Sorry NSA, but the Tor network is secure – and it’s here to stay

There are still places to hide online. nataliej/Flickr

You may have seen reports over the weekend of yet another instalment in the revelations about the US National Security Agency’s (NSA) surveillance system: this time, a set of slides focused on cracking the Tor network, a popular method of staying anonymous online.

Developed at different stages with financing from the US military’s Defence Advanced Research Projects Agency (DARPA) and the Electronic Frontier Foundation (EFF), Tor is a network whose members relay one another’s traffic so that each of them can stay anonymous.

But now it appears that even this seemingly uncrackable network is under some degree of surveillance by the NSA and its British counterpart, the Government Communications Headquarters (GCHQ).

So how much surveillance, exactly?

You’re always being watched

Many companies track your patterns of movement online. You can be sure Facebook, Twitter, Google, and YouTube are doing their best to make money from your online activities.

Former NSA employee Edward Snowden recently revealed some of the operations of the US security apparatus, and the extent of their data capture is – to put it mildly – frightening.

It’s frightening because none of us can effectively do anything about being automatically captured by the covert surveillance of NSA’s PRISM infrastructure. If you are electronically within three degrees of separation from anyone who has travelled through the US, then you’re under assessment.

Thanks to journalists such as Glenn Greenwald, the details of the NSA’s activities are fast becoming a matter of public record. Events like 9/11 and the Boston Marathon bombings mean that, for some, the NSA’s operations are a perfectly appropriate and necessary part of the modern state.

But other users - assuming something similar to the NSA was already in operation - have developed networks like Tor to protect against surveillance.

Tor: total anonymity?

Tor was designed, apparently, to protect communication between political dissidents, and to allow everyday users to avoid location-based snooping.

It is because of Tor that you are aware of the death tolls and atrocities in the wars in Iraq and Afghanistan; it is through Tor that civilian video in Syria gets uploaded to LiveLeak. Tor is used by hackers in Mexico to combat drug cartels.

It has also been put towards all sorts of illegal activity – online criminal syndicates, child pornography, terrorism networks, drug cartels (notably the now-defunct Silk Road), and even the shady end of police departments are accessible through Tor.

Regular users aren’t very good at keeping things secret. ceridwen/Flickr

Tor is such an effective anonymisation device for criminals that it makes the surveillance of regular individuals through Facebook and Google largely ridiculous.

Tor operates by transferring data between members using many layers of encryption to hide the contents. The encrypted data is sent along a randomly determined path. Each computer along the path unwraps a layer of encryption, and then determines who is next to get the data packet. Eventually, the data request makes it to the correct computer, and a response is sent back in the same manner.

Any sort of internet connection can be made through a Tor network – HTML web browsing, piracy torrents, email, Internet Relay Chat, and so on and so forth. To an external observer, the network looks like a game of Chinese whispers. For someone observing a computer acting as a relay for these messages, it isn’t possible to determine which messages going in correspond to which messages going out.

At an exit node, however, all connections are “in the clear”. This is the point where surveillance operations have managed to intervene so far. Now there is concern that government surveillance may be able to expand beyond this, and crack the whole Tor network wide open.
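The layered wrapping and hop-by-hop unwrapping described above, as an added Python example that is not from the original article or from the Tor project: a client wraps a request once per relay, and each relay removes one layer and learns only the next hop. The relay names, destination, request and the HMAC-based toy cipher are constructed stand-ins for illustration; Tor's actual cell format and cryptography differ.

```python
import hashlib
import hmac
import json
import os

# Constructed sample data: relay names, destination and request are made up.
PATH = ["guard", "middle", "exit"]
DESTINATION = "example.org:80"
PAYLOAD = b"GET /index.html HTTP/1.1"


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one relay key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer (encrypt-then-MAC): nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; ValueError on a wrong key or a modified blob."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("layer authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def build_onion(keys, path, destination, payload):
    """Client: wrap the payload once per relay, innermost (exit) layer first."""
    next_hops = path[1:] + [destination]
    blob = payload
    for relay, next_hop in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = seal(keys[relay], layer)
    return blob


def peel(key, blob):
    """Relay: strip one layer, learning only where to forward the rest."""
    layer = json.loads(open_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def route(keys, path, onion):
    """Pass the onion along the path, recording what each relay sees."""
    views, blob = [], onion
    for relay in path:
        next_hop, inner = peel(keys[relay], blob)
        views.append({"relay": relay, "received": blob,
                      "next": next_hop, "forwards": inner})
        blob = inner
    return views


def demo():
    """Build one onion with fresh per-relay keys and route it."""
    # Assumption: the client already shares one secret key with each relay.
    keys = {relay: os.urandom(32) for relay in PATH}
    onion = build_onion(keys, PATH, DESTINATION, PAYLOAD)
    return keys, onion, route(keys, PATH, onion)


if __name__ == "__main__":
    _, _, views = demo()
    for v in views:
        clear = PAYLOAD in v["forwards"]
        print(f'{v["relay"]:>6} -> {v["next"]:<15} sees request in clear: {clear}')
```

Only the exit relay's `forwards` value equals the original request, which is the "in the clear" point the article describes; an application that adds its own end-to-end encryption (HTTPS, for example) would hand the exit ciphertext instead.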

Completely cracked, or just a scare campaign?

The most recent news pieces detail how Tor is “close” to being compromised, or that it can be hacked or cracked.

The disclosures include PowerPoint slides from the NSA in 2007 referring to the Tor problem (or, according to the slides, “Tor Stinks”), and then again in 2012 noting the continuing difficulty that Tor poses for surveillance.

The messages around these stories are largely the same as stories of security breaches from 2010, but with some indication that there has been a small degree of success.

The NSA admits in its slides that it will be impossible to do anything other than track a very, very small number of users.

Metrics on the Tor network have absolutely skyrocketed in the past two months, more than quadrupling since mid-August. This coincides with the release of the custom-made Pirate Browser – a free and easy way to connect to the Tor network.

This is possibly the reason for the recent press releases about the cracking of the network – it may be easier to scare people away from Tor, rather than cracking the network itself.

As the takedown of Freedom Hosting, a company that operated Tor hidden services, shows, Tor is most vulnerable to external attacks, such as physically removing servers.

It’s worth keeping in mind that the NSA is simply one of many organisations attempting to subvert the Tor network.

As much as the US government has become the nemesis of many privacy advocates, it is worth remembering that governments in Russia and China are well-known for their surveillance operations, and their frankly brutish response to dissident activity.

So while it isn’t 100% secure, Tor seems to be a pretty secure way to keep your online movements private.

56 Comments

  1. George Burns

    Although I am not connected with or a user of TOR thank you for helping publicize the TOR network's efforts to enhance online privacy. In my perhaps imperfect opinion protection against overzealous corporate state surveillance is far more important than the detection, or enhancement, of online criminal activity.

    My main quibble is that there is no effort made to localize the article. There has been absolutely no media reportage or speculation as to ASIO's activities under the "Five Eyes" agreement…

  2. Stephen H

    In a contemplative fashion...

    I'm amazed that a story on the Tor network doesn't mention that it was originally developed to protect US Navy communications. That navy still uses it to gather intelligence - as do other government organisations.

    There are two major threats to Tor users' anonymity (apart from stupidity - such as connecting through Tor and then using a credit card):

    1. Using outdated browsers, which enabled the FBI to insert malware and take down a company called Freedom Hosting, which among other things…

    1. George Burns

      In reply to Stephen H

      TOR is open source which allows many highly motivated developers the opportunity to independently audit the code. It is highly probable that any malware inserted into the code base would be quickly discovered and neutralized.

      P.S. Casting aspersions at TOR on the grounds of funding sourced from the Amerikan Navy is simply attempting to cast FUD. After all the internet itself was developed and funded by a branch of the Amerikan DOD and look at where that got them.

    2. Stephen H

      In a contemplative fashion...

      In reply to George Burns

      Ops (if that IS your real name), you appear to have read my post through an interesting prism.

      1. Malware was inserted using Firefox, which is part of the Tor Browser Bundle. You can read a bit more at http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/

      2. I am not casting aspersions upon Tor based on its government use, I am saying that it is used by governments. My post may not have been clear enough in stating that it is used by governments to keep in contact with their agents - not to uncover people using Tor. And yes, it was developed with the assistance of DARPA - the same US agency that was responsible for initial Internet development.

  3. Jeff Payne

    PhD in Political Science and Masters in Public Policy

    It has been confirmed that Google at least is doing much more than "doing their best to make money from your online activities." As was leaked to wikileaks, Google has been implicated in regime change in Egypt and ongoing attempts to change the Iranian government

    http://wikileaks.org/Op-ed-Google-and-the-NSA-Who-s.html

    Google is not only political but appears to be active in realizing a particular vision of the world, especially in the Middle East. The government that was realized in Egypt…

    1. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      Well, nothing is perfect. And I think using TOR for my Internet traffic would be a bottleneck, and a pain in the *** myself. But it's good that it exists. If one really wants to protest then one can use asymmetric encryption as PGP or better still http://www.gnupg.org/ to encrypt whatever one writes in one's ordinary mails. The encryption should be good (128 or 256 bits) enough to make NSA and others tear their hair out if we all did it :)

      The problem with that is that you need your recipients to…

    2. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      Actually, make a nice user interface for GnuPG, simplifying encryption, like dragging your unencrypted text into a window on your computer that then delivers the encrypted. Then tell folks to use it, sharing their 'open (public) keys' with all their friends over a normal mail. Sooner or later we should have a world wide encrypted mail system, making NSA and those others cry. In a world of encrypted fishes, which one will you target?

    3. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      It doesn't solve 'meta information' though. But it will teach them that people do not accept getting their integrity, and privacy, stolen from them. It's total BS telling me that I should trust someone that doesn't trust me.

    4. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      There is 'no security' only 'in security' inda org ?

      It's been ages since I did any rapping, but....

      If you create a cypher, translate everything into it, then create a new cypher, translate everything into it....... now, repeat the previous translations, until, you run into a buffer overflow, then, subtract two translations, and encrypt the final cypher text into some crappy AES or similar, 2048 bit encryption, in a sub process, forked from each cypher translation...2,3,4,5...N-2.

      ;)

    5. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      Although "They also claim that the agency has actually deployed custom-built computers designed to break encryption. Schneier theorizes these could be quantum computers capable of performing the heavy calculations, but highly unlikely." shows that they do not understand what a quantum computer is. It's not about 'heavy calculations' at all.

      It's more like a sort of interference phenomena in where, if you succeed to put your question stringently, gets an immediate answer, as the computer then only will have one solution that fits the question

    6. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      So what do we get from the new American policy of 'surveying the net'? Well, about the same idiocraty as we get from stopping developing, and protecting, a national defense, instead adopting NATO as some new 'world police'.

      Seems as too many naive politicians, world wide, more interested in presenting a 'balanced budget' than in defending their national values, and democracy, for their citizens found this idea a perfect solution.

      And the same goes for the way Internet now is being exploited…

    7. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      Or we will get an apology, and a changed behavior from NSA, and their 'employer', the American government. That government in where you can buy political posts by contributions, if you're rich enough, telling me that it 'defends democracy' too, no less.

      Geopolitics my ass. Stupidity galore.

    8. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      The policy is not new.

      Even in Australia, The Telecommunications Act, from 1993 or so, has provisions, for surveillance in it.

      No one cares

      about privacy, breaches by the NSA that were executed under a court order.

    9. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      That 'topsececret' link to Brazil is rather bad. Here's one, more informative I think. http://www.thehindu.com/news/international/world/brazil-plans-to-go-offline-from-uscentric-internet/article5137689.ece

      It's 'old news', multiple months old, which in some ways makes it ancient :) on the Internet. But with more Countries going this way, and I'm sure Russia, and other parts of East Europe, will change the way they communicate, we at last should get to a new cold cyber war, in where we 'exchange' views over some nodes, but otherwise behave as China, having our own 'intra nets'.

      That kills the Internet.

    10. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      And what it finally boils down to is trust. Without trust it's every man for himself. And telling me to trust someone that clearly does not trust me? No way to handle a country, in fact no way to handle anything, except possibly a tyranny, at its worst.

    11. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      Localised intranets, only add a layer of complexity, to the internet. It's been like that for over a decade, so what's the big deal about extending it further at a country layer ?

      It's not that 'they' or 'et al' surveil the internet, it's more the problem, that they take advantage ( like most companies, governments or organisations do ) of operating systems, firewalls, web services, routers, etc, which have had back doors, either maliciously or by accident, to control and manipulate, public opinion…

    12. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber
    13. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      Seems that there is a high proportion of images, created in the jpg-2000 format with arbitrary code, floating around, linked to stories, etc about security, NSA, Snowden, etc .....;)

      CVE-2014-1319

    14. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      You're correct, but what it does to an idea of democracy is exactly what I'm stating. To me it's the difference between being clever, and being wise. Maybe the only thing that can work for us is the idea of a representative democracy, practically. But we had the glimmer of a real democracy, with the Internet. The very reason why so many attack it in so many ways I think.

    15. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      Well, they may have problems there. Wonder how it goes with JAS 39 digital techniques. Don't know what security protocols they use there. On the other hand I don't think that's a real problem. The thing is that USA deliver 'broken software' to some weapon systems, at least I know did. You need to get 'authority' from for example NATO, or USA directly, to then get the 'updates' enabling the hardware's full use.

      The same goes for the digital 'death star' techniques they use, which Sweden has agreed…

    16. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      "Most of Brazil’s global internet traffic passes through the United States, so Ms. Rousseff’s government plans to lay underwater fibre optic cable directly to Europe and also link to all South American nations to create what it hopes will be a network free of US eavesdropping. "

      Most all Internet traffic today goes through some few major nodes/backbones. http://forums.speedguide.net/showthread.php?280197-US-Internet-backbone-maps

      "Inside some of the major data hubs that control the flow of…

    17. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      It's not enough. You may be able to do it with a quantum computer, depending on ones ability's, possibility, of formulating a correct question, as I understand it. Had a really good description somewhere, (as usual not now) of the techniques involved in formulating it

      "As a general rule, then, PCs in 2005 can perform 2^40 calculations in a few minutes.[citation needed] A few thousand PCs working for a few years could solve a problem requiring 2^64 calculations, but no amount of traditional computing…

    18. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      Having built, supported, upgraded, analysed, some of the highest volume websites in Australia ? unsure of their current rank ( Sensis : white pages, yellow pages, Search, Trading Post, Telstra : Online Billing, Foxtel's, etc ) getting hold of the server's ssl info, or stored meta data, to break, captured intercepted traffic, legally, is rather simple. It's called, tcpdump / snoop / snort / etc, some where between the requesting user, and the keyboard, of the Administrator / Engineer, looking after…

    19. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      Well, I think its been proven, that 20+% of the 99% quoted below, had an exploit in it for 2.25 years, which leaked, the keys, etc...

      quote : 'Almost all of the public-key encryption that is currently used would be breakable in principle by a quantum computer. [A public-key, or asymmetric, encryption algorithm uses a "public key" that is published to the world and a "private key" known only to the recipient. Public-key algorithms are widely used online.]
      That includes RSA, Diffie-Hellman, ElGamal, elliptic curve cryptography, and several other things also. That accounts for 99.9 percent of public key cryptography that anyone uses. That's all breakable by a quantum computer.'

    20. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      You know.

      If I was the NSA I would do three things.

      1. I would tell everyone that you can't trust asymmetric encryption, and that it is breakable.

      2. I would insert backdoors in open standards, at least making them 'weak', as well as in 'closed proprietary' standards. Some of the standards, open as closed, as well as software, for encryption are from NSA via NIST.

      3. I don't remember at the moment but there is something more you could do

      The first two I would refer to as shooting yourself…

    21. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      The point of this might be that when one sees security agencies encouraging you to use certain encryption standard, it may not necessarily be to one's benefit to follow such advice. The other may be that if you're going to use 'open standards', make sure they are open standards too, no encrypted proprietary little code hidden in it.

      And this has never been a problem for me, until now. I've always considered NIST one of the best organizations I know of, of good integrity and with interesting ideas and experiments. To me it's about trust, and how much you're willing to bet on that trust. A lot of 'innocents' should be prepared to get soiled by NSA:s choice of attitude. It's a little of a spy's wet dream this new era of communications, like a boys book, in black and white

    22. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      And this: https://webcache.googleusercontent.com/search?q=cache:www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

      Doesn't help if NIST is protesting I would suspect. As long as it is a matter of 'National Security'. The problem with USA is that they are the hub for a lot of the stuff we use today. And so their National Security becomes our, which is okay with them as long as we agree :) When we don't though?

    23. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      When it comes to this I can't really tell?
      Usually I would start with looking at who's the members evaluating etc. Doing so you get a shortcut to whose interests it will protect, more than the consumers. A pretty cynical shortcut I know, but it works.

    24. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      Climate modelling is rather, computational, heavy. Some of the systems, I worked on @ The Victorian Partnership for Advanced Computing [ https://www.vpac.org ], on secondment to the Victorian eResearch Strategic Initiative [ http://www.versi.edu.au ], out at the Australian Synchrotron [ https://www.synchrotron.org.au ], mostly focused on life sciences [ http://www.versi.edu.au/versi-projects/life-science-projects ] and data [ http://www.versi.edu.au/versi-projects/research-data ] as opposed to…

    25. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      Interesting. And it all goes back to trust, wouldn't you agree? You could say, or at least I will say, that democracy is an idea of transparency and trust in the end. Whereas a tyranny, or anything similar, will go the other way, building a system where no one will be able to trust anything, or anyone (i.e STASI)

      We live by trust.

    26. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      Question :

      Going by the principle of trust, why do you need to utilise a service, which is based on the principle that there is 'no trust' and you need to hide ?

      Answer :

      Greed.

      This was my 'reality' last week.

      http://fookey.weebly.com/1/post/2014/04/psa-and-bone-scan-results.html

      This week, I get follow up tests done.

      This week, I battle with my financial institutions.

      This week, I battle with relatives regarding my insecure living arrangements.

      This week, I battle with…

    27. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      Trust is what Internet was based on, once. It led to all sorts of things, like criminality and people abusing it. Same as on the street actually. But you do not see agencies tracking you wherever you go, do you? Unless you use a (smart) phone, constantly connected to the phone net. You can use the exact same standards, and demands, for a 'cyber police' as you use for a 'real police' as I see it. But you do not need a cyber STASI, no matter if it uses silk gloves, or iron gloves.

    28. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      As for "TOR, unfortunately, makes it harder for the authorities to perform their function. That also includes, the admins / engineers who build / support / patch computers / networks / infrastructure who have to deal with those problems as well."

      Sure, it is meant for making it harder for 'authorities'. That's the whole idea behind it. Enabling spies etc to transfer information, hopefully untraceable. It is also used by others, amongst them whistle blowers, so it fulfills a purpose from a lot of points of view.

      As for why admins would find TOR a problem I'm not sure? What are you thinking of there?

    29. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      Buffer overflows seem a never ending problem, doesn't it :) Think I read about them from almost the beginning of my computerate (read literate) period, so to speak. Anything can be manipulated, as everything we see, or read, consist of the same binary bits, treated differently depending on its outcome, as a text, or a photo, or a *exe file, ad infinitum.

    30. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      It was once upon a time. eCommerce changed the net, which also, brought along the wave of worms, virus, trojans, spam, bots, cyber armies, cyber police, etc. Government, corporate and consumer reliance on the internet, has unfortunately, brought in line with what most countries deem as critical infrastructure.

      What's the latest $ value, assigned to the availability of the net ?

      Excuse the reference, but unfortunately, the STASI, ( well according to my in built encyclopaedia : ended in 1989 ) and to add a randomised search of the same year and country, about the same time, as Karl was found [ http://en.wikipedia.org/wiki/Karl_Koch_(hacker) ].

      All policing authorities, observe human behaviour, whether it be over hearing a conversation in the street in an ambiguous language, or via a secure, encrypted, medium via the internet, or a phone, or a modem, etc.

    31. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      Intentional ones, yes.

      Although, I'm sure, some exploit code, in a crafted jpg-2000 image, being emailed, or placed on a website, etc does, bring joy and excitement, to at least the person / corporation / group who wrote the software that is being targeted with the buffer overflow. Seeing and experiencing the effects of that code, exploit, etc, keeps a lot of people, and corporations in business.

      It's funny how every Operating System Manufacturer, software developer, in the world, tries to disclaim responsibility for their products by caveats, etc, etc, etc....;)

    32. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      'As for why admins would find TOR a problem I'm not sure? What are you thinking of there?'

      There have been well documented criminal cases from around the world, where Admins / Engineers, have been compromised, either directly by 'criminal' activity, either to obtain information, insert bugs, etc, etc, etc .....

    33. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      Yoron :

      if you look up this case in the County Court of Victoria : CR-10-02256, you will find, multiple references to the 'criminal' having psychosis, etc, and supposedly she was under investigation by the FBI, CIA & ASIO. You will also find, that the person, she tried to kidnap, and kill, had a family member, who was involved in doing in-depth, security and risk assessment on Australia's telecommunications providers, etc, for a major U.S. I.T. Corporation.

    34. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      et al ?

      Last week's P.I.R. and follow up results are available @

      http://fookey.weebly.com/

      Unfortunately, due to my viral infection, I'm unable to reverse engineer and deconstruct the centrelink, express iPhone application, to see if it was using, any publicly disclosed exploits. Mind you, it does, crash every now and then, with some really 'funny' dumps...!

    35. Yoron Hamber

      Thinking

      In reply to Mark A. Lane

      Not acceptable.

      The one thing you have is a right to privacy and integrity. From that statement a lot of other things are implied as your right to free speech. There is no such thing as a 'one way street of trust' as the new surveillance techniques demands of me. The only Country that may, just may, be able to demand such is my own, and only in a state of total war, happening in my own country.

      Otherwise every state official, every agency, every power abuser, better respect my integrity and right to privacy, as I think :) As long as we live in 'democracies' that is. Without a representative democracy a STASI is inevitable, 'cyber' as well as on the street.

    36. Yoron Hamber

      Thinking

      In reply to Yoron Hamber

      Hmm, my Country involved fighting an occupying force, that means :) Not a civil war, because in such the state already is questionable, and questioned.

    37. Mark A. Lane

      Unemployed Information and Communications Technology Professional. at A dole queue near you.

      In reply to Yoron Hamber

      I updated, http://fookey.weebly.com/

      If you would like to fund an Open Source KORN Shell based cyclical encryption hardening script, let me know. It's been a frozen project, since April 2013 and looking for funding, since April, 2013.

      I'm still unemployed.

      I'm still getting tested for relapse of my Prostate Cancer.

      I'm also, financially f**ked.

      Don't worry about the STARSI, mate.

      It's the Machiavellian's that end up biting people in the arse. ( @ a country or global scale ).
