Comment by alasdair_

Considering multiple world governments have already shown in leaked documents that this is exactly what they do, I personally wouldn't trust my secrets with tor.

Pagers and the next day handheld radios exploded on their users! This can be done.

They say the internet is just someone else's computer. With Tor it's the computer of a person who wants you to think it's not their computer, and also that they aren't paying attention to (or somehow can't see) what you're doing on it.

The interesting thing is, the more agencies that run relays, the more they interfere with each other. So having something like US, Russia, and China a each running 25% of the network reduces the chances of any one getting all three relays.

I think the threat model is that the majority are not run by cooperating malicious parties.

Russia, china and usa all dont like each other much so are probably not sharing notes (in theory).

Before 2020 when /r/privacy stimulated conversation that was worthy of good discussion you learned Tor the software made less available nodes accessible with newer deployments, that’s why it got faster. Regardless of how many nodes existed. The routing shifted. Now it’s way faster and there's specifically designated guard nodes seemingly pinged repeatedly out to the same allied nations.

In fact, you should assume they are. This doesn't imply the network doesn't have utility for a given actor.

Pardon my ignorance, but I thought it fruitful to ask: Are there any issues that can arise by doing this on a VPS?

I ask because I know of stories of law enforcement sending inquiries to owners of, say, exit nodes requiring certain information about given traffic. I don't know if this happens for middle-nodes (or whatever they're called).

Moreover, are there any issues with associating a node to, you know, your name and billing information?

I don't know much about this, and although I could look it up, I think that my questions - and your respective answers or those of others - might do some public service of information sharing here.

Many individuals contribute to running relays. And there are non-profit organizations collecting donations to operates Tor exit nodes:

- https://www.torservers.net/

- https://nos-oignons.net/

I run a non-exit node any time I have the spare resources. I2P too. This means they're on the same popular providers that have too many other nodes, though.

Sometimes I set it up as a bridge (hidden entry node) instead.

only exit nodes get there door kicked in and they are the minority and not needed for the tor network to function

> I’ve heard individuals getting doors kicked in for participating in the network, so it’s not individuals.

It's individuals

Not only would you need the node to expose IPs with a wide enough distribution to allow the right path selection, you'd also need to have enough bandwidth available to look like distinct hosts, and ensure any losses in connectivity aren't correlated enough to draw attention (people monitor metrics.torproject.org pretty diligently, and would notice if there was a chunk of bandwidth coming and going in lockstep). At that point, the difference in cost to just actually running legitimately separate hosts is negligible. All empirical evidence points towards the status quo that has existed for most all of Tor's existence: if you want to identify Tor users, there are cheaper ways to do it than dominating the network (and those ways are expensive enough to be outside most people's threat models).

That said, any bandwidth anyone wants to contribute to mitigate such attacks is always appreciated, even if it's more useful for performance reasons in practice. ;)

This is what providers such as https://www.vultr.com/ are for:

https://www.vultr.com/features/datacenter-locations/

Its important to realize that TOR is primarily funded and controlled by the US Navy. The US benefits from the TOR being private.

It provides a channel for operatives to exfiltrate data out of non-NATO countries very easily.

The original purpose of TOR was to provide agents and handlers with a means of secure communication, allowing them to organize subversive or espionage activities. It was created by the Department of Defense to propagate their interests and spread democracy around the world using these secure capabilities. Given this context, it's not unreasonable to assume that TOR is still being used in a similar manner today.

Because of its origins, access to the identities of users on the TOR network—even if they could be de-anonymized—would likely be extremely restricted, compartmentalized, and classified. This would make it much more difficult for such information to be used in law enforcement proceedings. Perhaps that, rather than a technical limitation, is the reason most high-profile arrests related to TOR involve criminals making some other mistake, rather than the security of the network itself being compromised.

Additionally, it’s interesting to speculate that some of the secure private defense and intelligence networks—parallel or classified world internets—could themselves be implemented as possibly enhanced forms of TOR. It would make sense that nation-states, through shell companies and other disguises, might run and control many seemingly innocuous machines acting as secure relays in these parallel networks. While I have no data to back this up, it seems logical, given that TOR was originally created by the DoD and then open-sourced.

Why wouldn’t they keep something that works, build on it, and enhance it as a means to secure their own global communications?

> Maybe someone, somewhere, has decided that allowing petty criminals to get away with their crimes is worth maintaining the illusion that Tor is truly private.

This is what I believe. If they do have a way to track people, it wouldn't be worth blowing their cover for small stuff that wasn't a ridiculously huge national security threat that they could afford to throw away 20+ years of work for.

In fact there have been court cases that were thrown out because the government refused to reveal how their information was obtained... I think that usually means they're hiding it on purpose for a bigger cause. I also wouldn't be surprised if multiple SSL CAs are secretly compromised for the same reason.

TOR as it exists now is a honeypot simple as. Same as that documentary called "Benedict Cumberbniamnatch's Great Work" where they cracked the radio signals of the Frenchmen but they had to let the submarine sink so that they knew that the other guy doesn't know that they knew. NSA uses ROT which is TOR-inspired but takes the techniques and incognito aspects 7 or 8 steps ahead.

This entirely ignores the fact that traffic to and from onion sites never leaves the Tor network, never utilizes an exit node. It doesn’t matter if a bad actor has control of every exit node if your communications are within the network unless the underlying encryption protocols have been compromised.

> petty criminals to get away with their crimes

Like human rights activists, journalists and dissidents in totalitarian countries.

[dead]

> could capture the sessions of 10,940 criminals in a given month

Let’s say to do that, and now you have found 10k people accessing pirate bay in countries where it is blocked.

Also you captured someone who lives in Siberia and watches illegal porn, now what?

Many of these will not be actionable, like not criminals you would have interest in.

> could capture the sessions of 10,940 criminals

What does that mean? The way I understand it you would be getting traffic correlations -- which means an IP that requested traffic from another IP and got that traffic back in a certain time period. What does that tell you, exactly, about the criminal? If you aren't looking for a specific person, how would you even know they are doing crimes?

These pretexts for "discovering" are a "bedrock principle" in law enforcement called parallel construction.

The NSA sharing data with the DEA becomes a "routine traffic stop" that finds the drugs. The court would not allow the NSA evidence or anything found as a result, but through parallel construction, the officer lies in court that it was a "routine stop", and judicial review never occurs.

> these people always made other mistakes that led authorities to them.

Says who? The intelligent community entity that busted them? If they're using a tool to discover X or Y they're not to let anyone know that.

For example, I live in the NYC area. A couple of times per year there's a drug bust on the New Jersey Turnpike of a car headed to NYC. The story is always a "random" police stop ends up in a drug bust.

Random? My arse. Of the thousands of cars on the NJTP the cops just happened to pick the one loaded with drugs? A couple times a year? I don't buy it. But what are they going to say? They have someone on the inside that tipped them off? That's not going to happen.

The intelligence community doesn't deal in truth and facts. It deals in misinformation and that the ends justify the means. What they're doing and what they say they're doing are unlikely the same.

>Yes, this is obviously the sort of adversary we would be discussing.

OP explicitly asked about himself, not some government organisation.

>causing your number to be an underestimate

Not necessarily. It might even be an overestimate if the attacker fails to supply enough nodes of the right kind.

>So almost certainly thousands of people

We're talking about a targeted attack. Of course the statistics game works better when you don't target specific people and just fish randomly. But there are probably more cost effective methods as well.

That assumes you could run thousands of malicious tor nodes for several years without being detected. Unless you have vast resources and time, this is unlikely.

That is why in tor it picks a specific guard node and sticks with it. To prevent this kind of attack where you change nodes until you hit a bad one.

Because you're an enemy of the Iranian, Saudi, North Korean, etc. gov't.

Because your ex-spouse wants to murder you.

Because you just escaped Scientology, or another cult.

Because you're a criminal. The NSA doesn't handle that.

Because you're a journalist talking to sources in the industry you're investigating.

Depends on what you’re doing. The NSA isn’t going to expose themselves by tipping off law enforcement about small time drug deals. If you’re sharing CSAM or planning terrorist attacks, it might be different.

> given enough time (in theory) parallel construction is eventually exposed.

Parallel construction has existed for decades. It's even in "The Wire". It has never been tested in court, probably because it is nearly impossible to discover outside of being the agents that implement it.

1/ tor-browser by default sticks to the same circuit for one origin for the session, so that'd have to be 10,000 separate sites or 10,000 separate sessions.

Or you can use more... underhanded means that never result in an arrest.

Sounds like https://arxiv.org/abs/1808.07285

Onion sites do not utilize an exit node.

Tor does have padding defenses to protect against that.

Also, according to their latest blog post on their finances, while it is true they have money from the US Government, that was only ~50% of their income (I think that was 2023). For the FUD part of that comment, see the "U.S. Government Support" section of https://blog.torproject.org/transparency-openness-and-our-20...

The happy equilibrium is that if you have enough adversary nation-state intelligence services doing this and not sharing information, they'll cancel each other out and provide free node hosting.

You're misusing probability and ignoring critical information.

There's 1000 red marbles added to a jar with 8000 blue marbles (9000 total). Take three marbles from the jar randomly, one at a time. The odds of getting three red marbles is ~0.14%. That's all.

Tor nodes are not randomly picked marbles. The Tor network is not a jar.

I run an exit node, and I know several people who do, I dont suspect any of them to be anything but people who care about privacy, surveillance, and helping people get access to the free internet from restrictive locations. I admit, I bristled at your comment, because I do not like myself, the EFF, and many of my close friends being imagined as part of the US Government.

https://blog.torproject.org/tips-running-exit-node/

> Doesn't a solid VPN

Finding a solid one is the hard part. With tor, you kind of know what you are buying. The risks are in the open. With VPN maybe the operator is selling your data to advertizers. Maybe they are keeping logs. You kind of have to just trust them and have no way to verify.

When you think about countries that have the resources to "pay a thousand different isps in a thousand different ways with a thousand different os versions and tor versions" your first thought was Iran?

Why not just have greater number of relays by default? Internet bandwidth tends to increase over time, and the odds of this correlation attack are roughly proportional to the attacker's share of relays to the power of the number of relays used.

So latency issues permitting, you would expect the default number of relays to increase over time to accommodate increases in attacker sophistication. I don't think many would mind waiting for a page to load for a minute if it increased privacy by 100x or 1000x.

it was used by Snowden to leak documents...

>It’s then best we’ve got for achieving actually meaningful privacy and anonymity

...while being practical.

One could argue that there is i2p. But i2p is slow, a little bit harder to use, and from what I can remember, doesn't allow you to easily browse the clearnet (regular websites).

These sort of “Tor evangelism” comments are so tiring, frankly. There are quite a few like it in this thread, in response to…not people poo-pooing Tor, or throwing the baby out with the bathwater, rather making quite level-headed and reasonable claims as to the shortcomings and limitations of the network / protocol / service / whatever.

One should be able to make these quite reasonable determinations about how easy it’d be to capture and identify Tor traffic without a bunch of whataboutism and “it’s still really good though, ok!” replies which seek to unjustifiably minimise valid concerns because one feels the need to…go on and bat for the project that they feel some association with, or something.

The self-congratulatory cultiness of it only makes me quite suspicious of those making these comments, and if anything further dissuades me from ever committing any time or resources to the project.

Say there are only 2 sites on Tor. Site 'A' is plain text and has no pages over 1KB. You know this because it's public and you can go look at it. Site 'B' hosts memes which are mostly .GIFs that are 1MB+. You know this because it's also a public site.

If I was browsing one of those sites for an hour and you were my guard, do you think you could make a good guess which site I'm visiting?

I'm asking why that concept doesn't scale up. Why wouldn't it work with machine learning tools that are used to detect anomalous patterns in corporate networks if you reverse them to detect expected patterns.

If I visit facebook.com it's about 45 requests and 2.5MB of data. Are you saying that if I did that via Tor I would get a different circuit for each request or each individual packet?

Eventually the guard has to send the whole payload to me, right? Wouldn't that look similar every time if there's no obfuscation?

The problem is also that different network stack implementations have different MTU values and different TCP headers.

There's a lot of tools available that can fingerprint different applications pretty well these days. For example, Firefox and TOR Browser can be fingerprinted because of their custom network library that's OS independent.

It gets worse if you use a DSL2 connection with scaling because that will uniquely make your packets fingerprintable because they have a specific MTU size that's dependent of the length of the cable from modem to the next main hub. Same for cable internet, because the frequencies and spectrums that are used are also unique.

(I'm clarifying this, because an FBI van not having access to your Wi-Fi still has access to the cable on the street when there's a warrant for surveillance / wire tapping issued)

[1] https://github.com/NikolaiT/zardaxt (detects entropies of TCP headers and matches them with applications)

[2] https://github.com/Nisitay/pyp0f (detects the OS)

[3] https://github.com/ValdikSS/p0f-mtu (detects the VPN provider)

Just playing around, not mitigating anything. I think it would be poor practice to share my ideas/techniques- think of your own! Contrary to popular philosophy- obscurity is a powerful security method. People still rob houses with expensive locks… nobody robs secret underground bunkers.