4 December 2015


December 2, 2015 

Kashmir Hill has a November 30, 2015 article on the website Fusion discussing the recent reporting that researchers from Carnegie Mellon’s Computer Emergency Response Team (CERT) worked in concert with the FBI last year to unmask the servers and IP addresses of individuals who had migrated to the Tor network in an attempt to keep their identities hidden. She begins by noting that “massive FBI operations over the past year have busted ‘hidden sites’ for the sale of drugs, hacking tools, and child pornography — suggesting the digital criminal world” has become more vulnerable, “with law enforcement officials bragging that criminals ‘can’t hide in the shadows of the Dark Web anymore.’ While mysterious [coy] about its tactics, law enforcement [officials] have hinted that it had found a way to circumvent the tool on which these sites [the Dark Web] relied, a software called Tor. But, criminals aren’t the only ones to rely on it” [the Dark Web] for anonymity.

Tor, or the Onion Router, as it is known, “is a browser that lets people use the Internet without being tracked; and, [to] access hidden sites, as well as a software project that supports the ‘Dark Web,’ allowing websites (or ‘hidden services’) to be hosted in such a way that their location is impossible to determine,” Ms. Hill wrote. “Last year,” however, she adds, “Tor suffered a large-scale attack that compromised the anonymity of its users over a period of at least six months. The attack was launched by academic researchers affiliated with Carnegie Mellon University, whose motives remain murky — because they now refuse to talk about it. In subsequent prosecutions of people who used Tor hidden services for criminal purposes, government lawyers have said evidence came from a ‘university-based research institute,’ meaning that the academic exploration [compromise] of the anonymity tool’s vulnerabilities may send some Tor users to prison.”

Ms. Hill contends that “a review of emails sent on Tor’s public listserv reveals that Tor saw the attack coming; but, failed to stop it. It raises questions about Tor’s ability to maintain the privacy of 2M people, who use it every day — most of them activists, human rights workers, journalists, and security-minded computer users, not criminals — as well as how far academic researchers and law enforcement should go to undermine the privacy protections people seek online.”

Ms. Hill recently conducted a phone interview with Tor Chief Architect Nick Mathewson whereby “he explained for the first time, exactly what happened; and, what Tor is doing to try and ensure it never happens again.”

“In February 2014, Sebastian ‘bastik’ G. — a Tor supporter who contributes to the maintenance of the anonymity network Tor in his free time — noticed something amiss with the backbone of the Dark Web,” Mr. Mathewson explained. “Tor depends on a world-wide network of computers to mask users’ identities by encrypting their activity, and bouncing it through a bunch of different stops on the way to its final destination; it’s like 100 people whispering secrets in gibberish to each other during a huge game of Telephone, so that it’s hard for an outsider to tell where a message started, or where it ends,” Ms. Hill wrote. “Tor relies on thousands of volunteers to run the servers that power the network — sometimes at great risk. Bastik saw that an internal monitoring tool called ‘DocTor,’ which scans the network for ‘hiccups,’ was reporting that a ton of new computers from the same IP address were rapidly joining the network as new relay points.”

“Bastik sent an alarmed email to the Tor mailing list saying it looked like someone was launching an attack: if a single party controls enough relay points, it could undo the anonymity of the network. It’s a phenomenon called a Sybil attack, named after a woman with multiple personalities. It’s as if in that giant game of Telephone [referenced earlier] above, 40 of the 100 people were actually one person, making it more likely they’d figure you were the one who told a terrible secret,” Ms. Hill wrote.

“A Tor developer responded dismissively, saying he would loop back in a week, and that Tor wasn’t overly concerned, because they weren’t exit relays, which are the last stop in the game of whispers. Tor decided the relays didn’t pose a risk; and, ultimately did nothing to block them, a terrible mistake when it came to protecting the privacy of its users.” Overconfidence and underestimating one’s own weaknesses and vulnerabilities often rear their ugly heads, as they did in this case. “I don’t think this is the best response we’ve ever done to an attack situation,” said Mr. Mathewson in a telephone interview.

“Five months later, Michael McCord and Alexander Volynkin, two researchers at Pittsburgh-based Carnegie Mellon, announced they had ‘broken’ Tor, and discovered a way to identify hundreds of thousands of users and find the true locations of thousands of ‘hidden’ websites,” Ms. Hill noted. “We know, because we tested it, in the wild,” they bragged in an abstract for a security conference talk that was canceled shortly [abruptly] after it was announced. “A Carnegie Mellon attorney told the Black Hat conference organizers that the [scheduled] talk relied on materials the university hadn’t approved for public release. The researchers refused to comment, saying questions should be directed to Carnegie Mellon’s Software Engineering Institute (SEI), the Department of Defense (DoD)-funded center at which they were employed. The university refused to answer further questions about the project, or say whether the information gathered was shared with law enforcement.” “We are not able to comment on Tor,” said SEI spokesperson Richard Lynch in an email this week.

“But, the answer seemed clear,” Ms. Hill writes, “when, four months later, in November 2014, the FBI announced Operation Onymous (as in no longer anonymous) — a global crackdown on the Dark Web, that included the seizure of hidden websites; and, the arrests of dozens of Tor users involved in online drug markets. (Recent court documents, citing a ‘university-based research institute,’ support the link). And this year, in July, the crackdown continued with Operation Shrouded Horizon, in which a site for cyber criminals called Darkode, hosted on Tor hidden services, was dismantled and hundreds around the world were arrested. The FBI said in a press release that the global case was led by its field office in Pittsburgh, where Carnegie Mellon is based. The FBI would not comment this week on whether Carnegie Mellon’s research had been used in its operations.”

For As Much As The Dark Web Relies On Tor, It’s A Rinky Dink Operation

“Mathewson and Tor founder Roger Dingledine, who met at MIT, have spent the last decade building up, and maintaining Tor, which was originally a Naval Research Lab project to protect government communications. Eighty percent of its $2.5M budget still comes from governments, including from the U.S. Defense and State Departments. For as much as the Dark Web relies on Tor, it’s a rinky dink operation,” Ms. Hill asserts. There are 22 full- and part-time employees dispersed around the world; and, about 50 volunteers and academics who contribute time, and code (just 10 of them solidly dedicated to it currently, Mathewson said). Tor depends on academic researchers to identify ways to improve the technology and shore up vulnerabilities, so it regularly sees people running experiments on the network, most of which become papers like the one out now on Tor.

“It’s fairly normal for researchers to do benign but shifty looking activities,” said Mathewson. “Activity in the past has looked suspicious at the time; but, ultimately did stuff that helped advance our art.”

“The publication of the Black Hat schedule online in May 2014, was the first notice [major clue] Tor got about what Carnegie Mellon had been up to,” Ms. Hill wrote. “Tor reached out to the CMU researchers Volynkin and McCord but were told they couldn’t say more because of ‘institutional confidentiality issues.’”
“As the summer progressed, Tor slowly began realizing just how devastating the CMU project was,” Ms. Hill notes. “On June 12, 2014, someone from the Black Hat program committee sent Mathewson a copy of the researchers’ paper, alarmed that the attack, which involved injecting signals into Tor protocol headers, might be affecting Tor. After reading the paper, Mathewson began working on a countermeasure.”

“It didn’t occur to me that they would run the attack in the wild, on random users,” Mathewson said. “The way the attack was structured, it was a bad attack for anyone to get away with it. Once detected, it was easy to block. It didn’t seem to me like a deep threat.”

“On June 23, 2014, Mathewson said the researchers sent Tor an email that described their attack; but, with fewer details than were in the paper, omissions that would have made the attack harder to block.”

“Two weeks later, on July 4, 2014, Mathewson was in Paris for a Tor developers’ meeting, an event that happens twice a year — so that Tor’s far-flung network of contributors and volunteers can meet each other and discuss pressing issues. More than 50 people gathered at Mozilla’s offices in the center of Paris,” Ms. Hill wrote. “It was a productive, but exhausting, week of intense conversation, coding, and late nights with Internet friends rarely seen in person. On the last night of the week, Mathewson got back to his hotel room late; and, began running a test of his defense code to see if his countermeasure would work.”

“Around 1 or 2 a.m., I discovered I was under attack,” Mathewson said. “The hidden services I was visiting, were sending a signal saying what I was connecting to.” “He was shocked,” Ms. Hill says, “and immediately concerned about the danger for users.” “Everyone who worked on this, including me, were about to get on airplanes,” Mathewson said. “I contacted Roger [Dingledine], and as many core developers as I could find who were awake at that hour. Not many were. I reached out to everyone at different hotels and figured out the best, immediate defense.”

“There were only a few developers Mathewson trusted enough to work on it. They were spread thin, but got enough Tor directory authorities online — to block-list the relays and servers involved in the attack,” Ms. Hill wrote. “Dingledine emailed the CMU researchers asking, ‘Is that you?’ From that point on, the researchers stopped responding to emails from Tor. Their work, as it’s understood, has been decried as a huge breach of research ethics.”

“By the end of July 2014, Tor had issued a new version of its software, with fixes for the attack, and published a blog post about what had happened,” Ms. Hill noted. “Tor’s staff still believed at that point that the researchers had simply designed a reckless experiment with no intent to out users. But, as the months went by, and law enforcement announced more and more operations that involved ‘breaking’ the Dark Web, Tor’s anger at Carnegie Mellon grew. This month, Tor claimed, based on conversations with people it believes to be credible, that the FBI paid Carnegie Mellon $1M to hack its network — a claim the FBI and the university deny.”
“The allegation that we paid CMU $1M is inaccurate,” said an FBI spokesperson. Not exactly what one would consider to be an emphatic denial.

“In the abstract for their Black Hat talk, the researchers said the attack only cost $3,000 — presumably the hosting costs for its relay nodes. Putting aside Tor’s claim that the government ordered the attack, once it was known that the researchers were sitting on top of a bunch of IP addresses associated with the Dark Web activity, the government would certainly approach them for the evidence, which CMU could have handed over willingly, or under legal pressure,” Ms. Hill observes.

“Whether, and what they handed over exactly, we still don’t know. But, what the researchers gathered wouldn’t just be the IP addresses of child pornographers and drug dealers, but presumably anyone who used Tor between January and July 2014, which would include activists and human rights workers communicating in repressive countries, whistle-blowers trying to stay anonymous — while providing revealing documents to journalists and other noncriminals simply trying to navigate the Web privately. Journalist and documentary director said she could not have made contact with [leaker and fugitive] Edward Snowden, or made CitizenFour, without Tor,” Ms. Hill wrote.
“There’s an argument that this attack hurts all of the bad users of Tor, so it’s a good thing,” Mathewson said. “But, this was not a targeted attack going after criminals. This was broad. They were injecting their signals into as much hidden services traffic as they could, without determining whether it was legal, or illegal.”

“Civil liberties are under attack, if law enforcement believes it can circumvent rules of evidence, by outsourcing police work to universities,” wrote Dingledine in a Tor blog post, which also questioned whether Carnegie Mellon had gotten approval from an institutional review board, a process that exists to ensure that academics don’t harm human research subjects.

“Theoretically, Tor could sue the university and researchers for, essentially, hacking its network. Tor spokesperson Kate Krauss said Tor is in the early stages of what it’s going to do legally.” “We’re evaluating our positions in this area,” she said.

“The attack was done without any regard for user privacy,” said Mathewson. “It’s the difference between studying epidemiology, by looking at a virus in skin grafts, and releasing the virus in the wild. The responsible thing to do when you come up with an attack, is to get it fixed, not carry it out on random strangers. That crosses the line from security researcher — into malicious behavior,” Ms. Krauss asserted.

“So,” Ms. Hill wonders, “the big question many security-minded people have been asking since the attack was revealed is, ‘Can you still trust Tor?’”

“Mathewson says Tor has made major changes to its operation to prevent this kind of attack from working again, starting with ‘not extending security researchers the benefit of the doubt on anything.’ It now has a set, strict procedure for how to respond when it sees a bunch of servers join its network. It will remove them by default, rather than taking a ‘wait and see if they do something weird’ approach,” Ms. Hill notes.

We Now Have A ‘Block First, Ask Questions Later’ Policy

“We seriously revamped our code that scans the network for suspicious behavior,” Mathewson said. “We now have a block first, ask questions later policy.”
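The pattern bastik spotted in February 2014 (many relays appearing from one address block in a short time) and the “block first, ask questions later” policy described above both come down to a simple scan over relay descriptors. The following is an added example written for this post, not DocTor and not any code from the Tor Project: it groups relays by /24 netblock, flags any block where five or more relays first appeared within a 24-hour window, and rejects every relay in a flagged group without looking at whether they carry the Exit flag (the judgement that led to the 2014 relays being waved through). The relay records, thresholds and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Relay-flood (Sybil) detector with a block-first policy.

Added example for this post. Not DocTor, not Tor Project code; the relay
records, thresholds and addresses below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class Relay:
    """Minimal view of a relay descriptor: only what a consensus scanner needs."""
    fingerprint: str
    address: str
    first_seen: datetime
    flags: frozenset = frozenset()


def netblock(address: str, prefix: int = 24) -> str:
    """Collapse an address to its /prefix block, e.g. 192.0.2.17 -> 192.0.2.0/24."""
    return str(ip_network(f"{address}/{prefix}", strict=False))


def find_relay_floods(relays, min_size=5, window=timedelta(hours=24), prefix=24):
    """Return {netblock: [relays]} for every block in which at least `min_size`
    relays first appeared within `window` of each other.

    The Exit flag is deliberately ignored: in 2014 the relays were dismissed
    partly because they were not exits, and that is the judgement this policy drops.
    """
    by_block = defaultdict(list)
    for relay in relays:
        by_block[netblock(relay.address, prefix)].append(relay)

    floods = {}
    for block, members in by_block.items():
        members.sort(key=lambda r: r.first_seen)
        best, start = [], 0
        for end, relay in enumerate(members):
            # shrink the window from the left until it spans at most `window`
            while relay.first_seen - members[start].first_seen > window:
                start += 1
            if end - start + 1 > len(best):
                best = members[start:end + 1]
        if len(best) >= min_size:
            floods[block] = best
    return floods


def block_first(floods):
    """'Block first, ask questions later': every relay in a flagged flood is
    rejected immediately. Returns the set of fingerprints to reject."""
    return {relay.fingerprint for members in floods.values() for relay in members}


# Constructed sample data (RFC 5737 documentation addresses, not real relays).
T0 = datetime(2014, 2, 1, 0, 0)
SAMPLE = [
    # six relays joining from one /24 within about 75 minutes: the suspicious pattern
    *[Relay(f"F{i:02d}", f"192.0.2.{10 + i}", T0 + timedelta(minutes=15 * i))
      for i in range(6)],
    # a long-standing relay in the same block that joined months earlier
    Relay("OLD1", "192.0.2.200", T0 - timedelta(days=120), frozenset({"Guard"})),
    # unrelated relays elsewhere, one of them an exit
    Relay("X01", "198.51.100.5", T0 - timedelta(days=30), frozenset({"Exit"})),
    Relay("X02", "203.0.113.9", T0 + timedelta(hours=3)),
]


def scan(relays=SAMPLE):
    """Run the detector and the policy over a relay list; returns (floods, rejected)."""
    floods = find_relay_floods(relays)
    return floods, block_first(floods)


if __name__ == "__main__":
    floods, rejected = scan()
    for block, members in floods.items():
        span = members[-1].first_seen - members[0].first_seen
        print(f"{block}: {len(members)} relays first seen within {span}")
    print("reject:", sorted(rejected))
```

Running the script flags only 192.0.2.0/24 and rejects the six fast-joining relays while leaving the long-standing relay in the same block alone, because it falls outside the join window. Raising `min_size` or tightening `window` trades false positives against the wait-and-see delay the post describes; the point of the policy is that the default on a hit is rejection, and the review happens afterwards.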

“A Tor server now needs to do more to control a bunch of relay nodes, to be considered a reliable, hidden services directory,” Mathewson added. “Those are places in the Tor network that point people to otherwise ‘dark’ sites not exposed to the open web. Tor is also working on what Mathewson calls a ‘new cryptographic trick’ that will allow a hidden services directory to send someone to a hidden site (which they identify with an Onion web address), without the directory knowing where it’s sending them.”

“We’ve been working on a revamp of the hidden services design over the last year,” said Mathewson. “The implementation is in progress, but it’s not done.”

“A larger problem is a lack of manpower at Tor; this attack was successful because a concerning development didn’t get the attention it deserved,” Ms. Hill notes. “This is indicative of a larger problem,” she says, “in the security ecosystem: many of the critical tools we rely on for the privacy and security of our online activity are understaffed, and underfunded. At the same time that Tor was under attack in 2014, a researcher discovered the Heartbleed bug, a software flaw that affected a large chunk of the Internet, which stemmed from a mistake made in an OpenSSL codebase relied on by scores of Internet companies; but, supported by just one full-time, non-profit employee. Tor’s decentralized, crowd-sourced model has strengths; but, its tiny operation, with few full-time employees, has weaknesses as well — one of which was exploited here,” Ms. Hill noted.

“Tor recently launched a crowd-funding campaign to try to increase its number of individual funders — so that it has more freedom in how it spends.” “We are internally obsessed with getting more diverse with our funding; and, having unrestricted funding,” Ms. Krauss said. “We want to solve problems as we see them — as opposed to what an institutional funder is focused on.”
“As for the question of ‘Can people trust Tor?’” Ms. Hill asked, “Mathewson had a pragmatic response.”

“There is no computer security program out there with 100 percent confidence that everything you do is going to be safe,” Mr. Mathewson warned. “We can provide a high probability of safety; and, get better all the time. But no computer software ever written — is able to provide absolute certainty. Have a back-up plan.”

This Article Raises A Lot Of Difficult Issues — With No Easy Answers

This article raises a lot of difficult issues — with no easy answers. Privacy vs. security and where to draw the line. Were there other options that the FBI could have pursued to ‘unmask’ the individuals that were ultimately arrested? Who is watching the watchers? Is a lessons-learned review being done on this operation that will examine whether the FBI went too far; or, should have handled it differently? How much freedom and privacy is too much? The Dark Web cannot be declared a sanctuary where anything goes — not in the present world we live in, with the Islamic State and al Qaeda trying to kill us. What is the proper relationship between an academic institution and federal law enforcement authorities? Can a successful relationship between the two entities be sustained; or, will CERT ultimately have to officially sever its academic ties? And, can Tor ever restore trust with its user base?

Was the take-down of Silk Road the beginning of the end of the Dark Web, or the true beginning of a balkanized, encrypted Dark Web, with compartments, sub-compartments, dead-ends, false ‘rooms,’ fake communities, and digital mazes with digital booby traps?

One thing I think we can say with certainty: this event, a joint operation between CERT and the FBI against the Dark Web, is very likely a significant, and ‘life-changing’ event for the Dark Web, as well as for how the relationship between law enforcement and academic institutions/researchers will be viewed going forward. I do not know the answer; and, don’t know what the best course of action is going forward. These are hard, gnarly issues, and I suspect we’ll have to go through more trial and error on these kinds of ‘things,’ before we know at least some of the answers.
