
How The NSA Targets Tor

The Guardian has released new documents from Edward Snowden showing how the U.S. National Security Agency targets internet anonymity tool Tor to gather intelligence. One of the documents, a presentation titled "Tor Stinks," bluntly acknowledges how effective the tool is: "We will never be able to de-anonymize all Tor users all the time. With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user in response to a TOPI request/on demand." (Other documents: presentation 1, presentation 2.) The NSA is able to extract information sometimes, though, and Bruce Schneier details what we know of that process in an article of his own. "The NSA creates 'fingerprints' that detect http requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool which NSA boasts allows its analysts to see "almost everything" a target does on the internet. ... After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems." Schneier explains in a related article why it's important that we figure out exactly what the NSA is doing. "Given how inept the NSA was at protecting its own secrets, it's extremely unlikely that Edward Snowden was the first sysadmin contractor to walk out the door with a boatload of them. And the previous leakers could have easily been working for a foreign government."
  • by darrellg1 ( 969068 ) on Friday October 04, 2013 @01:15PM (#45037303)
    until it can monitor EVERYTHING. The end result of that will be CONTROL. Smart TVs? Built in cameras. How long until they start REQUIRING being monitored?
  • by Anonymous Coward on Friday October 04, 2013 @01:19PM (#45037353)

    Man, it's about time we had an American Spring... before it becomes impossible.

  • Re:TAILS (Score:5, Insightful)

    by plover ( 150551 ) on Friday October 04, 2013 @01:23PM (#45037393) Homepage Journal

    This quote from TFA was particularly insightful:

    Other efforts mounted by the agencies include attempting to direct traffic toward NSA-operated servers, or attacking other software used by Tor users. One presentation, titled 'Tor: Overview of Existing Techniques', also refers to making efforts to "shape", or influence, the future development of Tor, in conjunction with GCHQ.

    What that says is "hang on to old copies of TAILS and Tor, and don't 'upgrade' them." Sure, they're going to keep trying to attack them, but for right now this is as close to evidence as we'll ever get that says they're effective.

  • by Hatta ( 162192 ) on Friday October 04, 2013 @01:35PM (#45037509) Journal

    What the NSA is doing is unacceptable whether or not a foreign government accesses any of the data. Unless the US government obtains a warrant, based on probable cause, that specifically describes the places to be searched and things to be seized, this activity is illegal.

  • by i_ate_god ( 899684 ) on Friday October 04, 2013 @01:40PM (#45037561)

    so will this result in a theocratic christian government run by the bible belt?

  • by interkin3tic ( 1469267 ) on Friday October 04, 2013 @01:55PM (#45037693)
    How about we not personify the government? I find it more useful. Understanding the factors and motivations at work will allow us to respond appropriately, or at least properly understand why this keeps happening.

    Here's how I see it: Government agencies tend to take the path of least resistance to accomplish their assigned goals. Spy agencies' goals are to monitor and identify threats. It's much easier to monitor everyone online rather than the comparatively difficult task of getting a proper subpoena for each individual being monitored.

    The reason this is easier is because it's allowed by the government and tolerated by the people (at least enough to let it stand, we're not taking to the streets with torches and rope). Due process has not been updated to cover this in a way most of us feel would be appropriate. There are probably other barriers against this type of behavior that more knowledgeable people could come up with. They should be there, but they're not.

    The officials in charge likely know that there is only so much they can abuse that power before it's taken away from them. If it came out that the NSA had found a way to listen in on every conversation and track you at the moment, and the public understood it and wasn't successfully distracted from it, the NSA would have its powers trimmed. And then their job would be harder again.

    So it's not that they're just voyeurs who will stop at nothing to have a live feed on your sphincter. It's more that we want to have our cake and eat it too. We want the NSA to protect us from the boogeymen terrorists, and we don't want them to spy on us either. But we're more flexible on the latter, so there you have it.

    We'd need to keep limiting the NSA from taking the easiest paths we don't want them to take, but we're also lazy and apathetic as a nation.
  • Re:TAILS (Score:5, Insightful)

    by VortexCortex ( 1117377 ) <VortexCortex@pro ... m minus language> on Friday October 04, 2013 @04:07PM (#45038949)

    This is the full financial power of a Cold War military intelligence branch being directed against individual citizens. Doesn't matter what you're running, you brought a knife to a gun fight, and they brought an armor division.

    Yeah, I agree. We're pretty fucked, but I do think there's hope, however. The common man is disposed to do nothing until they feel the jack-boot at their own throat. The founding fathers knew of this:

    Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security.

    USA Declaration of Independence.

    The important thing to note is that they also gave us tools such that we would not have to throw off our government in order to fix it. We actually can fire congress. We actually can hold accountable the traitors to the constitution they swore to uphold. They keep this shit up, and more folks will come around to the idea of using them. They may have an armor division, but note that it's actually on our side. The pen is mightier than the sword, and the Army is not the NSA or CIA or individual sessions of congress.

    I developed a fairly weak encryption system with hash based CBC, and a simple substitution cipher prior to XOR to reduce effectiveness of chosen plain text attacks (random throw-away nonce initialization vector also helps). It's going to be part of the reverse-DRM system for my games (give the users the power: They can ensure game updates and mods can be trusted / signed), but since it's for games and the mods are scripts not native code, and will distribute online (thus internationally), I don't need anything super secure, or copyright encumbered (so I can open & close source as needed to mitigate cheaters in online games).

    I was looking at my router bandwidth log a few days ago and there was an upload of about 375 megabytes in the middle of the night, over an hour and a half 11pm to 12:30ish. No one was uploading anything here, I know for a fact. I recall a few days prior to that my Firefox browser had oddly glitched and crashed on adobe flash content (this rarely ever happens, since I don't consume much flash). The next day I noticed on my private game dev forum that a post I had made somehow got duplicated and glitched up, marking it as a global sticky announcement, and quite tellingly, none of the BBCode markup was parsed into the board's internal format -- My post somehow made it into the SQL database twice, and one copy apparently didn't go through the board's posting filter -- The posts are transactional, if the forum had glitched the DB wouldn't have been populated, let alone twice, and it would have been filtered for markup PRIOR to even touching the DB... This post was a list of all the improvements I recently made to my custom cipher. Coincidence? Yeah, right.

    In addition to being a cryptographer, I frequently make politically inciteful comments (see above), and since I make games as a hobby research some crazy stuff for plot ideas, sometimes I post in-character as a machine mastermind; And am also writing a novel about machines holding the government for ransom. (Spoiler: the machines autopiloted airplanes into buildings as a show of force on 9/11 to get the government to expand the world wide neural network... you can imagine red flags everywhere doing research and collaborative writing for that, eh?) I also tinker with electronics hardware and hobby OSs coded in ASM and my own toy languages. Being that I email enc@nsa.gov directly to comply with encryptio

  • Re:TAILS (Score:2, Insightful)

    by steelfood ( 895457 ) on Friday October 04, 2013 @07:57PM (#45040725)

    OK, a couple of things.

    1) They probably have info on everybody here. Every person who visits this site with any regularity probably has an FBI file, courtesy of the NSA. Note that Slashdot doesn't use HTTPS. Note that this is ground zero for intellectuals, which as we've seen in China and Iran, make up the bulk of their dissenters.

    2) If you're willing to pay the Best Buy tax and have a LiveCD saved off somewhere prior to being targeted, you probably can get a clean system. I'm not sure it matters though, as that machine's going to be compromised the moment it goes online anyway. So your choice is either to be secure by not exposing your communications to the rest of the world, or to not be secure the moment you try.

    3) They're not going to black van you. The important stuff isn't what you do at home, by yourself, with yourself. I.e., they're not interested in your masturbation, intellectual or physical. They're interested in your communications. Because words spoken in an empty room have no power, but those spoken to an audience do. If you speak, they'd want to make sure you're not too loud, that not too many others hear. In more repressive places, they don't want you to speak at all. And without the affirmation of others, you become one of those crazy people with crazy ideas, i.e. easily discredited, powerless. That's the ultimate goal.

    4) If you're as clean as you say you are, you should run for public office. But I sincerely doubt it. Everybody's got dirt somewhere. And if you don't, something you've done, or someone close to you did, can probably be made to look bad. Suffice to say, if you feel that the system works as intended, you should try it out. Sadly, myself and many others here are fairly certain it doesn't work the way it's supposed to. The best anybody (EFF, ACLU, etc.) can really do, short of something violent, tragic, and likely not nearly as beneficial as it would initially appear (reference Arab Spring, where things are worse now than they were before), is hold off the inevitable.

    5) This is not a result of terrorism. Terrorism is just the latest key to the uneducated American psyche. Before that, it was communism. Before that, it was something else, Native Americans maybe. This is a power grab by someone, or several individuals. Just like wealth has been moving from the general population to a select few over the past 20 years, so has power. Hoover was the perfect example of such a power grab in the past, and guess what, that happened in the 20's when there was a similar wealth distribution. Most people have no idea about Hoover, and even if they did, don't understand the significance of his actions. That's because:

    6) Most people just don't care. They're not willing to sacrifice their time and energy into serving other people. If they run for public service, they're going to make sure it serves themselves first and foremost. That's just how things are. The founders based the foundation of their system upon an enlightened society. They themselves were fairly enlightened individuals, albeit with the occasional shortcoming. We're about as far away from that as we can get, and getting farther with every passing moment. The attacks on education, the attacks on information, these are all methods to keep people in the dark, unenlightened.

    7) The nihilist parts of Nietzsche are good too. Actually, the part you like comes out of his nihilism. Privacy implicitly assumes that it's possible for there to be nobody else present but you and yourself alone. In fact, that actually may be why most people don't care for their privacy; they start from the position that they don't have it in the first place.

    In summary: Business as usual. 25000 years and we're fundamentally no different today than the humans alive then. Did you really expect a different outcome?
