Is Tor still safe to use? (blog.torproject.org)
Submitted by Sami_Lehtinen 21 hours ago
  • flufluflufluffy an hour ago

    As knowledgeable users of the Internet in 2024, we would do well to assume that nothing is 100% “safe” (i.e. there’s no such thing as perfect security/privacy).

    However, some things, like Tor, can make your use of the Internet safer.

    If all you’re doing is arguing that Tor shouldn’t be used because it isn’t/was never “safe”, then you might as well not use the Internet at all.

    • toby- an hour ago

      Agreed – you can never truly be completely "safe", but Tor remains the most privacy-preserving tool we've got.

      When people say they're distrustful of Tor (for various reasons) to the extent they refuse to use it, they seldom suggest alternative tools/measures that provide anywhere near the level of safety offered by Tor.

      • friendzis an hour ago

        But that's half the point. If someone has an intention to undergo some illegal activities with full intention not to be caught, only a 100% "safe" solution works for them. Normally we talk about risk tolerance, but this particular use case is a bit special.

        • GunlogAlm an hour ago

          There are no "100% safe" solutions. There will always be weaknesses and vulnerabilities in any system. The sort of criminal who requires or expects 100% safety is quickly going to be caught due to being a dullard. Knowing you're never truly "safe" is what good criminals are keenly aware of at all times: you can plan and prepare for certain eventualities. Once you think you're "safe", it's the beginning of the end.

          • ziddoap an hour ago

            The entire conversation has to be about risk tolerance, because that's all there is. There never has been, and never will be, a 100% safe solution.

            • mtlmtlmtlmtl 11 minutes ago

              As someone who's actually used Tor for illegal activities (buying drugs) this is completely missing the point. Criminals generally are not thinking about doing something completely risk free. The dumb ones don't consider risk at all, because they're desperate/addicted, and just hope/assume they won't get caught. More clever ones assume they'll be caught and try to make conviction less likely.

              For instance, for buying drugs, the ordering isn't the risky bit. Receiving it in the mail is. Even if tor was magically "100% safe" the crime overall wouldn't be. The point of using tor is not to eliminate all risk, it's just to decouple payment from reception. I had my drugs intercepted by customs once, but they couldn't prove I ordered them, so they dropped the case. I'm sure it might've been possible for them to prove it if they spent a lot of resources trying to trace crypto transfers and so on, but police only do that if the fish is big enough because they're resource constrained.

              Tor is just another tool criminals can use to reduce risk. It's not perfect, but for most things it's the best thing available.

          • alasdair_ 20 hours ago

            Here is what I don't understand: Let's say I as a private individual fund 1000 tor nodes (guard and exit nodes included) and have them all log everything. This could cost less than $5000 for a month, with some time needed to get guard node status.

            I want to find a certain kind of person so I look for people that access a specific hidden service or clearnet url.

            Surely eventually I'm going to get a hit where all three nodes in the circuit are my nodes that are logging everything? It will take a long time, and I can't target a specific person, but eventually I can find someone who has all three bounces through tor nodes I control, no?

            • bragr 17 hours ago

              >This could cost less than $5000 for a month

              I ran a bunch of nodes for a couple years and that's optimistic by perhaps an order of magnitude. No $5 a month VPS provides enough bandwidth to sustain the monthly traffic of a Tor node, and nodes need to be continuously online and serving traffic for about 2-3 months[1] before they will be promoted to guard relays. Throttling traffic to stay in your bandwidth allocation will just get you marked as a slow node and limit the number of connections you get. Sustaining just 1 Mbps will blow your monthly transfer allocation on the cheap tiers of both Digital Ocean or Linode.

              [1] https://blog.torproject.org/lifecycle-of-a-new-relay/

              • belorn 15 hours ago

                Now to add additional problems. 1000 tor nodes on a single platform would be very noticeable and geographically limited. Platforms also have different weight attached to them in the consensus, which adds further time requirements before a node is promoted. The developers do not want a single platform provider to be able to observe a large portion of all the traffic, so there are countermeasures.

                The attacker could try to create a handful of accounts on hundreds of platforms in as many countries as possible, assuming one verifies that the platforms accept tor and do not share underlying providers and data centers. The cost would then be the average price of said providers, which is going to be a fair bit more than the cheapest providers out there. Managing and spreading them out is also going to cost a lot of man hours. Also the secops need to be fairly on the point and need to be maintained quite strictly across all the providers.

                • qb1 3 hours ago

                  Pagers and the next day handheld radios exploded on their users! This can be done.

                  • hiatus 28 minutes ago

                    > Let's say I as a private individual fund 1000 tor nodes

                    Was the operation against Hezbollah funded by a private individual? Otherwise I'm not sure the relevance of your statement to the comment that started this thread.

                    • aesh2Xa1 3 hours ago

                      I think the news about that particular counter example is too recent to be easily understood.

                      https://www.schneier.com/blog/archives/2024/09/remotely-expl...

                      Still, I think your point is excellent. The sort of group interested in tracking someone(s) over Tor certainly might have the capability to do so despite the difficulty.

                      • maicro 2 hours ago

                        Yeah, too recent to understand (though I've also been out of the loop a bit) - so thank you, that's...a good one.

                    • ranger_danger 2 hours ago

                      Considering multiple world governments have already shown in leaked documents that this is exactly what they do, I personally wouldn't trust my secrets with tor.

                    • voldacar 13 hours ago

                      I started a tor relay on a spare vps about a month ago and it got guard status around 2-3 weeks in, so that info seems to be out of date.

                      • arktos_ 12 hours ago

                        Pardon my ignorance, but I thought it fruitful to ask: Are there any issues that can arise by doing this on a VPS?

                        I ask because I know of stories of law enforcement sending inquiries to owners of, say, exit nodes requiring certain information about given traffic. I don't know if this happens for middle-nodes (or whatever they're called).

                        Moreover, are there any issues with associating a node to, you know, your name and billing information?

                        I don't know much about this, and although I could look it up, I think that my questions - and your respective answers or those of others - might do some public service of information sharing here.

                        • GTP 9 hours ago

                          I never operated a TOR node, but as far as I know and heard from other sources, TOR relays don't get much attention from law enforcement, if any attention at all. Which makes sense: all they're doing is getting encrypted traffic in and giving encrypted traffic out. It would be hard for them to link a relay node to a specific connection, and even if they do, you can't help them in any way: even you as the node operator are only able to see encrypted traffic.

                          Edit: there's a youtuber called "Mental Outlaw" that published a while ago some videos about setting up and operating TOR nodes. He sometimes gives inaccurate information regarding more theoretical topics, so I don't follow him much. But I think he can be trusted for these practical topics.

                          • WHA8m 3 hours ago

                            Just a quick note on the Youtube channel you mention: I follow his videos for a while and it seems to me, that he's half a shill. My impression is, that he re-models popular HN threads into Youtube videos. Just watch the latest video on the MrBeast topic and you'll basically get the same info as all the popular 'root' comments (was on HN front page last week). Not the first time I noticed a suspicious connection.

                            • GTP 3 hours ago

                              It would be funny if he makes a new video about TOR and ends up mentioning your comment :D

                              • maxrecursion 2 hours ago

                                While that is a crappy thing to do, I bet tons of YouTubers are doing just that. Hell, most political YouTubers just read articles and make stupid comments about them.

                                It would be impossible to create daily content if you weren't just rehashing, or taking, information from somewhere. Again, not defending it at all, just saying it's probably a very common thing. Like how some crappy news articles are just a bunch of reddit comments, like that qualifies as news.

                                • WHA8m an hour ago

                                  Agreed. Extra: I'd generally say, that comments on HN are often interesting and insightful (that's why we're here, no?). With the current state of social media, I'd wish for a little more HN flavor. But at least credit your source. The information you provide doesn't get less valuable only because someone else did the work.

                                  • Workaccount2 2 hours ago

                                    If you ever fall into "hustler-get-rich-quick" shorts/reels/tik-toks, it is full of people laying out the same exact scheme:

                                    Make a channel

                                    Find popular reddit/social media post

                                    Use AI tools for text to speech

                                    Use AI tools to generate pictures

                                    Stitch it all together

                                    Post on channel.

                                    • gspencley an hour ago

                                      > While that is a crappy thing to do,

                                      I haven't watched this particular channel so maybe it's obviously shady, but I'm curious: why is this conceptually a crappy thing to do?

                                      I mean, if you take the IP of others and redistribute it verbatim then I definitely see the ethical issue. So if the claim is that he's reading peoples' comments or posts verbatim without credit then yeah that's crappy. Don't get me wrong.

                                      But if all we're talking about is "mining" websites like HN for topics and then creating original content that covers those topics in a different format for a different audience... where's the issue?

                                      A few years ago I was feeling pretty burned out in the tech industry and created a tongue in cheek "luddite" channel called TechPhobe where I took an overly pessimistic view of the industry. At the time Elizabeth Holmes was on trial and a lot of my videos involved me reading ArsTechnica articles on the subject (credited) while offering my personal opinions on the matter. While not successful, those videos got more views than anything else I ever created. Was that a crappy thing to do? I didn't think so at the time and I don't think so now.

                                      I didn't stick with the channel because I realized pretty quickly that if I'm dealing with burnout the last thing I should be doing in my spare time is focusing on tech content lol

                                    • PawgerZ 2 hours ago

                                      Wow, I was about to comment the same thing. Glad to have my assumptions validated by someone else.

                                  • INTPenis 3 hours ago

                                    I ran tor exit nodes on Linode and Digitalocean for years. No real issues, but you will get regular abuse complaints.

                                    The support teams always understood once I explained it was a tor exit node. I co-operated with the Cloud provider and added any IP-address that requested it to my list of exempt addresses.

                                    • ranger_danger 2 hours ago

                                      > The support teams always understood

                                      But they don't have to. It could also be against their ToS, and many other providers would not have been ok with it. Accounts and domains have been taken away for much less.

                                      • jrochkind1 an hour ago

                                        Right, which is why it's informative to hear a report that DO and linode did!

                                        • layer8 an hour ago

                                          So read the ToS and ask support beforehand?

                                      • dunghill 4 hours ago

                                        There was a recent HN topic where a person running exit nodes ran into quite a lot of issues because of it.

                                        • voldacar 12 hours ago

                                          I'm not an exit node.

                                          You can buy a vps with xmr if you're worried about privacy from law enforcement.

                                          • Imustaskforhelp 11 hours ago

                                            most vps don't support xmr though. any suggestions to whom I can trust (I basically only trust hetzner in vps space)

                                            • akimbostrawman 9 hours ago

                                              >I basically only trust hetzner in vps space

                                              https://notes.valdikss.org.ru/jabber.ru-mitm/

                                              • ranger_danger 44 minutes ago

                                                What's more alarming to me is that they (the jabber operators) seemingly stopped caring about it. Whatever this intercepting proxy did (including from the sound of it, spoofing ACME challenges from their domain to get a certificate) could be illegal and they didn't even attempt to do anything about it, AND they are assuming that continuing to use the service after the attack stopped is somehow safe now.

                                                Either they are grossly negligent/incompetent (IMO unlikely given the extent of their research), or they knew it was intercepted on purpose (either by law enforcement, the provider itself or one of their upstreams) and intentionally aren't saying so. They could also be withholding or lying about any number of things, including the exact response from the hosting providers.

                                              • beeflet 11 hours ago

                                                Some do though. I started a minecraft server the other month that I paid for in xmr. You can go to like a VPS aggregator like serverhunter.com and filter those that allow altcoins as payment

                                                https://www.serverhunter.com/#query=stock%3A%28in_stock+OR+u...

                                                • voldacar 11 hours ago

                                                  https://monerica.com/

                                                  ctrl-f for web hosting

                                              • immibis 8 hours ago

                                                Non-exit nodes are generally considered safe to run. It's only exit nodes that system enforcement keeps trying to shut down.

                                            • teaearlgraycold 16 hours ago

                                              Still easily within the budget of the US, Russia, China, Israel, etc. I wouldn't be surprised if a majority of nodes are run by intelligence agencies.

                                              • andai 15 hours ago

                                                They say the internet is just someone else's computer. With Tor it's the computer of a person who wants you to think it's not their computer, and also that they aren't paying attention to (or somehow can't see) what you're doing on it.

                                                • giantg2 13 hours ago

                                                  The interesting thing is, the more agencies that run relays, the more they interfere with each other. So having something like US, Russia, and China each running 25% of the network reduces the chances of any one getting all three relays.

                                                  • droopyEyelids 12 hours ago

                                                    This would help negate that interference. https://en.wikipedia.org/wiki/Five_Eyes

                                                    • giantg2 12 hours ago

                                                      Specifically what I chose US (allies implied), China, and Russia. These should be three competing factions.

                                                      • trompetenaccoun 6 hours ago

                                                        Russia and China are allies. And I'm not sure if Beijing would even be interested in spying on TOR users since it's blocked so thoroughly it's basically unusable for Chinese residents.

                                                        • Workaccount2 an hour ago

                                                          China and Russia are decidedly not allies.

                                                          They are neighbors with some overlapping interests and sort of similar goals if you squint. It wasn't very long ago that they were killing each other over border conflicts and annexed territory.

                                                          China right now is just using Russia for cheap energy, they don't actually care about the health of the state.

                                                          • bluGill 3 hours ago

                                                            China is for sure interested in spying on people in the US. I'm not sure if TOR users are of special interest though.

                                                            • giantg2 5 hours ago

                                                              I don't know they are that aligned to be sharing bulk data like that. I don't think they are considered formal allies.

                                                            • pasabagi 10 hours ago

                                                              I think even Russia and the US still do intelligence sharing on a lot of stuff - and that's before you consider that the US seems to be in everybody's networks anyhow, so non-sharing is probably just sharing with a bit more skullduggery.

                                                              • giantg2 5 hours ago

                                                                I don't think they share on the bulk data. I would highly doubt they routinely cooperate on cyber crimes given Russia's stance on the matter (basically encouraging it).

                                                        • bawolff 16 hours ago

                                                          I think the threat model is that the majority are not run by cooperating malicious parties.

                                                          Russia, China and USA all don't like each other much so are probably not sharing notes (in theory).

                                                          • aftbit 15 hours ago

                                                            Or perhaps they _are_ sharing notes about tor users with each other, as part of a global club of intelligence agencies (a sort of new world order) who would rather not be overthrown. How are we to know?

                                                            • jrochkind1 an hour ago

                                                              Or perhaps someone with secret quantum computing can break all our encryption and has full transparency on all communications on the internet. Perhaps extraterrestrials are eavesdropping on everything I say in my living room, and sharing it with the KGB. How are we to know?

                                                              • anticorporate 14 hours ago

                                                                Because if they each only have incomplete information, they each wouldn't know whether the information they have is relevant to preventing overthrow of their collective order, or intelligence that is only going to help their geopolitical adversary.

                                                                Basically, a variation of the prisoner's dilemma.

                                                                Also, those nukes we have pointed at each other are a pretty healthy hint.

                                                                • Imustaskforhelp 11 hours ago

                                                                  the last sentence really just gave me a chuckle

                                                            • chr_1 13 hours ago

                                                              Before 2020 when /r/privacy stimulated conversation that was worthy of good discussion you learned Tor the software made less available nodes accessible with newer deployments, that’s why it got faster. Regardless of how many nodes existed. The routing shifted. Now it’s way faster and there's specifically designated guard nodes seemingly pinged repeatedly out to the same allied nations.

                                                              • darby_nine 16 hours ago

                                                                In fact, you should assume they are. This doesn't imply the network doesn't have utility for a given actor.

                                                              • chatmasta 15 hours ago

                                                                You don’t technically need separate nodes, just separate IP addresses. Although Tor has some marginal protections against circuits sharing relays with similar IP, so you couldn’t just get a /24 and hope they all get the same circuit.

                                                                • tga_d 14 hours ago

                                                                  Not only would you need the node to expose IPs with a wide enough distribution to allow the right path selection, you'd also need to have enough bandwidth available to look like distinct hosts, and ensure any losses in connectivity aren't correlated enough to draw attention (people monitor metrics.torproject.org pretty diligently, and would notice if there was a chunk of bandwidth coming and going in lockstep). At that point, the difference in cost to just actually running legitimately separate hosts is negligible. All empirical evidence points towards the status quo that has existed for most all of Tor's existence: if you want to identify Tor users, there are cheaper ways to do it than dominating the network (and those ways are expensive enough to be outside most people's threat models).

                                                                  That said, any bandwidth anyone wants to contribute to mitigate such attacks is always appreciated, even if it's more useful for performance reasons in practice. ;)

                                                                  • alfiedotwtf 15 hours ago

                                                                    If it’s that expensive to run Tor nodes, who is actually paying for them? I’ve heard individuals getting doors kicked in for participating in the network, so it’s not individuals. Corporates too wouldn’t want this type of burden… so is it really just spy-vs-spy

                                                                    • p4bl0 9 hours ago

                                                                      Many individuals contribute to running relays. And there are non-profit organizations collecting donations to operate Tor exit nodes:

                                                                      - https://www.torservers.net/

                                                                      - https://nos-oignons.net/

                                                                      • akimbostrawman 9 hours ago

                                                                        only exit nodes get their door kicked in and they are the minority and not needed for the tor network to function

                                                                        • 0points 9 hours ago

                                                                          > I’ve heard individuals getting doors kicked in for participating in the network, so it’s not individuals.

                                                                          It's individuals

                                                                          • immibis 8 hours ago

                                                                            I run a non-exit node any time I have the spare resources. I2P too. This means they're on the same popular providers that have too many other nodes, though.

                                                                            Sometimes I set it up as a bridge (hidden entry node) instead.

                                                                          • ForHackernews 6 hours ago

                                                                            These costs explain why most of the nodes are probably run by the FBI.

                                                                          • sigmoid10 19 hours ago

                                                                            >Surely eventually I'm going to get a hit where all three nodes in the circuit are my nodes that are logging everything?

                                                                            The word "eventually" is doing a lot of heavy lifting here. Let's say you actually manage to add 1000 servers to the tor network somehow without getting detected. The network currently sits at just under 8000 nodes. For simplicity, let's also ignore that there are different types of nodes and geographical considerations and instead just ask what is the probability that someone randomly chooses three nodes that you own. The answer is less than 0.14%. If that someone decided to use 4 nodes to be extra-safe, that number goes down to 0.015%. And it decreases exponentially for every additional relay he adds. Combine this with the fact that tor nodes are actively monitored and regularly vetted for malicious behaviour[1], and these attacks become increasingly difficult. Could someone like the NSA with limitless resources do it? Quite probably, sure. But could you or any other random guy do it? Almost certainly not.

                                                                            [1] https://gitlab.torproject.org/tpo/network-health/team/-/wiki...

                                                                            Edit: For all the cynics and doomsayers here, consider this: Tor has been around for a long time, but there has never been an uptick in arrests that could be correlated to cracking the core anonymity service. If you look closely at the actual high profile cases where people got busted despite using tor, these people always made other mistakes that led authorities to them.
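
The estimate in the comment above, worked through as an added example (not part of the original thread or of any Tor code): it reproduces the 3-hop and 4-hop figures exactly and puts a number on "eventually". The function names, the rounding of "just under 8000" to 8000, uniform relay selection and independent circuits are all assumptions of this sketch.

```python
"""Added example: odds that every hop of a circuit is run by one operator."""
from fractions import Fraction
import math
import random

HONEST_RELAYS = 8000   # "just under 8000 nodes" in the comment, rounded (assumption)
ADDED_RELAYS = 1000    # relays the hypothetical operator adds


def p_all_hops_controlled(controlled, total, hops):
    """Exact probability that `hops` distinct relays, drawn uniformly at
    random without replacement from `total`, all belong to the operator."""
    p = Fraction(1)
    for i in range(hops):
        p *= Fraction(controlled - i, total - i)
    return p


def p_at_least_one_hit(p_single, circuits):
    """Probability of at least one fully controlled circuit among
    `circuits` independent circuits."""
    return 1 - (1 - float(p_single)) ** circuits


def circuits_for_confidence(p_single, confidence):
    """Smallest number of independent circuits for which the chance of
    at least one fully controlled circuit reaches `confidence`."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - float(p_single)))


def simulate(controlled, total, hops, trials, seed=0):
    """Monte Carlo check of the closed form: relays 0..controlled-1 are
    the operator's, the rest are honest."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        path = rng.sample(range(total), hops)
        if all(relay < controlled for relay in path):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    total = HONEST_RELAYS + ADDED_RELAYS
    for hops in (3, 4):
        p = p_all_hops_controlled(ADDED_RELAYS, total, hops)
        print(f"{hops} hops: {float(p):.5%} per circuit")
    p3 = p_all_hops_controlled(ADDED_RELAYS, total, 3)
    for conf in (0.5, 0.95):
        n = circuits_for_confidence(p3, conf)
        print(f"{conf:.0%} chance of one hit after {n} independent circuits")
    print("simulated 3-hop rate:", simulate(ADDED_RELAYS, total, 3, 200_000))
    # Real clients keep the same guard for long periods and relays are
    # weighted by bandwidth, so "independent uniform circuits" is the
    # comment's simplification, not Tor's actual path selection.
```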

                                                                            • throwaway37821 18 hours ago

                                                                              75% [0] of all Tor nodes are hosted within 14 Eyes [1] countries, so it would actually be quite trivial for the NSA to de-anonymize a Tor user.

                                                                              It baffles me that Tor Browser doesn't provide an easy way to blacklist relays in those countries.

                                                                              [0] Here, you can do the math yourself: https://metrics.torproject.org/rs.html#aggregate/all

                                                                              [1] https://en.wikipedia.org/wiki/Five_Eyes#Fourteen_Eyes

                                                                              > Edit: For all the cynics and doomsayers here, consider this: Tor has been around for a long time, but there has never been an uptick in arrests that could be correlated to cracking the core anonymity service. If you look closely at the actual high profile cases where people got busted despite using tor, these people always made other mistakes that led authorities to them.

                                                                              Maybe someone, somewhere, has decided that allowing petty criminals to get away with their crimes is worth maintaining the illusion that Tor is truly private.

                                                                              It's also worth noting that it's significantly easier to find the mistakes someone has made that could lead to their identity if you already know their identity.

                                                                              • keepamovin 6 hours ago

                                                                                The original purpose of TOR was to provide agents and handlers with a means of secure communication, allowing them to organize subversive or espionage activities. It was created by the Department of Defense to propagate their interests and spread democracy around the world using these secure capabilities. Given this context, it's not unreasonable to assume that TOR is still being used in a similar manner today.

                                                                                Because of its origins, access to the identities of users on the TOR network—even if they could be de-anonymized—would likely be extremely restricted, compartmentalized, and classified. This would make it much more difficult for such information to be used in law enforcement proceedings. Perhaps that, rather than a technical limitation, is the reason most high-profile arrests related to TOR involve criminals making some other mistake, rather than the security of the network itself being compromised.

                                                                                Additionally, it’s interesting to speculate that some of the secure private defense and intelligence networks—parallel or classified world internets—could themselves be implemented as possibly enhanced forms of TOR. It would make sense that nation-states, through shell companies and other disguises, might run and control many seemingly innocuous machines acting as secure relays in these parallel networks. While I have no data to back this up, it seems logical, given that TOR was originally created by the DoD and then open-sourced.

                                                                                Why wouldn’t they keep something that works, build on it, and enhance it as a means to secure their own global communications?

                                                                                • Xelbair 3 hours ago

                                                                                  >spread democracy

                                                                                  I have to say that I love that phrase, it is peak propaganda that just works.

                                                                                  • jrochkind1 an hour ago

                                                                                    > The original purpose of TOR was to provide agents and handlers with a means of secure communication, allowing them to organize subversive or espionage activities. It was created by the Department of Defense to propagate their interests and spread democracy around the world using these secure capabilities.

                                                                                    Do you think the EFF was in on it, duped, or just thought multiple competing interests could be served?

                                                                                    • DrillShopper 2 hours ago

                                                                                      After talking to my Democracy Officer I have to say I love managed democracy!

                                                                                      • headsupernova 3 hours ago

                                                                                        Ah yes, 'spread democracy around the world'

                                                                                      • DabbyDabberson 16 hours ago

                                                                                        It's important to realize that TOR is primarily funded and controlled by the US Navy. The US benefits from the TOR being private.

                                                                                        It provides a channel for operatives to exfiltrate data out of non-NATO countries very easily.

                                                                                        • firen777 15 hours ago

                                                                                          > It provides a channel for operatives to exfiltrate data out of non-NATO countries very easily.

                                                                                          I'm not convinced this is the case. For example China's gfw has been very effective at blocking TOR traffic, and any TOR connection in other countries is like announcing to the government that you are suspicious.

                                                                                          • snowwrestler 11 hours ago

                                                                                            It’s a little silly to say “for example” and then intentionally pick what is widely known as the most sophisticated and pervasive system for controlling Internet traffic ever created.

                                                                                            The parent said “non-NATO countries”… there are 162 of those that are not China.

                                                                                            (It’s also a little silly to specify “non-NATO” since U.S. intelligence services have to exfiltrate data from NATO countries too…)

                                                                                            To get data out of China, the U.S. undoubtedly has special systems, which are worth the special investment because it’s China.

                                                                                            • rvba an hour ago

                                                                                              If you weight it by population and importance then China is probably in the top though.

                                                                                              I bet western spies spend more time on China than some micro island in the middle of the ocean. Same for Chinese spies, who probably focus on USA first.

                                                                                              Also realistically probably everyone spies everyone and they spy on those micro islands too. But priorities are clear...

                                                                                            • literallycancer 12 hours ago

                                                                                              How do they see TOR traffic in a TLS tunnel?

                                                                                              • GuB-42 12 hours ago

                                                                                                If you can find TOR nodes, so can the Chinese government. They can then just block these addresses.

                                                                                                Furthermore, the great firewall is quite advanced, they use machine learning techniques to detect patterns, so even if it is TLS on port 443, they may be able to detect it after they have gathered enough traffic. There are workarounds of course, but it is not as simple as just using a TLS tunnel.

                                                                                            • godelski 12 hours ago

                                                                                              > the US Navy

                                                                                              Tor was made for spies. But you know what's really bad for spies? If accessing a certain IP/protocol/behavior reliably reveals your spy status.

                                                                                              For Tor to be effective for hiding spies it has to be used by the public. Even if it's only nefarious actors (say spies + drug dealers + terrorists) it adds noise that the adversary needs to sort through.

                                                                                              What I fucking hate about many of these conspiracies is how silly it is once you ever work with or for any government entities. You can't get two police agencies in neighboring cities to communicate with one another. The bureaucrats are fucking slow as shit and egotistical as fuck.

                                                                                              It's important to remember that the government and even a single agency (like the NSA) is just as chaotic, disconnected, and full of competing entities as any big tech company (if not worse). Yeah, most of the NSA is focused on offense, but there's groups working on defense. Those groups are 100% at odds. This is true for the 18 intelligence agencies. They have different objectives and many times they are at odds with one another and you bet each one wants to be getting credit for anything.

                                                                                              The US involvement should warrant suspicion and with any technology like Tor you should always be paranoid. But it's not proof. Because guess what, the US wants people in other countries to use high levels of encryption to hide from their authoritarian governments while the US can promote democracy movements and help put a friendly leader into a position of power. AT THE SAME TIME they also want to spy on their own people (and there are plenty of people in the gov that don't want this). Inconsistency is the default because it's a bunch of different people with different objectives. So the US gov both wants Tor to be secure and broken at the same time.

                                                                                              • try_the_bass 15 hours ago

                                                                                                > The US benefits from the TOR being private.

                                                                                                Slight correction: The US benefits from TOR being private to _everyone but the US_

                                                                                                • wheelerwj 15 hours ago

                                                                                                  I’m glad I didn’t have to scroll too far to see your comment.

                                                                                                  In fact, a major power wins by creating a moat just big enough that only they can cross.

                                                                                                  • fuzztester 11 hours ago

                                                                                                    everybody does such shenanigans, bro.

                                                                                                    you don't have to be a major power to do such stunts.

                                                                                                    everybody and their uncle are already doing it. look into your life to see the truth of this.

                                                                                                • HDThoreaun 12 hours ago

                                                                                                  I don't see how TOR is better than just spinning up a server on the public cloud for each asset. Since each asset would have a different IP they couldn't use one asset's knowledge to catch the others. Non-NATO countries tend to monitor internet traffic and so would know if you access TOR.

                                                                                                  • DrillShopper 2 hours ago

                                                                                                    Servers in the public cloud are a lot easier to do traffic analysis on.

                                                                                                • amy-petrik-214 12 hours ago

                                                                                                  TOR as it exists now is a honeypot simple as. Same as that documentary called "Benedict Cumberbniamnatch's Great Work" where they cracked the radio signals of the Frenchmen but they had to let the submarine sink so that they knew that the other guy doesn't know that they knew. NSA uses ROT which is TOR-inspired but takes the techniques and incognito aspects 7 or 8 steps ahead.

                                                                                                  • widforss 8 hours ago

                                                                                                    You do know Hitler was the German Reichskanzler, not French?

                                                                                                    • hnbad 6 hours ago

                                                                                                      I'm assuming the "documentary" was the movie The Imitation Game starring Benedict Cumberbatch. If that's an intentional mistake, I'd guess by "French" they meant Austrian (as Hitler was born in Austria).

                                                                                                    • Imustaskforhelp 11 hours ago

                                                                                                      What? Tor is a honeypot? I don't think so. What do you expect me to use instead of tor?

                                                                                                      • hkt 9 hours ago

                                                                                                        I2P, possibly

                                                                                                    • alphan0n 12 hours ago

                                                                                                      This entirely ignores the fact that traffic to and from onion sites never leaves the Tor network, never utilizes an exit node. It doesn’t matter if a bad actor has control of every exit node if your communications are within the network unless the underlying encryption protocols have been compromised.

                                                                                                      • dunghill 4 hours ago

                                                                                                        But not all traffic goes to onion sites.

                                                                                                      • ClumsyPilot 16 hours ago

                                                                                                        > petty criminals to get away with their crimes

                                                                                                        Like human rights activists, journalists and dissidents in totalitarian countries.

                                                                                                      • panarky 17 hours ago

                                                                                                        > what is the probability that someone randomly chooses three nodes that you own. The answer is less than 0.14%.

                                                                                                        You calculated the probability that a specific person randomly chooses three nodes of the 1,000.

                                                                                                        But that's not the scenario you're responding to.

                                                                                                        >> I can't target a specific person, but eventually I can find someone who has all three bounces through tor nodes I control

                                                                                                        Tor estimates that 2.5 million people use the network per day.

                                                                                                        Let's assume that in a month, 10 million people use it.

                                                                                                        Let's also assume that 80% of monthly users are not committing crimes, while the 20% who are criminals make an average of four Tor connections per month.

                                                                                                        With those assumptions we could expect a malicious operator who controls 1,000 nodes could capture the sessions of 10,940 criminals in a given month.

                                                                                                        Spending less than fifty cents per suspect is less than trivial.

                                                                                                        • ClumsyPilot 16 hours ago

                                                                                                          > could capture the sessions of 10,940 criminals in a given month

                                                                                                          Let’s say you do that, and now you have found 10k people accessing pirate bay in countries where it is blocked.

                                                                                                          Also you captured someone who lives in Siberia and watches illegal porn, now what?

                                                                                                          Many of these will not be actionable, like not criminals you would have interest in.

                                                                                                          • panarky 15 hours ago

                                                                                                            An autocratic regime of a large nation locks up its critics and other undesirables in camps.

                                                                                                            100,000 activists who haven't been caught yet switch to Tor for anonymity.

                                                                                                            For $60,000, the regime monitors Tor for a year, identifies 6,500 activists, and marches them off to the camps.

                                                                                                            And by discrediting Tor the regime pushes the other 93,500 activists even farther underground, constraining their ability to recruit, limiting their ability to coordinate with each other, and reducing what they can publish about what's happening to their country.

                                                                                                            • hkt 9 hours ago

                                                                                                              > reducing what they can publish about what's happening to their country.

                                                                                                              To what audience? It isn't quite what you're getting at in your post but this is worth saying: graffiti, zines, contact with journalists, radio operations like pirate radio, all of it is much more established and less uncertain in risk profile than being online. Crucially it may also be more effective.

                                                                                                          • Eisenstein 16 hours ago

                                                                                                            > could capture the sessions of 10,940 criminals

                                                                                                            What does that mean? The way I understand it you would be getting traffic correlations -- which means an IP that requested traffic from another IP and got that traffic back in a certain time period. What does that tell you, exactly, about the criminal? If you aren't looking for a specific person, how would you even know they are doing crimes?

                                                                                                            • panarky 15 hours ago

                                                                                                              Activists fighting an autocratic regime use a large social media site to recruit, coordinate and publish so they can reach the broadest number of people possible.

                                                                                                              The billionaire owner of the site supports the strongman leader and provides IP addresses for those who post wrongthink on his platform.

                                                                                                              Now the regime can link social media activity of anonymous activists to their real IP addresses, devices and locations.

                                                                                                          • verbify 17 hours ago

                                                                                                            > Edit: For all the cynics and doomsayers here, consider this: Tor has been around for a long time, but there has never been an uptick in arrests that could be correlated to cracking the core anonymity service. If you look closely at the actual high profile cases where people got busted despite using tor, these people always made other mistakes that led authorities to them.

                                                                                                            During WW2, the British cracked the German codes. They would create pretexts for "discovering" where German ships would be, so that the Germans wouldn't suspect that they cracked their codes.

                                                                                                            It's impossible for us to know if the US government have cracked Tor, because the world would look identical to us whether they had or hadn't. If the only evidence they have is via Tor, and the individual is a small fry, they will prefer they get away with it rather than let people know that Tor has been cracked.

                                                                                                            I just assume the NSA are spending their budgets on something, although maybe it is stuff like side channel attacks.

                                                                                                            • avidiax 16 hours ago

                                                                                                              These pretexts for "discovering" are a "bedrock principle" in law enforcement called parallel construction.

                                                                                                              The NSA sharing data with the DEA becomes a "routine traffic stop" that finds the drugs. The court would not allow the NSA evidence or anything found as a result, but through parallel construction, the officer lies in court that it was a "routine stop", and judicial review never occurs.

                                                                                                              • chiefalchemist 15 hours ago

                                                                                                                > these people always made other mistakes that led authorities to them.

                                                                                                                Says who? The intelligence community entity that busted them? If they're using a tool to discover X or Y they're not to let anyone know that.

                                                                                                                For example, I live in the NYC area. A couple of times per year there's a drug bust on the New Jersey Turnpike of a car headed to NYC. The story is always a "random" police stop ends up in a drug bust.

                                                                                                                Random? My arse. Of the thousands of cars on the NJTP the cops just happened to pick the one loaded with drugs? A couple times a year? I don't buy it. But what are they going to say? They have someone on the inside that tipped them off? That's not going to happen.

                                                                                                                The intelligence community doesn't deal in truth and facts. It deals in misinformation and that the ends justify the means. What they're doing and what they say they're doing are unlikely the same.

                                                                                                                • habinero an hour ago

                                                                                                                  You're ironically vastly overestimating the cops. It's not that they have good intel, it's that it's copaganda.

                                                                                                                  They'll just make something up for publicity if they don't get something useful.

                                                                                                              • jrochkind1 an hour ago

                                                                                                                What you say is reasonable and I agree and hold that position.

                                                                                                                > Tor has been around for a long time, but there has never been an uptick in arrests that could be correlated to cracking the core anonymity service.

                                                                                                                If I were an intelligence agency that had "cracked" tor -- I'd probably make sure nobody would notice I had access, so I could keep eavesdropping. Not do anything that could expose my access.

                                                                                                                It certainly could be happening. Nothing is 100%. Nothing. Just a fact. Tor is probably pretty good at what it does.

                                                                                                                (and keep in mind, for what we're talking about in this kind of attack, all I get access to is network contacts, not the actual messages, right?)

                                                                                                                • derefr 19 hours ago

                                                                                                                  You know what's easier than waiting around to get really lucky?

                                                                                                                  Using those same network-health dashboards as DDoS target lists, to temporarily degrade/shut down the whole network except for your own nodes.

                                                                                                                  Also, big nodes route more Tor circuits each. Costs more to run them, and they intentionally don't function as exit nodes (to avoid the "obvious" attack) — but just having a bunch of these big nodes in the network handling only middle hops, biases the rest of the network away from handling middle hops, toward handling end hops. Which means that if you then run a ton of tiny nodes...

                                                                                                                  • whimsicalism 19 hours ago

                                                                                                                    > Could someone like the NSA with limitless resources do it? Sure

                                                                                                                    Yes, this is obviously the sort of adversary we would be discussing.

                                                                                                                    > , lets also ignore that there are different types of nodes

                                                                                                                    causing your number to be an underestimate

                                                                                                                    > The answer is less than 0.14%.

                                                                                                                    So almost certainly thousands of people

                                                                                                                    • sigmoid10 19 hours ago

                                                                                                                      >Yes, this is obviously the sort of adversary we would be discussing.

                                                                                                                      OP explicitly asked about himself, not some government organisation.

                                                                                                                      >causing your number to be an underestimate

                                                                                                                      Not necessarily. It might even be an overestimate if the attacker fails to supply enough nodes of the right kind.

                                                                                                                      >So almost certainly thousands of people

                                                                                                                      We're talking about a targeted attack. Of course the statistics game works better when you don't target specific people and just fish randomly. But there are probably more cost effective methods as well.

                                                                                                                      • whimsicalism 19 hours ago

                                                                                                                        > We're talking about a targeted attack

                                                                                                                        From OP: " I can't target a specific person, but eventually I can find someone who has all three bounces through tor nodes I control, no"

                                                                                                                        > Not necessarily. It might even be an overestimate if the attacker fails to supply enough nodes of the right kind.

                                                                                                                        Assuming they match the existing distribution of nodes, they will only have better results.

                                                                                                                        • sigmoid10 7 hours ago

                                                                                                                          That's assuming a lot given the rest of the statement.

                                                                                                                    • PeterisP 19 hours ago

                                                                                                                      If someone would do the thing-to-be-detected (e.g. accessing CSAM) every day, then that 0.14% probability of detection turns out to be 40% for a single year (0.9986^365) or 64% over two years, so even that would deanonymize the majority of such people over time.

                                                                                                                      • sigmoid10 19 hours ago

                                                                                                                        That assumes you could run thousands of malicious tor nodes for several years without being detected. Unless you have vast resources and time, this is unlikely.

                                                                                                                        • alasdair_ 19 hours ago

                                                                                                                          My point is that it doesn't require "vast resources". A VPS is $5 a month. A thousand of them would be in the disposable income budget of a single FAANG engineer never mind a nation state.

                                                                                                                          Pay people on Fiverr to set them up for you at different ISPs so that all the setup information is different. You can use crypto to pay if you want anonymity (this is actually the main reason I used to use bitcoin - I'd pay ISPs in Iceland to run TOR exit nodes for me without linking them to my identity).

                                                                                                                          This isn't a difficult problem. A single individual with a good job could do it.

                                                                                                                          And sure, each connection only has a very small chance of being found, but aggregate it over a year or two and you could catch half of the users of a site if they connected with a new circuit one time per day.

                                                                                                                          I honestly can't see why a nation state or two hasn't already done this.

                                                                                                                          • jiveturkey 18 hours ago

                                                                                                                            > A VPS is $5 a month.

                                                                                                                            With insignificant data caps. To get the data needed I believe you're looking at a couple hundred a month, to start.

                                                                                                                            • judge2020 18 hours ago

                                                                                                                              Running exit nodes is also likely to result in getting booted from most VPS or even bare metal providers, maybe unless you BYOIP.

                                                                                                                              • AstralStorm 17 hours ago

                                                                                                                                And if you BYOIP, and run a large node, Tor volunteers will try to contact you and verify...

                                                                                                                          • worldsayshi 19 hours ago

                                                                                                                            But it doesn't seem unfeasible for a state actor that wants to track their population then?

                                                                                                                            • ziddoap 19 hours ago

                                                                                                                              The comment that spawned this chain starts with:

                                                                                                                              >Let's say I as a private individual

                                                                                                                              • worldsayshi 10 hours ago

                                                                                                                                Yes that's why I said 'but'. It still seems relevant to the discussion and I wasn't aware that such an attack was possible.

                                                                                                                            • Spivak 19 hours ago

                                                                                                                              But given the attack is just logging the cleartext at the ends how are you going to detect that the servers are malicious?

                                                                                                                              • AndyMcConachie 19 hours ago

                                                                                                                                What detection? A malicious node is only different from a non-malicious node because all the traffic is being logged. If that's our definition of a malicious node in this case then there is no way to detect one.

                                                                                                                              • mistercheph 19 hours ago

                                                                                                                                I can't think of anyone with vast resources and time that would want to deanonymize cybercriminals

                                                                                                                                • sigmoid10 19 hours ago

                                                                                                                                  Top commenter specifically asked about himself.

                                                                                                                                  • colechristensen 19 hours ago

                                                                                                                                    Outside of 3 letter agencies which is obvious, I have known people who would do this for fun or whatever other personal motivation.

                                                                                                                                    A lot of "hacker" mentality projects involve putting a tremendous amount of effort into something with questionable utility.

                                                                                                                                    People climb mountains because they're there.

                                                                                                                                • bawolff 16 hours ago

                                                                                                                                  That is why in tor it picks a specific guard node and sticks with it. To prevent this kind of attack where you change nodes until you hit a bad one.
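The arithmetic in PeterisP's comment and the guard-pinning point in bawolff's comment, worked through as an added example (not part of the thread and not Tor's code). The 0.14% per-circuit figure comes from the thread; the 5% relay fractions and rotation periods are constructed values, and the model assumes independent, uniform relay selection, which Tor's bandwidth-weighted path selection does not follow.

```python
import math


def cumulative_risk(p_event, n_trials):
    """P(at least one hit) over n independent trials with per-trial probability p."""
    return 1.0 - (1.0 - p_event) ** n_trials


def circuits_for_risk(p_circuit, target):
    """Smallest number of independent circuits whose cumulative risk reaches target."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_circuit))


def risk_fresh_guard(guard_frac, exit_frac, n_circuits):
    """Hypothetical client WITHOUT guard pinning.

    Entry and exit are both re-drawn for every circuit, so every circuit is a
    new chance to land on an observed entry AND an observed exit.
    """
    return cumulative_risk(guard_frac * exit_frac, n_circuits)


def risk_pinned_guard(guard_frac, exit_frac, circuits_per_period, periods):
    """Client WITH guard pinning.

    The entry guard is drawn once per rotation period; only the exit is
    re-drawn per circuit. If the pinned guard is honest, no circuit in that
    period can be correlated end to end, however many circuits are built.
    """
    per_period = guard_frac * cumulative_risk(exit_frac, circuits_per_period)
    return cumulative_risk(per_period, periods)


def report():
    """Return the numbers discussed in the thread plus the pinning comparison."""
    p = 0.0014          # per-circuit figure quoted in the thread
    g = e = 0.05        # constructed: share of guard / exit selection observed
    return {
        "one_year_daily": cumulative_risk(p, 365),
        "two_years_daily": cumulative_risk(p, 730),
        "circuits_for_50pct": circuits_for_risk(p, 0.5),
        # One circuit per day for roughly a year, three ways:
        "fresh_guard": risk_fresh_guard(g, e, 364),
        "pinned_one_guard_all_year": risk_pinned_guard(g, e, 364, 1),
        "pinned_four_rotations": risk_pinned_guard(g, e, 91, 4),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:28s} {value:.4f}" if isinstance(value, float)
              else f"{name:28s} {value}")
```

With a pinned guard the cumulative risk is capped by the chance of having drawn an observed guard in the first place, so it stops growing with the number of circuits; it grows only with the number of guard rotations.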

                                                                                                                                  • immibis 8 hours ago

                                                                                                                                    The attack Germany is thought to have actually used was to flood the network with middle nodes and wait until the victim connects to their middle node. Then, it knows the guard node's IP. Then, it went to an ISP and got logs for everyone who connected to that IP.

                                                                                                                                • oconnore 19 hours ago

                                                                                                                                  > Could someone like the NSA with limitless resources do it? Quite probably, sure.

                                                                                                                                  If you're not worried about a fairly well-resourced government agency uncovering whatever network activity you believe needs to be anonymized, why would you be using Tor at all?

                                                                                                                                  • CapitalistCartr 18 hours ago

                                                                                                                                    Because you're an enemy of the Iranian, Saudi, North Korean, etc. gov't.

                                                                                                                                    Because your ex-spouse wants to murder you.

                                                                                                                                    Because you just escaped Scientology, or another cult.

                                                                                                                                    Because you're a criminal. The NSA doesn't handle that.

                                                                                                                                    Because you're a journalist talking to sources in the industry you're investigating.

                                                                                                                                    • goodpoint 7 hours ago

                                                                                                                                      Because your ISP is selling your traffic logs.

                                                                                                                                      Because you want to avoid creepy targeted ads.

                                                                                                                                      Because you live in a country that blocks many legitimate websites.

                                                                                                                                      Because you are looking for information about abortion and live in countries like Iran or US

                                                                                                                                      • adamrezich 18 hours ago

                                                                                                                                        Those second and third points are pretty laughably paranoid-fantasy reasons to use Tor—even if one found oneself in either situation.

                                                                                                                                        • throwme0827349 18 hours ago

                                                                                                                                          Respectfully, a large number of people rightfully fear for their lives, safety, and freedom due to being stalked or abused by a current or former partner. I have personally known several.

                                                                                                                                          Using victims' devices and communications in order to locate, and then harass, trap, or attack them, is commonplace for stalkers.

                                                                                                                                          • viraptor 15 hours ago

                                                                                                                                            If you can use victim's device, then Tor or any network level protection will not help you. If you can use their network, then just about everything uses https these days... and you still need to know their location to snoop in the first place. GP raised a good point of Tor not helping in those two cases.

                                                                                                                                            Those are situations that people deal with, but suggesting they use Tor is not going to help them. (Apart from some very specific situations)

                                                                                                                                            • adamrezich 18 hours ago

                                                                                                                                              How many of these people are justified (by evidence, not merely paranoia) in thinking that Tor would circumvent whatever communications interception may or may not have been put in place?

                                                                                                                                              And of those people, how many people have ever even heard of Tor, let alone know how to use it?

                                                                                                                                              • throwme0827349 15 hours ago

                                                                                                                                                What fraction of domestic violence shelter occupants are paranoid rather than reasonably fearful? What fraction are paranoid, vs. those who are reasonably afraid of being spied on in general? Probably some, but I believe many have well founded reasons to want to be anonymous and in hiding.

                                                                                                                                                I concede that tor is probably not a useful tool in general for these people. I meant to point out only that one needn't be paranoid to fear one's spouse.

                                                                                                                                                • throwing_away 18 hours ago

                                                                                                                                                  I think you just unintentionally highlighted the need for the tor project and outreach to inform people about it.

                                                                                                                                                  • adamrezich 17 hours ago

                                                                                                                                                    Not to make too much light of a morbid topic but the idea of someone having a murderous yet tech-savvy ex who has methodically installed all sorts of elaborate digital surveillance measures in their former spouse's personal tech stack in service of premeditated homicide, sitting in a dark room somewhere, howling in anger upon realizing his murder plan has (somehow...?) been thwarted by said former spouse unexpectedly using Tor is pretty funny (because of how outlandish it is). "I almost got away with it too, if it weren't for you kids and that onion routing software!"

                                                                                                                                                    • IggleSniggle 3 hours ago

                                                                                                                                                      You are lucky to have not experienced stalking. It's not like some big nefarious plan, it's a relentless obsessed hunter who will use whatever the lowest-hanging fruit is to get to you. If they have IT savvy they will use that. If they are charming they will use that. If they are brutal they will use that. They don't need to be murderous obviously, just obsessed with you.

                                                                                                                                                      Knowing that there's one thing they can't get to you on is huge peace of mind. Not needing to think about your stalker, because there's no way for them to hunt you there.

                                                                                                                                                      • throwme0827349 16 hours ago

                                                                                                                                                        Stop thinking about cloak and dagger shit and start thinking about things ordinary people could do if they had a psychotic obsession, and nothing better to do with 120 hours a week of their time.

                                                                                                                                                        Stalkers want to make it impossible to live a normal life. They try to make it impossible to go to work or school, to use phones, email, messaging services, etc. Already knew my contact info, and got new ones by asking mutual friends. Called the landline and cell and work phone and hung up or heavy-breathed into the phone hundreds of times a day. Telco won't help with this or admit who's doing it w/o a subpoena, which I couldn't realistically get. They tried to get various online accounts, including employer provided, to be flooded/brigaded/spammed/banned.

                                                                                                                                                        You don't have to be a leet haxor to do social engineering, sim swapping, and other crying on the phone to customer service type of attacks on other people's accounts. You just have to be pissed off and risk tolerant.

                                                                                                                                                        Not saying tor is a good-fit solution to these problems, just saying that "Because your ex-spouse wants to murder you", and also you have a day-to-day practical necessity to find a secure, hard to block way to communicate on, or access, the internet is not actually an exotic problem.

                                                                                                                                                        • yazzku 17 hours ago

                                                                                                                                                          It's like a series of onions!

                                                                                                                                                  • yencabulator 12 hours ago

                                                                                                                                                    tor-browser comes with other privacy-boosting features, beyond its method of talking to the network. That might make a difference too, if someone is likely to look at your browser history etc.

                                                                                                                                                    • rockskon 13 hours ago

                                                                                                                                                      The second to last point is laughable since it's long been authorized in executive order that if the NSA stumbles upon information relating to criminal activity while searching for other stuff that they can report that info to the FBI.

                                                                                                                                                      Heck - FBI is allowed to do the same damn thing with the data they're given by the NSA. Y'know, the whole "backdoor search loophole" which amounts to laundering authorities across agencies to get access to data they wouldn't otherwise be permitted to have.

                                                                                                                                                  • echoangle 19 hours ago

                                                                                                                                                    Depends on what you’re doing. The NSA isn’t going to expose themselves by tipping off law enforcement about small time drug deals. If you’re sharing CSAM or planning terrorist attacks, it might be different.

                                                                                                                                                    • stackghost 18 hours ago

                                                                                                                                                      >If you’re sharing CSAM or planning terrorist attacks, it might be different.

                                                                                                                                                      They'll just employ parallel construction to avoid exposure.

                                                                                                                                                  • Eduard 10 hours ago

                                                                                                                                                    > If you look closely at the actual high profile cases where people got busted despite using tor, these people always made other mistakes that led authorities to them.

                                                                                                                                                    Assuming tor always was or became broken and is exploitable by law enforcement, authorities would try to maintain a false believe of tor's integrity so as to crack high profile cases for as long as possible.

                                                                                                                                                    Within this scenario, it is plausible to assume that authorities can decipher and discover information that can be used as the official pretextual charge / minor reason ("they made the mistake to use their public email address on the dark net forum") in order to not spill the beans on the actual means (here, tor being broken).

                                                                                                                                                    • mzs 19 hours ago

                                                                                                                                                      So if there are greater than only 357 people on topics the GP is interested in that's better than 50/50 odds.

                                                                                                                                                      • itake 17 hours ago

                                                                                                                                                        1/ if a user sends 10,000 requests, you're saying 14 of them might see 3 compromised nodes?

                                                                                                                                                        2/ Police can use parallel construction. Although, given enough time (in theory) parallel construction is eventually exposed.

                                                                                                                                                        • avidiax 16 hours ago

                                                                                                                                                          > given enough time (in theory) parallel construction is eventually exposed.

                                                                                                                                                          Parallel construction has existed for decades. It's even in "The Wire". It has never been tested in court, probably because it is nearly impossible to discover outside of being the agents that implement it.

                                                                                                                                                          • itake 9 hours ago

                                                                                                                                                            The police used self-powered GPS devices[1] to track criminals. These devices are used in various situations, such as when someone violates parole. The police don’t need to report the violation immediately. Instead, they wait for the person to re-enter their jurisdiction, then catch and arrest them.

                                                                                                                                                            Parallel construction wasn't tested, but the means of them catching criminals this way was tested in court.

                                                                                                                                                            [0] - https://www.gps.gov/news/2012/01/supremecourt/

                                                                                                                                                            [1] - if the device got power from the vehicle, it would be considered "break and entering" and thus would require a warrant.

                                                                                                                                                            • fragmede 16 hours ago

                                                                                                                                                              it's not been tested in court, but it's not some crazy Internet theory. https://arstechnica.com/tech-policy/2013/08/us-drug-agency-g...

                                                                                                                                                            • yencabulator 12 hours ago

                                                                                                                                                              1/ tor-browser by default sticks to the same circuit for one origin for the session, so that'd have to be 10,000 separate sites or 10,000 separate sessions.

                                                                                                                                                            • moss2 7 hours ago

                                                                                                                                                              I think the FBI/CIA/NSA could afford 8000 nodes if they wanted to.

                                                                                                                                                              • dumbo-octopus 19 hours ago

                                                                                                                                                                You don’t need all the middle nodes. Just the entry and exit, and enough data to do packet timing analysis to correlate them. It’s in fact shockingly easy for a well provisioned actor to trace tor traffic, and this is something the TOR project openly admits.

                                                                                                                                                                They’re financed by the US Government after all…

                                                                                                                                                                • tru3_power 13 hours ago
                                                                                                                                                                  • alphan0n 13 hours ago

                                                                                                                                                                    Onion sites do not utilize an exit node.

                                                                                                                                                                  • basedrum 19 hours ago

                                                                                                                                                                    Tor does have padding defenses to protect against that.

                                                                                                                                                                    Also, according to their latest blog post on their finances, while it is true they have money from the US Government, that was only ~50% of their income (I think that was 2023). For the FUD part of that comment, see the "U.S. Government Support" section of https://blog.torproject.org/transparency-openness-and-our-20...

                                                                                                                                                                    • dumbo-octopus 16 hours ago

                                                                                                                                                                      “Only half” is hilarious. Thanks for that.

                                                                                                                                                                      And if you trust the NSA can’t overcome correlation in the presence of “padding defenses”, then sure: TOR is secure.

                                                                                                                                                                      • 867-5309 5 hours ago

                                                                                                                                                                        I wonder how many tor users actually know this. tor would probably not exist in the same capacity without that funding

                                                                                                                                                                  • alasdair_ 18 hours ago

                                                                                                                                                                    >Edit: For all the cynics and doomsayers here, consider this: Tor has been around for a long time, but there has never been an uptick in arrests that could be correlated to cracking the core anonymity service. If you look closely at the actual high profile cases where people got busted despite using tor, these people always made other mistakes that led authorities to them.

                                                                                                                                                                    Yeah, the stated reason is always something else. But this just reminds me of "parallel construction" - what if they were found in on way and then (to hide the source) the claim was that they were found in another way?

                                                                                                                                                                    • halfcat 17 hours ago

                                                                                                                                                                      > there has never been an uptick in arrests

                                                                                                                                                                      If it was effective, would there have been a down tick in arrests at some point?

                                                                                                                                                                      Or if the arrest rate stayed the same, would that suggest it never “worked” to begin with?

                                                                                                                                                                      It’s like the movie trope of the detective who finds out the truth via some questionable means which isn’t admissible in court. When you know the truth you can push harder and call every bluff until you get admissible evidence.

                                                                                                                                                                      • AstralStorm 17 hours ago

                                                                                                                                                                        Or you can use more... underhanded means that never result in an arrest.

                                                                                                                                                                      • alasdair_ 19 hours ago

                                                                                                                                                                        >The answer is less than 0.14%.

                                                                                                                                                                        Is this per circuit? So if someone switches circuits every X hours, the chance of being caught after a year is actually quite high?

                                                                                                                                                                        And even catching 0.14% of pedophiles would probably be worth it to the FBI or whatever, never mind Iran catching dissidents or whatever.

                                                                                                                                                                        My point is that it seems very cheap to do this (I as a random staff engineer could do it myself) and catch some people. A nation state could easily catch a much higher percentage if they increased the number of logging nodes slowly and carefully and deliberately did things like use many ISPs and update the servers gradually etc.

                                                                                                                                                                        • whimsicalism 19 hours ago

                                                                                                                                                                          The happy equilibrium is that if you have enough adversary nation-state intelligence services doing this and not sharing information, they'll cancel each other out and provide free node hosting.

                                                                                                                                                                          • qwery 18 hours ago

                                                                                                                                                                            You're misusing probability and ignoring critical information.

                                                                                                                                                                            There's 1000 red marbles added to a jar with 8000 blue marbles (9000 total). Take three marbles from the jar randomly, one at a time. The odds of getting three red marbles is ~0.14%. That's all.

                                                                                                                                                                            Tor nodes are not randomly picked marbles. The Tor network is not a jar.

                                                                                                                                                                            • whimsicalism 18 hours ago

                                                                                                                                                                              they’re using probability correctly. if you have a critique state it clearly
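The figures argued over in this sub-thread, worked through as an added example that is not part of any comment: the 1000-in-9000 jar for three hops, the entry-plus-exit-only case, and how each compounds over a day of 10-minute circuits. Uniform random selection, independent circuits and the fixed-entry variant are modelling assumptions made here, and all function names are illustrative.

```python
from fractions import Fraction

# Numbers taken from the thread: 1000 logging relays among 9000 total,
# 3-hop circuits, and a new circuit every 10 minutes.
TOTAL, HOSTILE = 9000, 1000
CIRCUITS_PER_DAY = 24 * 60 // 10  # 144


def p_all_picks_hostile(total, hostile, picks):
    """Chance that `picks` relays drawn uniformly, without replacement,
    are all hostile (the marble-jar model from the thread)."""
    p = Fraction(1)
    for i in range(picks):
        p *= Fraction(hostile - i, total - i)
    return p


def p_at_least_once(p_single, trials):
    """Chance of at least one hit in `trials` independent attempts."""
    return 1 - (1 - p_single) ** trials


def p_fixed_entry(total, hostile, circuits):
    """Variant (assumption of this example): the client keeps ONE entry
    relay for the whole period and only the exit is re-drawn per circuit.
    Exposure then requires that single entry to be hostile, so the result
    can never exceed hostile/total however many circuits are built."""
    entry_hostile = Fraction(hostile, total)
    exit_hostile_given_entry = Fraction(hostile - 1, total - 1)
    return entry_hostile * p_at_least_once(exit_hostile_given_entry, circuits)


def summary():
    """Return the headline probabilities as floats."""
    three_hops = p_all_picks_hostile(TOTAL, HOSTILE, 3)
    entry_and_exit = p_all_picks_hostile(TOTAL, HOSTILE, 2)
    return {
        # All three hops hostile on one circuit (the "~0.14%" figure).
        "one_circuit_all_three": float(three_hops),
        # Only entry and exit hostile on one circuit.
        "one_circuit_entry_exit": float(entry_and_exit),
        # Same, compounded over a day if every circuit re-drew both ends.
        "day_entry_exit_redrawn": float(
            p_at_least_once(entry_and_exit, CIRCUITS_PER_DAY)),
        # Same day, but with the entry relay held fixed.
        "day_entry_fixed": float(
            p_fixed_entry(TOTAL, HOSTILE, CIRCUITS_PER_DAY)),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:26s} {value:.4%}")
```

Under the jar model the per-circuit number is small, but the day-long total depends almost entirely on whether the entry relay is re-drawn or held fixed, which is why the choice of model matters more than the arithmetic.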

                                                                                                                                                                        • londons_explore 19 hours ago

                                                                                                                                                                          You only need to control the entry and exit node - since you know the next and previous hop for all traffic you touch, and default chains are 3 long. With circuits changing every 10 mins, within a few days you would have deanonymized at least some percentage of traffic for nearly every user.

                                                                                                                                                                          I'd call tor broken against any adversary with a little technical skill and willingness to spend $5000.

                                                                                                                                                                          I'm 80% sure Tor is designed as a US supported project to focus those needing anonymity into a service only governments with global security apparatus (who can grab a good chunk of internet traffic) can access.

                                                                                                                                                                          • bdw5204 18 hours ago

                                                                                                                                                                            I imagine most exit nodes are likely controlled by the US government and/or its close allies. Who else wants to have their IP address banned from most of the internet and potentially get visits from their country's equivalent of the FBI?

                                                                                                                                                                            If most Tor users ran exit nodes and most people used Tor, it would effectively make internet traffic anonymous. But without those network effects, it is vulnerable by design to deanonymization attacks by state actors.

                                                                                                                                                                            • basedrum 18 hours ago

                                                                                                                                                                              I run an exit node, and I know several people who do, I don't suspect any of them to be anything but people who care about privacy, surveillance, and helping people get access to the free internet from restrictive locations. I admit, I bristled at your comment, because I do not like myself, the EFF, and many of my close friends being imagined as part of the US Government.

                                                                                                                                                                              • londons_explore 18 hours ago

                                                                                                                                                                                I ran an exit node for a while, and found myself auto-banned from so many services that I stopped running the node and threw away my IP range (which now would be worth $$$ - oh well!)

                                                                                                                                                                                • iancarroll 16 hours ago

                                                                                                                                                                                  I ran Tor nodes, had a bunch of blacklisted IPs, and just stopped running them and it was fine? Blacklisting Tor nodes requires updating the data often, so it falls off pretty quickly. To discard an entire /24 would be pretty funny over that!

                                                                                                                                                                                  • noirscape an hour ago

                                                                                                                                                                                    Most people just use a DNSBL to block Tor exit nodes. They're pretty trivial to find online and presumably, very easy to set up because the list of Tor exit nodes is publicly available.

                                                                                                                                                                                    This also means the expiry time is usually tied to however long a Tor exit node stays on the DNSBL + 3 or so days (depends on how long the software is configured, but 3 days is typically the assumed default for IPs that tend to get mixed up with automated spam, of which Tor is also a massive purveyor.)

                                                                                                                                                                                  • immibis 8 hours ago

                                                                                                                                                                                    It's recommended to put an exit node on its own dedicated IP address.

                                                                                                                                                                              • k__ 18 hours ago

                                                                                                                                                                                How do you control an exit node?

                                                                                                                                                                                I had the impression, with onion services they are a thing of the past.

                                                                                                                                                                                • londons_explore 18 hours ago
                                                                                                                                                                                  • k__ 18 hours ago

                                                                                                                                                                                    Ah, there are people who use Tor to access non-onion services. Got it.

                                                                                                                                                                                    Seemed like onion services were created to solve the security issues that exit nodes bring, so I assumed people stopped using them and started running onion services instead.

                                                                                                                                                                                    • AstralStorm 17 hours ago

                                                                                                                                                                                      For the more scummier or illegal elements on the network, that is true. For onion services, lasering attacks and takeovers plus honeypot are the chief danger.

                                                                                                                                                                              • EmilyHughes 10 hours ago

                                                                                                                                                                                This came out yesterday: https://www.youtube.com/watch?v=Gs0-8ZwZgwI

                                                                                                                                                                                Apparently in germany they caught a pedo like that. Watching certain nodes and the sizes of files that are sent between them to identify the admin of a pedophile image sharing forum. Took them 1 1/2 years to identify the specific person, but they got him.

                                                                                                                                                                                Considering this I would imagine it's pretty safe for the average user since they have to specifically target you for a long time, however it seems like with enough effort it's possible to identify someone even without Clearnet slip-ups like it was the case with Silkroad.

                                                                                                                                                                                Once they have your address they will just storm your house and catch you on the computer, then you are done for.

                                                                                                                                                                                • prisenco 17 hours ago

                                                                                                                                                                                  Using Tor, like all security and privacy tools, must be balanced against what it is being used for. We will always live in a world of limited resources for policing, and systems of privacy work by increasing the difficulty and cost to deanonymize someone. They don't have to be perfect, they just have to be expensive.

                                                                                                                                                                                  If you want basic anonymity while researching someone powerful or accessing information, it's extremely unlikely anyone is going to go the lengths people are bringing up here as a way to compromise Tor. The intersection of expertise, funding and time required is too great for such a low value target.

                                                                                                                                                                                  If you're an international terrorist leader wanted in multiple countries, a prolific criminal, or enemy #1 of an authoritarian state though? Those who can go to those lengths absolutely will go to those lengths.

                                                                                                                                                                                  • thewanderer1983 14 hours ago

                                                                                                                                                                                    The problem with this assumption, that all possible attacks have been narrowed down to expensive only attacks, i.e. nation state level. These are complex systems and it's not possible to prove that the only form of attacks are within these Overton windows. There may be much simpler forms of attack that aren't expensive, but the experts aren't aware of them, and therefore not focusing on. This is one of the big reasons for provably secure systems like seL4 and other functional programming paradigms. We can't prove that all the problems are in this expensive box we put ourselves in, and all it takes is a 12 year old to discover one of these cheap attacks with a tooth pick or kids toy to undermine very expensive defence systems.

                                                                                                                                                                                    Take for example, John Draper who discovered in the 60's that a Captain Crunch whistle toy could be used to make free phone calls on the telephone systems. Or the discovery of Side Channel attacks by an engineer at Bell Telephone company who noticed that a Bell Telephone model 131-B2 would produce distinct spikes for each key pressed on the oscilloscope across the room. Therefore not requiring nation state level expense to break the encryption used by Navy and Army's encryption systems. Or during the Afghan war, the US was deploying armored vehicles that they assumed would provide good protection, and would be expensive to attack by the enemy. Turned out they could make IEDs from inverted copper cheaply and within locals' kitchens. That proved very successful. Or the kid who discovered he could bypass the mint screensaver by smashing random keys on the keyboard (https://github.com/linuxmint/cinnamon-screensaver/issues/354). The list of these types of cheap attacks are throughout history.

                                                                                                                                                                                    • slg 16 hours ago

                                                                                                                                                                                      >If you want basic anonymity while researching someone powerful or accessing information, it's extremely unlikely anyone is going to go the lengths people are bringing up here as a way to compromise Tor. The intersection of expertise, funding and time required is too great for such a low value target.

                                                                                                                                                                                      Doesn't a solid VPN service also satisfy this exact need? Tor seems to occupy a narrow niche in which you have to care much more about privacy than the average person, but not at a nation state level. I think that is how it got associated with that 2nd tier of internet crime like buying drugs on the dark web or sharing CSAM. The truly sophisticated internet criminals probably know better and the people who only really care about anonymizing themselves are probably doing something simpler.

                                                                                                                                                                                      • bawolff 16 hours ago

                                                                                                                                                                                        > Doesn't a solid VPN

                                                                                                                                                                                        Finding a solid one is the hard part. With tor, you kind of know what you are buying. The risks are in the open. With VPN maybe the operator is selling your data to advertizers. Maybe they are keeping logs. You kind of have to just trust them and have no way to verify.

                                                                                                                                                                                        • slg 16 hours ago

                                                                                                                                                                                          This hypothetical was about "a low value target" looking for "basic anonymity". Just get Mullvad and assume the entire company wasn't a 15 year long con set up to better target ads at you specifically.

                                                                                                                                                                                    • gaba 20 hours ago

                                                                                                                                                                                      Tor Project has a team that looks at relays and checks if relays are engaging in bad practices or any suspicious activity like a lot of nodes run by one operator.

                                                                                                                                                                                      https://community.torproject.org/relay/governance/

                                                                                                                                                                                      • hnisoss 17 hours ago

                                                                                                                                                                                        how do you protect yourself from botnets? lets say just monkrus release was infected and now N-thousand teens are running infested windows installations and software tools..

                                                                                                                                                                                        • alasdair_ 19 hours ago

                                                                                                                                                                                          Iran probably has enough money that it could pay a thousand different isps in a thousand different ways with a thousand different os versions and tor versions. This could all be automated pretty easily.

                                                                                                                                                                                          • krunck 19 hours ago

                                                                                                                                                                                            When you think about countries that have the resources to "pay a thousand different isps in a thousand different ways with a thousand different os versions and tor versions" your first thought was Iran?

                                                                                                                                                                                            • alasdair_ 19 hours ago

                                                                                                                                                                                              My first thought was actually "I could probably do that myself given some motivation"

                                                                                                                                                                                              Hiring people on something like fiverr could take care of most of the manual part.

                                                                                                                                                                                              My point is that if I could do it, a nation state cracking down on dissidents could likely do it too.

                                                                                                                                                                                        • scraptor 19 hours ago

                                                                                                                                                                                          If your nodes disclose their affiliation that's fine but the client will avoid using multiple. If you try to do this in secret the tor project will attempt to catch you by looking for suspicious nodes that use the same isp and update their tor version at the same time and things like that, to questionable success.

                                                                                                                                                                                          • pushupentry1219 19 hours ago

                                                                                                                                                                                            But an adversary with enough money could just buy servers from multiple ISPs, right?

                                                                                                                                                                                            • vkou 19 hours ago

                                                                                                                                                                                              State-level actors (five eyes) should have no problem with avoiding that kind of detection.

                                                                                                                                                                                            • jrochkind1 an hour ago

                                                                                                                                                                                              I think so.

                                                                                                                                                                                              And of course for a state-level actor, they can afford a couple orders of magnitude more spend prob too.

                                                                                                                                                                                              • cookiengineer 6 hours ago

                                                                                                                                                                                                The issue that TOR has is that it's a layered routing concept that won't respect ASN based spreading/scattering of traffic.

                                                                                                                                                                                                Circuits are temporary but the traffic is not scattered across the network to make MITM fingerprinting of request/payload sizes/timestamps impossible.

                                                                                                                                                                                                A typical MITM like the FBI surveillance van next door can identify you by observing the network packets and by _when_ they were requested and by _how large_ the payloads were. There was a famous court case where this was enough evidence to identify a user of an onion service, without the FBI having access to the Wi-Fi of the user. But they had access to the exit node logs that were encrypted, the pcap logs to the onion service from that exit node, and the encrypted Wi-Fi packets of the user.

                                                                                                                                                                                                (Also TLS lower than 1.3 and SNI related problems are relevant here, because DNS TTL 0 effectively makes everyone's privacy compromised, shame on you if you set a DNS TTL to 0)

                                                                                                                                                                                                My point is that with more randomized hops across the network and across ASNs it would be less likely that a threat actor can control both guard and exit nodes.

                                                                                                                                                                                                (Assuming that they parse RIR datasets to map organizations across ASNs, which the datasets already provide)

                                                                                                                                                                                                • runamuck 3 hours ago

                                                                                                                                                                                                  Would an Ethernet cable plugged into your ISP router defend against the above mentioned surveillance (i.e., no WiFi snooping)? Or did the FBI PCAP at the ISP?

                                                                                                                                                                                                  • cookiengineer 3 hours ago

                                                                                                                                                                                                    The problem is also that different network stack implementations have different MTU values and different TCP headers.

                                                                                                                                                                                                    There's a lot of tools available that can fingerprint different applications pretty well these days. For example, Firefox and TOR Browser can be fingerprinted because of their custom network library that's OS independent.

                                                                                                                                                                                                    It gets worse if you use a DSL2 connection with scaling because that will uniquely make your packets fingerprintable because they have a specific MTU size that's dependent on the length of the cable from modem to the next main hub. Same for cable internet, because the frequencies and spectrums that are used are also unique.

                                                                                                                                                                                                    (I'm clarifying this, because an FBI van not having access to your Wi-Fi still has access to the cable on the street when there's a warrant for surveillance / wire tapping issued)

                                                                                                                                                                                                    [1] https://github.com/NikolaiT/zardaxt (detects entropies of TCP headers and matches them with applications)

                                                                                                                                                                                                    [2] https://github.com/Nisitay/pyp0f (detects the OS)

                                                                                                                                                                                                    [3] https://github.com/ValdikSS/p0f-mtu (detects the VPN provider)

                                                                                                                                                                                                • construct0 20 hours ago

                                                                                                                                                                                                  Yes, there aren’t that many tor nodes. It’s not the safe haven protocol or transport suite people make it out to be.

                                                                                                                                                                                                  • system33- 20 hours ago

                                                                                                                                                                                                    It’s then best we’ve got for achieving actually meaningful privacy and anonymity. It has a huge body of research behind it that is regularly ignored by those coming up with sexy or off-the-cuff alternatives.

                                                                                                                                                                                                    It’s the most popular so it gets the most attention: from academics, criminals, law enforcement, journalists, …

                                                                                                                                                                                                    • beeflet 19 hours ago

                                                                                                                                                                                                      Why not just have greater number of relays by default? Internet bandwidth tends to increase over time, and the odds of this correlation attack are roughly proportional to the attacker's share of relays to the power of the number of relays used.

                                                                                                                                                                                                      So latency issues permitting, you would expect the default number of relays to increase over time to accommodate increases in attacker sophistication. I don't think many would mind waiting for a page to load for a minute if it increased privacy by 100x or 1000x.

                                                                                                                                                                                                      • system33- 19 hours ago

                                                                                                                                                                                                        If you’re advocating for a bigger network… we need more relay operators. Can’t wave a magic wand. There’s like 8000 relays. Haven’t looked in a while.

                                                                                                                                                                                                        Or if you were arguing for increasing the number of relays in a circuit, that doesn’t increase security. It’s like one of the OG tor research papers deciding on 3. Bad guy just needs the first and the last. Middle irrelevant.

                                                                                                                                                                                                        • Edman274 8 hours ago

                                                                                                                                                                                                          > we need more relay operators. Can’t wave a magic wand. There’s like 8000 relays. Haven’t looked in a while.

                                                                                                                                                                                                          The reason that there are so few relays and exit nodes is that everyone that runs an exit node believes, for very good reason, that they'll be opening themselves up to subpoenas and arrest for operating one. You know who never has to worry about getting arrested? Surveillance agencies tasked with running exit nodes.

                                                                                                                                                                                                          Consider the two classes of relay and exit operators:

                                                                                                                                                                                                          1. People who operate relays and exit nodes long term, spending money to do so with no possibility or expectation of receiving money in return, and opening themselves up to legal liability for doing so, whose only tangible benefit comes from the gratification of contributing to an anonymous online network

                                                                                                                                                                                                          2. Government agencies who operate relays and exit nodes long term, spending government allocated money to operate servers, with no material risk to the agencies and whose tangible benefit comes from deanonymizing anonymous users. Crucially, the agencies are specifically tasked with deanonymizing these users.

                                                                                                                                                                                                          Now, I guess the question is whether or not you think the people in group 1 have more members and more material resources than the agencies in group 2. Do you believe that there are more people willing to spend money to run the risk of having equipment seized and arrest for no gain other than philosophical gratification than there are government computers running cost and risk free, deanonymizing traffic (which is their job to do)?

                                                                                                                                                                                                          • beeflet 19 hours ago

                                                                                                                                                                                                            >Or if you were arguing for increasing the number of relays in a circuit, that doesn’t increase security. It’s like one of the OG tor research papers deciding on 3. Bad guy just needs the first and the last. Middle irrelevant.

                                                                                                                                                                                                            Because of timing attacks? There are ways to mitigate timing attacks if you are patient (but I think clearnet webservers are not very patient and my drop your connection)

                                                                                                                                                                                                            • system33- 19 hours ago

                                                                                                                                                                                                              Yes timing attacks.

                                                                                                                                                                                                              And yeah mitigation gets you into a huge body of research that’s inconclusive on practical usability. Eg so much overhead that it’s too slow and 10 people can use a 1000 relay network and still get just 1 Mbps goodput each. Contrived example.

                                                                                                                                                                                                              People need to actually be able to use the network, and the more people the better for the individual.

                                                                                                                                                                                                              There’s minor things tor does, but more should somehow be done. Somehow…

                                                                                                                                                                                                            • meowfly 19 hours ago

                                                                                                                                                                                                              Any idea what consideration keeps the tor team from making the client also act as a relay node by default?

                                                                                                                                                                                                              • system33- 19 hours ago

                                                                                                                                                                                                                Clients aren’t necessarily good relays. Reachability. Bandwidth. Uptime. I’ll-go-to-prison-if-caught-and-idk-how-to-change-settings-this-needs-to-just-work.

                                                                                                                                                                                                          • basedrum 19 hours ago

                                                                                                                                                                                                            it was used by Snowden to leak documents...

                                                                                                                                                                                                            • AyyEye 14 hours ago

                                                                                                                                                                                                              Snowden got caught.

                                                                                                                                                                                                            • yupyupyups 19 hours ago

                                                                                                                                                                                                              >It’s the best we’ve got for achieving actually meaningful privacy and anonymity

                                                                                                                                                                                                              ...while being practical.

                                                                                                                                                                                                              One could argue that there is i2p. But i2p is slow, a little bit harder to use, and from what I can remember, doesn't allow you to easily browse the clearnet (regular websites).

                                                                                                                                                                                                              • appendix-rock 19 hours ago

                                                                                                                                                                                                                These sort of “Tor evangelism” comments are so tiring, frankly. There are quite a few like it in this thread, in response to…not people poo-pooing Tor, or throwing the baby out with the bathwater, rather making quite level-headed and reasonable claims as to the shortcomings and limitations of the network / protocol / service / whatever.

                                                                                                                                                                                                                One should be able to make these quite reasonable determinations about how easy it’d be to capture and identify Tor traffic without a bunch of whataboutism and “it’s still really good though, ok!” replies which seek to unjustifiably minimise valid concerns because one feels the need to…go on and bat for the project that they feel some association with, or something.

                                                                                                                                                                                                                The self-congratulatory cultiness of it only makes me quite suspicious of those making these comments, and if anything further dissuades me from ever committing any time or resources to the project.

                                                                                                                                                                                                                • llm_trw 16 hours ago

                                                                                                                                                                                                                  The issue is that the people making 'level headed' claims have read none of the literature and their mathematical ability seems to end at multiplying numbers together.

                                                                                                                                                                                                                  It sounds reasonable to anyone who hasn't read the papers, to anyone that has these comments are so wrong that you can't even start explaining what's going wrong without a papers worth of explanation that the people don't read.

                                                                                                                                                                                                            • donmcronald 19 hours ago

                                                                                                                                                                                                              > Surely eventually I'm going to get a hit where all three nodes in the circuit are my nodes that are logging everything?

                                                                                                                                                                                                              If you're looking for static assets, why would you need to see the whole chain? Wouldn't a connection to a known website (page) have a similar fingerprint even if you wrap it in 3 layers of encryption? Does Tor coalesce HTTP queries or something to avoid having someone fingerprint connections based on the number of HTTP requests and the relative latency of each request?

                                                                                                                                                                                                              I've always assumed that, if a global adversary attack works, you'd only need to watch one side if you're looking for connections to known static content.

                                                                                                                                                                                                              I don't know much beyond the high level idea of how Tor works, so I could be totally wrong.

                                                                                                                                                                                                              • alasdair_ 19 hours ago

                                                                                                                                                                                                                If I don't know the whole chain (or I don't use a timing attack with a known guard and exit node) then I don't see how I'd know who sent the packet in the first place. The person in the chain would connect to a random tor guard node, which would connect to another random node which would connect to my evil exit node. My evil exit node would only know which random TOR node the connection came from but that's not enough to tell who the original person was.

                                                                                                                                                                                                                • donmcronald 19 hours ago

                                                                                                                                                                                                                  Say there are only 2 sites on Tor. Site 'A' is plain text and has no pages over 1KB. You know this because it's public and you can go look at it. Site 'B' hosts memes which are mostly .GIFs that are 1MB+. You know this because it's also a public site.

                                                                                                                                                                                                                  If I was browsing one of those sites for an hour and you were my guard, do you think you could make a good guess which site I'm visiting?

                                                                                                                                                                                                                  I'm asking why that concept doesn't scale up. Why wouldn't it work with machine learning tools that are used to detect anomalous patterns in corporate networks if you reverse them to detect expected patterns.

                                                                                                                                                                                                                  • alasdair_ 18 hours ago

                                                                                                                                                                                                                    The point is that there aren't only two sites available on the clearnet. Is the idea that you find a unique file size across every single site on the internet?

                                                                                                                                                                                                                    My understanding (that may be totally wrong) is that there is some padding added to requests so as to not be able to correlate exact packet sizes.

                                                                                                                                                                                                                    • donmcronald 18 hours ago

                                                                                                                                                                                                                      > Is the idea that you find a unique file size across every single site on the internet?

                                                                                                                                                                                                                      Not really. I'm thinking more along the lines of a total page load. I probably don't understand it well enough, but consider something like connecting to facebook.com. It takes 46 HTTP requests.

                                                                                                                                                                                                                      Say (this is made up) 35 of those are async and contain 2MB of data total, the 36th is consistently a slow blocking request, 37-42 are synchronous requests of 17KB, 4KB, 10KB, 23KB, 2KB, 7KB, and 43-46 are async (after 42) sending back 100KB total.

                                                                                                                                                                                                                      If that synchronous block ends up being 6 synchronous TCP connections, I feel like that's a pretty distinct pattern if there isn't a lot of padding, especially if you can combine it with a rule that says it needs to be preceded by a burst of about 35 connections that transfer 2MB in total and succeeded by a burst of 4 connections that transfer 100KB combined.

                                                                                                                                                                                                                      I've always assumed there's the potential to fingerprint connections like that, regardless of whether or not they're encrypted. For regular HTTPS traffic, if you built a visual of the above for a few different sites, you could probably make a good guess which one people are visiting just by looking at it.

                                                                                                                                                                                                                      Dynamic content getting mixed in might be enough obfuscation, but for things like hidden services I think you'd be better off if everything got coalesced and chunked into a uniform size so that all guards and relays see is a stream of (ex:) 100KB blocks. Then you could let the side building the circuit demand an arbitrary amount of padding from each relay.

                                                                                                                                                                                                                      Again, I probably just don't understand how it works, so don't read too much into my reply.
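The padding trade-off discussed in the comment above, as an added example that is not part of any comment in this thread: a toy model that measures how many sites share the same on-path observable (the anonymity set) and what the padding costs in bandwidth. The site profiles are constructed (the first reuses the comment's made-up numbers), `CELL_PAYLOAD` is an assumed value, and none of this models Tor's actual scheduling or padding.

```python
from collections import defaultdict
from math import ceil

KB = 1024
CELL_PAYLOAD = 498   # assumption: usable bytes per fixed-size cell in this toy model
BLOCK = 100 * KB     # the "(ex:) 100KB blocks" proposed in the comment

# Constructed page-load profiles: ordered transfer sizes (bytes) as an
# observer between client and first hop would see them without padding.
SITES = {
    "social":         [2048 * KB, 17 * KB, 4 * KB, 10 * KB, 23 * KB, 2 * KB, 7 * KB, 100 * KB],
    "social_variant": [2048 * KB, 16 * KB, 5 * KB, 10 * KB, 23 * KB, 2 * KB, 7 * KB, 100 * KB],
    "news":           [2120 * KB, 40 * KB, 60 * KB],
    "text":           [1 * KB],
    "wiki":           [30 * KB, 50 * KB],
    "memes":          [1024 * KB, 1100 * KB, 1200 * KB],
}


def padded_sizes(transfers, scheme):
    """Bytes on the wire for one page load under a padding scheme.

    raw   - no padding, every transfer keeps its exact size
    cell  - each transfer is padded up to a multiple of CELL_PAYLOAD
    block - the whole load is coalesced and padded to a multiple of BLOCK
    """
    if scheme == "raw":
        return list(transfers)
    if scheme == "cell":
        return [ceil(n / CELL_PAYLOAD) * CELL_PAYLOAD for n in transfers]
    if scheme == "block":
        return [ceil(sum(transfers) / BLOCK) * BLOCK]
    raise ValueError(f"unknown scheme: {scheme}")


def anonymity_sets(sites, scheme):
    """Map each site to the sorted list of sites with an identical observable."""
    groups = defaultdict(list)
    for name, transfers in sites.items():
        groups[tuple(padded_sizes(transfers, scheme))].append(name)
    return {name: sorted(members) for members in groups.values() for name in members}


def overhead(transfers, scheme):
    """Padded bytes divided by real bytes (1.0 means no extra bandwidth)."""
    return sum(padded_sizes(transfers, scheme)) / sum(transfers)


def report(sites=SITES):
    """Per scheme: smallest anonymity set and mean bandwidth overhead."""
    rows = []
    for scheme in ("raw", "cell", "block"):
        sets = anonymity_sets(sites, scheme)
        smallest = min(len(members) for members in sets.values())
        mean_overhead = sum(overhead(t, scheme) for t in sites.values()) / len(sites)
        rows.append((scheme, smallest, round(mean_overhead, 2)))
    return rows


if __name__ == "__main__":
    for scheme, smallest, mean_overhead in report():
        print(f"{scheme:5}  smallest anonymity set: {smallest}  mean overhead: {mean_overhead}x")
```

Per-transfer cell padding leaves every constructed site unique, while coalescing into 100KB blocks merges sites of similar total volume but still leaves the largest one alone in its set and makes the 1KB page cost 100 times its real size.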

                                                                                                                                                                                                                • whimsicalism 19 hours ago

                                                                                                                                                                                                                  ? tor reroutes the packets so how would you identify who is visiting who? it's not just 'layers of encryption' it is layers of redirection

                                                                                                                                                                                                                  • donmcronald 19 hours ago

                                                                                                                                                                                                                    If I visit facebook.com it's about 45 requests and 2.5MB of data. Are you saying that if I did that via Tor I would get a different circuit for each request or each individual packet?

                                                                                                                                                                                                                    Eventually the guard has to send the whole payload to me, right? Wouldn't that look similar every time if there's no obfuscation?

                                                                                                                                                                                                                    • whimsicalism 18 hours ago

                                                                                                                                                                                                                      you mean inferring the website based on packet traffic pattern if you are the guard? yeah maybe possible, not sure how distinct each website footprint would be in practice

                                                                                                                                                                                                                      seems like it would also be challenging to hold up in actual legal proceedings

                                                                                                                                                                                                                      • donmcronald 17 hours ago

                                                                                                                                                                                                                        > you mean inferring the website based on packet traffic pattern if you are the guard?

                                                                                                                                                                                                                        Yeah, basically, but I was thinking that if you're analyzing a pattern going to the client, all you'd need is any point between the guard and the client (ie: an ISP).

                                                                                                                                                                                                                • voldacar 13 hours ago

                                                                                                                                                                                                                  With v3 hidden services, relays can no longer see the plaintext of the hidden service's url.

                                                                                                                                                                                                                  • ObsidianBreaks 19 hours ago

                                                                                                                                                                                                                    I wholeheartedly agree, the 'dragnet' methodology is already documented and well-known and that should factor into your security assessments.

                                                                                                                                                                                                                    • giantg2 13 hours ago

                                                                                                                                                                                                                      Wasn't there a thing years ago where the NSA only needed 2 out of the 3 nodes if they got the right ones? Not sure if that was fixed with guard nodes or is still a thing.

                                                                                                                                                                                                                      • plorg 16 hours ago

                                                                                                                                                                                                                        You didn't think someone would notice if the Tor network has 1000 new nodes setup similarly? Or, I suppose, if you find enough heterogenous people and pay them to log their nodes, you're not going to get noticed?

                                                                                                                                                                                                                        • edm0nd 14 hours ago

                                                                                                                                                                                                                          Your 1000 Tor nodes would quickly be detected as bad relays and be removed from the network. It would also cost you far more than $5,000 a month.

                                                                                                                                                                                                                          • Refusing23 9 hours ago

                                                                                                                                                                                                                            But the more who use it and/or host tor nodes...

                                                                                                                                                                                                                            • taneq 3 hours ago

                                                                                                                                                                                                                              If you thought of this in 10 minutes (or 6 months, or...) as one smart individual, I'd assume any government of any country you've heard of has been doing this for a while.

                                                                                                                                                                                                                              • UniverseHacker 18 hours ago

                                                                                                                                                                                                                                The skilled labor to set that all up, especially in a way that TOR won't notice and shut you down will be worth much much more than $5k.

                                                                                                                                                                                                                                People that have such a sophisticated and resourced team actively hunting them down, likely know about it, and are using many additional layers of security on top of TOR. Even just for personal use out of curiosity to "see what the darkweb is," I used 1-2 additional methods on top of TOR.

                                                                                                                                                                                                                                • lcnPylGDnU4H9OF 18 hours ago

                                                                                                                                                                                                                                  > used 1-2 additional methods on top of TOR

                                                                                                                                                                                                                                  Curious: what did you do and what were you hoping to mitigate?

                                                                                                                                                                                                                                  • UniverseHacker 16 hours ago

                                                                                                                                                                                                                                    Just playing around, not mitigating anything. I think it would be poor practice to share my ideas/techniques- think of your own! Contrary to popular philosophy- obscurity is a powerful security method. People still rob houses with expensive locks… nobody robs secret underground bunkers.

                                                                                                                                                                                                                                • jeffbee 19 hours ago

                                                                                                                                                                                                                                  This attack is quite practical. In 2007 I controlled a huge chunk of Tor traffic from 2 racks of cheap servers in a basement on Folsom Street in SF. It was easy to arrange and nobody noticed. Yeah those were early days for Tor but I don't think scale changes anything. If you're using Tor because you think it is private, you have fooled yourself.

                                                                                                                                                                                                                                  • jiveturkey 18 hours ago

                                                                                                                                                                                                                                    It'd be ten times that cost, easily. You have to buy data volume.

                                                                                                                                                                                                                                    Also since you aren't targeting specific people, rather specific interests, it'd be easier to set up an irresistible site serving content of the vice of interest. It can even be a thin wrapper on existing sites. Do you only need to control entry nodes in that case? You'll return user-identifying data in headers or steganographically encoded in images and since you control the entry node you can decrypt it. It doesn't work for a normal (unaffiliated) entry node but since your entry node is in collusion with the server I think this works.

                                                                                                                                                                                                                                  • haolez 3 hours ago

                                                                                                                                                                                                                                    Here is an awesome DefCon talk about this topic from the perspective of a darknet vendor. It's amazing:

                                                                                                                                                                                                                                    https://youtu.be/01oeaBb85Xc

                                                                                                                                                                                                                                    • alecco 3 hours ago

                                                                                                                                                                                                                                      Nice presentation. Ironically the ?si= parameter is for tracking. You should remove it.

                                                                                                                                                                                                                                      • giancarlostoro 3 hours ago

                                                                                                                                                                                                                                        Is it sad that when someone else gives me a video with an si parameter or similar, I keep it on when passing it forward, in my eyes, this feeds garbage to their backend.

                                                                                                                                                                                                                                        • loceng 2 hours ago

                                                                                                                                                                                                                                          New tool idea: a si parameter tracking "mixer"?

                                                                                                                                                                                                                                          Crowdsource making tracking useless?

                                                                                                                                                                                                                                        • haolez 2 hours ago

                                                                                                                                                                                                                                          Thanks. I was on mobile and didn't notice it.

                                                                                                                                                                                                                                          • alecco an hour ago

                                                                                                                                                                                                                                            happens

                                                                                                                                                                                                                                      • roetlich 21 hours ago

                                                                                                                                                                                                                                        For context, here's the NDR report: https://www.ndr.de/fernsehen/sendungen/panorama/aktuell/Inve...

                                                                                                                                                                                                                                        And more info here: https://lists.torproject.org/pipermail/tor-relays/2024-Septe...

                                                                                                                                                                                                                                        Edit: The NDR alleges a timing attack (no further explanation) that allows "to identify so-called ‘entry servers’" Very little information is actually available on the nature of the attack. The NDR claims this method has already lead to an arrest.

                                                                                                                                                                                                                                        • LinuxBender 20 hours ago

                                                                                                                                                                                                                                          Might one mitigating possibility be to use a VPN that uses padded and rate limited packets, so that it is always sending and receiving user_defined bit rate and your real traffic would be traffic shaped to take priority but not exceed the padded streams? Maybe this assumes one is running their own tor daemon on a server somewhere and the vpn terminates on that node. I assume this could be done with tc sch_htb class shaping or perhaps sch_cake and tagging packets with iptables mangle rules and two never-ending bi-directional rsync streams reading /dev/urandom or big random files.

                                                                                                                                                                                                                                          e.g.

                                                                                                                                                                                                                                              Port 873 (native rsync) bulk traffic, low priority
                                                                                                                                                                                                                                              Port 3128 (squid mitm ssl-bump proxy) high priority
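
A toy model of the constant-rate padding idea in the comment above, added here as an illustration and not written by any participant in the thread: real traffic gets priority on a fixed-rate link and padding fills whatever is left, so the per-tick volume on the wire no longer follows the real traffic. The function names, the tick model and the sample byte counts are constructed assumptions; it models only the padded link itself, not Tor or anything beyond the VPN endpoint.

```python
from collections import deque

# Constructed sample: bytes of real traffic arriving in each tick
# (a burst at tick 2, a smaller one at ticks 6-7, idle otherwise).
CONSTRUCTED_ARRIVALS = [0, 0, 4000, 0, 0, 0, 1500, 300, 0, 0]
LINK_RATE = 1000  # bytes per tick the padded link always carries (assumed)


def shape(real_arrivals, link_rate, drain=True):
    """Simulate a fixed-rate link where real traffic has priority over padding.

    Returns (schedule, max_delay):
      schedule  - one (real_bytes, padding_bytes) pair per tick
      max_delay - worst number of ticks a real chunk waited before it
                  was fully sent (the latency cost of the fixed rate)
    With drain=True the link keeps running after the last arrival until
    the backlog of real traffic is empty.
    """
    arrivals = list(real_arrivals)
    queue = deque()  # FIFO of [arrival_tick, bytes_remaining]
    schedule = []
    max_delay = 0
    tick = 0
    while tick < len(arrivals) or (drain and queue):
        if tick < len(arrivals) and arrivals[tick] > 0:
            queue.append([tick, arrivals[tick]])
        budget = link_rate
        real_sent = 0
        # High-priority class: serve queued real traffic first.
        while queue and budget > 0:
            arrived_at, remaining = queue[0]
            take = min(remaining, budget)
            budget -= take
            real_sent += take
            if take == remaining:
                queue.popleft()
                max_delay = max(max_delay, tick - arrived_at)
            else:
                queue[0][1] = remaining - take
        # Low-priority class: padding uses whatever budget is left.
        schedule.append((real_sent, budget))
        tick += 1
    return schedule, max_delay


def wire_view(schedule):
    """Per-tick byte counts as seen by someone watching the padded link."""
    return [real + padding for real, padding in schedule]


def observable_levels(per_tick_bytes):
    """Number of distinct per-tick volumes; 1 means a flat, featureless rate."""
    return len(set(per_tick_bytes))


def padding_overhead(schedule):
    """Fraction of all bytes on the wire that were padding."""
    total = sum(real + padding for real, padding in schedule)
    return sum(padding for _, padding in schedule) / total if total else 0.0


if __name__ == "__main__":
    schedule, max_delay = shape(CONSTRUCTED_ARRIVALS, LINK_RATE)
    print("unshaped per-tick bytes:", CONSTRUCTED_ARRIVALS)
    print("shaped per-tick bytes:  ", wire_view(schedule))
    print("real/padding split:     ", schedule)
    print("worst queueing delay (ticks):", max_delay)
    print("padding overhead: %.0f%%" % (100 * padding_overhead(schedule)))
```

The flat wire view comes at two costs the model makes visible: bursts larger than the fixed rate are delayed, and a large share of the bandwidth is spent on padding.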
                                                                                                                                                                                                                                          • trustno2 8 hours ago

                                                                                                                                                                                                                                            Also relevant - wikipedia for Boystown, the pedo site in question

                                                                                                                                                                                                                                            https://en.wikipedia.org/wiki/Boystown_(website)

                                                                                                                                                                                                                                            • cubefox 18 hours ago

                                                                                                                                                                                                                                              This should be the article linked at the top.

                                                                                                                                                                                                                                              • cubefox 2 hours ago

                                                                                                                                                                                                                                                Why is this downvoted?

                                                                                                                                                                                                                                            • burningChrome 11 hours ago

                                                                                                                                                                                                                                              I remember Adrian Crenshaw doing a speech at Def Con 22 about how people got busted using Tor. Even then he point out in most of the cases, it was bad OpsSec by the person, and had nothing to do with Tor.

                                                                                                                                                                                                                                              How applicable do people think this information is now 9-10 years later?

                                                                                                                                                                                                                                              DEF CON 22 - Adrian Crenshaw- Dropping Docs on Darknets: How People Got Caught https://www.youtube.com/watch?v=eQ2OZKitRwc

                                                                                                                                                                                                                                              • oytis 19 hours ago

                                                                                                                                                                                                                                                Don't quite get it - why doesn't CCC share information with the Tor Project maintainers?

                                                                                                                                                                                                                                                • some_random 18 hours ago

                                                                                                                                                                                                                                                  I suspect that the reporter has a bone to pick with Tor and the CCC members that were given the documents were compelled legally or socially to not share them further.

                                                                                                                                                                                                                                                  • cubefox 2 hours ago

                                                                                                                                                                                                                                                    The information comes from the NDR (Link im neighboring thread), not the CCC. The CCC only got to see the documents via the NDR.

                                                                                                                                                                                                                                                    • notepad0x90 18 hours ago

                                                                                                                                                                                                                                                      Maybe they want to reveal it on the CCC in December?

                                                                                                                                                                                                                                                      • vaylian 8 hours ago

                                                                                                                                                                                                                                                        It's unlikely that they want so save the technical details for the conference. It would put people at risk if the tor project would not be able to fix the issue in the meantime.

                                                                                                                                                                                                                                                      • solarpunk 19 hours ago

                                                                                                                                                                                                                                                        curious about this as well

                                                                                                                                                                                                                                                      • hannasm 13 hours ago

                                                                                                                                                                                                                                                        If enough governmental bodies can get behind running Tor nodes then couldn't we theoretically protect the bulk of humanity from spying on Internet access? Truly an advance in the Internet technology. It's kind of like if a single nation does it they control everything, but once all the nations compete then everyone wins.

                                                                                                                                                                                                                                                        But at planetary scale would Tor scale in an environmentally friendly way?

                                                                                                                                                                                                                                                        • perlgeek 5 hours ago

                                                                                                                                                                                                                                                          Most governments value their law enforcement obligations and/or desire for surveillance more strongly than an Internet that is protected from spying, so good luck with that.

                                                                                                                                                                                                                                                          • berkes 2 hours ago

                                                                                                                                                                                                                                                            Ironically, most of these same sectors in the same governments have strong need to be protected from spying themselves.

                                                                                                                                                                                                                                                            So in many cases it's really a case of "we want a monopoly on secrecy".

                                                                                                                                                                                                                                                            Which should be a massive red flag for everyone, from left to right, from liberal to conservative, from anarchist to communist and so on. But somehow isn't picked up by any of these. I presume because they all believe somehow they either won't be targeted or will be exempt?

                                                                                                                                                                                                                                                            • pc86 2 hours ago

                                                                                                                                                                                                                                                              Several of those ideologies you mention are just different flavors of authoritarianism, and one of an ideological authoritarian's primary goals is power. Hell, take out "anarchist" and you could make a convincing argument they're all authoritarians in their own way. You don't get power by giving the populace - or helping them to keep - a free, secure Internet. It's just completely antithetical to someone who wants to hold power by nondemocratic means.

                                                                                                                                                                                                                                                        • valianteffort 20 hours ago

                                                                                                                                                                                                                                                          Federal agencies operate enough exit nodes to make Tor use risky at best. I have no idea if they have since implemented some feature to prevent this but if not I would stay far away from Tor if you're planning to do illegal things. There's also the risk of trusting service operators to secure any PII you expose on marketplaces.

                                                                                                                                                                                                                                                          Not that I think the Fed's would blow their cover to hunt down people buying drugs but still seems stupid to trust.

                                                                                                                                                                                                                                                          • system33- 20 hours ago

                                                                                                                                                                                                                                                            “The western governments run most of the exits” is one of those things everybody “knows” but rarely backs up.

                                                                                                                                                                                                                                                            The list of all relays is public knowledge by design. There’s contact information attached to relays. The big operators are known individuals and organizations. They contribute. Interact.

                                                                                                                                                                                                                                                            Which ones are actually the governments doing bad things against their citizens? It’s hard to tell? Then why do you make such claims?

                                                                                                                                                                                                                                                            Relays that observably do bad things are removed from the network all the time. Are those ones the government? Tor seemingly has a reasonable handle on the situation if that’s the case.

                                                                                                                                                                                                                                                            If the fed is doing correlation attacks, why would they run relays at all? “Just” tap the IXPs near major hubs of relays. Or heck, get data from the taps you already had. Silent and more widespread.

                                                                                                                                                                                                                                                            Pushing people away from tor potentially makes it even easier to deanonymize them, depending on the adversary model assumed.

                                                                                                                                                                                                                                                            • lcnPylGDnU4H9OF 19 hours ago

                                                                                                                                                                                                                                                              > “The western governments run most of the exits” is one of those things everybody “knows” but rarely backs up.

                                                                                                                                                                                                                                                              Thanks for pointing this out. Seems obvious in retrospect but I don't really recall seeing a lot of evidence for this despite seeing the claim quite commonly. That said, the use of "rarely" makes me wonder what evidence has been presented in such rare instances. Just curious. (Of course it's also fine if the phrasing was just communication style.)

                                                                                                                                                                                                                                                              • Spooky23 20 hours ago

                                                                                                                                                                                                                                                                Tor was literally developed by the intelligence community. I’m sure there are a variety of means to gather actionable intelligence from it, with or without the cooperation of the exit node volunteers.

                                                                                                                                                                                                                                                                Beyond a principled stance re communications, I can’t think of a reason to use it. If you’re planning to resist some regime that controls telecom infrastructure, the fact that you’re using it is both uncommon and notable.

                                                                                                                                                                                                                                                                • system33- 19 hours ago

                                                                                                                                                                                                                                                                  Tor was literally developed by the Naval Research Lab. Not a part of the IC.

                                                                                                                                                                                                                                                                  I know because I work there. AMA (edit: about tor. Because people say a lot about it without actually knowing much. But now I should put my phone down so… too late!)

                                                                                                                                                                                                                                                                  To protect our most sensitive communications and vulnerable communities , Tor usage should be normalized so it is common and not notable.

                                                                                                                                                                                                                                                                  • amatecha 19 hours ago

                                                                                                                                                                                                                                                                    I think if the Tor Project wants to boost their network they might try putting anything about how to do so on their website, easily-accessible. I'm trying to figure out how to run a relay and having a pretty challenging time finding anything at all about this. They just really want me to download Tor Browser, it seems.

                                                                                                                                                                                                                                                                    Edit: I finally found it![0] I had to go to Donate, Donation FAQ, "Can I donate my time?" , "Learn more about joining the Tor community.", and then "Relay Operations" -> "Grow the Tor network" at the bottom right. I would really hope there's a more direct path than this...

                                                                                                                                                                                                                                                                    [0] https://community.torproject.org/relay/

                                                                                                                                                                                                                                                                    • system33- 19 hours ago

                                                                                                                                                                                                                                                                      Sorry that it is hard to find. This is the root link to point you towards.

                                                                                                                                                                                                                                                                      https://community.torproject.org/relay/

                                                                                                                                                                                                                                                                      Thanks for considering to run a relay.

                                                                                                                                                                                                                                                                      • amatecha 19 hours ago

                                                                                                                                                                                                                                                                        No prob - and thanks! Looks like I found it right as you were drafting this message. It would be really useful to add some call to action about "Help grow the Tor network!" anywhere on the home page. Partly just to increase the "welcoming-ness" but mostly to reduce friction for ppl who want to contribute, and help make it clear that the network needs support from whoever :)

                                                                                                                                                                                                                                                                    • Nathanael_M 19 hours ago

                                                                                                                                                                                                                                                                      Unrelated to Tor, what was your favourite project to work on that you're allowed to talk about? That must be a fascinating job.

                                                                                                                                                                                                                                                                      • system33- 19 hours ago

                                                                                                                                                                                                                                                                        Unfortunately the tor part is the part I can most obviously talk about. Not that I work on anything classified. I just need to be mindful.

                                                                                                                                                                                                                                                                        I got to travel to Canada, Mexico, and Europe (from the US) for tor meetings and privacy-enhancing technology conferences.

                                                                                                                                                                                                                                                                        More or less every single cell that goes through the tor network today is prioritized and scheduled by the cell scheduler I wrote.

                                                                                                                                                                                                                                                                      • Jach 18 hours ago

                                                                                                                                                                                                                                                                        I still think the IC, and especially the state department, benefits from having Tor fulfill its actual design goals most of the time. There are operations and state department goals that can benefit from Tor working properly. It's the same with encryption in general -- the IC benefits from there being strong and bug-free crypto implementations. That they have in the past backdoored some of them doesn't change that they've also hardened others. I'm sure they come up with and deploy various attacks on Tor all the time, same with foreign nations (whom the state department would like to thwart). I'm skeptical though that they can do working attacks at any time and against any set of people.

                                                                                                                                                                                                                                                                        For your AMA, if you want: How's the job? What keeps you working there? How's patriotism these days?

                                                                                                                                                                                                                                                                        • system33- 18 hours ago

                                                                                                                                                                                                                                                                          The job these days is boring but secure. Tor stuff was more exciting, then I switched teams because grass-is-greener.

                                                                                                                                                                                                                                                                          At least for the teams I have been on and my view of leadership, there is very little political talk.

                                                                                                                                                                                                                                                                          But patriotism isn’t politics… lol. The higher you get the more “hoo rah America!” is a part of the motivational speech or report or whatever. Down here in the streets it’s just another job. Pride in the country isn’t much of a driver. At least for me.

                                                                                                                                                                                                                                                                      • pushupentry1219 19 hours ago

                                                                                                                                                                                                                                                                        > Tor was literally developed by the intelligence community. I’m sure there are a variety of means to gather actionable intelligence from it, with or without the cooperation of the exit node volunteers.

                                                                                                                                                                                                                                                                        These two statements make little sense together. It was originally developed by the Navy. Okay. So why would they design it from the get-go with such a fatal flaw that would risk their own adversaries gathering "actionable intelligence" from it?

                                                                                                                                                                                                                                                                        I'd like to stress if we're talking about the Navy's involvement, then you're questioning the design of the whole thing from the very beginning, not just the current implementation.

                                                                                                                                                                                                                                                                        • llm_trw 16 hours ago

                                                                                                                                                                                                                                                                          People saying that the government funds Tor so it's insecure is like saying that the government funds the army which kills people on purpose, so any government hospital will also kill people on purpose

                                                                                                                                                                                                                                                                    • pc86 2 hours ago

                                                                                                                                                                                                                                                                      This brings up a couple questions I've always had about Tor. I played around with it a bit maybe a decade ago and it seemed it was used for drugs, CSAM, and getting yourself honeypotted trying to buy illegal guns or murder-for-hire.

                                                                                                                                                                                                                                                                      I always assumed if you were doing things where your threat model included governments trying to kill you that Tor wouldn't be all that useful even if it was secure.

                                                                                                                                                                                                                                                                      • LouisSayers 17 hours ago

                                                                                                                                                                                                                                                                        You'd be surprised how much crime goes on in plain sight. There are literally people on Instagram making stories of themselves showing off their drugs and stacks of money.

                                                                                                                                                                                                                                                                        Given that a lot of law enforcement doesn't even bother with the low hanging crimes, the chance of them prosecuting anyone using Tor is extremely low unless you get big enough or go far enough to warrant the attention.

                                                                                                                                                                                                                                                                        • 0xggus 19 hours ago

                                                                                                                                                                                                                                                                          Please read the blog post:"It is important to note that Onion Services are only accessible from within the Tor network, which is why the discussion of exit nodes is irrelevant in this case."

                                                                                                                                                                                                                                                                          • midtake 20 hours ago

                                                                                                                                                                                                                                                                            Monitoring exit nodes does not necessarily reveal hidden services, though.

                                                                                                                                                                                                                                                                            Edit: Never does, exit nodes are not part of the circuit, thanks to commenter below.

                                                                                                                                                                                                                                                                            • system33- 20 hours ago

                                                                                                                                                                                                                                                                              Monitoring exits is completely irrelevant to onion services, in fact.

                                                                                                                                                                                                                                                                              Completely.

                                                                                                                                                                                                                                                                              Exits aren’t a part of the circuit. Ever.

                                                                                                                                                                                                                                                                            • drexlspivey 20 hours ago

                                                                                                                                                                                                                                                                              If they run just the exit node they still can’t de-anonymize you right?

                                                                                                                                                                                                                                                                              • system33- 20 hours ago

                                                                                                                                                                                                                                                                                Depends on the content of your traffic.

                                                                                                                                                                                                                                                                                If “deanonymize” strictly means perform a timing attack using info you have from the beginning and end of the circuit, then by definition you’re correct.

                                                                                                                                                                                                                                                                                But if you visit an identifying set of websites and/or ignore TLS errors or … they can still deanonymize you.

                                                                                                                                                                                                                                                                                • iluvcommunism 17 hours ago

                                                                                                                                                                                                                                                                                  What role do TLS errors play in de-anonymizing onion traffic?

                                                                                                                                                                                                                                                                                  • system33- 17 hours ago

                                                                                                                                                                                                                                                                                    My comment is strictly about exit nodes which are not used as part of connecting to onion services.

                                                                                                                                                                                                                                                                                    Ignoring TLS errors might mean you’re ignoring the fact your exit relay is MitM attacking you.

                                                                                                                                                                                                                                                                            • lifeisstillgood 18 hours ago

                                                                                                                                                                                                                                                                              I am interested in the “legitimate” uses for tor. I have not kept up with this but I understand it was designed by US Navy to make it hard for oppressive regiemes to track their citizens use of web.

                                                                                                                                                                                                                                                                              What do we want Tor for except as a hope that Russian citizens might be able to get to the BBC site?

                                                                                                                                                                                                                                                                              I am asking honestly - and would prefer not to be told my own government is on the verge of a mass pogrum so we had better take precautions.

                                                                                                                                                                                                                                                                              • knodi123 18 hours ago

                                                                                                                                                                                                                                                                                For the same reason we have SSL on this site, despite the fact that it has no sex, no storefront, nor any access to my banking or private information.

                                                                                                                                                                                                                                                                                If everything is SSL secured, then we don't have to explain why any specific thing is SSL secured. The same reason can be applied to use of TOR.

                                                                                                                                                                                                                                                                                • fragmede 18 hours ago

                                                                                                                                                                                                                                                                                  The point ranking on comments, which is private, would be of interest to parties training an LLM and want the data annotated, but your point stands.

                                                                                                                                                                                                                                                                                  • pc86 an hour ago

                                                                                                                                                                                                                                                                                    "Every site having SSL is a Good Thing because it means you don't need to defend your use of SSL. If more people used Tor it would mean you didn't need to defend your use of Tor."

                                                                                                                                                                                                                                                                                    "Yeah but Y Combinator made a decision that makes it harder for me to auto-generate spam."

                                                                                                                                                                                                                                                                                    • judge2020 18 hours ago

                                                                                                                                                                                                                                                                                      I’m not sure how much more useful that is than just using HN’s automatic ranking for comments, at least outside of parent comments on posts; as far as I can tell, child comments are always ORDER BY score DESC.

                                                                                                                                                                                                                                                                                      Even for top level comments, HN’s algorithm for ranking is pretty useful for assigning “worth”.

                                                                                                                                                                                                                                                                                      • fragmede 18 hours ago

                                                                                                                                                                                                                                                                                        On posts there's an attempt to surface later comments (with fewer points) so the comment section isn't dominated by earlier posts.

                                                                                                                                                                                                                                                                                        Ordering by score DESC only gives you relative point information, not absolute. There's additional signal if the top comment has 100 points vs only having 3 (and the bottom post also having 100 vs 1).

                                                                                                                                                                                                                                                                                  • sureIy 13 hours ago

                                                                                                                                                                                                                                                                                    How would you feel if a stranger came up to you in the street and said they appreciated the wiki article you were reading last night?

                                                                                                                                                                                                                                                                                    I think everyone wants “privacy by default”, they just don’t make the connection between this hypothetical and real life. In real life you’re still spied but nobody confronts you directly.

                                                                                                                                                                                                                                                                                    • cubesnooper 10 hours ago

                                                                                                                                                                                                                                                                                      I browse social media sites like Facebook and Reddit using their onion services. I was sick of seeing ads pop up that were clearly based on tracking my general browsing activity through IP correlation, tracking pixels and embedded “like” buttons. So now I block all cleartext Facebook/Reddit traffic completely.

                                                                                                                                                                                                                                                                                      Using Tor this way doesn’t anonymize me—on Facebook at least, I’m logged in under my own account—but it limits the profile Meta builds on me to the union of what it directly observes on Facebook and what it can purchase through data brokers. Ever since I started doing this, I’ve noticed a huge drop in relevance in my Facebook ads, so apparently it’s working. When the ads become suddenly relevant again (which has happened a few times), it exposes an information leak: usually a credit card purchase that Meta must have obtained from either my bank or the shop vendor and tied to my identity.

                                                                                                                                                                                                                                                                                      Using a VPN could theoretically provide the same benefit, but in practice Facebook tended to temporarily lock my account when using a VPN and Reddit blocks VPN traffic completely. So I stick to the onion services, which are run by the websites themselves and so are less likely to be treated as malicious traffic.

                                                                                                                                                                                                                                                                                      If you use these platforms, I recommend bookmarking their onion sites in Tor Browser and using it as your primary interface to them for a while. Then, if you don’t find it too inconvenient, start blocking the non‐onion versions of the sites on your network.

                                                                                                                                                                                                                                                                                      https://old.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqn...

                                                                                                                                                                                                                                                                                      https://www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg...

                                                                                                                                                                                                                                                                                      (P.S.: You shouldn’t trust the links I just posted; I could have posted fake ones! I recommend double‐checking against https://github.com/alecmuffett/real-world-onion-sites which links to proofs of onion site ownership under their usual domain names.)

                                                                                                                                                                                                                                                                                      • pc86 an hour ago

                                                                                                                                                                                                                                                                                        Let's not discount the validity of making it easier for Russians, or Chinese, or North Koreans, to get western media.

                                                                                                                                                                                                                                                                                        • 0xggus 18 hours ago

                                                                                                                                                                                                                                                                                          >This is a collection of anonymous user stories from people who rely on Tor to protect their privacy and anonymity. We encourage you to share their experiences with your network, friends and family, or as part of your work to promote the use of privacy-preserving technologies like ours and help us defend strong online protections.

                                                                                                                                                                                                                                                                                          https://community.torproject.org/outreach/stories/

                                                                                                                                                                                                                                                                                          • andai 15 hours ago

                                                                                                                                                                                                                                                                                            Are there legitimate arguments in favour of privacy, and private communications? It seems to be largely the same issue.

                                                                                                                                                                                                                                                                                            We've come to accept (as a normal mainstream thing) end to end encryption in several popular messaging apps (which seems to be largely thanks to WhatsApp?), but the same idea applied to web browsing is still considered fringe for some reason. That distinction seems arbitrary to me, like just a cultural thing?

                                                                                                                                                                                                                                                                                            It might be a UX thing though. WhatsApp is pleasant. Trying to use the internet normally over Tor is horrendous (mostly thanks to Cloudflare either blocking you outright, or sending you to captcha hell).

                                                                                                                                                                                                                                                                                            • smoe 18 hours ago

                                                                                                                                                                                                                                                                                              Don't know if it is still used much. There is SecureDrop to facilitate communication between investigative journalists and sources/whistleblowsers via Tor that was at some point deployed by several prominent news organizations.

                                                                                                                                                                                                                                                                                              https://en.wikipedia.org/wiki/SecureDrop

                                                                                                                                                                                                                                                                                              • USiBqidmOOkAqRb 4 hours ago

                                                                                                                                                                                                                                                                                                NAT traversal, on both sides!

                                                                                                                                                                                                                                                                                                • whimsicalism 18 hours ago

                                                                                                                                                                                                                                                                                                  most governments retaliate to some degree against journalists, whistleblowers, etc. - no pogrom needed

                                                                                                                                                                                                                                                                                                  • tonymet 18 hours ago

                                                                                                                                                                                                                                                                                                    Anonymous publishing

                                                                                                                                                                                                                                                                                                  • MR4D 16 hours ago

                                                                                                                                                                                                                                                                                                    I’m a tor novice, so please excuse the simplistic question…

                                                                                                                                                                                                                                                                                                    Couldn’t a national security organization just modify a node to route traffic to other nodes it controls instead of uncontrolled nodes?

                                                                                                                                                                                                                                                                                                    • tg180 15 hours ago

                                                                                                                                                                                                                                                                                                      No!

                                                                                                                                                                                                                                                                                                      The client controls path selection, and each hop is verified using its encryption keys.

                                                                                                                                                                                                                                                                                                      • bobbylarrybobby 15 hours ago

                                                                                                                                                                                                                                                                                                        You're saying that if you modify the tor software, other clients will be able to tell before connecting to you? And you can't trick them into sending to a bad node?

                                                                                                                                                                                                                                                                                                        • mrln 3 hours ago

                                                                                                                                                                                                                                                                                                          It is not the node that chooses the next one, but the client. A bad node cannot "fake" a good node, because it cannot cryptographically authenticate to be the new node the client selected (the client knows the public key of the newly selected node).

                                                                                                                                                                                                                                                                                                    • zoobab 8 hours ago

                                                                                                                                                                                                                                                                                                      TOR critics like Len Sassaman said the same years ago, with traffic analysis it is possible to detect where the source is coming from.

                                                                                                                                                                                                                                                                                                      https://en.wikipedia.org/wiki/Len_Sassaman

                                                                                                                                                                                                                                                                                                      • toby- 3 hours ago

                                                                                                                                                                                                                                                                                                        Timing attacks are a well-known weakness. There's a lot of research into timing attacks and proposed countermeasures.

                                                                                                                                                                                                                                                                                                        Also, it's just Tor – not 'TOR'.

                                                                                                                                                                                                                                                                                                        >Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.

                                                                                                                                                                                                                                                                                                        https://support.torproject.org/about/why-is-it-called-tor/

                                                                                                                                                                                                                                                                                                      • loup-vaillant 7 hours ago
                                                                                                                                                                                                                                                                                                        • dinkelberg 7 hours ago

                                                                                                                                                                                                                                                                                                          The certificate for blog.torproject.org should not be self-signed. For me it is an extended validation certificate issued by DigiCert Inc.

                                                                                                                                                                                                                                                                                                          • 3np 3 hours ago

                                                                                                                                                                                                                                                                                                            You're MitM'd yo.

                                                                                                                                                                                                                                                                                                            • snailmailman 7 hours ago

                                                                                                                                                                                                                                                                                                              I don’t think you should be seeing a self-signed certificate? I’m getting a valid Digicert-signed certificate on my end.

                                                                                                                                                                                                                                                                                                              • toby- 3 hours ago

                                                                                                                                                                                                                                                                                                                It isn't a self-signed cert.

                                                                                                                                                                                                                                                                                                              • cypherpunks01 18 hours ago

                                                                                                                                                                                                                                                                                                                Remember the Harvard student that emailed in a bomb threat via Tor to get out of a final exam in 2013?

                                                                                                                                                                                                                                                                                                                He got caught not by the FBI breaking Tor, but just by network analysis of university network traffic logs showing a very narrow list of on-campus people using Tor at the time the threat was communicated. He quickly confessed when interviewed.

                                                                                                                                                                                                                                                                                                                https://www.washingtonpost.com/blogs/the-switch/files/2013/1...

                                                                                                                                                                                                                                                                                                                Just another factor to consider when using Tor - who's network you're on.
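The kind of log correlation described in the comment above, as an added sketch that is not part of the thread and not any investigator's actual tooling. The relay addresses (documentation ranges), device names, event time and flow records are all constructed assumptions; the point is how small the set of "devices talking to Tor around the event" becomes on a single monitored network.

```python
"""Added illustration: the local network sees *that* a device uses Tor, and when."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the public relay list (RFC 5737 documentation addresses).
KNOWN_TOR_RELAYS = frozenset({"192.0.2.10", "192.0.2.44", "198.51.100.7"})

# Constructed flow records from a hypothetical campus network, keyed by the
# registered device that opened the connection.
SAMPLE_FLOWS = """\
# start             end                 device    dst_ip       dst_port
2024-01-15T08:10:00 2024-01-15T08:50:00 device-01 203.0.113.5  443
2024-01-15T08:20:00 2024-01-15T08:21:00 device-02 203.0.113.9  443
2024-01-15T07:55:00 2024-01-15T08:40:00 device-03 192.0.2.10   9001
2024-01-15T08:28:00 2024-01-15T08:33:00 device-04 198.51.100.7 443
2024-01-15T05:00:00 2024-01-15T05:30:00 device-05 192.0.2.44   9001
2024-01-15T08:25:00 2024-01-15T08:26:00 device-05 203.0.113.5  443
2024-01-15T08:44:59 2024-01-15T09:10:00 device-06 203.0.113.77 80
"""


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    device: str
    dst_ip: str
    dst_port: int


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, device, dst_ip, dst_port = line.split()
        flows.append(Flow(datetime.fromisoformat(start),
                          datetime.fromisoformat(end),
                          device, dst_ip, int(dst_port)))
    return flows


def in_window(flow, event, margin):
    """True if the flow was open at any point in [event - margin, event + margin].

    A long-lived connection that started before the window still counts,
    which matters because Tor clients keep guard connections open.
    """
    return flow.start <= event + margin and flow.end >= event - margin


def active_devices(flows, event, margin):
    """Every device with any traffic in the window: the starting anonymity set."""
    return sorted({f.device for f in flows if in_window(f, event, margin)})


def tor_candidates(flows, relays, event, margin):
    """Devices with a connection to a known relay open during the window."""
    return sorted({f.device for f in flows
                   if f.dst_ip in relays and in_window(f, event, margin)})


def summarize(flows, relays, event, margin):
    """Compare the size of the network's population with the Tor-using subset."""
    active = active_devices(flows, event, margin)
    candidates = tor_candidates(flows, relays, event, margin)
    return {"active": len(active), "tor": len(candidates), "candidates": candidates}


if __name__ == "__main__":
    event_time = datetime(2024, 1, 15, 8, 30)   # constructed time of the event
    result = summarize(parse_flows(SAMPLE_FLOWS), KNOWN_TOR_RELAYS,
                       event_time, timedelta(minutes=15))
    print(f"{result['active']} devices active, {result['tor']} using Tor:",
          ", ".join(result["candidates"]))
```

Nothing here touches Tor's encryption or routing: the candidate list comes entirely from connection metadata that the local network operator already holds.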

                                                                                                                                                                                                                                                                                                                • MDJMediaLab 16 hours ago

                                                                                                                                                                                                                                                                                                                  I recall this situation well as it interrupted an exam of mine. iirc, it was the MAC address of his machine being known/registered to the Campus network that nailed him.

                                                                                                                                                                                                                                                                                                                  • Vegenoid 16 hours ago

                                                                                                                                                                                                                                                                                                                    If he simply didn’t confess, they likely could not have proven it was him - but yes, it is best to avoid suspicion altogether.

                                                                                                                                                                                                                                                                                                                    • pc86 an hour ago

                                                                                                                                                                                                                                                                                                                      As relevant today as it has ever been: https://www.youtube.com/watch?v=d-7o9xYp7eE - "Don't Talk to the Police" by Regent Law professor James Duane (2012). 19M views for a reason, it's a great talk that I've watched a couple times now. And a former cop who was an L3 at the time of the video also speaks very convincingly on the topic, and about how the only times people who they knew were guilty but couldn't prove it got away were when they lawyered up and shut up immediately.

                                                                                                                                                                                                                                                                                                                      As always there are caveats that he goes into regarding how to assert the right and all that but the major thrust is if the police want to talk to you for any reason, just don't. Lots of great stories, too.

                                                                                                                                                                                                                                                                                                                      You are under no legal obligation to assist police in their investigations. Give only the information you are legally required to (varies by state and whether it's a consensual encounter, detainment, arrest, etc.), and no more. If you're arrested say you want an attorney and you will not answer questions until they arrive.

                                                                                                                                                                                                                                                                                                                  • vbezhenar 7 hours ago

                                                                                                                                                                                                                                                                                                                    Here's imaginary attack with adversary. Just push as much traffic as possible from many hosts to the given hidden service. Now observe traffic metadata from high level network operators. With enough filtering it should be possible to detect where traffic spike is terminated.

                                                                                                                                                                                                                                                                                                                    • ObsidianBreaks 19 hours ago

                                                                                                                                                                                                                                                                                                                      I think it's prudent to point out that the article's title is quite 'clickbaity', but to address it directly, the correct answer is (as it usually is) is 'it depends'. In my view, it depends on the answer to the question 'safe for who?', i.e. what is the threat model to which you are trying to guard against? If it's the US, then of course not, as the code is well-known to the US and I would expect that they have known vulnerabilities that they can leverage to ascertain the users of their service. The fact that TOR is, 'on paper', non-governmental doesn't really matter these days with the merging of private and public (and non-affiliated open-source communities) inside the security community. I would say that even the fact that it's open source isn't much of guard against such attacks, given that it relies on proficient oversight (which many eyes may not guarantee). Against other 'nation state' type adversaries - I'd wager that the more prominent who have the capacity to host a large number of relay nodes, and have access to very large computational power, will find it possible to decode portions of the TOR traffic. Against less technically proficient adversaries, such as 'run of the mill' police forces and minor nation states I'd go so far as to say it might be secure but only if you are using it for something uninteresting to them, but I ask 'how hard is it really to do a man in the middle a TOR relay?', and in terms of the most general case, 'what about the endpoints?' which of course aren't secured via TOR. 
Ultimately the best defense against 'snooping' in my view is to use a pre-agreed communication protocol which is undocumented and is known only between the communicators and is unusual enough to be hard to recognize or hard to work out what it means (preferably with a key to those communications known only to the two parties), but then I suppose you could use any communication protocol...

                                                                                                                                                                                                                                                                                                                      • ementally 17 hours ago

                                                                                                                                                                                                                                                                                                                        https://spec.torproject.org/vanguards-spec/index.html

                                                                                                                                                                                                                                                                                                                        >A guard discovery attack allows attackers to determine the guard relay of a Tor client. The hidden service protocol provides an attack vector for a guard discovery attack since anyone can force an HS to construct a 3-hop circuit to a relay, and repeat this process until one of the adversary's middle relays eventually ends up chosen in a circuit. These attacks are also possible to perform against clients, by causing an application to make repeated connections to multiple unique onion services.

                                                                                                                                                                                                                                                                                                                        • o999 19 hours ago

                                                                                                                                                                                                                                                                                                                          Old Ricochet used onion v2, that has stopped working long ago as far as I know, or I am missing something

                                                                                                                                                                                                                                                                                                                          • sathackr 19 hours ago

                                                                                                                                                                                                                                                                                                                            based on the article I think this is old news just now being reported

                                                                                                                                                                                                                                                                                                                            • basedrum 19 hours ago

                                                                                                                                                                                                                                                                                                                              You are right. The lack of details or time window when this happened make it difficult to know what the actual compromise was, or if it is still something that can be used. However, if they compromised a Ricochet user, then this attack was a long time ago, and from what Tor's blog says that client didn't have the defenses that would have prevented the attack they think it is. Without the actual details, it seems like this attack was mitigated some time ago and is no longer something that can be done in the same way.

                                                                                                                                                                                                                                                                                                                            • tonetegeatinst 18 hours ago

                                                                                                                                                                                                                                                                                                                              AFAIK v2 has stopped working. Iirc were up to v3 or something.

                                                                                                                                                                                                                                                                                                                              • edm0nd 14 hours ago

                                                                                                                                                                                                                                                                                                                                no v2 onion urls resolve or work. It's been v3 since 2021.

                                                                                                                                                                                                                                                                                                                            • notepad0x90 18 hours ago

                                                                                                                                                                                                                                                                                                                              From what little I've heard, de-anonymization of Tor users is largely done by targeting their devices with zero-day exploits. That is still a valid method, I wouldn't trust Tor personally, but I'm with the Tor project that there is no credible evidence of a large scale de-anonymization attack.

                                                                                                                                                                                                                                                                                                                              • toby- 3 hours ago

                                                                                                                                                                                                                                                                                                                                Why wouldn't you trust Tor? Do you mean you wouldn't trust it at all, or wouldn't trust it completely?

                                                                                                                                                                                                                                                                                                                                • notepad0x90 3 hours ago

                                                                                                                                                                                                                                                                                                                                  I mean at all, but I don't have any reasons worth mentioning here, that I'm willing to defend on a public site.

                                                                                                                                                                                                                                                                                                                                  • toby- an hour ago

                                                                                                                                                                                                                                                                                                                                    Fair enough. Was just curious. :)

                                                                                                                                                                                                                                                                                                                              • ggm 16 hours ago

                                                                                                                                                                                                                                                                                                                                Absolutist statements about services like TOR or VPNs are often not helpful. It's highly contextual to the threat. If the threat is a state actor it's likely nothing, TOR included, can preclude them from determining things about you that you would prefer them not to know.

                                                                                                                                                                                                                                                                                                                                Some specific state actors operate TOR entry and exit routers and can perform analysis which is different to others who just have access to the infra beneath TOR and can infer things from traffic analysis somewhat differently.

                                                                                                                                                                                                                                                                                                                                I have never been in a situation where my life and liberty depended on a decision about a mechanism like TOR. I can believe it is contextually safe for some people and also believe it's a giant red flag to a lead pipe and locked room for others.

                                                                                                                                                                                                                                                                                                                                • edm0nd 14 hours ago

                                                                                                                                                                                                                                                                                                                                  I'm being pedantic but it's simply just Tor, not TOR.

                                                                                                                                                                                                                                                                                                                                  https://support.torproject.org/about/why-is-it-called-tor/

                                                                                                                                                                                                                                                                                                                                  >Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.

                                                                                                                                                                                                                                                                                                                                • ocean_moist 18 hours ago

                                                                                                                                                                                                                                                                                                                                  If your threat model includes western nation states, there are much bigger threats to your opsec than Tor. If your threat model does not include western nation states, Tor is safe to use.

                                                                                                                                                                                                                                                                                                                                  • yieldcrv 21 hours ago

                                                                                                                                                                                                                                                                                                                                    This isn't written in the most confidence inspiring way

                                                                                                                                                                                                                                                                                                                                    But the things that do inspire confidence:

                                                                                                                                                                                                                                                                                                                                    Tor is updated against vulnerabilities pre-emptively, years before the vulnerability is known to be leveraged

                                                                                                                                                                                                                                                                                                                                    Tor Project happens to be investigating the attack vector of the specific tor client, which is years outdated

                                                                                                                                                                                                                                                                                                                                    They should have just said “we fixed that vulnerability in 2022”

                                                                                                                                                                                                                                                                                                                                    with a separate article about the old software

                                                                                                                                                                                                                                                                                                                                    • qwery 19 hours ago

                                                                                                                                                                                                                                                                                                                                      > confidence inspiring

                                                                                                                                                                                                                                                                                                                                      I don't want them to try to sell me something. If they were making bold claims as you suggest I would be more concerned.

                                                                                                                                                                                                                                                                                                                                      • yieldcrv 17 hours ago

                                                                                                                                                                                                                                                                                                                                        The truth isn't confidence inspiring, the truth can be even without selling something, its not here.

                                                                                                                                                                                                                                                                                                                                        There is a risk that the network is compromised at any moment and cannot be relied upon, except for your own personal risk tolerance on the activity you are interested in.

                                                                                                                                                                                                                                                                                                                                      • birdman3131 20 hours ago

                                                                                                                                                                                                                                                                                                                                        To quote the article. " To the best of our knowledge, the attacks happened between 2019-2021." and " This protection exists in Ricochet-Refresh, a maintained fork of the long-retired project Ricochet, since version 3.0.12 released in June of 2022."

                                                                                                                                                                                                                                                                                                                                        While it has been fixed for years it was not a case of using old software from what I am reading.

                                                                                                                                                                                                                                                                                                                                        • immibis 20 hours ago

                                                                                                                                                                                                                                                                                                                                          The vulnerability is mitigated by shifting the economic incentives, not fixed by making it impossible. It can't be fixed without a completely different network design, like in Mixminion or Katzenpost. Someone suggested I2P, but it's mostly fundamentally the same as Tor. It uses unidirectional tunnels, which might help.

                                                                                                                                                                                                                                                                                                                                          • basedrum 19 hours ago

                                                                                                                                                                                                                                                                                                                                            Yeah, but the problem is that they cannot say that with 100% confidence, because the details were not shared with them (why, I have no idea)

                                                                                                                                                                                                                                                                                                                                          • nixosbestos 20 hours ago

                                                                                                                                                                                                                                                                                                                                            Is it possible to "break" the protocol in such a way that Hidden Services cannot be used without some version of vanguards? It almost seems worth doing?

                                                                                                                                                                                                                                                                                                                                            • rolph 20 hours ago

                                                                                                                                                                                                                                                                                                                                              https://github.com/blueprint-freespeech/ricochet-refresh

                                                                                                                                                                                                                                                                                                                                              ...We are writing this blog post in response to an investigative news story looking into the de-anonymization of an Onion Service used by a Tor user using an old version of the long-retired application Ricochet by way of a targeted law-enforcement attack.

                                                                                                                                                                                                                                                                                                                                              ...From the limited information The Tor Project has, we believe that one user of the long-retired application Ricochet was fully de-anonymized through a guard discovery attack. This was possible, at the time, because the user was using a version of the software that neither had Vanguards-lite, nor the vanguards addon, which were introduced to protect users from this type of attack. This protection exists in Ricochet-Refresh, a maintained fork of the long-retired project Ricochet, since version 3.0.12 released in June of 2022.

                                                                                                                                                                                                                                                                                                                                              • taneq 3 hours ago

                                                                                                                                                                                                                                                                                                                                                "Safe" doesn't have a meaning until you define your threat model.

                                                                                                                                                                                                                                                                                                                                                • tomcam 17 hours ago

                                                                                                                                                                                                                                                                                                                                                  Sincere question. This was created with US government funding. Is there any reason to believe it is safe?

                                                                                                                                                                                                                                                                                                                                                  • toby- 3 hours ago

                                                                                                                                                                                                                                                                                                                                                    So was the Internet at DARPA (or its modern foundation). And the WWW at CERN.

                                                                                                                                                                                                                                                                                                                                                    Tor's development team aren't on the payroll of the US gov't, and their funding comes from many sources.

                                                                                                                                                                                                                                                                                                                                                    If having received funding from a government agency is enough to earn your distrust, you'd quickly become a paranoid schizophrenic.

                                                                                                                                                                                                                                                                                                                                                    • oldgradstudent 2 hours ago

                                                                                                                                                                                                                                                                                                                                                      > Tor's development team aren't on the payroll of the US gov't, and their funding comes from many sources.

                                                                                                                                                                                                                                                                                                                                                      That's not serious. From the Tor official blog:

                                                                                                                                                                                                                                                                                                                                                      > U.S. Government (53.5% of total revenue)

                                                                                                                                                                                                                                                                                                                                                      > Individual Donations (28.5% of total revenue)

                                                                                                                                                                                                                                                                                                                                                      > Non-U.S. Governments (7.5% of total revenue)

                                                                                                                                                                                                                                                                                                                                                      > Foundations (6.4% of total revenue)

                                                                                                                                                                                                                                                                                                                                                      > Corporations (3.4% of total revenue)

                                                                                                                                                                                                                                                                                                                                                      > Other (0.6% of total revenue)

                                                                                                                                                                                                                                                                                                                                                      https://blog.torproject.org/transparency-openness-and-our-20...

                                                                                                                                                                                                                                                                                                                                                      • toby- 2 hours ago

                                                                                                                                                                                                                                                                                                                                                        It's true that a majority is from the US government through various funding schemes and grants. They're very transparent about their funding and ongoing efforts to diversify. But a little over half coming from US government sources isn't the same as their devs literally being on the gov't payroll; people often talk about Tor as if the developers themselves earn a government salary.

                                                                                                                                                                                                                                                                                                                                                        (Funnily, Signal also received major funding from US government sources but very few people seem to question that when lauding Signal.)

                                                                                                                                                                                                                                                                                                                                                    • hnisoss 17 hours ago

                                                                                                                                                                                                                                                                                                                                                      Even if you had your own SMT how can you be sure no one fiddled with your lab? If you can't trust your own stack 100% how can you trust ANYTHING else then?

                                                                                                                                                                                                                                                                                                                                                      So my answer to your sincere question: no reason to believe it is safe, no.

                                                                                                                                                                                                                                                                                                                                                    • gigatexal 19 hours ago

                                                                                                                                                                                                                                                                                                                                                      Was it ever safe? Wasnt it created by the AirForce or something? I’ve always thought of it as a honeypot.

                                                                                                                                                                                                                                                                                                                                                      • knodi123 18 hours ago

                                                                                                                                                                                                                                                                                                                                                        > Wasnt it created by the AirForce or something?

                                                                                                                                                                                                                                                                                                                                                        No, don't be silly, that's ridiculous! It was the Navy.

                                                                                                                                                                                                                                                                                                                                                      • 2d8a875f-39a2-4 4 hours ago

                                                                                                                                                                                                                                                                                                                                                        Was Tor ever safe to use? I don't think so.

                                                                                                                                                                                                                                                                                                                                                        • toby- 3 hours ago

                                                                                                                                                                                                                                                                                                                                                          Yes. Why wouldn't it be?

                                                                                                                                                                                                                                                                                                                                                          The fact that adversaries need to rely on zero-days, or people running massively outdated and unsupported software, strongly suggests the network is safe and robust.

                                                                                                                                                                                                                                                                                                                                                        • argentier 4 hours ago

                                                                                                                                                                                                                                                                                                                                                          safe as it ever was

                                                                                                                                                                                                                                                                                                                                                          • archsurface 19 hours ago

                                                                                                                                                                                                                                                                                                                                                            The more privacy the better as far as I'm concerned, but I've never used tor. What are people using tor for? General comms, piracy (mild illegal), other (very illegal), ...?

                                                                                                                                                                                                                                                                                                                                                          • smileson2 20 hours ago

                                                                                                                                                                                                                                                                                                                                                            Depends on your risk, if are are trying to avoid censorship and political repression in say Iran or china you are probably fine

                                                                                                                                                                                                                                                                                                                                                            If you are an enemy of the United States you probably aren’t but that’s a high bar

                                                                                                                                                                                                                                                                                                                                                            • Yawrehto 19 hours ago

                                                                                                                                                                                                                                                                                                                                                              Maybe. I think the real distinction is reach. Are you consuming content passively, or are you creating content for many people? If you're creating content on torture China's doing, they absolutely will track you down. If you're in North Korea and revealing what life is really like in South Korea, or in Russia exposing the realities of the Ukraine war, Tor is probably unsafe.

                                                                                                                                                                                                                                                                                                                                                              But there is also an element of resources. Even if you're sowing distrust in, say, the Comorian government, I don't think they have the resources to go after you unless you are truly destabilizing and not just annoying.

                                                                                                                                                                                                                                                                                                                                                              • smileson2 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                Yes fair point

                                                                                                                                                                                                                                                                                                                                                            • moogly 18 hours ago

                                                                                                                                                                                                                                                                                                                                                              Representing the letters "nsa" in "unsafe" since 2006.

                                                                                                                                                                                                                                                                                                                                                              • arminiusreturns 13 hours ago

                                                                                                                                                                                                                                                                                                                                                                I doubt it, it's too vulnerable to relay or 50% style attacks. I stopped using it in 2011/12-ish.

                                                                                                                                                                                                                                                                                                                                                                • GaggiX 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                  It depends, are you dealing with Mossad or not Mossad?

                                                                                                                                                                                                                                                                                                                                                                  • teddyh 5 hours ago

                                                                                                                                                                                                                                                                                                                                                                    You’re leaving out one very important class of actors, which I will call the NSA: The NSA, and others like them, unlike Mossad, are not after you personally, in that they don't want to do anything to you. Not immediately. Not now. They simply want to get to know you better. They are gathering information. All the information. What you do, what you buy, how you vote, what you think. And they want to do this to everybody, all the time. This might or not bite you in the future. You seems to imply that since nothing immediately bad is happening by using slightly bad security, then it’s OK and we shouldn’t worry about it, since Mossad is not after us. I think that we should have a slightly longer view of what allowing NSA (et al.) to know everything about everybody would mean, and who NSA could some day give this information to, and what those people could do with the information. You have to think a few steps ahead to realize the danger.

                                                                                                                                                                                                                                                                                                                                                                    (This has been a partial repost of a comment written four years ago: <https://news.ycombinator.com/item?id=23572778>)

                                                                                                                                                                                                                                                                                                                                                                    • 0xf00ff00f 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                      Hah, I was reminded of that essay while reading about recent events.

                                                                                                                                                                                                                                                                                                                                                                      "If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone."

                                                                                                                                                                                                                                                                                                                                                                    • nickphx 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                      not when you consider the level of monitoring at critical internet exchange points..

                                                                                                                                                                                                                                                                                                                                                                      • andirk 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                        That's why we need more bittorrent-like decentralized internet, like they were making on the show Silicon Valley.

                                                                                                                                                                                                                                                                                                                                                                      • smm11 18 hours ago

                                                                                                                                                                                                                                                                                                                                                                        Still?

                                                                                                                                                                                                                                                                                                                                                                        • jstanley 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                          The best attack against Tor is convincing people not to use it.

                                                                                                                                                                                                                                                                                                                                                                          If anyone tries to convince you Tor is not safe, ask yourself: cui bono?

                                                                                                                                                                                                                                                                                                                                                                          • no-dr-onboard 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                            After the Snowden revelations regarding FOXACID and QUANTUM going largely undressed in the tor project, people have every right to feel sketched out with using ToR for anything. "We're still helping people" just isn't a good enough argument for most people.

                                                                                                                                                                                                                                                                                                                                                                            https://www.schneier.com/blog/archives/2013/10/how_the_nsa_a... https://blog.torproject.org/yes-we-know-about-guardian-artic...

                                                                                                                                                                                                                                                                                                                                                                            • xyst 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                              Wonder what has replaced “Xkeyscore” given the wide adoption of TLS. I know ISPs, especially national ISPs like AT&T (see: titanpointe - 33 thomas st, nyc) would feed data to NSA since traffic at the time was mostly via http (rather than https). I suppose the unencrypted dns queries are still useful (although DNSSEC is supposed to defend against snooping/deep packet inspection)

                                                                                                                                                                                                                                                                                                                                                                              • yupyupyups 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                >Wonder what has replaced “Xkeyscore” given the wide adoption of TLS.

                                                                                                                                                                                                                                                                                                                                                                                Cloudflare is a US-based company that does MITM attacks on all traffic of the websites that it protects. It's part of how their DDoS mitigation works.

                                                                                                                                                                                                                                                                                                                                                                                Many people still use large US-based mail providers such as Outlook or Gmail.

                                                                                                                                                                                                                                                                                                                                                                                Many large services use AWS, GCP or Azure. Perhaps there are ways for the NSA to access customers' virtual storage or MITM attack traffic between app backends and the load balancer where TLS is not used.

                                                                                                                                                                                                                                                                                                                                                                                • itscrush 16 hours ago

                                                                                                                                                                                                                                                                                                                                                                                  Load Balancing && WAF or CDN enablement usually suggests at least a decrypt step or two in the HTTP(s) chain. WAF for layer7 payload inspection, or the default wildcard cert'ing your Cloudflare site for instance.

                                                                                                                                                                                                                                                                                                                                                                                  There's also significant aggregation of traffic at handfuls of service providers amongst service categories, all generally HTTP(s) type services too ... Mail, CDN, Video, Voice, Chat, Social, etc. Each of these are still likely to employ Load Balancing & WAF.

                                                                                                                                                                                                                                                                                                                                                                                  Most WAF/Load Balancing providers have documentation about when/where to perform decrypt in your architecture.

                                                                                                                                                                                                                                                                                                                                                                                  How many Cloudflare sites are just using the Cloudflare wildcard cert?

                                                                                                                                                                                                                                                                                                                                                                                  From there, plenty of 3 letter agency space to start whiteboarding how they might continue to evolve their attack chain.

                                                                                                                                                                                                                                                                                                                                                                                  • snewman 16 hours ago

                                                                                                                                                                                                                                                                                                                                                                                    Often the connection between the load balancer and app backend also uses TLS. I've operated a large / complex service on AWS and all internal communications at each level were encrypted.

                                                                                                                                                                                                                                                                                                                                                                                    Of course, in principle, a cloud provider could tap in anywhere you're using their services – ELB (load balancer), S3, etc. I presume they could even provide backdoors into EC2 instances if they were willing to take the reputational risk. But even if you assume the NSA or whoever is able to tap into internal network links within a data center, that alone wouldn't necessarily accomplish much (depending on the target).

                                                                                                                                                                                                                                                                                                                                                                                    • sophacles 17 hours ago

                                                                                                                                                                                                                                                                                                                                                                                      It is MITM, but is it an attack? Literally the website owner hires Cloudflare explicity to decrypt and filter the traffic. Attack implies that it's unwanted behavior, yet the reality seems to imply that its wanted behavior by the site owner at a minimum, although continued use of the site by visitors also suggests that they want that behavior (or they'd go elsewhere).

                                                                                                                                                                                                                                                                                                                                                                                      • EasyMark 15 hours ago

                                                                                                                                                                                                                                                                                                                                                                                        Isn’t the attack assuming that NSA/FBI/TLO has full access to the MITM connection at will? I mean that doesn’t seem too far fetched does it give various revelations over the years and things like The Patriot Act actually passing when it’s obviously unconstitutional

                                                                                                                                                                                                                                                                                                                                                                                      • tonetegeatinst 18 hours ago

                                                                                                                                                                                                                                                                                                                                                                                        Worse is how most email providers require SMS confirmation or a secondary email.

                                                                                                                                                                                                                                                                                                                                                                                      • bornfreddy 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                        A lot of pages are now behind CF, hosted on AWS,... It would surprise me if these providers didn't share their data with the 3-letter agencies.

                                                                                                                                                                                                                                                                                                                                                                                        • tonetegeatinst 18 hours ago

                                                                                                                                                                                                                                                                                                                                                                                          I'd argue any data center of cloudflare is just as valuable to fiber tap, just like the undersea fiber cables.

                                                                                                                                                                                                                                                                                                                                                                                        • greyface- 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                          Lots of juicy Internet protocols are still running in cleartext. OCSP, for example, and DNS, as you noted. And the IP-level metadata of TLS connections is still enough to uniquely identify which entities are communicating with each other in many situations. I very much doubt XKeyscore has been retired.

                                                                                                                                                                                                                                                                                                                                                                                          • tptacek 10 hours ago

                                                                                                                                                                                                                                                                                                                                                                                            DNSSEC is a replacement for the commercial WebPKI that is run by world governments.

                                                                                                                                                                                                                                                                                                                                                                                            • treebeard901 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                              >> Wonder what has replaced “Xkeyscore” given the wide adoption of TLS.

                                                                                                                                                                                                                                                                                                                                                                                              A nationwide invisible firewall, with man in the middle decryption and permanent storage of all unencrypted data. All run by the major backbones and ISPs.

                                                                                                                                                                                                                                                                                                                                                                                              • yencabulator 12 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                > man in the middle decryption

                                                                                                                                                                                                                                                                                                                                                                                                How would that work?

                                                                                                                                                                                                                                                                                                                                                                                                • ARandomerDude 12 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                  Start an NSA cutout called Cloudflare. Configure sites to use an SSL/TLS connection to Cloudflare, then a separate SSL/TLS connection from Cloudflare to your actual machine. Then have the marketing team call it "Strict" encryption. Make it free so everyone uses it.

                                                                                                                                                                                                                                                                                                                                                                                                  • treebeard901 10 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                    It is also a lot easier since ceetificate pinning has fallen out of favor. Many sites use LetsEncrypt. The Certificate Authority system itself is not reliable.

                                                                                                                                                                                                                                                                                                                                                                                                    In a way it is the perfect solution from a Govt perspective. Other countries have systems at this scale and larger. China for example.

                                                                                                                                                                                                                                                                                                                                                                                                    • yencabulator an hour ago

                                                                                                                                                                                                                                                                                                                                                                                                      What makes the CA system reliable is browsers insisting on Certificate Transparency before trusting a cert. If an attacker creates an evil cert by stealing the ACME verification traffic, there's a permanent record of it. Big corps can monitor the ledger to see what certs have been handed out to their domains.

                                                                                                                                                                                                                                                                                                                                                                                              • zaik 11 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                DNSSEC does NOT protect against snooping.

                                                                                                                                                                                                                                                                                                                                                                                                • xenophonf 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                  DNSSEC is an authentication mechanism. It does not encrypt queries or responses.

                                                                                                                                                                                                                                                                                                                                                                                                  You might be thinking of DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).

                                                                                                                                                                                                                                                                                                                                                                                                  There's also DNSCurve.

                                                                                                                                                                                                                                                                                                                                                                                                  https://en.wikipedia.org/wiki/DNSCurve

                                                                                                                                                                                                                                                                                                                                                                                                  • no-dr-onboard 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                    DoH and DNSSEC don't use ECH (encrypted client hello)

                                                                                                                                                                                                                                                                                                                                                                                                    From what I remember, only DoT uses ECH

                                                                                                                                                                                                                                                                                                                                                                                                    https://media.ccc.de/v/chaoscolloquium-1-dns-privacy-securit...

                                                                                                                                                                                                                                                                                                                                                                                                    • SubzeroCarnage 17 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                      ECH can be used regardless of DoT, DoH, dnscrypt, or plain as long as your resolver passes HTTPS queries.

                                                                                                                                                                                                                                                                                                                                                                                                      You can easily test this: dig @8.8.8.8 https pq.cloudflareresearch.com
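What a client looks for in that `dig` answer is the `ech` SvcParam of the HTTPS record. As an added example (not part of the original comment), this decodes HTTPS RDATA in wire format per RFC 9460, including the RFC 3597 `\# <len> <hex>` form printed by tools that do not know the record type, and reports the ECH public name; the sample records and all function names are constructed for illustration.

```python
import struct

# SvcParamKey numbers registered by RFC 9460; 5 is "ech".
SVC_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
            4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def rdata_from_generic(text):
    r"""Decode RFC 3597 generic RDATA text of the form '\# <length> <hex>'."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != "\\#":
        raise ValueError("not RFC 3597 generic RDATA")
    data = bytes.fromhex("".join(parts[2:]))
    if len(data) != int(parts[1]):
        raise ValueError("length field does not match hex payload")
    return data


def parse_https_rdata(rdata):
    """Return (priority, target, {param_name: raw_value}) for an HTTPS/SVCB record."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short")
    (priority,) = struct.unpack_from("!H", rdata, 0)
    labels, pos = [], 2
    while True:                                   # uncompressed TargetName
        if pos >= len(rdata):
            raise ValueError("truncated TargetName")
        n = rdata[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(rdata):
            raise ValueError("bad label")
        labels.append(rdata[pos:pos + n].decode("ascii"))
        pos += n
    params, last_key = {}, -1
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if key <= last_key:                       # RFC 9460: strictly increasing keys
            raise ValueError("SvcParams out of order")
        if pos + length > len(rdata):
            raise ValueError("truncated SvcParam value")
        params[SVC_KEYS.get(key, "key%d" % key)] = rdata[pos:pos + length]
        pos += length
        last_key = key
    return priority, ".".join(labels) + ".", params


def ech_public_names(ech_value):
    """public_name of each version-0xfe0d ECHConfig: the outer SNI seen on the wire."""
    try:
        (total,) = struct.unpack_from("!H", ech_value, 0)
        if total != len(ech_value) - 2:
            raise ValueError("ECHConfigList length mismatch")
        names, pos = [], 2
        while pos < len(ech_value):
            version, length = struct.unpack_from("!HH", ech_value, pos)
            body = ech_value[pos + 4:pos + 4 + length]
            pos += 4 + length
            if version != 0xFE0D or len(body) != length:
                continue
            p = 3                                 # skip config_id (1) and kem_id (2)
            (pk_len,) = struct.unpack_from("!H", body, p)
            p += 2 + pk_len                       # skip HPKE public key
            (cs_len,) = struct.unpack_from("!H", body, p)
            p += 2 + cs_len + 1                   # skip cipher suites, max name length
            names.append(body[p + 1:p + 1 + body[p]].decode("ascii"))
        return names
    except (struct.error, IndexError):
        raise ValueError("malformed ECHConfigList")


def ech_summary(rdata):
    priority, target, params = parse_https_rdata(rdata)
    raw, alpn, i = params.get("alpn", b""), [], 0
    while i < len(raw):
        alpn.append(raw[i + 1:i + 1 + raw[i]].decode("ascii"))
        i += 1 + raw[i]
    ech = params.get("ech")
    return {"priority": priority, "target": target, "alpn": alpn,
            "ech_advertised": ech is not None,
            "outer_sni": ech_public_names(ech) if ech else []}


def _build_sample(with_ech):
    """Constructed record; 32 zero bytes stand in for a real HPKE public key."""
    name = b"public.example"
    contents = (bytes([7]) + struct.pack("!HH", 0x0020, 32) + bytes(32)
                + struct.pack("!HHH", 4, 0x0001, 0x0001)
                + bytes([0, len(name)]) + name + struct.pack("!H", 0))
    cfg = struct.pack("!HH", 0xFE0D, len(contents)) + contents
    svc = [(1, b"\x02h2\x02h3"), (4, bytes([192, 0, 2, 1]))]
    if with_ech:
        svc.append((5, struct.pack("!H", len(cfg)) + cfg))
    rdata = struct.pack("!H", 1) + b"\x00"
    for key, value in svc:
        rdata += struct.pack("!HH", key, len(value)) + value
    return "\\# %d %s" % (len(rdata), rdata.hex())


SAMPLE_WITH_ECH = _build_sample(True)
SAMPLE_NO_ECH = _build_sample(False)

if __name__ == "__main__":
    print(ech_summary(rdata_from_generic(SAMPLE_WITH_ECH)))
```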

                                                                                                                                                                                                                                                                                                                                                                                              • knodi123 18 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                > If anyone tries to convince you Tor is not safe, ask yourself: cui bono?

                                                                                                                                                                                                                                                                                                                                                                                                It could be for insidious reasons, or because the speaker legitimately believes it. "If anyone tries to convince you you shouldn't use Rot13 as an encryption scheme, ask yourself- cui bono?" Silly example, but the point is, just about *everything* could be explained equally by either evil lies or honest warnings.

                                                                                                                                                                                                                                                                                                                                                                                                • dijit 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                  Same was true of Truecrypt.

                                                                                                                                                                                                                                                                                                                                                                                                  After the core team disbanded there was a full security audit which uncovered some very minor issues.

                                                                                                                                                                                                                                                                                                                                                                                                  People never really trusted Veracrypt though. Quite interesting how that turned out.

                                                                                                                                                                                                                                                                                                                                                                                                  • fencepost 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                    IIRC there were a lot more options by the time of the Truecrypt-Veracrypt shift. Truecrypt was around when drive encryption was otherwise an expensive enterprise software thing, but I think Bitlocker was included with Pro versions of Windows by the time of Veracrypt so that probably became the easiest free option - and probably with better compatibility as well.

                                                                                                                                                                                                                                                                                                                                                                                                    • no-dr-onboard 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                      this presumes that anyone would trust bitlocker.

                                                                                                                                                                                                                                                                                                                                                                                                      https://pulsesecurity.co.nz/articles/TPM-sniffing

                                                                                                                                                                                                                                                                                                                                                                                                      • bri3d 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                        Being able to sniff a key as it transits a local bus is a very different kind of compromise of "trust" than believing that something is preemptively backdoored by a threat actor. It is deeply mysterious that Microsoft don't simply use TPM encrypted sessions to prevent this, though.

                                                                                                                                                                                                                                                                                                                                                                                                        • dylan604 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                          Isn't this yet another example of if they have your physical machine, it's already game over?

                                                                                                                                                                                                                                                                                                                                                                                                          • bri3d 17 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                            No? Any modern disk encryption system with a strong passphrase (basically, anything but default-BitLocker) is very effective against "they have your physical machine and it's off" for any known, current adversary. And, the basic cryptography in use is common, robust, and proven enough that this is probably true even if your tinfoil hat is balled quite tightly.

                                                                                                                                                                                                                                                                                                                                                                                                            Where modern research effort goes is into protecting against "they HAD your physical machine and they gave it back to you" or "they got your machine while it was on/running" - these are much more difficult problems to solve, and are where TEE, TPM, Secure Boot, memory encryption, DMA hardening, etc. come into play.

                                                                                                                                                                                                                                                                                                                                                                                                            • dylan604 14 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                              You're talking much more hypothetical than the actual situation that was linked up stream from here. Context is crucial

                                                                                                                                                                                                                                                                                                                                                                                                              • uncanneyvalley 17 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                Disagree. If one has physical access to your machine, they also have physical access to you. Practically everyone is vulnerable to rubber hose cryptanalysis.

                                                                                                                                                                                                                                                                                                                                                                                                                • andrewflnr 17 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                  Right, because every stolen laptop automatically comes with an abduction of the owner? No, getting "hardware access" to a human is much harder (more expensive in the best case and riskier in terms of drastic punishment) than for a laptop, even more so if you want to go undetected.

                                                                                                                                                                                                                                                                                                                                                                                                        • input_sh 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                          How's it free if it's not available in the Home edition of Windows?

                                                                                                                                                                                                                                                                                                                                                                                                          In fact it's pretty much the only difference between Home and Professional editions of Windows these days, so I'd price it as the difference between the two (about $60).

                                                                                                                                                                                                                                                                                                                                                                                                        • hypeatei 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                          > People never really trusted Veracrypt though

                                                                                                                                                                                                                                                                                                                                                                                                          Can you expand on this? It was my understanding that Veracrypt is the new de-facto standard.

                                                                                                                                                                                                                                                                                                                                                                                                          • dijit 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                            Bitlocker, LUKS and FileVault are the new standard(s).

                                                                                                                                                                                                                                                                                                                                                                                                            Veracrypt is a curiousity, not beloved the way truecrypt was.

                                                                                                                                                                                                                                                                                                                                                                                                            I’d love to see hard numbers for this, just my outside impression.

                                                                                                                                                                                                                                                                                                                                                                                                            In fact, when trying to find old forums that I was part of during that era, I failed; and found only this: https://discuss.privacyguides.net/t/why-people-still-believe...

                                                                                                                                                                                                                                                                                                                                                                                                            • UberFly 11 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                              This is complete conjecture. Like Truecrypt, Veracrypt is open source, has been audited and has been actively maintained. Could it use another audit? Sure but so could Bitlocker but that isn't happening for even the first time any time soon.

                                                                                                                                                                                                                                                                                                                                                                                                              • dijit 8 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                I read this as intended to be some kind of rebuttal but… Where did I say it wasn't conjecture?

                                                                                                                                                                                                                                                                                                                                                                                                                I was stating facts about the ecosystem. People didn't trust it at the time.

                                                                                                                                                                                                                                                                                                                                                                                                                I never said there was a definite reason for that distrust.

                                                                                                                                                                                                                                                                                                                                                                                                                • trompetenaccoun 6 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                  Never heard of any credible reasons to distrust Veracrypt. Don't know who these "people" are either, none of the comments named anything more concrete than what sounds like online rumors.

                                                                                                                                                                                                                                                                                                                                                                                                        • stavros 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                          I'll ask the inverse: if Tor is unsafe, who benefits from telling you to use it?

                                                                                                                                                                                                                                                                                                                                                                                                          • appendix-rock 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                            Especially “the solution to an unsafe Tor is more Tor!” it feels like I’m at a charity drive.

                                                                                                                                                                                                                                                                                                                                                                                                            • theonionrouter 17 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                              "Unsafe" is not enough data.

                                                                                                                                                                                                                                                                                                                                                                                                              Safer or unsafer than ISP or VPN, is the question.

                                                                                                                                                                                                                                                                                                                                                                                                              (I presume safe means private here)

                                                                                                                                                                                                                                                                                                                                                                                                              • pphysch 15 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                The groups that primarily fund The Tor Project, i.e. the US State and Defense Departments.

                                                                                                                                                                                                                                                                                                                                                                                                              • cainxinth 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                The best attack against Tor is creating entrance and exit nodes that monitor traffic. That was the biggest risk factor when Tor was invented and it still is today.

                                                                                                                                                                                                                                                                                                                                                                                                                • theonionrouter 17 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                  How does that work technically, if I am connecting with SSL?

                                                                                                                                                                                                                                                                                                                                                                                                                  The only thing I see is seeing which IP addresses are using Tor, when, and how much traffic exchanged, but mostly it will be a bunch of reused residential IPs? If you know who you are looking for anyway better to work with their ISP?

                                                                                                                                                                                                                                                                                                                                                                                                                  With the exit nodes, you know which IP addresses are being looked up. You might get an exit node IP when investigating a crime say. Raid that person, but can you find anything more?

                                                                                                                                                                                                                                                                                                                                                                                                                  This isn't an argument, but a question.

                                                                                                                                                                                                                                                                                                                                                                                                                  • cainxinth 15 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                    They don't use encrypted data. They look at the metadata like packet size and timing and perform traffic correlation, which defeats Tor's primary purpose: hiding the connection between the source and destination of traffic.
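An added illustration, not part of the thread: the comment above describes correlating packet timing seen at both ends of a path without decrypting anything. The sketch below uses constructed, seeded traffic and hypothetical names throughout; it scores one entry-side flow against several exit-side flows, then measures what a generic constant-rate padding scheme (an assumption for illustration, not a description of what Tor does) costs in dummy cells and queueing to flatten that signal.

```python
import random
from statistics import mean

WINDOW = 1.0      # seconds per counting window
DURATION = 60.0   # length of the constructed observation

def bin_counts(timestamps):
    """Packets per window: the only 'metadata' the observer needs."""
    n = int(DURATION / WINDOW)
    counts = [0] * n
    for t in timestamps:
        i = int(t / WINDOW)
        if 0 <= i < n:
            counts[i] += 1
    return counts

def pearson(a, b):
    """Pearson correlation; a flat series carries no signal, so return 0.0."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / (va * vb) ** 0.5

def bursty_flow(rng, bursts=8):
    """Constructed client traffic: short bursts (page loads) with idle gaps."""
    ts = []
    for _ in range(bursts):
        start = rng.uniform(0, DURATION - 2)
        ts.extend(start + rng.uniform(0, 1.5) for _ in range(rng.randint(20, 60)))
    return sorted(ts)

def far_side(rng, timestamps):
    """The same packets at the other end: re-encrypted, delayed and jittered."""
    return sorted(t + rng.uniform(0.05, 0.15) for t in timestamps)

def pad_constant_rate(counts, rate):
    """Mitigation sketch: always emit `rate` cells per window.

    Real cells beyond `rate` wait in a queue; unused slots carry dummy cells.
    Returns (what the observer sees, dummy cells sent, worst queue length).
    """
    observed, dummy, backlog, worst = [], 0, 0, 0
    for c in counts:
        backlog += c
        sent_real = min(rate, backlog)
        backlog -= sent_real
        dummy += rate - sent_real
        worst = max(worst, backlog)
        observed.append(rate)
    return observed, dummy, worst

def run_demo(seed=7, clients=5, watched=2, rate=40):
    rng = random.Random(seed)
    entry_flows = [bursty_flow(rng) for _ in range(clients)]
    exit_views = [bin_counts(far_side(rng, f)) for f in entry_flows]
    entry_view = bin_counts(entry_flows[watched])
    # Unpadded: the watched flow's burst pattern survives encryption.
    scores = [pearson(entry_view, v) for v in exit_views]
    # Padded: the entry-side observer sees a flat line for every window.
    padded_view, dummy, worst = pad_constant_rate(entry_view, rate)
    padded_scores = [pearson(padded_view, v) for v in exit_views]
    return scores, padded_scores, dummy, worst

if __name__ == "__main__":
    scores, padded_scores, dummy, worst = run_demo()
    print("unpadded scores:", [round(s, 2) for s in scores])
    print("padded scores:  ", padded_scores)
    print("dummy cells sent:", dummy, "| worst queue length:", worst)
```

The dummy-cell count and queue length are the price of the flat line, which is the trade-off any padding defence has to budget for.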

                                                                                                                                                                                                                                                                                                                                                                                                                • andai 15 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                  Someone tries to convince you a room totally isn't bugged and that you should have private conversations in it. (A room designed by the US military, incidentally...)

                                                                                                                                                                                                                                                                                                                                                                                                                  • jancsika 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                    A question before I enter your Manichean universe:

                                                                                                                                                                                                                                                                                                                                                                                                                    Does Tor Browser Bundle currently ship with Ublock Origin installed and on by default?

                                                                                                                                                                                                                                                                                                                                                                                                                    • duskwuff 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                      It would be irresponsible for it to do so. Ad blocker lists can inject scripts into web pages which could compromise user privacy.

                                                                                                                                                                                                                                                                                                                                                                                                                      • bmicraft 15 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                        Well then ship a version that can't inject js and only block network requests. Could it be that hard?

                                                                                                                                                                                                                                                                                                                                                                                                                        • jancsika 17 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                          In that case we're talking at cross-purposes, so I'll reserve judgment.

                                                                                                                                                                                                                                                                                                                                                                                                                          I'm concerned with what let's call Gorhill's Web-- that is, the experience glued together by gorhill's Ublock Origin that is viewed by the vast majority of HN commenters on a day to day basis.

                                                                                                                                                                                                                                                                                                                                                                                                                          What you're describing is the Web-based Wasteland that is experienced by the vast majority of non-technical users who view the web without an ad blocker.

                                                                                                                                                                                                                                                                                                                                                                                                                          Encouraging Wasteland users to use TBB may well be an overall improvement for them. But there are more and more popular parts of the web that are practically unusable without an ad blocker-- e.g., fake download buttons, myriad other ad-based shenanigans, multiple ads squeezed into short pieces youtube content that ruins the music, etc. And there's an older segment of the population who at I cannot in good conscience move away from Gorhill's Web.

                                                                                                                                                                                                                                                                                                                                                                                                                          If Tor uptake somehow spikes to the point that some services can no longer get away with discriminating against exit nodes, then great! But in the meantime, I and many others have solid reasons for encouraging more and more Ublock Origin use among a wide variety of users.

                                                                                                                                                                                                                                                                                                                                                                                                                          And as you point out, there are technical reasons why the ad blocker lists are at odds with TBB design goals. Thus, I find the top poster's "cui bono" comment low effort and unhelpful.

                                                                                                                                                                                                                                                                                                                                                                                                                          Edit: clarification

                                                                                                                                                                                                                                                                                                                                                                                                                          • umanwizard 4 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                            I don’t think it’s true that the vast majority of HN users use ad blockers. I don’t, and I don’t find the web “practically unusable”.

                                                                                                                                                                                                                                                                                                                                                                                                                      • supportengineer 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                        Society benefits when people refrain from illegal and immoral activities.

                                                                                                                                                                                                                                                                                                                                                                                                                        • BLKNSLVR 18 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                          Politicians and the powers-that-be benefit from slowly adding to the existing pile of what's considered illegal and immoral. They build that pile as a levee against threats to their power; to maintain the status quo.

                                                                                                                                                                                                                                                                                                                                                                                                                          Immoral is as subjective as it gets and is therefore an awful yardstick.

                                                                                                                                                                                                                                                                                                                                                                                                                          • barbazoo 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                            Are you implying that Tor is primarily used for illegal or "immoral" purposes?

                                                                                                                                                                                                                                                                                                                                                                                                                            • lukan 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                              I would assume very likely yes?

                                                                                                                                                                                                                                                                                                                                                                                                                              There definitely are legit use cases for it and in an ideal world, I think all traffic should go over onion routing by default to protect them.

                                                                                                                                                                                                                                                                                                                                                                                                                              But in reality today besides a handful of idealists (like me some years ago), and legitimate users, like protestors under oppressive regimes - I would assume the biggest group with a concrete interest to hide would be indeed pedophiles and other dark net members and therefore use it.

                                                                                                                                                                                                                                                                                                                                                                                                                              • yupyupyups 18 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                I'm pretty sure many people use Tor for other things than journalism and CP.

                                                                                                                                                                                                                                                                                                                                                                                                                                Tor is a privacy tool. Much of what we do in our lives is on the internet, and privacy is important. Tor helps people enjoy privacy in a medium that they are increasingly dependant on.

                                                                                                                                                                                                                                                                                                                                                                                                                                • bmicraft 15 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                  Tor also helps you to increase your average loading time of a webpage to 10x. That's a very good deterrent against using it if you don't need it for some reason

                                                                                                                                                                                                                                                                                                                                                                                                                                • edm0nd 14 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                  You would assume wrong then. The majority of Tor traffic is just normal people, not illegal stuffs.

                                                                                                                                                                                                                                                                                                                                                                                                                                  The regular internet aka clearnet has far more malicious activity and traffic.

                                                                                                                                                                                                                                                                                                                                                                                                                                  • lukan 10 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                    Can you link to some data, that proofs this?

                                                                                                                                                                                                                                                                                                                                                                                                                                    I have no data, just assumptions.

                                                                                                                                                                                                                                                                                                                                                                                                                                • fsckboy 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                  are you implying that Tor is not used for illegal or immoral purposes? (I took out the primarily that you threw in to make your argument stronger because that made my argument stronger, and I took out your scare quotes because morality doesn't scare me)

                                                                                                                                                                                                                                                                                                                                                                                                                                  • alt187 16 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                    What's a scare quote?

                                                                                                                                                                                                                                                                                                                                                                                                                                  • barbazoo 18 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                    I have no idea who is using Tor other than that I heard it can be used by people requiring privacy from governments, e.g. whistleblowers. It also seems to have broad support from the tech industry so I'd be surprised if it was in fact primarily used for illegal or "immoral" purposes. That's why I'm asking.

                                                                                                                                                                                                                                                                                                                                                                                                                            • deviantbit 14 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                              No. It is not. More than 1/3 of the Tor servers are run by US Federal Govt as does other members of the Five Eyes. Israel has a large number as well. Cases are built backwards or in parallel that are from the fruit of the poisonous tree. If you don't know what that term means, look it up.

                                                                                                                                                                                                                                                                                                                                                                                                                              Use Tor with extreme caution.

                                                                                                                                                                                                                                                                                                                                                                                                                              • ec109685 12 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                Or just hit onion services that don’t require exit nodes.

                                                                                                                                                                                                                                                                                                                                                                                                                                • loup-vaillant 7 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                  How is that even possible? Unless you keep to hidden services underneath you do need an exit point to talk to the regular internet.

                                                                                                                                                                                                                                                                                                                                                                                                                                  • pushupentry1219 4 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                    Comment is saying: never use regular internet ONLY use hidden services so you never need to exit the network through an exit node

                                                                                                                                                                                                                                                                                                                                                                                                                                • toby- 4 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                  >More than 1/3 of the Tor servers are run by US Federal Govt

                                                                                                                                                                                                                                                                                                                                                                                                                                  Source? People repeat this claim and nobody every provides evidence.

                                                                                                                                                                                                                                                                                                                                                                                                                                • 2OEH8eoCRo0 20 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                  It's safe if you ain't a pedo or terrorist.

                                                                                                                                                                                                                                                                                                                                                                                                                                  Sometimes I wonder wtf y'all are doing with such crazy security expectations and paranoia.

                                                                                                                                                                                                                                                                                                                                                                                                                                  • RiverCrochet 18 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                    1. It's fun. Playing with these technologies is entertaining and will learn you some good stuff about the networking and the encryption and what not.

                                                                                                                                                                                                                                                                                                                                                                                                                                    2. Tor allows reception of unsolicited TCP/IPv4 traffic if you are behind a NAT you can't open ports for, because your connection to the network is initiated on your side. This is nice, especially with increasing prevalence of CGNAT.

                                                                                                                                                                                                                                                                                                                                                                                                                                    3. Something my niece stated when I talked to her about it, who I disagree with: Many countries have a notion of upstanding citizen enforced by well funded and maintained violence-monopoly actors (R) that are not equivalent to what the majority of citizens actually do (S). R minus S is T - the tolerance gap. Things that allow T to exist include lack of will to prosecute, general social acceptance of things that were not acceptable years ago, etc. All things that are quite mutable. If your activities fall into T, privacy-enforcement tech benefits you if R and S might change in the future.

                                                                                                                                                                                                                                                                                                                                                                                                                                    FWIW I am firmly in the "if you have nothing to hide you have nothing to fear" camp and I looked at her funny when she said this. Maybe she is a criminal or just crazy, idk.

                                                                                                                                                                                                                                                                                                                                                                                                                                    • WolfeReader 43 minutes ago

                                                                                                                                                                                                                                                                                                                                                                                                                                      You believe you have "nothing to hide" from 1. your own government, 2. the government of a nation you happen to be visiting or communicating with, 3. corporations who slurp up and sell personal data, 4. organized crime, 5. con artists and phishers looking for an easy mark, 6. people who personally want to harm you or exploit you, 7. people who want to harm others in your life and would use you as a means to do so, 8. people who want to harm your race/gender/religion/etc and identified you as a member of their targeted group.

                                                                                                                                                                                                                                                                                                                                                                                                                                      Really?

                                                                                                                                                                                                                                                                                                                                                                                                                                      End-to-end encryption technologies (of which TOR is one) help prevent entire categories of attacks which would otherwise be available to all of those groups, to use against you and others.

                                                                                                                                                                                                                                                                                                                                                                                                                                      • Naturally 13 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                        Your niece's reasoning sounds excellent to me, I am pleased you have included it.

                                                                                                                                                                                                                                                                                                                                                                                                                                        • spl757 15 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                          I'd like to place a camera in every room of your house and stream them on my website. Surely you won't mind because you have nothing to hide. Right?

                                                                                                                                                                                                                                                                                                                                                                                                                                        • mass_and_energy 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                          The implication of the right to privacy being unnecessary because you have nothing to hide is akin to declaring the right to free speech unnecessary because you have nothing to say.

                                                                                                                                                                                                                                                                                                                                                                                                                                          The ability to maintain privacy and anonymity is not for today, it's for tomorrow.

                                                                                                                                                                                                                                                                                                                                                                                                                                          • 2OEH8eoCRo0 16 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                            Where do I say it's unnecessary?

                                                                                                                                                                                                                                                                                                                                                                                                                                            • ciiiicii 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                              I don't think many people seriously think that terrorists planning attacks to maim and kill people, and pedophiles sharing child sexual abuse imagery with each other, have an absolute right to privacy in such communications, nor that doing so is an example of free speech.

                                                                                                                                                                                                                                                                                                                                                                                                                                              Really it's a good thing that the "global adversary" is - almost certainly - keeping tabs on Tor traffic and tracking down who is responsible for the worst abuses within this network.

                                                                                                                                                                                                                                                                                                                                                                                                                                              • lapphi 15 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                You sound like a stalin era communist. The secret police are spying on you for your own good!

                                                                                                                                                                                                                                                                                                                                                                                                                                                • ciiiicii 4 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Not sure what you mean. Gathering evidence is a vital part of investigating criminal activity. In the age of the internet, this includes evidence generated on computer networks, such as connection metadata from distributed systems like Tor.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Why, in your view, is this akin to Stalinism? It's just standard police work adapted for modern technologies, not an indication of totalitarian governance.

                                                                                                                                                                                                                                                                                                                                                                                                                                            • nurumaik 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                              Not everyone lives in a country where government is a friend

                                                                                                                                                                                                                                                                                                                                                                                                                                              • bornfreddy 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                And even if it is today, a fiend is just one bad election away.

                                                                                                                                                                                                                                                                                                                                                                                                                                                • o999 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Noone does..

                                                                                                                                                                                                                                                                                                                                                                                                                                              • DonnyV 19 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                Tor has never been safe to use.

                                                                                                                                                                                                                                                                                                                                                                                                                                                • vixen99 9 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                  How am I any further forward reading that?

                                                                                                                                                                                                                                                                                                                                                                                                                                                  • argentier 4 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                    you have the truth - it was cooked up by US Naval Intelligence - why would you think it was safe?

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • toby- 3 hours ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Wait until you learn about the creation of the Internet and the World Wide Web. Better disconnect.