Lord Dave
Is TOR no longer anonymous?
« on: November 12, 2015, 12:37:19 PM »
http://arstechnica.com/tech-policy/2015/11/tor-director-fbi-paid-carnegie-mellon-1m-to-break-tor-hand-over-ips/


Long story short: FBI allegedly hires university to research how to unanonymize TOR users.  They may or may not have succeeded, but probably did.
If you are going to DebOOonK an expert then you have to at least provide a source with credentials of equal or greater relevance. Even then, it merely shows that some experts disagree with each other.

xasop
Re: Is TOR no longer anonymous?
« Reply #1 on: November 12, 2015, 12:42:50 PM »
This article is very light on detail, probably because there isn't much detail available yet. There are many well-known ways of identifying Tor users that rely on user negligence rather than tracing the connections themselves, which don't break Tor so much as exploit human weakness. I would be very interested to see if and how they actually did this, and if it is a legitimate break.
when you try to mock anyone while also running the flat earth society. Lol

Re: Is TOR no longer anonymous?
« Reply #2 on: November 12, 2015, 03:35:08 PM »
Yesterday in r/IAmA, some NSA tech dude was answering questions and talked about TOR: https://www.reddit.com/r/IAmA/comments/3sf8xx/im_bill_binney_former_nsa_tech_director_worked/

Quote
Q: What's your opinion on Deep Web, Tor and other untraceable internet-browsing systems?
Do you think a user is compelled to resort to such tools to protect their privacy and information?

A: Part of the Treasuremap program includes approx 1000 trace route programs embedded in switches and servers, to trace the route of packets through the network, and they are using this to attack Tor, which I believe they still have problems following.
Google the NSA program Treasuremap for more info.

I dunno if he's right or wrong or whatever, but it's apropos.
I have visited from prestigious research institutions of the highest caliber, to which only our administrator holds with confidence.

Pete Svarrior
Re: Is TOR no longer anonymous?
« Reply #3 on: November 12, 2015, 10:24:39 PM »
Tor can only anonymise the transfer of data. If the issue isn't social, as Parsifal suggested, then it could have to do with virtually any software that said users were running.

That said, no serious Tor advocate will tell you that you should trust it. A network whose significant parts are owned by intelligence agencies is something you should only use if you know what you're doing.
Read the FAQ before asking your question - chances are we already addressed it.
Follow the Flat Earth Society on Twitter and Facebook!

If we are not speculating then we must assume

Re: Is TOR no longer anonymous?
« Reply #4 on: November 30, 2015, 11:22:54 PM »
If used correctly from initial download through use, it will keep you anonymous. Even more so if Tails is used.
I think about 7 years ago the FBI was able to theoretically trace a connection if they could get a tracker installed before the jump to nodes. They got it to work in a closed system. TOR responded by making updates automatic, since the FBI had actually compromised an out of date version.
The FBI was still not able to actually 'track' the user, but could see where they began and where they ended.

To add something: Do not listen to those that also say PGP is compromised. There is no evidence of that; and if it had been compromised, why would the FBI and NSA make such a big deal about needing the keys? It will be cracked one day, but most non-free services have moved far beyond basic PGP.

xasop
Re: Is TOR no longer anonymous?
« Reply #5 on: December 01, 2015, 07:48:39 AM »
Quote
To add something: Do not listen to those that also say PGP is compromised.

What does this even mean? PGP doesn't provide any cryptography by itself; it's a protocol in which cryptographic algorithms such as RSA and SHA-2 can be used. It's not possible to compromise something that doesn't offer any inherent security in the first place.

Pete Svarrior
Re: Is TOR no longer anonymous?
« Reply #6 on: December 01, 2015, 10:10:44 PM »
Quote
If used correctly from initial download through use, it will keep you anonymous. Even more so if Tails is used.

No. It will at best make you difficult to track.

Quote
I think about 7 years ago the FBI was able to theoretically trace a connection if they could get a tracker installed before the jump to nodes.

That's very unlikely, given Tor's structure. To the best understanding of experts in the field (NSA included, at least at the time of Snowden's leaks), your best shot at correlating Tor users to exit node activity is a timing attack or achieving control of an entire circuit.

Quote
TOR responded by making updates automatic, since the FBI had actually compromised an out of date version.

That simply didn't happen.

Re: Is TOR no longer anonymous?
« Reply #7 on: December 02, 2015, 10:15:00 PM »
http://www.wired.com/2014/08/operation_torpedo/
http://www.forbes.com/sites/kashmirhill/2014/11/07/how-did-law-enforcement-break-tor/
2 links from last year, but was originally done in a closed system years ago, then was tried in real, and was a little successful. Dread from Silk Road got lazy a second time and got caught, not much more than that. It can take up to 6 months to set up a TOR hidden service that will stay hidden. Most give up on the third step and release a partially hidden service.

I use TOR daily and it auto-updates since that is how to foil the feds at this point. Maybe you should read about correct downloading and usage of TOR. If used correctly, even your ISP will not know what browser you are using to connect to their network.

Pete Svarrior
Re: Is TOR no longer anonymous?
« Reply #8 on: December 11, 2015, 09:01:27 AM »
Quote
http://www.wired.com/2014/08/operation_torpedo/

This article describes the use of malware to circumvent any potential effects of Tor. It even goes as far as to explain that the operation was successful due to a misconfigured Web service. It does not, as you originally claimed, talk about "the FBI [being] able to theoretically trace a connection if they could get a tracker installed before the jump to nodes". It also does not talk about exploiting any vulnerabilities in Tor itself - rather, it reaffirms the point that Tor does not guarantee anonymity or security.

Quote
http://www.forbes.com/sites/kashmirhill/2014/11/07/how-did-law-enforcement-break-tor/

And this article explains that it would be possible to trace connections if you happened to control a significant portion of the Tor network. Exactly as I claimed:

Quote
To the best understanding of experts in the field (NSA included, at least at the time of Snowden's leaks), your best shot at correlating Tor users to exit node activity is a timing attack or achieving control of an entire circuit.

Quote
I use TOR daily and it auto-updates since that is how to foil the feds at this point.

There is nothing in Tor's code that would in any way facilitate an automatic update. In fact, one of your links explicitly states that Tor developers asked users to update their software - something that would be completely unnecessary if Tor did auto-update.

Also, it's Tor, not TOR.

Quote
Maybe you should read about correct downloading and usage of TOR.

Perhaps - if there's anything in particular that you think I should read, please post it here so I can access it.

That said, I probably have a better understanding of how Tor works than the average user. My involvement in the project might not be significant, but at least I can say with confidence that I've worked with Tor's codebase before. There is a lot I still don't understand, but deploying and using (parts of) a Tor network is not exactly arcane knowledge.

Quote
If used correctly, even your ISP will not know what browser you are using to connect to their network.

This claim doesn't even make sense. Using Tor will do nothing to conceal your Web browser, and concealing your Web browser is hardly difficult in the first place. That said, doing so would be a very bad idea. If anonymity is what you're after, you want for your browser to blend in the crowd, not stand out from all others by concealing its identity.
« Last Edit: December 11, 2015, 09:19:38 AM by SexWarrior »
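
The point made in the replies above, that tracing depends on controlling both ends of a circuit and becomes possible for whoever runs a significant portion of the network, can be put into numbers with a toy risk model. This is an added example, not part of the thread and not Tor's code: the relay count, bandwidths and 20% hostile share are constructed, and path selection is reduced to bandwidth-weighted entry and exit picks. It goes one step beyond the thread by comparing a fresh entry relay per circuit with a pinned one (a stand-in for entry guards).

```python
import random
from itertools import accumulate

def build_network(n_relays, adversary_share, rng):
    """Constructed network: random relay bandwidths; the first relays are
    marked hostile until they hold `adversary_share` of total bandwidth."""
    bandwidth = [rng.uniform(1, 100) for _ in range(n_relays)]
    total, owned, hostile = sum(bandwidth), 0.0, set()
    for i, bw in enumerate(bandwidth):
        if owned / total >= adversary_share:
            break
        hostile.add(i)
        owned += bw
    return list(accumulate(bandwidth)), hostile, owned / total

def pick(cum_weights, rng, exclude=None):
    """Bandwidth-weighted relay choice; never returns `exclude`."""
    while True:
        i = rng.choices(range(len(cum_weights)), cum_weights=cum_weights)[0]
        if i != exclude:
            return i

def simulate(cum_weights, hostile, clients, circuits, pin_guard, rng):
    """Return (share of circuits with hostile entry AND exit,
    share of clients that built at least one such circuit)."""
    bad_circuits = exposed_clients = 0
    for _ in range(clients):
        guard, exposed = pick(cum_weights, rng), False
        for _ in range(circuits):
            if not pin_guard:          # fresh entry relay for every circuit
                guard = pick(cum_weights, rng)
            exit_relay = pick(cum_weights, rng, exclude=guard)
            if guard in hostile and exit_relay in hostile:
                bad_circuits += 1
                exposed = True
        exposed_clients += exposed
    return bad_circuits / (clients * circuits), exposed_clients / clients

def run_demo(share=0.2, seed=2015):
    """Assumed scenario: 100 relays, 400 clients, 30 circuits per client."""
    rng = random.Random(seed)
    cum, hostile, actual = build_network(100, share, rng)
    rotating = simulate(cum, hostile, 400, 30, False, rng)
    pinned = simulate(cum, hostile, 400, 30, True, rng)
    return actual, rotating, pinned

if __name__ == "__main__":
    print(run_demo())
```

In this model the per-circuit exposure is roughly the square of the hostile bandwidth share in both cases, but with a rotating entry relay most clients eventually build at least one fully observed circuit, while pinning the entry keeps the exposed clients close to the hostile share itself.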