Academics Build a New Tor Client Designed To Beat the NSA 63
An anonymous reader writes: In response to a slew of new research about network-level attacks against Tor, academics from the U.S. and Israel built a new Tor client called Astoria designed to beat adversaries like the NSA, GCHQ, or Chinese intelligence who can monitor a user's Tor traffic from entry to exit. Astoria differs most significantly from Tor's default client in how it selects the circuits that connect a user to the network and then to the outside Internet. The tool is an algorithm designed to more accurately predict attacks and then securely select relays that mitigate timing attack opportunities for top-tier adversaries.
Re: (Score:2)
I.T. is the field that is splitting hairs when it comes to privacy and security, if TOR beats the NSA someone gets fired or their budget cut, not really the folks one wants to scorn and the people know it. So innovation is dead there. I think the last statement in the "Lord of War" holds true, "Never go to war with yourself", kind of late now though a decade later ya think?
Re: (Score:2)
Can anyone confirm NSA / GCHQ and Chinese intelligence's ability to monitor Tor user's traffic, from entry to exit?
Are there any articles online which can substantiate that claim??
See e. g. How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID [schneier.com]. That's NSA monitoring, based on Snowden disclosures. More references in the Astoria article.
So where is the source code? (Score:3, Informative)
no source code == no story
written by the NSA (Score:5, Interesting)
If the NSA were going to create a TOR substitute, wouldn't this be how they would want to describe it?
Re:written by the NSA (Score:5, Informative)
TOR was originally developed by the Navy to hide CIA and NSA traffic. It was released to the public specifically to allow everybody's lesser-importance traffic to provide cover for said spies.
mod parent up! (Score:4, Informative)
Re: (Score:1)
And how did that work out?
Re: (Score:2, Insightful)
Paranoia on a site hosted in a country where Sgt. Friendly of the local Police dept. rides around on an APC in full riot gear ready to pepper spray protesters in the face in a country with "free speech" written as an inalienable right?
Trust has been eroding steadily for decades
Re: (Score:2)
My head assplode!
Re: (Score:2)
Why would they want to?
They know the security features of Tor and probably need them for themselves. They also know they can classify tor users as suspicious based on their tor usage alone. They don't need to make a substitute, it would probably even be bad for them. They have stated quite often that they only work with metadata and its probably correct, metadata is a lot easier to work with than the actual data and it gives them all they need. With tor they will know the metadata but might not know the act
Re: (Score:2)
For Tor to be effective, more people need to use Tor. The problem is, people using Tor are usually people needing to (or wanting to) hide something, not the "more" people needed.
Re: (Score:2)
For Tor to be effective, more people need to use Tor. The problem is, people using Tor are usually people needing to (or wanting to) hide something, not the "more" people needed.
This is why I make it a point to fire up the Tor browser at least a couple of times a week. It's not because I'm doing something I want to hide, it's that everybody should be free from having to live under the all-seeing Eye of Sauron. If they're going to watch all Tor traffic, they can watch my webcomics and funny cat pictures.
Re: (Score:1)
Re: (Score:2)
What happened to my net? It seems all stux!
Seriously, beating the NSA does nothing. You need to give them a real punishment that means something to them and then not waver when they complain. It's the only way they'll learn good manners.
Re: (Score:2)
I've always wondered if the NSA has academics "informally" on their payroll. In East Germany, the secret police, called the Stasi, had loads of folks working "informally" for them.
The NSA would pay (or bribe?) the academics to mislead research with disinformation, and intentionally build in a backdoor.
Of course, one might think that academics would have some sense of integrity. But these days, nothing really surprises me anymore.
Re: (Score:2)
Citation needed.
Bad headline (Score:5, Insightful)
Should be 'Academics hypothesize better tor client', since all they're giving out is their analysis and not sourcecode there's no way to verify their claims.
Re: (Score:2, Interesting)
Nah, should be: Academics Build a Hypothetical Framework for the NSA to Beat Before It's Ever Implemented. ... then again I would title it: Academics Continue to Ignore that NSA can NSA can inject exploits into any Tor Exit Node's traffic. You're fucked once the Ferret Cannon has you in its sights. [theatlantic.com] All you need to do is be interesting and access HTTPS:// since the NSA assumes any encrypted traffic is non-USA-ian because they can't prove origin without hacking it.
Aside: This combined with the fact that the
Re: (Score:3)
Transmission encryption without authentication is useless in the vast majority of cases.
No, it isn't. Because in the vast majority of cases your traffic wasn't interesting enough to MITM the first time you connected to the server, and after that, you've stored the key you found there and can be alerted if it changes. Also you can post-verify to see whether you've been MITMd if you care to know whether the horse is out of the barn, which isn't as useful as keeping the horse in the barn, but still qualifies as useful.
Re: (Score:2)
your traffic wasn't interesting enough
How interesting is interesting enough? Interesting enough to spend $5 on? $0.05? GCHQ redirected the slashdot site for Belgacom users to their own servers, so slashdot readers are at least that interesting, and mass observation programs like PRISM make it cheaper and cheaper to watch you.
Re: (Score:2)
MITMs are different than just sniffing.
You can tell, in fact, that you were MITMd post hoc, because you can compare the cert that was used versus a copy of the cert obtained through other means. That's easiest to do if you have admin access to the server, of course, but those of us that do, know that MITM attacks are rare.
Re: (Score:2)
About the only argument for not encrypting that holds water is if you want an offboard IPS to see the attack packets. Caching and resources are of steadily diminishing importance.
you've got a nice algorithm there (Score:2)
Re: (Score:2)
Our darknets are better than their darknets. If you read the history of darknet systems I think there are two or three of them, Japanese ones, that turned out to have serious flaws - programs are out that will give you the IP addresses of people on one of them, of commenters on the other. And the Japanese police went around picking people up. Major difference from our ones, theirs weren't open sourced.
Link padding (Score:2, Interesting)
the article seems to miss on the details. How can you choose "safe" circuits when it is assumed that all points are compromised?
The best defense is chatty end points. Just spew requests continuously and that defeats traffic analysis. They used to call it link padding.
Re: (Score:2, Informative)
The problem with link padding is that it would be very costly for Tor nodes and for usability.
Firstly, link padding would require rate-limiting each link to something quite small to keep bandwidth reasonable. If you think Tor is slow now, it would be much slower with padding.
Secondly, link padding also requires batching circuit construction. If a new link comes in, you can't immediately allow the Tor user to open a new link out. You have to wait and batch multiple outgoing link requests. That increases late
Re: (Score:2)
Sounds right to me, except for the assumption that link batching would necessarily increase latency. I believe tor already handles asycnronously in most cases and only rotates circuits as needed or about every 10 minutes.
So circuit creation time, generally speaking, should have little effect that the user can see (unless he requests a new circuit through a control app).
israel? (Score:2)
i never seen anything come out of israel that wasnt backdoored.. Icq skype etc
i think showden files had things about this also
Re: (Score:2, Troll)
i never seen anything come out of israel that wasnt backdoored.. Icq skype etc
i think showden files had things about this also
I'd be far more likely to trust Israeli-produced tools as opposed to anything from the Five Eyes.
Strat
Re: (Score:1)
i never seen anything come out of israel that wasnt backdoored.. Icq skype etc
i think showden files had things about this also
I'd be far more likely to trust Israeli-produced tools as opposed to anything from the Five Eyes.
Strat
Didn't you see the Snowden docs last year saying Israel became the Sixth Eye?
Re: (Score:2)
Didn't you see the Snowden docs last year saying Israel became the Sixth Eye?
No, I apparently missed it. Thanks, I will investigate and if accurate, modify my opinion accordingly.
Strat
Re: (Score:1)
Scarlett Johansson? She's as pure as the driven snow. I'm sure she's never been backdoored.
Re: (Score:1)
Re: (Score:2)
Spreading FUD all over, aren't we?
First, Skype is not, and has never been, Israeli. ICQ hasn't been Israeli for ages and ages (sold to AOL, that's America Online) in 1998. That's 17 years ago. Either way, a search for "ICQ snowden backdoor" shows nothing relevant in any of the first 10 results, causing me to question the validity of trusting you as a source. If I'm wrong, by all means, please do provide sources.
Second, I used to be in charge of Check Point's product security (late 2000 to early 2003). If an
Re: (Score:1)
http://intelnews.org/2013/06/2... [intelnews.org]
https://www.middleeastmonitor.... [middleeastmonitor.com]
100s more storys on this
sorry after reading a lot about how skype bent over or hacked by/for israel i figured they are a israeli company
still no reason to trust israeli companys.. when it comes to safe software packages
Re: (Score:2)
100s more storys on this
Why don't you pick ONE that is actually about an actual Israeli company actually backdooring its own products for the Israeli government (or whatever)?
Because that was and is your claim, and neither of the two stories you linked discuss that. The first discusses Skype setting a backdoor, but does not mention Israel in any way or form (and even if it did, Skype is not, and has never been, an Israeli company). The second talks about how the NSA is cooperating with Israeli intelligence, and uses Israeli produc
Not foolproof (Score:3, Insightful)
Just remember: if somebody is interested in finding out what you are doing, and they have unlimited resources to do so, then you WILL get caught no matter how good you think your tools are, no matter how careful you think you are.
Re: Not foolproof (Score:4, Insightful)
Luckily there is no such thing as infinite resources.
Re: (Score:2)
TOR worked pretty well for Snowden.
It boils down to how interesting you are. Unless you are already on their radar and doing something extremely bad they probably won't even try, and certainly won't want to reveal their capabilities just to get at you.
I'd trust the NSA before the State of Israel (Score:1)
Project shoots itself in the foot... (Score:1)
"Astoria is a usable substitute for the vanilla Tor client only in scenarios where security is a high priority."
And this means that only people requiring high levels of security will use Astoria, which means that its use/download will be an immediate red flag.
The only way to make something like this actually useful is for the same software (possibly with multiple user configurations) to be used by everyone and their dog. As soon as you can profile based on the software, then the exact organizations that it