[cryptome] Re: 3 Cryptographers at Dinner Mathematical Model

  • From: doug <douglasrankine2001@xxxxxxxxxxx>
  • To: cryptome@xxxxxxxxxxxxx
  • Date: Tue, 18 Nov 2014 17:30:19 +0000

On 18/11/14 16:50, Jason Iannone wrote:
It looks like the high performance exit node weakness has been exploited.


Hi Jason,
Tx for bringing that up.
A little while back I read the same article on Cryptome...but I didn't really understand it, low latency and high latency et al, and couldn't find it when I came back from holiday.

However, in another article on Cryptome, the FBI had been monitoring Sabu and correlating his stay at home with his use of TOR on his computer and comparing the outcome with someone else who was being monitored as a target agent of operations. Traffic and statistical software being used to correlate the transmission of the information and its reception. They managed to tie in the information from Sabu to the recipient. They did the same thing with the transmissions and receptions in the Silk Road case.

Combine that with large scale monitoring and access to cables by the security and intelligence services and it might become a viable proposition to be able to crack or regularly break into who is communicating with whom on TOR. On looking further at the TOR website, I discovered that the maximum amount of users at any one time is 250,000. They also break down the users into categories, for instance a lot more bots have been using TOR which has pushed up the usage figures quite dramatically.
see url: https://metrics.torproject.org/

It isn't beyond the realms of possibility that one of those large warehouses of intelligence, be it state or private, can, or have set up networks of virtual or real computers on the hardware they can afford and do experiments with TOR, encryption and Bitcoin in an internal form of internet, or virtual private network. Over a period of time, such an experiment could reveal what is possible and not possible regarding synchronising inputs to TOR with outputs from TOR, particularly using those very cribs and other sources of information which they have.

I notice too, that on reading the FBI affidavit regarding the 2nd Silk Road, that it states that as well as tapping into foreign servers and getting foreign governments to give information to aid their case, they also say that they had an insider at work, who used various methods to check that the CEO was on line and using a certain computer. They also followed him and homed in on his use of a computer at an hotel and, I think at his home, which also tied in with his TOR transmissions to the servers...which the FBI were able to monitor one way or another. In law, it is a question of how one gets information of course and in the US if it is deemed to be illegal it usually cannot be used in court. However, illegal information, say gained from the CIA, can be useful and allow law enforcement to gather the information in another, legal way, suitable for submission to the courts. The criminals, after all, cannot expect to get away carte blanche with illegal or criminal activity, and expect the law enforcement agencies to use purely legal ways of gathering information. In the real world, that doesn't happen and has never happened...

On Tue, Nov 11, 2014 at 2:10 PM, Jason Iannone <jason.iannone@xxxxxxxxx> wrote:

While I have no direct information, history and common sense suggest that
a failure of operational security rather than a failure of tools is to
blame. Your scenario talks to that as well. Investigative techniques can
validate and deanonymize users of a tool before they make use of it.
That's not to discredit the very interesting attack surface presented by
the exit node selection criteria that Tor utilizes, but any exploits
utilizing such a feature would likely be added to the pile rather than
represent a key point of entry. Driving known targets to your sniffer box
is more valuable when you know which flows are theirs.


-----Original Message-----
From: doug <douglasrankine2001@xxxxxxxxxxx>
Reply-To: <cryptome@xxxxxxxxxxxxx>
Date: Tuesday, November 11, 2014 at 10:35 AM
To: <cryptome@xxxxxxxxxxxxx>
Subject: [cryptome] 3 Cryptographers at Dinner Mathematical Model

Hi Jason,

Not being a mathematician or a logician, I can't argue the
point...wouldn't know how to.
However, the problem I have with mathematical modelling is that it is
limited by its nature...i.e. the limitation of numbers compared with
words.  It's like computer modelling of the environment. Global warming
and Doomsday all rolled into one, depending on how one sets the
parameters.  It is no good having anonymity and unbreakable encryption
if the anonymity is not secure.  Over a period of time, as the scenario
develops, along comes one system, only to be outdone by another system.

I notice that the article is getting on a bit.  Let me put a different
scenario.  3 cryptographers decide to have a secret dinner at a secret
hotel.  They are going to discuss software like TOR and decide to prove
that TOR works by using it anonymously and one of them, yet to be
decided will be paying it via Bitcoin. They have used anonymising
software and a variety of methods to communicate with one another.  They
are all experts in TOR...which means that each one of them must have
used it.  As they have all used it, then they all went to the website to
download it, or find out more about it.

Unbeknownst to them, the NSA, The CIA, The FBI and the Chinese
Intelligence State Corporation, already knows that they are having a
meeting, when it is, and what the topic is, and even have copies of the
menu.  Accordingly, they have arranged for the waiter to listen in, and
for the Maitre D'Hotel to take the payment on his card machine, which
has been compromised by all 4 intelligence services.  The windows are
bugged, the dinner table is bugged, their cars bugged with travel
information. Not only that, but one of the cryptographers works for GCHQ,
the other for Mossad and the third one for the Chinese intelligence
Agency.  The French have got wind of it and a honey trap set up for
after the meeting, for the one who has paid the bill....

As happened at Bletchley, it wasn't just the cracking of the codes,
using brute force, Colossus, or the bombes...it was the cribs and all
the other methods which was used.  Some encryption was easy to break, it
wasn't all that important, other encryption was much more difficult,
particularly that at the highest governmental decision making levels.
See url:
for some stuff on Hitler and his leading Chamberlain up the garden path
pre Second world War, or the fact that Churchill and Roosevelt's secure
communication system was broken by the Germans.

I see on cryptome that the FBI and the CIA use and trust TOR to get them
anonymity on social networks.  The more people that use TOR, then the
more credibility it gets and the more they can hide behind the nodes.
They trust it.  It allows them to work on the dark web.  I can see why
they trust it...because, unlike most of the rest of us they are the only
ones who have the tools, the resources and the facilities to break it.
It is a crypto-war between the world's intelligence and security
services, and if any of them puts a back door into any of their secure
software, then it isn't long before the others either get to hear about
it, or find out for themselves.


On 11/11/14 16:21, Jason Iannone wrote:
The author of the Pando article spends a great deal of time discussing
the motivation for developing tor and tying the developers to defense.
While those ties are interesting and notable, saddling the first
thirty paragraphs with this information leaves a bad taste in my
mouth.  The discussion of exit node management and the protocol's
focus on performance are key.  NSA's efforts to build in weakness are
well known and it's not much of a stretch to associate built-in
weakness to the decision to favor high performance nodes[1].

The fact that tor has many use cases doesn't mean it's broken.  In
fact, the government use case may be one of its more valuable selling
points.  If it's good enough for CIA, it's good enough for me.  The
foundation is, so far as we know, solid[2].



On Tue, Nov 11, 2014 at 7:49 AM, Shaun O'Connor
<capricorn8159@xxxxxxxxx> wrote:
that was a good one Douggie and I agree entirely with your sentiments on
privacy, security  etc.
what bothers me is the way people are being misled into entrusting their
privacy to third parties in the mistaken belief that so doing will give
more freedom to get on with whatever they are doing.

Personally my view is if one wants to maximise operational security (call
it opsec in future) then it behoves them to get their hands dirty
learn the craft rather than rely on someone else to do it for them.
there is always a tradeoff between convenience and control.

Will look at the links later .

On 11/11/2014 13:08, doug wrote:


I thought that this was an interesting article.  I don't use TOR, I have
never tried it because I know its origins...and I can't think of any
knowledge or activities I pursue as being so valuable or secret as to be a
threat to the state.
    Using technology for hiding the online activities of spooks is a
ball game from ordinary users using it thinking that their activities,
or otherwise will be anonymous, is a product of too much cannabis oil.
has different functions for different people and organisations.  It is
to hide the activities of spooks behind the activities of other users,
thinking is that the more of the public that use it, the easier it is
them to hide.  Another advantage is that if enough of the security
community is convinced, then they will recommend its use to every one
The US government gives such stuff away to liberation fighters and
revolutionaries whilst its private enterprise sells the antidotes to the
software to those very secret services to which it is opposed.  And the
politicians, in my view, know very little about it, believing that they
spreading human rights, American, British and Western style, all over
dictatorial world.  However, the growth of the technology, the cheapness of
software and storage and the increasing sophistication and wealth
on intelligence and security in the world community has undermined any
superficial safety in using such software as TOR, truecrypt and some
operating systems, in my view.  I am not an expert in such matters,
particularly the technical side, but so often in history people have
misled into thinking that their communications are secure that they have
been sorely deceived when "the weel laid plans o' mice and men,  gang
astray..."  as Robert Burns said in "To A Mouse", and they finish up
their homes, their lives and their families, as well as their dreams

   Apart from communications with my banks, I don't use encryption, though I
have experimented with it a little bit. I know of old that if the
or intelligence agencies want to access such information then they can.
encrypted communications are recorded until they are deciphered...as
All TOR communications, from going to the website, downloading and
installing, as well as using are monitored. Wouldn't you, if your
put you in charge of the safety security and intelligence on  behalf of
people and government?  It's a bit naive to think otherwise, in my

    When using the internet, one has to access it at some point, and that is
generally through an ISP and an i.p. address, the same thing occurs when one
receives a communication. It doesn't matter whether it is a phone, or a
laptop, even a wireless connection.  As soon as one goes onto the
then the activity is recorded, if not acknowledged. Those are the
points in my view.   When one boils a kettle one knows where the energy
comes from, one knows that the kettle is a container, and, though one
not know exactly where the bubbles arise when the container boils, one
when it will boil, the length of time it takes to boil and one can
the degree of entropy and the physical emergence of the bubbles of gas
the liquid topography.  Doesn't take a lot to find out the cause and

Studying the materials at Bletchley Park methods are still of much
in my view.   see url:
There is plenty of stuff on the website, well worth a visit and lots of
links to all sorts of information, from books to memoirs and memories.
Encryption wasn't the only system which got cracked there.  It was the
which were really important, everything from user mistakes and habits,
user locality, from timing and types of coding, from frequency of
transmission and patterns within the signals, to different kinds of
and encyphering machinery.  It wasn't all about betrayal by agents. All of
those, and more, were collated, subjected to analysis and disparate
findings put together, to provide a cohesive picture of the intentions,
habits and wherewithalls of the enemy (or friendly and not so friendly
alien).  I dare say that there are even more sophisticated methods
today, particularly mathematically and statistically, the software and
storage are so cheap, and many brilliant and educated minds are put
collectively in huge warehouses and think tanks to solve the problems.
Poachers become gamekeepers and vikki verki.

  From recent utterings by various personalities, political leaders and
officers of agencies involved in the collection of information and its
analysis, they aren't about to stop any time soon, and I cannot see a
situation in the near future where personal privacy and security are
to improve.   The safety of the system compared with the privacy and
security of the individual is deemed more important, though they would
that they are protecting both. The fear and the pressure is too great
all information, all data not to be collected so that governments aren't
taken by surprise.  We also know of course, that governments, more often
than not, often do get taken by surprise, even when the information is
presented to them on a plate...they don't believe it, much in the same
as analytical thinking can sometimes get in the way of truth and
Belief systems play a very important role, compared with evidence based,
factual analysis, I have noticed.

Also, the temptation to go that one step further and to continue
in the natural processes of historical development in the name of
anti-communism, anti-Cuba, anti-Sovietism and now anti-Russia and
and anti Islam and pro western democratic belief systems means, just
that "Inside the CIA" book of the 1970's about Latin America, the world
international politics will remain a morass and a jungle, with the rule
law, international, or national, playing little role, with plots and
blowing up in the faces of the perpetrators as well as destroying the
of the innocent.  Did the US intervention in Latin America change the
of history?  Did it save the world from Communism and bring about human
rights and democracy to the peoples of the world?  Did it leave the
of the United States in a better world economic, political and
and cultural position in the world of today...who knows.  Hollywood has
the answers.
Just a few thoughts on the current developments.

