The Tor Project

Discussion in 'General Discussion' started by A.O.T.F, Jan 22, 2015.

  1. A.O.T.F Member

    A thread dedicated to all things Tor - Enjoy


    “One must acknowledge with cryptography no amount of violence will ever solve a math problem.”

    Jacob Appelbaum

    Jacob Appelbaum, Advocate, Security Researcher, and Developer.

    Speaks at conferences and gives trainings all over the world to get people excited about Tor, explain how Tor is used in real world situations, and generally explain why anonymity online matters to you. Original developer of ttdnsd, Tor check, Tor DNSEL, and Tor weather site. Runs one of the directory authorities.

    Roger Dingledine, Project Leader, Director, Researcher.

    Original developer of Tor along with Nick Mathewson and Paul Syverson. Leading researcher in the anonymous communications field. Frequent speaker at conferences to advocate Tor and explain what Tor is and can do. Helps coordinate academic researchers. Runs one of the directory authorities.

  2. A.O.T.F Member

    Tor Weekly News — January 21st, 2015

    Harmony harmony01 at
    Wed Jan 21 12:08:57 UTC 2015
    Tor Weekly News January 21st, 2015

    Welcome to the third issue in 2015 of Tor Weekly News, the weekly
    newsletter that covers what’s happening in the boring [1] Tor community.


    Tor Browser 4.0.3 and 4.5a3 are out

    Georg Koppen announced two new releases by the Tor Browser team. Version
    4.0.3 [2] of the privacy-preserving browser is based on Firefox
    31.4.0esr, and also contains updates to NoScript, meek, and Tor

    The third release in the 4.5-alpha series [3] allows the secure
    in-browser update mechanism to handle signed update files, and will
    reject unsigned ones from now on. It also restores functionality for
    meek, which was broken in previous 4.5-alpha releases, and offers other
    improvements and bugfixes — please see Georg’s announcement for the full

    These releases contain important security updates, so users of both the
    stable and alpha series should upgrade as soon as possible. Furthermore,
    Tor Browser 4.5a3 is signed by a new Tor Browser Developers signing key
    rather than the personal key of an individual developer. If you want to
    verify your download of the new alpha (and you should!), you will need
    to retrieve the new key (fingerprint EF6E 286D DA85 EA2A 4BA7 DE68 4E2C
    6E87 9329 8290) from a keyserver before doing so.


    Miscellaneous news

    Anthony G. Basile announced [4] version 20150114 of Tor-ramdisk, the
    uClibc-based micro Linux distribution whose only purpose is to host a
    Tor relay in an environment that maximizes security and privacy. This
    release includes updates to Tor, Libevent, and other key software.


    Nik announced [5] oppy, an onion proxy implemented in Python: “oppy
    works like a regular Tor client”, though “there are a number of
    simplifications made, with the major ones primarily centering around
    circuit management/build logic and how and when network status documents
    are collected”. Nik also asked for suggestions on how to take the
    project forward: “Whether or not I continue hacking on oppy to make it a
    solid piece of software (rather than just a prototype) or just leave it
    as is as a reference depends on whether or not the Tor development
    community sees any real uses or future potential for the project”.

    Continued -
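Added example (not part of the newsletter or of the forum post): one way to act on the newsletter's advice to verify the 4.5a3 download against the new signing key, by reading the machine-readable output of `gpg --status-fd 1 --verify` and accepting only a signature that traces back to the pinned fingerprint. The status lines are constructed samples, including the made-up subkey fingerprints and user IDs, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: accept a gpg verification result only if the signature was
# made under the pinned primary key. A "good signature" from any other key
# in the keyring must not count.

# Fingerprint of the Tor Browser Developers signing key, as printed in the
# newsletter above.
PINNED_FPR="EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"

# Strip whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# signed_by_pinned_key STATUS_TEXT FINGERPRINT
#   STATUS_TEXT: output of  gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null
#                (FILE is a placeholder for the downloaded package)
#   returns 0  a VALIDSIG line names the pinned primary key and no
#              signature failed, expired or came from a revoked key
#   returns 1  anything else (bad signature, other key, no signature at all)
#   returns 2  the pin itself is not a full 40-hex-digit fingerprint
signed_by_pinned_key() {
    want=$(normalize_fpr "$2")
    [ "${#want}" -eq 40 ] || return 2          # short key IDs are refused
    case "$want" in *[!0-9A-F]*) return 2 ;; esac
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the key that signed (often a subkey); field 12,
            # when present, is the fingerprint of its primary key.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# --- constructed sample status output (not captured from a real run) ---

# Signature by a subkey whose primary key is the pinned one.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Tor Browser Developers (constructed sample)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-01-16 1421366400 0 4 0 1 8 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'

# Cryptographically valid signature, but from an unrelated key in the keyring.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Some Other Key (constructed sample)
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-01-16 1421366400 0 4 0 1 8 00 1111111111111111111111111111111111111111'

# File was modified after signing.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Tor Browser Developers (constructed sample)'

report() {
    if signed_by_pinned_key "$2" "$PINNED_FPR"; then
        echo "$1: accept"
    else
        echo "$1: reject"
    fi
}

report "signed by pinned key" "$SAMPLE_GOOD"
report "signed by other key " "$SAMPLE_OTHER_KEY"
report "bad signature       " "$SAMPLE_BAD"
```
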
  3. System Member

    did losersquad (lizardsquad) stop attacking TOR servers??
  4. A.O.T.F Member

    One is of the opinion that the mindset of said individuals will never stop trying.

    I do believe that in-depth testing of the Tor infrastructure and source code, to make it more robust, has been a top priority. And they have had some very promising results with this endeavor.
  5. A.O.T.F Member

    The Digital Arms Race: NSA Preps America for Future Battle

    By Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer


    The NSA's mass surveillance is just the beginning. Documents from Edward Snowden show that the intelligence agency is arming America for future digital wars -- a struggle for control of the Internet that is already well underway.

    Normally, internship applicants need to have polished resumes, with volunteer work on social projects considered a plus. But at Politerain, the job posting calls for candidates with significantly different skill sets. We are, the ad says, "looking for interns who want to break things."

    Politerain is not a project associated with a conventional company. It is run by a US government intelligence organization, the National Security Agency (NSA). More precisely, it's operated by the NSA's digital snipers with Tailored Access Operations (TAO), the department responsible for breaking into computers.

    Potential interns are also told that research into third party computers might include plans to "remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware." Using a program called Passionatepolka, for example, they may be asked to "remotely brick network cards." With programs like Berserkr they would implant "persistent backdoors" and "parasitic drivers". Using another piece of software called Barnfire, they would "erase the BIOS on a brand of servers that act as a backbone to many rival governments."

    An intern's tasks might also include remotely destroying the functionality of hard drives. Ultimately, the goal of the internship program was "developing an attacker's mindset."

    The internship listing is eight years old, but the attacker's mindset has since become a kind of doctrine for the NSA's data spies. And the intelligence service isn't just trying to achieve mass surveillance of Internet communication, either. The digital spies of the Five Eyes alliance -- comprised of the United States, Britain, Canada, Australia and New Zealand -- want more.

    Continued -
  6. BLiP Member

    Does he keep his clothes on when giving trainings?
  7. A.O.T.F Member

    :D .. One thinks that it was most likely a translation hiccup.
  8. A.O.T.F Member

    New NSA Documents on Offensive Cyberoperations

    By Bruce Schneier

    Sunday, January 18, 2015 at 2:10 PM

    Jacob Appelbaum, Laura Poitras and others have another NSA article with an enormous Snowden document dump on Der Spiegel, giving details on a variety of offensive NSA cyberoperations to infiltrate and exploit networks around the world. There’s a lot here: 199 pages. (Here it is in one compressed archive.)
    Paired with the 666 pages released in conjunction with the December 28th Spiegel article (compressed archive here) on the NSA cryptanalytic capabilities, we’ve seen a huge amount of Snowden documents in the past few weeks. And, at least according to one tally, 3560 pages in all.

    Source -
  9. A.O.T.F Member

    Jacob Appelbaum: Reconstructing narratives - transparency in the service of justice [31c3]

  10. BrainStorm Member

    Interesting stuff, even if I do not understand much of the technical language lol :s
  11. A.O.T.F Member

    Jacob Appelbaum: Revolutionary times


    Jacob Appelbaum: New Berliner, exiled hacktivist, passionate idealist

    A longtime collaborator of Julian Assange, a close friend of Edward Snowden confidants Laura Poitras and Glenn Greenwald and now himself a trusted ally of the NSA whistleblower, this is a man with some serious cred on the Snowden scene.

    Jacob Appelbaum is a natural-born dissident with a fighting spirit and serious oratory skills. Starting off as a campaigner for medical marijuana in California at age 15, Appelbaum spent more time worrying about planet Earth (later with Greenpeace and Rain Forest Action Network) and his computer’s ecosystem than his schoolwork. By his early twenties he was busy helping friends bring technology to Iraq (installing internet satellites in Kurdistan) or de-constructing Apple’s encrypted disk storage system. His involvement with the Tor Project (from 2004) and Wiki-Leaks were soon to follow. In 2010, Rolling Stone tagged him the “most dangerous man in cyberspace”, a label that still pisses him off today.

    He would hate the idea, but the Snowden affair has boosted his career – as a freelance writer with access to the NSA files, and as a public speaker who’s been both an expert on and victim of digital surveillance. Appelbaum was among the few cyber-security brains who engineered the Tor anonymity software. This and his connection to WikiLeaks earned him harassment from US intelligence agencies – relentless pressure which culminated in his girlfriend being spied on in her bedroom. In June of last year, he decided to bid home and friends farewell and join the likes of Poitras and WikiLeaks’ Sarah Harrison in self-imposed Berlin exile.

    Appelbaum – a man with over 76,000 Twitter followers – is coy about his new celebrity on the digital scene. Yet today it’s hard to conceive of a conference with the words “surveillance” or “Snowden” in the title without his participation. Like many of his techie peers, he encrypts his email, and if he does have a smartphone on him, the battery travels separately in his bag.

    “I’m a journalist, a computer security researcher/programmer, as well as an artist – all three are on my visa,” a freelance visa Germany has just renewed for another two years.

    He’s also a bit of a rabble-rouser – like when this year, after winning the respected Henri Nannen prize for journalism, Appelbaum publicly expressed his shame at winning an award named after a one-time Nazi (the famous Stern founder was a Waffen-SS propaganda man in Italy), and pledged to melt his award together with those of other winners, creating a new artwork.

    In person, “Jake”, as his friends call him, comes across as a rather shy, aloof type. But get him on topic and this 31-year-old tattooed product of “generation so-what” metamorphoses into an uncompromising yet endearing idealist.

    Last year, you decided to move to Berlin after years of harassment by the US government. Why then?

    I had enough. For years I had terrible interactions with the police, with border control, with the FBI. All sorts of different encounters that my family had experienced, that my partner had experienced, who is no longer my partner now partially due to this stress. Unbelievable things really.

    Continued -
  12. Mozilla dusts off old servers, lights up Tor relays

    Worst outcome means 50 percent capacity hit

    Mozilla has given the Tor network a capacity kick with the launch of 14 relays that will help distribute user traffic.

    Engineers working under the Foundation's Polaris Project inked in November pulled Mozilla's spare and decommissioned hardware out of the cupboard for dedicated use in the Tor network.

    It included a pair of Juniper EX4200 switches and ......
  13. A.O.T.F Member

    Jacob Appelbaum @ioerror · 5h
    Fuck yeah, Jeremy Hammond:

    The government's cyberterrorism 'concerns' are a pretext for their own hacking operations

    Jeremy Hammond


    The US has always been the world leader of cyberwar, hacking damn near everyone without any repercussions. And, for years, US intelligence officials and private contractors have been milking hacks to secure billions in cyber security programs: all you need is an enemy, and they will sell you the cure.
    Their blatant hypocrisy, threat inflation and militaristic rhetoric must be challenged if we are to have a free and equal internet.

    That familiar formula is playing out again with the recent Sony hack. We are supposed to be shocked that these “cyber-terrorists” – purportedly from North Korea – would attack our critical infrastructure and, clearly, swift retaliation is in order. But, despite the apocalyptic hype, the Sony hack was not fundamentally different from any other high-profile breach in recent years: personal information was stolen, embarrassing private emails were published and silly political rhetoric and threats were posted on Pastebin. In many ways, it’s similar to an Anonymous operation except that, this time, the FBI accused North Korea. That accusation was based on supposed forensic analysis which they have not publicly produced after refusing to participate in joint inquiries.

    This official narrative is disputed by many renowned infosec figures. Any skilled hacker or well-financed nation-state practices anti-forensics measures like modifying logs and using proxies to make the attacks appear to originate elsewhere. And North Korea has already been falsely accused of several cyber-attacks – including attacks against US and South Korean targets in July 2009 and again in 2013. The inherent difficulty of identifying the true attackers should give us pause before we rush to judgment.

    Continued - …
  14. A.O.T.F Member

  15. A.O.T.F Member

  16. A.O.T.F Member

  17. A.O.T.F Member

    Dear Torizens,

    I’m thrilled to finally publish something we’ve been working on for a while.
    The “Tor Animation” is a short video to help new users and members of our community become more familiar with Tor and understand how Tor Browser protects their privacy online.

    https://www dot

    The Tor Animation is available in the following languages for stream and download in two sizes of High Definition (~95M) and High Quality (~15M).

    Arabic: HD, HQ, YouTube
    English: HD, HQ, YouTube
    Farsi: HD, HQ, YouTube
    French: HD, HQ, YouTube
    German: HD, HQ, YouTube

    Subtitles are available in Arabic, Chinese, English, Farsi, Filipino/Tagalog, Finnish, French, German, Polish, and Spanish. (special thanks to Karsten Loesing for coordinating the translations)
    You can find all the files in this directory, which is also available via torrent.

    This could not be possible without the fantastic work of the KAJART studio (@KajartStudio) and the Tor community and we'd like to thank everyone involved.

    But we still have work to do. The idea behind this video and other activities like the UX studies is to get closer to end-users and understand their needs. So if you have an idea for making better videos and documentation, or if you're a visual artist and you can help us explain these complex technologies in simple and understandable forms to inexperienced users, please step forward and contact us.

    Please consider helping us make the video available in more languages. To make this easier for you, we've added a version of this video without the voice over for download. We'd be glad to accept translated subtitles for any language. If you're also interested in providing voice-overs, please talk to us first. Send your contributions and any feedback to tor-assistants at lists.torproject dot org or contact mrphs on IRC.
    Please download and share this video with your friends and help others understand Tor better.
    And if you liked the video, make sure you donate to the Tor Project, so we can make more cool things like this.

    With love and respect,
    Nima Fatemi
  18. A.O.T.F Member

  19. A.O.T.F Member

    Jacob Appelbaum talks at IACR Istanbul conference

    New ground covered on many issues - An excellent talk from Jake.

    The volume is a tad low - If HDMI'd to TV, Just pump up the volume, or download



  20. Crowdfunding the Future (of Hidden Services)

    Posted March 30th, 2015 by asn

    Hidden Services have received a lot of attention in 2015, and Tor is at the center of this conversation. Hidden Services are a Tor technology that allows users to connect to services (blogs, chats, and many other things) with neither the user nor the site giving up identifying information.

    In fact, anything you can build on the internet, you can build on hidden services. But they're better--they give users things that normal networking doesn't--authentication and confidentiality are built in; anonymity is built in. An internet based on hidden services would be an internet with Tor built in--a feature that users could take for granted. Think of what this might mean to millions of users in countries like China, Iran, or the UK. Yet currently, only about 4% of Tor's traffic comes from hidden services.

    So we at Tor have been considering how we might meet the challenge of making them more widely available. In this post, we will briefly discuss the role of hidden services before we explore the idea of using crowdfunding to pay for bold, long-term tech initiatives that will begin to fulfill the promise of this technology.

    Moar ...
  21. Tor Browser 4.5 is released

    Posted April 27th, 2015 by mikeperry

    The Tor Browser Team is proud to announce the first stable release in the 4.5 series. This release is available from the Tor Browser Project page and also from our distribution directory.

    The 4.5 series provides significant usability, security, and privacy enhancements over the 4.0 series. Because these changes are significant, we will be delaying the automatic update of 4.0 users to the 4.5 series for one week.

    On the usability front, we've improved the application launch experience for both Windows and Linux users. During install, Windows users are now given the choice to add Tor Browser to the Start Menu/Applications view, which should make it easier to find and launch. This choice is on by default, but can be disabled, and only affects the creation of shortcuts - the actual Tor Browser is still self-contained as a portable app folder. On the Linux side, users now start Tor Browser through a new wrapper that enables launching from the File Manager, the Desktop, or the Applications menu. The same wrapper can also be used from the command line.

    We've also simplified the Tor menu (the green onion) and the associated configuration windows. The menu now provides information about the current Tor Circuit in use for a page, and also provides an option to request a new Tor Circuit for a site. Tor Browser is also much better at handling Tor Circuits in general: while a site remains in active use, all associated requests will continue to be performed over the same Tor Circuit. This means that sites should no longer suddenly change languages, behaviors, or log you out while you are using them.

    On the security front, the most exciting news is the new Security Slider. The Security Slider provides user-friendly vulnerability surface reduction - as the security level is increased, browser features that were shown to have a high historical vulnerability count in the iSec Partners hardening study are progressively disabled. This feature is available from the Tor onion menu's "Privacy and Security Settings" choice.

    Our Windows packages are now signed with a hardware signing token graciously donated by DigiCert. This means that Windows users should no longer be prompted about Tor Browser coming from an unknown source. Additionally, our automatic updates are now individually signed with an offline signing key. In both cases, these signatures can be reproducibly removed, so that builders can continue to verify that the packages they produce match the official build binaries.

    The 4.5 series also features a rewrite of the obfs2, obfs3, and ScrambleSuit transports in GoLang, as well as the introduction of the new obfs4 transport. The obfs4 transport provides additional DPI and probing resistance features which prevent automated scanning for Tor bridges. As long as they are not discovered via other mechanisms, fresh obfs4 bridge addresses will work in China today. Additionally, barring new attacks, private obfs4 addresses should continue to work indefinitely.

    On the privacy front, the 4.5 series improves on our first party isolation implementation to prevent third party tracking. Specifically, blob: URIs are now scoped to the URL bar domain that created them, and the SharedWorker API has been disabled to prevent cross-site and third party communication. We also now make full use of Tor's circuit isolation to ensure that all requests for any third party content included by a site travel down the same Tor Circuit. This isolation also ensures that requests to the same third party site actually use separate Tor Circuits when the URL bar domain is different. This request isolation is enforced even when long-lived "HTTP Keep-Alive" connections are used.

    We have also improved our resolution and locale fingerprinting defenses, and we now disable the device sensor and video statistics APIs.

    Source -

    Download Tor -
  22. torproject retweeted

    Caspar Bowden @CasparBowden · May 7
    don't miss brilliant exchange between German police and @ioerror last 20 mins

    A Deeper Frontier of Freedom — The State of the Deepweb

    Discussing the future of Politics, Security, Crime and Dissidence on the Deepweb with Joana Varon (Coding Rights), Jacob Appelbaum (Tor Project)

  23. BLiP Member

  24. A.O.T.F Member

  25. Anonymous Member

    How safe is TOR today?
  26. JohnnyRUClear Member

    Wait... DARPA is funding what???

    I'm busy/lazy; is there a TL;DR explanation of this?
  27. A.O.T.F Member

  28. A.O.T.F Member


    Chatting in Secret While We're All Being Watched


    By Micah Lee - Jul. 14 2015, 7:08pm

    When you pick up the phone and call someone, or send a text message, or write an email, or send a Facebook message, or chat using Google Hangouts, other people find out what you’re saying, who you’re talking to, and where you’re located. Such private data might only be available to the service provider brokering your conversation, but it might also be visible to the telecom companies carrying your Internet packets, to spy and law enforcement agencies, and even to some nearby teenagers monitoring your Wi-Fi network with Wireshark.

    But if you take careful steps to protect yourself, it’s possible to communicate online in a way that’s private, secret and anonymous. Today I’m going to explain in precise terms how to do that. I’ll take techniques NSA whistleblower Edward Snowden used when contacting me two and a half years ago and boil them down to the essentials. In a nutshell, I’ll show you how to create anonymous real-time chat accounts and how to chat over those accounts using an encryption protocol called Off-the-Record Messaging, or OTR.
    If you’re in a hurry, you can skip directly to where I explain, step by step, how to set this up for Mac OS X, Windows, Linux and Android. Then, when you have time, come back and read the important caveats preceding those instructions.

    One caveat is to make sure the encryption you’re using is the sort known as “end-to-end” encryption. With end-to-end encryption, a message gets encrypted at one endpoint, like a smartphone, and decrypted at the other endpoint, let’s say a laptop. No one at any other point, including the company providing the communication service you’re using, can decrypt the message. Contrast this with encryption that only covers your link to the service provider, like an HTTPS web connection. HTTPS will protect your message from potential snoops on your Wi-Fi network (like the teenager with Wireshark) or working for your telecom company, but not from the company on the other end of that connection, like Facebook or Google, nor from law enforcement or spy agencies requesting information from such companies.

    A second, bigger caveat is that it’s important to protect not only the content of your communications but also the metadata behind those communications. Metadata, like who is talking to whom, can be incredibly revealing. When a source wants to communicate with a journalist, using encrypted email isn’t enough to protect the fact that they’re talking to a journalist. Likewise, if you’re a star-crossed lover hoping to connect with your romantic partner, and keep your feuding families from finding out about the hook-up, you need to protect not just the content of your love notes and steamy chats, but the very fact that you’re talking in the first place. Let’s take a quick look at how to do that.

    Secret identities

    Meet Juliet, who is trying to get in touch with Romeo. Romeo and Juliet know that if they talk on the phone, exchange emails or Skype chats, or otherwise communicate using traditional means, there’s no way to hide from their powerful families the fact that they’re communicating. The trick is not to hide that they’re communicating at all, but rather that they’re Romeo and Juliet.

    Juliet and Romeo decide to make new chat accounts. Juliet chooses the username “Ceres,” and Romeo chooses the username “Eris.” Now when Ceres and Eris have an encrypted conversation it will be harder for attackers to realize that this is actually Juliet and Romeo. When Juliet’s accounts are later audited for evidence of communicating with Romeo — her short-tempered cousin is a bit overbearing, to say the least — nothing incriminating will show up.

    Of course, just making up new usernames alone isn’t enough. It’s still possible, and sometimes even trivial, to figure out that Ceres is actually Juliet and Eris is actually Romeo.
    Juliet is logging into her Ceres account from the same IP address that she’s using for everything else on her computer (e.g. emails with her favorite friar). If her Internet activity is being logged (it almost certainly is; all of our Internet activity is being logged), it would be easy to connect the dots. If the chat service is forced to hand over the IP address that the Ceres account connects from, they’ll turn over Juliet’s IP address. Romeo has the same problem.

    Third-party services, like telecom companies and email providers, have access to private information about their users, and according to the third-party doctrine, these users have “no reasonable expectation of privacy” for this information. And it’s not just illicit lovers who are exposed by this doctrine; even journalists, who can sometimes assert special privilege under the First Amendment, have to be wary of who handles their communications. In 2013, the Justice Department obtained the phone records of Associated Press journalists during a leak investigation. And many news organizations don’t host their own email, making their email vulnerable to U.S. government requests for data — the New York Times and Wall Street Journal outsource their email to Google, and USA Today outsources its email to Microsoft. (This is why we run our own email server at The Intercept.)


    In order to keep the fact that she’s communicating private, Juliet must keep a bulletproof separation between her Ceres identity and her real identity. At the moment, the easiest and safest way to do this is by using Tor, the open source and decentralized anonymity network.

    Tor is designed to let you use the Internet anonymously. It’s a decentralized network of volunteer “nodes,” computers that help forward and execute Internet requests on behalf of other computers. Tor keeps you anonymous by bouncing your connection through a series of these nodes before finally exiting to the normal Internet. If a single node is malicious, it won’t be able to learn both who you are and what you’re doing; it might know your IP address but not where on the Internet you’re headed, or it might see where you’re headed but have no idea what your IP address is.

    Most people who have heard of Tor know about Tor Browser, which you can use to browse the web anonymously. But it’s also possible to use other software to visit Internet services other than the web anonymously, including chat and email.

    If Romeo and Juliet use Tor to access their Eris and Ceres chat accounts, and if their conversation is end-to-end encrypted using OTR, then they can finally have a secret conversation online — even in the face of pervasive monitoring.


    Continued -
  29. Tor is released

    Posted July 27th, 2015 by nickm
    This, the second alpha in the Tor 0.2.7 series, has a number of new features, including a way to manually pick the number of introduction points for hidden services, and the much stronger Ed25519 signing key algorithm for regular Tor relays (including support for encrypted offline identity keys in the new algorithm).
    Support for Ed25519 on relays is currently limited to signing router descriptors; later alphas in this series will extend Ed25519 key support to more parts of the Tor protocol.
    If you typically build Tor from source, you can download the source code from the usual place on the website. Packages should be up in a few days.

    moar .....
  30. A.O.T.F Member

    Tor Project to use US public libraries to boost network speed

    Public libraries in the US are to help support the anonymous web browser Tor as part of a new initiative. Through a collaboration between the Tor Project and the Library Freedom Project, libraries will host Tor exit relays in order to improve Tor browsing speeds and overcome scalability issues of the network.

    A pilot programme has already taken place at Kilton Library in Lebanon, New Hampshire, while members of the Tor Project will be meeting with library directors and boards of trustees in order to add more libraries.
    "This is an idea whose time has come," a blogpost on the Tor Project website reads. "Libraries are our most democratic public spaces, protecting our intellectual freedom, privacy, and unfettered access to information, and Tor Project creates software that allows all people to have these rights on the internet.

    "We're excited to combine our efforts to help libraries protect internet freedom, strengthen the Tor network, and educate the public about how Tor can help protect their right to digital free expression."

    Exit relays are necessary to improve the speed and efficiency of the Tor network but the volunteer-based nature of the Tor Project means third parties are often relied upon to provide the hardware.

    Earlier this year the Tor Project was given a helping hand by Mozilla when the internet giant provided spare and decommissioned hardware for Tor network use. The launch of 12 network relays allowed for maintenance to be carried out on the network without losing more than 50% of traffic capacity.

    The Tor Project has grown both in popularity and notoriety in recent years, following the takedown of drugs marketplaces like Silk Road and revelations from NSA whistleblower Edward Snowden.

    Andrew Lewman, executive director of the Tor Project, revealed last year that the network has an average of 2.5 million users at any one time, while the software has been downloaded more than 150 million times.
    The increase in user numbers is an issue for the network, as it is not designed to carry heavy loads of traffic. Lewman said at the time: "If tomorrow Taylor Swift said 'to all my hundreds of millions of fans, go to this [Tor] address', it would not work well."

    In order to be able to grow significantly, Lewman believes that a major company like Facebook or Google needs to take it over. If not, users may be put off by sluggish speeds and move over to more efficient networks currently in development.

    One potential rival is HORNET (High-speed Onion Routing at the Network Layer). Created by researchers from Zurich and London, HORNET claims to be able to offer "internet-scale anonymity" by processing traffic at speeds of more than 93 Gb/s.

    Source -

    This is a fucking joke, right!? WTF! is going on, Jake?

  31. ravenanon Member

  32. A.O.T.F Member

    UPDATE: The Tor Project has responded to Motherboard with the following comment via email:

    "It's is [sic] a known issue that hidden service circuits are noticeable in certain situations, but this attack is very difficult to execute. The countermeasures described in the paper are interesting since the authors claim that deploying some of them would neutralize their attack and better defend against hidden service circuit fingerprinting attacks in general.

    This has yet to be proven. We are interested to see this article get officially published at Usenix Security where some Tor developers and privacy researchers will be attending. We need more concrete proof that these measures actually fix the issue.

    We encourage peer-reviewed research into both attacks against and defenses of the Tor network."
  33. Anonymous Member

  34. A.O.T.F Member

    In an e-mail, Tor project leader Roger Dingledine said the requirements of the attack greatly limited its effectiveness in real-world settings. First, he said, the adversary must control one of the entry guards a hidden service is using. Such entry guards in theory are assigned randomly, so attackers would have to operate a large number of Tor nodes to have a reasonable expectation of seeing traffic of a given hidden service. Additionally, he cited research from last year arguing that researchers routinely exaggerate the risk of website fingerprinting on anonymity.

    He went on to question the "classifier" algorithm that allowed the researchers to identify certain traffic as belonging to a Tor hidden service. It wouldn't be hard to thwart it, he said, by adding random padding to the data being sent.

    "It's not surprising that their classifier basically stops working in the face of more padding," he wrote. "Classifiers are notoriously brittle when you change the situation on them. So the next research step is to find out if it's easy or hard to design a classifier that isn't fooled by padding."

    The full text of Dingledine's e-mail is below:
    This is a well-written paper. I enjoyed reading it, and I'm glad the researchers are continuing to work in this space.
    First, for background, run (don't walk) to Mike Perry's blog post explaining why website fingerprinting papers have historically overestimated the risks for users:
    and then check out Marc Juarez et al's followup paper from last year's ACM CCS that backs up many of Mike's concerns:
    To recap, this new paper describes three phases. In the first phase, they hope to get lucky and end up operating the entry guard for the Tor user they're trying to target. In the second phase, the target user loads some web page using Tor, and they use a classifier to guess whether the web page was in onion-space or not. Lastly, if the first classifier said "yes it was", they use a separate classifier to guess which onion site it was.

    The first big question comes in phase three: is their website fingerprinting classifier actually accurate in practice? They consider a world of 1000 front pages, but and other onion-space crawlers have found millions of pages by looking beyond front pages. Their 2.9% false positive rate becomes enormous in the face of this many pages—and the result is that the vast majority of the classification guesses will be mistakes.

    For example, if the user loads ten pages, and the classifier outputs a guess for each web page she loads, will it output a stream of "She went to Facebook!" "She went to Riseup!" "She went to Wildleaks!" while actually she was just reading posts in a Bitcoin forum the whole time? Maybe they can design a classifier that works well when faced with many more web pages, but the paper doesn't show one, and Marc Juarez's paper argues convincingly that it's hard to do.

    The second big question is whether adding a few padding cells would fool their "is this a connection to an onion service" classifier. We haven't tried to hide that in the current Tor protocol, and the paper presents what looks like a great classifier. It's not surprising that their classifier basically stops working in the face of more padding though: classifiers are notoriously brittle when you change the situation on them. So the next research step is to find out if it's easy or hard to design a classifier that isn't fooled by padding.

    I look forward to continued attention by the research community to work toward answers to these two questions. I think it would be especially fruitful to look also at true positive rates and false positives of both classifiers together, which might show more clearly (or not) that a small change in the first classifier has a big impact on foiling the second classifier. That is, if we can make it even a little bit more likely that the "is it an onion site" classifier guesses wrong, we could make the job of the website fingerprinting classifier much harder because it has to consider the billions of pages on the rest of the web too.
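
Added example, not part of the quoted e-mail or the paper it discusses: a small model of the two-stage pipeline described above, showing how a 2.9% false positive rate drives alert precision down as the set of possible pages grows, and how a less reliable first-stage classifier feeds clearnet traffic into the second. Only the 2.9% figure comes from the e-mail; the other rates and the page-load mixes are assumed values chosen for illustration.

```python
import random

S2_FPR = 0.029  # site classifier false positive rate quoted in the e-mail
S2_TPR = 0.88   # assumed: site classifier true positive rate
S1_TPR = 0.99   # assumed: "is it onion traffic" true positive rate
S1_FPR = 0.001  # assumed: clearnet loads wrongly passed to stage two

def alert_precision(loads, s1_fpr=S1_FPR):
    """Share of final 'visited a monitored onion page' alerts that are correct."""
    true_alerts = loads["monitored"] * S1_TPR * S2_TPR
    # Every non-monitored load that reaches stage two can raise a false alert.
    reach_stage2 = loads["other_onion"] * S1_TPR + loads["clearnet"] * s1_fpr
    false_alerts = reach_stage2 * S2_FPR
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0

def simulate(loads, n, s1_fpr=S1_FPR, seed=1):
    """Monte Carlo run of the same two-stage pipeline, as a cross-check."""
    rng = random.Random(seed)
    kinds = list(loads)
    hits = misses = 0
    for kind in rng.choices(kinds, weights=[loads[k] for k in kinds], k=n):
        passed = rng.random() < (s1_fpr if kind == "clearnet" else S1_TPR)
        if not passed:
            continue
        if kind == "monitored":
            hits += rng.random() < S2_TPR
        else:
            misses += rng.random() < S2_FPR
    return hits / (hits + misses) if hits + misses else 0.0

# Constructed mixes of page loads (relative weights), not measurements.
CLOSED = {"monitored": 10, "other_onion": 0, "clearnet": 0}
ONION_WIDE = {"monitored": 1, "other_onion": 1000, "clearnet": 0}
OPEN_WORLD = {"monitored": 1, "other_onion": 1000, "clearnet": 1_000_000}

def report():
    return {
        "closed world": alert_precision(CLOSED),
        "many onion pages": alert_precision(ONION_WIDE),
        "plus clearnet": alert_precision(OPEN_WORLD),
        # Padding modelled as a higher stage-one false positive rate (assumed 5%).
        "plus clearnet, padded": alert_precision(OPEN_WORLD, s1_fpr=0.05),
    }

if __name__ == "__main__":
    for name, p in report().items():
        print(f"{name:24s} precision = {p:.4f}")
    print("simulated many onion pages:", round(simulate(ONION_WIDE, 200_000), 4))
```

With these assumed inputs, roughly 97 of every 100 alerts are wrong once a thousand other onion pages are in play, and raising the first-stage error rate pushes precision below one in a thousand.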

  35. A.O.T.F Member

  36. A.O.T.F Member

    What happened when we got subpoenaed over our Tor exit node

    We've run a Tor exit-node for years. In June, we got the nightmare Tor operator scenario: a federal subpoena (don't worry, it ended surprisingly well!)

    By Cory Doctorow


    Tor, The Onion Router, is a privacy and anonymity network that bounces traffic around the Internet in nested cryptographic wrappers that make it much harder to tell who its users are and what they're doing. It's especially hated by the NSA and GCHQ.

    Many people run Tor nodes, but only a few run "exit nodes" through which traffic exits the Tor network and goes out to the public, normal Internet. Having a lot of exit nodes, with high-speed connections, is critical to keeping Tor users safe and secure. We wanted to do our bit for allowing, for example, Bahraini and Chinese dissidents to communicate out of view of their domestic spy agencies, so we turned some of our resources over to Tor in 2012, including access to our blazing-fast Internet connection.

    The nightmare scenario for Tor exit-node operators is that you'll get blamed for the stuff that people do using your node. In Germany and Austria, prosecutors have actually brought criminal action against Tor exit-node operators.

    So we were a little freaked out in June when an FBI agent sent us a subpoena ordering us to testify before a federal grand jury in New Jersey, with all our logs for our Tor exit node.
    We contacted our lawyer, the hard-fightin' cyber-lawyer Lauren Gelman, and she cooled us out. She sent the agent this note:

    Special Agent XXXXXX.
    I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached).
    The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records.
    I would be happy to discuss this further with you if you have any questions.
    And that was it.

    Continued -
  37. The Wrong Guy Member

  38. A.O.T.F Member
