[HN Gopher] Is "KAX17" performing de-anonymization Attacks again...
___________________________________________________________________
Is "KAX17" performing de-anonymization Attacks against Tor Users?
Author : Tomte
Score : 168 points
Date : 2021-12-06 18:30 UTC (4 hours ago)
(HTM) web link (nusenu.medium.com)
(TXT) w3m dump (nusenu.medium.com)
| amatecha wrote:
| Lightweight frontend alternative: https://scribe.rip/is-
| kax17-performing-de-anonymization-atta...
| nabakin wrote:
| Front ends are getting more common around here. I like this
| change. If they reach mainstream, maybe websites will finally
| become more responsive
| jerheinze wrote:
| Instead of messing with your path selection a better strategy
| would be to just run your own guard nodes that you trust (a guard
| node is the first node that you connect to in a Tor circuit) and
| to stick with them. Remember, de-anonymization attacks require
| the attacker to control both the guard node and the exit node at
| the same time.
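To make the "both ends" requirement in the comment above concrete, here is a toy model (added here; it is not code from the thread, from Tor, or from any project named on the page) of how often a client who builds many circuits ends up with an adversary on both the guard and the exit. Assumptions, all mine: relay selection is proportional to weight, the adversary holds a fraction `adv_guard_frac` of total guard weight and `adv_exit_frac` of total exit weight, positions are chosen independently, and a circuit can only be correlated when the adversary holds both its guard and its exit. The names and the Monte Carlo harness are hypothetical.

```python
"""Toy model of guard+exit correlation risk across many circuits.

Three client strategies are compared:
  - rotating:   a fresh random guard for every circuit
  - persistent: one random guard chosen once and kept (Tor's default idea)
  - trusted:    a guard the client runs and trusts, so adversary guard weight is 0
All numbers are illustrative; they are not measurements of the real Tor network.
"""
import random


def per_circuit_compromise_probability(adv_guard_frac, adv_exit_frac):
    """Chance that ONE circuit has an adversary-controlled guard AND exit."""
    return adv_guard_frac * adv_exit_frac


def rotating_guard_risk(adv_guard_frac, adv_exit_frac, circuits):
    """New guard per circuit: every circuit is an independent trial, so the
    chance that at least one circuit is correlated grows quickly with use."""
    p = per_circuit_compromise_probability(adv_guard_frac, adv_exit_frac)
    return 1 - (1 - p) ** circuits


def persistent_guard_risk(adv_guard_frac, adv_exit_frac, circuits):
    """One guard kept for all circuits: correlation is only possible if that
    single guard is bad, and then any circuit with a bad exit exposes both ends."""
    p_some_bad_exit = 1 - (1 - adv_exit_frac) ** circuits
    return adv_guard_frac * p_some_bad_exit


def trusted_guard_risk(adv_exit_frac, circuits):
    """Client-run, trusted guard: adversary weight at the guard position is 0,
    so the exit-side observation alone never yields both ends."""
    return persistent_guard_risk(0.0, adv_exit_frac, circuits)


def simulate(adv_guard_frac, adv_exit_frac, circuits, clients, persistent, seed=1):
    """Monte Carlo check of the closed forms above (constructed scenario)."""
    rng = random.Random(seed)
    compromised_clients = 0
    for _ in range(clients):
        guard_bad = rng.random() < adv_guard_frac
        for _ in range(circuits):
            if not persistent:  # rotating strategy re-rolls the guard each time
                guard_bad = rng.random() < adv_guard_frac
            exit_bad = rng.random() < adv_exit_frac
            if guard_bad and exit_bad:
                compromised_clients += 1
                break
    return compromised_clients / clients


if __name__ == "__main__":
    g, e, n = 0.10, 0.10, 100  # constructed: 10% of guard and exit weight, 100 circuits
    print("rotating  :", round(rotating_guard_risk(g, e, n), 4),
          "sim", simulate(g, e, n, 20000, persistent=False))
    print("persistent:", round(persistent_guard_risk(g, e, n), 4),
          "sim", simulate(g, e, n, 20000, persistent=True))
    print("trusted   :", trusted_guard_risk(e, n))
```

With 10% adversary weight at each position and 100 circuits, the rotating strategy is correlated at least once with probability about 0.63, the persistent guard caps that at about 0.10 (the chance the single guard was bad in the first place), and a trusted guard brings it to 0 in this model. The model ignores bandwidth weighting details, relay families and the question raised in the replies of whether a guard used by only one client stands out; it only shows why the guard position is the one worth controlling yourself.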
| pstrateman wrote:
| That only works if the attacker doesn't know the guard node is
| you.
|
| If they do, all you've done is made the middle node the guard.
| jerheinze wrote:
| > That only works if the attacker doesn't know the guard node
| is you.
|
| That's not how Tor nodes work. Once you set up a guard node
| (and it got enough reputation) you won't be the only person
| using the guard node. Also de-anonymization attacks require
| you to know the traffic coming to the guard node (and if you
| run a trustworthy one yourself and you're not dealing with a
| global passive adversary then there's no way the attacker
| will be able to see the incoming traffic to the guard node).
| VWWHFSfQ wrote:
| Running your own node and "sticking with it" is not a great
| idea especially if you're the only one using it. You will be
| spotted and identified pretty much instantly
| jerheinze wrote:
| > especially if you're the only one using it
|
| That's not how Tor nodes work. Once you set up a guard node
| (and it got enough reputation) you will NOT be the only
| person using it.
| yardstick wrote:
| > > just run your own guard node that you trust
|
| I guess this approach works fine for an individual, but if
| everyone has to run their own guard node to be safe, why
| would anyone connect to your guard node (given it would be
| risky from their perspective since they aren't running it
| themselves)?
|
| In other words, if you accept you can't trust anyone else,
| why would anyone else trust your node too?
|
| (Edit: Sorry I'm wording it poorly but I hope you get the
| idea)
| jerheinze wrote:
| The overwhelming majority of people don't customize their
| path selection in Tor, so you will always get traffic to
| your new guard node.
| p_j_w wrote:
| I think what GP was getting at is that your solution is
| not a global one. Not everyone can employ it.
| int0x2e wrote:
| If you want your guard node to be helpful in anonymizing your
| traffic, you should really make sure it's public and used by
| some % of the global user base (so that your traffic blends in
| the noise). Once you do that though, you will always have to
| trust that node a little less than you could if it was walled-
| off so it would only serve you, just because it is another
| machine serving connections on the internet that will likely be
| targeted by adversaries who would benefit from turning many of
| the guard nodes into part of their Tor de-anonymization
| service.
|
| If I had endless resources and was truly paranoid, what I'd do
| is build my set of public guard nodes, make sure they're
| serving Tor traffic, etc. But then, I'd "borrow" those IPs
| occasionally for trusted nodes which will only accept
| connections from me (ideally both sets of machines will be live
| and routing traffic simultaneously).
|
| In theory, you could apply the same tricks with similar success
| to exit nodes of course (though as usual, running an exit node
| is generally a slightly riskier / harder thing to do)
| kingcharles wrote:
| What was the email address they were using?
| fdhfdjkfhdkj wrote:
| This author is going to either get recruited by or murdered by
| this malicious actor
| hereforphone wrote:
| Question from someone outside the Tor loop: how do they know that
| these various nodes are correlated with one another / belong to
| the same entity?
| mmastrac wrote:
| It's not specified, but related to the software they are
| running:
|
| "In autumn 2019 I stumbled on something odd: Tor relays doing
| something that the official tor software is unable to do." [1]
|
| [1] https://nusenu.medium.com/the-growing-problem-of-
| malicious-r...
| rsync wrote:
| "... how do they know that these various nodes are correlated
| with one another ..."
|
| The OP alludes to this:
|
| "... and the fact that someone runs such a large network
| fraction of relays "doing things" that ordinary relays can not
| do (intentionally vague), is enough to ring all kinds of alarm
| bells."
|
| ... and the OP is "intentionally vague".
|
| I, also, am very interested to know how they correlated them
| and what the interesting behavior was that they exhibited ...
| password4321 wrote:
| In very small part:
|
| > _Some of KAX17's relays initially had used that email
| address in their ContactInfo but soon after these relays were
| setup the email address got removed from their configuration._
| qeternity wrote:
| Nice try, KAX17
| tn890 wrote:
| Surprised to see a quality post on Medium. I'd be interested to
| know why the author chose Medium?
| drugones wrote:
| Medium was good when it started, then got overhauled by low
| quality; you can still find good content here and there.
| tantalor wrote:
| Weird how this article has a "hashtag" but it's not a link, so it's
| not actually a hashtag.
|
| Medium actually has a "tag" feature, but this ain't it:
| https://medium.com/tag/KAX17 (404 Page Not Found)
| sp332 wrote:
| Twitter users started using hashtags well before the Twitter
| platform automatically turned them into links. The important
| part of a hashtag is the syntactic # and not the HTML <a> tag.
| wlesieutre wrote:
| That's useful if you can do exact text searches, which are
| increasingly not supported
| russh wrote:
| Of course, it's Medium.com policy never to imply ownership in
| the event of a hashtag. We have to use the indefinite article,
| "a hashtag," never ... your hashtag.
| analognoise wrote:
| https://youtu.be/GfqEBVFHnTg
| [deleted]
| saurik wrote:
| FWIW, as much as people love to rag on cryptocurrencies, I feel
| like this is where they shine. ( _Of course_ --as someone like me
| always shows up--I work on Orchid, a cryptocurrency market for
| bandwidth that is intended to support various use cases including
| those similar to Tor.)
|
| The issue is that no one entity should be able to just sit around
| and dominate the directory of nodes by claiming "I'm a million
| nodes, wheee!!!", and so that needs to be "expensive". However,
| for it to be expensive, they also need a way to make money
| running the nodes.
|
| In our case, people have to lock some money up in a shared pile
| in order to gain control over percentages of the directory, and
| what you get in return is that you randomly will get people using
| you to relay their traffic, for which they will pay you fees
| (likely close to cost).
|
| (Essentially, instead of Tor's mechanism where, when you want to
| find a relay node, you randomly select between all entries with
| equal weight, you would select between market participants
| linearly weighted by the amount of money they have locked up in
| the directory.)
|
| And that's really what most of these cryptocurrencies are doing
| in this generation of new decentralized protocols (which I've
| seen people hate on): dealing with the reality that there are bad
| actors and not everyone is going to run the software without evil
| changes.
|
| This is also the core of Ethereum: you want a decentralized
| database capable of transactions? OK, well, the order of
| operations matters (as transactions can preclude the ability for
| later incompatible ones) and so we need to limit the influence
| that any one operator has...
|
| ...so you build a system where nodes have to spend something--
| either doing some silly math constantly (proof of work) or
| locking some money up in a pile (proof of stake)--to gain control
| over percentages of the directory, and in return they get to
| charge fees to commit transactions.
|
| (There is additionally often an inflation-based block-rewards
| component, in the case where no one is paying fees. I'm honestly
| not for these and have a way-too-complex-for-here argument for
| why they might even be "evil" in most cases, but that's kind of
| irrelevant anyway.)
|
| The reality is that, if you want to build a decentralized system,
| and you want to figure out how to make it hard for bad people to
| do bad things, you have to raise the cost of doing said bad
| things; but, to do that will require programmable money...
| leading you to crypto.
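The comment above contrasts a directory where every listed identity counts equally with one weighted by locked funds. The following is an added illustration of that contrast, not Orchid's, Tor's or any other project's code. Assumptions, all mine: an "equal weight" directory picks uniformly among listed identities, so registering identities is free and an adversary's share grows with how many it registers; a "stake weighted" directory picks in proportion to locked funds, so the adversary's share is bounded by what it locks up. Names (`honest-*`, `adv-*`) and the sample numbers are constructed.

```python
"""Toy comparison of equal-weight vs stake-weighted relay selection
under a sybil (many free identities) strategy."""
import random
from fractions import Fraction


def equal_weight_share(honest_identities, adversary_identities):
    """Adversary's selection share when every identity is weighted 1."""
    return Fraction(adversary_identities, honest_identities + adversary_identities)


def stake_weighted_share(honest_stake, adversary_stake):
    """Adversary's selection share when weight is proportional to locked stake.
    Splitting the same stake across more identities does not change this."""
    return Fraction(adversary_stake, honest_stake + adversary_stake)


def stake_needed_for_share(honest_stake, target_share):
    """Stake the adversary must lock to reach target_share of selections:
    solve s = a / (h + a) for a, giving a = s*h / (1 - s)."""
    target = Fraction(target_share)
    if not 0 <= target < 1:
        raise ValueError("target_share must be in [0, 1)")
    return target * honest_stake / (1 - target)


def build_directory(honest_n, honest_stake_each, adv_n, adv_stake_total):
    """Constructed directory: name -> locked stake. The adversary spreads a
    fixed total stake thinly over many identities."""
    directory = {f"honest-{i}": float(honest_stake_each) for i in range(honest_n)}
    directory.update({f"adv-{i}": adv_stake_total / adv_n for i in range(adv_n)})
    return directory


def observed_share(directory, owner_prefix, draws, seed=1):
    """Weighted random selection from the directory, returning the fraction
    of draws that landed on identities starting with owner_prefix."""
    rng = random.Random(seed)
    names = list(directory)
    weights = [directory[n] for n in names]
    picks = rng.choices(names, weights=weights, k=draws)
    return sum(p.startswith(owner_prefix) for p in picks) / draws


if __name__ == "__main__":
    # constructed: 100 honest relays locking 10 each; adversary registers
    # 900 identities but locks only 10 in total
    directory = build_directory(100, 10, 900, 10)
    uniform = {name: 1.0 for name in directory}
    print("equal weight, adversary share :", observed_share(uniform, "adv-", 5000))
    print("stake weighted, adversary share:", observed_share(directory, "adv-", 5000))
    print("stake to reach 50% against 1000 honest:", stake_needed_for_share(1000, Fraction(1, 2)))
```

In the constructed scenario the adversary takes roughly 90% of selections under equal weighting but about 1% under stake weighting, and reaching 50% would require locking as much stake as all honest participants combined. The model says nothing about whether that cost deters a well-funded actor, which is the objection the replies below raise.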
| NikolaNovak wrote:
| >>"The issue is that no one entity should be able to just sit
| around and dominate the directory of nodes by claiming "I'm a
| million nodes, wheee!!!", and so that needs to be "expensive".
| However, for it to be expensive, they also need a way to make
| money running the nodes. "
|
| I always feel either I'm stupid or I'm missing something when
| it comes to crypto, because I understand words and I feel I
| understand concepts but I don't understand linkages others take
| for granted, as it pertains to the problem at hand of anonymous
| communication.
|
| If nodes are expensive, doesn't the NSA have more money than any
| given privacy focused individual or organization?
|
| If they make money, how is it expensive in a useful way?
|
| I genuinely don't understand how that solution solves a
| problem, unless the problem is "we need another way to
| transfer money (ideally to ourselves and early adopters from
| late adopters)."
| saurik wrote:
| > If nodes are expensive, doesn't the NSA have more money than
| any given privacy focused individual or organization?
|
| So, two things are going on here.
|
| The first is that I doubt KAX17 is the NSA... they might not
| even be a government! Most systems people build that rely on
| altruism are so easily attacked that a grad student can take
| control of them using resources at a University. I appreciate
| that the bar to prevent the NSA (or the CCP, or whatever
| other government surveillance network you are most concerned
| about) taking over your network is high, but the bar right
| now is just _so low_ for most of these protocols that it
| should be embarrassing. If the NSA were really the only
| problem for Tor, I'd call that "a wild success".
|
| The second, though, is that the goal should be to get big
| enough that the NSA would actually have a hard time
| dominating the resources of the pool. This requires being
| pretty large, but isn't insanely impossible. Let's look at
| Bitcoin for a moment: I am one of the first people to agree
| that "proof of work is probably an immoral way to solve this
| problem" (due to the externalized environmental effects of
| electricity usage and the such), but damn if it isn't
| effective, right? Bitcoin uses 0.5% of the world's
| electricity. That means to take control of half the Bitcoin
| network the NSA would have to build out the infrastructure
| for buying an equivalent amount of the world's electricity
| usage... I bet that's hard, even for them.
| AlexanderTheGr8 wrote:
| > The reality is that, if you want to build a decentralized
| system, and you want to figure out how to make it hard for bad
| people to do bad things, you have to raise the cost of doing
| said bad things; but, to do that will require programmable
| money... leading you to crypto.
|
| So to create a decentralized system like crypto, you need
| crypto (as programmable money)?
|
| Also, can you elaborate on locking money in a pile? Do people
| lock money as the currency? How does it demotivate people
| (whose money is locked) to do bad things?
| hnarn wrote:
| The adversaries mentioned in the article are highly
| sophisticated and seem to have access to a great amount of
| resources. They may be, and some would probably say they likely
| are, working for nation states.
|
| Given a situation where your adversary is a nation state, how
| does crypto fix anything? How is crypto not in the end just
| "proof-of-resources"? Nation state wins.
|
| The article touches on trust models and personally I think it
| would be a better solution to introduce some kind of manual
| trust into the routing. If there's one thing Tor does not need,
| it's crypto-"currencies".
| saurik wrote:
| I just-about-concurrently to you asking this question
| answered a similar question someone else had posed already
| (using the NSA as their specific example) here:
| https://news.ycombinator.com/item?id=29466855.
___________________________________________________________________
(page generated 2021-12-06 23:00 UTC)