Log in
"Pourriez-vous s'il vous plaît répéter la question?" said Andre, head developer. His voice was garbled over a VoIP connection. "My English ... not great."
Yvonne sighed. She was the project manager of MetaPortal, the creatively named flagship product of MetaCortex. "Why is there no email validation for the signup form?" Yvonne repeated, speaking slowly and clearly.
"Email already required," Andre replied. "What more validation do you need?"
Yvonne lamented forgetting so much of her high school French that she couldn't say "regular expressions."
This call with Andre was the last in a dozen late-night conferences with the temperamental, but always polite, programmer, who lived in Normandy. In fact, his entire team was composed of four different nationalities and spoke three different languages. Yvonne, along with the executives of MetaCortex, worked in New York.
Yvonne tried again. "Regular expressions. Can you add a regular expression to the email validation? Right now someone can type 'merde' for their address and the form accepts it."
Andre chuckled. "Ah, make the email straight. No more 'merde' emails."
"That should do it for this sprint," Yvonne said, relieved.
Garbled Transmissions
Despite the linguistic difficulties, Andre and his team met their deadline, and the code for MetaPortal 1.9.11 was released the following Tuesday. Yvonne, exhausted from all those late-night conference calls, took a nap in her apartment that afternoon. She awoke the next morning to a banging at her door.
"Yvonne?" It was Charles, the head of Customer Service. "Are you alive?"
"Yes," she mumbled. She had slept close to 18 hours, she noticed. "Is something wrong?"
"We had to roll back 1.9.11. A bunch of users couldn't log into MetaPortal."
Yvonne washed her face and followed Charles back to the office. He showed her a list of thousands of angry emails from customers unable to log into their accounts. "They started the moment the code was pushed up to production."
"Merde," Yvonne said. "I'll get Andre on the horn."
Lost in Google Translate
"I do not understand, it works on my computer." Andre sounded confused and tired over the VoIP connection. "You say no one can sign up in France?"
"Some can, most can't. Some can't sign up in the US. Half can in Germany, most can't in Japan, most can in Australia. Almost everyone can in the UK. We're still trying to find commonalities."
"I do not think I can triage," Andre said. "I do not live outside of France."
"I've got some interns playing around with it," Charles said. "Maybe it's just a matter of enough monkeys banging enough keyboards at this point."
Yvonne got coffee from the vending machine downstairs while Charles and his team looked at the issue. It's not regional, not exactly. It should be uniform if it were, say, an issue with a national firewall. So why is the UK the one country where it's not a problem? What's very common in England, a bit less common in the US and Australia, and not common at all elsewhere?
Merde! She headed back for Charles' desk.
Lost in Google Translate
"It only works in English." Charles pointed to his computer as she found him. "Something goes wrong when a user selects another language."
"I think I know why," Yvonne said. "May I?" She pointed to his computer.
He nodded. Yvonne opened the MetaPortal login page in a new browser window. "We use an automated translation service to localize much of our content. When the session is in English, nothing is translated ... but when I switch it to something else, like our friend Andre's native French, much of the output gets processed in the translation API. Did your monkeys try switching languages before?"
"Not before now," Charles said.
"Okay, watch this." Yvonne typed her account info into the login screen and hit submit. The browser showed an error icon. Yvonne opened the Inspector window. "'pour is not a valid keyword.'"
"I'll be..." Charles said. He took the mouse from Yvonne and viewed the page source. Where they expected to see:
for (var i = 1; i < a.length; i++) {Was instead:
pour (var i = 1; i < a.length; i++) {"I'll tell Andre to add an exception to the translation API. It should always skip embedded JavaScript code. How can I say that in French so he understands perfectly?"
"Developers and management already speak different languages," Charles said, "even if they both speak English."
[Advertisement] BuildMaster 4.1 has arrived! Check out the new Script Repository feature and see how you can deploy builds from TFS (and other CI) to your own servers, the cloud, and more.
E. T. wrote to tell us of a support tale from days long gone by at a company long since acquired by a much larger behemoth. A customer had called in, entered all of his information, but hung up before a human got on the line. The support system generated a nameless ticket which got randomly assigned to one of the support folks. Then the customer called back, entered all of his information again, and got E. T.
The customer wanted to delete slice 0 on his system. For those of you not familiar with this, in *nix, slice 0 is the root of the file system and basically points to where everything on the disk is located. Deleting slice 0 is the equivalent of deleting everything on the entire hard disk. While there are the occasional disk corruptions that require this action, they are exceedingly rare, and once done, you are forced to reinitialize and re-install the operating system.
E. T. told him that he didn't want to do that because it would wipe out the entire file system. The customer persisted, insisting that he wanted to free up the precious GB of disk space that this unnecessary file system was consuming. He insisted that he did not install whatever was on this file system, and that it didn't belong there, so he was going to delete it, and needed instructions on how to get it done.
Since E. T. was obligated to help the customer, he finally went over to the software guys, and asked one: Do you know how to delete slice 0? Naturally, the software guy replied: You don't want to do that... E. T. continued: I know, but this guy is insisting that he didn't install anything on that partition, and he wants to reclaim the space. I know it's stupid, but "The customer is always right" and all that; we're obligated to support him and answer his question! The software guy told E. T. to Talk to Bob.
E. T. hunted down Bob and asked: Hey, Bob, do you know how to delete slice 0? Of course, Bob replied: You don't want to do that...
This went on with several people, until finally E. T. got someone who told him how to do it.
As E. T. was headed back to his desk, the guy next to him asked: Hey is that F.P. Dingbat at XYZ company?
Yeah why?
Because when he originally called and hung up, his case was assigned to me; if you have him I'll just close it out.
E. T. decided there was a better way to handle this situation: No don't. He is about to do something above and beyond stupid (little did E. T. know the true scale of Epic Stupidity™ that the customer was about to commit). So let's give him 1/2 an hour to hang himself, then you call back so we can see what happened.
E. T. got back on the phone and told the guy how to delete the file system, but again, advised him that what he was about to do was evil, bad, would make his life Hell-on-Earth, and that he should absolutely, positively, not do it. Of course, the customer got all snooty at being told he was making a mistake, and barked back: See, you CAN do it!, and hung up.
A half hour later, the other support guy calls the customer back to see if he could help him with his original issue.
Did the guy delete slice 0? Yes but in a far more destructive way than one might imagine. It turned out that he had issued a command to SU on every machine in his company and execute the command sequence to remove slice 0. Then he executed the commands on his own box. He took the whole place down!
The customer asked the support guy: I only entered the one command; what the fsck did I just do?
[Advertisement] BuildMaster 4.0 is here! Check out the brand-new UI and see how you can deploy directly from TeamCity (and other CI) to your own servers, the cloud, and more.
The answer is "not very". Tor has many weaknesses, especially the "Tor Browser Bundle". I'm going to describe some of them here.
The NSA runs lots of Tor nodes
The NSA hosts many nodes, anonymously, at high speed, spread throughout the world. These include ingress, middle nodes, hidden services, and most especially, egress nodes. It's easy for them to create a front company, sign up for service, and host the node virtually anywhere.
On any random Tor connection, there is a good chance that one of your hops will be through an NSA node.
Update: This is a controversial claim. I have some sources I cannot name. Also: I don't have the exact details as to what "many" means: 1%? 10% 30%??
Tor uses only three hops
By default, Tor chooses three hops: the ingress point, the egress point, and only a single in-between node. If the NSA is able to control one or two of these nodes, you are still okay because the third node will protect you. But, if the NSA is able to control all three, then your connection is completely unmasked.
This means that the NSA occasionally gets lucky, when somebody's connection hits three NSA nodes, allowing them to unmask the user.
Update: If we assume the NSA controls 1% of Tor nodes, that comes out to one-in-a-million chance the NSA will unmask somebody on any random connection. If a million connections are created per day, that means the NSA unmasks one person per day.
Tor creates many new paths
Tor doesn't use a single static path through the network. Instead, it opens up a new path/tunnel every 15 minutes. Modern web-services create constant background connections. Thus, if you have your Outlook mail or Twitter open (and aren't using SSL), these will cause a new path to be created through the Tor network every 15 minutes, or 96 new paths every day, or 3000 new paths a month.
That means over the long run, there's a good chance that the NSA will be able to catch one of those path with a three-hop configuration, and completely unmask you.
Update: This is partly mitigated by the "guard" ingress node concept. You crease only a single connection to the guard node, then fan out paths from there. But, mitigated doesn't mean the same thing as "fixed".
Your egress traffic may be unencrypted
Tor encrypts your traffic on your end, but when it leaves the last node in the Tor network, it'll be whatever it would be originally. If you are accessing websites without SSL, then this last hop will be unencrypted. It's usually easy to verify within web-browsers whether they are using SSL, but most other apps have bugs that cause unencrypted sessions to be created.
Update: Also, some of your egress traffic is poorly encrypted, such as the 1024-bit keys without forward security that Facebook uses.
Update: @addelindh points out that things like SSLstrip often works because people aren't paying attention and websites don't support things like HSTS, and thus, even when you want SSL, it'll sometimes fail for you in the face of a hostile attacker. Somebody needs to setup an exit node, then SSLstrip it to figure out how often that works.
Tor uses 1024-bit RSA DH
Tor connections are only protected by 1024-bit RSA keys. The NSA can crack those keys. We don't know how easily they can do it. I'm guessing the NSA spent several years and a billion dollars to build ASICs. That means, their internal accounting might charge $1-million per 1024-bit RSA key cracked. This means they won't try to crack keys for petty criminals, but they have the power to crack keys for serious targets.
The NSA doesn't need to control all three servers along your route through Tor. Instead, it can control two servers and crack the RSA key of the remaining connection.
Update: We know the NSA can crack 1024-bit keys, because would cost only a few million dollars. What we don't know how many such keys it can crack per day. The number could be less than one such key per day.
Major Update: Because of Tor's "perfect forward secrecy", the NSA wouldn't be cracking the RSA key when eavesdropping. Instead, they would need to crack the "ephemeral" keys. A lot of older servers use 1024-bit DH ephemeral keys, which are about as easy to break as 1024-bit RSA keys. Newer servers use 256-bit ECDH keys which are a lot stronger, and likely not crackable by the NSA (estimates say NSA can crack up to 160-bit ECDH keys). Thus, for older servers, the ability of the NSA to passively eavesdrop and crack keys is a big threat, but for newer servers, it's likely not a threat. (I'm using http://www.keylength.com/ and round numbers here for key lengths). (I'm using http://torstatus.blutmagie.de/ and my own pcaps to confirm a lot of 1024-bit DH is still out in the Tor nodes).
The NSA can influence parts of the network
The NSA can flood the servers it doesn't control with traffic, thus encouraging users to move onto their own servers. Thus, they can get more connections onto their servers than chance would suggest.
Multiple apps share the same underlying Tor egress
Let's say that you use SSL for Twitter, but non-SSL for your email app. Both of these go out the same exit node. This allows the the NSA to associate the two together, the user named in the email connection associated with the otherwise anonymous Twitter connection. This association works well when the NSA is controlling the exit node, and less well if it's simply monitoring the exit node.
Outages out you
As everyone knows, if the NSA is monitoring you and the server you visit, they might be able to match up traffic patterns to associate the two. This is tricky for them, so a better way is to control the association by injecting faults. If the NSA is able to reset (spoof TCP RST) packets to your end of the connection, it'll cause the egress connection on the other end to drop. Some suspect the NSA is doing this in order to find hidden services.
Exploits (0day or not) can leak your IP address
In the recent incident, the FBI put a Firefox exploit on the servers that was designed to leak a person's IP address. There are lots of other things that can do this, ranging from hidden stuff within video files to PDF files. I doubt that it is possible, in the normal sense (i.e. without putting the Tor proxy and apps on separate machines), to prevent your IP address from being discovered.
DNS leakages can get you
This is partially fixed, with the latest build of Firefox in the Tor Browser Bundle. But it's potentially broken in other apps. The basic problem is that Tor is TCP-based, but DNS requests go over UDP. Also, DNS requests go over separate APIs in the operating system that bypass the proxying of Tor. Consequently, when apps open a proxied TCP connection, they'll still leak your IP address when resolving a name via DNS. (h/t @inthecloud247)
Mistakes inevitably happened
Remember: Lulzsec hacker Sabu was discovered because while he normally logged onto chatrooms using Tor, he forgot once -- and once was enough.
The NSA passes info to the FBI !!!
Normally, the NSA wouldn't go after petty criminals, like kids buying drugs on SilkRoad. That's because doing so would reveal the existence of the program, which the NSA wants to keep secret.
But now we've heard stories about how the NSA can give such information to FBI without revealing the program. Unmasking connections is opportunistic: the NSA is just running a huge dragnet and testing connections when they get lucky. With the above program, they can just pass it along to the FBI. That means even the pettiest of petty criminals might getting caught with the NSA's Tor monitoring.
Conclusion
Experts can probably use Tor safely, hiding from the NSA -- assuming they control a smaller number of nodes, and that their 1024-bit key factoring ability is small. It would require a lot of opsec, putting apps on a different [virtual] machine than the proxy, and practicing good opsec to make sure egress connections are encrypted.
However, the average person using the Tor Browser Bundle is unlikely to have the skills needed to protect themselves. And this might be good thing: it means dissidents throughout the world can probably hide from their own government, while our NSA cleans the network of all the drug dealers and child pornographers.
Update: Some comments might appear on the Tor mailing list here.
Update: Some useful tweets by experts:
@ErrataRob so "NSA runs nodes" and "NSA DoSes nodes" both would show up in the network. Empirically we don't see evidence for those.
— @eqe (Andy Isaacson) (@eqe) August 7, 2013
@ErrataRob Tor's 'guard node' design feature affects, but does not completely render invalid, your "Tor creates many new paths" point.
— Nick Mathewson (@nickm_tor) August 7, 2013
@ErrataRob Recent Tors use ECDH for forward secrecy, so breaking RSA keys would only be an (expensive) way to impersonate a node.
— Nick Mathewson (@nickm_tor) August 7, 2013
@ErrataRob @thegrugq There are a number of factual inaccuracies in your blog post, I wish you had asked me to review it before publishing.
— Runa A. Sandvik (@runasand) August 7, 2013
@ErrataRob @stevelord @donicer Isn't that because people have unrealistic expectations on Tor? Not broken, just not a silver bullet.
— Andreas Lindh (@addelindh) August 7, 2013
This discussion highlights some key points that are worth noting:
(1) Situations like this one look a lot like a Red Queen's Race - constant evolution might guarantee that both the NSA and "Bad/Good Guys" survive by adapting behavior, but it also means that some portion of both those populations will fail to survive. Sometimes the cat will get a mouse; sometimes a mouse will go uncaught... There is no personal (individual) guarantee.
(2) We cannot rely on the success of the technological arms race to protect our freedom. As a civilized people we must look to the law to restore and preserve the balance between capturing the bad guys, and protecting the good guys.
(3) It speaks volumes that the two user groups referenced repeatedly in the discourse of Tor are (a) Child Pornographers [read pure-evil], and (b) political dissidents [read good guys]. It is oppressive, abusive regimes that push the good guys to join the ranks of the bad guys on a system like Tor. That is something we should be very mindful of as we build national computer systems capable of “connecting dots” in the fashion described in this article. The more we can guarantee the privacy of the everyman with strong civil liberty protection, the surer we can be that only scum hides in the shadows. The more you invade civil liberties, the less sure you can be that those hiding are “bad guys”.
Factoring 1024 bit keys
But, the NSA has the ability to brute-force short RSA keys using arrays of custom silicon chips (ASICs or FPGAs).
What we don't know how far they've gotten, what the largest key is that they can crack. I think one of the revelations will be the size of keys the NSA is currently cracking. Since most websites default to 1024 bit keys, that the NSA can routinely crack keys of that size would be an explosive revelation.
Just as important would be revelation about specific cases where it might've used its vast cracking power, such as whether it successfully has decrypted somebody's SSL connections using this technique. If the NSA is routinely cracking RSA in the SSL traffic it eavesdrops on throughout the world, that'd be huge.
Update:A 768-bit RSA key was factored in 2010. They estimate cracking a 1024-bit key would be 1000 times harder, taking 1.5 million desktop computers to accomplish the feat. This is within the NSA's budget. Thus, it factoring these keys wouldn't be surprising -- but proof they regularly do it would cause everyone to update their SSL certificates.
TOR eavesdropping
An interesting revelation would be the extent to which the NSA is monitoring TOR. With enough exit, entry, and internal nodes, the NSA would be able to successfully unmask a person. It would be an enormous investment, though.
My recollections are hazy, but I think most Tor nodes use 1024 bit RSA keys. Thus, the above discussion on RSA factoring can be extended to cover Tor traffic. That ability would be an explosive revelation.
BitCoin mining
A separate issue is anonymity As everyone knows, BitCoin is pseudonymous. Every transaction is logged in a public legger open to everyone, including the NSA. It's just that these transactions are pure metadata. We don't know the physical person behind the BitCoin addresses. However, the NSA can sync this up with other metadata, such as it's tracking of all financial transactions, phone numbers, and IP addresses. That they'd successfully unmasked major BitCoin targets would be explosive.
Also, there is the rumor that Satoshi Nakamura (the pseudonym of BitCoin's creator) is an NSA employee.
Stuxnet and 0day market
But it's unlikely that NSA created it alone. Instead, they probably used contractors and purchased the 0days on the open market. It's like that the sellers of some of those 0days are well known to us in the cybersec community, being people that we personally know.
Likewise, there might be explosive revelations about the extent of the 0day market in general, how many the NSA has been buying, how often they've been used, and who they've targeted.
Backdoors
Modern backdoors are beyond crypto. For example, we might find that anti-virus companies routinely ignore malware at the request of the NSA. Or, conversely, the NSA might have a program for tricking anti-virus companies, such as by creating two copies of software that have the same MD5/SHA1 hash, then successfully getting anti-virus companies to whitelist the good version.
Another example is the iMessage issue. In theory, Apple promises some sort of "end-to-end encryption" such that even they cannot decrypt your messages. In practice, everyone believes there is a backdoor for law enforcement. The exact details of this might be revealed.
In other countries, there is a high degree of mistrust of American products, like Internet routers and telcom equipment. These might be revealed to have backdoors.
Even though most computer hardware and chips are designed in the United States, they usually manufactured in China. There has been constant rumors about the Chinese backdooring hardware during the manufacturing process.
What we might find is that the NSA has been backdooring hardware during the design process.
Skype
Microsoft bought Skype for $8 billion dollars. It doesn't seem to make sense. Now that we see Skype and Microsoft prominently mentioned in the PRISM documents, we may find out that this entire thing was a plot by the NSA.
The way it would work is this. In exchange for being the public face owning Skype, the NSA might guarantee $500-million a year of purchases of "software licenses". This could be a win-win for Microsoft, as it could use these fictitious licenses to hide from Wall Street how much their Windows market share is tanking in the mobile market.
Undersea Cables
As everyone knows, the NSA has its own private nuclear powered submarine.
There's more to it than just cable taps. Through manipulation of BGP routing, it's easy to cause targeted traffic that would normally be wholly within a country to leak out through an undersea cable, and then go back into the country. Revelations of this sort of thing would be pretty explosive.
More monitoring of Americans
As the NSA repeatedly says, they don't monitor Americans themselves -- they just outsource it to the FBI.
There might be more revelations about how the NSA hoovers up various law enforcement data from around the country into "fusions centers" that combine and correlate it.
For example, local police departments are increasingly scanning license plates automatically, recording the GPS location and time when the license plates were seen. This includes cameras on the side of the road, cameras mounted on top of police cars, and or manual action by police officers typing in plates into the computer.
Imagine if all that data was sent to the NSA, to be combined with other metadata, such as the cell location from your phone. I think this would get a lot of people upset.
Booz-Allen itself
The Booz-Allen company itself (as well as other military industrial complex companies) are up to their eyeballs in intelligence stuff. It also has a weird history: it was purchased by the private equity company The Carlyle Group,
All this means that we may be getting some interesting revelations about what the company is up to quite appart from the NSA. I'm not sure I'd want to hold stock in this company (though I probably am through a mutual fund or something).
Robert Mueller in drag
I'm sure the NSA has pictures of the director of the FBI in drag.
(I'm making a joke here, refering to how J Edger Hoover was rumored to be a transvestite. Sadly, in this age of tolerance, jokes and gossip about somebody's transvitism no longer works, because nobody cares.)
They finally come for me
These guesses are just the product of my paranoid fantasies, but there's a chance that some might be correct. I might get two FBI agents showing up at my door or be whisked away in the night for questioning.
For the record, I have not yet received an NSL (National Security Letter). Crypto guy Matt Blaze irregularly points this out on twitter as a neat trick. An NSL forbids a person from disclosing that they received the NSL. Thus, while you can't confirm you've received one, you can simply stop posting that you haven't.
reply