[Cryptography] The attack that broke the Dark Web—and how Tor plans to fix it
John Denker
jsd at av8n.com
Fri Dec 4 17:23:00 EST 2015
On 11/02/2015 02:26 AM, Darren Moffat wrote:
> For a public news site I'm not so sure I see why someone would expect to
> have any privacy
I can think of a dozen reasons why people /should/ want and expect
privacy when browsing public sites. These days shopping for a
pressure cooker can get you into trouble.
> If you need that then you should read in private browsing mode
> over Tor (or equivalent)
That is "supposed" to provide privacy ... but how sure are we that
the Tor network is not a wholly-pwned subsidiary of CMU / FBI / NSA
/ GCHQ / Спецсвязь / 总参三部 / et cetera ???
Here's an interesting article on the subject:
[1] Kashmir Hill
"The attack that broke the Dark Web—and how Tor plans to fix it"
http://fusion.net/story/238742/tor-carnegie-mellon-attack/
The basic story has been floating around for a while, but that is
the most detailed account I've seen of how the Tor guys detected
the attack. Among other things, it quotes the Black Hat abstract
that was taken down:
http://fusiondotnet.files.wordpress.com/2015/11/screen-shot-2015-11-25-at-10-52-16-am.png
A less-detailed article on the same subject is:
[2] Andy Greenberg
"Tor Says Feds Paid Carnegie Mellon $1M to Help Unmask Users"
http://www.wired.com/2015/11/tor-says-feds-paid-carnegie-mellon-1m-to-help-unmask-users/
I doubt the details of that incident will remain secret much longer.
Looking forward: It is reported [1] that Tor ...
>> now has a set, strict procedure for how to respond when it sees a
>> bunch of servers join its network. It will remove them by default
>> rather than taking a ‘wait and see if they do something weird’
>> approach.
That doesn't impress me. It would be poor tradecraft to repeat
the tactic of inserting a "bunch of servers" into the Tor network
all at once. One must assume that a slightly less oafish M.O.
would be used for subsequent attacks. One wonders whether a more
gradual infiltration would be detected.
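The "bunch of servers at once" rule quoted above, set beside the gradual infiltration this post worries about, as an added example (not code from the post, the articles, or the Tor Project): a toy relay-join review over a constructed join log, where a sliding-window burst rule is paired with a cumulative per-origin share rule. Record layout, origin labels, thresholds and the log itself are all assumptions.

```python
from collections import Counter

# Constructed relay-join log, not real Tor consensus data. Each record is
# (join_time_hours, relay_id, origin), where "origin" stands for whatever
# grouping attribute the defender chooses (netblock, AS, contact info).
# Origins use RFC 5737 documentation addresses as placeholders.
HONEST = [(54.0 * h, f"honest{h}", f"192.0.2.{h}") for h in range(40)]   # one relay every ~2.25 days, distinct origins
BURST = [(720.0 + i / 6, f"burst{i}", "203.0.113.0") for i in range(12)]  # 12 relays inside two hours, one origin
GRADUAL = [(120.0 * i + 30, f"creep{i}", "198.51.100.0") for i in range(20)]  # one relay every 5 days, one origin
JOINS = sorted(HONEST + BURST + GRADUAL)


def burst_windows(joins, window_hours=2.0, threshold=8):
    """Relay ids that joined inside any window holding >= threshold joins
    (the 'remove a bunch of servers that join at once' rule)."""
    times = [t for t, _, _ in joins]
    flagged, j = set(), 0
    for i in range(len(joins)):
        while times[i] - times[j] > window_hours:   # slide the window start forward
            j += 1
        if i - j + 1 >= threshold:
            flagged.update(r for _, r, _ in joins[j:i + 1])
    return flagged


def dominant_origins(joins, now_hours, horizon_hours=2400.0, max_share=0.2):
    """Origins whose relays, however slowly they arrived, make up >= max_share
    of all joins within the horizon. This is what the burst rule cannot see."""
    recent = [j for j in joins if now_hours - horizon_hours <= j[0] <= now_hours]
    counts = Counter(origin for _, _, origin in recent)
    return {o for o, c in counts.items() if c / len(recent) >= max_share}


def review(joins, now_hours):
    """Run both rules; each catches a pattern the other misses."""
    return {"burst_relays": burst_windows(joins), "creeping_origins": dominant_origins(joins, now_hours)}


if __name__ == "__main__":
    result = review(JOINS, now_hours=2400.0)
    print(sorted(result["burst_relays"]))      # the 12 burst relays only
    print(sorted(result["creeping_origins"]))  # ['198.51.100.0']: the slow infiltration
```

The burst rule flags exactly the twelve relays that arrived together and nothing from the slow set; the share rule flags the slow origin, which by the end of the log accounts for more than a quarter of all joins without ever tripping a burst.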