
Tag: Tor

NEWS ANALYSIS: The first known attempt to spread ransomware on Macs was quickly spotted and disabled by security researchers and by Apple, but it won't be the last.

The first try at creating ransomware for the Macintosh was a bust, according to a spokesperson at Apple who told eWEEK that the company acted to invalidate the developer certificate tied to the malware to protect users from installing it. The malware was initially found by researchers at Palo Alto Networks, who alerted Apple and Transmission, the project behind the BitTorrent client whose installer was tampered with to spread the malware.

Macintosh users who downloaded the Transmission software can get rid of the malware, now called KeRanger, by downloading the updated version 2.92 of the Transmission installer, which among other things contains code that will find and remove the malware. Meanwhile, Apple updated XProtect, its built-in anti-malware mechanism for the Macintosh, so that it would recognize KeRanger and prevent it from infecting more Macintosh computers.

Of the approximately 6,500 Mac users who downloaded the infected Transmission software, most won't actually have their files encrypted by the malware, nor have to pay the hackers a Bitcoin ransom to get the decryption key, because the embedded payload, a file called General.rtf, won't execute now that its certificate is revoked and XProtect recognizes it. Unfortunately, a few Mac users will have had their files encrypted before the malware was detected and thwarted.

These users will either need to pay to decrypt them or, if they're lucky, restore their files from a backup. The vast majority of Macintosh users dodged the bullet this time, but it's not safe for them to assume that the hackers won't have better luck, and better malware, next time. Then Mac users will find themselves in a situation similar to what Windows users have been dealing with for years.

The only safe approach is to assume that any software you don't personally know to be safe probably isn't. The reason Mac users haven't had to worry about ransomware or other malware until recently isn't that the Macintosh is immune, because it's not.

The reason Macs haven't had a problem is mainly that their market share has been so low that malware writers didn't have the economic incentive to target them.

But that's all changed. As Apple's market share has grown, so has the temptation to create malware, and Apple's XProtect is the first attempt at fighting it.

But XProtect is only a basic, signature-based security package, so it's limited in what it can do against advanced threats.

Fortunately, all of the familiar antivirus packages are also available for your Mac, including software from Symantec, McAfee, Avast, Trend Micro and many others. But ransomware isn't always picked up by antivirus software or by corporate firewalls. What happens then is that you could still end up with your data encrypted and find yourself with no means of getting your work done except to pay the ransom. Unfortunately, the problem is only going to get worse. "This is the first really functional ransomware on the Mac," said Dodi Glenn, vice president of cyber-security for PC Pitstop, a security vendor.
With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware. The incident is believed to be the first Apple-focused attack using ransomware, which typically targets computers running Windows. Victims of ransomware are asked to pay a fee, usually in bitcoin, to get access to the decryption key to recover their files. Security company Palo Alto Networks wrote on Sunday that it found the "KeRanger" ransomware wrapped into Transmission, which is a free Mac BitTorrent client. Transmission warned on its website that people who downloaded the 2.90 version of the client "should immediately upgrade to 2.92." It was unclear how the attackers managed to upload a tampered version of Transmission to the application's website.

But compromising legitimate applications is a commonly used method. "It’s possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred," Palo Alto wrote on its blog. The tainted Transmission version was signed with a legitimate Apple developer's certificate.
If a Mac user's security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple's Gatekeeper that the application could be dangerous. Apple revoked the certificate after being notified on Friday, Palo Alto wrote.

The company has also updated its XProtect antivirus engine. After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server over the Tor network.
It is coded to encrypt more than 300 types of files. The ransom is 1 bitcoin, or about $404. There are few defenses against ransomware.

Antivirus programs often do not catch it, since the attackers frequently make modifications to fool security software. The best method is to ensure files are regularly backed up and that the backup system is isolated in a way that protects it from being infected as well. Disturbingly, KeRanger also appears to try to encrypt files on Time Machine, the backup system built into OS X, Palo Alto wrote. Ransomware schemes have been around for more than a decade, but over the last few years have spiked. At first the attacks struck consumer computers, with the aim of extracting a few hundred dollars.

But it appears attackers are targeting companies and organizations that may pay a much larger ransom to avoid disruption. Last month, a Los Angeles hospital said it paid a $17,000 ransom after saying it was the quickest, most effective way to restore its systems.

The ransomware had affected its electronic medical records. Although Apple's share of the desktop computing market is much lower than Windows, cyberattackers have been showing increasing interest in it.

But so far, ransomware hasn't been a problem, although some researchers have created proof-of-concept file-encrypting malware for Macs. Last November, Brazilian security researcher Rafael Salema Marques published a video showing how he coded ransomware for Mac in a couple of days. He didn't release the source code. Also, OS X security expert Pedro Vilaca posted proof-of-concept code on GitHub for Mac ransomware he wrote, another experiment showing how simple it would be for attackers to target the platform.
If you downloaded 2.90, you've got a few hours to get rid of it
The first "fully functional" ransomware targeting OS X has landed on Macs – after somehow smuggling itself into downloads of the popular Transmission BitTorrent client. Transmission's developers have warned in a notice splashed in red on the app's website that if you fetched and installed an afflicted copy of the software just before the weekend, you must upgrade to a clean version. Specifically, downloads of version 2.90 were infected with ransomware that will encrypt your files using AES and an open-source crypto library, and demand a payment to unscramble the documents. Transmission has millions of active users.
It is possible the app's website was compromised, and the downloads tampered with to include the KeRanger nasty. Those who have had files encrypted will be asked by the malware to cough up US$400 in Bitcoins, paid to a website hidden in the Tor network, to get their files back. "Everyone running [version] 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file," the Transmission authors posted on Sunday. Palo Alto Networks researchers Claud Xiao and Jin Chen found the KeRanger ransomware hidden in the BitTorrent software on Friday, and warned the Transmission team of the infection. The pair and a group of seven others from Palo Alto Networks detected the infiltration hours after miscreants somehow injected the malware into the downloads.

They noted that KeRanger is programmed to encrypt victims' files three days after the infected Transmission client is installed. Mac fans who installed Transmission for OS X 2.90 from the official website between March 4 and March 5 are probably at risk.

Those who upgrade to the latest clean and ransomware-free version of Transmission – version 2.92 – by Monday, 11am PT (7pm UTC) should avoid having their files encrypted. The malicious code has a process name of kernel_service, which can be killed, and it stores its executable in ~/Library/kernel_service, which should be deleted.

The latest safe version of Transmission, v2.92, includes a tool to remove the KeRanger ransomware. "On March 4, we detected that the Transmission BitTorrent installer for OS X was infected with ransomware, just a few hours after installers were initially posted," Xiao and Chen wrote. "As FileCoder (earlier Mac ransomware) was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform. It's possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can't confirm how this infection occurred."

Attackers could potentially alter the ransomware through its command-and-control server so that KeRanger immediately encrypts files rather than lying in wait for a few days. KeRanger was cryptographically signed with an Apple-issued developer certificate, since revoked, so at the time it passed OS X's Gatekeeper checks.

That means that even an OS X system configured to run only software from identified developers would have allowed KeRanger to start, because it carried a valid developer signature; revoking the certificate is what closes that door.

Apple has added the ransomware's signature to OS X's XProtect mechanism, which screens downloads and blocks malicious code. KeRanger also contains other dormant features that could encrypt Mac Time Machine backups, preventing users from restoring their machines.

As an interesting aside, the malware's executable was smuggled in as an .rtf README file within Transmission.
A security research firm announced Sunday its discovery of what is believed to be the world's first ransomware that specifically goes after OS X machines. "This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom," Ryan Olson, of Palo Alto Networks, told Reuters. The KeRanger malware, which imposes a 72-hour lockout window unless the victim pays 1 bitcoin ($410 as of this writing), appears to have been first discovered via a rogue version of Transmission, a popular BitTorrent client. For some time now, ransomware has primarily targeted Windows machines—threatening total data destruction if the ransom isn't paid. Recently, even a Los Angeles hospital was infected, which resulted in the payment of a $17,000 ransom.
In June 2015, the FBI said it had been contacted by 992 victims of CryptoWall, a similar ransomware scheme, who have sustained combined losses totaling over $18 million. On Saturday evening, some Transmission users noticed the strange activity on a discussion board—users concluded that the 2.90 version of Transmission was infected with the ransomware.
It appears that the Transmission website may have been compromised: the infected installer was served over plain HTTP rather than from the primary HTTPS Transmission site. Soon after, Transmission posted this message on its website: "Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file." In a technical analysis, Palo Alto Networks' Claud Xiao and Jin Chen wrote: The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection.
If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network.

The malware then begins encrypting certain types of document and data files on the system.

After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.

Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data. Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4.

Apple has since revoked the abused certificate and updated its XProtect antivirus signatures, and the Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems. Apple did not immediately respond to Ars' request for comment. Palo Alto Networks also added: Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger.
If the Transmission installer was downloaded earlier or downloaded from any third-party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.
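The checks the researchers point to can be scripted from the indicators named in these reports (a process called kernel_service, its executable dropped at ~/Library/kernel_service, and the Mach-O payload that shipped inside the Transmission app disguised as General.rtf). The script below is an added example, not Palo Alto Networks' or the Transmission project's own tooling; the location of General.rtf inside the bundle, Contents/Resources, is an assumption, and the cleanup step is a dry run unless told otherwise.

```python
"""Look for the KeRanger indicators named in the reports above and optionally clean up.

Added example, not Palo Alto Networks' or the Transmission project's tooling.
Indicators from the text: a running process named kernel_service, its executable at
~/Library/kernel_service, and a Mach-O binary shipped inside the Transmission app
bundle under the name General.rtf (the in-bundle path Contents/Resources is assumed).
"""
import os
import shutil
import subprocess

# Magic numbers that open a Mach-O file on disk: 64-bit, 32-bit and "fat" binaries.
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def is_macho(path):
    """True if the file starts with a Mach-O magic number, whatever its extension says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def kernel_service_pids():
    """PIDs of processes named exactly kernel_service (empty if none, or if pgrep is unavailable)."""
    if shutil.which("pgrep") is None:
        return []
    proc = subprocess.run(["pgrep", "-x", "kernel_service"], capture_output=True, text=True)
    return [int(pid) for pid in proc.stdout.split()]


def check_keranger(home, app_path, check_process=True):
    """Return a list of (indicator, detail) tuples; an empty list means nothing was found."""
    findings = []
    dropped = os.path.join(home, "Library", "kernel_service")
    if os.path.exists(dropped):
        findings.append(("dropped_executable", dropped))
    rtf = os.path.join(app_path, "Contents", "Resources", "General.rtf")  # assumed bundle path
    if os.path.exists(rtf) and is_macho(rtf):
        findings.append(("macho_disguised_as_rtf", rtf))
    if check_process:
        for pid in kernel_service_pids():
            findings.append(("running_process", "kernel_service pid %d" % pid))
    return findings


def remove_keranger(findings, dry_run=True):
    """Kill the process and delete the dropped executable. The tampered app itself is not
    repaired here: the fix is upgrading to Transmission 2.92 or later. Returns the actions."""
    actions = []
    for kind, detail in findings:
        if kind == "running_process":
            pid = int(detail.rsplit(" ", 1)[1])
            actions.append("kill %d" % pid)
            if not dry_run:
                os.kill(pid, 9)
        elif kind == "dropped_executable":
            actions.append("rm %s" % detail)
            if not dry_run:
                os.remove(detail)
        elif kind == "macho_disguised_as_rtf":
            bundle = os.path.dirname(os.path.dirname(os.path.dirname(detail)))
            actions.append("upgrade Transmission (bundle %s is tampered)" % bundle)
    return actions


if __name__ == "__main__":
    found = check_keranger(os.path.expanduser("~"), "/Applications/Transmission.app")
    for kind, detail in found:
        print("INDICATOR", kind, detail)
    for action in remove_keranger(found, dry_run=True):
        print("WOULD", action)
    print("clean" if not found else "%d indicator(s) found" % len(found))
```

Run it as is to get a report and a dry-run plan; pass dry_run=False to remove_keranger only after the infected Transmission has been replaced, otherwise the installer can drop the executable again.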
Two sudden leaps in the number of advertised "hidden services" on Tor have led to rampant speculation about the cause of them.

In recent weeks, the number of "hidden services"—usually Web servers and other Internet services accessible by a ".onion" address on the Tor anonymizing network—has risen dramatically.

After experiencing an earlier spike in February, the number of hidden services tracked by Tor spiked to 114,000 onion addresses on March 1.

They then dropped just as quickly, falling to just below 70,000 hidden services seen by Tor on Thursday—still twice the number that Tor had held steady at for most of 2015. "We don't know what's causing this," said Kate Krauss, the director of communications and public policy for the Tor Project. "But it's not difficult for even one person—a researcher, for instance—to create a lot of new onion addresses—which is not the same as actual websites or services.
In fact, we want the process of creating onion addresses to be as easy as possible to encourage the creation of more onion services.

These spikes are typically temporary—and as you see from the chart, this one is already going away." Still, there has never been this sort of wild gyration in the number of addresses in recent times—or at least as far back as the Tor Project has kept metric data.
So what caused the sudden near-tripling of the size of Tor's hidden Web and its rapid contraction? Based on a deeper look at Tor's metrics and discussions with both Tor developers and security experts, the huge spike in the "size" of the hidden Web within Tor was likely caused by a perfect storm of coincidences: major Internet censorship events in at least two countries, the relatively rapid adoption of a new messaging tool, a malware explosion, and ongoing attempts to undermine the privacy of the network.

Tor's hidden Web
Hidden service addresses are 16-character "names" that are generated automatically when the service is created: the address is derived from the service's public key (a truncated hash of the key, encoded in base32), so it cannot simply be chosen.
It's possible to create "vanity" onion addresses by basically throwing computing power at the key creation process, generating key pairs until one hashes to an address that is human-readable.

For example, Facebook's Tor-facing hidden service address is https://facebookcorewwwi.onion/. Multiple onion addresses can be hosted on the same server, so there isn't a one-to-one relationship between the number of onion addresses and the number of servers connected to Tor. Most Tor users never create a hidden service of their own.
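For readers who want to see how an address follows from a key, here is an added example (not Tor Project code) that derives a 16-character address the way the hidden-service protocol of this era does, base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key, and then brute-forces a vanity prefix by generating keys until one fits. The RSA key generation is a minimal teaching version written for the example and must not be used to run a real service.

```python
"""Derive a 16-character .onion address from an RSA public key, then brute-force a vanity prefix.

Added example, not Tor Project code. Addresses of this era are
base32(SHA-1(DER(RSAPublicKey))[:10]) in lower case. The RSA key generation is a
minimal teaching implementation (Miller-Rabin, no side-channel hardening) written
for this example and must not be used to run a real service.
"""
import base64
import hashlib
import math
import secrets

SMALL_PRIMES = [p for p in range(3, 1000) if all(p % q for q in range(2, int(p ** 0.5) + 1))]
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then `rounds` Miller-Rabin witnesses."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits=1024, e=65537):
    """Return (n, e, d); Tor hidden-service identity keys of this era were 1024-bit RSA."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER; a leading zero keeps values with the top bit set positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def onion_address(public_key_der):
    """First 80 bits of SHA-1 over the DER key, base32: 16 characters without the .onion suffix."""
    digest = hashlib.sha1(public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def vanity_search(prefix, bits=1024, max_tries=None):
    """Generate keys until the address starts with `prefix`; expected cost is 32**len(prefix) keys.
    Returns (address, (n, e, d), tries)."""
    if not prefix or not set(prefix) <= B32_ALPHABET:
        raise ValueError("prefix must be non-empty and use the base32 alphabet a-z2-7")
    tries = 0
    while max_tries is None or tries < max_tries:
        key = generate_rsa_keypair(bits)
        tries += 1
        address = onion_address(rsa_public_key_der(key[0], key[1]))
        if address.startswith(prefix):
            return address, key, tries
    raise RuntimeError("no address with prefix %r within %d keys" % (prefix, max_tries))


if __name__ == "__main__":
    address, _, tries = vanity_search("t")
    print("%s.onion found after generating %d keys" % (address, tries))
```

The expected cost grows by a factor of 32 per character of prefix, which is why a name like facebookcorewwwi is found by a mix of brute force and luck: the first eight characters are searched for, and the tail is chosen from among the candidates that turn up.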

They generally use Tor for anonymous access to sites on the open Internet or to access hidden sites provided by others. However, the fluctuation in the number of onion addresses may partially be due to the adoption of Ricochet, a Tor-based messaging application.

The latest version of Ricochet posted on February 15, just as the first bump in hidden services began. To function, Ricochet creates a hidden service on the user's computer.
It doesn't create an onion address, but it does create its own hidden service identifier to allow clients to find each other across Tor.

The service periodically connects to those of the user's contacts to determine if the user is online and to send messages. "Ricochet users are included in the 'onions seen' metric," Ricochet maintainer John Brooks told Ars in an e-mail.

Because of the distributed nature of Ricochet—it uses no centralized server—Brooks said he had no real figures on how many users the software had. "I would be surprised if these changes were related to Ricochet," he added, "but it certainly could be a contributor." While it may have added to the growth, it's unlikely that Ricochet was responsible on its own for the massive spike in hidden services from February 26 to March 1; the amount of hidden services traffic over that period doesn't reflect a surge in Ricochet use or in any hidden services, for that matter.

Censorship events and other things
Elections in Uganda and Iran, and accompanying Internet censorship by the governments of both countries, roughly matched the period of growth in hidden services.

Tor traffic out of Uganda spiked in mid-February as a result of the government blocking social media sites, and Tor traffic using bridges from Iran rose dramatically during elections there last week—though it had been on the rise for much of the last three months.

[Charts: the election-week spike in Tor traffic from Uganda, where the government blocked access to social media as a "security measure"; direct Tor traffic from Iran dropping off in the run-up to last week's elections while traffic via Tor bridges, designed to evade Iran's blocks, grew; a dip in the number of relays offering the hidden services directory as the surge in traffic began; hidden services traffic growing, but not significantly in comparison to the number of hidden services created.]

However, the rise in bridge traffic in Iran corresponds to a drop in direct traffic to Tor from that country, as Iran apparently moved to block direct Tor connections.

And even if all of those users—3,000 at the peak in Uganda, and 3,500 at the peak a week later in Iran—created hidden services, that wouldn't alone account for the surge. Also, the Tor network's statistics show no accompanying spike in traffic to hidden services.
So it seems something was creating a massive number of new services that attracted little traffic. That suggests some likely reasons for the weeklong surge in new onion sites spotted by Tor's directory: some sort of bot or "darknet" service creating new sites, or an effort to break Tor's relays by overwhelming them with new directory data. Remember that a single server can have multiple onion addresses associated with it, pointing to different webpages or other applications.

And there are a number of underground services used by criminals that generate onion pages.

Tor has been a favorite command-and-control platform for cryptographic ransomware such as CryptoWall. Many ransomware variants have used Tor sites to transfer the private keys used to encrypt the files of victims and to collect payments, and some ransomware tools are offered as a subscription service to would-be criminals, automatically generating onion addresses associated with each "customer." And there have been other episodes of malware generating spikes in hidden services—but not to this degree. Of course, the spike also drove rampant speculation that it was an attempt by a government agency to somehow compromise Tor's hidden services or to knock Tor relays (the servers that route Tor traffic through the anonymizing network) offline.

A spike in hidden services might have been intended to fill the memory allocated for tracking them on Tor relays, causing them to crash. One Tor relay operator reported on Reddit, "I run a Tor relay, which has the HSDir flag, and my relay crashed a few times while someone was publishing a large amount of hidden service descriptors. Has anyone else had problems like this? If someone found a vulnerability in how published hidden service descriptors are handled, someone might be trying to mass exploit every Tor relay with the HSDir [hidden services directory] flag." Some other relay operators reported similar issues, and there was a drop in the number of relays running the hidden services directory. "It's not a botnet," another poster on the "onions" subreddit posted. "I think we'll be reading about more hidden server raids in a few months."
'Sybil' nodes could be used to de-anonymise traffic
The Tor Project is working with Princeton University boffins to try to identify possibly malicious nodes and prevent them from harvesting traffic by gaming its node reputation system. Tor's directory authorities assess relays and publish an hourly consensus carrying each relay's reputation flags, but the researchers from Princeton and the Tor Project believe the network isn't sufficiently protected against "Sybil attacks". In a Sybil attack (named after the Flora Schreiber book about dissociative identity disorder), a single individual controls multiple accounts to game a reputation system.
In the case of Tor, gaming the system would let an attacker attract traffic to nodes they control – and that gives the attacker more traffic to observe (for example, to try to de-anonymise users). Tor already tries to remove malicious Sybils from the network (not all of them are attackers), but a false positive is costly, because it removes bandwidth from the network. However, the paper (by Princeton and Karlstad University's Philipp Winter, Roya Ensafi and Nick Feamster of Princeton, and the Tor Project's Karsten Loesing) notes that to get rid of dangerous nodes, the network needs ways to identify them. A miscreant, the authors say, can also use Sybils to snoop on exit traffic (for credential collection), fingerprint websites users are connecting to, and harvest bridge addresses (which undermines Tor's potential to circumvent censorship). The boffins trained their main tool, called "sybilhunter", on historical network data about the Tor consensus (that is, the output of its reputation system), and turned up some interesting results, including: Rewrite Sybils – these hijacked Bitcoin transactions by rewriting their Bitcoin addresses; Redirect Sybils – these also attacked Bitcoin users, by redirecting them to an impersonation site; FDCservers Sybils – associated with the CMU deanonymisation research later subpoenaed by the FBI; Botnets of Sybils – possibly misguided attempts to help drive up usage; Academic Sybils – they observed the Amazon EC2-hosted nodes operated by Biryukov, Pustogarov, and Weinmann for this 2013 paper; and the LizardNSA attack on Tor (http://www.theregister.co.uk/2014/12/27/tor_lizard_squad_sybil_attack/). The paper notes that sybilhunter isn't a complete answer to the problem.
It can't assess the motivations behind Sybils, and some fingerprints it misses are picked up by other tools, such as Exitmap.
So the Tor Project is advised to use “diverse and complementary tools” to protect the network. Manual work is needed as well, and can provide important context to distinguish harmless and malicious Sybils: “Sybils that are (i) operated in “bulletproof” ASes, (ii) show signs of not running the Tor reference implementation, or (iii) spoof information in their router descriptor all suggest malicious intent”, they say. They hope to create a crowd-sourced sybilhunter: “We are also working with The Tor Project on incorporating our techniques in Tor Metrics, a web site that contains network visualisations, which are frequented by numerous volunteers that sometimes report anomalies.

By incorporating our techniques, we hope to benefit from “crowd-sourced” Sybil detection.” The code for sybilhunter is available online.
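To make the three signals concrete, here is an added toy example, not sybilhunter's code, that scores constructed consensus-style relay records: relays whose descriptors are near-identical across the same /24 are grouped as a candidate Sybil set, and each relay collects a reason for sitting in a bulletproof AS, reporting a platform string that is not the reference implementation, or advertising far more bandwidth than was measured for it. The relay records, the AS list and the thresholds are invented for the example.

```python
"""Rank relays by Sybil-likeness from consensus-style descriptor records.

Added illustrative example: not sybilhunter, only a small re-implementation of the
kind of signals the article describes. The relay records, the "bulletproof" AS list
and the thresholds are all constructed for this example.
"""
from collections import defaultdict

BULLETPROOF_ASES = {"AS64500", "AS64501"}   # constructed: private-use AS numbers stand in for a curated list
REFERENCE_PLATFORM = "Tor 0."                # platform strings of the reference implementation start this way
SPOOF_RATIO = 20.0                           # advertised/measured bandwidth ratio treated as descriptor spoofing


def relay(fp, nick, ip, asn, platform, contact, first_seen, adv_bw, meas_bw):
    return dict(fp=fp, nick=nick, ip=ip, asn=asn, platform=platform, contact=contact,
                first_seen=first_seen, adv_bw=adv_bw, meas_bw=meas_bw)


# Constructed sample: one honest relay, a group of four near-identical relays that
# appeared together in a bulletproof AS, a bandwidth spoofer and a non-reference client.
TOR = "Tor 0.2.7.6 on Linux"
RELAYS = [
    relay("A1", "honestrelay", "198.51.100.7", "AS64496", TOR, "ops@example.net", "2016-02-01", 5000, 4200),
    relay("B1", "node01", "203.0.113.11", "AS64500", TOR, "", "2016-02-26", 1000, 900),
    relay("B2", "node02", "203.0.113.12", "AS64500", TOR, "", "2016-02-26", 1000, 900),
    relay("B3", "node03", "203.0.113.13", "AS64500", TOR, "", "2016-02-26", 1000, 900),
    relay("B4", "node04", "203.0.113.14", "AS64500", TOR, "", "2016-02-26", 1000, 900),
    relay("C1", "fastexit", "192.0.2.200", "AS64496", TOR, "", "2015-11-03", 100000, 800),
    relay("D1", "weird", "192.0.2.99", "AS64502", "NotTor 1.0", "", "2016-01-10", 2000, 1900),
]


def slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


def group_key(r):
    """Descriptor fields that a bulk-deployed Sybil set tends to share verbatim."""
    return (slash24(r["ip"]), r["platform"], r["contact"], r["first_seen"], r["adv_bw"])


def find_sybil_groups(relays, min_size=3):
    """Map fingerprint -> fingerprints of its group, for groups of at least min_size relays."""
    buckets = defaultdict(list)
    for r in relays:
        buckets[group_key(r)].append(r["fp"])
    return {fp: fps for fps in buckets.values() if len(fps) >= min_size for fp in fps}


def suspicion(r, groups):
    """Reasons this relay looks like a malicious Sybil; an empty list means nothing was found."""
    reasons = []
    if r["fp"] in groups:
        reasons.append("sybil group of %d" % len(groups[r["fp"]]))
    if r["asn"] in BULLETPROOF_ASES:
        reasons.append("bulletproof AS %s" % r["asn"])
    if not r["platform"].startswith(REFERENCE_PLATFORM):
        reasons.append("non-reference platform %r" % r["platform"])
    if r["meas_bw"] and r["adv_bw"] / r["meas_bw"] >= SPOOF_RATIO:
        reasons.append("advertised bandwidth %dx measured" % (r["adv_bw"] // r["meas_bw"]))
    return reasons


def rank_relays(relays):
    """(fingerprint, reasons) pairs, most suspicious first; relays with no reasons come last."""
    groups = find_sybil_groups(relays)
    scored = [(r["fp"], suspicion(r, groups)) for r in relays]
    return sorted(scored, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for fp, reasons in rank_relays(RELAYS):
        print(fp, "; ".join(reasons) or "no indicators")
```

Each reason is a lead for the manual review the paper says is still needed, not a verdict: an operator who runs four relays from one rack with the same contact line will match the grouping heuristic too, which is exactly the false positive that costs the network bandwidth if acted on blindly.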
Study finds it's not just CDNs to blame for anti-privacy drive
Computer scientists have documented how a large and growing number of websites discriminate against people who browse them using Tor. Tor is an anonymity service that is maintained with assistance from the US State Department and designed in part to allow victims of censorship in countries like China and Iran to surf the web. New research shows how corporations are discriminating against Tor users, in some cases partly because it's harder to classify anonymous users for the purpose of pushing ads at them. Many websites block access from the Tor network, either deliberately or because they are reacting to malicious traffic originating from the Tor network. One particular problem is that content distribution networks (CDNs) like CloudFlare are used by many popular websites and these very often block Tor users, occasionally to the surprise of website operators who enabled CloudFlare. A (heated) discussion thread on the Tor website, involving Cloudflare staff, can be found here.

El Reg's interview with CloudFlare boss Matthew Prince on the controversy can be found here. But the issue extends far beyond CloudFlare and affects surfers visiting popular websites using anonymisation software much more generally.

You're not getting in with jeans
Tor users face various annoyances in their web browsing experience in general, ranging from pages saying "Access denied" to having to solve CAPTCHAs before continuing.

These hurdles disappear if the same website is accessed without Tor. The growing trend of websites extending this kind of “differential treatment” to anonymous users undermines Tor’s overall utility, and adds to the traditional threats to Tor, such as attacks on user privacy, or governments blocking access to Tor, etc. Computer scientists tried to quantify these problems and answer related questions such as how prevalent anti-Tor discrimination might be and whether there is any pattern in where these Tor-unfriendly websites are hosted (or located). To answer these questions, researchers conducted comprehensive network and application layer measurements in order to log websites that block Tor.

The researchers scanned the entire IPv4 address space on port 80 from Tor exit nodes before fetching the homepage from the most popular 1,000 websites from all Tor exit nodes. Measurements from this exercise were compared with a baseline from non-Tor control measurements. The experiment uncovered what the boffins describe as “significant evidence of Tor blocking”.

At least 1.3 million IP addresses that would otherwise allow a TCP handshake on port 80 block the handshake if it originates from a Tor exit node.

The researchers also found at least 3.67 per cent (or more than one in 30) of the most popular 1,000 websites block Tor users at the application layer. A paper (pdf), Do You See What I See? Differential Treatment of Anonymous Users, was presented this week at the Network and Distributed System Security Symposium (NDSS) conference in San Diego, USA.

Computer scientists from the University of Cambridge, University College London, University of California, Berkeley and International Computer Science Institute (Berkeley) collaborated in putting together the study. University of Cambridge doctoral candidate Sheharbano Khattak summarises the researchers' findings in a post on the University of Cambridge Computer Laboratory Security Group's Light Blue Touchpaper blog here. Khattak explains that the researchers identified CloudFlare, Amazon Web Services and Akamai as dominant Tor blockers, "highlighting the amplified blocking effect such centralised web services may create when their Tor-unfriendly policy trickles down to thousands of their client websites." "We think that some of this blocking is caused by blacklists that include Tor exit nodes, yet other instances likely arise when abuse generated from Tor exit nodes trigger automated blocking mechanisms on websites," she writes. Researchers view the process of quantifying problems faced by Tor users and identifying websites that treat traffic from the Tor network differently as the first step in driving change.

Engaging with major players on the web such as CloudFlare in order to brainstorm possible solutions ought to be the next stage in the process, according to researchers. ISPs as well as content delivery networks are also part of the problem but making progress on that front may be difficult, Khattak warns. "There is not much we can do in the case of entities such as ISPs and countries that preemptively block all Tor exit nodes as a matter of policy, beyond some alleviation in the form of awareness campaigns to highlight the problem (such as, Tor’s “Don’t Block Me” initiative)," she writes. "With abuse-based blocking, we need solutions to enable precise filtering beyond IP address blocking of Tor exit nodes, so that benign Tor users don’t have to suffer from the abusive actions of other Tor users sharing the same exit node."
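As an added illustration of the measurement logic described above, not the paper's own code: given a control fetch of a site from an ordinary host and fetches of the same site from several Tor exits, the classifier below separates handshake-level blocking of every exit (the 1.3 million IP addresses that refuse the TCP connection), application-level blocking of every exit (a 403 or a CAPTCHA page), and blocking of only some exits, which is what abuse-triggered, per-exit blacklisting looks like. The measurements, field names and thresholds are constructed for the example.

```python
"""Classify Tor blocking from paired measurements: one control vantage point vs several Tor exits.

Added illustrative example, not the NDSS paper's measurement code. The records below
are constructed; the field names and classification rules are this example's own.
"""

CAPTCHA_MARKERS = ("captcha", "access denied", "attention required")

# Constructed measurements. Each target was fetched once from a non-Tor control host and
# once from each of several Tor exits; "tcp" records whether the port-80 handshake completed.
MEASUREMENTS = [
    {"target": "open.example", "control": {"tcp": True, "status": 200, "body": "welcome"},
     "exits": [{"exit": "E1", "tcp": True, "status": 200, "body": "welcome"},
               {"exit": "E2", "tcp": True, "status": 200, "body": "welcome"},
               {"exit": "E3", "tcp": True, "status": 200, "body": "welcome"}]},
    {"target": "netblock.example", "control": {"tcp": True, "status": 200, "body": "welcome"},
     "exits": [{"exit": "E1", "tcp": False, "status": None, "body": ""},
               {"exit": "E2", "tcp": False, "status": None, "body": ""},
               {"exit": "E3", "tcp": False, "status": None, "body": ""}]},
    {"target": "cdn.example", "control": {"tcp": True, "status": 200, "body": "welcome"},
     "exits": [{"exit": "E1", "tcp": True, "status": 403, "body": "Attention Required! ... CAPTCHA"},
               {"exit": "E2", "tcp": True, "status": 403, "body": "Attention Required! ... CAPTCHA"},
               {"exit": "E3", "tcp": True, "status": 403, "body": "Attention Required! ... CAPTCHA"}]},
    {"target": "abuse.example", "control": {"tcp": True, "status": 200, "body": "welcome"},
     "exits": [{"exit": "E1", "tcp": True, "status": 200, "body": "welcome"},
               {"exit": "E2", "tcp": True, "status": 403, "body": "Access denied"},
               {"exit": "E3", "tcp": True, "status": 200, "body": "welcome"}]},
    {"target": "down.example", "control": {"tcp": False, "status": None, "body": ""},
     "exits": [{"exit": "E1", "tcp": False, "status": None, "body": ""}]},
]


def looks_blocked(resp, control):
    """True if an exit's response differs from the control in a way that reads as a block."""
    if not resp["tcp"]:
        return True
    if resp["status"] != control["status"] and resp["status"] in (403, 429, 503):
        return True
    return any(marker in resp["body"].lower() for marker in CAPTCHA_MARKERS)


def classify(record):
    """One of: inconclusive, ok, network_block, application_block, partial_block."""
    control, exits = record["control"], record["exits"]
    if not control["tcp"] or control["status"] != 200:
        return "inconclusive"            # the site was not reachable from the control either
    if all(not r["tcp"] for r in exits):
        return "network_block"           # handshake refused from every exit: IP-level blacklist
    blocked = [r for r in exits if looks_blocked(r, control)]
    if not blocked:
        return "ok"
    if len(blocked) == len(exits):
        return "application_block"       # every exit gets a 403/CAPTCHA page: policy-level block
    return "partial_block"               # only some exits: likely abuse-triggered, per-exit blocking


def summarize(records):
    """Per-class counts plus the share of conclusive targets that block Tor in some form."""
    counts = {}
    for rec in records:
        cls = classify(rec)
        counts[cls] = counts.get(cls, 0) + 1
    conclusive = sum(v for k, v in counts.items() if k != "inconclusive")
    blocking = sum(v for k, v in counts.items() if k.endswith("block"))
    return counts, (blocking / conclusive if conclusive else 0.0)


if __name__ == "__main__":
    for rec in MEASUREMENTS:
        print("%-18s %s" % (rec["target"], classify(rec)))
    counts, share = summarize(MEASUREMENTS)
    print(counts, "share of conclusive targets blocking Tor: %.1f%%" % (100 * share))
```

The partial_block class is the one Khattak's closing remark is about: a site that blocks one exit because of abuse seen from it, but not the others, is a candidate for finer-grained filtering, whereas network_block across every exit is the policy-level blacklist that awareness campaigns are aimed at.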
The university refused to confirm the rumors when they surfaced last fall.
Computer scientists at Carnegie Mellon University (CMU) were indeed behind a hack of the Tor project, according to court documents filed yesterday, Vice News reports. The revelation comes several months after the university denied reports that its Software Engineering Institute (SEI) was paid by the FBI to identify criminal suspects. SEI's carefully worded statement, however, only denied receiving money for cooperating with "lawfully issued subpoenas." It did not directly address whether it hacked the Tor network at the behest of the FBI in order to uncover the identities of the people behind Silk Road 2.0. One of those suspects is Brian Farrell, who is charged with conspiracy to distribute cocaine, heroin, and methamphetamine via Silk Road 2.0.

An order filed yesterday in the case specifically names SEI as the organization that identified Farrell's IP address. "Farrell's IP address was observed when SEI was operating its computers on the Tor network," the filing reads. "This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU." The Tor project, which provides free anonymity software to conceal Internet users' location and browsing activities, accused CMU of attacking it last November.
In a blog post, Tor representatives accused researchers from the university of accepting $1 million from the FBI to identify Tor users. While the issue of the money is still up in the air, SEI came under suspicion for the Tor hack because SEI researchers were scheduled to give a presentation at Black Hat 2014 about weaknesses within the Tor network.

That presentation was cancelled on the eve of the conference with little explanation.

The description of the talk, however, "bore a startling resemblance" to the attack on Tor, Vice said at the time. Yesterday's order largely denies a motion filed by Farrell's defense lawyers, who are attempting to uncover more details about the relationship between law enforcement agencies and Carnegie Mellon. The Department of Defense renewed a contract with SEI last summer worth up to $1.73 billion.

The university says its institute is the only federally funded research center to focus on "software-related security and engineering issues." CMU, the Department of Defense, the FBI, and Farrell's defense team did not immediately respond to PCMag's requests for comment.

But CMU told Vice that it is not commenting beyond its November statement.
A federal judge in Washington has now confirmed what has been strongly suspected: that Carnegie Mellon University (CMU) researchers at its Software Engineering Institute were hired by the federal government to do research into breaking Tor in 2014.

The judge also made a notable statement in his court order that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network." However, some of the details that Tor alleged previously seem to be wrong: the research was funded by the Department of Defense, not the FBI.

Tor Project Director Shari Steele told Ars earlier this year that the organization still couldn't get straight answers from CMU.

According to the judge, that research was then subpoenaed by federal investigators. The Tor Project did not immediately respond to Ars' request for comment. Meanwhile, Kenneth Walters, a CMU spokesman, refused to answer Ars' questions, referring us only to the university's last statement, from November 2015, which hinted that the university had been served with a subpoena. The revelation, which was first reported by Vice Motherboard, came out as part of the ongoing criminal case against Brian Farrell, allegedly one of Silk Road 2.0's top administrators.

CMU's research enabled investigators to find him.

Farrell was arrested over a year ago in Washington state—his trial is scheduled for April 25, 2016, to be held in federal court in Seattle. The Tuesday court order by US District Judge Richard Jones was in response to a still-sealed motion to compel discovery filed by Farrell.

According to Judge Jones, "the defendant seeks to compel disclosure of additional material pertaining to the relationship between SEI and federal law enforcement and the methods used by SEI to identify the defendant’s IP address." In the order, the judge seems to suggest that even though Farrell took measures to protect his privacy, his actual IP address—which was what betrayed him and made it trivial for law enforcement to find him—was not in and of itself private. Judge Jones wrote: In the instant case, it is the Court’s understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers.

Again, according to the parties’ submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network.
In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.

The paper shredder precedent?

Orin Kerr, a law professor at George Washington University, told Ars that the court's analysis here is "right, although the application of that idea depends on how the surveillance occurred." He suggested that Ars examine a 1992 case decided in the 1st Circuit Court of Appeals, which found that just because someone takes steps to protect privacy, it doesn't necessarily mean that they continue to have a "reasonable expectation of privacy." That case, US v. Scott, involved a man suspected of tax fraud by the Internal Revenue Service.

The man used a paper shredder to destroy some documents, which were then picked up as garbage by investigators, "which when painstakingly pieced together produced incriminating evidence." Scott challenged the collection of his trash, arguing that because he had "manifested an objectively reasonable expectation of privacy in the shredded remnants" that the evidence should be suppressed. He won on this argument at the district court level but then lost on appeal. The 1st Circuit found in that case: What we have here is a failed attempt at secrecy by reason of underestimation of police resourcefulness, not invasion of constitutionally protected privacy.

There is no constitutional protection from police scrutiny as to information received from a failed attempt at secrecy. … Appellee here thought that reducing the documents to 5/32 inch pieces made them undecipherable.
It turned out he was wrong. He is in no better position than the citizen who merely tears up a document by hand and discards the pieces into the sidewalk.

Can there be any doubt that the police are allowed to pick up the pieces from the sidewalk for use of the contents against that person? Should the mere use of more sophisticated "higher" technology in attempting destruction of the pieces of paper grant higher constitutional protection to this failed attempt at secrecy? We think not.

There is no constitutional requirement that police techniques in the detection of crime must remain stagnant while those intent on keeping their nefarious activities secret have the benefit of new knowledge. However, not all legal scholars agree on this point. Neil Richards, a law professor at Washington University in St Louis, said that the question of a "reasonable expectation of privacy" for Internet users is "an open one." The so-called third-party doctrine, which stemmed from the 1979 Supreme Court decision Smith v. Maryland, found that telephone users do not have a privacy interest in the phone numbers that they dial, as the phone company has access to them. "Law enforcement have argued that this sharing rationale applies to all Internet and digital data held by third parties—ISPs, e-mail providers, fitness trackers, cloud storage providers, etc," Richards told Ars. "The strong form of this argument is nonsense. Law enforcement in the past also argued that they didn't need warrants to open mail or tap telephones, and ultimately lost on both counts.

The Supreme Court hasn’t ruled on e-mail yet, but lower courts require a warrant for e-mail, and the Supreme Court has made clear in recent cases that a majority of Justices are very concerned about digital privacy and are eager to extend the Fourth Amendment to that, just like they did for telephone calls in the 1960s." Mark Rumold, an attorney with the Electronic Frontier Foundation, concurred. "The expectation of privacy analysis has to change when someone is using Tor," he said. "Rotely applying precedent leads to bad results, like courts finding that someone 'clearly' lacks a privacy interest in their IP address, even though they're using technology specifically designed to protect that privacy interest."
About 1.3 million IP addresses—including those used by Google, Yahoo, Craigslist, and Yelp—are turning users of the Tor anonymity network into second-class Web citizens by blocking them outright or degrading the services offered to them, according to a recently published research paper. Titled "Do You See What I See? Differential Treatment of Anonymous Users," the paper said 3.67 percent of websites in the Alexa 1,000 discriminated against computers visiting with known Tor exit-node IP addresses.
In some cases, the visitors are completely locked out, while in others users are required to complete burdensome CAPTCHAs or are limited in what they can do.

The authors said the singling out was an attempt by the sites to limit fraud and other online crime, which is carried out by a disproportionately high percentage of Tor users.
In the process, law-abiding Tor users are being treated as second-class Web citizens. "While many websites block Tor to reduce abuse, doing so inadvertently impacts users from censored countries who do not have other ways to access censored Internet content," the authors wrote.

In many cases, the degraded experience is automatically carried out by content delivery networks, which help individual websites to distribute content and block malicious users. One of the best-known CDNs, CloudFlare, assigns a reputational score to visiting IP addresses and if it's too low will require end-users to complete a CAPTCHA designed to prove they're a human rather than a malicious script. On a support page, CloudFlare says it doesn't specifically target Tor users, but it goes on to say that "due to the behaviour of some individuals using the Tor network (spammers, distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes generally earn a bad reputation."

The paper's findings have touched off a long and often heated discussion between Tor advocates and representatives of CloudFlare. Websites that use CloudFlare competitor Akamai, meanwhile, often block Tor users outright with a 403 error that can't be bypassed. While Google and Yahoo don't block Tor users outright, some of their pages or services aren't available to visitors using Tor IP addresses. One site that's not mentioned at all in the paper is Facebook.
In 2014, the social network became available as a hidden service.

Facebook also tweaked its fraud-detection algorithms to improve the experience of Tor users. The paper exposes the tension between site security and access to information and anonymity, particularly by those in repressive countries that censor content or closely monitor citizens' Web browsing. "Anonymous communication on the Internet is a critical resource for people whose access to the Internet is restricted by governments," the authors wrote. "However, the utility of anonymity networks is threatened by services on the Internet that block or degrade requests from anonymous users."
The Internet is becoming harder to browse for users of Tor, the anonymity network that provides greater privacy, according to a new study. The blame can be placed largely on those who use Tor, short for The Onion Router, for spamming or cyber attacks.

But the fallout means that those who want to benefit from the system's privacy protections are sometimes locked out. Researchers scanned the entire IPv4 address space and found that 1.3 million IP addresses will not accept a connection coming from a known Tor exit node.

Also, some 3.67 percent of Alexa's top 1000 websites will block Tor users at the application level. It results in Tor users "effectively being relegated to the role of second-class citizens on the Internet," they wrote. "Anonymous communication on the Internet is a critical resource for people whose access to the Internet is restricted by governments," the paper reads. "However, the utility of anonymity networks is threatened by services on the Internet that block or degrade requests from anonymous users." Tor is a network of volunteer-run relays that provides greater privacy by encrypting a person's browsing traffic in layers and routing it through a chain of relays chosen by the client, so that no single relay sees both who the user is and which site they are visiting.

The project was started by the U.S. Naval Research Laboratory although it is now maintained by the nonprofit Tor Project. The usual way to use Tor is the Tor Browser, a modified version of Firefox bundled with the Tor client. When a person visits a website, the website only sees the IP address of the so-called Tor "exit node" server, the last relay in the chain, which could be anywhere in the world. The problem is that while Tor is used by people looking to safeguard their privacy, it's also used by cyber attackers to mask their activities. Because of that, some companies that provide specialized and attack-resistant content delivery systems have either blocked or made it difficult for those using Tor to access services, the researchers wrote. CloudFlare, a large content delivery service, does not explicitly block Tor users, but it does assign a reputation score to every visiting IP address, and Tor exit nodes, whose addresses are shared by all of their users, tend to accumulate bad scores.
If an IP address has a poor reputation, visitors that have come through via that flagged exit node might see a CAPTCHA, the jumbled text that users have to solve before proceeding. The Tor Project has a list of commonly seen blocking messages, including one from Akamai, another large content delivery service.

Craigslist and Yelp also appear to have their own custom detection algorithms to limit Tor users. Google and Yahoo do not block Tor for search, but the researchers noticed that some pages and functions within those sites were blocked. "While many websites block Tor to reduce abuse, doing so inadvertently impacts users from censored countries who do not have other ways to access censored Internet content," they wrote. The paper was authored by Sheharbano Khattak, David Fifield, Sadia Afroz, Mobin Javed, Srikanth Sundaresan, Vern Paxson, Steven J. Murdoch and Damon McCoy.
Bar to 'malicious attack traffic' may be lowered

Tor users crying over CloudFlare's CAPTCHAs will soon be able to put away their onions, the company has suggested. CloudFlare's CEO, Matthew Prince, told The Register that he would love to create a no-more-tears system allowing the network's legitimate users to access websites without being hit by buggy Turing tests, while also protecting his customers' sites from abuse. Tor, which allows individuals to use the internet without spaffing identifying information at the TCP/IP level, is highly prized by privacy activists.
It unfortunately also provides miscreants with a valuable layer of protection, with their use of it allegedly accounting for more than 90 per cent of the network's traffic. While definitive figures on the degree to which the network is used abusively are unavailable, its supporters have complained that CloudFlare – which provides CDN and/or DNS services for over a million websites – has allowed those customers to implement CAPTCHAs which are purposefully designed to hamper Tor users' anonymous access to the web. CloudFlare has always denied this.

An FAQ on its support site states that the company “does not actively block visitors who use the Tor network.” It adds, however, that “due to the behaviour of some individuals using the Tor network (spammers, distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes generally earn a bad reputation.” As such, CloudFlare's basic protection level – which is set by customers – issues “CAPTCHA-based challenges to visitors whose IP address has a high threat score.” Prince told The Register: “You have to acknowledge the complaints that Tor users have.
It's made browsing the internet much more difficult for Tor users, and we hate that.” The CEO is not alone in hating it.
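The mechanism described by CloudFlare's FAQ above, and in the Ars and IDG pieces earlier on this page, is a per-IP threat score (high means bad) that triggers a CAPTCHA once it crosses a customer-set protection level; later in this article Prince says customers will be able to apply their own whitelist or blacklist rules to Tor exit nodes. The following is an added example in Python of that decision logic, written for this page and not CloudFlare's or Akamai's code. The exit-node list, threat scores, request log, threshold and policy names are all constructed assumptions for illustration; a real deployment would fetch the exit list from the Tor Project's exit-address service and refresh it often.

```python
"""Reputation-gated access decisions with per-site rules for Tor exit nodes.

Added example, not a CDN's real code. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a published Tor exit-node list.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Constructed per-IP threat scores of the kind a CDN accumulates from observed
# abuse. Higher is worse; addresses not listed score 0. Note that an exit node
# inherits the score earned by *everyone* who used it.
THREAT_SCORES = {
    "198.51.100.7": 85,   # busy exit node that has relayed a lot of scraping
    "203.0.113.42": 15,   # quiet exit node
    "192.0.2.10": 95,     # non-Tor address running a credential-stuffing bot
}

CHALLENGE_THRESHOLD = 50  # assumed "basic" protection level


@dataclass
class SitePolicy:
    """How one customer site wants Tor exit nodes treated."""
    name: str
    tor_rule: str = "reputation"   # "reputation" | "whitelist" | "blacklist"
    allow_list: set = field(default_factory=set)  # explicit per-IP exemptions


def decide(ip: str, policy: SitePolicy) -> str:
    """Return 'allow', 'challenge' or 'block' for a request from `ip`."""
    addr = str(ipaddress.ip_address(ip))  # validates and normalises the address
    if addr in policy.allow_list:
        return "allow"
    is_exit = addr in TOR_EXIT_NODES
    if is_exit and policy.tor_rule == "whitelist":
        return "allow"
    if is_exit and policy.tor_rule == "blacklist":
        return "block"
    # Default: judge the address purely on the reputation it has earned. This
    # is where a well-behaved Tor user gets challenged alongside the bots that
    # shared the same exit node.
    if THREAT_SCORES.get(addr, 0) >= CHALLENGE_THRESHOLD:
        return "challenge"
    return "allow"


# Constructed request log: (client address as seen by the site, path).
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/login"),
    ("198.51.100.7", "/search"),
    ("203.0.113.42", "/"),
    ("192.0.2.10", "/login"),
    ("192.0.2.55", "/"),
]


def summarize(requests, policy: SitePolicy) -> dict:
    """Count the decisions a policy would make over a request log."""
    counts = {"allow": 0, "challenge": 0, "block": 0}
    for ip, _path in requests:
        counts[decide(ip, policy)] += 1
    return counts


if __name__ == "__main__":
    for policy in (SitePolicy("default"),
                   SitePolicy("tor-friendly", tor_rule="whitelist"),
                   SitePolicy("strict", tor_rule="blacklist")):
        print(policy.name, summarize(SAMPLE_REQUESTS, policy))
```

The point the example makes is the one both sides of the argument accept: under the default reputation rule the quiet exit node passes and the busy one is challenged on every request, regardless of which human or bot is behind it, while a whitelist exempts both exits and a blacklist drops even the quiet one. The non-Tor bot at 192.0.2.10 is challenged under all three policies, so the exit-node rules change nothing for it.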

A bug tracker ticket opened yesterday by one of the Tor project's most well-known evangelists, Jacob Appelbaum, alleged that companies such as CloudFlare “are effectively now Global Active Adversaries.” CloudFlare, according to Appelbaum, “actively make it nearly impossible to browse to certain websites, they collude with larger surveillance companies (like Google), their CAPTCHAs are awful, they block members of our community on social media rather than engaging with them and frankly, they run untrusted code in millions of browsers on the web for questionable security gains.” Comments in the Tor Project's trac page, however, show that Appelbaum is not alone in his criticism.
Vituperative members of the Tor community declared their dislike of CloudFlare in the thread, saying that it gathers metrics which "count as a kind of surveillance that is seemingly linked with a PRISM provider," as Appelbaum described CloudFlare's use of Google's CAPTCHAs. Prince denied this to The Register, saying: "If you sat at CloudFlare and listened to how much we're supportive of communities like Tor internally, it's hard to make that same claim." The CEO also disagreed with another of Appelbaum's allegations – that the company isn't interested in engaging in a dialogue with the Tor project – though he stressed his respect for Appelbaum himself, whom he regards as "a very smart guy." "Our customers are website owners," Prince added, "and if you survey them and ask what they think about Tor, they would rather just block it in most cases.

The reason why is because an enormous amount of abuse comes via Tor." According to Prince, third-party figures have suggested that more than 90 per cent of Tor traffic – in voluminous terms – "is, in some way, per se abusive, and I don't mean that in terms of visiting distasteful sites, that's not our business, but is traffic that is actively trying to hurt the websites it is visiting." CloudFlare's CTO responded to Appelbaum's "Global Active Adversary" claim, criticising it for being an "inflammatory introduction" before clarifying that CloudFlare is "not adversarial to TOR as an entity, we are trying to deal with abuse that uses the TOR network." Malicious traffic arriving via a Tor exit node is indistinguishable from legitimate traffic at the network level: every user of a given exit node shares its IP address, and the Tor Browser Bundle deliberately presents the same user agent for everyone so that individual users cannot be told apart.

The alternative is a CAPTCHA, which puts a small Turing test to visitors to distinguish humans from email-address-scraping bots. Concurring with Prince's comments about engaging with the Tor Project, the CTO asserted that the company has had "multiple contacts with people working on Tor through events like Real World Crypto and have been trying to come up with a solution that will protect web sites from malicious use of Tor while protecting the anonymity of Tor users (such as myself)." Prince also told El Reg that his company offered "six or seven" of its 125 engineers to work with the Tor project.

Among the active Tor users at the company are the CTO, and Ryan Lackey, known for previously founding the Sultanate of Kinakuta-like Sealand-based HavenCo and joining CloudFlare when his company, CryptoSeal, was acquired in 2014, as well as “at least 20 others.” "About a month ago, I blacklisted every single IP address that was used in the CloudFlare office network, so our own team had to pass the CAPTCHAs too, so we had to feel the same pain, and it is a pain in the ass," added Prince. There have been bugs in the CAPTCHA system too, Prince added, forcing Tor users to have to pass the CAPTCHA more than once per site. "We just see a tonne of abuse coming from those IP addresses," said Prince, "and our system says it's statistically probable that this is abusive." CloudFlare is working on making things easier, however.

The CEO told us that, "for the first time, we're allowing our customers to apply their own rules to Tor exit nodes." The company will soon allow customers to whitelist Tor exit nodes. "What I worry about," said Prince, "was that I could not think of a philosophically justifiable reason to allow the whitelisting of Tor exit nodes and not the blacklisting of Tor exit nodes. We are just allowing customers to whitelist them, but I think a majority of site owners would rather blacklist them." I was at a hosting conference recently and somebody stood up and said, "I want to ask you something specifically about Tor" and somebody from the EFF stood up and said it was my question too.

And then the person asked “When will you allow us to block Tor entirely?” and the EFF guy was like “Wow, I never appreciated how much malicious stuff the average website owner sees coming off of the network.” The Tor Project does not explicitly accept that it facilitates additional abuse.
Its Abuse FAQ repeatedly states variations on the theme of: "So yes, criminals could in theory use Tor, but they already have better options, and it seems unlikely that taking Tor away from the world will stop them from doing their bad things.

At the same time, Tor and other privacy measures can fight identity theft, physical crimes like stalking, and so on." Prince agreed with the principle that Tor was a legitimate service and said that the company has "tried to feel the pain of those users too. We're trying to be as empathetic as possible to those challenges.

But our customers are saying something else." "If there's a technical way to do it, we're interested," said Prince, regarding a means of enabling the legitimate use of Tor while protecting customers. He suggested moving "the proof-of-work problem to their side" might help. "I'd love to be able to work with the Tor community to come up with one solution," added Prince. Potential solutions are being debated by the Tor community on the trac page.

Disclosure: The Register is a CloudFlare customer. Our security settings require CAPTCHAs be completed by those coming from "possibly malicious IP ranges" for the reasons stated above. While we apologise for any inconvenience this causes, it remains a useful security mechanism.
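Prince's "proof-of-work problem on their side" is a client puzzle: instead of a CAPTCHA, the site hands the visitor a challenge that costs a little CPU to solve and nothing to verify, so a scraper must pay for every request while a human's browser solves it once in the background. The following is an added example in Python of a hashcash-style puzzle, written for this page and not CloudFlare's or the Tor Project's code. The server stores nothing per challenge (it authenticates the challenge fields with an HMAC), binds the puzzle to a random salt rather than to the client address (an exit-node address can change between challenge and answer), and keeps a set of used salts to reject replays. The secret key, difficulty and time window are assumptions chosen for illustration.

```python
"""Hashcash-style client puzzle as a CAPTCHA alternative. Added example only."""
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # assumed: per-deployment secret, rotated regularly
DIFFICULTY_BITS = 16          # assumed: ~65k hashes on average, well under a second
TTL_SECONDS = 120             # assumed: how long a challenge stays answerable
_seen_salts: set = set()      # replay protection; a real service would use a cache


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the puzzle's 'difficulty')."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def issue_challenge(difficulty: int = DIFFICULTY_BITS, now=None) -> str:
    """Server side: return 'salt|difficulty|expiry|mac'. Nothing is stored."""
    now = int(time.time()) if now is None else now
    salt = os.urandom(8).hex()
    body = f"{salt}|{difficulty}|{now + TTL_SECONDS}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def solve_challenge(challenge: str, max_iterations: int = 1 << 24) -> int:
    """Client side: brute-force a nonce so that H(challenge:nonce) starts with
    `difficulty` zero bits. The client never needs the server's key."""
    difficulty = int(challenge.split("|")[1])
    for nonce in range(max_iterations):
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return nonce
    raise RuntimeError("no solution within the iteration budget")


def verify_solution(challenge: str, nonce: int, now=None) -> bool:
    """Server side: check the MAC, then expiry, then the work, then replay.
    Each step is constant-cost, so a wrong answer costs the server one hash."""
    try:
        salt, difficulty, expiry, mac = challenge.split("|")
    except ValueError:
        return False
    body = f"{salt}|{difficulty}|{expiry}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False          # challenge was forged or its difficulty lowered
    now = int(time.time()) if now is None else now
    if now > int(expiry):
        return False          # solved too late; precomputation window is bounded
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    if _leading_zero_bits(digest) < int(difficulty):
        return False          # not enough work
    if salt in _seen_salts:
        return False          # same solution presented twice
    _seen_salts.add(salt)
    return True


if __name__ == "__main__":
    ch = issue_challenge()
    start = time.time()
    n = solve_challenge(ch)
    print(f"solved nonce {n} in {time.time() - start:.3f}s, valid={verify_solution(ch, n)}")
```

The caveat a practitioner would raise is that this does not distinguish humans from bots at all; it only makes each request cost roughly 2^difficulty hashes, which hurts a scraper issuing thousands of requests far more than a person issuing a few, and it does so without any IP reputation, so Tor users are not penalised for sharing an exit node. The difficulty has to be tuned against the slowest legitimate client, and because verification is stateless apart from the replay set, the expiry window is what bounds how far ahead an attacker can precompute answers.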