What The Invisible Washington DC TOR Nodes Mean to You

14 04 2007

It has been established before that TOR is not as purely anonymous as you might think. There have been a few well documented anonymity attacks for TOR but none have ever really been considered a “significant risk”.  This latest scare, which I saw pop up on REDDIT and several other social link sharing sites, is actually a collection of data from 2006, which on the net clock is a long time, but it is still alarming.

Excerpt via http://jadeserpent.i2p.tin0.de/tor-dc-nodes-2.txt

Due to the sheer amount of traffic apparently passing through this collusion
network, consolidation and analysis of exit node traffic is only one of several
forms of anonymity attacks made more feasible. Hence these 9 routers appear to
pose a significant anonymity threat to users of the public Tor network.

If that doesn’t scare the pants off you then read the rest of the article (CLICKY).

For those that aren’t well versed in TOR anonymity attacks and other long-winded net speak, I’ll break it down in terms that even I could understand. (And it really did take a bit of research and thinking to figure out what this document was saying in lay terms.)

So here goes my lame ass attempt at explaining it:

There are 9 TOR (The Onion Router) nodes in the Washington DC area that are colluding to route several different types of internet traffic (including ssh). These nodes have been identified as follows: donk3ypunch, TheGreatSantini, mauger, paxprivoso, soprano1, hubbahubbahubba, m00kie, and joiseytor. According to the article, 8 of these nodes are routing all of their traffic to the one node called “alaa”, which is acting as the only node that allows traffic to pass through it, which means that somebody has a significant amount of power to fuck with your privacy … and they live in Washington DC.
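To put numbers on why one operator holding several relays matters, here is an added example (my code, not the post’s and not the Tor project’s) that estimates how much entry and exit capacity a relay family controls and the resulting end-to-end correlation risk. Every relay name, address, bandwidth and family label in it is constructed for illustration.

```python
"""Estimate the end-to-end correlation risk posed by a colluding relay group.
A Tor circuit is entry -> middle -> exit. An operator holding both the entry
and the exit of one circuit sees both ends and can correlate them, so
(share of entry capacity) x (share of exit capacity) approximates the
fraction of circuits that operator can de-anonymise. All data is constructed."""
from collections import defaultdict, namedtuple
from ipaddress import ip_network

Relay = namedtuple("Relay", "nick ip flags bw family")

# Constructed consensus-like rows (not real relays); flags is a subset of
# {"Guard", "Exit"}, bw is advertised bandwidth, family is the assumed operator.
RELAYS = [
    Relay("alpha",   "203.0.113.10", {"Guard", "Exit"}, 3000, "alpha"),
    Relay("beta",    "203.0.113.20", {"Guard"},         3000, "beta"),
    Relay("gamma",   "203.0.113.30", {"Exit"},          3000, "gamma"),
    Relay("delta",   "192.0.2.40",   {"Guard"},         4000, "delta"),
    Relay("epsilon", "192.0.2.50",   {"Exit"},          4000, "epsilon"),
    Relay("dc1",     "198.51.100.1", {"Guard"},         2000, "dc"),
    Relay("dc2",     "198.51.100.2", {"Guard"},         2000, "dc"),
    Relay("dc3",     "198.51.100.3", {"Guard"},         1000, "dc"),
    Relay("dc4",     "198.51.100.4", {"Exit"},          5000, "dc"),
]

def capacity_share(relays, flag, family):
    """Fraction of the bandwidth carrying `flag` that belongs to `family`."""
    eligible = [r for r in relays if flag in r.flags]
    total = sum(r.bw for r in eligible)
    owned = sum(r.bw for r in eligible if r.family == family)
    return owned / total if total else 0.0

def correlation_risk(relays, family):
    """Approximate fraction of circuits with both ends inside `family`."""
    return capacity_share(relays, "Guard", family) * capacity_share(relays, "Exit", family)

def families_over_threshold(relays, threshold):
    """Operators whose correlation risk exceeds `threshold`, sorted by name."""
    return sorted(f for f in {r.family for r in relays}
                  if correlation_risk(relays, f) > threshold)

def relays_by_net16(relays):
    """Group relays by /16 prefix; undeclared co-location hints at a shared operator."""
    groups = defaultdict(list)
    for r in relays:
        net = ip_network(f"{r.ip}/16", strict=False)
        groups[str(net)].append(r.nick)
    return dict(groups)
```

With the constructed table the "dc" family holds a third of both entry and exit capacity, so roughly one circuit in nine has both ends inside it.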

That’s pretty much all I get out of the original article, which makes me want to start using my own ssh tunnel to a private proxy all on its own, but I did some further research.

All the “poses a risk”, “could be”, “maybe” and numerous other qualifiers I found in my google-palooza mean no one really knows if data is actually being collected. So all this info would seem harmless, except according to the PRIVACY ECOSYSTEM BLOG:

We found ourselves [Aug/06] coming from IP Address 149.9.0.27 which is apparently not a Tor node, but given that we were using the Tor network we knew that it must be a Tor node. We could see this was an IP Address owned by PSI (Performance Systems International) and apparently located in Washington, DC in the USA. But the DNS system advises this domain does not exist (status NXDOMAIN) and has no corresponding domain name. Traceroute fails to find 149.9.0.27 as though it is hidden behind some servers in some way we do not yet understand. Traceroute gets as far as Rethem.demarc.congentco.com (also owned and operated by Performance Systems International located in Washington, DC but registered to Cogent Communications) but no further.

Click here for some more info on the “missing” Washington nodes. There’s a huge list of domains that show up as just not existing, except the TOR nodes do in fact exist. The existence of the missing machines (or IP addresses) running these colluding TOR nodes has been established by jadeserpent.i2p.tin0.de in their exhaustively researched paper, which brings us right back to square one:

Due to the sheer amount of traffic apparently passing through this collusion
network, consolidation and analysis of exit node traffic is only one of several
forms of anonymity attacks made more feasible. Hence these 9 routers appear to
pose a significant anonymity threat to users of the public Tor network.

Which is just super.

So what’s the friggin deal, you ask? Why are these machines magically “missing”? What is happening to the data that passes through them?  The resounding answer that I could find, is that nobody knows, not even the people who created and continue to update TOR.

For the meantime, if you want super duper unimpregnable privacy, you’re JWF (jolly well fucked). For what it’s worth, if you’re just using TOR to get past your office firewalls and see the web pages that they have blocked, you’re fine. If you’re using TOR to do some shit that the government might take note of, you may want to use a darknet or some such service that has yet to be compromised. Unfortunately for us poor folk, the only commercial darknet that I can think of is Relakks, a pay service that offers “true” anonymity.

As for everyone else, who just wants music and software, you’re fine. Encrypt your bittorrent traffic, don’t use static IPs, and keep up a strong set of firewalls. Redundancy is your friend when it comes to fairly good privacy.
