Tor (The Onion Router) is a military-grade, secure tool for increasing the privacy and anonymity of your communications; but it's been the subject of plenty of fear, uncertainty and doubt.
The Electronic Frontier Foundation's 7 Things You Should Know About Tor debunks some of the most common myths about the service (which even the NSA can't break) and raises some important points about Tor's limitations.
Before Edward Snowden went on the run and effected the first-ever leak of documents from the NSA, he threw a cryptoparty in Hawai'i, coordinating with Runa Sandvik from the Tor Project and Asher Wolf from the Cryptoparty movement to plan an event where everyday people were taught to use crypto. He gave a lecture for his neighbors on Truecrypt, and told people that he ran at least two Tor exist nodes to help people keep their anonymous traffic moving (Boing Boing also runs a Tor exit node). Apparently, his girlfriend videoed the event -- I'd love to see it!
Read the rest
Snowden used the Cincinnatus name to organize the event, which he announced on the Crypto Party wiki, and through the Hi Capacity hacker collective, which hosted the gathering. Hi Capacity is a small hacker club that holds workshops on everything from the basics of soldering to using a 3D printer.
“I’ll start with a casual agenda, but slot in additional speakers as desired,” write Cincinnatus in the announcement. “If you’ve got something important to add to someone’s talk, please share it (politely). When we’re out of speakers, we’ll do ad-hoc tutorials on anything we can.”
When the day came, Sandvik found her own way to the venue: an art space on Oahu in the back of a furniture store called Fishcake. It was filled to its tiny capacity with a mostly male audience of about 20 attendees. Snowden spotted her when she walked in and introduced himself and his then-girlfriend, Lindsay Mills, who was filming the event.
Michael from Beta Boston writes, "The privacy protections offered by tools like Tor aren't just for journalists and spies; they're important for everyone. Almost every modern abusive relationship has a digital component, from cyberstalking to hacking phones, emails, and social media accounts, but women's shelters increasingly have found themselves on the defensive, ill-equipped to manage and protect their clients from increasingly sophisticated threats. Recently the Tor Project stepped in to help change that, and we took a long look at the work cut out for them."
This is an important point: when you make it so that no one can keep secrets from the state and its enforcement arm, you also make it so that no one can keep secrets from crooks, thugs, stalkers, and every other kind of bad guy. Read the rest
TAILS -- The Amnesiac Incognito Live System -- is a highly secure operating system intended to be booted from an external USB stick without leaving behind any trace of your activity on either your computer or the drive. It comes with a full suite multimedia creation, communications, and utility software, all configured to be as secure as possible out of the box.
It was Edward Snowden's tradecraft tool of choice for harvesting and exfiltrating NSA documents. Yesterday, it went 1.0. If you need to turn a computer whose operating system you don't trust into one that you can use with confidence, download the free disk image. (Note: TAILS won't help you defend against hardware keyloggers, hidden CCTVs inside the computer, or some deep malware hidden in the BIOS). It's free as in speech and free as in beer, and anyone can (and should) audit it.
Two of my friends contributed afterwords to my novel Homeland: Aaron Swartz and Jacob Appelbaum. In this outtake from the independently produced Homeland audiobook (which you can get for the next week exclusively through the Humble Ebook Bundle), Jake reads his afterword at The Hellish Vortex Studio in Berlin, where he is in exile after several harrowing adventures at the US border. Hellish Vortex is run by Alec Empire, founding member of Atari Teenage Riot. Alec recorded this clip (MP3), and also mixed an alternate version.
Originally Jake had intended for his afterword to be anonymous (I didn't understand this at the time, and there was no harm done!). In keeping with this, Alec mixed this vocoder edition (MP3), that is pretty awesome.
In Censorship in the Wild: Analyzing Web Filtering in Syria [PDF], researchers from INRIA, NICTA and University College London parse through 600GB worth of leaked logfiles from seven Blue Coat SG-9000 proxies used by the Syrian government to censor and surveil its national Internet connections. They find that the Assad regime's censorship is more subtle and targeted than that of China and Iran, with heavy censorship of instant messaging, but lighter blocking of social media. They also report on Syrians' use of proxies, Tor, and Bittorrent to evade national censorship. It's the first comprehensive public look at the network censorship practiced in Syria.
Censorship in the Wild: Analyzing Web Filtering in Syria [PDF] (Thanks, Gary!) Read the rest
The lesson of the Silk Road takedown isn't that Ulbricht was sloppy about security. It's that the idea of a world famous, anonymous illegal market is fatally contradictory. Ullbricht made some technical mistakes, but his biggest one was conceptual: buying his own hype that high-tech tricks would let him implement a radical free market fundamentalism that could never work politically.Read the whole piece. Related: Chen's profile of Ross William Ulbricht. Read the rest
Top-secret documents leaked to the Guardian by former US intelligence contractor Edward Snowden reveal details of repeated attempts by the US and UK governments to crack Tor, the "onion router" that was originally funded in by the US government, and used widely by dissidents and activists around the world. Tor's core network security remains intact, but the NSA has had some success attacking users' computers, according to the report.
Looks like the government shutdown didn't stop federal agents from shutting down the most popular "deep web" illegal drug market. In San Francisco, federal prosecutors have indicted Ross William Ulbricht, who is said to be the founder of Silk Road. The internet marketplace allowed users around the world to buy and sell drugs like heroin, cocaine, and meth.
The government announced that it seized about 26,000 Bitcoins worth roughly USD$3.6 million, making this the largest Bitcoin bust in history. There were nearly 13,000 listings for controlled substances on the Silk Road site as of Sept. 23, 2013, according to the FBI, and the marketplace did roughly USD$1.2 billion in sales, yielding some $80 million in commissions.
According to the complaint, the service was also used to negotiate murder-for-hire: "not long ago, I had a clean hit done for $80k," the site's founder is alleged to have messaged an associate.
Ulbricht, 29, is also known as "Dread Pirate Roberts." Read the rest
Jacob Appelbaum of the Tor Project and Wikileaks addressed the European Parliament on the issue of surveillance and freedom. It was a remarkable speech, even by Appelbaum's high standards. An amateur transcript gives you a sense of what's going on, but the video is even better: "Is it used for coercion? Is data passed to autocratic regimes? Is it used to study groups? Is it used to disrupt? Yes, yes, and yes. Might they force or forge data? Absolutely." Read the rest
Errata Security CEO Rob Graham has published a blog-post speculating that ninety percent of the traffic on the Tor anonymized network can be broken by the NSA. That's because the majority of Tor users are still on the an old version of the software, 2.3, which uses 1024 RSA/DH keys -- and at keylengths of 1024 RSA/DH crypto can be broken in a matter of hours using custom chips fabbed at an estimated cost of $1B. It seems likely that the NSA has spent the necessary sum and sourced these chips (likely from IBM).
This isn't the same as being able to decrypt all of Tor in realtime, but it does suggest that the NSA could selectively decrypt its stored archives of Tor traffic.
However, the new version of Tor, 2.4, uses elliptical curve Diffie-Hellman ciphers, which are probably beyond the NSA's reach.
Graham faults the Tor Project for the poor uptake of its new version, though as an Ars Technica commenter points out, popular GNU/Linux distributions like Debian and its derivative Ubuntu are also to blame, since they only distribute the older, weaker version. In either event, this is a wake-up call that will likely spur both the Tor Project and the major distros to push the update.
Yesterday's revelations about the NSA's ability to decrypt 'secure' communications were taken by many to mean that the NSA had made fundamental mathematical or computing breakthroughs that allowed it to decrypt securely enciphered messages. But it's pretty clear that's not what's going on. Read the rest
More information on the malicious software that infected Tor Browser through Freedom Hosting's servers, which were then seized by law-enforcement: it turns out that infected browsers called home to the NSA. Or, at least, to an IP block permanently assigned to the NSA. Read the rest