From: grarpamp <grarpamp@gmail.com>
Date: Tue, 7 Jun 2016 00:48:24 -0400
Message-ID: <CAD2Ti283d47uwkY+GK2K=dZbedo9hcm5xkgSsmMpXSY5pRggEg@mail.gmail.com>
To: tor-talk@lists.torproject.org
Cc: cypherpunks@cpunks.org
Subject: [tor-talk] The cheap low risk node majority attack, pki, geoip, etc

On 6/6/16, Steve Kinney <admin@pilobilus.net> wrote:
> Since nobody asked, here's a description of why neither TOR nor any
> other existing or presently planned anonymizing protocol I know of can
> be relied on to conceal a user's identity from the Five Eyes or any of
> several other hostile actors.  I surface this concept every year or
> so, but so far nobody seems interested in discussing it.  Maybe it's
> just too discouraging to think about.  No matter who created it or
> why, TOR and similar mix networks are at best security theater,
> relative to top tier State adversaries.
>
> what if an effectively unlimited number of compromised routers,
> subject to realtime observation and internal manipulation, were
> available to hostile actors?  Game over, I think.
>
> About 15 years ago I used online traceroute utilities and whois
> lookups to determine (roughly) where all the high performing Mixmaster
> remailers were physically located.  Over half of them, including most
> with "exotic sounding" TLDs, were apparently in the state of Texas.
>
> Then I used my data to construct "hard to compromise" chains, routing
> Mixmaster messages through national jurisdictions not likely to have
> comprehensive data sharing between their security services, and
> started sending test messages.  None of these test messages ever made
> it back to me.
>
> So I concluded that, despite its major technical superiority to other
> anonymized networking protocols, the Mixmaster network was most likely
> compromised by passive observation (one owner for a majority of
> reliable remailers) and active intervention (traffic between
> uncontrolled remailers interrupted in transit).
>
> Owning enough of the routers in an anonymizing network to negate its
> security is largely a question of money:  How much budget do you have,
> how certain do you want to be that nobody is really anonymous?

While money can buy shill humans to stand in, as below, it's
costly, and casual human interactions by multiple signers reviewing
them may expose them to risk.

> proxy hosts could be machines owned by "friendly" actors, rooted
> consumer grade routers, purpose built appliances, conventional Windows
> botnets or some combination of these.

Govt seems to have no issue doing such illegal / unethical things.
And they certainly can use their own network, tor, to do it.

> The only defense I can think of is to assure that message traffic
> passes back and forth between mutually hostile national jurisdictions
> before delivery.

This is suggested often on tor-talk. And tor devs continually
pass on it.

> This would be a bit of a hairball to implement

Not really. Tor already loads GeoIP. So 20 or so lines
of code and you've got a separate country for
each hop. A few more lines to define groups like
FVEY / BRICS, hemispheres, regions, AS, etc.
Users could isolate on whatever they wanted.

And a bunch more lines to include attributes as to
"verified to be a human node operator in person"
pki web of trust into the consensus. At least that
way it raises the cost and risk to adversaries who
today just use their Govt credit card to order up
VPS nodes all over the world.

Does it benefit? Tor devs say trust the random node selection.
Others say at least some subset of users know the / their
environment better and could use such tools to advantage.

Tor still refuses to do it.
So like mixmaster, you have to do it yourself.
That sucks.
It could stand to be talked over a bit more.

> have to be taken into account.  But this approach could increase the
> cost and reduce the reliability of Hydra attacks against anonymizing

> Long story short:  If you want to be /really/ anonymous in the
> presence of hostile State sponsored actors, do not rely on a
> software-only approach:  Use physical security measures to conceal
> your identity from the physical router that connects you to the
> Internet

> No "airtight" security protocol has ever survived contact
> with end users.

password:12345, lol.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
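
The per-hop country and group isolation proposed in the message above, as an added sketch that is not part of the original post and is not Tor's code. The relay list is constructed sample data, and the group memberships, function names and the bandwidth-weighted choice are assumptions of this example; eligible_share() shows how much of the network each constraint rules out.

```python
import random

# Jurisdiction groups named in the post; these membership lists are this
# example's assumption and would be user-configurable.
GROUPS = {
    "FVEY": {"US", "GB", "CA", "AU", "NZ"},
    "BRICS": {"BR", "RU", "IN", "CN", "ZA"},
}

# Constructed sample relays: (nickname, GeoIP country code, bandwidth weight).
RELAYS = [
    ("r1", "US", 900), ("r2", "US", 700), ("r3", "GB", 500), ("r4", "DE", 400),
    ("r5", "RU", 300), ("r6", "BR", 200), ("r7", "IS", 100), ("r8", "CA", 600),
]

def blocs(country):
    """Groups a country belongs to; an ungrouped country is its own bloc."""
    return {g for g, members in GROUPS.items() if country in members} or {country}

def compatible(path, relay):
    """True if relay shares no bloc (hence no country) with any chosen hop."""
    return all(not (blocs(hop[1]) & blocs(relay[1])) for hop in path)

def eligible_share(relays, path):
    """Fraction of total bandwidth still selectable for the next hop."""
    total = sum(r[2] for r in relays)
    return sum(r[2] for r in relays if compatible(path, r)) / total

def pick_path(relays, hops=3, rng=random):
    """Bandwidth-weighted choice per hop, restricted to compatible relays."""
    path = []
    for _ in range(hops):
        pool = [r for r in relays if compatible(path, r)]
        if not pool:
            raise ValueError("no relay satisfies the isolation constraints")
        path.append(rng.choices(pool, weights=[r[2] for r in pool])[0])
    return path

if __name__ == "__main__":
    path = pick_path(RELAYS)
    print([f"{n}/{cc}" for n, cc, _ in path])
    # Cost of the constraint: how much capacity the second hop can still draw from.
    print(f"{eligible_share(RELAYS, path[:1]):.0%} of bandwidth eligible for hop 2")
```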

