Tor Traffic Confirmation Attack -Roger Dingledine Report SUMMARY: On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks. The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected. Unfortunately, it's still unclear what "affected" includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don't know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too. Relays should upgrade to a recent Tor release (0.2.4.23 or 0.2.5.6-alpha), to close the particular protocol vulnerability the attackers used -- but remember that preventing traffic confirmation in general remains an open research problem. Clients that upgrade (once new Tor Browser releases are ready) will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one. Hidden service operators should consider changing the location of their hidden service. THE TECHNICAL DETAILS: We believe they used a combination of two classes of attacks: a traffic confirmation attack and a Sybil attack. A traffic confirmation attack is possible when the attacker controls or observes the relays on both ends of a Tor circuit and then compares traffic timing, volume, or other characteristics to conclude that the two relays are indeed on the same circuit. If the first relay in the circuit (called the "entry guard") knows the IP address of the user, and the last relay in the circuit knows the resource or destination she is accessing, then together they can deanonymize her. You can read more about traffic confirmation attacks, including pointers to many research papers, at this blog post from 2009: https://blog.torproject.org/blog/one-cell-enough The particular confirmation attack they used was an active attack where the relay on one end injects a signal into the Tor protocol headers, and then the relay on the other end reads the signal. These attacking relays were stable enough to get the HSDir ("suitable for hidden service directory") and Guard ("suitable for being an entry guard") consensus flags: https://gitweb.torproject.org/torspec.git/blob/HEAD:/dir-spec.txt#l1775 Then they injected the signal whenever they were used as a hidden service directory, and looked for an injected signal whenever they were used as an entry guard. The way they injected the signal was by sending sequences of "relay" vs "relay early" commands down the circuit, to encode the message they want to send. For background, Tor has two types of cells: link cells, which are intended for the adjacent relay in the circuit, and relay cells, which are passed to the other end of the circuit. https://gitweb.torproject.org/torspec.git/blob/HEAD:/tor-spec.txt#l364 In 2008 we added a new kind of relay cell, called a "relay early" cell, which is used to prevent people from building very long paths in the Tor network (very long paths can be used to induce congestion and aid in breaking anonymity): http://freehaven.net/anonbib/#congestion-longpaths https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/110-avoid-infinite-circuits.txt But the fix for infinite-length paths introduced a problem with accessing hidden services: https://trac.torproject.org/projects/tor/ticket/1038 and one of the side effects of our fix for bug 1038 was that while we limit the number of outbound (away from the client) "relay early" cells on a circuit, we don't limit the number of inbound (towards the client) relay early cells: https://lists.torproject.org/pipermail/tor-commits/2009-July/014679.html So in summary, when Tor clients contacted an attacking relay in its role as a Hidden Service Directory to publish or retrieve a hidden service descriptor (steps 2 and 3 on https://www.torproject.org/docs/hidden-services), that relay would send the hidden service name (encoded as a pattern of relay and relay-early cells) back down the circuit. Other attacking relays, when they get chosen for the first hop of a circuit, would look for inbound relay-early cells (since nobody else sends them) and would thus learn which clients requested information about a hidden service. There are three important points about this attack: A) The attacker encoded the name of the hidden service in the injected signal (as opposed to, say, sending a random number and keeping a local list mapping random number to hidden service name). The encoded signal is encrypted as it is sent over the TLS channel between relays. However, this signal would be easy to read and interpret by anybody who runs a relay and receives the encoded traffic. And we might also worry about a global adversary (e.g. a large intelligence agency) that records Internet traffic at the entry guards and then tries to break Tor's link encryption. The way this attack was performed weakens Tor's anonymity against these other potential attackers too -- either while it was happening or after the fact if they have traffic logs. So if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future. (This concern is in addition to the general issue that it's probably unwise from a legal perspective for researchers to attack real users by modifying their traffic on one end and wiretapping it on the other. Tools like Shadow are great for testing Tor research ideas out in the lab: http://shadow.github.io/ ) B) This protocol header signal injection attack is actually pretty neat from a research perspective, in that it's a bit different from previous tagging attacks which targeted the application-level payload. Previous tagging attacks modified the payload at the entry guard, and then looked for a modified payload at the exit relay (which can see the decrypted payload). Those attacks don't work in the other direction (from the exit relay back towards the client), because the payload is still encrypted at the entry guard. But because this new approach modifies ("tags") the cell headers rather than the payload, every relay in the path can see the tag. C) We should remind readers that while this particular variant of the traffic confirmation attack allows high-confidence and efficient correlation, the general class of passive (statistical) traffic confirmation attacks remains unsolved and would likely have worked just fine here. So the good news is traffic confirmation attacks aren't new or surprising, but the bad news is that they still work. See https://blog.torproject.org/blog/one-cell-enough for more discussion. Then the second class of attack they used, in conjunction with their traffic confirmation attack, was a standard Sybil attack -- they signed up around 115 fast non-exit relays, all running on 126.96.36.199/16 or 188.8.131.52/16. Together these relays summed to about 6.4% of the Guard capacity in the network. Then, in part because of our current guard rotation parameters: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters these relays became entry guards for a significant chunk of users over their five months of operation. We actually noticed these relays when they joined the network, since the DocTor scanner reported them: https://lists.torproject.org/pipermail/tor-consensus-health/2014-January/004134.html https://gitweb.torproject.org/doctor.git We considered the set of new relays at the time, and made a decision that it wasn't that large a fraction of the network. It's clear there's room for improvement in terms of how to let the Tor network grow while also ensuring we maintain social connections with the operators of all large groups of relays. (In general having a widely diverse set of relay locations and relay operators, yet not allowing any bad relays in, seems like a hard problem; on the other hand our detection scripts did notice them in this case, so there's hope for a better solution here.) In response, we've taken the following short-term steps: 1) Removed the attacking relays from the network. 2) Put out a software update for relays to prevent "relay early" cells from being used this way. 3) Put out a software update that will (once enough clients have upgraded) let us tell clients to move to using one entry guard rather than three, to reduce exposure to relays over time. 4) Clients can tell whether they've received a relay or relay-cell. For expert users, the new Tor version warns you in your logs if a relay on your path injects any relay-early cells: look for the phrase "Received an inbound RELAY_EARLY cell". The following longer-term research areas remain: 5) Further growing the Tor network and diversity of relay operators, which will reduce the impact from an adversary of a given size. 6) Exploring better mechanisms, e.g. social connections, to limit the impact from a malicious set of relays. We've also formed a group to pay more attention to suspicious relays in the network: https://blog.torproject.org/blog/how-report-bad-relays 7) Further reducing exposure to guards over time, perhaps by extending the guard rotation lifetime: https://blog.torproject.org/blog/lifecycle-of-a-new-relay https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters 8) Better understanding statistical traffic correlation attacks and whether padding or other approaches can mitigate them. 9) Improving the hidden service design, including making it harder for relays serving as hidden service directory points to learn what hidden service address they're handling: https://blog.torproject.org/blog/hidden-services-need-some-love OPEN QUESTIONS: Q1) Was this the Black Hat 2014 talk that got canceled recently? Q2) Did we find all the malicious relays? Q3) Did the malicious relays inject the signal at any points besides the HSDir position? Q4) What data did the attackers keep, and are they going to destroy it? How have they protected the data (if any) while storing it? Great questions. We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how "relay early" cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild. They haven't answered our emails lately, so we don't know for sure, but it seems likely that the answer to Q1 is "yes". In fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was. We don't yet know the answers to Q2, Q3, or Q4.
DELL, NEW YORK STATE AND BLOOMBERG ON BITCOIN AND VIRTUAL CURRENCIES
- Last week, New York State released a proposed regulatory framework for virtual currencies and Benjamin Lawsky, Superintendent of Financial Services said: “We have sought to strike an appropriate balance that helps protect consumers and root out illegal activity – without stifling beneficial innovation. Setting up common sense rules of the road is vital to the long-term future of the virtual currency industry, as well as the safety and soundness of customer assets.” Note: “Virtual currencies” include bitcoin and other digital currencies, but excludes online gaming platforms and customer affinity or rewards programs such as airline miles. The review and comment period is open for 45-days.
- In addition, Dell said it is starting a pilot test to support bitcoin as a purchase option on Dell.com for consumer and small business shoppers in the U.S. According to Adam White, of payment processor Coinbase, there will be no processing fees for Dell on the first $1 million in sales and a 1% flat fee for sales above that level.
- Finally, a Bloomberg survey of 562 of its subscribers found that 55% said the price of bitcoin was unsustainable, 14% said it was on the verge of a bubble, 5% said a bubble was not forming and 25% were unsure.
Bitcoin 2.0 and the Segway Bike
gAtO Imagine - some of the business side applications we can build with future triggered events being executed by Autonomous Cyber Robots. All build on the basic Bitcoin 1.0 code but not using the coins but the blockchain – there be treasure in that blockchain but it’s all math ugh!!!.
Ok first what is Bitcoin 2.0? Basically it’s a new way to have a cyber robot or a cyber drone that can do what you instruct them to do. It is a timestamp triggered event and you can now just add business rules to it that will work in cyberspace.
What do you do online today?
- Shop for things and have them delivered
- Online banking
- Buy and sell stocks and bonds
- Send donations to Charities or political organizations
So now you can build cyber-business rules to be execute on the web and put them into one of these cyber robot or a cyber drone. I use these 2 terms because when people hear drones they think attacks and such and yes you can now build digital FINANCIAL warriors that can execute based on events, millions of them and they can be used for good and evil.
timeStamp- or -blockchain-trigger event – robots with business rules- example//
- Send 100 Bitcoins to my family every 6 months after I die.
- Buy or sell stocks ambiguously – Digital Business Contracts – or Personalities
- Any transaction that can be performed on the web!
- Set up a corporation by an Ethereum digital actors
- Any Business rule that can executed digitally
gAtO lOvE Ethereum //= it is a platform and a programming language that makes it possible for any developer to build and publish next-generation distributed applications. https://www.ethereum.org/ Next Generation Smart Contracts and a Decentralize Application Platform. Non-geek cyber-business rules OK…
GAtO used to lug around an Osborne luggable computer… 1.0 laptops – but gAtO was cool aligning 10MB (yes 10 Mega Bytes) hard rives the size of a large home freezer. The good old computers days… Out of hardware back to Biz -mEoW
MasterCoin – The Master Protocol facilitates the creation and trading of smart properties and user currencies as well as other types of smart contracts. Mastercoins serve as the binding between bitcoins (BTC), smart properties and smart contracts created on top of the Mastercoin Protocol. Non-geek cyber-business rules OK…
Similar Alt-coins but both the same (going after the business side) in a way but these seem to be a new wave of Bitcoin 1.0 off shoots. Now NameCoin and Trusted coin are on a different course, since they are more into the digital Notary service that can be done with any blockchain type Bitcoin off shoot. And LiteCoin 84 Million -versus- 21 Million in Bitcoins another fight but of a different financial play on this alt-coin. LiteCoin is around $10 bucks Per so we have to keep an I on them too.
Once again these another development are being built on the shoulder of the great Satoshi Nakamoto work. GaTo as a technologist love all these new and exciting toys to play with. Then I think about the Segway Bike I alway wanted one but then again really, I’m I really ready to give up walking? Back in 2001 it was so cool, it was the evolution of the bicycle or was it???
13 years later this evolution the revolution of the bicycle is seem by most as the Mall Police ride by. Ok maybe in Seattle or San Francisco I can see that but really. Now Bicycle Cops are everywhere but real cops on a Serway Bike – you know maybe I don’t really want one anymore. But I wonder if I can buy one with Bitcoins? ummm
DogE-Coin is hot with the young bloods as a NEW digital currency that’s taking Reddit and other places by storm- I know gAtOCoin, maybe I’ll start one of my own, there only about 500 Alt-Coins around and growing all built on the Bitcoin core code. Bitcoin is only 5 Years Old -Wow- Imagine in another 3-5 years // world wide currencies all over doing different things creating the NEW Cyber-System D-(system) that no government can controls, of the people and by the people. Double -Wow
gAtO’s bet is on Bitcoin, simple it has payed it’s dues, from an underground play toy to International financial deals like flying to the Moon on Virgin Air, I wonder if I can buy that with Litecoins- you listening Richard Branson I’m mining Namecoin too Richard.
The new Bitcoin business Investors and Incubators are hopping with new Bitcoin 2.0 ideas, but is it different if it’s control by the users, not the sole players like the bankers and older financial players. But truth be told these will bring newer workable solutions that will trickle down to the normal person. We must be careful because these new worldwide cyber solution will have little government controls so the game is changing and the ability to jump on this but NOT to give up privacy with government toys like TPM – Trusted Computer Platform – yes July 2015 all Windows 8 devices will have TPM 2.0 in control of your devices. The US solution cyber Kill Switch.
AT least Apple has not added TPM into it’s hardware but they banned against Bitcoin -Steve told you to Innovate Apple- But that’s another battle.
You can trust your government spying on you IF you have nothing to hide RIGHT!!! - gAtO oUt
Digital System D-
System D is a slang phrase pirated from French-speaking Africa and the Caribbean. The French have a word that they often use to describe particularly effective and motivated people. They call them débrouillards. To say a man is a débrouillard is to tell people how resourceful and ingenious he is. The former French colonies have sculpted this word to their own social and economic reality. They say that inventive, self-starting, entrepreneurial merchants who are doing business on their own, without registering or being regulated by the bureaucracy and, for the most part, without paying taxes, are part of “l’economie de la débrouillardise.” Or, sweetened for street use, “Systeme D.” This essentially translates as the ingenuity economy, the economy of improvisation and self-reliance, the do-it-yourself, or DIY, economy.
Hydrogen Bonding and the Bitcoin War Apple -vs- Microsoft
How the world works:
gAtO sEe- Apple – Microsoft battle begins anew and Google and Yahoo are setting up sides and it’s all about Bitcoins. First we have Apple throwing all Bitcoins Apps from it’s App store. Then they turn around and are now accepting DogEcoins – the kids version of Bitcoin. Yes Bogecoins is a joke a Bitcoin off-shoot for this guys Doggie. So DogECoins was born… it’s not doing to bad in Rediit but that’s another article.
Then a few days after Apple announces the Dogecoins -(Microsoft) -Bing search engine changed it’s search on Bitcoins to include all kinds of new information. BTY Google and Yahoo and trying to see how to work Bitcoins into their checkout’s. So this is how the Bitcoin war begins. Amazon and other players will soon adopt but I think the Microsoft and Apple fight will be something to sit back and watch. But in the end Bitcoin will win.
Back in the day when Microsoft -vs- Apple world war 1 it was about hardware and software and users and it really mattered, but todays war is about Bitcoins and why Apple the front leader in new leading edge technology choose to drop all Bitcoins apps is a big question. Is Apple planning it’s own Coins??? Steve Jobs is rolling over in his grave on this one. People are shooting their iPhones, the users are fighting back on this one and for Apple I think they will loose this fight. I already found a way around Apple App Store for my Bitcoin Wallet and people that want to use Bitcoins will find a way around this too.
gAtO disclaimer – I hate Microsoft, I use a Mac and Android because it has Unix under the hood, but this blow is the stupidest move Apple has ever made and in the end they will loose. Bitcoin is here to stay and today the big companies fight mean shit, the users will decide what payment system and what coins to use to pay for their goods and services and if they choose Bitcoins and that merchant does not support it, the user will go to another site and still use Bitcoins- Big technology company wars don’t work the same anymore because now the consumer has choices and will decide Bitcoins or Dog-e-Coins not Apple or MicroSoft - gAtO oUt
Aug 5 the FBI snakes in Freedom Hosting and put a number of websites out of business in the Dark Web. They let the flames go out that they caught a bunch of Pedophile sites with that bust, but it does not seem so.
The Attack on the Dark Net Took Down a Lot More Than Child Porn - http://gawker.com/the-attack-on-the-dark-net-took-down-a-lot-more-than-ch-1081274609 – gAtO contribute to this article–
Aug 19 – Millions of Tor Clients start to go up in numbers. What’s this all about, we get a bunch of Tor clients just hanging around doing nothing in Tor. Some say it’s a Bot-net or something like that. Then it growns 4, 5 million Tor users and the last week or so it starts to go down again. So what is all this about all these Tor Clients and the Tor- Botnet?
Oct 3– Silk Road get’s taken down, Oh the FBI had a copy of the Silk Road servers back in June just before the AUG 5 take down of FH by the FBI. So the Feds had Silk Road all this time and this is all they can do, can’t even get a few Bitcoin wallets- what a cluster fˆ%k—//
Now you got NSA saying that Tor is cracked and the bad guys cannot use it. They claim that they can hack Tor anytime and anywhere with documents that a summer student left on how to hack the Tor network back in 2006. By the Way – most of these hacks do not work in Tor, maybe on a regular network but not on the Tor network.
So now gAtO goes in search of Tor sites and a lot of sites went down by hook or crook —BUT someone has started to replace these Tor Hidden Websites in the Tor Network – But something is FuNnY – all these sites us the same web templates -
So now you can take a walk down memory lane and see all the older Tor-Websites have gone away and new ones have magicly re-appear.
Now if this was the only place were this has happens OK sure, but at other Tor- Wiki Tor Link sites you will see the same thing – Commercial sites are all FuNnY and all the non-commercial Tor-websites are Tango Down.
So now Tor goes round and round but nobody knows what the heck is going on- In the Tor network – The Deep Dark Web run by Criminals or the FBI – you can answer these questions yourself by visiting the site –trust but Verify– – ((not me))– gAtO oUt
Silkroad Seized Coins Addresses are identifiers which you use to send bitcoins to another person.
gAtO fOuNd – the Bitcoins Silk Road MASTER Wallet – number #####
Checkout the blockchain link - https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
Taint Analysis 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
Taint is the % of funds received by an address that can be traced back to another address.
This pages shows the addresses which have sent bitcoins to 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX. The data can be used to evaluate the anonymity provided by a mixing service. For example Send Coins from Address A to a Mixing service then withdraw to address B. If you can find Address A on the taint list of Address B then the mixing service has not sufficiently severed the link between your addresses. The more “taint” the stronger the link that remains.
Find Related Tags
This tool can help find known addresses which could be used to reveal the identity of a number of target addresses.
This wallet contains a very large number of unspent outputs. Please consolidate some outputs
So the question becomes who is taking Bitcoins from Silk Road Master Bitcoin Wallet – click on the transaction and find the geo-location of money going out of SR BTC wallet every 20 seconds at a time, 5, 10 little numbers of BTC add up when you spread them out -
Block Chain gives you all kinds of ways to look at all this Bitcoin Data from Silk Road – With every Address of the user wallets, and all kinds of transactions informations, gAtO can find some of these SR-vendors geo-location and so can LE…we can do all kind of things with this data — have fun-gAtO oUt
gAtO lOOkInG - at the Tor-network intelligence, how does it do what it does. Tor takes volunteers Onion-relays and organizes them into different categories they are called “flags” -
— known-flags Authority BadExit Exit Fast Guard HSDir Named Running Stable Unnamed V2Dir Valid —
Of course there are only now 10 authority flags-servers own and controlled by some of the top people in the Tor-project community. These 10 Authority-relays control all the intelligence that Tor need to run and keep everything working automatic. Every few hours these relays gather the OR-relays and depending on how long they have been turned on, how much bandwidth they have what version of Tor-software and OS they have and put this together into one document then it does a calculation and assigns flags to the 3,500 or so volunteer OR-relays throughout the world. After it’s all said and done they produce a “Consensus Document and sends this information to every HSDir -OR-relay so that clients can find hidden service websites in Tor. The HSDIR relays have all the DNS information to find Tor-hidden service -websites…//
consensus document – May-2013
valid-after 2013-05-17 12:00:00
fresh-until 2013-05-17 13:00:00
valid-until 2013-05-17 15:00:00
voting-delay 300 300
known-flags Authority BadExit Exit Fast Guard HSDir Named Running Stable Unnamed V2Dir Valid
params CircuitPriorityHalflifeMsec=30000 UseOptimisticData=1 bwauthpid=1 pb_disablepct=0
dir-source tor26 14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 184.108.40.206 220.127.116.11 80 443
contact Peter Palfrader
dir-source turtles 27B6B5996C426270A5C95488AA5BCEB6BCC86956 18.104.22.168 22.214.171.124 9030 9090
contact Mike Perry <mikeperryTAfsckedTODorg>
dir-source maatuska 49015F787433103580E3B66A1707A00E60F2D15B 126.96.36.199 188.8.131.52 443 80
contact 4096R/23291265 Linus Nordberg <email@example.com>
dir-source dannenberg 585769C78764D58426B8B52B6651A5A71137189A dannenberg.ccc.de 184.108.40.206 80 443
contact Andreas Lehner <firstname.lastname@example.org>
dir-source urras 80550987E1D626E3EBA5E5E75A458DE0626D088C 220.127.116.11 18.104.22.168 443 80
contact 4096R/4193A197 Jacob Appelbaum <email@example.com>
dir-source moria1 D586D18309DED4CD6D57C18FDB97EFA96D330566 22.214.171.124 126.96.36.199 9131 9101
contact 1024D/28988BF5 arma mit edu
dir-source dizum E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 188.8.131.52 184.108.40.206 80 443
contact 1024R/8D56913D Alex de Joode <firstname.lastname@example.org>
dir-source gabelmoo ED03BB616EB2F60BEC80151114BB25CEF515B226 220.127.116.11 18.104.22.168 80 443
contact 4096R/C5AA446D Sebastian Hahn <email@example.com>
dir-source Faravahar EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97 22.214.171.124 126.96.36.199 80 443
contact 0x0B47D56D SiNA Rabbani (inf0) <sina redteam io>
r ididnteditheconfig6 AB+dZViiymIEpTtbx+9cX5Y32i0 sjraCwjE8lzInizQ0UPqTI1AHkE 2013-05-17 10:29:13 188.8.131.52 9001 9030
s Exit Fast Running V2Dir Valid
v Tor 0.2.3.25
p accept 20-23,43,53,79-81,88,110,143,194,220,389,443,464,531,543-544,554,563,636,706,749,873,902-904,981,989-995,1194,1220,1293,1500,1533,1677,1723,1755,1863,2082-2083,2086-2087,2095-2096,2102-2104,3128,3389,3690,4321,4643,5050,5190,5222-5223,5228,5900,6660-6669,6679,6697,8000,8008,8074,8080,8087-8088,8332-8333,8443,8888,9418,9999-10000,11371,19294,19638
r MukiMukiAmaguri ADwuo9jHaHhVHIjp8/rSBaoXkj8 qZ48RT3ftleevrpO/kNy1qeBAS0 2013-05-16 18:16:19 184.108.40.206 9001 9030
s Fast HSDir Running Stable Unnamed V2Dir Valid
v Tor 0.2.2.39
p reject 1-65535
r= Version of Tor- -OS -timestamp -IP address
s= Flags of the Onion-relay
w= bandwidth that the relays has
p= Exit relay information
The 10 servers on top of the documents are the Tor- Authority the servers that have all the real power in Tor controlled by – SiNA Rabbani (inf0) <sina redteam io> – Sebastian Hahn <firstname.lastname@example.org> – Alex de Joode <email@example.com> – arma mit edu – Andreas Lehner <firstname.lastname@example.org> – Linus Nordberg <email@example.com> - Mike Perry <mikeperryTAfsckedTODorg> – Jacob Appelbaum – Peter Palfrader <firstname.lastname@example.org> -
These are the real master of the Tor network nah… just joking it’s in the code- gAtO oUt
There is a small set (say, around 5-10) of semi-trusted directory authorities. A default list of authorities is shipped with the Tor software. Users can change this list, but are encouraged not to do so, in order to avoid partitioning attacks.
Every authority has a very-secret, long-term “Authority Identity Key”. This is stored encrypted and/or offline, and is used to sign “key certificate” documents. Every key certificate contains a medium-term (3-12 months) “authority signing key”, that is used by the authority to sign other directory information. (Note that the authority identity key is distinct from the router identity key that the authority uses in its role as an ordinary router.)
Routers periodically upload signed “routers descriptors” to the directory authorities describing their keys, capabilities, and other information. Routers may also upload signed “extra info documents” containing information that is not required for the Tor protocol. Directory authorities serve router descriptors indexed by router identity, or by hash of the descriptor.
Routers may act as directory caches to reduce load on the directory authorities. They announce this in their descriptors.
Periodically, each directory authority generates a view of the current descriptors and status for known routers. They send a signed summary of this view (a “status vote”) to the other authorities. The authorities compute the result of this vote, and sign a “consensus status” document containing the result of the vote.
Directory caches download, cache, and re-serve consensus documents.
Clients, directory caches, and directory authorities all use consensus
documents to find out when their list of routers is out-of-date.
(Directory authorities also use vote statuses.) If it is, they download
any missing router descriptors. Clients download missing descriptors
from caches; caches and authorities download from authorities.
Descriptors are downloaded by the hash of the descriptor, not by the
relay’s identity key: this prevents directory servers from attacking
clients by giving them descriptors nobody else uses.
All directory information is uploaded and downloaded with HTTP.
[Authorities also generate and caches also cache documents produced and
used by earlier versions of this protocol; see dir-spec-v1.txt and
dir-spec-v2.txt for notes on those versions.]
gAtO pLaYiNg with words in Tor- We just simply counted the number of times a word appeared in our search engine by pages- this is something every search engine does but what it gave us was a picture of what Tor really is. It’s not all crime and ugly but information is number one in Tor. Exactly what it’s supposed to be. Tor was created to share information from the table below we see lot’s of stuff inside Tor.
Tor word data points: We put this report together to see what our word count occurrence was, in our crawled data so far. The chart below gives an interesting picture of the Tor data points that it generates.
We are finding that these are the best categories to put our websites into. The words by site occurrence speaks volumes to understand trends in Tor. For example it shows i2p network in Tor 2 notices above drugs in Tor. Because i2p is fast being intwined with Tor to get better anonymity.
- These are real data point based on 3/27/2013-4/3/2013 – this is a live report from our crawls.
- As we crawl and add more data our picture will change as to the landscape of Tor.
- Bitcoins is the fourth most popular word – currency in the Dark Web is number 1
- Bitcoins are above SEX tell us volumes in that bit coins are the normal exchange currency in Tor.
- Fraud and piracy are the lowest were we would except it to be much higher, People trust more in Tor.
This map does tell us that crime is everywhere in Tor at a more alarming rate than we though.
We are doing the same in the e-mail we found in Tor. In the email table is a place where we can get a better picture of emails in the Tor network. Not all of them go to tormail.org as we thought. As mentioned more i2p and connections with other anonymous networks seems to be a trend, as the growth rate of Tor users increase so is the technical base and more sophisticated users will come on board.
Hope this gives you a better picture of Tor. -gAtO oUt
gAtO fOuNd – this very interesting and wanted to share -
Tor does some things good, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.
Try them! You may even find something interesting you cannot find on Tor!
These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.
- Tor – Fast anonymous internet access, hidden websites, most well known.
- I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
- Freenet – Static website hosting, distributed file storage for large files, decentralized forums.
Also anonymous networks, but less used and possibly more limited in functionality.
- GnuNet – Anonymous distributed file storage.
- OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
- RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
- Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.
These are anonymous networks, but are not open source. Therefore their security and anonymity properties is hard to impossible to verify, and though the applications are legit, they may have serious weaknesses. Do not rely on them for strong anonymity.
- Osiris – Serverless portal system, does not claim to provide any real anonymity.
- Phantom – Hidden Services, native IPv6 transport.
- GlobaLeaks – Open Source Whistleblowing Framework.
- FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
- Telex – A new way to circumvent Internet censorship.
- Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
- Hyperboria A distributed meshnet built on cjdns.
These are internets overlaid on the internet. They provide security via encryption, but only provides weak to none anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.
- Anonet – AnoNet2, a more open replacement for AnoNet1.
- dn42 – Another highly technical routing community.
- CJDNS, an IPV6 overlay network that provides end to end encryption. It is not anonymous by itself.
- Netsukuku – A project that aims to build a global P2P online network completely independent from the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is in progress of being built.
- Many other wireless communities building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe. see also
- Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
- OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
- Dot-P2P – Another decentralized DNS service without centralized registry operators (at July 18, 2012 page is not accessible and has not known anything about the status of project from February 2011).
gAtO ThInKiNg - a car GPS works very simple, It takes the delay time from one geo-positioned satellite and compares is to another geo-positional satellite and estimates the position of the GPS in my CAR – I think they call it satellite triangulation or something cool, it’s been done with radios to guide pilots navigate ever since they developed radios. We do it with satellite and we can use networks too.
With a simple command you can get the time it takes to crawl a website, so you have one server in the U.S one is South America, one in Europe and one in Asia and we run the same command getting the delays from each location. I bet with a little math and some basic network tools we could figure out the geo-location of any given website in Tor. One of my good mentors told me that in my crawls I was capturing timing information, we all see timing information with a simple ping command in the clear web but in Tor – UDP is unsupported so it does not work -//- we must take into account the Tor network thru-put and utilization bit that’s easy to get from a number of Tor tools.
Reverse triangulation of a network server should be easy to find with a little math, just take a good sample and the longer you wait the more data you collect and the better the chance you can find a geo-location of a website. We do this in the clear web all the time we can see bad areas of the world that are bad spammers, and other like mail from Africa Prince Scams offering you millions if you send them some money to cover the transfer, or Russian and Chinese phishing attacks. So we know geo-location and some IP are more prime to bad actors and we can draw a profile, a geo-location of a place and/or country or an ISP so not having the IP of a Tor server may not be neededto find them we could use network triangulation. “triangulated irregular network ” So the same thing can be done with networks and timing delays of data back and forth from a // client <–> Tor OR <–>server.
I got a crazy Idea that may or may-not work, but it sounds good—// so— Now if I can only find a government grant and a good math major to help out and we have a big business model to find the bad guy’s geo-location even in Tor - gAtO oUt…