Errata Security CEO Rob Graham has published a blog-post speculating that ninety percent of the traffic on the Tor anonymized network can be broken by the NSA. That's because the majority of Tor users are still on the an old version of the software, 2.3, which uses 1024 RSA/DH keys -- and at keylengths of 1024 RSA/DH crypto can be broken in a matter of hours using custom chips fabbed at an estimated cost of $1B. It seems likely that the NSA has spent the necessary sum and sourced these chips (likely from IBM).
This isn't the same as being able to decrypt all of Tor in realtime, but it does suggest that the NSA could selectively decrypt its stored archives of Tor traffic.
However, the new version of Tor, 2.4, uses elliptical curve Diffie-Hellman ciphers, which are probably beyond the NSA's reach.
Graham faults the Tor Project for the poor uptake of its new version, though as an Ars Technica commenter points out, popular GNU/Linux distributions like Debian and its derivative Ubuntu are also to blame, since they only distribute the older, weaker version. In either event, this is a wake-up call that will likely spur both the Tor Project and the major distros to push the update.
Yesterday's revelations about the NSA's ability to decrypt 'secure' communications were taken by many to mean that the NSA had made fundamental mathematical or computing breakthroughs that allowed it to decrypt securely enciphered messages. But it's pretty clear that's not what's going on.
Read the rest
More information on the malicious software that infected Tor Browser through Freedom Hosting's servers, which were then seized by law-enforcement: it turns out that infected browsers called home to the NSA. Or, at least, to an IP block permanently assigned to the NSA.
Read the rest
Read the rest
Read the rest
HackBB is a popular underground BBS for computer criminals; last March it went down after a prominent user and administrator called Boneless stole all the funds in an escrow service used by criminals to pay each other for services; destroyed part of HackBB's database; and sent blackmail notes to many of the site's users. Prior to the theft, Boneless had been a sterling member of the community, posting well-written, useful guides to using stolen credit cards, defrauding online bookmakers, and going underground anonymously. After two years' worth of winning the community's trust, he raided them and took the site down. But it didn't last long -- today, HackBB is back up and running.
Read the rest
Read the rest
More NSA leaks: how the NSA bends the truth about spying on Americans while insisting it doesn't spy on Americans
The Guardian has published two more top-secret NSA memos, courtesy of whistleblower Edward Snowden. The memos are appendices to "Procedures used by NSA to target non-US persons" (1, 2), and they detail the systems the NSA uses to notionally adhere to the law that prohibits them from spying on Americans.
More importantly, they expose the "truth" behind NSA director James Clapper's assertion that "The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress." This turns out to be technically, narrowly true, but false in its implication, as Declan McCullagh explains on CNet:
Clapper's statement was viewed as a denial, but it wasn't. Today's disclosures reveal why: Because the Justice Department granted intelligence analysts "proper legal authorization" in advance through the Holder regulations.
"The DNI has a history of playing games with wording, using terms with carefully obscured meanings to leave an impression different from the truth," Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation who has litigated domestic surveillance cases, told CNET earlier this week.
Read the rest
Molly sez, "I wrote this short essay over at iO9 on what the future of civil disobedience could look like. Though in the past civil disobedience was enacted in the streets, with people placing their bodies in harm's way for their cause, now online activists can engage in digitally-based acts of civil disobedience from their keyboards. I lay out three major lines along which digitally-based civil disobedience is developing: disruption, information distribution, and infrastructure. The future of civil disobedience online lies in affinity groups combining these three styles of activism, and using a diversity of tactics to support a common cause."
Infrastructure-based activism involves the creation of alternate systems to replace those that have been compromised by state or corporate information-gathering schemes. In other words, if the government is snooping on the internet, activists build a tool to make it harder for them to see everything. Tor, Diaspora, and indenti.ca are some examples of these projects, as are the guerrilla VPNs and network connections that often spring up to serve embattled areas, provided by activists in other countries.
Similar to living off the grid, these projects provide people with options beyond the default. Open source or FLOSS software and Creative Commons use a similar tactic: when the system stops working, create a new system. The challenge is to bring these new systems into widespread use without allowing them to be compromised, either politically or technically. However, these new systems often have to fight network effects as they struggle to attract users away from dominant systems. Diaspora faced this issue with Facebook. Without being able to disrupt dominant systems, user migration is often slow and piecemeal, lacking the impact activists hope for.
Onion Pi - Convert a Raspberry Pi into a Anonymizing Tor Proxy, for easy anonymous internet browsing
About this nifty "Onion Pi" HOWTO just published at Adafruit, Phil Torrone says, "Limor and I cooked up this project for folks. We are donating a portion of any sales for the pack we sell that helps do this to the EFF and Tor."
Browse anonymously anywhere you go with the Onion Pi Tor proxy. This is fun weekend project that uses a Raspberry Pi, a USB WiFi adapter and Ethernet cable to create a small, low-power and portable privacy Pi. Using it is easy-as-pie. First, plug the Ethernet cable into any Internet provider in your home, work, hotel or conference/event. Next, power up the Pi with the micro USB cable to your laptop or to the wall adapter. The Pi will boot up and create a new secure wireless access point called Onion Pi. Connecting to that access point will automatically route any web browsing from your computer through the anonymizing Tor network.
Part of the plot in Homeland revolves around "hidden services" on the Tor network. Now, a fan of mine in Norway called Tor Inge Røttum has set up a hidden service and stashed copies of all my books there. He writes:
A hidden service in Tor is a server, it can be any server, a web server, chat server, etc. A hidden service can only be accessed through Tor. When accessing a hidden service you don't need an exit node, which means that they are more secure than accessing the "clearnet" or the normal Internet (if you want). Because then the exit nodes can't snoop up what you are browsing. Hidden services are hard to locate as most of them aren't even connected to the clearnet.
I don't have any servers or computers that I can run 24/7 to host a hidden service, but fortunately there is a free webhost that is hosting websites on Tor: http://torhostg5s7pa2sn.onion.to
After creating the domain I wrote a dirty bash script to download most of Cory's books and create a HTML file linking to them. It's available on pastebin: http://pastebin.com/3YR6j8zJ
How cool is that?
Gwern's "Using Silk Road" is a riveting, fantastically detailed account of the theory and practice of Silk Road, a Tor-anonymized drugs-and-other-stuff marketplace where transactions are generally conducted with BitCoins. Gwern explains in clear language how the service solves many of the collective action problems inherent to running illicit marketplaces without exposing the buyers and sellers to legal repercussions and simultaneously minimizing ripoffs from either side. It's a tale of remix-servers, escrows, economics, and rational risk calculus -- and dope.
But as any kidnapper knows, you can communicate your demands easily enough, but how do you drop off the victim and grab the suitcase of cash without being nabbed? This has been a severe security problem forever. And bitcoins go a long way towards resolving it. So the additional security from use of Bitcoin is nontrivial. As it happened, I already had some bitcoins. (Typically, one buys bitcoins on an exchange like Mt.Gox; the era of easy profitable "mining" passed long ago.) Tor was a little more tricky, but on my Debian system, it required simply following the official install guide: apt-get install the Tor and Polipo programs, stick in the proper config file, and then install the Torbutton. Alternately, one could use the Tor browser bundle which packages up the Tor daemon, proxy, and a web browser all configured to work together; I’ve never used it but I have heard it is convenient. (I also usually set my Tor installation to be a Tor server as well - this gives me both more anonymity, speeds up my connections since the first hop/connection is unnecessary, and helps the Tor network & community by donating bandwidth.)
Jacob Appelbaum's keynote from 29C3 -- last December's Chaos Communications Congress in Hamburg -- is a riveting hour on surveillance, freedom, and the wild, criminal lawlessness of the NSA and other spy agencies. Jacob's factual, methodical laying out of the growth of American surveillance is brilliant, terrifying and enraging, and it left me wanting to rush to a barricade. Jacob's insights into how we are coping with the surveillance state and why that needs to change are terrific. Someone make a transcript of this, please.
The latest edition of Juice Rap News, "Big Brother is WWWatching You," is a catchy little rap ditty about how the Internet is being remade as a total information awareness panopticon:
September 2012 rocks around with some crucial developments in the ongoing struggle over the future of the internet. Will it remain the one open frequency where humanity can bypass filters and barriers; or become the greatest spying machine ever imagined? The future is being decided as we type. Across Oceania, States have been erecting and installing measures to legalise the watching, tracking and storage of data of party-members and proles alike. If such plans materialize, will this place ever be the same? And what will be the evolutionary consequences for our human journey? Join our plucky host Robert Foster as he conducts an incisive analysis of the situation at hand. Joining him are newly appointed Thought Police General at the Pentopticon, Darth O'Brien Baxter, and a surprisingly lucid Terence Winston Moonseed. Once again, in the midst of this Grand Human Experiment, we are forced to ask tough questions about our future. Will it involve a free internet which will continue to revolutionise the way the world communicates with itself? Or is our picture of the future a Boot stamping on this Human InterFace forever?
I like the guest appearance from George TORwell.