The worst Tor "leak" of them all

To stay ahead of new and evolving threats, cryptostorm has always looked out past standard network security tools. Here, we discuss and fine-tune our work in bringing newly-created capabilities and newly-discovered knowledge to bear as we keep cryptostorm in the forefront of tomorrow's network security landscape.
User avatar
Posts: 612
Joined: Sun Dec 16, 2012 6:34 am

The worst Tor "leak" of them all

Post by Pattern_Juggled » Fri May 17, 2013 1:38 pm

What follows below isn't actually a "leak" as we define it in this subforum - nor does it relate to VPN service. So what's up?

Simply put, a security technology or tool that's sufficiently complex and user-unfriendly in how it interacts with the human it's intended to protect can easily become not just useless but actually worse than useless: by providing a false sense of confidence that "security" is guaranteed, these clunky tools cause enormous - and occasionally terrible - harm.

In my own experience (and opinion, fwiw), the worst sorts of faults like this in the VPN/network security market are tools that require users to actively remember to engage them, require fiddly configuration of individual applications and are able to protect only application-specific data, and require users to proactively confirm they're actually working lest she find herself exposed despite assuming things were ok.

Tor is guilty of all of these flaws, and more.

In some circles, criticizing Tor is akin to suggesting the Pope isn't catholic: apostasy. That's completely fucking silly. Tor is neither perfect, nor in fact the sine qua non of network security. Yes, it's got some spokesmodels who tour the world (funded substantially by U.S. military cash... which is an irony I'm not even going to touch) polishing the image of Tor as an automatical hero-tech of indescribable coolness and power. Most other security tools don't have the luxury of sponsored, never-ending worldwide junkets for PR flaks - certainly no other opensource "nonprofit" network security projects have anything close to the PR budget that Tor does. That cash burn on PR has resulted in levels of press hype that might make even grizzled PR hands blush in reflected embarrassment. Any criticism of Tor - literally any criticism risks retributive swipes from the globetrotting Tor PR flaks... and few folks dare to risk that kind of firepower just to state obvious things.

Obvious things like, well, that Tor is a pain in the ass to use for actual human beings. As in non-technical, non-geek, non-coding human beings. True, some members of the Tor team seem to consider such creatures beneath contempt... but they do make up a majority of the human race, so there's that. Other Tor team members crisscross the globe teaching actual human beings how to actually make Tor work without making perhaps-fatal mistakes along the way. One might suggest that actually making Tor user-friendly - investing in that, rather than another round of press junkets and hype tours - is a better investment of resources... but in any case a technology that requires high-end coding talent flit 'round the world to tell people how to actually make it work has something wrong with it, both ontologically and in purely practical terms.

Standard caveats: Tor does some things really, really well and is very much a useful part of the network security ecosystem. And the Tor team - even the press-hounds yours truly might find a bit much to swallow in PR terms - are genuinely good folks; some are simply fucking brilliant technologists as proved by extensive published output and code contributions, and all could be making way more money doing shady things for government agencies. These facts are incontrovertible, and on a personal level the Tor folks get my genuine personal respect, no footnote needed.

That said, even folks - and projects - we respect shouldn't be immune from criticism, nor should they develop the bully's habit of lashing out at critics when folks "dare" to suggest potential imperfection. That's bad for everyone. Tor is not sacrosanct - irrespective of the good it, and its team, does.

And by far the worst thing about Tor is that Tor requires of its users a level of expertise, oversight, and careful attention to detail that's simply never going to be found in 99% of actual human beings. That's a serious problem. Like... a really serious problem. It's not a flaw in the theoretical model, nor a bug in the codebase, nor even a "feature" that can be added; rather, it's an approach to delivering network security that's deeply disconnected from reality. In reality, network security has to "just work" and do so reliably, consistently, and durably or it's not going to be used. Worse, it might be used but it's flaky behaviour will result in tragedies.

The story below is an astonishingly clear example of just how this dynamic works. Even a technically competent individual - Sabu - was to (inevitably, given the above limitations in the Tor user model) eventually make a mistake using Tor. And one mistake is all it took, playing at that level of the game. It brought down Sabu, and a whack of other activists to boot. It killed LulzSec. It emboldened American police goons in ways it's difficult to overstate. It put Jeremy Hammond in prison, perhaps for life. And on, and on, and on.

And fucking on and fucking on.

So, please, next time you hear some geek blathering on about how fantastically splenderific Tor is, remember this: if it can't even be used "correctly" by a card-carrying, justifiably-paranoid geek, how the hell are actual human beings supposed to use it without always knowing they'll eventually "make a mistake" that might just cost them their lives? They can't.

- - -

LulzSec: what they did, who they were and how they were caught
From May 2011, the hackers targeted organisations, including the FBI, around the world – now many group members face jail
Charles Arthur | | Thursday 16 May 2013 17.39 BST

In July 2011, LulzSec hacked the Sun's website – forcing the newspaper to take down the site. Photograph: Rex Features
Early in May 2011, was targeted by a new hacking group which had been formed in private online chatrooms of the hacking collective Anonymous. They called themselves LulzSec – a contraction of "lulz", for laughs, and "security", which is what hackers like to compromise. The reason for the attack? Apparently because had described a rapper called Common as "vile" on-air.

The group discovered a weakness in the site, and used that to leak the profiles and names of 73,000 X Factor US contestants. "We don't like you very much. As such, we cordially invite you to kiss our hand-crafted crescent fresh asses," the group wrote in a message about the attack on Pastebin, the site that many hackers use to record their exploits.

From there, the hackers moved on to hit multiple targets of varying fame: US broadcaster PBS, where they planted a fake story saying the dead rappers Tupac Shakur and Biggie Smalls were in fact alive and living in New Zealand. Later they hacked into games companies including Nintendo (though without success) and Bethesda Studios.

They also attacked Sony's PlayStation Network, stealing 24.6 million customers' private data, and leading the company to take the network offline for days. They thought of themselves as "latter-day pirates" and boasted they were "gods" when they attacked a site.

LulzSec's members never met in the real world; they were unaware of each others' identities. Some were based in the US, and some in the UK, pointing to the way that hacking too has become globalised.

They knew each other's online "handles": Ryan Cleary, based in Wickford, Essex, was "Viral"; Jake Davis, from near Lerwick, Shetland, was "Topiary"; Mustafa Al-Bassam, in south London, was "Tflow"; Ryan Ackroyd, in Mexborough, South Yorkshire, was "Kayla", a former army recruit who pretended online to be a teenage girl based in the US in order to throw those trying to discover his identity off the scent. Their ostensible leader – by action if not name – was "Sabu", in reality New York-based Hector Xavier Monsegur, a Puerto Rican freelance programmer.

Their intention, the court heard after some members were arrested, was just to gain attention, embarrass website owners and ridicule security measures. But by putting private information – including credit card details – online, the group caused problems that cost hundreds of thousands of pounds to fix. LulzSec's response was that sites that were so insecure they could be hacked in this way were a risk to the sites' customers.

They also "phone bombed" companies, posting contact numbers publicly and encouraging their supporters to call – leading some support centres to report receiving up to 30 calls per minute.

Not for profit?

There's no sign they aimed to make profit directly from their activities as a group – although Monsegur, then 27, did have a sideline in using stolen credit card details to buy goods. The court heard Davis's computer had 750,000 items of stolen data when he was arrested, including passwords, credit card details and addresses, all of which could be used to make fraudulent purchases, though he was not charged with doing so.

And as individuals, some did profit from what they were doing. Cleary had spent five years building up a "botnet" – where more than 100,000 Windows computers around the world had been infected with a virus which enabled him to use them without the owner's knowledge. Those, the court heard, were hired out for "several thousand pounds a month" to send out spam, host phishing sites and run "denial of service" attacks against websites.

Cleary also pleaded guilty to possessing child abuse images – separate to his activities with LulzSec – which repeatedly expressed distaste for those who deal in "kiddie porn".

However, Cleary wasn't a core member of the group; they used his services to attack sites such as Eve Online, Minecraft, League of Legends and the IT security company FinFisher, whose government-approved surveillance software had attracted the attention of Monsegur.

In fact, it was Ackroyd who was the most skilled of the UK-based hackers, along with Bassam, then only 17. Davis, a quietly-spoken Scot who had had a difficult time at school, created the public face of the group: he co-ordinated activities and controlled the LulzSec Twitter account, which rapidly gained a huge following: by the time it made its last tweet – on 27 July 2011 – it had more than 340,000 followers, putting it well into the "celebrity" bracket.

Its ethos was that of a group of teenagers running amok in a cyber-toyshop, seeing what they could take and break, while thumbing their nose at both the authorities and rival hackers trying to "dox" them – meaning get documents on them.

The latter group combed through internet archives to try to find evidence that would tie their online handles to real-life identities. "Sabu" was wrongly identified as a man in Portugal; similarly incorrect identifications were made of "Topiary" (as a Swede).

Beginning of the end

The group's downfall came over two days within a single week. The first was on 3 June, when it hit an FBI-affiliated site – almost certainly at Monsegur's urging – and knocked it offline. At that, two of the members – "recursion" and "devrandom" – quit the group. Chatroom logs from that period obtained by the Guardian show that Monsegur, as "Sabu", told the rest of the group: "You realise we smacked the FBI today. This means everyone in here must remain extremely secure."

By hitting a government site, rather than a commercial one, LulzSec had made the stakes dangerously high, bringing itself to the attention of federal authorities in the US.

Then on 7 June 2011, Monsegur, who usually took care to disguise his location by using the Tor system – which anonymises data connections – forgot to use it when logging into an Anonymous chat forum. The FBI spotted him and traced his connection back to his home on Manhattan's lower East Side. Soon after, agents showed up at his door. (The FBI was reportedly already after him via his Facebook profile, on the basis that he had been illicitly trading credit card details.)

They offered him a stark choice: be arrested and remanded in jail, or co-operate. Monsegur, who had taken over parental care for his two nieces, then aged four and five, didn't want to see them go into foster care; he chose the latter. Arguably, the fate of Monsegur's two nieces decided the fate of LulzSec.

After a week's silence, Monsegur came back online – but now the FBI was monitoring everything he did. Suddenly, things moved fast. On 20 June, LulzSec knocked the UK's Serious Organised Crime Agency (Soca) website offline, apparently using Cleary's botnet. Now the authorities on both sides of the Atlantic were after them.

At 3.30am on Tuesday 21 June, Cleary was arrested. Through the LulzSec Twitter account, Davis tweeted that Cleary wasn't a member of the group. The hacking went on – except now the authorities were gathering information about what was being done. The net began closing.

On 19 July, Al-Bassam – "Tflow" – was arrested in London, his final tweet coming four days earlier, as he complained his phone's battery was running out.

On 27 July, Davis – "Topiary" – was arrested. He appeared to know the end was near: on 22 July, he deleted all his tweets but a single one: "You cannot arrest an idea".

While that's true, for the members of LulzSec, real-life arrest was all too possible. Ackroyd's followed in September. Cleary avoided extradition to the US, though the position of Davis is still unclear.
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

[list]✨ ✨ ✨[/list]
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github


Re: The worst Tor "leak" of them all

Post by Guest » Sun Oct 06, 2013 3:51 pm

In this context, I wonder what you guys think about Whonix?

Could you please review this software?


Re: The worst Tor "leak" of them all

Post by Guest » Tue Oct 08, 2013 1:16 am

The whole introduction is about how TOR is not secure if you're not extremely careful, and yet the big mistake of Sabu was... not using TOR.
Then on 7 June 2011, Monsegur, who usually took care to disguise his location by using the Tor system – which anonymises data connections – forgot to use it when logging into an Anonymous chat forum.


Re: The worst Tor "leak" of them all

Post by torrified » Sat Oct 19, 2013 10:06 am

If you don't understand the pitfalls of a tool and/or how to use it, you will FAIL. No matter the tech, full stop. This isn't unique to tor. Tor does have pitfalls that aren't as big of issues for other technology. But then it offers something all but unattainable, the potential for true anonymity. It really is in a class of its own. This has now been privately recognized in now public docs. It deserves its fair share of criticism, but just because a skilled builder hits his hand with a hammer, doesn't mean a hammer isn't the right tool for the job.

Unfortunately, you can FAIL at using Tor perhaps more easily with other products (but by "products" I don't mean equivalent ones, because there really aren't any). This is partly because true, long term anonymity is an extremely hard problem. Even though Tor can take you there, it easy for other tools to trip you up.

However, to "reasonable" applications (not malicious), its *not* that hard. Use "torsocks", and you've generally got a torified which tries to protect you from leaks.

Or just use Tails (, which is basically a VPN into the Tor network (yeah there a quite a few important differences, but its an analogy).

Or for windows users check out Tortilla (, which uses a windows driver for routing everything through Tor. On Linux it easy to do with a couple iptables rules.

Tor definitely should be criticized where it needs it, but for this case something more constructive would be to start a discussion about how to alleviate these usability problems.

I haven't looked much into Whonix, but it seems like a more general purpose Tails. Something to watch for sure.

Blue Moon
Posts: 1
Joined: Wed Jan 14, 2015 5:24 pm

Re: The worst Tor "leak" of them all

Post by Blue Moon » Wed Jan 14, 2015 5:32 pm

It does seem odd that the IAC claims to be "developing" these "enhancements." Not the Tor Project, not "Tor Solutions Group," and not some other party being funded by the IAC/BBG. They, themselves, say they are doing the developing..?
Try out our free examvce and latest comptiaread more training courses to get high flying success in final and exams, mcts College of Notre Dame of Maryland is also very useful tool.

User avatar
Site Admin
Posts: 1275
Joined: Wed Feb 05, 2014 3:47 am

Re: The worst Tor "leak" of them all

Post by parityboy » Wed Jan 14, 2015 7:02 pm


I think there are two main issues with Tor, based on my experience.

1) It's application-based rather than network based. This means that applications have to be coded in order to support interfacing with the local Tor relay and they have to be validated as fail closed when that interface is unavailable. Too many applications fail open when they can't get a local SOCKS connection, or worse yet respect the settings in normal mode and ignore them in private mode (i.e. Rekonq browser). Not only that, but it requires ordinary users to understand the SOCKS settings of every network application they use.

2) As with a VPN, for proper network security it requires the understanding, installation and configuration of a firewall. The majority of users will be on Windows, OS X, Android or iOS. Out of those, OS X is probably the easiest firewall to set up (from what I've seen so far), but it still requires an understanding of what a firewall is and what it does.

Personally, I think the best combination would be to use a VPN for the inital network connection, then layer I2P or Tor over the top to access hidden services or clearnet sites anonymously, after firewalling the VPN of course.