[cryptome] Re: 3 Cryptographers at Dinner Mathematical Model

  • From: Jason Iannone <jason.iannone@xxxxxxxxx>
  • To: "cryptome@xxxxxxxxxxxxx" <cryptome@xxxxxxxxxxxxx>
  • Date: Tue, 18 Nov 2014 09:50:39 -0700

It looks like the high performance exit node weakness has been exploited.


On Tue, Nov 11, 2014 at 2:10 PM, Jason Iannone <jason.iannone@xxxxxxxxx> wrote:
> Dougie,
> While I have no direct information, history and common sense suggest that
> a failure of operational security rather than a failure of tools is to
> blame. Your scenario talks to that as well. Investigative techniques can
> validate and deanonymize users of a tool before they make use of it.
> That¹s not to discredit the very interesting attack surface presented by
> the exit node selection criteria that Tor utilizes, but any exploits
> utilizing such a feature would likely be added to the pile rather than
> represent a key point of entry. Driving known targets to your sniffer box
> is more valuable when you know which flows are theirs.
> Jason
> -----Original Message-----
> From: doug <douglasrankine2001@xxxxxxxxxxx>
> Reply-To: <cryptome@xxxxxxxxxxxxx>
> Date: Tuesday, November 11, 2014 at 10:35 AM
> To: <cryptome@xxxxxxxxxxxxx>
> Subject: [cryptome] 3 Cryptographers at Dinner Mathematical Model
> Hi Jason,
> Not being a mathematician or a logician, I can't argue the
> point...wouldn't know how to.
> However, the problem I have with mathematical modelling is that it is
> limited by its nature...i.e. the limitation of numbers compared with
> words.  It's like computer modelling of the environment. Global warming
> and Doomsday all rolled into one, depending on how one sets the
> parameters.  it is no good having anonymity and unbreakable encryption
> if the anonymity is not secure.  Over a period of time, as the scenario
> develops, along comes one system, only to be outdone by another system.
> I notice that the article is getting on a bit.  Let me put a different
> scenario.  3 cryptographers decide to have a secret dinner at a secret
> hotel.  They are going to discuss software like TOR and decide to prove
> that TOR works by using it anonymously and one of them, yet to be
> decided will be paying it via Bitcoin. They have used anonymising
> software and a variety of methods to communicate with one another.  they
> are all experts in TOR...which means that each one of them must have
> used it.  As they have all used it, then they all went to the website to
> download it, or find out more about it.
> Unbeknownst to them, the NSA, The CIA, The FBI and the Chinese
> Intelligence State Corporation, already knows that they are having a
> meeting, when it is, and what the topic is, and even have copies of the
> menu.  Accordingly, they have arranged for the waiter to listen in, and
> for the Maitre D'Hotel to take the payment on his card machine, which
> has been compromised by all 4 intelligence services.  The windows are
> bugged, the dinner table is bugged, their cars bugged with travel
> information Not only that, but one of the cryptographers works for GCHQ,
> the other for Mossad and the third one for the Chinese intelligence
> Agency.  The French have got wind of it and a honey trap set up for
> after the meeting, for the one who has paid the bill....
> As happened at Bletchley, it wasn't just the cracking of the codes,
> using brute force, Collossus, or the bombes...it was the cribs and all
> the other methods which was used.  Some encryption was easy to break, it
> wasn't all that important, other encryption was much more difficult,
> particularly that at the highest governmental decision making levels.
> See url:
> http://chris-intel-corner.blogspot.gr/2013/04/decoding-prime-minister-chamb
> erlains.html
> for some stuff on Hitler and his leading Chamberlain up the garden path
> pre Second world War, or the fact that Churchill and Roosevelt's secure
> communication system was broken by the Germans.
> I see on cryptome that the FBI and the CIA use and trust TOR to get them
> anonymity on social networks.  The more people that use TOR, then the
> more credibility it gets and the more they can hide behind the nodes.
> They trust it.  It allows them to work on the dark web.  I can see why
> they trust it...because, unlike most of the rest of us they are the only
> ones who have the tools, the resources and the facilities to break it.
> It is a crypto-war between the world's intelligence and security
> services, and if any of them puts a back door into any of their secure
> software, then it isn't long before the others either get to hear about
> it, or find out for themselves.
> Dougie.
> On 11/11/14 16:21, Jason Iannone wrote:
>> The author of the Pando article spends a great deal of time discussing
>> the motivation for developing tor and tying the developers to defense.
>> While those ties are interesting and notable, saddling the first
>> thirty paragraphs with this information leaves a bad taste in my
>> mouth.  The discussion of exit node management and the protocol's
>> focus on performance are key.  NSA's efforts to build in weakness are
>> well known and it's not much of a stretch to associate built-in
>> weakness to the decision to favor high performance nodes[1].
>> The fact that tor has many use cases doesn't mean its broken.  In
>> fact, the government use case may be one of its more valuable selling
>> points.  If it's good enough for CIA, it's good enough for me.  The
>> foundation is, so far as we know, solid[2].
>> [1]
>> On Tue, Nov 11, 2014 at 7:49 AM, Shaun O'Connor
>><capricorn8159@xxxxxxxxx> wrote:
>>> that was a good one Douggie and I agree entirely with your sentiments on
>>> privacy, security  etc.
>>> what bothers me is the way people are being misled into entrusting their
>>> privacy to third parties in the mistaken belief that so doing will give
>>> more freedom to get on with whatever they are doing.
>>> Personally my view is if one wants to maximise operational security (
>>> call it opsec in future) then it behoves them to get their hands dirtly
>>> learn the craft rather then rely on someone else to do it for them.
>>>there is
>>> always a tradeoff between convenience and control.
>>> ATB
>>> Shaun
>>> ps
>>> Will look at the links later .
>>> On 11/11/2014 13:08, doug wrote:
>>> http://pando.com/2014/07/16/tor-spooks/
>>> I thought that this was an interesting article.  I don't use TOR, I have
>>> never tried it because I know its origins...and I can't think of any
>>> knowledge or activities I pursue as being so valuable or secret as to
>>>be a
>>> threat to the state.
>>>    Using technology for hiding the online activities of spooks is a
>>> ball game from ordinary users using it thinking that their activities,
>>> or otherwise will be anonymous, is a product of too much cannabis oil.
>>> has different functions for different people and organisations.  It is
>>> to hide the activities of spooks behind the activities of other users,
>>> thinking is that the more of the public that use it, the easier it is
>>> them to hide.  rAnother advantage is that if enough of the security
>>> community is convince, then they will recommend its use to every one
>>> The US government gives such stuff away to liberation fighters and
>>> revolutionaries whilst its private enterprise sells the antidotes to the
>>> software to those very secret services to which it is opposed.  And the
>>> politicians, in my view, know very little about it, believing that they
>>> spreading human rights, American, British and Western style, all over
>>> dictatorial world.  However, the growth of the technology, the
>>>cheapness of
>>> software and storage and the increasing sophistication and wealth
>>> on intelligence and security in the world community has undermined any
>>> superficial safety in using such software as TOR, truecrypt and some
>>> operating systems, in my view.  I am not an expert in such matters,
>>> particularly the technical side, but so often in history people have
>>> misled into thinking that their communications are secure that they have
>>> been sorely decieved when "the weel laid plans o' mice and men,  gang
>>> astray..."  as Robert Burns said in "To A Mouse", and they finish up
>>> their homes, their lives and their families, as well as their dreams
>>> destroyed.
>>>   Apart from communications with my banks, I don't use encryption,
>>>though I
>>> have experimented with it a little bit. I know of old that if the
>>> or intelligence agencies want to access such information then they can.
>>> All
>>> encrypted communications are recorded until they are deciphered...as
>>> All TOR communications, from going to the website, downloading and
>>> installing, as well as using are monitored. Wouldn't you, if your
>>> put you in charge of the safety security and intelligence on  behalf of
>>> people and government?  It's a bit naive to think otherwise, in my
>>> opinion.
>>>    When using the internet, one has to access it at some point, and
>>>that is
>>> generally through an ISP and an i.p. address, the same thing occurs
>>>when one
>>> receives a communication. It doesn't matter whether it is a phone, or a
>>> laptop, even a wireless connection.  As soon as one goes onto the
>>> then the activity is recorded, if not acknowledged. Those are the
>>> points in my view.   When one boils a kettle one knows where the energy
>>> comes from, one knows that the kettle is a container, and, though one
>>> not know exactly where the bubbles arise when the container boils, one
>>> when it will boil, the length of time it takes to boil and one can
>>> the degree of entropy and the physical emergence of the bubbles of gas
>>> the liquid topography.  Doesn't take a lot to find out the cause and
>>> Studying the materials at Bletchley Park methods are still of much
>>> in my view.   see url:
>>> http://www.bletchleypark.org.uk/
>>> There is plenty of stuff on the website, well worth a visit and lots of
>>> links to all sorts of information, from books to memoirs and memories.
>>> Encryption wasn't the only system which got cracked there.  It was the
>>> which were really important, everything from user mistakes and habits,
>>> user locality, from timing and types of coding, from frequency of
>>> transmission and patterns within the signals, to different kinds of
>>> and encyphering machinery.  It wasn't all about betrayal by agents.
>>>All of
>>> those, and more, were collated, subjected to  analysis and disparate
>>> findings put together, to provide a cohesive picture of the intentions,
>>> habits and wherewithalls of the enemy (or friendly and not so friendly
>>> alien).  I dare say that there are even more sophisticated methods
>>> today, particularly mathematically and statistically, the software and
>>> storage are so cheap, and many brilliant and educated minds are put
>>> collectively in huge warehouses and think tanks to solve the problems.
>>> Poachers become gamekeepers and vikki verki.
>>>  From recent utterings by various personalities, political leaders and
>>> officers of agencies involved in the collection of information and its
>>> analysis, they aren't about to stop any time soon, and I cannot see a
>>> situation in the near future where personal privacy and security are
>>> to improve.   The safety of the system compared with the privacy and
>>> security of the individual is deemed more important, though they would
>>> that they are protecting both. The fear and the pressure is too great
>>> all information, all data not to be collected so that governments aren't
>>> taken by surprise.  We also know of course, that governments, more often
>>> than not, often do get taken by surprise, even when the information is
>>> presented to them on a plate...they don't believe it, much in the same
>>> as analytical thinking can sometimes get in the way of truth and
>>> Belief systems play a very important role, compared with evidence based,
>>> factual analysis, I have noticed.
>>> Also, the temptation to go that one step further and to continue
>>> in the natural processes of historical development in the name of
>>> anti-communism, anti-Cuba, anti-Sovietism and now anti-Russia and
>>> and anti Islam and pro western democratic belief systems means, just
>>> that "Inside the CIA" book of the 1970's about Latin America, the world
>>> international politics will remain a morass and a jungle, with the rule
>>> law, international, or national, playing little role, with plots and
>>> blowing up in the faces of the perpetrators as well as destroying the
>>> of the innocent.  Did the US intervention in Latin America change the
>>> of history?  Did it save the world from Communism and bring about human
>>> rights and democracy to the peoples of the world?  Did it leave the
>>> of the United States in a better world economic, political and
>>> and cultural position in the world of today...who knows.  Hollywood has
>>> the answers.
>>> Just a few thoughts on the current developments.
>>> ATB
>>> Dougie.
>>> --

Other related posts: