It looks like the high performance exit node weakness has been exploited. https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format=pdf&; On Tue, Nov 11, 2014 at 2:10 PM, Jason Iannone <jason.iannone@xxxxxxxxx> wrote: > Dougie, > > While I have no direct information, history and common sense suggest that > a failure of operational security rather than a failure of tools is to > blame. Your scenario talks to that as well. Investigative techniques can > validate and deanonymize users of a tool before they make use of it. > That¹s not to discredit the very interesting attack surface presented by > the exit node selection criteria that Tor utilizes, but any exploits > utilizing such a feature would likely be added to the pile rather than > represent a key point of entry. Driving known targets to your sniffer box > is more valuable when you know which flows are theirs. > > Jason > > -----Original Message----- > From: doug <douglasrankine2001@xxxxxxxxxxx> > Reply-To: <cryptome@xxxxxxxxxxxxx> > Date: Tuesday, November 11, 2014 at 10:35 AM > To: <cryptome@xxxxxxxxxxxxx> > Subject: [cryptome] 3 Cryptographers at Dinner Mathematical Model > > > > Hi Jason, > > Not being a mathematician or a logician, I can't argue the > point...wouldn't know how to. > However, the problem I have with mathematical modelling is that it is > limited by its nature...i.e. the limitation of numbers compared with > words. It's like computer modelling of the environment. Global warming > and Doomsday all rolled into one, depending on how one sets the > parameters. it is no good having anonymity and unbreakable encryption > if the anonymity is not secure. Over a period of time, as the scenario > develops, along comes one system, only to be outdone by another system. > > I notice that the article is getting on a bit. Let me put a different > scenario. 3 cryptographers decide to have a secret dinner at a secret > hotel. They are going to discuss software like TOR and decide to prove > that TOR works by using it anonymously and one of them, yet to be > decided will be paying it via Bitcoin. They have used anonymising > software and a variety of methods to communicate with one another. they > are all experts in TOR...which means that each one of them must have > used it. As they have all used it, then they all went to the website to > download it, or find out more about it. > > Unbeknownst to them, the NSA, The CIA, The FBI and the Chinese > Intelligence State Corporation, already knows that they are having a > meeting, when it is, and what the topic is, and even have copies of the > menu. Accordingly, they have arranged for the waiter to listen in, and > for the Maitre D'Hotel to take the payment on his card machine, which > has been compromised by all 4 intelligence services. The windows are > bugged, the dinner table is bugged, their cars bugged with travel > information Not only that, but one of the cryptographers works for GCHQ, > the other for Mossad and the third one for the Chinese intelligence > Agency. The French have got wind of it and a honey trap set up for > after the meeting, for the one who has paid the bill.... > > As happened at Bletchley, it wasn't just the cracking of the codes, > using brute force, Collossus, or the bombes...it was the cribs and all > the other methods which was used. Some encryption was easy to break, it > wasn't all that important, other encryption was much more difficult, > particularly that at the highest governmental decision making levels. > See url: > http://chris-intel-corner.blogspot.gr/2013/04/decoding-prime-minister-chamb > erlains.html > for some stuff on Hitler and his leading Chamberlain up the garden path > pre Second world War, or the fact that Churchill and Roosevelt's secure > communication system was broken by the Germans. > > I see on cryptome that the FBI and the CIA use and trust TOR to get them > anonymity on social networks. The more people that use TOR, then the > more credibility it gets and the more they can hide behind the nodes. > They trust it. It allows them to work on the dark web. I can see why > they trust it...because, unlike most of the rest of us they are the only > ones who have the tools, the resources and the facilities to break it. > It is a crypto-war between the world's intelligence and security > services, and if any of them puts a back door into any of their secure > software, then it isn't long before the others either get to hear about > it, or find out for themselves. > > ATB > Dougie. > > On 11/11/14 16:21, Jason Iannone wrote: >> The author of the Pando article spends a great deal of time discussing >> the motivation for developing tor and tying the developers to defense. >> While those ties are interesting and notable, saddling the first >> thirty paragraphs with this information leaves a bad taste in my >> mouth. The discussion of exit node management and the protocol's >> focus on performance are key. NSA's efforts to build in weakness are >> well known and it's not much of a stretch to associate built-in >> weakness to the decision to favor high performance nodes[1]. >> >> The fact that tor has many use cases doesn't mean its broken. In >> fact, the government use case may be one of its more valuable selling >> points. If it's good enough for CIA, it's good enough for me. The >> foundation is, so far as we know, solid[2]. >> >> [1] >>http://csrc.nist.gov/groups/ST/crypto-review/documents/dualec_in_X982_and_ >>sp800-90.pdf >> >> >>[2]https://dl.dropboxusercontent.com/u/23931727/Dining%20Cryptographers%20 >>-%20Chaum.pdf >> >> >> On Tue, Nov 11, 2014 at 7:49 AM, Shaun O'Connor >><capricorn8159@xxxxxxxxx> wrote: >>> that was a good one Douggie and I agree entirely with your sentiments on >>> privacy, security etc. >>> what bothers me is the way people are being misled into entrusting their >>> privacy to third parties in the mistaken belief that so doing will give >>>them >>> more freedom to get on with whatever they are doing. >>> >>> Personally my view is if one wants to maximise operational security ( >>>i'll >>> call it opsec in future) then it behoves them to get their hands dirtly >>>and >>> learn the craft rather then rely on someone else to do it for them. >>>there is >>> always a tradeoff between convenience and control. >>> >>> ATB >>> Shaun >>> ps >>> Will look at the links later . >>> >>> On 11/11/2014 13:08, doug wrote: >>> >>> http://pando.com/2014/07/16/tor-spooks/ >>> >>> I thought that this was an interesting article. I don't use TOR, I have >>> never tried it because I know its origins...and I can't think of any >>> knowledge or activities I pursue as being so valuable or secret as to >>>be a >>> threat to the state. >>> Using technology for hiding the online activities of spooks is a >>>different >>> ball game from ordinary users using it thinking that their activities, >>>legal >>> or otherwise will be anonymous, is a product of too much cannabis oil. >>>TOR >>> has different functions for different people and organisations. It is >>>used >>> to hide the activities of spooks behind the activities of other users, >>>the >>> thinking is that the more of the public that use it, the easier it is >>>for >>> them to hide. rAnother advantage is that if enough of the security >>> community is convince, then they will recommend its use to every one >>>else. >>> The US government gives such stuff away to liberation fighters and >>> revolutionaries whilst its private enterprise sells the antidotes to the >>> software to those very secret services to which it is opposed. And the >>> politicians, in my view, know very little about it, believing that they >>>are >>> spreading human rights, American, British and Western style, all over >>>the >>> dictatorial world. However, the growth of the technology, the >>>cheapness of >>> software and storage and the increasing sophistication and wealth >>>expended >>> on intelligence and security in the world community has undermined any >>> superficial safety in using such software as TOR, truecrypt and some >>>secure >>> operating systems, in my view. I am not an expert in such matters, >>> particularly the technical side, but so often in history people have >>>been >>> misled into thinking that their communications are secure that they have >>> been sorely decieved when "the weel laid plans o' mice and men, gang >>>aft >>> astray..." as Robert Burns said in "To A Mouse", and they finish up >>>with >>> their homes, their lives and their families, as well as their dreams >>> destroyed. >>> >>> Apart from communications with my banks, I don't use encryption, >>>though I >>> have experimented with it a little bit. I know of old that if the >>>security >>> or intelligence agencies want to access such information then they can. >>> All >>> encrypted communications are recorded until they are deciphered...as >>>policy. >>> All TOR communications, from going to the website, downloading and >>> installing, as well as using are monitored. Wouldn't you, if your >>>mission >>> put you in charge of the safety security and intelligence on behalf of >>>the >>> people and government? It's a bit naive to think otherwise, in my >>>humble >>> opinion. >>> >>> When using the internet, one has to access it at some point, and >>>that is >>> generally through an ISP and an i.p. address, the same thing occurs >>>when one >>> receives a communication. It doesn't matter whether it is a phone, or a >>> laptop, even a wireless connection. As soon as one goes onto the >>>internet >>> then the activity is recorded, if not acknowledged. Those are the >>>weakest >>> points in my view. When one boils a kettle one knows where the energy >>> comes from, one knows that the kettle is a container, and, though one >>>may >>> not know exactly where the bubbles arise when the container boils, one >>>knows >>> when it will boil, the length of time it takes to boil and one can >>>record >>> the degree of entropy and the physical emergence of the bubbles of gas >>>into >>> the liquid topography. Doesn't take a lot to find out the cause and >>>effect. >>> >>> Studying the materials at Bletchley Park methods are still of much >>>relevance >>> in my view. see url: >>> http://www.bletchleypark.org.uk/ >>> There is plenty of stuff on the website, well worth a visit and lots of >>> links to all sorts of information, from books to memoirs and memories. >>> Encryption wasn't the only system which got cracked there. It was the >>>cribs >>> which were really important, everything from user mistakes and habits, >>>to >>> user locality, from timing and types of coding, from frequency of >>> transmission and patterns within the signals, to different kinds of >>>coding >>> and encyphering machinery. It wasn't all about betrayal by agents. >>>All of >>> those, and more, were collated, subjected to analysis and disparate >>> findings put together, to provide a cohesive picture of the intentions, >>> habits and wherewithalls of the enemy (or friendly and not so friendly >>> alien). I dare say that there are even more sophisticated methods >>>around >>> today, particularly mathematically and statistically, the software and >>> storage are so cheap, and many brilliant and educated minds are put >>>together >>> collectively in huge warehouses and think tanks to solve the problems. >>> Poachers become gamekeepers and vikki verki. >>> >>> From recent utterings by various personalities, political leaders and >>>senior >>> officers of agencies involved in the collection of information and its >>> analysis, they aren't about to stop any time soon, and I cannot see a >>> situation in the near future where personal privacy and security are >>>going >>> to improve. The safety of the system compared with the privacy and >>> security of the individual is deemed more important, though they would >>>say >>> that they are protecting both. The fear and the pressure is too great >>>for >>> all information, all data not to be collected so that governments aren't >>> taken by surprise. We also know of course, that governments, more often >>> than not, often do get taken by surprise, even when the information is >>> presented to them on a plate...they don't believe it, much in the same >>>way >>> as analytical thinking can sometimes get in the way of truth and >>>reality. >>> Belief systems play a very important role, compared with evidence based, >>> factual analysis, I have noticed. >>> >>> Also, the temptation to go that one step further and to continue >>>interfering >>> in the natural processes of historical development in the name of >>> anti-communism, anti-Cuba, anti-Sovietism and now anti-Russia and >>>anti-China >>> and anti Islam and pro western democratic belief systems means, just >>>like >>> that "Inside the CIA" book of the 1970's about Latin America, the world >>>of >>> international politics will remain a morass and a jungle, with the rule >>>of >>> law, international, or national, playing little role, with plots and >>>plants >>> blowing up in the faces of the perpetrators as well as destroying the >>>lives >>> of the innocent. Did the US intervention in Latin America change the >>>course >>> of history? Did it save the world from Communism and bring about human >>> rights and democracy to the peoples of the world? Did it leave the >>>people >>> of the United States in a better world economic, political and >>>sociological >>> and cultural position in the world of today...who knows. Hollywood has >>>all >>> the answers. >>> Just a few thoughts on the current developments. >>> ATB >>> Dougie. >>> >>> >>> >>> -- >>> PRIVACY IS A BASIC RIGHT - NOT A CONCESSION >> > > >