Delivery-Date: Wed, 22 Apr 2015 15:07:09 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID,T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 3DB671E0A66
	for <archiver@seul.org>; Wed, 22 Apr 2015 15:07:07 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 17A48350C3;
	Wed, 22 Apr 2015 19:07:03 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id D9DB93509C
 for <tor-talk@lists.torproject.org>; Wed, 22 Apr 2015 19:06:59 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id j1vm7bKLfuZn for <tor-talk@lists.torproject.org>;
 Wed, 22 Apr 2015 19:06:59 +0000 (UTC)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com
 [IPv6:2607:f8b0:400d:c09::22e])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id B776735098
 for <tor-talk@lists.torproject.org>; Wed, 22 Apr 2015 19:06:56 +0000 (UTC)
Received: by qkx62 with SMTP id 62so233375681qkx.0
 for <tor-talk@lists.torproject.org>; Wed, 22 Apr 2015 12:06:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sonsorol.org; s=google;
 h=message-id:date:from:user-agent:mime-version:to:subject:references
 :in-reply-to:content-type:content-transfer-encoding;
 bh=jLulKS+kfi/xrCIDnY/aTqJqOSnwrjctKI5W8AmE+z4=;
 b=N1xmbamC5yxkMzv9Wuyw/wTlG3itRgpP9rfifpVhPxz4MuRazcLE8P+9T4xFShMjSd
 j1X3uq9NdAqCsZw4ky/VtjM21l1B60obnFEyQXf3mPbCNE1Y8r6ZoaO66zHn64Zn9WVl
 dqFN+Li5DSc1sC5FDV2manHaGTVpNAqkIaWew=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to
 :subject:references:in-reply-to:content-type
 :content-transfer-encoding;
 bh=jLulKS+kfi/xrCIDnY/aTqJqOSnwrjctKI5W8AmE+z4=;
 b=JbU7XhVz2ZOkKbpbH9T8xvhqrJiJIjP6FdeLXwLTCG6ks5LDCWZzFqLDmAyDU1dVuS
 7AjOY2/UQd1c7jld4GwIkStFVmYZTArka11I1LoKPJFYaliQ2PVeZ72LK95KGpiB1BqF
 IY2peqBGAMhbdN6oBodKPc9GnYfwk9EcOGr+iXDjcXeGXtMMJQxzX5Vt6LYpRXy/06Lq
 361+qeSNh1SOyB8+mDcAp5ADHYoTboFe9J98b4+PmwuaYs87dAH2xQ6UpauqS3a3YYsg
 Kfb97M+5xVxszZ2XBMPszFHIvHPRg4bt5za46K5/TzjDBpSbVJzdyBppMDkqGzYiHCJC
 xraQ==
X-Gm-Message-State: ALoCoQmbpJsrU/F7AZ3mWij4MZeGJFooBCvW6Z+3cbG9aq+uFDHsWq5De4+0q2CRiavjmOzvkxOn
X-Received: by 10.140.152.209 with SMTP id 200mr32328189qhy.34.1429729614292; 
 Wed, 22 Apr 2015 12:06:54 -0700 (PDT)
Received: from mistakeNot.local (gw-bos.sonsorol.net. [50.247.195.121])
 by mx.google.com with ESMTPSA id w17sm4262846qkw.32.2015.04.22.12.06.46
 for <tor-talk@lists.torproject.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Wed, 22 Apr 2015 12:06:53 -0700 (PDT)
Message-ID: <5537F142.7030002@sonsorol.org>
Date: Wed, 22 Apr 2015 15:06:42 -0400
From: Chris Dagdigian <dag@sonsorol.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <CAFN1edqPWLSm-Ru6ZcQwa741YPqXtDOQBZxBnYVmruRhN4NxuA@mail.gmail.com>
In-Reply-To: <CAFN1edqPWLSm-Ru6ZcQwa741YPqXtDOQBZxBnYVmruRhN4NxuA@mail.gmail.com>
Subject: Re: [tor-talk] Quantum Insert detection for everyone
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>


I run a US-based exit node and would be interested in a way to run this 
software without compromising the users exiting my node. Looking forward 
to your additional writeups - especially anything geared towards exit 
nodes and quantum insert detection.

-Chris


> David Stainton <mailto:dstainton415@gmail.com>
> April 22, 2015 at 2:41 PM
> Greetings,
>
> Did you all see this Wired article about Quantum Insert detection?
>
> https://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks
>
> These TCP injection attacks are used by various entities around the
> world (not just NSA!) to target individuals for surveillance or
> perhaps to add their computers to a botnet for other purposes.
>
> If you do not use a VPN or Tor you can run "Quantum Insert" detection
> on your computer and detect when you receive an attack attempt.
> However be advised that proper sandboxing is important here because
> intrusion detection and protocol anylsis tools are notoriously
> insecure and get pwned all the time.
>
> If you are a Tor exit relay operator you have the options of running
> detection software; However you should not publish the results
> publicly without mixing in some noise or your published data might
> make it possible for some adversaries to deanonymize Tor users. If
> your country has strict telecommunications laws then it might only be
> legal for you to perform this type of detection if you do not perform
> logging.
>
> For the past several months... in my free time I've been slowly
> developing a very comprehensive TCP injection attack detection tool
> called HoneyBadger:
>
> https://github.com/david415/HoneyBadger
>
> Quantum Insert is a NSA codeword for "TCP injection attack", however
> either of these terms are too vague. During my research I was able to
> classify 4 different types of TCP injection attack. When I say that
> HoneytBadger is comprehensive what I mean is that Honeybadger can
> detect ALL of these types of TCP injection attack types... I describe
> them briefly here:
>
> https://honeybadger.readthedocs.org/en/latest/
>
> Here's the Fox-IT blog post about their Quantum Insert detection software:
> http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
>
> I am going to work on writing a much more comprehensive blog post; it
> will be filled with gory technical details AND it will include
> information on how to use HoneyBadger. HoneyBadger has optional (off
> by default) full-take logging which could enable you to capture a
> zero-day payload from a TCP attack; you should then responsibly
> disclose to the software vendor or contact a malware analyst to help
> out!
>
>
> Sincerely,
>
> David Stainton
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

