Category Archives: Tor

Can You Be Arrested for Running a Tor Exit Node In Canada? - Motherboard 20150925


In some parts of the world, running a Tor node—a computer that makes up part of the dark web’s backbone—can make you a target for law enforcement. This is because traffic routed through a node could just as easily come from journalists, activists, or drug-slinging criminals, and there’s often no way to trace illegal activity beyond an exit node.

In Canada, however, running a Tor exit node out of your own home is essentially uncharted water, legally speaking. Should Canadian Tor node operators be worried about getting a knock on the door from the police?

“It’s not well understood or well defined,” David Fraser, a lawyer specializing in internet law and partner at law firm McInnes Cooper, told me over the phone. “But if someone were to come to me and say, ‘I want to run an industrial-scale exit node,’ or if a library came to me and said the same thing, among the things I would tell them is that it’s not going to be smooth sailing.”

The problem is that the dark web isn’t just for humanitarians, of course, and child pornography and drugs are trafficked on the Tor network as well. In the US, the FBI has raided the homes of people operating exit nodes—computers through which encrypted, anonymous Tor traffic is finally routed back into the wider web—and the Department of Homeland Security isn’t above bullying libraries into shutting down their own nodes.

Nevertheless, although still a potentially risky proposition, civil rights groups such as the Electronic Frontier Foundation insist that running a Tor exit node in the US is totally legal.

Kate Kraus, a Tor Project spokesperson, told me that people have been running nodes in Canada for years, and a search on the Tor Project’s compass web service reveals that there are 29 exit nodes currently running in Canada. One of those nodes is operated out of the University of Waterloo by Ian Goldberg, a cryptography researcher and lead developer of the OTR protocol for encrypted messaging.

Goldberg says he configures his node so that it doesn’t connect to certain ports that might be used for shady business like executing DDoS attacks. Even so, he occasionally receives letters of complaint, often having to do with intrusion detection systems that have picked up some suspicious traffic passing through his node, but never from the cops.
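The port restriction Goldberg describes is expressed in Tor through the relay's exit policy. The torrc fragment below is an added illustration, not Goldberg's or the Tor Project's actual configuration: the nickname, contact address and the specific port list are constructed for this example. It pairs a port-restricted exit policy with the contact details that abuse-complaint handlers and the relay's ISP rely on, which is the kind of setup the article's operators describe.

```text
# Illustrative torrc for an exit relay with a restricted exit policy.
# Constructed example; values below are placeholders, not a real relay.

Nickname        ExampleExitRelay
ContactInfo     operator AT example DOT org   # where complaint letters land
ORPort          9001
DirPort         9030
SocksPort       0          # a relay should not also be a local SOCKS proxy
ExitRelay       1

# Exit policy rules are evaluated top to bottom; the first match wins.
# Block ports that commonly generate abuse reports against exits.
ExitPolicy reject *:25            # SMTP: spam relaying
ExitPolicy reject *:135-139       # NetBIOS/SMB: worm and scan traffic
ExitPolicy reject *:445
ExitPolicy reject *:1433          # MSSQL
ExitPolicy reject *:3389          # RDP
ExitPolicy reject *:6660-6669     # IRC: frequently flagged by IDS systems

# Allow a narrow set of destination ports that carry ordinary user traffic.
ExitPolicy accept *:22
ExitPolicy accept *:53
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy accept *:993           # IMAPS
ExitPolicy accept *:995           # POP3S

# Everything not matched above is refused.
ExitPolicy reject *:*
```

With a policy like this, any connection attempt to a rejected port never leaves the relay, so intrusion-detection alerts of the kind the article mentions can only arise from the explicitly accepted ports. The published policy is also visible to clients, which route around exits that will not carry their destination port.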

“What I do is just explain what the purpose of Tor is,” Goldberg said. “I say, yes, people do bad things with Tor, but generally the people who do bad things on the internet have lots of ways to do them. What Tor does is allow the people who do not want to do bad things—who are not going to use a botnet or compromise others’ computers—it allows them to have privacy online.”

Goldberg told me he’s not worried about facing legal repercussions, but Toronto police spokesperson Allyson Douglas-Cook told me, after consulting with the cyber crime division, that the Toronto police have investigated Tor exit node operators in the past. Although she would not share specific details of the cases, Douglas-Cook said the police are chiefly interested in cases involving child pornography and ransom.

While the EFF and ACLU in the US are vocal in their support for Tor operators, there aren’t as many groups in Canada taking it up as an issue, and certainly not at the same scale. Tor is not openly discussed by law enforcement or civil liberties organizations north of the border, and when I emailed the Canadian Civil Liberties Association for comment, I was told they had “nothing” to add.

Without a strong human rights body to support the people who may be risking jail to operate a node on the Tor network, small internet service providers have picked up the slack. Ontario-based independent company Teksavvy, for example, is decidedly Tor-friendly.

“It’s not illegal to run a Tor exit node,” said Bram Abramson, chief legal and regulatory officer at Teksavvy. “It’s not illegal to allow people to do things anonymously as a general principle. A lot of it has to do with how you’re using it and positioning it, and how much you know about who’s using it.”

Service providers like Teksavvy in Canada are important for operators to keep running their nodes without interruption; when an ISP doesn’t quite understand what Tor is or what it’s used for besides illegal activity, providers may shut down a node automatically. The Tor Project recommends that node operators tell their ISP they are running a node so they can have some support.

“The majority of our exits that have been shut down are not in Canada,” Jeremy Hiebert, a member of privacy advocacy group Coldhak, which operates several Tor nodes, wrote me in an email. “In Canada we have been able to position ourselves with small ISPs who understand what Tor is and what it does for humanity.”

For now, at least, it seems like being a Tor exit node operator in Canada is all clear skies and smooth seas, save for the occasional letter of complaint. At least, that’s how the node operators I spoke to saw it.

But without clear protections for node operators when it comes to things like copyright—there’s no Canadian equivalent for the “safe harbor” provision in the US’s Digital Millennium Copyright Act, Fraser said, although a 2004 supreme court decision could be interpreted as such—and considering that the cops are keeping a close eye on Tor, it may only be a matter of time before Canadian node operators face scrutiny similar to those abroad.

Countries that Use Tor Most Are Either Highly Repressive or Highly Liberal - Motherboard 20160406


You might assume that people in the most oppressive regimes wouldn’t use the Tor anonymity network because of severe restrictions on technology or communication. On the other hand, you might think that people in the most liberal settings would have no immediate need for Tor. A new paper shows that Tor usage is in fact highest at both these tips of the political spectrum, peaking in the most oppressed and the most free countries around the world.

“There is evidence to suggest that at extreme levels of repression, Tor does provide a useful tool to people in those circumstances to do things that they otherwise would not be able to do,” Eric Jardine, research fellow at the Centre for International Governance Innovation (CIGI), a Canadian think-tank, told Motherboard in a phone call. Jardine is the author of the new paper, recently published in peer-reviewed journal New Media & Society.

Jardine analysed data from 157 countries, stretching from 2011 to 2013. That information included a rating for a country's political repression, derived from assessments made by US-based research group Freedom House, and metrics for Tor usage, sourced from the Tor Project's own figures.

Jardine included data for use of both Tor relays, which are nodes of the network users typically route their traffic through, and bridges, which are essentially non-public relays designed to be used in censorship-heavy countries that might block access to normal relays. He also considered a country's internet penetration rate, intellectual property rights regime, wealth, secondary education levels, and openness to foreign influences.

“The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network,” Jardine writes.

Bridges had the strongest association with political repression. “Moving from a country like Burkina Faso (political repression equals 8) to a country like Uzbekistan (political repression equals 14) results in an increase of around 212.58 Tor bridge users per 100,000 Internet users per year,” the paper reads.

There was also a “statistically significant” relationship between a regime's political context and the use of Tor overall, Jardine adds.

[Figure: Tor bridge use (not relays) plotted against political repression. Image: Eric Jardine/New Media & Society]

Interestingly, however, it's not just harsh regimes that have a higher Tor usage. Countries on the lower end of the political repression spectrum also showed significant use. It was countries in the middle, ranked neither as strictly authoritarian regimes nor as free democracies, that had the lowest number of people connecting to Tor.

This might run counter to some people's intuition; wouldn’t liberal democracies have little need for Tor?

“But because it's dual-use, you start to see a different pattern,” Jardine said, meaning that Tor is not used only to circumvent censorship in oppressive regimes. Instead, the technology could be used to protect privacy, or for criminal purposes. (It's worth remembering that the study looked at data largely from before the fallout of Edward Snowden's June 2013 revelations.)

Why Tor usage peaks at the extremes of the political spectrum is less clear. Jardine hypothesises that it may be connected to a country's political need for such tools, such as circumventing censorship, but also to the increased opportunity for their use—for example, in the US, Tor can be used easily without major consequence. Finding out the reasons for the trend is, however, beyond the scope of this study.

Tor, and the related technology of hidden services, can polarise discussions, with supporters often refusing to acknowledge criminal applications, and critics ignoring positive aspects. In a debate that is often overshadowed by emotions and feverish media coverage, having empirical data and analysis on the use of anonymity technology can only be beneficial.

CIGI-Ipsos Global Survey on Internet Security and Trust - Centre for International Governance Innovation 2016


The 2016 CIGI-Ipsos Global Survey on Internet Security and Trust, undertaken by the Centre for International Governance Innovation (CIGI) and conducted by global research company Ipsos, reached 24,143 Internet users in 24 countries, and was carried out between November 20, 2015 and December 4, 2015.

The countries included: Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.

The global survey was developed to help support the work of the Global Commission on Internet Governance (GCIG). The GCIG, an initiative by CIGI and Chatham House, was established to articulate and advance a strategic vision for the future of Internet governance.

The Dark Net

The survey found that:

Seven in ten global citizens say the “dark net” should be shut down, while three in ten disagree, believing it should continue to exist. The question remains: why do so many global citizens believe the dark net should continue to exist, if it embodies the seedy underbelly of the Internet? The answer lies in the desire of global citizens to preserve the anonymity and benefits that are also a central part of the dark net.

  • 71% of global citizens agree the dark net should be shut down
  • 46% of global citizens trust that their activities on the Internet are not being censored
  • 38% of global citizens trust that their activities on the Internet are not being monitored
  • Only six in ten users say that government assurances that they are not being censored (59%) or monitored (58%) would make them trust the Internet more.


Privacy vs National Security

The survey found that:

Most global citizens favour enabling law enforcement to access private online conversations if they have valid national security reasons to do so, or if they are investigating an individual suspected of committing a crime. The survey also found that a majority of respondents do not want companies to develop technologies that would undermine law enforcement’s ability to access much needed data.

  • 70% of global citizens agree that law enforcement agencies should have a right to access the content of their citizens’ online communications for valid national security reasons, including 69% of Americans and 65% of Canadians who agree
  • 85% of global citizens agree that when someone is suspected of a crime governments should be able to find out who their suspects communicated with online, including 80% of Americans who agree
  • 63% of global citizens agree that companies should not develop technologies that prevent law enforcement from accessing the content of an individual's online conversations
  • Sixty percent of Americans and 57% of Canadians are most likely to agree with this statement.


FBI is fighting back against Judge's Order to reveal TOR Exploit Code - The Hacker News 20160329


Last month, the Federal Bureau of Investigation (FBI) was ordered to reveal the complete source code for the TOR exploit it used to hack visitors of the world’s largest dark web child pornography site, PlayPen.

Robert J. Bryan, the federal judge, ordered the FBI to hand over the TOR browser exploit code so that defence could better understand how the agency hacked over 1,000 computers and if the evidence gathered was covered under the scope of the warrant.

Now, the FBI is pushing back against the federal judge’s order.

On Monday, the Department of Justice (DOJ) and the FBI filed a sealed motion asking the judge to reconsider his ruling, saying that revealing the exploit used to bypass the Tor Browser protections is not necessary for the defense or for other cases.

In previous filings, the defence has argued that the offensive operation used in the case was "gross misconduct by government and law enforcement agencies," and that the Network Investigative Technique (NIT) conducted additional functions beyond the scope of the warrant.

The Network Investigative Technique, or NIT, is the FBI's terminology for a custom hacking tool designed to compromise the computers of TOR users.

This particular case concerns Jay Michaud, one of the accused, from Vancouver, Washington, who was arrested last year after the FBI seized a dark web child sex abuse site and ran it from the agency’s own servers for 13 days.

During this period, the FBI deployed an NIT against users who visited particular child pornography threads, grabbing their real IP addresses among other details. This led to the arrest of Michaud, among others.

Vlad Tsyrklevich, the malware expert retained by the defense to analyse the NIT, said that he received only parts of the NIT to analyse, but not the sections that would ensure that the identifier attached to the suspect's NIT infection was unique.

"He is wrong," Special Agent Daniel Alfin writes. "Discovery of the 'exploit' would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud's computer, not what it did once deployed."

In a separate case, the Tor Project has accused the FBI of paying Carnegie Mellon University (CMU) at least $1 million to disclose a technique it had discovered that could help unmask Tor users and reveal their IP addresses. The FBI denies the claims.

Confirmed: Carnegie Mellon University Attacked Tor, Was Subpoenaed By Fed - Motherboard 20160224


Update: Kenneth Walters, a spokesperson from CMU, told Motherboard in an email, "We have nothing to add beyond our Nov. 18 statement." When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”

In November, Motherboard reported that a “university-based research institute” provided information to the Federal Bureau of Investigation that led to the identification of criminal suspects on the so-called dark web. Circumstantial evidence pointed to that body being the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU). After a media-storm, CMU published a very carefully worded press release, implying that it had been subpoenaed for the IP addresses it obtained during its research.

Now, both the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.

“The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.

“Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.


Between January and July 2014, a large number of malicious nodes operated on the Tor network, with the purpose, according to the Tor Project, of deanonymising dark web sites and their users. The attack relied on a set of vulnerabilities in the Tor software—which have since been patched—and according to one source, the technique could unmask new hidden services within two weeks.

Evidence had already pointed to SEI being behind that attack: SEI researchers Alexander Volynkin and Michael McCord were due to present research at the Black Hat hacking conference in August 2014 on how to unmask the IP addresses of Tor hidden services and their users, before the talk was suddenly canceled without explanation. SEI also submitted a research paper to the 21st ACM Conference on Computer and Communications Security (CCS) in 2014 on unmasking dark web users and sites, although that paper was apparently based on simulations rather than in-the-wild attacks. That research was funded by Department of Defense contract number FA8721-05-C-0003. (The Tor Project has made an unsubstantiated claim that CMU was paid by the FBI to the tune of at least $1 million to carry out the attack.)

This new court document shows that, as many suspected, SEI was indeed behind the attack on Tor, and that information obtained from that move was accessed by law enforcement via a subpoena, facts that Farrell's defense has been aware of for some time, judging by the latest filing.


The Tor Project did not immediately respond to a request for comment, and neither did CMU, DoJ, or Farrell’s representatives. This story will be updated if we hear back.


This latest order was in response to a motion to compel discovery filed by Farrell’s defense in January. They have received “basic information” about the Tor attack, as well as the funding and structure relationship between SEI and DOD, according to the order, but have requested other materials too. The motion was denied by the Honorable Richard A. Jones.

Many of the filings are under seal, so it's not clear what exact information Farrell's lawyers have been trying to get hold of, but this latest order provides some indications. The defense has sought more information on the attack, and “disclosures regarding contacts between SEI, the Department of Justice, and federal law enforcement,” the order reads, encompassing periods before and after SEI performed the attack itself, with a particular emphasis on meetings between the DoJ and SEI.

As for why the court ordered that no further details about how SEI operated and collected IP addresses should be provided to the defendant, Jones claimed that IP addresses, and even those of Tor users, are public, and that Tor users lack a reasonable expectation of privacy.

“SEI obtained the defendant’s IP address while he was using the Tor network and SEI was operating nodes on that network, and not by any access to this computer,” the order reads.

“In order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed towards their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers,” the order continues.

This line of argument echoes that made in a recent case of FBI mass hacking, where a judge wrote that Tor doesn't give its users complete anonymity because users do have to provide their real IP address to a node of the network at some point. Indeed, in his order, Jones pointed explicitly to this ruling.

In sum, “SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny,” the order reads.

Jones adds that the request for further discovery was made “despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous.” As for the other requests made by Farrell's defense, the judge ruled that they were irrelevant and overbroad, and that enough information had already been provided.

Farrell's case is far from the only one affected by SEI's attack on Tor.

Earlier this month, Gabriel Peterson-Siler pleaded guilty to one count of possession of child pornography, and another drug case in Ireland indicates it was also swept up in the institute's actions. In fact, the search warrant issued against Farrell stated that approximately 78 IP addresses that accessed the vendor portion of Silk Road 2.0 were obtained. On top of this, the seizure of Silk Road 2.0 was part of the wider Operation Onymous, which ended in the shuttering of around 27 different dark web sites, suggesting that many more criminal suspects, or those already convicted, were likely discovered with the same approach.

Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers - Motherboard 20160218


On Wednesday, a judge ruled that defense lawyers in an FBI child pornography case must be provided with all of the code used to hack their client's computer.

When asked whether the code would include the exploit used to bypass the security features of the Tor Browser, Colin Fieman, a federal public defender working on the case, told Motherboard in an email, simply, “Everything.”

“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he continued.

Fieman is defending Jay Michaud, a Vancouver public schools administration worker. Michaud was arrested after the FBI seized 'Playpen', a highly popular child pornography site on the dark web, and then deployed a network investigative technique (NIT)—the agency's term for a hacking tool.

This NIT grabbed suspects' real IP address, MAC address, and pieces of other technical information, and sent them to a government controlled server.

The case has drawn widespread attention from civil liberties activists because, from all accounts, one warrant was used to hack the computers of unknown suspects all over the world. On top of this, the defense has argued that because the FBI kept the dark web site running in order to deploy the NIT, that the agency, in effect, distributed child pornography. Last month, a judge ruled that the FBI’s actions did not constitute “outrageous conduct.”


According to court documents in a related case, the FBI harvested approximately 1,300 IP addresses, and around 137 people have been charged so far. Motherboard found that the hacking campaign was global in scope, with computers in Greece, Chile and the UK being affected.

Since September, Michaud's lawyers have been trying to get access to the NIT code. It wasn't until January that Vlad Tsyrklevich, the defense's consulting expert, received the discovery.

However, according to Tsyrklevich, the code was apparently missing several parts. One of those was the section of the code ensuring that the identifier issued to Michaud's NIT infection was truly unique, and another was the exploit itself, used to break into his computer.

“This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud's computer, beyond the one payload that the Government has provided,” the lawyers write in an earlier filing.

The code of NITs has been disclosed in the past. In a similar 2012 case called Operation Torpedo, the government provided details of its technique, which turned out to be a novel use of popular hacking-toolkit Metasploit. Specifically, the FBI used a Flash applet to make a direct connection over the internet, instead of routing the targets’ traffic through Tor.

Now, it looks like the defense in this latest case will receive its own answers.

“The order yesterday requires disclosure of all the code components,” Fieman told Motherboard on Thursday, but he didn’t say when his expert would be receiving the code itself.

Peter Carr, a spokesperson for the Department of Justice, did not directly answer when asked whether the defense would be provided with the Tor Browser exploit.

“The court has granted the defense's third motion to compel, subject to the terms of the protective order currently in place,” Carr wrote to Motherboard in an email.