It's time you were T0RTT a lesson: Here's how you could build a better Tor, say boffins Academics in Germany say they've found a way to make Tor and similar onion networks more efficient and lower their latency. The crew at Ruhr University Bochum, Universität Wuppertal, and Paderborn University described their technique in a paper [PDF] this week accepted into next year's Proceedings on Privacy Enhancing …
was famously a US navy patented idea...I'm sure that's behind them now
the political prisoner Assange became famous partly after he ran a Tor exit server... probably still an unhealthy thing to do
and Tor has had a surprising amount of 'bug-doors' for the unwary user (typified by unique traffic staining visible by those who have mastery of the internet)...I'm sure that's all been solved
/sarc
"A political prisoner is someone imprisoned because they have opposed or criticized the government responsible for their imprisonment."
Assange was imprisoned for fleeing the country to avoid the justice system, twice. (Fleeing sweden after being told they wanted to arrest him on suspicion of rape, then fleeing the UK when he realised he was going to have to face a court room where the evidence against him would be presented)
As for the current extradition request, sympathy is quite a lot lower than it would have been if he hadn't done what he did prior to these charges being brought. It is also less likely that the US would have brought the charges if he hadn't spent the preceding years taunting the US and bragging about being above the law and able to do whatever the fuck he wanted without consequence.
I would also suggest that you watch one of the presentations (pick one, they said it nearly every time) from the Tor developers describing the architecture and what sorts of attacks it does and does not defend against. Pay particular attention to the attacks it does not defend against part, specifically the one that they stopped mentioning in their presentations after that whole "fuck, now everyone knows about it" thing revolving around just-as-clueless snowy.
Anyone who thinks that Tor makes your traffic undetectable to people like the 5 eyes because it bounces it between multiple endpoints, all of which are on a massive public list, is clueless as hell. It is a glorified proxy system, it is utterly pointless if your adversary is a major western intelligence agency. Or indeed anyone who has the resources to spend 5 minutes unsupervised with your physical hardware.
it seems that the Tor protocol bug-doors were deliberate traffic staining, presumably by someone on the development team - this was fine as I mostly trust 5EYE, knowing them well, but then the IRANIANS noticed these bugs and people/activists who HAD been led to believe that it was magic, suddenly were detained etc...
and as for the political prisoner who is arbitrarily detained, not my opinion, but the same UN panel who have criticised the IRANIANS over arbitrarily detained Nazanin-Ratcliffe have made the call, over quite a time period
https://www.nytimes.com/2016/02/05/world/europe/julian-assange-un-panel.html
https://news.un.org/en/story/2019/05/1039581
https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=24665
I think with several agencies having mastery of the internet, any anomising/cloaking technology will likely have bug-doors, still.
I can refer to some of my own related papers https://ieeexplore.ieee.org/document/6986977
https://ieeexplore.ieee.org/document/7289150
but I respect that other might have a different point of view
"
I mostly trust 5EYE, knowing them well, but then the IRANIANS noticed these bugs and people/activists who HAD been led to believe that it was magic, suddenly were detained etc...
"
Ask yourself which agency is more likely to target a private citizen and do them harm - their own government or a foreign government? The Iranians used the tracing techniques mainly to target their *own* citizens who were critical of the government. They are not really worried about Western citizens saying the same things from their own country, it is the internal threats they take seriously.
The same goes for Western countries - you are far more at risk from your own government should you criticise it or spill its secrets than you are from a foreign government. For a start your own government can "get you" far more easily than a foreign government. Your trust in 5EYE is cute but extremely naive.
You are however safe so long as you do nothing that might make your government (or the high-rollers of your country) feel in any way threatened. But if you do, then while you might not be run over by a bus or suffer an unfortunate attack from a poisonous umbrella (though you might), you could find there are other ways a person can be "neutralised." For example, your PC is found to be full of child-porn or similar obnoxious material, and you are arrested for something that will gain you zero sympathy with others, kill any credibility you may have had, and give you far more to worry about than exposing some dodgy unofficial government policy or dalliance by a member of the Royal family.
Tor was almost certainly released to the public under "leaf in a forest" logic. The bugs that help law enforcement aren't necessarily the kind intelligence agencies would like their assets vulnerable to(and said agencies would have the resources to mount actual attacks should they care to, so the bugs are less important to the anyway).
I think part of the thinking was that TOR would be useful to people in regimes with very locked down and surveilled internet access, eg Iran and China, and that in general, anyone who needed something like TOR in those countries would probably be anti-government, and therefore the enemy of the US's enemy, - a friend. That it's also good publicity, ("look at us helping these people get uncensored internet access!"), probably didn't hurt either.
Also, the more take up it had, the easier it would be for US agents in those (and other countries) to use TOR to hide their traffic without sticking out like a sore thumb.
You honestly believe that a serious government would EVER willingly release current tools? "Hey, I've got a great idea! Let's tell the WHOLE WORLD just how we operate. What could go wrong?"
Just like Google famously opensourced various tools after they moved on, the release of TOR meant that it had outlived it's usefulness for the big boys.
TOR was never a 'tool' in that sense. Anyone looking for suspicious activity will spot it straight away.
This isn't something that their spooks would use, it's something they might pass to a source who they didn't much care about.
Now that it's used more widely, it's possible their spooks might use it as an extra layer of obfuscation.
My guess is they're using libforwardsec for the actual PFS scheme implementation (including the puncturable security). Not much reason to reimplement that, at least at this point; libforwardsec was created by Green and Miers, the authors of the original puncturable-security paper. And libforwardsec is presumably the inner loop on T0RTT's circuit-establishment scheme.
So that would be the place to start, and there's a link to libforwardsec in the article.
libforwardsec uses third-party components - RELIC, GMP, and Cereal. (G&M warn of possible security issues with them.) GMP is widely used and so I assume there's not a lot of fat left to cut from it, but I don't know about RELIC and Cereal.
Also, G&M represent libforwardsec as "certainly better than many academic libraries", which I'd expect from Green, but as he'd be the first to say, that's a low bar. They say they haven't done a thorough review of it, and that probably means they haven't tried to optimize it either.
Of course, optimizing crypto is a dangerous business; you want to avoid introducing side channels and other problems.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
