31 July 2014

How secure is Tor?

Today I retweeted a tweet from Kenn White (@kennwhite):

SV [Silicon Valley] tech writers flip out after discovering Tor was created by the Navy & gets State Dept grants.

Wait till someone tells them about Arpanet.

For the uninitiated, Tor is a service for making online communications anonymous, to foil things like state efforts at surveillance. ARPANET was a technical precursor to the Internet created by the Advanced Research Projects Agency (ARPA) of the US military. This is a reference to the suggestion that many have made that US government funding for Tor is a sign that it may not be as secure as it purports to be.

I forwarded this tweet because it nicely summarizes the double-edged naïveté implicit in being shocked by Tor's funding. On the one hand, seeing the hand of state surveillance lurking under Tor because of its funding sources can be read as a manifestation of a kind of paranoia. If that connection indicts Tor, don't the Pentagon origins of ARPANET indict the whole of the Internet? On the other hand, the forces arrayed for state surveillance are demonstrably so powerful that one is tempted to ask “is that too paranoid, or is it just paranoid enough?”

On my Facebook feed, this inspired a lively discussion between Vinay Gupta, a “global resilience guru”, and Billings, a web security professional who reminds us that he is not speaking for his employer here. They are both people I respect very highly.

The discussion seemed useful to share with the world, so with the discussants' permission, here's a lightly-edited version.

If you just can't get enough of this stuff, I also have Quinn Norton's article Clearing The Air Around Tor, which gives a pretty accessible explanation of the Tor mechanics behind Billings' argument that its funding sources do not indict its security.

And an update:

Yasha Levine has a question they couldn't ask at a Tor presentation:

There was a lot of talk on stage today about using Tor as a tool of freedom and liberty on the Internet. But there is another side of Tor that was never mentioned: Tor as a regime change weapon — a tool of soft power used by the United States government to destabilize countries it considers hostile to its economic interests: Iran, China, Russia, Belorussia. This regime change function is why Tor continues to receive over 90 percent of its funding from US government agencies like the State Department and the Pentagon, agencies that are responsible for so much of the death and destruction in the world today.

So my question is: How do you people at Tor reconcile these two sides of your product? Is Tor about Internet Freedom? Or is it about empire and regime change?



Gupta
The thesis that internal conflict in the US government is so enormous that the NSA is unable to stop the US Navy funding something which effectively makes many of the NSA's operations impossible seems, to me, to be a less likely hypothesis than “Tor is another Crypto AG.”

You pays your money, and you takes your choice.

Wikipedia: Crypto AG back-doored machines

By the way, just to clarify, I'm not accusing Tor of consciously cooperating with the NSA. Rather, I think their technology must be flawed on the basis that the USG would not fund them if Tor did what it said on the can, and there is very good evidence that the USG loves people to use broken cryptography presuming it to be secure.

None of this involves a detailed technical analysis of Tor: it's a political rather than a technical analysis. And I could be wrong.

But so could they.

Billings
Well, except I actually know and work with core Tor developers and they both edit the code and are definitely not government shills. These people are not poor security engineers either (quite the contrary). The fact is that parts of the US Navy intelligence apparatus and others have used it to cloak their own activities and have a vested interest in keeping it secure. If only government stooges used it, then you'd know anyone coming out of a Tor node was a government stooge. If they do use it, they don't want to be tracked either.

Gupta
So we're left with the hypothesis that the Navy is paying them to thwart the NSA. I just don't buy it: a vastly more historically plausible analysis is that the NSA has good techniques for circumventing Tor, and is quite happy for the Navy to continue selling people rope, with which the NSA can later hang them. That's consistent with historical intelligence practices and the available evidence.

Billings
And the reason why the stolen Snowden docs often reference the NSA bitching about Tor is just COINTELPRO and Snowden works for them? The NSA basically says that it is a good thing that most people are so poor at opsec and they can break stuff in other places because they can't break Tor itself.

That said, if an entire nation state apparatus wants to watch Tor, they can probably watch enough end nodes eventually to nullify much of the anonymity. Tor folks are pretty aware of that and have spoken about it publicly. Without any evidence though, I generally treat people saying Tor is secretly broken as FUD, especially when the other evidence we do have contradicts that.

To quote from NSA targets the privacy-conscious:

As revealed by the British newspaper The Guardian, there have been repeated efforts to crack the Tor Network and de-anonymize its users. The top secret presentations published in October last year show that Tor is anathema to the NSA. In one presentation, agents refer to the network as “the king of high-secure, low-latency internet anonymity”. Another is titled “Tor Stinks”. Despite the snide remarks, the agents admit, “We will never be able to de-anonymize all Tor users all the time”.

I admit that this is a personal bugaboo of mine, since I know many of the Tor folks personally (and their integrity) but most of these discussions seem to run along the lines of “but but but they get most of their funding from the US government and no one ever told me that the Navy started Tor so it must all be a trip/track/setup by the government.” Other than the fact that they get money from the government, I've yet to see any proof of this offered though. I recognize Vinay is drawing the distinction with them knowingly being tools and unwittingly being tools though.

Gupta
Snowden has released nothing about cryptography so far: nothing about which ciphers can be broken. This is probably because the NSA keeps its data in tiny little boxes, and people in one box don't get to know what's going on next door. The psychology of reflexive defence of Tor while ignoring the funding paradox is simply exactly the mindset which security people love to exploit when breaking things.

Dream on.

Billings
If Tor was something the NSA had broken, they would not be doing internal presentations and circulating reports bitching about how they couldn't easily de-anonymize people using Tor. That is unless you're arguing that rank and file NSA spooks don't know the initiatory secret of the secret inner order, which knows that Tor is broken but doesn't bother to tell the NSA. I mean, these are internally circulated documents between NSA folks, not for Congress, etc.

Billings
To be clear, Snowden has released everything as of a year ago. Greenwald and the technical people, like Schneier, haven't released the information that they have. BTW, the defense isn't reflexive. My day job is in security for a browser used by hundreds of millions of folks.

Gupta
Wait, wait, hoooold on. “The NSA” is not a monolithic object. It's a sea, a foam, of little security compartments. Snowden has (as far as current data suggests) no access to the math, the crypto, the network analysis and all the rest of it. He's got brute infrastructure stuff because that's what was in his compartment.

Billings
So the NSA (meta) allows its agents to fail to catch people by not telling them that Tor is actually broken to the point where said agents do presentations, author reports, etc. to other NSA agents complaining about Tor?

Because we have seen those complaints.

Gupta
The entire point of the NSA's security compartments is so that a Snowden or a spy can't get the entire ball of wax. It's routine for one part of the org to slave for decades on a problem that another part of the org has already solved, for example. Their approach is not polite, it's battle testedly irrational. And well documented.

Billings
Of course, if the NSA were well compartmentalized, a 29 year old contractor wouldn't have hoovered up probably more than a million documents from different programs. Clearly, he was able to get past plenty of walls.

Gupta
Consider Coventry: the UK had broken the codes, they knew the bombing was coming, and they took the hit anyway. That is what cryptography is about, really. It's that depth of strategy that's the core to understanding what you see in front of you.

Nothing on the math, nothing on ciphers they've broken = he was nowhere near the crown jewels.

Billings
Or Greenwald et al simply haven't found it juicy or safe enough to release yet. They are redacting to avoid, in their opinion, getting folks killed or endangering “acceptable” things.

I still think if Tor was that broken by the NSA, their agents would be actively breaking it, not complaining to each other internally about how they had to do various workarounds to figure out who folks are.

So, if they're saving that trick and keeping it for the 40th level NSA wizards, then their agents still haven't broken Tor because they don't get to know.

Gupta
Your model of the NSA is not the same as my model. I think my model of the NSA is better founded on historical evidence. I just can't see (knowing what we know about the history of cryptography as used by intelligence agencies) how you can justify your faith in the security of a tool they are paying for. The sweet spot has always been “let the Rubes think they are using encryption” and then read their messages and gather at will. That has not changed in centuries.

Billings
So it comes down to “We have no evidence it is broken but because government groups pay for much of it, it is inherently untrustworthy” then? I'm not saying it isn't an argument that rational folks would make, just not one I'm buying.

Gupta
Do we have no evidence that it's broken? Surely “We will never be able to de-anonymize all Tor users all the time” is clear reporting that, indeed, Snowden's team can get some Tor users some of the time. How many? How much does that matter? Do we have statistics on this? So that's the first line.

Billings
Except we also, from the same slide decks and other events, know how they de-anonymize users. I could find you articles if you wish but it basically comes down to “people suck at operational security and do a bunch of other stuff to identify themselves, no matter that they went through the Tor network on the way.” See how they tracked down the Dread Pirate Roberts or that fellow running a Tor hidden service in Ireland. Poor opsec, which is a relatively well understood issue. We are also aware of a number of attacks involving watching a certain percentage of end nodes or of running a certain number of nodes, en masse, and correlating traffic. Again, the guys working on Tor aren't idiots, are aware of these problems, and working to address them. You saw yesterday's news about Tor middle nodes, right?

Tor security advisory: “relay early” traffic confirmation attack | The Tor Blog
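Billings' point above about "watching a certain percentage of end nodes" has a simple quantitative shape that neither side of the discussion spells out. The following is an added illustration from the editor, not part of the Facebook thread and not Tor's own code: it models how the fraction of relays an adversary can observe turns into end-to-end traffic-confirmation risk, and why Tor's use of persistent entry guards caps that risk instead of letting it grow with every new circuit. The model is deliberately simplified and the simplifications are assumptions: relays are picked uniformly at random (real Tor weights selection by bandwidth), and an adversary seeing both the guard and the exit of a circuit is assumed to be able to correlate timing and volume. Relay counts and circuit counts are constructed values.

```python
"""Added illustration (not part of the discussion above): how the fraction of
Tor relays an adversary can observe translates into traffic-confirmation risk.

Model, stated as an assumption rather than Tor's actual path-selection rules:
relays are picked uniformly at random (real Tor weights by bandwidth), and an
adversary who sees both the entry (guard) and the exit relay of a circuit is
assumed to be able to correlate the flow's timing and volume and link client
to destination. All sizes below are constructed, not measured.
"""
import random


def analytic_exposure(c: float) -> float:
    """Per-circuit probability that both ends are observed when the guard and
    exit are chosen independently and a fraction c of relays is hostile."""
    return c * c


def cumulative_exposure(c: float, k: int, persistent_guard: bool) -> float:
    """Probability that at least one of k circuits built over time is fully observed.

    Without a persistent guard each circuit is an independent c*c gamble, so
    exposure climbs toward 1 as k grows. With a fixed guard the client is
    either never exposed (good guard, probability 1-c) or exposed once an exit
    lands on a hostile relay (probability c per circuit); the ceiling is c.
    """
    if persistent_guard:
        return c * (1.0 - (1.0 - c) ** k)
    return 1.0 - (1.0 - c * c) ** k


def simulate_exposure(c: float, n_relays: int = 1000, n_circuits: int = 20000,
                      seed: int = 1) -> float:
    """Monte Carlo check of analytic_exposure over a constructed relay set."""
    rng = random.Random(seed)
    # Constructed: the first n_relays*c relay ids are the hostile ones.
    hostile = set(range(int(n_relays * c)))
    observed = 0
    for _ in range(n_circuits):
        guard = rng.randrange(n_relays)
        exit_ = rng.randrange(n_relays)
        while exit_ == guard:  # a circuit never uses the same relay at both ends
            exit_ = rng.randrange(n_relays)
        if guard in hostile and exit_ in hostile:
            observed += 1
    return observed / n_circuits


if __name__ == "__main__":
    for c in (0.01, 0.05, 0.10):
        print(f"c={c:.2f} per-circuit exposure: analytic={analytic_exposure(c):.4f} "
              f"simulated={simulate_exposure(c):.4f}")
        print(f"         after 500 circuits: rotating guard="
              f"{cumulative_exposure(c, 500, False):.3f} "
              f"persistent guard={cumulative_exposure(c, 500, True):.3f}")
```

The point the numbers make is the one Billings gestures at: a small hostile fraction gives a small per-circuit risk, but a client that rotates entry relays on every circuit will eventually be caught with near certainty, whereas pinning a guard makes the long-run risk roughly equal to the chance that the guard itself was hostile. This is a defender's model of the exposure, not a description of any specific attack the advisory linked above concerns.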

Gupta
The second line is this: deception is the normal practice of intelligence agencies. To take what they are doing at face value, to believe one leak as the entire story? “Now we understand?” My god. Read the history of intelligence operations. Look at “The Double Cross System.” Look at Angleton. The Cambridge Five. You can't just puddle through this stuff taking a single NSA document as an absolute verification of Tor's relationship to the NSA: that's what one team knew at one time, in fact, it's not even what they knew it's what they chose to write down. You just can't look at intelligence data this way and be on secure ground. It's not how these people operate.

Billings
Differences of opinion are simply uninformed, as opposed to making rational decisions that don't happen to match yours.

I'd be more strongly convinced that, for example, maybe one of the Tor founders, like Roger, might be a secretly paid agent maintaining Tor access for government this whole time (though I don't believe it) than proof by lack of proof.

Gupta
These people are your opponents. They're very, very good at these games. We know a little about what they were up to 50 years ago from WW2 releases. Do not assume, not for one minute, that the games we are entangled in now are any less sophisticated, Machiavellian and manipulative than they were in WW2. The UK government ran every single spy the Germans had on UK soil. This is the caliber of the deceptions operated by the same mechanisms we are being asked to take at face value re: Tor's funding streams. I cannot buy it.

Billings
Yes, I think your position is clear. Me? I require some actual evidence beyond “they get money from the government” as proof they are pwned.

Gupta
It is very easy to assume that our model of the technological capacities of the NSA is accurate, too. But on the math side they've had close to a 20 year head start on the two occasions when we have good evidence of their know-how (hardening DES against differential cryptanalysis, and RSA being developed at GCHQ). Is it possible that they're unwinding Tor with math we won't see in public for another decade or more? Quite possibly. Could they be routinely owning all of the network nodes that relay traffic they want to see, using some kind of low-level hardware exploits or even plain old OS bugs? We don't know. But unless you ignore the entire history of intelligence agency operations around cryptography you cannot take this story at face value. It's not remotely justifiable.

It's really cute to tell the story of the US government needing a security tool, so they hire hackers to build one, and it protects us and it protects them just the same. But, for god's sake, when has the USG EVER created a level playing field in something as sensitive as cryptography? It just DOES NOT HAPPEN. Not the way the institutions work. I cannot believe the level of political debate around the Tor funding stream: it's as if nothing was learned from watching the past 50 years: everything since ENIGMA is admissible as baseline data on the NSA's modes of operation. Use it.

Billings
Who is taking it at “face value”? My evaluation is based on a lot of sources, including week to week working with developers at Tor as they ship their Tor Browser based on the code of Firefox, where I work. If people offer actual evidence that Tor is broken, I'll evaluate it but I haven't seen any.

Gupta
facepalm

Billings
Rational people can hold a differing evaluation of the evidence, Vinay.

Gupta
Wrong standard of proof. Wrong. Wrong. Wrong. Your adversary is doing everything humanly possible to make sure that you do not get evidence that the system you are working on is broken. Their entire modus operandi throughout their history is to leave systems in place which people assume are secure, and then read whatever it is they like that goes over those wires. That's the goal state for the NSA. They're good at cracking systems, and they're good at concealing that those systems have been cracked. Those are two halves of a whole.

Billings
Good at concealing it from their own agents too, it seems. Anyway, I'm done here. We're just repeating ourselves and I have no expectation of convincing you. I expect people will use Tor if they feel they can trust it and to use ... nothing ... if they feel they can't. No one is going to be convinced by further debate here.

Gupta
Yes. That's standard operating procedure for most of these agencies. Of course they conceal things from their own people, and lower level folks die in gutters because they didn't know the higher clearance data that would have saved their lives. Standard standard standard. That's how intelligence works.

Billings
I will say that if the NSA has broken Tor but they don't tell their agents, pretend it isn't broken, and ignore everyone but people like Snowden or Chinese master spies in order to maintain that facade then, for all functional versions of reality, it isn't broken until someone becomes important enough to blow their cover. I'm not Osama Bin Laden. If the NSA wants to watch me but not tell their agents they can break Tor so I'm anonymous to them through it, then I'm still effectively anonymous. (That said, I'm not doing anything that would actually get me in trouble so there is that.)

Gupta
Parallel construction. You peel the data out of the cracked system, and then you use it to target efforts using in-the-open technologies or you “stumble” on some lucky happenstance that lets you nail your targets. This is much more the way these things are done.

Billings
Well, clearly you're smarter than everyone else in the security community. You should contract out.

Gupta
I did. You do know that I did a contract for NSA, don't you? Designed a genocide-resistant biometric ID card scheme pointed at Iraq and Afghanistan.

Cheap ID

Never had a clearance, never went through the wire, and never worked on anything that I did not publish: that was the deal I cut.

Billings
Yes, you mention it once or twice a year. I'm aware.

All I do is work to make sure your web browser stays unowned.

Gupta
So just consider that I might know what I'm doing, and have done my research on a rather broader landscape than the technical security analysis which most of the people playing this game are doing. The actual domain of operations is far wider than most people consider, and the result is that we lose nearly every round of conflict we have with the State about civil rights. We have to think more deeply, and we have to trust far, far less.

Billings
Your concerns and mine are slightly different as a homeowner with a mortgage, a spouse, a daughter entering college in a month, and other typical midlife stuff. The state isn't my enemy. Aspects of it may be but I value law and order as well as general stability. I'm not a revolutionary and have little desire to be if it means actual open warfare, death, and suffering for folks. I don't want to live in a fascist police state but I also don't want to live in some anarchist or libertarian dream world either. I'm also a pragmatist, as doing this stuff for a living will make you.

Gupta
Doing which stuff for a living?

Billings
Working in information security as my day job ... When you contact [my company] about a security bug or a zero day, I'm one of the main people with whom you deal and I'm the process guy that works to make sure things get fixed and out the door in an organized fashion, as well as evaluating the issues (with the developers). I also started the first Oakland hackerspace, which isn't directly security related but you'd be amazed at the kind of people who come through our door.

Gupta
I spent my last six months writing software for representing complex strategic situations for analysts to discuss. Would have been FOSS too, but the project ran into Issues. Hence I have a different perspective on these things.

Billings
I understand that you do and I'm not saying your perspective isn't rational. On the other hand, if people disagree with your assessment, it isn't simply because they are uninformed or ignorant of history and security. They may just be reaching different conclusions.

Jonathan Korman
It's almost as if reasonable people may differ.

Gupta
Indeed. But there is a fundamental issue here, which is that we need to be pretty clear about what assumptions we are making when we tell users what is secure and what is not. The analysis which says Tor can be trusted is based on an implicit world model. That world model is useful. As long as people know “we assume X, Y and Z” they can decide if they agree with those assumptions.

“We assume that USG funding of the Tor network does not impact Tor's security in any way” is not something the Tor guys are in any hurry to put on their home page. That bothers me. The responses of the security community around Tor to questions about the funding stream? That bothers me even more.

Here's what responsible handling of that issue looks like: “Yes, Tor is funded by the government. We believe it's because they use Tor, and that their need for Tor outweighs any negative impacts Tor has on their ability to spy on us.” Up front, clear communication about the very real security Need To Know that the USG's funding of Tor represents. Because if the community is wrong, and that money flows because the State can easily compromise Tor in some scenarios, people are going to jail or getting assassinated all over the world. We need to consider this early in the process of advising users on their risks.

Billings
What was Tor's response when you asked them about this in a friendly and mannered way?

Mostly, what I see, is people tweeting (140 chars or less) “OMFG, Tor gets government money and is OWNED!!!!” That isn't going to engender much of a conversation with them.

Gupta
Never gets that far. Every contact I've had with Tor over funding has started with pathologically hostile defensiveness because the problems are really severe. Tor doesn't exist without the State, and if you doubt the State's intention in this matter, the whole project is revealed to be a honeypot for Satan. Who can consider, in all good conscience, that they may have been co-opted by what they despise?

Billings
Huh. I've talked to them about it and it was perfectly friendly. Of course, I didn't open it with implicitly calling them government stooges either.

Gupta
They were probably friendly because you basically agreed with their interpretation of the situation. When pushed from the outside, understandably, they are a little more frayed. Because if they are wrong about this, they are putting all of their users in danger and acting as a Cat's Paw for the NSA.

Not a comfortable position. Not at all.

Billings
Actually, I assume they were friendly because I know them, have talked to them for years, and, again, didn't implicitly imply anything about them. I simply asked about their funding, the questions that have been raised before, etc. I waited for the eye rolling to stop and we chatted. It wasn't a big deal. Of course, if your argument is that they are unknowingly pwned, then it really doesn't matter what they say, does it? That argument says that they can have the best intentions but their technology is so broken (without anyone knowing) that it doesn't matter.

You also have to realize how many tinfoil hat script kiddies and so forth troll them every time this issue comes up on twitter in 140 chars or less without even pretending to want a real discussion. In a lot of ways, it really doesn't matter what they say because a lot of folks make up their mind without even talking to them about it. I'm not sure why the Internet collectively forgets where Tor funding comes from every 12-18 months since Tor publishes all of their tax filings and grants on their website.

Gupta
bah internets.

“Wait, we're using your software to protect us from the government, and it's funded by the government? What the fuck?” Yes, actually, I can see exactly where the script kiddies are coming from. The simple form of this argument is pretty compelling. It may be wrong, but it's not the wrong kind of analysis.

The burden of proof is actually on the Tor project to tell us why we should expect them to be secure, given the agency which funds them. It's a critical security issue which needs open, fair, comprehensive analysis to manage.

I'd even go so far as to call it a flaw: “funded by the enemy.”

Billings
I think they point to their open and vetted code, going back years, along with their complete financial transparency.

Gupta
That doesn't tell us anything about the government's motivations.

Billings
The US government isn't my enemy. The NSA may be but they aren't the entirety of government. I'm a US citizen with ancestors that fought for the Union in the Civil War and in the Revolution. I'm not ready to declare the USA my enemy.

What does it matter what the government's motivations are if the code is secure and isn't inherently flawed? That argument only works if the NSA or someone truly has super secret mathematical voodoo that can crack Tor that they haven't told their own rank and file about and don't use in most cases where they hit Tor (or share with the FBI). The government handed over the project a decade ago.

Gupta
You can be doing your part of the puzzle exactly by the book, and still be part of a bigger picture in which your perfectly innocent, perfectly well-intentioned effort is being used to throw people in jail. And the point is not whether you, or the Tor team consider the USG as their enemy: everybody involved is on US terrorist watch lists, their communications are intercepted and so on. The government treats you as the enemy. And an awful lot of Tor users are living lives which, if subjected to full prosecutorial scrutiny, would wind up in jail cells: bitcoiners for tax evasion, anonymous for site compromises, and so on. Tor is used by an awful lot of people with something to hide, and if it does not hide them effectively, it's software which is deceiving users into acting irresponsibly, regardless of how carefully the project attempts to communicate real risks.

Billings
and yet strangely, we have a lack of prosecutions of these people ...

Gupta
Today.

Gupta
“Where did they get the names?”

Wikipedia: IBM and the Holocaust

Billings
So, given that we're never going to have any evidence proving Tor is insecure or secure in the near term, you're arguing that it simply can't be trusted because of its funding sources. Correct?

Gupta
The fact that people are being put on increased surveillance lists simply for searching for privacy tools matters.

Billings
If so, it really doesn't matter what they say.

Gupta
I'm not arguing anything simply. I'm arguing in depth and with moderate sophistication.

Billings
I'm not sure what evidence that the Tor Project could provide you that would satisfy you as to its safety since even you admit that they may be unwitting tools. There is no response that can satisfy in that case. They could all honestly say that they aren't government stooges and mean it and it wouldn't change anything. Hard to prove a negative.

Gupta
In that case, they have a problem: a glaring security question (“why does the highly intrusive spying-obsessed US government fund you?”) which you suggest can never be answered. Now tell me this: faced with such a conundrum, should users choose to trust Tor or not?

Billings
They've answered that question more than once. You just don't believe/like their answer. I'm sure I can find a blog post by them or an interview with Andrew or Roger that discusses this.

Gupta
I was asking you. I know where they stand: it's their project.

Billings
I use Tor all the time.

Gupta
Do you think users should trust Tor, if this security issue can never be resolved as you suggest?

Billings
I think a calculus can be made and that Tor can be used, yes. Otherwise, why would I use it?

Gupta
So, to be blunt, this is what I feel: with thinking at this level, we will simply never evolve tools for meaningful privacy in the future. We are simply fucked.

There is simply no model I can imagine in which the burden of evidence does not fall on Tor to explain why the US government funders are getting more out of Tor's existence than it (apparently) costs the NSA. That's the core riddle at the heart of the Tor Funding Paradox. If the answer is “gee, looks good enough to me!” then we're simply defenceless against any kind of subterfuge. We're like sitting ducks.

Billings
You've gone and read the responses from the Tor Project and its leader to this question when previously asked?

Gupta
The US government has killed roughly a million people in the past 15 years, and right now it's flying killer robots all over the world to politically assassinate people based on evidence gathered by network intercepts. If the answer, in that context, is “gee, I think we can trust them” then there is simply no hope of a meaningful political response to the world we live in.

What do they have to do? Start putting hippies in death camps?

(other than, you know, the 1+ million people in jail for non-violent drug offences, in an environment which considers prison rape to be a standard part of the punishment protocol for certain demographics)

Billings
You're turning this conversation from a conversation about Tor and its trustworthiness into a referendum on US policy and whether I or other folks approve or support it in various aspects or how we exist as both US citizens and folks with issues with aspects of US government and behavior. That's not a useful conversation here and not one that I would consider to be an intellectually honest turn. I meant to bow out 20 comments ago so I think I will do so now.

Gupta
At a certain point, one's trust in the Government has to be tempered by some realistic perspective on what they are doing.

Gupta
You are essentially saying that you believe the USG's answer to why Tor is trustworthy: “we're using it ourselves, no doubt you can trust us.” Ok, that's fine, but they're also doing this whole “killer robots working on network intercepts” thing on the other hand, at which point maybe we need to re-evaluate the veracity of their initial statements. It's sorta hard to trust mass murderers, isn't it?

Billings
Vinay, please don't construct a straw man and put words in quotes and pretend that I'm saying them. You can infer lots of things but please don't put words in my mouth and then argue with them.

Gupta
At what point do we say “the people that just stalled the global eradication of Polio to do secret genetic testing of a town in Pakistan to find one terrorist leader” are maybe not the best people to trust when we need security software funded?

Is there no connection in your mind between the vast scale of US deception on the field of intrigue to the software that we are discussing? Is there some kind of firewall which separates “how the US government does security work” from “how Tor is positioned?”

This is not a straw man at all: this entire question boils down to “do you trust the US government to tell you the truth about why it funds Tor?”

(I was not using “quote” to indicate you had said something, but to paraphrase complex arguments made by a hypothetical government employee)

Gupta
Add a PS for me, please?

Why don't leaked NSA documents mention Tor funding sources? “Tor stinks” but no query of the US government funding?

That smells so weird to me. So fucking weird.


There's more from Vinay Gupta in a long Storify of a Twitter thread: Tor and security versus espionage thinking.
