Zoz has got some great points on the ways of using Tor securely, providing real-world fail examples and underscoring that Tor is not really for encryption.

Let’s go multi-hop. Don’t fuck it up when you use Tor. Hopefully everyone here knows what Tor is and the main way you fuck it up when you use Tor, which is thinking that Tor encrypts your traffic by default. It doesn’t. Tor is for anonymization, not for encryption. The layers of encryption are just to protect the routing within the Onion, not to protect your base traffic, which you need to encrypt as well. Tor is very, very important, I think. There’s been a lot of talk recently about “Oh my God, is Tor broken?”, or “Is Tor a honeypot developed by spooks because they have federal funding?” I don’t think either of those things is true, but we are going to talk about some of that now because I think it’s really important that we do, because Tor is the main way, for example, dissidents get out and communicate out of oppressive regimes. It’s how researchers can look up suspicious information without themselves being targeted. It’s how ordinary people can search and communicate without being tracked and monitored. And it’s how all of you can do a search after DEF CON for catastrophic liver damage without raising your insurance premiums.
It pisses me off when people say that Tor is only for illegal acts. Don’t fuck up Tor by only using it when you’re doing sketchy shit. Pump a whole bunch of your normal traffic through it. Even if you are completely squeaky-clean and you are not doing anything wrong, still use Tor because that helps out everyone else. Also, the nature of Tor is for anonymity. It’s really tough to tell people that you’re using Tor for good. But if you can, if you’ve got the use that you can talk about – get it out there, tweet, hashtag something like “Tor for good”. The Tor devs will appreciate it.

But let’s talk a little bit about people who should know better, who fucked it up using Tor. We all remember this: Sabu, LulzSec and AntiSec (see right-hand image), 4chan anons trolling the web for SQL injection vulnerabilities, DDoS’ing websites, dumping user account databases, and taking down high-profile things that were going to really get them in trouble, like the CIA’s website. They were coordinating in IRC channels accessed by Tor. The feds discovered that, monitored the channels, and waited for someone to fuck it up. Sabu committed the sin of packet origin: logs in just once without using Tor, gets owned immediately (see left-hand image). Immediately, a few seconds later, he gets turned into a snitch because what’s he going to do, right? He’s facing decades of federal imprisonment. So, even though he’d been doxed for months prior, at that point it’s confirmed – he goes snitch.
That’s not the interesting part. The interesting part is what happened to Jeremy Hammond. He gets identified from information in recorded chat logs with Sabu. The feds logged that packet metadata from his WiFi access point. They get a regular pen register, trap and trace order, standard wiretapping. They match the MAC address of his computer to packets going through a Tor entry node; correlate the times of Tor access, his Tor access on his WiFi access point, to his presence, his ID in the IRC channel. So a traffic correlation attack, but not of the normal kind that we think of when we think about Tor. So there’s no compromise of Tor necessary to acquire the circumstantial evidence that eventually put Jeremy Hammond away.

So, the moral of that story is: don’t fail unsafe with Tor – that’s the Sabu moral (see right-hand image). If it’s going to matter that you’re doing this, then don’t even have two browsers open, in case you accidentally typed something into something that’s not the Tor Browser. Make sure everything, even your DNS, goes through Tor. Use a separate machine that’s proven to only connect through Tor – it’s a very good idea. Or, if you want to firewall it, use a firewall like pfSense to make sure that all the traffic from your network goes through Tor. And then check what you’re exposing. Go to something like ip-check.info and make sure that things are not being exposed. And of course, don’t only use Tor for operations; don’t provide the correlation of Tor usage with doing bad things. And of course, OPSEC is 24/7. This is a chat or reddit with Sabu after he was a snitch, saying: “… keep your OPSEC up 24/7. Friends will try to take you down if they have to.” Yes, never a truer word spoken by a fed snitch at that time.

Another one we’ve all heard about – the Harvard student (see left-hand image). A bomb threat gets called in to Harvard during exams. It takes a matter of hours before the perpetrator is uncovered as a student freaking out about exams.
He used Tor to connect to Guerilla Mail which adds an originating IP header. So a lot of OPSEC fails in this case, but mainly the folly of only using privacy tools when you’re up to no good. Privacy should be had for breakfast, for lunch and for dinner. Privacy is like bacon: it makes everything better. Here’s how he fucked it up (see left-hand image). Harvard’s network requires you to register your MAC address, and that’s one of the reasons why MIT is better than Harvard, because we don’t do that. But Harvard requires registration tied to MAC address, and they log the outgoing traffic. These things provided multiple potential vectors for this guy to fuck it up. Again, no compromise of Tor necessary. This is kind of a microcosm at one university of pervasive surveillance and pervasive correlation, because there’s lots of ways that those two things put together could have fucked it up for him. For example, investigators could look at who went and downloaded the Tor Browser Bundle right before the bomb threat got called in; or look at everyone who connected to a known Tor entry node at that time, or who accessed the Tor directory servers.
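Two of the “check what you’re exposing” points above (is my traffic really leaving through Tor, DNS included, and does my outgoing mail carry my connecting IP, as the Harvard student’s webmail provider did) can be turned into self-checks. The script below is an added example, not code from Zoz’s talk. It assumes a local tor daemon configured with `HTTPTunnelPort 9080` (so the standard library’s `urllib` can tunnel HTTPS through Tor via HTTP CONNECT, with no SOCKS library), and the `{"IsTor": true, "IP": "..."}` response shape of `https://check.torproject.org/api/ip`. The header list and the sample message are constructed for illustration.

```python
"""Added example (not from Zoz's talk): two "what am I exposing?" self-checks.

1. Confirm the client's traffic actually exits via Tor, with the hostname
   resolved inside Tor (assumes torrc has `HTTPTunnelPort 9080`, and the
   JSON shape returned by https://check.torproject.org/api/ip).
2. Scan an outgoing mail for headers that record the submitting client's IP,
   the kind of header the Harvard case's webmail provider added.
"""
import ipaddress
import json
import re
import urllib.request
from email import message_from_string

TOR_HTTP_TUNNEL = "http://127.0.0.1:9080"   # assumed HTTPTunnelPort
CHECK_URL = "https://check.torproject.org/api/ip"


# --- 1. Is my traffic really leaving through Tor? --------------------------

def parse_tor_check(payload: str) -> dict:
    """Normalise check.torproject.org JSON into {"is_tor": bool, "ip": str}.

    Malformed input raises ValueError so a broken check never reads as safe.
    """
    data = json.loads(payload)
    if not isinstance(data, dict) or "IsTor" not in data or "IP" not in data:
        raise ValueError("unexpected response shape: %r" % (payload,))
    return {"is_tor": bool(data["IsTor"]), "ip": str(data["IP"])}


def fetch_via_tor(url: str = CHECK_URL, tunnel: str = TOR_HTTP_TUNNEL,
                  timeout: float = 30.0) -> str:
    """Fetch url through Tor's HTTP CONNECT tunnel.

    The proxy receives the hostname (CONNECT check.torproject.org:443), so
    name resolution happens inside Tor, not on the local resolver.
    """
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"https": tunnel}))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def tor_exposure_status(payload: str) -> str:
    """Turn a check response into a one-line verdict."""
    result = parse_tor_check(payload)
    if result["is_tor"]:
        return "ok: exiting via Tor (%s)" % result["ip"]
    return "LEAK: traffic is NOT going through Tor (source %s)" % result["ip"]


# --- 2. Does my outgoing mail carry my connecting IP? ----------------------

# Headers that commonly record the submitting client's address (constructed).
IP_BEARING_HEADERS = ("X-Originating-IP", "X-Sender-IP", "X-Client-IP", "Received")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def find_ip_leaks(raw_message: str) -> list:
    """Return [(header_name, ip), ...] for every non-loopback IPv4 address in
    origin-revealing headers, in IP_BEARING_HEADERS order."""
    msg = message_from_string(raw_message)
    leaks = []
    for name in IP_BEARING_HEADERS:
        for value in msg.get_all(name, []):
            for cand in IPV4_RE.findall(value):
                try:
                    ip = ipaddress.ip_address(cand)
                except ValueError:
                    continue  # e.g. 999.1.1.1 matched the loose regex
                if not ip.is_loopback:
                    leaks.append((name, str(ip)))
    return leaks


def exposed_addresses(raw_message: str) -> set:
    """Distinct addresses a recipient (or investigator) can read off the mail."""
    return {ip for _, ip in find_ip_leaks(raw_message)}


# Constructed sample: a webmail provider that stamps the client's address.
SAMPLE_MESSAGE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    "\tby mx.example.org with ESMTP; Mon, 01 Jan 2001 09:00:00 +0000\r\n"
    "Received: from webmail.example.net (localhost [127.0.0.1])\r\n"
    "\tby mail.example.net; Mon, 01 Jan 2001 08:59:58 +0000\r\n"
    "X-Originating-IP: [203.0.113.5]\r\n"
    "From: anon@example.net\r\n"
    "To: someone@example.org\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    try:
        print(tor_exposure_status(fetch_via_tor()))
    except Exception as exc:  # proxy or network failure counts as unsafe
        print("unsafe: could not confirm Tor path (%s)" % exc)
    for header, ip in find_ip_leaks(SAMPLE_MESSAGE):
        print("leak: %s -> %s" % (header, ip))
```

The first check deliberately treats any failure (no proxy, timeout, unexpected JSON) as “unsafe” rather than “unknown”, which is the fail-safe behaviour the talk asks for. The second check is meant to be run on a test message you send yourself through a provider before you rely on it: the loopback address from the provider’s own relay is dropped, but everything else, including the `X-Originating-IP` stamp, is reported.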
So, when I think about this I think about what we’ve already got in this country, a model for pervasive surveillance that everyone is familiar with. And that’s the credit agencies. And we do a kind of OPSEC with the credit agencies. We get credit before we expect to need it to build up a rep. Use privacy tools before you need them. We don’t cancel credit cards even when we don’t need them anymore, because they just sit there, keeping on building up our reputation. So don’t stop using the privacy tools when you finish doing something bad.
Just like with a credit agency, Tor usage can get you on a list. But you’ve got a good reason for being on that list. So there’s a lot of ways that this guy could have not fucked it up. For a start, he should have done, as we said in our tradecraft, a key assumptions check and high impact / low probability analysis, being prepared for that inevitable interview with the cops as a Tor user. Or he could have used a bridge relay to connect to Tor, but more on this later. We know that the NSA has been tracking bridge relays, too. He could have been prepared for traffic analysis on his entry point, so if he’d gone off campus and used the Starbucks or used a burner cell phone with a data plan, then he probably wouldn’t have got busted. People do swattings and bomb threats all the time and there aren’t the resources to really track it down. You just have to make it hot. And of course he could have used a mail service that didn’t IP-identify, exposing his Tor exit node.

So, what do we know about how vulnerable ordinary Tor users are to state surveillance? What we do know is that Tor was troublesome enough for NSA and GCHQ that they had at least two anti-Tor symposia, Reanimation 1 and Reanimation 2, most recently Reanimation 2 in 2012 (see left-hand image). So probably that’s not a straightforward backdoor. That’s good news that they had to have a conference on it. We do know that using Tor is obvious. Tor is designed to make Tor users look alike, not to make Tor users look like non-Tor users. So fingerprinting is already done for you. We know that attacking Tor seems to be challenging enough in 2012 that they went for the browser instead, delivering a native exploit to the version of Firefox used in the Tor Browser Bundle. I think that’s a good sign too. This is from the famous “Tor Stinks…” presentation (see right-hand image), which I’m sure you’ve also seen, so this is going to be quick.
But we have an admission that de-anonymizing all Tor users all the time is not able to be done. De-anonymizing is possible but not trivial. So you’ve got to practice your COMSEC inside of your Tor sessions. Of course they’re doing traffic correlation attacks – this doesn’t seem to be on a big scale though – and staining of Tor users, either by storing cookies or by using Quantum man-on-the-side attacks to force the browser to give up identifying cookies, like Yahoo cookies, Google cookies. This is one reason why, even if you are putting everything through Tor, using the Tor Browser is good, because it doesn’t store those cookies. And also there are Quantum methods for delivering exploits to the computer, like the FoxAcid program. Some of that certainly should give you an idea of how safe Tor is as a single solution. Don’t ever use single solutions. But the good news for regular Tor usage is that it makes things harder, and this is the third document released at the same time (see left-hand image), saying: the system, as far as low latency anonymity goes, is still the king. Similarly, a lot of counter-Tor efforts go into client side exploitation. So, Tails (see right-hand image) gets a positive review from the secret police: “Adds severe computer network exploitation misery to the equation.” So, what does all this tell me? Tor does put you on the radar. And Tor entails “Do make these people’s lives harder.” And that’s a risk tradeoff you need to think about. So, how I think about it is that using it puts you on a list, a big list. And if your disobedient acts would put you on a much smaller list, the list of people warranting serious attention, then it’s probably worth being on that big list as well. And the more people who are on that big list, the better it is.
Also, security of your whole system is still more important in the big picture than any one single element. Or, to put it another way, there doesn’t seem to be a critical flaw in Tor that makes all these other attacks unnecessary. But if your life or your freedom depends on it, don’t ever trust one single element. This includes Tor and lots of other tools in your communications chain. Do your tradecraft. I like how it says on Cryptocat’s website: you should never trust your life or your freedom to software. I think that’s slightly overstating the problem, because we trust lives to software pretty much every day: every time we get in a car or in an airplane. But when you get in a car, you also put on your seat belt. It’s like the old Islamic proverb: “Trust in Allah but tie up your camel.”