “I told you so”? Or would you rather stay away from any road that leads in that direction? Just because criminals do something doesn’t make it ok for everyone.

The Fighting Stool Pigeons of CMU November 16, 2015 5:30 PM

DoD persona Ferris, having crashed & burned, has whipped himself up a new persona, Slippery. Sadly, this one’s a moron too.

Ntrepid clearly needs some artificial intelligence to make up for the lack of the real thing. Telltale indications include the childish cops-and-robbers locution ‘bad guys,’ which the government uses to short-circuit the ethical scruples of guard-labor proles like Slippery, and his continued fixation on child pornography. Funny how Slippery and his superiors are frantic to stop child abuse on the Internets, but when it happens in real life right under their nose, like at Penn State and at Jeffrey Epstein’s pedo harems, they don’t do jack shit.

No, actually, it’s not funny or strange at all. CIA uses pedophile/ephebophile blackmail to control key personnel like Scott Ritter and Donald Sachtleben and Dennis Hastert and Mark Foley and Bill Clinton, so pawns like Ferris aren’t allowed to touch it – unless they’re using it to destroy dissidents like Ritter or Matt DeHart. If Ferris/Slippery actually impeded the internet porn trade CIA would crush him like a bug.

Harry Johnston November 16, 2015 5:38 PM

@MrC:

The CMU researchers are reprehensible because their attack revealed the traffic of all of their victims

That doesn’t seem to be true:

We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up).

I also don’t see any evidence to suggest that all hidden services (as opposed to just illegal hidden services) were being targeted by the attack.

On the whole, the evidence that anyone did anything wrong here seems thin on the ground to me. They may have done, but people seem to be jumping to conclusions rather too quickly.

Alex November 16, 2015 6:07 PM

@Justin

It’s not about helping the FBI vs. the mob. It’s about helping everyone keep their data safe. Vulnerabilities should be fixed, not exploited.

You seem to be arguing that it’s better not to fix vulnerabilities, if the “good guys” can make use of them. That’s the problem.

Cheesy Mediocrity U. November 16, 2015 6:15 PM

You can kind of understand why Carnegie Mellon whored themselves out to the feds. CMU has an endowment per student of .122M, pitifully scanty, particularly for a vocational/technical type school that needs lots of engineering investment. $73M of DoD contracts top that up for them. They’re 14th in national security funding. That means CMU can’t compete for the best talent – Harvard undergrads don’t do windows, and they don’t do black work – but DoD is famously OK with second- and third-rate people.

As working for the FBI Stasi becomes increasingly disgraceful, CMU’s standing will slide but at least they will survive, sucking the federal tit. They will inhabit the same market niche as those fine institutions American Military University, American Intercontinental University, Excelsior College, and Cochise College. Kudzu League, you might say. Not for the offspring of the dominant class – they want real educations. But solvent if a bit malodorous.

Jim November 16, 2015 6:20 PM

Instead, the researchers apparently used this vulnerability to deanonymize a large number of hidden service visitors and provide the information to the FBI.

Wow, this used to be called being a good corporate citizen helping to remove the criminal element from society. Now we are vilifying people who are trying to do good. I think you are starting to go senile, Bruce.

rgaff November 16, 2015 7:07 PM

@Jim

when was breaking into every neighborhood home looking for crime and calling the cops when eventually found considered “good citizenship”?

Clive Robinson November 16, 2015 7:15 PM

@ Alex,

It’s about helping everyone keep their data safe. Vulnerabilities should be fixed, not exploited.

And part of systems being “fixed” is not to design them to be vulnerable to “known classes of attack”.

@ ALL,

Ignoring the moral issues for now and sticking with the technical issues, this attack falls well and truly into a “Known Class of Attack” that I have warned about in the past (and for some reason I appear to have been the only person warning about it publicly).

If you look back on this blog you will find I have repeatedly coughed out my mantra about “Efficiency-v-Security” and how it makes systems “transparent” to timing and other side channel attacks.

Further I’ve also pointed out it allows a down stream attack to be visible against the flow of data upstream.

That is an outsider can reach back through most security devices such as one way firewalls, guards, pumps, sluices and some data diodes into the secure heart of your systems to communicate to malware and the like.

The simple example I’ve given in the past is via creating faults such that error correction propagates back up into the secure areas. I’ve also indicated it’s why the EmSec design rule of “fail hard and long” exists, because it stoppers the bandwidth of this reverse channel down a long way. Fairly easily to less than 1/100,000Hz if you hold off for a little over a day on each error.

The ToR design team did not take the idea of a reverse channel due to the way their protocol worked into consideration.

Now I don’t know if either the CMU researchers or ToR developers read this blog, but if they did and thought about things then after examining the protocol the attack would have been obvious.

Incidentally, if either party is reading this, the game is far from over; the temporary fix the ToR developers have put in will not stop the reverse side channel issue.

So once again I will say ToR is not fit for use against an omnipresent adversary or even one who can just monitor some of the “choke points”. Thus as the FiveEyes straddle the majority of choke points, and the majority of traffic ends up going across US jurisdiction networks you are not safe from US or FiveEye observation at any time…

The problem of transparency giving reverse side channels can be solved but the current ToR architecture is most definitely not the way you want to go to do it. But I’ve been saying that for years as well…

@ Dirk Praet,

The previous suggestions I made in response to your request will fix the transparency issue, but not one of deliberately adding the equivalent of transport level tagging into the protocols (what were they thinking…).

jim November 16, 2015 7:22 PM

@rgaff
No one is breaking into your house or your computer. This activity is happening in the commons of the internet. This is monitoring a common area used by lots of different people. This is just another example of the Tragedy of the Commons.

rgaff November 16, 2015 7:39 PM

@jim

ok, how about breaking into all cars as they drive down the commons of public roads? when was that considered “good citizenship”?

C- November 16, 2015 8:47 PM

Jim plucks a phrase out of the air, “tragedy of the commons.” He doesn’t know what it means. This is Carnegie-Mellon grade discourse.

Certain words you’ll never hear from Jim. He doesn’t know what they mean either. But that’s because he never heard of them. He never heard word one of it because it’s above his current and future pay grades as a Stasi cadet.

HRC General Comment 16, paragraph 8. It’s the interpretive authority for the supreme law of the land protecting privacy rights. Jim does not need to know this because his designated role in life is to attack dissenters for the authorities. He will be trained but not educated. The artes liberales are kept out of his reach because he’s born and bred to be a tool.

Is Jim satisfied with that? Or is he going to start thinking for himself?

Hal Lockhart November 16, 2015 9:43 PM

I would like to understand what is the basis for Bruce’s statement that:

“The researchers discovered this vulnerability and submitted it to CERT. Neither the researchers nor CERT disclosed this vulnerability to the Tor Project.”

This was also stated by a commenter (J Doe) above, but reading the original articles I see nothing that states that both 1) the researchers reported the bug officially to CERT and 2) CERT prevented or delayed informing the Tor project and/or the public. I can find no CERT Advisory on Tor in 2014. (There is one issued by the Tor Project.)

What is the original source of Bruce’s statement? I am not saying it is not true, but it is a serious accusation and as of yet I don’t see the proof.

Justin November 16, 2015 9:51 PM

@The Fighting Stool Pigeons of CMU

… the childish cops-and-robbers locution ‘bad guys,’ …

I see. The ‘bad guys’ who harm children, and view for their own gratification content that by its nature entails harm to children to produce. Come out in force on this forum, all in a panic that some college researchers are threatening to expose them to the dreaded FBI.

The more I read about this “Dark Web,” the less I want to do with it. If this is what you’re hiding on TOR, I really don’t care any more than Ferris how you get caught.

http://fortune.com/2014/09/14/biggest-organized-crime-groups-in-the-world/

CarpetCat November 16, 2015 10:05 PM

Does CMU have a football team that can refuse to play to bring attention to these issues?
I’m so tired and inundated that I really cannot tell what the priorities should b- oh the Kardashians are on bbl…

rgaff November 16, 2015 10:33 PM

@ Justin

“I really don’t care any more than Ferris how you get caught.”

So… you don’t really care if you are personally dragged out in the street at gunpoint, along with all your neighbors, cause we know someone along that block is committing a crime? We’re just ransacking all the houses to figure out who and which crime…

Might I entreat you to move to a traditional dictatorship where that’s common, not pollute my country with that pretty please?

@ CarpetCat

Yeah, I’m aware of that, why do you think I keep going back to this “analogy”… I just wish people like Justin would figure out that this isn’t the best thing before it has to literally happen to, well, EVERYONE…

r November 16, 2015 11:33 PM

@Jimmy!, Jimmy Bob!!, James!!!
RE: BAD MANNERS

Where ya been old buddy? You really should pay me a visit sometime dude.
I desperately need the attenuation.

Anyways,
Here’s looking at you Fort Meade.

    You might be a terrorist if:

  1. You reserve the right to peacefully assemble.
  2. You reserve the right to freely express your opinion.
  3. You reserve the right to be forgotten.
  4. You reserve the right to not be tracked.
  5. You reserve the right to use encryption.
  6. You reserve the right to secure your home and PROPERTY against theft.
  7. You reserve the right to not be spied upon by your neighbors.
  8. You reserve the right against unreasonable searches and seizures.
  9. You reserve the right to use obfuscation.
  10. You reserve the right to not be discriminated against by the banking system.

P.S.
Before ISIS was beheading, they were doin’ it down in Mexico.
AND they were doing it pre-Snowden, without tor AND over their own private networks.

Justin November 16, 2015 11:36 PM

@rgaff

So… you don’t really care if you are personally dragged out in the street at gunpoint, along with all your neighbors, cause we know someone along that block is committing a crime? We’re just ransacking all the houses to figure out who and which crime…

Might I entreat you to move to a traditional dictatorship where that’s common, not pollute my country with that pretty please?

Interesting. Is that a threat now?

@others, lurkers

Does anyone ever discuss computer security for other purposes than to engage in crime?

r November 17, 2015 12:13 AM

@Justin,
If that’s what you get out of this, I feel sorry for you.

Discussing security in any form can only improve the situation.
Discussing security openly can massively improve the situation, it can force the vendor’s hand.
Discussing security responsibly[?] can improve the situation without compromising the security of others if the vendor is listening or cares, if not please see “full/open disclosure”.

How happy would you be if part of the data set CMU has was CIA?
And how happy would you be if instead of them talking to USCERT about it, they went to Russia?
I believe Putin offered his 4,000,000 ruble bounty during the time frame that exploit was running, makes you wonder.

The researchers made a lot of bad decisions, but what do you expect from someone looking to publish at “blackhat”?

Is that a mentality you want at CERT?

P.S. Justin
The gf and I can’t access facebook or ebay at home, we use tor for that (very carefully).

rgaff November 17, 2015 1:04 AM

@ Justin

If you took that as a threat from me, you might want to look up the definition of “entreat” and “threat” and compare.

Not caring in the slightest what lengths are gone to in order to catch criminals is the biggest threat to free society there is. You are the threat, not me.

Justin November 17, 2015 1:37 AM

@r

You do raise some good points. Discussing security in particular can be good for the reasons you state.

How happy would you be if part of the data set CMU has was CIA?

That is no doubt the case, and I’m not happy about that, but the CIA really needs to go old school like the Russians are smart enough to do. Don’t hide in a necessarily weak online anonymity network among child abusers, drug dealers, and hit men if you don’t want the FBI and other law enforcement (not to mention competing criminal syndicates) to pull out all stops looking for you. Put this data together with the OPM leak, fingerprints, and other inevitable leaks, and it’s all but over for CIA.

And how happy would you be if instead of them talking to USCERT about it, they went to Russia?
I believe Putin offered his 4,000,000 ruble bounty during the time frame that exploit was running, makes you wonder.

The Russian mob is number one on that Fortune link I posted. (Солнцевская братва.) The thieves in law go all the way to Putin. I don’t believe for a minute they hadn’t or haven’t obtained the goods on TOR somehow or another.

The researchers made a lot of bad decisions, but what do you expect from someone looking to publish at “blackhat”?

Is that a mentality you want at CERT?

Perhaps those researchers were looking for some notoriety. You don’t say which of their decisions were bad. The FBI appears to be distancing itself from the whole story. http://www.theregister.co.uk/2015/11/17/milliondollar_hole_in_fbi_tor_story/ The TOR people to their credit have warned all along that the service is experimental and not to rely on it for strong anonymity. But what do people do? Rely on it anyways, and blame those that continue to research it.

Technology advances, and it is more and more difficult for anyone to hide these days, whether from cops or from criminals or from foreign spies.

@rgaff

Those criminal syndicates I mentioned are exactly the ones who drag people out of their homes at gunpoint and leave bodies piled up as a warning. What keeps them from doing that in the U.S., if it isn’t the fear of getting caught?

Marcos El Malo November 17, 2015 2:23 AM

Is it possible that the FBI or (more likely) another agency already had an exploit for this vulnerability and needed the CMU researchers for parallel construction? CMU might be gagged by a NSL or FISA court order, although that doesn’t excuse their unethical and possibly illegal acts.

A tangent: someone stated above that CMU was a second or third rate school, in contrast to Harvard (?) which, it is implied, is a first rate school. Is the poster exhibiting ignorance? Harvard is not a renowned engineering school. CMU, while not as well known as Cal Tech, MIT, or Stanford, most certainly is a top school.

Clive Robinson November 17, 2015 5:01 AM

@ rgaff, r,

On the assumption that Justin is not “Trolling for fun or profit”, you have to look at his axioms for his arguments and test their validity.

I won’t go through all of them but needless to say those I have looked at are flawed, thus not axioms but at best flawed assumptions.

To take one example, Justin’s view on the so called “Dark Web”. Firstly Justin appears not to understand what the dark web is and thus conflates it and ToR as a single entity.

Secondly Justin’s apparent view that the “Dark Web” is somehow evil personified, and it’s thus only used for evil. This view appears to be very close to the FUD that various politicians on the make peddle and is in turn based on certain vested interests –such as those that IP exploiters– push for to have significant legislative changes in their favour, that are detrimental if not directly harmful to the majority of people.

Thirdly Justin does not appear to be cognizant of who originally developed ToR and why, and further why the US Government sponsored it and pushed its use for humanitarian and other freedom issues.

Thus my conclusion as I indicated is, if Justin is not “Trolling for fun and profit” then Justin’s premises are “false assumptions”.

Furthermore as Justin does not appear to want to listen to counter argument against the false assumptions… You have to ask as to the reason…

Thus I would advise disengaging from further debate with Justin as it would appear to be a pointless and frustrating endeavor. Thus just state disagreement with Justin’s viewpoint and no more.

Nick P November 17, 2015 8:44 AM

I for one am not worried at all that researchers attacked Tor for the U.S. Research has always been toward a goal with a solid chance of benefiting whoever is funding it or providing a payoff the funder seeks. Companies fund research for I.P. they lock away. Drug industry especially is willing to kill people over the results of R&D. Private researchers, esp of DEFCON fame, are happy to produce all kinds of force multipliers for attackers that they likely wouldn’t have figured out themselves. Not massively, anyway. DOD often does research to improve its military offensive or defensive capabilities. All pretty normal without much complaining by people worried about liberties or life.

So, we find that a group DOD funds let their research benefit DOD in surveilling their targets. (shrugs) We should’ve expected it. I expected foreign universities to have done it before ours but Americans are brought up to respond to financial incentives, eh? 😉 The real worry here is that all it took was one research institute at one University to breach Tor. Just how fragile Tor is against High Strength Attackers is something I’ve warned about for a while. The amount paid ($1mil) and size of the team were pathetically small, too.

In light of that, people should either discourage reliance on Tor if HSA’s are in the threat profile and/or evangelize academics who are ideological to put lots of effort into finding remaining Tor flaws for submission to Tor project. Like with FOSS, it comes down to things not improving unless people work to improve them. There’s a labor element here where the labor is currently on the side of the opponents. The defence has to put up millions of dollars worth of extra vulnerability analysis, too, in hopes of finding these things before opponents. It’s not happening so the opponents will keep finding them first.

B613 November 17, 2015 10:08 AM

A lot of people can be bought, unfortunately.

Look at the overwhelming bias we find in leaders with defense contracting ties. They hope for people who do not have reasoning faculties to listen to them. They preach instinctive fear, and that is it.

The Silk Road case was bunk, and I doubt the ‘1 case of child pornography’ is a valid case. Reeks of a lie they threw on there to make their efforts have the appearance of legitimacy.

If they had a warrant, they had a warrant to surveil one system. Not to attack or surveil all those other, innocent systems. That is breaking multiple federal laws for every instance of attack against every innocent system and every innocent person behind those systems.

Tor is mainstream. It is not a back alley system. People are advised to use high security, and Tor offers that. Had Brennan or OPM used higher security, they would not have been hacked. Had Sony used higher security, they would not have been hacked.

Even if it were not mainstream, there is no justification to break so many federal laws. There is no justification to harm or potentially harm so many innocent people.

If the devil comes to you in the officer uniform with a badge, don’t sell your soul to him for money. Don’t sell yourself for money to anyone.

Cheesy Mediocrity U. November 17, 2015 10:12 AM

@Marcos a Malo, an arc tangent re CMU. CMU does do passable technical work. Where it fails as a reputable institution is the unethical and illegal conduct that you mention. Name brand schools of Harvard’s sort (the Ivy League, the colonial colleges, etc.) have the advantage of being older, richer, and freer. They don’t suffer from CMU’s slavish dependence on Big Brother. CMU’s business model is the same as a shopping mall: the so-called university puts up buildings and rents them out to entrepreneurs. These entrepreneurs subsist on classified contracts, doing the dirty work that the government can’t legally do. This is a pervasive disease. In addition to attacking your privacy rights, Carnegie Mellon apparatchiki help the government disrupt your right to free association:

http://www.hks.harvard.edu/netgov/files/complexity/carley%20paper.pdf

This is an institution you can’t trust. No integrity. Covert support for state repression taints every department in the school. You don’t go there for an education. What you’ll get is state indoctrination. That’s why dominant-class princelings and sharp city kids pass it up.

rgaff November 17, 2015 10:28 AM

@ Justin

You say you’re willing to go to ANY lengths to catch criminals… I ask if you are willing to be yanked out of your house at gunpoint by your government, because police are ransacking all houses in your neighborhood trying to figure out what crimes everyone has committed, and you refuse to answer? Just redirect and imply that that’s ok because the “terrorists” use such tactics? You are obviously just trolling. You refuse to see if it’s plain as the nose on your face. What department do you work for? Why is absolute power so important to you? What is your position?

@ Clive Robinson

Yep, I’ve come to the same conclusion, I’m just a little slower than you. At this point, I think my only engagement should be for the sake of other passers-by reading, similar to how we should treat Skeptical.

Justin November 17, 2015 2:40 PM

To take one example, Justin’s view on the so called “Dark Web”. Firstly Justin appears not to understand what the dark web is and thus conflates it and ToR as a single entity.

And I2P, and no doubt others? I think all of us here, myself included are quite aware of the analogous distinction between the “World Wide Web” and the “Internet.” The point of emphasizing this is … ???

You say you’re willing to go to ANY lengths to catch criminals…

There are definitely criminals who will go to ANY lengths to obtain or deliver crack cocaine, compel prostitution, carry out hits, torture, theft, burglary, arson, etc., etc., etc.

Perhaps you are privileged to live where law enforcement protects you from such things…

The Silk Road case was bunk,

You people are afraid of law enforcement yet you see nothing wrong with a drug dealer committing murder by hire… Perhaps you are naïve, idealistic, and haven’t been exposed to, or victimized by, serious organized crime. I leave you with a quote for now:

“And the light shineth in darkness; and the darkness comprehended it not.”

Harry Johnston November 17, 2015 2:54 PM

@All: is it really necessary to accuse people of being dishonest for no better reason than that they disagree with you?

Relevant.

Also, a question: given Tor’s original purpose (as I remember the history, and as described on the overview on their web site) it is obvious how anonymous browsing fits in, but how do anonymous sites (“hidden services”) fit in? I don’t see any obvious legitimate use – I don’t see why dissidents in Iran, say, need to run a hidden service in Iran rather than a normal web site in the US or Switzerland (administered and accessed via Tor).

I’d also be interested in argument (links are fine) as to how running a hidden service constitutes a human right and/or a civil right via the US constitution. (Ideally, for the latter, I’d like to see an analogous legal precedent from the pre-internet era.)

Nick P November 17, 2015 3:05 PM

@ Harry Johnston

The idea is to make it difficult to connect point A to B in terms of who’s doing what. This reduces chance of targeted attacks or retribution. A website hosted in the U.S. certainly doesn’t. This should be obvious after so many defacements and damage to people in real life by hackers that started with online accounts or web site. Anonymous’s trolls and vigilantes are particularly known for being experts at it.

Far as legitimate uses, there are many that apply to all sorts of people. This includes intelligence operatives, too. So, not only does Tor security protect many legitimate uses: leaving in Tor vulnerabilities puts police and intelligence officers using it at risk in event foreign governments can find them. Throwing away a whole country or network’s worth of security/safety to eavesdrop on a select few is the kind of moral calculus I’ve come to expect of Five Eyes agencies, though.

The public November 17, 2015 3:26 PM

@Harry, we don’t have to justify our activities to you, as we are exercising our right to freedom of association under ICCPR Article 22. Let me guess, you’ve never heard of that, right?

Dirk Praet November 17, 2015 4:23 PM

@ Harry Johnston

I’d also be interested in argument (links are fine) as to how running a hidden service constitutes a human right and/or a civil right via the US constitution.

I also don’t know of any laws that regulate the right to play a guitar. In most civilised countries, the general principle for the public is that everything that is not explicitly forbidden is allowed, while conversely for governments everything which is not explicitly allowed is forbidden.

As to running a Tor hidden service, I believe that falls under freedom of speech and freedom of expression from government interference, as guaranteed under your own 1st Amendment to the United States Constitution. That’s pretty basic stuff, actually.

Henry November 17, 2015 7:30 PM

@ Justin, others

“Does anyone ever discuss computer security for other purposes than to engage in crime?”

As we’ve seen with full disclosures, revealing of security holes isn’t ideal for the sake of security sometimes especially when left unfixed. But for the sake of discussions, people are discreet when it comes to. Most “discussions” on the net I think are coming from hobbyists who do not practice their said art as their profession but find it entertaining, because for professional work there are tech bulletins and conferences to attend. So IMHO, yes.

“There’s this demonization of the FBI, but trust me, there are far worse people than the FBI out there. Just a guess, don’t you think some of those organized crime cartels can crack TOR?”

I think so and there are those quietly selling solutions for profits I assume, but I doubt it’s a crack on the TOR but rather sort of side channel attack outside or within the tor nodes. What do you think?

rgaff November 17, 2015 8:03 PM

Hey, just because criminals will go to ANY LENGTH to commit crimes, doesn’t make it ok to go to ANY LENGTH to stop them… I mean… nuking whole cities will stop them, you want to do that? That’s ANY LENGTH…… So don’t be stupid.

rgaff November 17, 2015 8:26 PM

By the way, just because there are far worse people out there than X doesn’t mean I should shut up about the horrible crimes X is committing. Especially when X is my very own government! Use some logic…

Nick P November 17, 2015 8:42 PM

@ Justin

“Perhaps you are privileged to live where law enforcement protects you from such things…”

Nah, I actually have lived in and around one of the areas of the U.S. that stays all over the top 10 in those things. I get to see the damage they do, the damage the cops do, the tactics of each, and so on. I’ll say first-hand the cops worry me more than the organized crime. Crooks mostly focus on the things and areas that benefit them. Most people are unaffected. Whereas police overreach affects everyone in my area(s) mostly to the financial benefit of those areas’ governments. National news shows this isn’t an exception rather than a rule for many parts of the country.

So, I’m speaking from the perspective of having dealt with law enforcement that had the same high and mighty viewpoint you share. They, similarly to federal LEO’s/TLA’s, have very little accountability. The results have been them being much scarier than the crooks themselves and able to make a victim out of anyone. That’s not even considering all the profitable deals that build up between such immune-to-scrutiny-or-prosecution police and organized crime. Strange your comments haven’t foreseen the fact that such power and secrecy benefits partnerships with criminals more than prosecuting them. Things just get worse from there as one digs in.

So, given two options, I prefer a world where we balance liberty against protection. I also assume that secrecy + money + power = corruption in almost every scenario given that almost every organization (including U.S. LEO’s) proved that true. Still are. So, I’m willing to take on risk from mere criminals (see concealed carry for self-defence) to keep the police and intelligence agencies of the nation from becoming the corrupt force they are where I’m at. The arbitrary power + difficulty of prosecution is a tough combo when it targets an individual.

Anyone who thinks they’ll stay perfect boy scouts in such an environment watches entirely too much TV.

Sina November 17, 2015 9:14 PM

To First comment: are you sure that every single ip that was handed to the FBI belonged to a criminal? And FBI only visited criminals?

Justin November 17, 2015 10:36 PM

@Nick P

I’ll say first-hand the cops worry me more than the organized crime. Crooks mostly focus on the things and areas that benefit them. Most people are unaffected.

Wow. That’s a complacent attitude. And it shows whose side you are on, what side of the law you hold yourself to.

I was working on a job one time, and I was filing one of those innumerable government forms, (which happened to be called a Statement of Intent to Pay Prevailing Wages,) and it came to light that the general contractor on the job was not licensed, bonded, or insured. Strange, because the state governor had been personally involved in approving the project. Some officials from the Army (I heard they were colonels,) ended up being fired, because in a felony violation of the Miller Act, they had improperly disbursed government funds to a contractor who was not properly bonded for payment and performance. They retaliated for the discovery of their crime by burning my boss’s office down, and for cover they burned the neighbors’ barn down, too.

Maybe you tolerate crime and corruption in the M.I.C. or look the other way when it happens. I don’t. When the victim is Uncle Sam, the victim is all of us.

So, I’m willing to take on risk from mere criminals (see concealed carry for self-defence)…

That part I agree with.

Perhaps part of the reason you perhaps see my point of view as harsh is that (by little more than being in the wrong place at the wrong time) I’ve made enemies of organized crime, and they continue to harass me from time to time in various ways. So I am not one of those “most people” who are “unaffected.”

Clive Robinson November 18, 2015 2:02 AM

@ Harry,

… but how do anonymous sites (“hidden services”) fit in? I don’t see any obvious legitimate use – I don’t see why dissidents in Iran, say, need to run a hidden service in Iran rather than a normal web site in the US or Switzerland

There is a perfectly legitimate use for them technically, to do with network topology, for the same reason as clients.

ToR is susceptible to choke point attacks of various kinds. Not just in theory but in practice ToR traffic can be identified and stopped at a choke point. Thus a server in Switzerland ToR or otherwise can be cut off from Iran or China or anywhere else by a “National Firewall” choke point.

So to prevent being cut off the server needs to be “in hostile country” on the client side of the choke point.

Thus the server is made “part of the ToR network”, which is what should also be done with the clients but is currently not with ToR.

For mix networks to be secure from the likes of traffic analysis there should be amongst other things no “end points” that an attacker can see and thus instrument to make correlations. The legendary “Gordian Knot” was like this, because you could not find an end point/thread to pick at.

Clive Robinson November 18, 2015 4:32 AM

@ Justin,

Wow. That’s a complacent attitude. And it shows whose side you are on, what side of the law you hold yourself to.

You’ve kind of shot yourself in the foot there.

@Nick P made other comments you chose to ignore to the effect that sufficient numbers of cops were not just on the same side of the fence as the crooks but actively in bed with them. Further that the secrecy (sometimes called “The Blue Oath of Brotherhood”) kept the other cops siding with them, thus in effect the cops are on the same side as the criminals and actively preying on the rest of society that sees itself as on the other side of the fence as does Nick P.

Thus one might conclude that you actually see yourself on the same side as the criminals/cops.

Would you care to rethink and restate based on what has actually been said?

And before you ask, as for me my Scottish ancestors had the view of “Me and Mine”, in that “If you do not threaten or harm me and mine, then go peacefully, lest you earn my ire.” It is perhaps a simple view on life but actually at the end of the day boils down to the most equitable for all.

Nick P November 18, 2015 5:43 AM

@ Justin

“Maybe you tolerate crime and corruption in the M.I.C. or look the other way when it happens. I don’t.”

Did you even read my comment? I expected you’d reply after doing that and with assumption that I supported U.S. Constitution. The latter is significant because it establishes legitimate bounds for government plus rights for people. Past that, people trampling on law in or outside of government are to be charged, given a fair trial, and sentenced if convicted.

Had you read that, you’d see my problem with eliminating Amendments on silence, search, and due process with police state-like legislation. You’d understand my problem with secret police immune to prosecution, secret courts, secret interpretations of law, parallel construction undermining due process (seen first hand), torture flights that skirt local law, and so on. The MIC you mentioned are main ones doing all that and with immunity.

That’s on top of local police corruption aimed to line their city’s pockets or max a prosecutor’s conviction rate. Collectively terrifying for people on my side of the law: law abiding citizens regularly shook down for cash or threatened with imprisonment without due process or ability to confront accuser. At least I haven’t been robbed with “civil forfeiture” where they’ve stolen billions from citizens without charges or trial.

So, you dodged my points (which were clear to Clive), assumed all cops are innocent, assumed I’m a crook cuz I thought otherwise, accused me of wanting corruption in MIC, then supported secrecy/immunity that maintains that (huh?), and then continued your original assumption that Tor is relevant to the problems you have with organized crime. Because the Mafia, etc appeared after and exclusively exists with tech like Tor. Lmao…

You seem to live in an alternate reality from the rest of us. Feel free to comment on some things I actually said this time. Keep in mind the context of a balance of power between potential criminals in government and in the public whose rights/responsibilities are in Constitution.

L Jean Camp November 18, 2015 2:50 PM

What made the attacks immoral is that they are in direct violation of the most basic ethical governing requirements. It is called the “Common Rule” for a reason.

Certainly their actual refusal to provide information on the vulnerability, when asked point blank, by the Tor developers was unethical. It does not violate long-standing research practice or well-known oversight and compliance requirements. The vulnerability disclosure argument is ORTHOGONAL to the ethical issues.

Certainly National Security letters are a threat. Potential harm to subjects is why we have the Common Rule. Keeping data such that the experimental subjects were harmed is something that would have been prevented by following basic ethical, professional standards.

The Common Rule, now, under law, if CMU violated this Federal funding could be stopped. So this is, in fact, a big deal. As more research is done on IoT where physical harm is an issue it becomes more important that researchers engage in careful harm prevention. The Common Rule applies because the research was on people, not on an isolated implementation of Tor in the lab.

“(ii) any disclosure of the human subjects’ responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects’ financial standing, employability, or reputation.”

is clearly the case here.

§46.101 To what does this policy apply?
(a) Except as provided in paragraph (b) of this section, this policy applies to all research involving human subjects conducted, supported or otherwise subject to regulation by any federal department or agency which takes appropriate administrative action to make the policy applicable to such research. This includes research conducted by federal civilian employees or military personnel, except that each department or agency head may adopt such procedural modifications as may be appropriate from an administrative standpoint. It also includes research conducted, supported, or otherwise subject to regulation by the federal government outside the United States.

(1) Research that is conducted or supported by a federal department or agency, whether or not it is regulated as defined in §46.102, must comply with all sections of this policy.
(2) Research that is neither conducted nor supported by a federal department or agency but is subject to regulation as defined in §46.102(e) must be reviewed and approved, in compliance with §46.101, §46.102, and §46.107 through §46.117 of this policy, by an institutional review board (IRB) that operates in accordance with the pertinent requirements of this policy.

Harry Johnston November 18, 2015 3:15 PM

@Nick, the only example of hidden services I could see in the list you provided was the military seeking to hide the physical location of their command and control bases. Which I suppose makes sense given Tor’s history, so that answers that part of the question, but is not quite what I was looking for. (But see Clive’s answer.)

I’m not sure I understand what you mean about targeted attacks. Couldn’t Anonymous hack a hidden service nearly as easily as a public web server?

@”The public”, I didn’t ask you to justify anything. But since you’ve mentioned it, how exactly does article 22 guarantee you the right to a hidden service? Put another way, what do hidden services have to do with freedom of association?

… in the real world, freedom of association doesn’t exempt (for example) Mason meeting lodges from having building plans properly registered with the local council. In most of the world I don’t think it makes it illegal for a surveillance camera put in a public place to cover their front door, either. (I’d be delighted, however, if you can point to a legal decision saying that article 22 does in fact prohibit that.)

@Dirk, that’s a fair point, but I wasn’t suggesting that hidden services were or should be illegal. As for the 1st Amendment, I don’t see it. The government needs a warrant to find out who authored a web page (at least in theory!) so I’d have thought that would be considered sufficient free speech protection; I’m not sure the argument that without hidden services you can’t have free speech would stand up in court.

Finally, for the record, it isn’t my 1st Amendment; I’m a New Zealand citizen, and we don’t even have a constitution, never mind a 1st Amendment to it. 🙂

@Clive: OK, that makes sense. (Although I don’t see what’s stopping repressive governments from stopping people from running servers at all, or requiring a license.)

In the Shadow of a Murder of Ravens November 18, 2015 3:32 PM

@Harry Johnston

All: is it really necessary to accuse people of being dishonest for no better reason than that they disagree with you?

Harry, yes, I disagree with Robert Hanssen, an FBI spy for Russia who broke many laws. I disagree he should have broken those laws.

I disagree with ‘dirty cops’, in general, be they federal or local or state — or anything else.

And there are and have been a lot of dirty cops.

It is a constant problem. There is a related problem: a lot of their co-workers will often cover for them. Even if they themselves are not involved.

I am not talking about speeding, or double parking when you do not have to. Hell, I am used to seeing all sorts of transgressions, many of which might make you puke. And I do not have a problem with them.

I do not mind saying that. And I will be right with you saying, “Hey. They are public servants trying to do their job. So give them some slack.”

Some transgressions, they just have to go down for.

Some transgressions just ruin cases.

This case? The only reason it was not immediately thrown out because of the behavior here is because the lawyers clearly did not understand the law. They do not understand the technical details involved, and they are probably pretty slow on the technical law itself.

Because this was done, there is a very good chance for the case to be thrown out on appeal.

All that aside, I can get the parties involved being ignorant of the details. But, if you have come this far, hopefully you have read the articles and followed up on the case. And so you know a lot of federal laws were broken here when they hacked the network up.

Maybe they were smarter than this. Maybe they are expecting for that to not be able to be proven. After all, who is going to confirm these hacks, with specific data that proves identities of who was hacked, and what data was hacked? Maybe they will get away with it.

Even if that is the case, no, the FBI, above all, should not be breaking federal wiretap and computer hacking laws. This sends a very bad message to the world.

It sets a very bad precedent for citizens, for other FBI agents, for agents and officers of other national, state, and local authorities.

So, yeah, I agree to disagree there.

Controlling unauthorized computer hacking and wiretapping is important to me, and it is important in my industry. Last thing we need is when the federal authorities are saying, “It is not important” by disregarding the law.

Also, a question: given Tor’s original purpose (as I remember the history, and as described on the overview on their web site) it is obvious how anonymous browsing fits in, but how do anonymous sites (“hidden services”) fit in? I don’t see any obvious legitimate use – I don’t see why dissidents in Iran, say, need to run a hidden service in Iran rather than a normal web site in the US or Switzerland (administered and accessed *via* Tor).

I’d also be interested in argument (links are fine) as to how running a hidden service constitutes a human right and/or a civil right via the US constitution. (Ideally, for the latter, I’d like to see an analogous legal precedent from the pre-internet era.)

Whenever I hear this sort of argument, I think: you know, I know you would not like me to hack your system unlawfully.

You think it is okay to hack others, but not yours.

That is what it boils down to.

I have worked at a lot of places where there is a lot of information at my disposal. I have handled a lot of significant zero security vulnerabilities. And, this sort of thing you are talking about? I would never do.

I have seen a lot of private data, lawfully. And I do not go, “Oh, look at this sex video, guys”. I treat it professionally and objectively. And with appropriate seriousness.

See, you are squirming around with definitions, trying to justify hacking. Arguing stuff, which is not true, but you want to believe it. “Oh, well, probably just pedophiles and terrorists use tor”. That is crap. That is what Saudi Arabia, North Korea, China says.

Tor is strong security and it is mainstream. Not in your age group? Okay. Teenagers, twenty somethings use it. We should all be able to use it, or something like it.

Should you downgrade your security, so we can view what porn you view? Maybe you have an affair? What are your secrets? Surely you don’t tell everyone all of your secrets? Surely, you have layers to your self. There is the business you, the home you, the best friend you… layers of intimacy. You have a right to privacy, right? Why fight against that for others? Because doing so you are fighting against that for your own self.

That is the law of hypocrisy, ‘what you allow done to others, you allow to be done to your own self’.

By my book, anyway, a ‘good person’ is one who tries to be as little of a hypocrite as possible.

Now… I know a lot of people have different moral standards than me.

Some find that very unimportant. They are more interested in lists of rules which they can apply to others. It is robotic, but works for them.

As for these questions “anonymous servers”, “who uses tor”, really, it is all just: why should Americans and Westerners, or other ‘free nation’ folks be allowed to have maximum security?

What do you have to hide? Nobody cares about your sexting between you and your spouse, or your political and religious views you may not want your coworkers to know about. How about your ‘drunk face’, or some opinion you gave in private you would not want everyone else knowing?

Reality is, everyone has a lot of very legitimate reasons for privacy.

I, btw, have been in plenty of situations where there is zero privacy. It is something I believe everyone can adapt to. With great difficulty. But, for others to fathom this or be forced to be subjected to it? I would not think that is reasonable.

And never mind in all of this the right for your private personal and business data to not be made public.

SSL or Tor… both security systems.

“Dark web servers”? That is another issue. But, as I know it is trivial to hack such servers or identify them, because, as I have said, had thousands of zero day in my hands before… this is a non-issue.

I also know for a fact that the FBI has zero day. I know where they farm their zero day, one of the firms anyway.

I do not name that, because both parties have a right to privacy. Contrary to what skeptics like your self would say. (And FYI, it would not be unlawful for me to do so. Just, a thing called “honor”, perhaps? Anyone? Are some generations just that jaded?)

The Public November 18, 2015 5:19 PM

@Harry, stop arguing like a manipulative weasel. The burden of proof and the presumption of overreach lies on you statist apparatchiks. If you presume to restrict my freedom of association, get to work and justify your repression based on one of the four specified and precisely delimited criteria for derogating free association rights. Be sure you meet legality and necessity tests, and bear in mind that the public order criterion entails respect and protection for all human rights including privacy and information freedom.

Even as a subject of a 5-eyes satellite state, you ought to know this. I’m not your remedial-education tutor. This has been your law in New Zealand since 1978. Or does New Zealand keep its proles in the dark about their rights, USA-style?

Harry Johnston November 18, 2015 6:16 PM

@In the Shadow of a Murder of Ravens,

And so you know a lot of federal laws were broken here when they hacked the network up.

I couldn’t find any evidence to support this claim, which is why I originally suggested Bruce had jumped the gun on this one. But if sufficient evidence has since turned up, then a criminal complaint should be laid. Or a lawsuit. Or a research ethics complaint, if it turns out it really was a research project. That’s all fine with me.

But I think you missed my point when I talked about dishonesty – it wasn’t anything to do with this case, I was talking about the way some people here (not you) were treating Justin and others. In particular, I don’t think it is appropriate to accuse other posters of being government PR agents for no better reason than that they dared to disagree with you.

See, you are squirming around with definitions, trying to justify hacking.

No, you’re jumping to conclusions. I just asked some questions.

@The public:

So what crawled up your butt and died? All I did was ask some questions. (And I don’t have a burden of proof, for the bloody obvious reason that I’m not trying to prove anything.)

Did you read the link I posted before? It might help.

(And no, I’m not trying to “presume to restrict” your freedom to be an asshole. I’m just suggesting that it isn’t really a great way to convince people of the rightness of your position.)

Dirk Praet November 18, 2015 6:19 PM

@ Harry Johnston

I’m not sure the argument that without hidden services you can’t have free speech would stand up in court.

Because the argument in itself is flawed. A hidden service by all means is a form or method of free speech. Forbidding it because it can also be used for bad or illegal purposes would constitute prior restraint which again is unconstitutional under the 1st Amendment to the US Constitution.

I have no idea whatsoever what Kiwi law says about this but I would welcome any effort on your behalf to do some research on the subject and educate us about it. After all, I just did you the favour of explaining how I believe it would be interpreted under US law.

Clive Robinson November 18, 2015 6:26 PM

@ Harry,

Although I don’t see what’s stopping repressive governments from stopping people from running servers at all, or requiring a license.

It falls to what is and is not practical for a government to do (repressive or otherwise).

For the reasons of “economic development” most governments allow foreign companies to work with their citizens within their borders (even North Korea has done this). No matter what is publicly said there is often little or no trust between the company and the government (Google & China etc). Because of this the company will insist on VPNs etc to protect trade secrets etc and the government in effect has to kowtow or not get the economic development and its benefits.

The more foreign companies there are the harder it is for a government to keep tabs on them. For a small government it quickly becomes impractical to do more than occasional random sampling.

It’s also possible for the tech savvy to hide a masquerading server using the same IP address, upstream of a real server. You just insert a router box that acts as a Network and Port address translation device with the hidden server actually being on the router box or hanging off of one of its spare host adapters etc. Upstream of this box the two separate servers appear as one [1] for most practical examination, thus if the Tor traffic is run over a VPN link of the same type as the company VPN it would be easy for the government techs to make the mistake of thinking that they are the same server (even though they are not).

There are other tricks you can use to hide a server as a shadow of another, even hiding the shadow traffic within the server traffic using the same IP address and port number [2].

So it’s more than possible to hide a server such that it can not easily be found by the government, thus does not require they be notified or the server licensed.

I hope that helps you see what can be done to make a server invisible to a government by sufficiently savvy technical bods with suitable access. Look on it as being the flip side of what the NSA did with US and other Nations telcos.

[1] There is a way by examining TCP time stamps to see the “clock drift” and thus determine that two separate servers are in use as they have different clock drift rates. However if you are smart enough you can arrange for your hidden service to be slaved to the company server drift rate [2].

[2] As in all good text books the solution to this “Will be left as an exercise for the reader”.
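
The clock-drift check mentioned in footnote [1], as an added example that is not part of the original comment: it estimates each TCP flow's sender clock skew from (receive time, TSval) pairs with an ordinary least-squares fit, then groups flows to one address by skew, which is how an auditor would notice a second host behind an address they are responsible for. The function names, the 5 ppm tolerance, the candidate tick rates and all sample data are assumptions constructed for illustration.

```python
# Added example (not from the original comment): clock-skew estimation
# from TCP timestamp (TSval) samples. All sample data is constructed.
import random

TS_WRAP = 2 ** 32                  # TSval is a 32-bit counter (RFC 7323)
COMMON_HZ = (10, 100, 250, 1000)   # assumed candidate tick rates


def unwrap(tsvals):
    """Make a wrapping 32-bit counter monotonic."""
    out, base, prev = [], 0, None
    for v in tsvals:
        if prev is not None and prev - v > TS_WRAP // 2:
            base += TS_WRAP        # counter wrapped past 2**32
        out.append(v + base)
        prev = v
    return out


def nominal_hz(times, ticks):
    """Snap the observed tick rate to the nearest assumed common value."""
    rate = (ticks[-1] - ticks[0]) / (times[-1] - times[0])
    return min(COMMON_HZ, key=lambda hz: abs(hz - rate))


def skew_ppm(samples):
    """samples: [(rx_time_s, tsval), ...] for ONE TCP flow, in arrival order.

    Returns the sender's clock skew relative to the observer's clock,
    in parts per million, as the slope of (sender time - observer time)
    plotted against observer time.
    """
    times = [t for t, _ in samples]
    ticks = unwrap([v for _, v in samples])
    hz = nominal_hz(times, ticks)
    xs = [t - times[0] for t in times]
    ys = [(k - ticks[0]) / hz - x for k, x in zip(ticks, xs)]
    xbar, ybar = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    den = sum((x - xbar) ** 2 for x in xs)
    return 1e6 * num / den


def group_flows_by_skew(flows, tolerance_ppm=5.0):
    """flows: {flow_name: samples}. Flows whose skews sit within
    tolerance_ppm of a neighbour are taken to share one clock.
    More than one group means more than one clock behind the address."""
    ranked = sorted((skew_ppm(s), name) for name, s in flows.items())
    groups, last = [], None
    for skew, name in ranked:
        if last is None or skew - last > tolerance_ppm:
            groups.append([])
        groups[-1].append(name)
        last = skew
    return [sorted(g) for g in groups]


def synth_flow(true_skew_ppm, start_tsval, seed, hz=1000, n=300, step=2.0):
    """Constructed capture: one segment every `step` seconds, 1-6 ms of
    network delay jitter, TSval ticking at hz * (1 + skew)."""
    rng = random.Random(seed)
    samples = []
    for i in range(n):
        sent = i * step
        ticks = int(sent * hz * (1 + true_skew_ppm * 1e-6))
        tsval = (start_tsval + ticks) % TS_WRAP
        samples.append((sent + rng.uniform(0.001, 0.006), tsval))
    return samples


def constructed_flows():
    """Three constructed flows to one address: two from a clock running
    18 ppm slow (one of them wraps TSval mid-capture), one from a clock
    running 41 ppm fast."""
    return {
        "flow-a": synth_flow(-18.0, start_tsval=1_000_000, seed=1),
        "flow-b": synth_flow(-18.0, start_tsval=TS_WRAP - 100_000, seed=2),
        "flow-c": synth_flow(41.0, start_tsval=77_000_000, seed=3),
    }


if __name__ == "__main__":
    flows = constructed_flows()
    for name in sorted(flows):
        print(name, round(skew_ppm(flows[name]), 1), "ppm")
    print(group_flows_by_skew(flows))
```

A single group is not proof of a single host: as the footnote says, a machine whose clock is disciplined to the same drift rate as its neighbour lands in the same group.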

Nick P November 18, 2015 7:15 PM

@ Harry Johnston

“the only example of hidden services I could see in the list you provided was the military seeking to hide the physical location of their command and control bases.”

Others have responded and I haven’t read the comments as they’re long. I’ll give you the short version: many use cases that can be protected with Tor can be better protected with hidden services. It’s just more effective anonymity. Remember that a main principle of Tor is getting lost in crowds, which means pervasive deployment is a goal. So, you’d see the communication tech, controversial blogs, help sites for abused women, and so on accessible as hidden services instead of Tor connecting to websites. And the anonymity/security would improve significantly over stuff coming out exit nodes.

That’s the idea. The use cases you’re not seeing are often just incidental to currently low uptake by app/site/service users and creators. That’s all. As usual, work continues on and supporters protect hidden services anyway because it’s better to have and promote something strong than accept something weak on basis of present popularity.

Harry Johnston November 18, 2015 7:34 PM

OK, not sure what was going on there.

@Dirk,

Because the argument in itself is flawed. A hidden service by all means is a form or method of free speech. Forbidding it because it can also be used for bad or illegal purposes would constitute prior restraint which again is unconstitutional under the 1st Amendment to the US Constitution.

I suspect your argument proves too much. If that were true, time, place, and manner restrictions would also be unconstitutional, as would be regulations covering cellphones and so on.

Ensuring that warrants can be served would seem a significant government interest, so I’d have thought it could pass intermediate scrutiny. But I’m not a lawyer, I just read Popehat a lot. 🙂

As for New Zealand, we have no constitution, so if our government were to outlaw hidden services there would be no realistic avenue to challenge that law in the courts. We’d have to wait until the next elections and try to vote in a party willing to change the law. (There is already a law against anonymous election campaigning, one I strongly disagree with.)

@Clive,

Thanks, again very helpful. I’m surprised though at the idea that foreign companies would risk their business in China (for example) in order to establish (putatively) illegal Tor nodes. It should also be straightforward for the government to firewall them off so that their internet connection is only good for international traffic and/or unencrypted local traffic. (However, the fact that China hasn’t done this strongly suggests that there are good technical reasons not to.)

@Nick: that makes sense. Thanks.

The Public November 18, 2015 7:49 PM

@Harry, stuff your link. You are not the tone police. That is a hackneyed passive-aggressive trick for obtruding authoritarian frames (like yours: are civil society associations ‘legitimate,’ are they needed…) The italicized exactly is an asshole hallmark. Of course you’re not trying to prove anything, you’re demanding that other people prove stuff to you. You don’t give assignments here.

Ergo manipulative. Look it up in the google.

Your deep-seated confusion is more concerning. The idea that privacy interference is okey-dokey unless human rights law prohibits it makes your antipodean enclave sound pitifully totalitarian. Your concept is entirely bass-ackwards.

The Kiwis enacted Public Act 1987 No 86. You were the last US satellite with balls. What happened to you?

Harry Johnston November 18, 2015 8:03 PM

You are not the tone police.

Are you the question police? If you can complain about the questions I ask, I think I can complain about your tone.

And I haven’t made any demands. I simply asked questions, which have been for the most part satisfactorily answered. (You should notice that their tactic of answering my questions was far more effective than your tactic of questioning my motives for asking them. That’s pretty much what Scott’s article is all about, but hey, if you don’t care to learn to communicate effectively all I can say is good luck with that.)

[Everybody else: I’m going to try to ignore this guy from now on, but my GAD may get the better of me. If so, please accept my apology in advance.]

Dirk Praet November 18, 2015 8:07 PM

@ Harry Johnston

If that were true, time, place, and manner restrictions would also be unconstitutional, as would be regulations covering cellphones and so on.

Not at all. If a hidden service is violating existing legislation or regulation (e.g. used to sell drugs), then it is only logic itself that legal action is undertaken and a warrant served. The entire idea behind the hidden service, however, is to prevent it from being traced back to the owner, just like encryption is preventing a message from being read by anyone but the intended recipient.

Since both can be used for either good or bad – which @Nick P has tried to explain to you – and ultimately are a method of free speech, it is impossible under the 1st Amendment to ban either.

Harry Johnston November 18, 2015 8:45 PM

@Dirk, am I mistaken in thinking that cellphones in the US have to comply with FCC regulations? If not, what distinguishes your argument from “non-compliant cellphones are a method of free speech, so it is impossible under the 1st amendment to ban them”? It seems a close analogy; the practical answer is that you can use a compliant cellphone instead, just as you can use an ordinary web site instead of a hidden service.

(United States v. O’Brien also seems relevant. But again, I’m not a lawyer.)

The Public November 18, 2015 9:00 PM

Lookit Harry hamming it up with the tsk-tsk, fishing for group support of his sea lioning and denying everything when he gets busted for it. Digging in deeper with the manipulation.

Funny how you question privacy and freedom of association but you don’t question why you kiwis bend over for full XKEYSCORE take in breach of New Zealand’s own GCSB Act and NZSID 7.

What kind of kiwi are you?

Clive Robinson November 19, 2015 3:04 AM

@ Harry,

I’m surprised though at the idea that foreign companies would risk their business in China (for example) in order to establish (putatively) illegal Tor nodes

You are making the assumption that the company management knows and condones it.

That may well not be the case, in fact recent history shows that management rarely knows what is going on at the lower levels especially when it involves a field of endeavor they have little interest or knowledge of.

Even when they do there may be other incentives to turn a blind eye.

I suspect that when a well known expert retires he might write a book on such things. Having had personal experience of a major company doing things that were at best shady if not downright immoral can cause you a bit of a reality shock. I’ve been through it after a takeover and to say you feel upset when the customers are deliberately exploited by senior management in an underhanded and deceitful way and management expect you to pretend to the customers “all is well in the world” whilst what you built up is destroyed in front of your eyes, is an experience I would not wish on anyone. In my case after leaving I subsequently found out the company very deliberately pretended I was still working there and had set about ruining my name in the industry. Lawyers had to get involved but I did not have the finances to fight one of the largest publishing houses, so they just sacked other staff and guess what blamed it on me to the parent company management and various other managers within…

In the Shadow of a Murder of Ravens November 19, 2015 10:08 AM

@Harry Johnston • November 18, 2015 6:16 PM

And so you know a lot of federal laws were broken here when they hacked the network up.

I couldn’t find any evidence to support this claim, which is why I originally suggested Bruce had jumped the gun on this one. But if sufficient evidence has since turned up, then a criminal complaint should be laid. Or a lawsuit. Or a research ethics complaint, if it turns out it really was a research project. That’s all fine with me.

Okay, so you are not a researcher, and not IT security or something — so, nobody requires a license to be a “researcher” under DMCA. All sorts find security vulnerabilities and so perform “computer security research”. Including criminal hackers.

So, security bug finders have a right to test applications on their own systems, but not on others’ systems. And, really? That is as simple as it gets. So, no license needed. If you are smart enough to know how to find vulnerabilities, you are surely smart enough to know the really very simple laws.

It is even simpler than owning and using a gun. Actually, much simpler.

Did they break laws? Yes, as the evidence denotes, they certainly did break laws regarding unauthorized computer access (hacking) and wiretapping — both federal laws. And for each case of each system they did this to.

Why? Because they certainly did not get warrants for those systems.

Can this be pursued? As I noted, ‘maybe not’. What I did not note is that primarily, the FBI needs to be ethical, lawful and present the manner in which they performed these tests.

Further, the FBI is a division of the DoJ, and this means the prosecutors are in their same branch of government. The prosecutors took this bust as a high value political bust. They have ample reason not to pursue any irregularities.

Further problem is, it is difficult to understand material, so it is difficult to get a wide public concern enough to overturn that.

It might be leverage, still, however, for the defendants on appeal.

Break the law… not break the law… they certainly broke the law. And they did it in a very, very bad way for authorities to do this, frankly. They did it so everyone sees it.

While the widespread public won’t get it, every hacker sees it. Every hacker who their own selves might break the very same computer hacking laws.

That, obviously, sends a bad message.

‘When the authorities break laws the people are corrupted’ — as the old saying goes.

Further, this sends a message to all other US authorities about disregarding hacking and wiretapping laws. With the signature “Department of Justice” and “FBI” across it. And it speaks of something else — when criminals are at the stage of intentionally leaving clues instead of hiding those clues, they are at an advanced stage of their actions. They are flaunting.

That means they are on a powertrip and believe they can not be caught. (reference, Robert K. Ressler, fmr FBI BSU, ‘how to interview a cannibal’, etc)

Though I just add that reference ironically. It is certainly disturbing to see federal authorities getting out of control and running amok.

My alarm here is because there is a significant pattern of this in the FBI cybercrime division.

You can see tip of the iceberg shadows of the corruption going on in federal domestic, by noting not one, but at least two federal officers were shown to be significantly dirty and specifically involving this case.

These sorts of messages, therefore do have influence. People say, “Others are cheating, why not me”.

In another very large case, involving Anonymous, “Sabu”, a Chicago pen testing consultant was under FBI control – literally in their custody, they were in a ‘next door’ (vertical) apartment 24/7 – when Sabu quite oddly ordered and watched over attack on Stratfor, on a police department, on an infragard, on foreign embassies… and other targets. And doxxed them, in many cases.

This was all also documented well by Vice and Daily Dot.

It looks highly sketchy. Those targets look really specific. Why didn’t they raise these charges against Sabu when he was brought to court? Were they ordered by the FBI? Why? Was it some kind of revenge? Was it a poorly planned counterintelligence operation? The details are not yet fully known to the public.

Maybe they weren’t guarding him as they were supposed to and just let all that fly to avoid embarrassment, even though it was reported in the news. It did not make mainstream. The details are just too technical for mainstream to cover.

Like many things, just takes time for the slow wheels of justice to turn.

But I think you missed my point when I talked about dishonesty – it wasn’t anything to do with this case, I was talking about the way some people here (not you) were treating Justin and others. In particular, I don’t think it is appropriate to accuse other posters of being government PR agents for no better reason than that they dared to disagree with you.

You could have said to what you were referring to in the post.

If it was implied in your link — please just be forthcoming and clear, or do not be upset when people get upset. Especially when talking about a highly volatile subject like dirty cops.

Not everyone just winks at dirty cops or buys the whole “oh they are just cutting red tape to bust bad guys” line.

Silk Road was a political brownie points case. And there is endemic corruption in some parts of the FBI at this time.

FYI, clicking on sketchy, not very mainstream links from people posters do not know, is unwise at such a forum. It can help reveal their identity.

Proper authorities can obtain my identity, I do not use a proxy, except sometimes a roughly static business proxy when using my work system. I state this often to the mods. Not interested however in making it easy for non-authorities or “authorities” skirting the lines of legality.

Not so hard to see what posters connect to this site at what times, for how long, either, from an ISP view.

See, you are squirming around with definitions, trying to justify hacking.

No, you’re jumping to conclusions. I just asked some questions.

Okay, fair enough. I think the facts are pretty clear. I clarified them.

Is there more clarification needed?

You understand it is unlawful to attack an unauthorized system, right? You have to have either a lawful warrant or authorization from the owner of that system. This includes DoS. You also understand breaking someone’s encryption to get their data is equivalent to wiretapping, even if that data “is only” some form of “metadata”, right?

But, I am wondering, is this really fair of you? I mean, you surely understand these laws, though not a researcher. You follow computer crime cases. They are very simple laws. You have found this blog and posted deep in here, and are offering opinions with confidence. You are over thirty, I would guess. So, I think you are understanding these laws… but pretending not to. Isn’t that squirmy? Or is there another word? Squirrelly? Sketchy? Catchy? Shady?

Everyone does this on some things, sure.

Sometimes they even deny it when they do.

Maybe the issue is you believe if the perpetrator is likely to get away with it – say they are running from Estonia or Romania – that then it is not unlawful? Like the Lufthansa heist was not unlawful because they got away with it?

Because that is the only thing here I could say is “unlawful”, in that weird, twisted sense foreign hackers and others do when they are flaunting the law. After all, you even taunted saying, “Why doesn’t someone pursue the case then”.

Seems like you already know it would be very difficult to pursue.

I mean, can you be polite and specific and clarify this confusion? If so, my apologies, it is a heated subject. Corrupt cops and all.

I hope they are not thinking this is even good to get off on appeal? Appeal acquittals are often quiet. You get the publicity from the first case. Budget increases, promotions.

But, what really bothers me here is: there is a distinct possibility that, on appeal, the corrupt DHS agents could get off on their charges, too.

Free get out of jail card from the Department of Justice.

Do you even care if they get out of jail?

In the Shadow of a Murder of Ravens November 19, 2015 10:20 AM

Worth repeating:

Tor is being used by a lot of innocent teenagers and twentysomethings. I am sure not a few innocent thirtysomethings and fortysomethings.

Only reason I rarely use it is because of the hassle of the exit nodes being noted as malicious, because of the hacking abuse on the network. IMO, they need to prevent such behavior on their system. It can be done anonymously.

There are competing systems, of course, and will be.

A lot of my peers in computer security use TOR and similar systems. We have for years. It provides superior security than “just SSL”. And this is what should be stated about it: it provides superior security.

If the folks at OPM – and all the so very many branches of government that have been feeding in documents to OPM all these years at an organization they failed to ensure was secure (is it because it is in the side of a friggin mountain?) – if Brennan used good security, if Petraeus, if Target, Heartland Payment Systems, NY Times, Stratfor, HBGary Federal…on and on and on and on… wouldn’t the internet be a much better place?

China does not want their citizens to have good security.

Saudi Arabia does not want their citizens to have good security.

Iran does not want their citizens to have good security.

And so on.

These are totalitarian nations. They are not even “free” in quotes nations. They do not have the same very high standards “free” nations try and hold up to.

The founding papers didn’t say a whole lot about the dangers of terrorists or foreign enemies. They did say a whole lot about the dangers of unchecked authorities and powers — corrupt authorities and powers.

And we saw this, a lot, in the last century. We see it in this century.

Bad leaders, bad militia, bad governments.

A great many people in free nations’ governments are good.

But the few who are not can ruin it for everyone else.

They probably will not listen to appeals to their conscience, however.

I would – and am sure everyone else would – far, far rather they smoke pot, speed, cut off mattress tags, double park — hell, so very much more else than this kind of crap.

Have affairs. Own and use a machine gun without a license. Use prostitutes.

But don’t abuse these authorities and powers against your own government and people.

And definitely do not take money on the side while doing so. Doing it to get money from your own corporations and people you are supposed to be protecting or surrendering to the courts is way, way over the line. Like what these DHS boys did in the Silk Road case we are talking about here. Who probably will get off when these facts come to trial in appeals.

Justin November 19, 2015 5:15 PM

@In the Shadow of a Murder of Ravens

You are extremely wordy.

But I think you missed my point when I talked about dishonesty – it wasn’t anything to do with this case, I was talking about the way some people here (not you) were treating Justin and others. In particular, I don’t think it is appropriate to accuse other posters of being government PR agents for no better reason than that they dared to disagree with you.

You could have said to what you were referring to in the post.

If it was implied in your link — please just be forthcoming and clear, or do not be upset when people get upset. Especially when talking about a highly volatile subject like dirty cops.

Not everyone just winks at dirty cops or buys the whole “oh they are just cutting red tape to bust bad guys” line.

Oh, well, I’m not a cop and I just took a bath, but I’m nevertheless curious, because it seems my name was mentioned in such an odd context. These “dirty” cops, are they dirty in a way that would be of concern to the IA department of whatever jurisdiction they’re from, or are they dirty simply because they are effective? There’s nothing stopping you from making a complaint at the appropriate jurisdiction. …

A lot of my peers in computer security use TOR and similar systems. We have for years. It provides superior security than “just SSL”. And this is what should be stated about it: it provides superior security

How does going through TOR provide superior security to just a straight SSL connection to any given site? True, it somewhat cloaks the source of the connection, but it also routes those connections through one of those notorious exit nodes in the control of criminals who have no problem forging an SSL certificate for any given site. Maybe if you have a .onion site, but those are S..L..O..W, they don’t validate for SSL, and if they get any significant traffic they don’t stay hidden for long. Plus there’s no protection against the server just plain getting hacked, and in turn infecting your browser with malware, which will quickly uncloak your identity. I repeat, don’t use TOR/I2P or anything like that for anything mission- or life-critical. Go old school.

… surrendering to the courts is way, way over the line. …

Whatever you’re involved in, you’re in way, way, too deep if that’s your attitude. Because I’d say that intimidating investigators, witnesses, jurors, and other court participants is way, way over the line.

Have affairs. Own and use a machine gun without a license. Use prostitutes.

Interesting what you can find out on those sketchy sites: http://www.spokeo.com/is-he-cheating http://phone.instantcheckmate.com/livewire http://778wiyolz8ug0gzl.tk/guy-spy-phone-number/ (Oh yeah, you don’t know me, so you probably don’t want to click on some of those links.) Some people have “backgrounds.”

And other people panic and start posting way too many words and using bold print, …

In the Shadow of a Murder of Ravens November 19, 2015 6:37 PM

@Justin

I am “wordy” sometimes, yes. Clearly you could not understand a word I was saying, but got angry because you saw your name in there and got confused about what I was saying.

Your comment on Tor is a little worth rebutting: Tor is good security, obviously not for everything. As I wrote (which Justin failed to read, but just must have stared at the page blankly), it adds to security for many users in many circumstances. Updated browsers and servers solve SSL MITM exit node issues, but you have to consider that if your browser is not updated and you do not know the basics of SSL MITM attacks — you can get MITM’d.

In general, as I also wrote, there are solutions “like Tor” that will be better – but require payment – for more serious folks.

Justin, I won’t go into this more, because your quoting back verbatim simple information you “read on the internet” or “heard of tv” will get in the way.

As for you “having a background”, no, I do not think you do. I do not think you have accomplished anything, studied much, worked much of anywhere, and are not employed today.

But, FYI, not that I actually even made any comment about you… or said anything about your or anyone else’s background until now…

… surrendering to the courts is way, way over the line. …

Whatever you’re involved in, you’re in way, way, too deep if that’s your attitude. Because I’d say that intimidating investigators, witnesses, jurors, and other court participants is way, way over the line.

As for your slicing and dicing of my comment to make it look like I said something I did not, which you then claimed was some kind of “threat”… I really do not like that. Is that what you do when you get angry? Try and misquote people, have them make all sorts of ludicrous threats to intimidate them or something?

Would work if I were you, I suppose, right?

I won’t stoop to that sick level, however.

I did not write “surrendering to the courts is way, way over the line”, fyi. Not even sure what he thinks that means, but apparently it means “intimidating investigators, witnesses, jurors, and other court participants”.

Clearly, Justin got angry, and is a very angry, vindictive man.

Not a way to go through life, Justin…

In the Shadow of a Murder of Ravens November 19, 2015 6:57 PM

On Justin:

Revisiting this, as this Justin fellow just trolled me:

Harry Johnstone wrote:

But I think you missed my point when I talked about dishonesty – it wasn’t anything to do with this case, I was talking about the way some people here (not you) were treating Justin and others. In particular, I don’t think it is appropriate to accuse other posters of being government PR agents for no better reason than that they dared to disagree with you.

Frankly, I did not read any of Justin’s posts. He usually mutters something about “gangstalking” [which is a ludicrous conspiracy theory only paranoid schizophrenics and bipolars buy into], and is usually very angry at people.

As one can note, he had no moral qualms about attempting to put very nasty words in my mouth, even threatening words. Which is deplorable.

What I stated:

And definitely do not take money on the side while doing so. Doing it to get money from your own corporations and people you are supposed to be protecting or surrendering to the courts is way, way over the line. Like what these DHS boys did in the Silk Road case we are talking about here. Who probably will get off when these facts come to trial in appeals.

What Justin spat out:

… surrendering to the courts is way, way over the line. …

Whatever you’re involved in, you’re in way, way, too deep if that’s your attitude. Because I’d say that intimidating investigators, witnesses, jurors, and other court participants is way, way over the line.

Implying my statement was “intimidating investigators, witnesses, jurors, and other court participants”. Which he probably learned from television is a federal crime. And, I certainly did not do.

Cunning way to take free speech on a privacy speech and try and twist into something that is a crime.

Kind of makes me wonder why he is thinking this way, trying to catch people on something that he can report.

Thinks like a CI.

[That is short for “confidential informant”, Justin. LOL. If you are able to make it through my big posts.]

[Not to “blow your cover” Justin, but maybe stick with your anonymous friends you got busted with?]

[FYI, just because you are a criminal, doesn’t mean anyone else on here is.]

Harry Johnston November 19, 2015 7:15 PM

@In the Shadow of a Murder of Ravens,

Did they break laws? Yes, as the evidence denotes, they certainly did break laws regarding unauthorized computer access (hacking) and wiretapping — both federal laws.

The evidence that I’ve seen (most notably the blog post from the Tor Project) doesn’t make this clear. If I understand the vulnerability correctly, the attackers offered their own servers for use as part of the Tor network, and everything they did was on those servers.

It isn’t clear to me that looking at or modifying the data that someone else has voluntarily sent by a route that goes through your own server is wiretapping. Nor is it obvious that they accessed any computer, other than those they owned, in an unauthorized way. Is there a law against offering computing services with malicious intent? I don’t know.

Much of the rest of your post depends on this, so I’ll skip over most of it and just hit a few high points:

Because they certainly did not get warrants for those systems.

How do you know? (And are you talking about the researchers or the law enforcement? I was only really interested in the legal/ethical issues as applied to the researchers, I wasn’t thinking about the law enforcement side much.)

You could have said to what you were referring to in the post.

Well, it seemed perfectly clear at the time. And I still don’t see how that sentence could possibly make sense with law enforcement as the subject. But in any case I apologize for the confusion.

You have found this blog and posted deep in here, and are offering opinions with confidence.

Not sure what you’re thinking of here. If anything I said on the original subject matter could be interpreted as a confident opinion, that was unintentional! (I admit to being confident in my opinion that politeness and respect are preferable to manipulation and aggression in online discussion. Oh, and I’m reasonably confident of my interpretation of the state of New Zealand law.)

One final comment – it sounds as if you’re confusing my questions about Tor hidden services with my doubt about the evidence regarding this particular incident. Those are two distinct subjects.

PS: just read your last post (after having composed the above but before posting it; still having trouble with the comment system). Actually looking back I was thinking of “slippery”, not Justin. Which should not be taken as an opinion on your quarrel, I don’t want to get in the middle of that one.

Steve November 19, 2015 7:50 PM

OK let me get this straight. Carnegie Mellon receives government funding (say maybe from the FBI) to do research on Tor security, then somehow the FBI and Justice department knew just what to subpoena from the Carnegie Mellon researchers who were running the tor nodes (which they shut down when caught) off their servers used to unmask a wide swath of users both guilty and innocent. Is the government allowed to hire a proxy to do its warrantless dragnet searches? I heard Tor project is now asking that question about how the FBI came to know what to subpoena.

Dirk Praet November 19, 2015 8:03 PM

@ Harry Johnston

If not, what distinguishes your argument from “non-compliant cellphones are a method of free speech,

FCC are technical specifications a cellphone (or other device) has to comply with. Just like there’s an RFC out there that says www traffic goes over http/https. Banning .onion websites because they add a layer of anonymity while for all other practical purposes complying with technical specifications would be the equivalent of banning a cellphone capable of adding an encryption layer (like zrtp) to your communications. And which would also constitute a prior restraint to free speech.

Justin November 19, 2015 8:11 PM

@In the Shadow of a Murder of Ravens

As for you “having a background”, no, I do not think you do. I do not think you have accomplished anything, studied much, worked much of anywhere, and are not employed today.

Bummer. I don’t have enough felonies on my record. I guess I’ll just never be a “made man.”

It is certainly disturbing to see federal authorities getting out of control and running amok.

I suppose that would be disturbing from your point of view. Are they really running amok? Maybe they are just doing their jobs.

And this little bit…

Have affairs. Own and use a machine gun without a license. Use prostitutes.

[FYI, just because you are a criminal, doesn’t mean anyone else on here is.]

Oh yeah, that’s right. You would be a criminal then.

And you’ve accepted I’m not a “dirty cop.” But now I’m a “CI” and you’re going to “blow my cover.” Why are you worried about CIs, anyway? You sound paranoid yourself that someone will inform on you.

And why do you bring up my posts about “gangstalking” from a completely different thread? To “smear” me with it somehow? Seems like plain vanilla criminal stalking to me.

@Harry Johnston

Actually looking back I was thinking of “slippery”, not Justin. Which should not be taken as an opinion on your quarrel, I don’t want to get in the middle of that one.

That’s probably a good idea. No offense intended. More power to you as long as you can stay on topic and engage with Unkindness of Ravens.

Or someone can address the recent comment by Steve that is more on topic. Otherwise, really not much to see here, moving right along.

@Dirk Praet

Who’s banning .onion websites? I’m merely suggesting they’re not as hidden as they claim to be. Which of Harry Johnston’s comments are you replying to in that regard?

Dirk Praet November 19, 2015 8:46 PM

@ Justin

Which of Harry Johnston’s comments are you replying to in that regard?

The ones where @Harry and myself were discussing some legal aspects of .onion websites. You can find them by scrolling up or down the page.

Harry Johnston November 19, 2015 8:58 PM

@Justin, I was indeed questioning whether the US constitution (and/or international law, or whatever) would actually make it impossible to criminalize hidden services. I’m not making a claim that it would not, mind you, it just isn’t obvious to me why it would. For the record, I have no motivation for the question other than curiosity.

@Dirk, but technical specifications exist for a reason, and it’s the reason that matters. I’m sure the government could come up with technical specifications that would make hidden services impossible if it wanted to, and I don’t see why “because otherwise we wouldn’t be able to find the owners of a web site” would be an invalid reason for a specification if “because otherwise it might interfere with other people’s equipment” is an acceptable one. (Note that I’m speaking in legal terms rather than ethical ones. Ethically, the two rationales are entirely different.)

[Incidentally, I don’t want this to drag out indefinitely, so if you choose not to reply at this or any later point, I will not interpret it as a concession.]

Justin November 19, 2015 9:25 PM

Now I don’t want to barge in on your argument, either, but Harry wasn’t banning .onion sites. He seems to have been merely asking,

I’d also be interested in argument (links are fine) as to how running a hidden service constitutes a human right and/or a civil right via the US constitution.

I admit I’m curious, too. Speaking only for myself, I feel skeptical, but I’m not a priori opposed to such an argument.

On a more practical note: maybe some examples of .onion sites that are (arguably) politically or culturally valuable, need to stay hidden for a reason, and have successfully been able to hide themselves. This seems to me to necessitate an almost inhuman level of OPSEC and high-assurance cybersecurity…and faith in the TOR infrastructure.

I will not interpret it as a concession.

I wouldn’t either. I believe there is such an argument to be made.

In the Shadow of a Murder of Ravens November 19, 2015 11:09 PM

@Justin

As for you “having a background”, no, I do not think you do. I do not think you have accomplished anything, studied much, worked much of anywhere, and are not employed today.

Bummer. I don’t have enough felonies on my record. I guess I’ll just never be a “made man.”

No, you don’t have a felony, and I am not sure what you mean by being a “made man” — perhaps you have a mafia fetish?

My post was garbled words to you because you have never worked in the Department of Justice, and certainly not for the FBI. You have never served in the military, nor worked for any government organization at all.

Therefore, you did not understand what I was saying.

It was all “words” to you. Gobbledygook.

But, why speak up Justin? You don’t deserve to, not having any experience.

You have an unexceptional career. I can understand the fantasies.

You have never even advanced beyond basic computer security knowledge. Despite being in the field for around twenty years. Still at simply running corporate software and trying to figure out manuals that explain how to use it.

Not only do you have zero legal or government experience… you have zero security research experience.

So, why again, did you cough up a rude answer to me?

So, you are hitting middle age, never did anything with your life, due to your highly introverted personality… and so now, what? Want to be a fed, so because you could not, you lash out at perceived enemies of feds?

Contrary to your wannabe opinion, I am certainly not an enemy of feds.

And, contrary to your deplorable little “clever” adjustment of my words, with your clever little attempt at intimidation… boy you wish you carried a gun, don’t you! LOL.

I did not state what you wanted me to state.

You twisted my statement to imply I was intimidating “juries”, “judges”, “federal witnesses”, “prosecutors”, “investigators”. Knowing full and well that would be illegal to do. How clever. Because in your mind, my daring to state that the case probably would be thrown out on appeal was “intimidation”.

Sick shit, buddy. You aren’t as you seem, are you. What other little secrets do you hide?

I don’t appreciate people cunningly slandering me and playing Christian and patriot. Especially not trying to forge a federal charge on me.

That is some low, low, dirty crap.

But, we can be friends again, if you admit your sin and apologize.

I will ask Jesus for forgiveness for your slanderous soul.

And, probably not, right? Sinners don’t repent do they? False witnesses are a friend of God, huh, buddy?

It is certainly disturbing to see federal authorities getting out of control and running amok.

I suppose that would be disturbing from your point of view. Are they really running amok? Maybe they are just doing their jobs.

I was there speaking of the two DHS agents who were convicted of severe federal crimes.

That is doing their job?

You are one dark son of a bitch, loving to twist people’s words around, aren’t you?

I hardly think you are the mid-level, boring as ass career, “Christian”, pseudo-moderate conservative you paint yourself as being.

What, exactly, do you do for fun?

Slander people? Try and play cop, like you see on tv?

Even innocent people? Because… unless you are on crack, I did not state any of that crap you said I did. Are you stupid, or whacked in the heart?

You do know it is too late for you to become a fed. PLEASE do not sign up and become a cop. Ugh. One of those cops that shoot people cause he is on a power trip and feels so powerless and a nobody sorts.

And this little bit…

Have affairs. Own and use a machine gun without a license. Use prostitutes. …

[FYI, just because you are a criminal, doesn’t mean anyone else on here is.]

Oh yeah, that’s right. You would be a criminal then.

Again, the devil boy whacks my words way out of context to slander.

Sucking on the tit of Satan, he speaks his slanderous accusations… tsk, tsk.

No, you whacked my words out of context. Less severe. I have known a cop who has used prostitutes. It was legal where he was. I have known a cop who owned a machine gun. Frankly, he probably had a license for it. But, my statement was I would rather you do that than illegally wiretap and hack people and then get a major case thrown out that would free two very corrupt DHS agents.

Do you fail to understand context or English?

And you’ve accepted I’m not a “dirty cop.” But now I’m a “CI” and you’re going to “blow my cover.” Why are you worried about CIs, anyway? You sound paranoid yourself that someone will inform on you.

Dude — get over yourself. You are not even remotely a cop, not even a security guard with a gun.

OKAY?

Stop pretending to be a big boy. Don’t let that middle age crisis start to set in now.

You are a corporate drone, you have very basic level security knowledge. You have not advanced in your knowledge despite working in IT Security for nearly twenty years. You have zero accomplishments. You work at an incredibly boring firm. And it is not a cover.

You are highly introverted.

I would be really angry, if I were you too.

Sheesh, talk about a wasted life. Why didn’t you ever do anything interesting? Sign up, for Christ’s sake.

Well, too late for that, too, though… isn’t it. Sheesh.

I feel for you. Thank God, I look up to Heaven, I don’t have as boring of a life as you have!

And why do you bring up my posts about “gangstalking” from a completely different thread? To “smear” me with it somehow? Seems like plain vanilla criminal stalking to me.

Because it was all I remembered about you. You otherwise have entirely unremarkable posts. You muttered some shit about “gangstalking”, so in my mind you were the “gangstalking” kid.

Apologies for thinking you were some twenty something wash out.

Never looked you up until you decided to randomly fuck with me and try and make me out to be saying crap that would be federal charges. That was a threat of yours, and I had to.

I went, “who the fuck is this guy and why is he fucking around with my words like this”.

You shouldn’t fuck with random people online. I am not sure what your agenda is.

Care to explain why you are twisting my words like that?

If you think I am worried that your word twisting could get me in trouble… guess what?

Bzzzt. Wrong.

But, I am wondering, “Who is he”, “why did he do that”, “that is a really nasty, ruthless, low blow for a mid level nobody security bureaucrat”… “what is his agenda”.

I also noticed you started posting here about the same time I did.

FYI — buzz off, freak.

If you can’t understand my posts, buzz off. I am not talking to you. Never noticed you before except your weird gangstalking fetish.

Now here you are making threats and trying to set me up. Obviously, you can’t. Or I would not have dug in all the closer. But, I am wondering, what is your game?

You attacked me — I didn’t even post about you. I quoted what doofus cagey-ass Harry said about you. Why?

In the Shadow of a Murder of Ravens November 20, 2015 1:09 AM

@Justin, Harry

Anyway, just to be clear: contrary to you two wannabe feds’ depictions of me, I will be clear (and stay on topic)…

Justin stated “I am a criminal” because I was privy to a cop who had an unauthorized machine gun, and a cop who had slept with prostitutes.

Fact is the guy maybe had a license. And I don’t give a fuck about a cop sleeping with hookers. Not a crime for me not to say anything. But, Justin twisted around my words, and I am a man of principle.

To be brief: I did state I said I have winked at crap that would make you puke. I was talking about assassinations. Not prostitutes and fun with machine guns in the woods or speeding or double parking.

Those were euphemisms.

I am a man of principle. Maybe my principles are psychopathic, but they are very strict.

I was manipulating both of you, of course. I was not really angry. Just pushing your buttons.

But, I do have strict principles.

Am I guilty of any crime for being privy to assassinations? No. No evidence. What can I say?

You two are so willing to show your hard dicks for the US Gov, being such pretentious, wannabe “patriots”, wouldn’t you wink-wink at necessary assassinations? Whistleblowers, contractors handling cover identities who discovered too much, difficult leaders who were in the way and causing many deaths, and so on?

Heck, Justin went so far as to say I was saying that breaking federal laws was upsetting me because it was effective. Apparently missing the whole promise that I could make him puke with the stuff I okay’d.

If you conservative pro-gov folks are so uber for the team, I would say, probably 1 percent of those with clearance have been assassinated because of problems.

Now, being a psychopath, which I admit – God help me for my weaknesses – that means as much to me as when I am hungry for a sandwich. Actually, I want the sandwich.

So, I keep by principles.

If X death is less than Y deaths, then X death must happen.

Where is my sandwich.

Principle — wrong message is sent out in the Sabu case and in the Silk Road case.

The CMU hack was a case of “Burn Before Reading”. Watch the movie. That and Fargo is more real life than you will ever know.

Everyone fucked up and sent the wrong message to the public.

Bad principle.

This? Crazy idiots on the internet no one reads, but some idiot fuck with heart problems.

That? Big, loud message to a lot of people that causes a lot of damage.

Don’t agree? Use your words. Twist mine around, that is bad principle.

Or STFU and sit down. Change jobs.

In the Shadow of a Murder of Ravens November 20, 2015 1:33 AM

“Justin” wrote:

On a more practical note: maybe some examples of .onion sites that are (arguably) politically or culturally valuable, need to stay hidden for a reason, and have successfully been able to hide themselves. This seems to me to necessitate an almost inhuman level of OPSEC and high-assurance cybersecurity…and faith in the TOR infrastructure.

Before there was Tor there was the Cult of the Dead Cow and Hacktivismo distributed p2p system.

First, “hacktivismo”, then “6/4”.

Then, afterwards came some good systems, then Tor.

Justin has pointed out he is a mid level executive with little security knowledge, despite working in IT Security for about twenty years. And he claims “most of Tor traffic is malicious”. Not true. Of course, Justin has never worked on any of these systems, or gives a flying fuck about totalitarian countries.

I worked on some of these systems and worked heavily with dissidents. Easy to prove, as it is easy to prove Justin’s identity, but I won’t.

To the problem: is there ever a reason for any of these estimated four thousand “dark web” servers to exist?

Yes, there is. Is there a reason for any server to exist where people wish to post information with harassment and from legal speech without intrusion from slanderous wannabe witch catchers? Yes there is.

We have thousands of years of individuals who have persecuted people because of what they say, what they post to the public, what they believe.

In the Silk Road case, what do you have? A server that was full of security vulnerabilities, easy to exploit. So where is the case there for arguing anything else?

As for “malicious traffic” being 100 percent, confirmation bias. “She or he is a witch”. Truth be told, servers and clients are heavily used by everyday citizens. Hitting at singular cases does not prove a point. Looking at negative evidence while refusing to look at all evidence is symptomatic of the sort of “science” that had people treating disease with blood letting and leeches.

Now, why did I put so many years and so much effort into such systems, my own self? Well, while assholes were sitting around spending all their time learning “DLP” and trying to figure out crap — doing God knows what with their empty minds. I, and my peers, coworkers, were concerned about dumb ass nobodies willing to persecute innocent people in totalitarian countries – or God forbid – here, because of our beliefs and opinions. Twisting them to burn them at the stake.

So, Justin, bow down before the cow.

And please stop slandering people working against totalitarianism with rhetoric not based on hard science.

In the Shadow of a Murder of Ravens November 20, 2015 1:44 AM

@”Harry Johnstone”

Justin, I was indeed questioning whether the US constitution (and/or international law, or whatever) would actually make it impossible to criminalize hidden services. I’m not making a claim that it would not, mind you, it just isn’t obvious to me why it would. For the record, I have no motivation for the question other than curiosity.

Basically, yeah, it ain’t happening.

So, besides founding some distributed encrypted proxying systems… I also founded a core team XYZ labs that created vulnerabilities for the FBI. The problem the FBI had was everyone else was not working for them. Our language was “they were not getting love”. So, a certain company hired a bunch of the top folks and started a very good farm for the FBI to sell them security vulnerabilities.

So, will criminalizing hidden services happen?

Frankly, from the opinion of the Department of Justice?

Not mine. Just what I heard.

No.

And…?

FYI, I stated this to Justin – though you post both about the same time, and your name is surely fake – Silk Road was very trivial to hack. Not even sure why CMU besmirched their name in this. Just made themselves look like immoral fools.

But, since you are so Mr I Have An Opinion, is your linkedin linked with your “real name” to your blog? Because I would love to check out your supposed resume, after all, no offense, but your statements here are entirely vacuous of any experience whatsoever.

And, to be fair, as I expect you are trying to stir up some facts with your BS, I did put in some lie with some truth in the above.

None of it, regardless, would get you anywhere.

Clive Robinson November 20, 2015 4:52 AM

@ Harry,

The difference between technical legislation (standards etc) and societal legislation, is that the former are “agnostic to use” whilst the other is not.

Technical standards and the resulting legislation are about “safety to all”, “interoperability to all” and usually “consensus of domain experts”, it’s rarely if ever to change societal behaviour.

Most societal legislation is to change the behaviour of people such that they do not actively harm society. The primary root is “moral behaviour” which can be found in most religious texts and involve not bringing harm to others and respecting them their family and property.

For Christians the “ten commandments” and “lords prayer” encapsulate the main idea with the sentence that starts “Give us this day our daily bread; and forgive us our trespasses, as we forgive those…” with the commandments listing the trespasses (the then societal ills of the time).

With time the idea that the state could trespass against individuals brought about the likes of the first “grand charter” a thousand years ago which limited the power of an English King for a few weeks (until he could get the pope to annul it, which is a sufficient reason alone to segregate the executive, legislature and church).

Have a think on the “entropy of power” societal legislation is about changing the rate of power devolving from self appointed Kings and tyrants to the people. Those in power spend much of their time guarding power unto themselves jealously (hence guard labour). Whilst those with little or no power, fight for the right to self determination which requires them to have sufficient power to counteract those with excessive and often repressive power. The modern battle ground for this fight being the legislature and its control via the executive, or civil war when that fails.

Dirk Praet November 20, 2015 7:23 AM

@ Harry Johnston

I’m sure the government could come up with technical specifications that would make hidden services impossible if it wanted to, and I don’t see why “because otherwise we wouldn’t be able to find the owners of a web site” would be an invalid reason for a specification

Way back in time, people used to send each other paper letters in an envelope that on the front had a destination name and address, and most of the time on the back the name and address of the sender too. I may be totally wrong, but I know of no instances where a government imposed some technical specification on post office services that such letters (or post cards) could only be delivered if indeed on the back they had the name and address of the sender so that it could be traced back to him/her.

Whilst there is no doubt in my mind that certain “technical” specifications are indeed in place for societal reasons, they can never override constitutionally or otherwise guaranteed rights of the citizenry. In this particular case, it can easily be argued by the defense that the technical control is nothing more than a not even cleverly disguised facade for something entirely different, adoption of which would intentionally infringe on free speech.

A while ago, the FCC issued a draft of some new rules, wording of which in essence could be interpreted as forbidding people to re-flash their home routers with alternative firmwares like DD-WRT or OpenWRT. This created quite some commotion which eventually forced the FCC to issue a clarification and to back down. Or at least for now.

Henry Charles Albert David November 20, 2015 12:07 PM

Why is an internet plumber in New Zealand so fixated on repressing private freedom of association with legal rationales that are way above his pay grade? And if he actually does care about security, then why is he wasting his life with a hopelessly porous black box full of spyware like Windows? And why would he preemptively try to circumscribe responses to his tendentious authoritarian arguments? His sparse social media pocket litter does not pass the sniff test.

Cory November 20, 2015 8:04 PM

Technical standards and the resulting legislation are about “safety to all”, “interoperability to all” and usually “consensus of domain experts”, it’s rarely if ever to change societal behaviour.

But ever so often they do, because people shape their lives around technology. With the advent of email, internet, cellphones, mobile apps, etc., social behavior had progressed into what we have now, ‘social networks’, which are built on top of layers and layers of technical standards.

Clive Robinson November 21, 2015 3:49 AM

@ Cory,

But ever so often they do, because people shape their lives around technology.

I think you are trying to put the cart before the horse on this….

Usually a “technology becomes possible” technically and various technology organisations jump on it and develop it. It’s generally only after the initial “free for all” has established a need for the technology that standards get introduced and then the technology comes of age.

Off the top of my head I can think of two occasions in recent times when the UK Gov has tried to introduce a technology under their control, that show how badly it can go,

1, Digital Satellite Broadcasting.
2, Digital Audio Broadcasting.

Both were rigged from the very start so that the UK Gov had an “unseen hand” manipulating the system to their propaganda needs, via “friends”.

With DSB they put in fairly onerous licence requirements but like the true bureaucrats they are, they used the usual “politically favoured” advisors that “can’t think hinky” and thus left a bunch of loopholes through which Rupert Murdoch who could, marched and put those who had followed the “Gov Rules” out of business, or took them over.

DAB is another more insidious technology where those that be had a very thorny problem to solve which is “illegal broadcasts”. I won’t go through the ins and outs of it but your DAB receiver is not “user tuned” in the conventional sense. It can only pick up stations that are “In the Matrix” control system and they have locked that down to only four “trusted friends” in whose interest it is to ensure illegal broadcasters can not get slots. Even though the UK Gov keeps talking up DAB and has used draconian techniques to force its use, it’s a failure. They actually try to hide this failure by saying as they did just a couple of days ago that “digital audio” is now 40% of the market, but neglect to mention that this includes the much higher audio quality Freeview and Internet, the use of both dwarfing DAB. Oh and the UK Gov’s figures are further distorted in that if you buy a combined FM & DAB receiver they count it as a DAB listener not as is very much more the case an FM listener. As far as I’m aware of the very many “DAB only” start up stations few if any survive and those that do have been taken over by mixed service broadcasters. The only survivors I can think of had a highly specific market segment that had very significant political activism behind it and do not fund by normal mainstream methods (LBG and Religious communities etc).

If you have examples of where in a deregulated market the technology push for social change came initially from Gov and has been and continues to be functioning in the way the Gov wanted, I and others will be interested in seeing them.

Wael November 21, 2015 4:11 AM

@Clive Robinson,

Usually a “technology becomes possible”

A conceited professor was traveling by boat one day. He wanted to show off his knowledge so he asked the poor sailor:
Do you know Biology?
The poor sailor: Nope, what’s that?
Professor: You know Zoology?
Sailor: Nope
Professor: How about Geography, ecology, physiology?
Sailor: Nope!
Professor: I have a certificate in all of these. You’ll die of illiteracy you useless sob!

Then the boat started rocking and sinking. The professor curled at the end of it and looked very scared. The sailor asked the professor:
Sailor: What’s wrong professor? Haven’t you studied swimology?
Professor: Nope!
Sailor: How about escapeology from sharkology?
Professor: Ummm, nope!
Sailor: Well, sharkology and crocodilogy will eat your assology, and you will dieology because of your mouthology!

Harry Johnston November 21, 2015 4:31 PM

@Clive, not entirely sure what your point is – you seem to be talking about the ethics of outlawing hidden services rather than the legalities, and, well, duh. Of course it would be unethical! But thank you anyway … at least you’re not trying to shut down the discussion by insulting me or questioning my motives or identity. 🙂

@Dirk, that seems like a reasonable analogy. Not really what I was hoping for, but I guess I’m in the wrong place for a legal analysis. At any rate, consider your point made.

@In The Shadow, I usually post under my real name. Anonymously, on occasion, but I’ve never seen any need to use a fake identity or pseudonym. Oh, I did go by the handle “Silver Omega” when I first discovered USENET back in, oh, 92 I guess, and kept that up for six months or so before I realized it was kind of tacky. (What can I say? I was young.) My posts here are linked to my blog, though granted I don’t post there regularly. I don’t use LinkedIn or FaceBook or similar services (I don’t see the point) but am active on Stack Exchange.

In particular, I am indeed using my real name in this thread, though I’m starting to regret it.

I’m a system administrator at a University, looking after a half dozen servers and a few hundred PCs. I can also program fairly well, but not to professional standards. I’m not a cryptographer or IT security expert and don’t claim to be. I’m definitely not a legal expert, but find law – and constitutional law in particular – fascinating, in an incomprehensible sort of way. Not sure what any of this has to do with anything, by the way, but since you asked.

Cory November 21, 2015 5:52 PM

@ Clive Robinson

I think you are trying to put the cart before the horse on this….
Both were rigged from the very start so that the UK Gov had an “unseen hand” manipulating the system to their propaganda needs, via “friends”.
If you have examples of where in a deregulated market the technology push for social change came initially from Gov and has been and continues to be functioning in the way the Gov wanted, I and others will be interested in seeing them.

I don’t have any specific examples but I’ve enjoyed reading yours. The “Gov” certainly reserves its hand when it comes to tilting the playing field. However, the Gov doesn’t have a monopoly on standards, most of which is built on top of one another, and closely held by industry/corporate “domain experts”.

Ever so often, new technology becomes possible because of previous ones, e.g. analog to digital. Sometimes, new technology makes regulation more efficient, sometimes it requires a new set of tinkerings.

But like you said, the Gov doesn’t have to play its hand early, or initially, because it has the ultimate hand. It prefers to wait and see, and send the wink-winks ever so often.

Harry Johnston November 21, 2015 5:53 PM

… oh, sorry, I forgot you didn’t want to follow any links. Under these circumstances, I don’t see any way to prove that I exist – I may be foolish, but I’m not quite foolish enough to post a picture of my driver’s license or anything like that.

But I don’t see that it really matters, I have no strong opinions on the subject and am too old and tired to expect to change anyone’s mind even if I did. I’ve already unsubscribed from this blog, so I guess you can count that as a win if you like.

Clive Robinson November 21, 2015 7:47 PM

@ Harry,

not entirely sure what your point is – you seem to be talking about the ethics of outlawing hidden services rather than the legalities

Err not the ethics as such no.

A hidden service can not be stopped by “societal modifying” legislation. The reason is subtle but put simply if they can not see it or detect it –the essence of hidden– then they can not tell if it’s there or not. The prime –but bad– example of this is stego. What they can do is “cut the cable” or “modify the traffic” in some way as a precautionary measure.

However cutting the cable affects all including the gov so they are not going to want to lose the economic benefit by going that far. So the next step is to somehow modify the data to reduce the likelihood of hidden services. But this follows the law of diminishing returns. The simple fact is that as long as traffic flows there are covert side channel tricks you can exploit to carry covert/hidden data. All “modifying the data” does is reduce the bandwidth of both the overt and covert channels.

I don’t know if you are familiar with DRM as done by Digital Watermarking? In essence the IP holder adds a low bandwidth signal via Spread Spectrum techniques, that without a secret looks just like ordinary noise to everybody else. The noise is in effect an encrypted signature, and is the equivalent of a covert/hidden service. As long as some of the noise gets through any processing then the IP holder can by using their secret key prove their rights. Somebody trying to beat the DRM has to be able to remove or modify the noise without knowledge of the key which is at best difficult at worst not possible. There is a fair amount of published papers on Digital Watermarking so it can give you an idea of the ideas involved, which in turn tells you the issues a gov faces trying to stop a hidden service.

Covert side channels are one of those “security issues” that make a secure systems designer’s life a nightmare when it comes to the leaking of information. And this is exactly the same problem a gov would have trying to stop hidden services.

No amount of legislation is going to stop this, and anyone who tries might as well try stopping the tides following the moon with legislation… Not that that will stop some idiots trying, after all we’ve had legislation to make Pi=3 in the past…
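The keyed-noise watermark described in the comment above, as an added example that is not part of the thread and not any commenter's or vendor's code: the owner adds a low-amplitude pseudo-noise sequence derived from a secret key, and later proves its presence by correlation, even after the samples have been degraded. The function names, keys, host signal and the choice of HMAC-SHA256 as the noise source are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import random

def chips(key: bytes, n: int) -> list:
    """Keyed +/-1 pseudo-noise sequence (HMAC-SHA256 in counter mode)."""
    out = []
    counter = 0
    while len(out) < n:
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(1 if (byte >> bit) & 1 else -1 for byte in block for bit in range(8))
        counter += 1
    return out[:n]

def embed(samples, key: bytes, strength: float = 1.0):
    """Add the low-amplitude keyed noise to every sample."""
    return [s + strength * c for s, c in zip(samples, chips(key, len(samples)))]

def detect(samples, key: bytes) -> float:
    """Correlate against the keyed sequence and return a z-score.

    Without the mark, or with the wrong key, the score behaves like a
    standard normal variable, so values above about 6 are not chance."""
    mean = sum(samples) / len(samples)
    centred = [s - mean for s in samples]
    energy = math.sqrt(sum(s * s for s in centred))
    corr = sum(s * c for s, c in zip(centred, chips(key, len(samples))))
    return corr / energy if energy else 0.0

def process(samples, rng, noise_sd=5.0, step=4.0):
    """Constructed 'processing': added noise, then coarse quantisation."""
    return [round((s + rng.gauss(0, noise_sd)) / step) * step for s in samples]

def demo():
    rng = random.Random(2015)                        # constructed host signal
    host = [rng.gauss(0, 10) for _ in range(20000)]  # stand-in for audio samples
    owner_key, other_key = b"owner-secret (constructed)", b"someone-else"
    marked = embed(host, owner_key)                  # mark is 1/10 of host amplitude
    degraded = process(marked, rng)
    return {
        "unmarked": detect(host, owner_key),
        "marked": detect(marked, owner_key),
        "degraded": detect(degraded, owner_key),
        "wrong_key": detect(degraded, other_key),
    }

if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:10s} z = {score:6.2f}")
```

The score grows with the square root of the number of samples, which is why stripping the mark without the key means degrading the whole signal rather than a small part of it.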

Wael November 21, 2015 8:46 PM

@Clive Robinson,

Not that that will stop some idiots trying, after all we’ve had legislation to make Pi=3 in the past…

You’re such a trouble-maker 🙂

In the Shadow of a Murder of Ravens November 22, 2015 3:46 PM

@Harry Johnston

… oh, sorry, I forgot you didn’t want to follow any links. Under these circumstances, I don’t see any way to prove that I exist – I may be foolish, but I’m not quite foolish enough to post a picture of my driver’s license or anything like that.

But I don’t see that it really matters, I have no strong opinions on the subject and am too old and tired to expect to change anyone’s mind even if I did. I’ve already unsubscribed from this blog, so I guess you can count that as a win if you like.

Devil’s advocates like Skeptical, are good. He at least sticks to some semblance of reasoning, even if ultimately he does not make that final step. But, Justin and yourself do not. Very different approaches, admittedly, Justin is way out there in terms of speaking, to the point to where my impression is he has been hit on the head and has problems with socialization and thinking straight at all.

But, really, the fight against freedom, everyone who leaves is good. We need more for freedom.

I had not read before Justin’s problems you spoke of, but since then I have, and it had nothing to do with “difference of opinion”. He was twisting everyone’s words around, and in general acting extremely anti-social.

The few “defenders” on this thread are all deplorable to me. Stuff like “stick by the cops regardless of what they do, even breaking the law”, or “who cares what anyone does to bust pedophiles” (only this was not a pedophile case, it was Silk Road, drug dealing, which is a bogus social issue that has done immense damage to society and no good, aka, the “drug war”.)

But, here is the real deal: Unlike you, Justin, or any of those defenders, guess here who actually works for the government? Guess who here has actually hacked pedophiles, and that using zero day he himself found, and custom made exploits — and that in the 90s, because client side hacking was a thing? Yes, back in the 90s, I took over pedophile usenet groups, mailing lists… and neo-nazi. With client side zero day and client side attack code not made popular for another good ten years. And what did I do with those systems? Gave them to the FBI.

So, I hear these armchair cheerleaders, rah rah rahing, and I go, ‘who do you think you are?’

It is exactly like when I see people do this with Afghanistan or Iraq. And similar response. Like when folks quickly defended the bombing of the hospital the other week. Saying it was accidental. I realized it was not and was okay with that. I think about what that means. I am aware of what that means. They never get to that stage.

I worked at the main lab that supplied zero day to the FBI. FYI.

Does this mean I believe it is OK to shut down TOR? No. Which the US Government funded. And they funded earlier systems like TOR. Covertly.

Is it okay to attack TOR? No. Not legally, at all.

Research laws do not allow that.

I see since these posts some pundits talking about this subject, oblivious to the fact it is not okay to test other people’s systems. Amazing ignorance.

Point is? You folks are lazy. You don’t do your homework. Your opinions are morally crap. They are odious. Mine? I deal with stuff that is very serious. Not moral crap, just because one has to really work through the implications. You guys don’t do that, so you are making immoral decisions.

You are hypocrites and false in your arguments.

Take more time thinking things out and researching before reflexively arguing ‘rah rah rah’.

Harry Johnston November 22, 2015 6:20 PM

Yeah, that’s all well and good, except that I still don’t see what I’m supposed to have said that has you so upset. I never once defended the cops or the US government. I did defend the researchers, but only to the extent that the evidence that had been presented seemed too skimpy to start vilifying them – you know, innocent until proven guilty?

And I realize I’m beating a dead horse here, but succeeding in driving people who disagree with you (or, in my case, a person who agrees with you but apparently not strongly enough) away from the internet spaces you frequent doesn’t actually achieve anything. It just means that you’re living in an echo chamber, exposed to no new ideas or thoughts, and at risk of dangerously misjudging public opinion.

(As for my original, admittedly unwise, complaint about the tone of this forum, do you really think that comments like “DoD persona Ferris, having crashed & burned, has whipped himself up a new persona, Slippery. Sadly, this one’s a moron too.” or “Why is an internet plumber in New Zealand so fixated on repressing private freedom of association with legal rationales that are way above his pay grade?” are actually helpful?)

Dirk Praet November 22, 2015 6:33 PM

@ Harry Johnston

For what it’s worth, I found your question about the legality of Tor hidden services perfectly valid, and to which I replied as well as I could. Some people here tend to get itchy really fast, so don’t take it personal.

Moderator November 23, 2015 12:15 PM

@In the Shadow of a Murder of Ravens : Would you please refrain from personal insults and cut down on the profanity.

Moderator November 24, 2015 8:53 AM

Upon further review of this thread, I broaden the scope of my reminder re civility to everyone posting here. Personal insults, namecalling and accusations of sockpuppeting are unproductive, unpersuasive, and create a hostile atmosphere.

randomfktrd November 24, 2016 8:24 AM

Posts resulting from an output of using a spell checker give away that four people in this comment thread are the same person; his third and fourth were interacting and had this conversation continued his fourth would have further aligned his views with his third.
