Entries Tagged "Tor"
Page 2 of 4
Network-attached storage devices made by Synology are being attacked, and their data encrypted, by ransomware that demands $350 in bitcoins (payable anonymously via Tor) for the decryption key. As of this moment, there’s no patch.
Russia has put out a tender on its official government procurement website for anyone who can identify Tor users. The reward of $114,000 seems pretty cheap for this capability. And we now get to debate whether 1) Russia cannot currently deaonymize Tor users, or 2) Russia can, and this is a ruse to make us think they can’t.
Last week, we learned that the NSA targets people who look for information about Tor. A few days later, the operator of a Tor exit node in Austria has been found guilty as an accomplice, because someone used his computer to transmit child porn. Even more recently, Tor has been named as a defendant in a revenge-porn suit in Texas because it provides web-porn operators with privacy.
Here’s the EFF: “Seven Things You Should Know About Tor.”
EDITED TO ADD (7/16): It seems that article about Tor in Austria was wrong.
Jake Appelbaum et al., are reporting on XKEYSCORE selection rules that target users — and people who just visit the websites of — Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever.
This code demonstrates the ease with which an XKeyscore rule can analyze the full content of intercepted connections. The fingerprint first checks every message using the “email_address” function to see if the message is to or from “firstname.lastname@example.org”. Next, if the address matched, it uses the “email_body” function to search the full content of the email for a particular piece of text – in this case, “https://bridges.torproject.org/”. If the “email_body” function finds what it is looking for, it passes the full email text to a C++ program which extracts the bridge addresses and stores them in a database.
It is interesting to note that this rule specifically avoids fingerprinting users believed to be located in Five Eyes countries, while other rules make no such distinction. For instance, the following fingerprint targets users visiting the Tails and Linux Journal websites, or performing certain web searches related to Tails, and makes no distinction about the country of the user.
There are also rules that target users of numerous other privacy-focused internet services, including HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion as well as its predecessor MixMaster. The appid rule for MixMinion is extremely broad as it matches all traffic to or from the IP address 126.96.36.199, a server located on the MIT campus.
It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link — with the embedded torproject.org URL above — is currently being monitored by the NSA. It’s possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don’t know what else the NSA harvests about people who it selects in this manner.
Whatever the case, this is very disturbing.
And, since Cory said it, I do not believe that this came from the Snowden documents. I also don’t believe the TAO catalog came from the Snowden documents. I think there’s a second leaker out there.
EDITED TO ADD (7/3): Here is the code. In part:
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
$TAILS_terms=word(‘tails’ or ‘Amnesiac Incognito Live System’) and
or ‘ USB ‘ or ‘ CD ‘ or ‘secure desktop’ or ‘ IRC ‘ or ‘truecrypt’ or ‘
$TAILS_websites=(‘tails.boum.org/’) or (‘linuxjournal.com/content/linux*’);
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to
or viewing websites that detail TAILs.
fingerprint(‘documents/comsec/tails_doc’) or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
EDITED TO ADD (7/4): EFF points out that it is illegal to target someone for surveillance solely based on their reading:
The idea that it is suspicious to install, or even simply want to learn more about, tools that might help to protect your privacy and security underlies these definitions — and it’s a problem. Everyone needs privacy and security, online and off. It isn’t suspicious to buy curtains for your home or lock your front door. So merely reading about curtains certainly shouldn’t qualify you for extra scrutiny.
Even the U.S. Foreign Intelligence Surveillance Court recognizes this, as the FISA prohibits targeting people or conducting investigations based solely on activities protected by the First Amendment. Regardless of whether the NSA is relying on FISA to authorize this activity or conducting the spying overseas, it is deeply problematic.
Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a final exam. (It’s just a coincidence that I was on the Harvard campus that day.) Even though he used an anonymous account and Tor, the FBI identified him. Reading the criminal complaint, it seems that the FBI got itself a list of Harvard users that accessed the Tor network, and went through them one by one to find the one who sent the threat.
This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn’t have to break Tor; they just used conventional police mechanisms to get Kim to confess.
Tor didn’t break; Kim did.
Safeplug is an easy-to-use Tor appliance. I like that it can also act as a Tor exit node.
EDITED TO ADD: I know nothing about this appliance, nor do I endorse it. In fact, I would like it to be independently audited before we start trusting it. But it’s a fascinating proof-of-concept of encapsulating security so that normal Internet users can use it.
Sidebar photo of Bruce Schneier by Joe MacInnis.