Nobody Knows You're a Dog

The security community lives on papers that analyze attacks on security tools. Although these are called “attack papers” they are usually done by people who are trying to help and refine the object of the research.

When an attack paper is published, documenting an attack on the Tor network, it’s often with our knowledge. The authors consult with us for inside info. But invariably, someone on slashdot or other blogs will skim the paper and say “OMG, Tor is broken!”

Using Tor is relatively safe. If there were a published way to attack the network that we thought made it less safe to use Tor, we’d tell you first — since, so far, the authors of every genuinely new vulnerability have told us before their work hit the web. We announce security patches and other issues on or-announce@freehaven.net.

The UColorado/Boulder technical paper is an example of the evolving research in anonymity. Refining well-known attacks from several years ago, the researchers better documented what an attack on the network might look and behave like. They combined a bandwidth overstatement attack with a correlation attack.

They consulted with us on the project. We are aware of these kinds of potential attacks — but such a bandwidth overstatement attack, to be successful, would leave fingerprints all over the Tor directories. We have never seen such an attack “in the wild,” and we think it no more likely that this paper would make such an attack easier or more likely than it was a few years ago when another version of it was documented.

The authors of the new paper have published a FAQ addressing how users should think about their research — they expressed their surprise and regrets at the uproar.
It says in part:

Q0. Most importantly, should we stop using Tor?

A0. ABSOLUTELY NOT! Despite our findings, Tor is the most secure and usable privacy enhancing system available. We believe that the system is safe for end-users, however, the system is experimental and the developers make no guarantees about the degree of privacy that it can provide. Let use re-iterate: Concerned users should NOT stop using Tor.

No internet security is 100%. Tor is not perfect — we’re constantly refining it, in a context of a hugely supportive community of researchers. But we believe we are still the best low-latency (i.e. allowing web surfing, not just transferring a file every few hours) anonymity/privacy one can have online without crossing a line of civility. Your only better option is to buy into a botnet, steal an identity, or participate in some other crime with a victim.

We are currently seeking funding that should help us close these vulnerabilities in Tor (and if you would like to donate or fund Tor development, please contact me!). We have plans to close the bandwidth overstatement vulnerability in the coming months. In the meantime, we watch for attacks on the network, and work to be transparent in our operations.

We appreciate that people care about Tor. If in the future you are worried about some issue in Tor, please feel free to contact us directly. If you read speculation about Tor, please encourage the bloggers to check with us — we’re very blogger friendly, and part of our purpose is to protect bloggers where blogging isn’t safe.
Imagine this scenario — a very small risk documented in a technical paper gets sensationalized in the blogosphere. Some number of dissidents and bloggers in places such as China abandon Tor. As a result, they might be arrested, jailed, or disappeared.

Blogstorms can have real world consequences. Please ponder before you write, critically examine what you read, and ask us for updates.

We have the concept of designing for accessibility for the disabled, but we need to include the idea of designing on the web for accessibility to those who are reaching us through national firewalls, or simply concerned with privacy and security. In cooperation with Reporters without Borders, I’m putting together a guide for safer anonymous use of the Internet, this summer.

Right now, we’re documenting and collecting methods that compromise privacy even with the use of anonymity software such as Tor.

Use of some technologies will make a site inaccessible to people practicing “safe surfing.” For example, people with concerns about strong anonymity will surf with javascript turned off in their browsers. If you are concerned that your site should be accessible particularly to users in countries with free speech restrictions, you need to design a site that does not use javascript for anything crucial to navigation or understanding the site.

Javascript can be “leaky” — as a server-side technology (code that is sent from the web site to be run on the surfer’s machine) the user has no control over what a bit of javascript code will ask for. Javascript can reveal the true IP number of a user shielded by a proxy, among other information.
Another piece of code we advise anonymity users to bypass is the Adobe PDF plug in. At the time I write this, this plug in ignores the proxy settings on the user’s machine, and fetches the file to display in the browser window directly. I’ve sent email to Adobe hoping they’ll fix this problem before we publish our guide in the fall.

If you are a person who plays with network security, we’d like you to find ways that plug-ins, applications and system settings can by-pass proxy settings and compromise user anonymity. Comment here contact us through http://tor.eff.org/. Thanks!

Do you know this man?

AOL user 710794 is an overweight golfer, owner of a 1986 Porsche 944 and 1998 Cadillac SLS, and a fan of the University of Tennessee Volunteers Men’s Basketball team. The same user, 710794, is interested in the Cherokee County School District in Canton, Ga., and has looked up the Suwanee Sports Academy in Suwanee, Ga., which caters to local youth, and the Youth Basketball of America’s Georgia affiliate.

That’s pretty normal. What’s not is that user 710794 also regularly searches for “lolitas,” a term commonly used to describe photographs and videos of minors who are nude or engaged in sexual acts.

Declan McCullagh gives a series of portraits of AOL users from an unsanctioned but not inadvertent file of the search activities of about 650,000 AOL users over three months. Most of them he picks out are far more disturbing and unsavory.

Although AOL did not corporately sanction the publication of this data, it was done deliberately in the interest of research. And although AOL yanked the data from the net, it was mirrored and is still as of the moment I write this accessible with its own search facility on a mirrored site.

Although this huge violation of user privacy is not the product of data retention policies, it’s doubtless that the data retention being implemented in the EU and soon in Canada will result in more and more incidents that represent breaches of privacy in this space. With requirements to retain 90 days of all user data, the EU policy creates an “attractive nuisance,” like laying bait for identity thieves, blackmailers, and other unsavory sorts — in the name of assisting EU authorities in tracing cybercrime.

It will be interesting to see how many portraits such as those Declan extracted will start to crop up from hackers “exploring” the data stores of the EU.

I was talking to Robert Winters this week at the Citizen Media Unconference and he mentioned talking to someone on the Cambridge (MA) school board who just tossed any anonymous messages about school board issues.

He admitted that he devalues any anonymous message. What if it’s from a political shill? Yes, but what if it’s from someone who feels chilling effects against expression?

Since I started working for Tor I’ve heard lots of stories about chilling effects. I can imagine a dozen reasons for people to want to give anonymous feedback to the school board. What if it gets back to my kid’s teacher and impacts her treatment? What if I have a contract with the city? What if I am involved in a private school, but my kid attends public schools — but if I comment, it could be taken to be sniping because of my job?

But even devaluing the feedback is better than tossing it. Go figure — the calculation still works. A political shill giving illegitimate feedback has their feedback devalued, which minimizes damage. But the chilled response gets heard, at least a little, which is better than if that person had never spoken out at all.

Ideally, as trust is built, perhaps the formerly chilled person will contact the school board member in person and say, “I sent you that anonymous message about [this issue], and I want to tell you, I’m glad I did because you did something about it.” It could help build the fabric of participation by allowing a trust-building phase.
Of course, this works for folks like Robert Winters, who would read but devalue the message, but not for the school board member using the round file.

The Washington Post reported Friday that Christine Axsmith, a CIA contractor, was fired for posting in her blog, on a top secret clearance government intranet, that “torture is wrong.”

The day of the last post, Axsmith said, after reading a newspaper report that the CIA would join the rest of the U.S. government in according Geneva Conventions rights to prisoners, she posted her views on the subject.

It started, she said, something like this: “Waterboarding is Torture and Torture is Wrong.”

And it continued, she added, with something like this: “CC had the sad occasion to read interrogation transcripts in an assignment that should not be made public. And, let’s just say, European lives were not saved.” (That was a jab at Secretary of State Condoleezza Rice’s trip to Europe late last year when she defended U.S. policy on secret detentions and interrogations.)

One wonders when the government is going to fire half the authors at the War College, where opinions like this (some based on the authors’ experience with classified information) are far more outspoken.

Mind you, Axsmith posted to peers only, on a top-secret access intranet.

As ZDnet said,

Fired – and threatened with criminal prosecution – for opining that torture is wrong, at a time when that sentiment is official policy.

How’s that for a chilling effect?

When such speech in such a context draws such consequences, what hope is there for real whistleblowers, or people working on true governmental transparency?

The Electronic Frontier Foundation will be sweet sixteen on July 10th this year. Some of us here in Cambridge remember the first offices in Tech Square, before they moved to DC, schismed over the role of lobbying vs litigation, and moved to California. The Center for Democracy and Technology was the lobbying group that remained in DC.

Now, according to this story (widely syndicated through AP), EFF is hiring a couple lawyers away from EPIC to create a new DC branch office again.

In the current climate, we need the EFF more than ever — the cases they handle as the “ACLU of the Net” are increasingly touching everyone’s life, as they confront telco releases of phone records and other headline issues.

Tor‘s mentioned in the article — EFF’s our fiscal sponsor.

— Thanks to Ron Newman for the tip on this story