"Practical onion hacking: finding the real address of Tor clients"

George Shaffer George.Shaffer at comcast.net
Sat Oct 21 14:34:45 UTC 2006


On Fri, 2006-10-20 at 09:53, Fabian Keil wrote:
> George Shaffer <George.Shaffer at comcast.net> wrote:
> > On Wed, 2006-10-18 at 12:47, Fabian Keil wrote:
> > > . . . They aren't attacking Tor, but misconfigured applications
> > > behind the Tor client.
> > 
> > Which they said quite clearly in different words: "Clearly Tor's
> > designers have done a pretty good job: I couldn't find any weaknesses in
> > Tor itself . . . 
> > So instead, I attacked the data which Tor carries the most of: web
> > traffic."
> 
> Please don't quote out of context. I wrote:
> "I also think the title of the paper is intentionally misleading."
>                   ^^^^^

In case you did not notice, I used ellipses (". . ."), the standard
English language notation for omitted content. I considered the part
that I left out an unfounded personal opinion that needed no comment.
Since you seem to want me to address that, I will. For my first comment
the actual title does not matter. You use the word "intentionally" as an
adjective to "misleading." You start with "I also think" so you state
this is opinion, and not necessarily fact, but basically you are saying
that you think the authors are liars. I'm guessing that you have never
met or spoken to the authors, or communicated with them about this prior
to your post. Sometimes it's hard to know our own motives, and harder
still those we know well. In a context like this, we cannot know the
motives of strangers. So you have included an unnecessary pejorative
term with no basis in fact.

The second issue is a matter of fact to be determined. Is the title of
the paper misleading? For that we do need the title. The subtitle is
"Finding the real address of Tor clients." Unless the authors are liars,
and I think they present enough evidence that that is not likely, they
did find 86 addresses in one day. They did exactly what the subtitle
said, so I don't see how it could be misleading.

The main title is "Practical Onion Hacking:" and I expect your point is
that they did not successfully hack, crack, or break the Tor software,
which everyone who read the article already knows. I think the first
word "Practical" is important. I have come to expect, that when I see
practical as part of the title of something in any way related to
computer security, not to expect something esoteric, theoretical, or
even necessarily very technical. What I do expect are topics loosely
comparable to social engineering attacks or dumpster diving. These
obviously have no relationship at all to the technical merits of any
software, but they are part of the black hat arsenal.

If the main title had simply been "Onion Hacking" or "Onion Cracking,"
you would have a point about it being misleading. I think the preface of
"Practical" is the right qualifier to indicate the authors are not
making a head on attack against Tor. I've already seen and considered
the title, which makes it impossible to be fresh or original, but having
seen it, I cannot think of a better title. Thus, I believe you are
mistaken to call the title misleading.

Paul Syverson posted an informative article to this thread, at least to
someone new to Tor like myself. Apparently the people at FortConsult,
who represent themselves as IT security experts, are repeating work that
has been done in the past, without knowledge and/or acknowledgment of
this previous work. That is something it is reasonable to be unhappy
about, but nothing in Fabian Keil's post that I responded to said
anything like that. He did say it was "nothing new" but with no
elaboration or explanation that would help anyone not intimately
familiar with the project, understand what he was referring to.

> > In the meantime
> > though, some users are depending on it for anonymity. You can be sure
> > that someone in Red China, searching for information his or her
> > government does not want them to see, is not likely to have
> > misconfigured or misused Tor for want of trying to get it right.
> 
> I assume you mean the opposite of the last sentence?

I've reread it multiple times, and while it may be complex or even
awkward, I believe I said what I meant and meant what I said. To
rephrase it, those referred to are highly likely to make every effort
they can to get it right, and still some are failing.

> Anyway, there will always be some people who don't
> understand the documentation, or don't even bother to
> read it. That's the case for every product and not a
> Tor specific problem.

But products also vary greatly in how easy or hard they are to install
and/or use, as well as the quality of their documentation. The EFF warns
that Tor is an "advanced" topic, i.e., not one for the technically
unsophisticated. While Tor is easy to use once set up, it is definitely
nearer the hard than easy end of installs. After it was installed there
were at least a couple of places where I said to myself, oh now I see
what they mean. The documentation, though abundant, leaves much to be
desired. Unfortunately that is normally true of resource limited, young
projects. It's also unfortunate that there is not likely any correlation
between the need for anonymity and computer expertise.

> The risks of JavaScript, Flash and friends are mentioned
> several times in the docs.

Haven't the authors of the report that you seem to object to so much
made a dramatic demonstration of this? The products you mention are used
by many content providers, and many web surfers, even knowledgeable
ones, like the "rich" experience and are willing to sacrifice security
and privacy for it. As I was completely unaware of any of the work Paul
Syverson referred to, this report got my attention much more effectively
than the documentation I had seen. To me there is a big difference
between simply stating something can be a problem, and a demonstration
of actual compromises. If any of these older demonstrations are
available online, then perhaps at least some of the references to
applications or products that can compromise the use of Tor should link
to them. If however, this older work remains only in the institutional
memory of those closely associated with the Onion Routing project(s), or
in off-line hard copy, for all practical purposes, the FortConsult
report is new material.
 
> > > It's also a good idea not to trust any exit nodes,
> > > except the ones you run yourself.
> > 
> > If this is true, then the Tor network serves no useful purpose for the
> > large majority of users who don't run Tor servers, let alone exit nodes.
> 
> Why? Just because you can't trust an exit node, doesn't mean
> you can't use it. You just have to be aware that unencrypted
> traffic might have been altered.

We seem to have different ideas about trust. I generally avoid any
security or privacy product I don't trust. If you mean we have to assume
that some (hopefully small) percentage of exit nodes are compromised,
but that the likely (large) majority of good nodes, outweigh the risks,
then we may agree.

> > Besides technical knowledge and
> > connection limitations, there is at least one other valid reason for not
> > running a Tor server. Comcast, the largest ISP in the U.S., has Terms of
> > Use that very clearly prohibit any and all servers, including p2p, on
> > any residential connection. I suspect some other ISPs have similar
> > provisions.
> 
> That's a rather lame excuse. Even if your local ISP doesn't allow
> you to run a Tor server, you can always get your own rootserver
> and run your exit node from there.

I found a number of dedicated hosting solutions where you rent a
dedicated server associated with "root server." These start at $99 per
month. If I had that kind of money to spare, I think it would be better
spent in direct contributions to EFF.org. 

Also, anonymity needs are not likely to correlate with disposable
income. If anything, an inverse correlation is likely. The poor are much
more likely to be engaged in unpopular or anti-establishment political
activities than the well-to-do.

I'm stunned anyone would make such a suggestion. Only someone already
highly committed to Tor would ever consider the time and expense of
such an approach; there is a world of difference between changing a
configuration option, if you have the bandwidth and your ISP allows it,
and what you suggest. Tor needs a mass of users and servers to succeed.
According to the graphs, servers are doubling annually. Trying to make
Tor users without a server feel like second class citizens or simply
unwanted, is a sure route to failure.

There is another reason for not running a Tor server even if my ISP
allowed it. I have a dedicated "stealth" firewall (protecting a personal
desktop with little of intrinsic value). There is no chance I would poke
holes in its configuration. That leaves only adding an additional
machine, outside the firewall in a DMZ. Even if I had sufficient
hardware, and was willing to deal with the routing issues, I'm not sure
that I'd want a computer that announces the presence of a live computer
at my IP address. When I put my security and privacy concerns together,
I'd rather give up Tor than my current security configuration.

There are also the potential legal issues which EFF addresses. In effect
they say they may try to help you if you run into legal problems running
a Tor server, but are more likely to help you assess the situation and
find a lawyer. Engaging quality legal representation to defend against a
serious legal challenge could easily bankrupt a middle income household.

George Shaffer






