Ben Laurie blathering

Tor Executive Director Loses The Plot?

HD Moore wrote a gadget to track down incautious Tor users. Of course, if you don’t anonymise your DNS and you enable Java/Javascript in your browser, then you deserve to get tracked down. So, no news there, really, except that HD has actually gone to the trouble to implement a tool that exploits this foolishness.

More disturbing is the apparent attitude of Tor’s Executive Director, Shava Nerad:

“Mr. Moore’s solution will not solve the problem he is trying to solve, and in the process, he will hurt a lot of people that he should be helping,” Nerad said.

Moreover, Moore’s reliance on keywords to identify potential illegal transactions would likely have a high false positive rate, Nerad said.

The problem he’s trying to solve is, apparently, paedophiles using Tor to cover their tracks. But what is Ms. Nerad on about? Why does she think that HD exploiting this problem and making it public is bad? Surely alerting users to the issue is the important thing? We have to assume the tool exists whether we know about it or not.

Also, if it isn’t going to solve HD’s problem, how’s it going to damage users he should be helping? It either works or it doesn’t!

Furthermore, the “reliance on keywords” attack is lame – clearly false positives can be eliminated by examining the records after the fact.

I am not impressed.

BTW, if anyone finds a link to Torment (for that is what its called), let me know. Oh, and my advice: if you really want to be safe from Tor operators, make sure you use encrypted protocols over Tor, plaintext is clearly going to bite you.



    Comment by Anonymous — 12 Mar 2007 @ 15:06

  2. HD Moore linked to it from one of his posts to or-talk.

    Comment by Steven J. Murdoch — 12 Mar 2007 @ 15:14

  3. I think it’s “bad” because HD’s solution isn’t going to accomplish what he wants to do.

    Here’s my understanding of US law: An individual can’t legally collect this information without violating federal law. Law enforcement can’t use it without a warrant, suspecting a specific individual.

    There are more victims of pedophiles out there, and they use Tor to access support groups via Tor. So this tool is as likely to “catch” victims as perps.

    But the exploit kit *will* be used, just by substituting a new word list, by whom? By people willing to illegally violate privacy, and by governments looking for, for example, “tibet, falun gong, democracy.”

    Because oppressive governments will use a canned solution to make it even easier for them to persecute human rights workers, activists, journalists and bloggers, Moore’s kit could be responsible for jailing, disappearing, or killing people whose motives he admires.

    But honestly, it’s unlikely to be of any further use to law enforcement here, who already know how to track a pedophile who has his Tor misconfigured to allow Java.

    Feel free to contact me for more information
    Shava Nerad
    Tor executive director
    shava -at- freehaven -dot- net

    Comment by Shava Nerad — 12 Mar 2007 @ 16:21

  4. I think what Ms. Nerad means is the Tor folks have known about this attack. It’s really hard to counter. It would be a lot more helpful for people to work on deeper browser integration to break the attack than to distribute attack code to demonstrate that a known, documented attack works.

    Alternately, we could get major internet companies to use less javascript, so it would be easier to browse the web with js off.

    Comment by Adam — 12 Mar 2007 @ 16:23

  5. Shava’s response makes even less sense than her original comments.

    a) HD’s solution isn’t “bad” because it doesn’t work, its broken.

    b) Victims can be clearly distinguished from perps by looking at what they did.

    c) The existence of HD’s tool changes not one iota the risk to human rights works, activists, journalists and bloggers. If they assume no such thing is being used against them, then they are in danger.

    d) If law enforcement already know how to track paedophiles with Java switched on, why do you think “oppressive governments” do not?

    Comment by Ben — 12 Mar 2007 @ 16:31

  6. Hi, Ben. Let’s step back from our security design mindset for a moment.

    Suppose it’s 1996, and we’re in the middle of the crypto wars. Suppose that I published an exploit for some crypto project that you were working on, and that I did so
    A) without contacting anybody in the project beforehand, and
    B) promoted my exploit as “here is a tool to catch all of the dirty criminal terrorist perverts who hide behind Ben’s cryptography.”

    Surely you’d be a bit miffed?

    Nobody is claiming that writing exploits per se is evil. I’d be pretty happy with HD’s work here if he were only using it to advertise the dangers of Java, Javascript, and friends when used with Tor. That’s security research, and that’s a fine thing. What bothers me is the fact that his media-facing statements have (AFAICT) not actually mentioned that user misconfiguration that makes his tool work, but instead painted Tor as a den of criminal perverts, and Tor-busting as every node operator’s right. This is not the way I was taught to do security research. (On non-media-facing communication, he seems far readier to actually discuss vulnerabilities and how to fix them.)

    (Side issue 1: in the US, for legal reasons, surely it wouldn’t be a good idea to “examing the content after the fact” if you’re not the cops: if your keywords are good, you’d like find yourself violating the very laws against CP possession that you’re trying to catch violators of.)

    (Side issue 2: I agree that the “falun gong” example is not the best, given China’s likely capabilities. I’ll suggest “abortion providers” or “domestic abuse shelter” or “gay dating” are likelier targets for nasty snoops. Also, IMO, people who face reprisal for stuff like this don’t “deserve to get tracked down” even if they _can’t_ figure out browser configuration.)

    Comment by Nick M — 12 Mar 2007 @ 17:33

  7. I might be a bit miffed, though if its an exploit for a problem I have already agreed exists and do not have (or intend to have) a fix for, I’m not entirely sure what else I would be expecting.

    I totally agree that there’s a need to set the record straight with respect to when the tool can be used and with the actual usage patterns of Tor, but saying HD is naughty and his tool doesn’t work anyway, so there, is hardly the best approach.

    And you are right, people who fail to configure properly don’t deserve to be tracked down – however, they _are_ going to be tracked down so its a good idea to try to educate them.

    Comment by Ben — 12 Mar 2007 @ 18:21

  8. You might expect, “Hey, here’s another exploit for this well-understood problem in Ben’s tool. If anybody believed that this was a hard thing to exploit, they were wrong. Use the workaround, you stupid gits” rather than “here is a tool to catch all the dirty criminal terrorist perverts who hide behind Ben’s crypto.”

    I don’t want to be hostile here, so let me add: in his or-talk posts _after_ the original article broke, HD has been much more like the former than like the latter. Also, I have no idea how much of the writeup in the media is HD’s fault; he may well have discussed a whole bunch of applications, and had the reporter run off with one. Certianly, one can read a great deal into a couple of paragraphs from an online news article.

    Comment by Nick M — 12 Mar 2007 @ 18:37

  9. Don’t know if anyone reads these comments this long after the
    fact, but I just ran across this, so here goes.
    Where there seems to be no disagreement above:
    What HD did was basically something that is well known technology
    and at most a small variant on what has been done and made
    available many times over the last many years. So, the impact is
    not on the technology but rather on its usage, public image and
    policy. Here I think Shava is dead-on. But the person who best
    stated the hurt-the-good-while-doing-no-harm-to-the-evil effect
    of the publicity around HDs work was Freemor. See

    Comment by Paul — 26 Mar 2007 @ 16:07

  10. either tor works 100% or it doesn’t.
    Either Tor will be patched to prevent exploitation or it will die.
    there is no gray in the area of security

    Comment by Blocko — 3 Aug 2008 @ 0:58

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress