NSA Hacking Tor - something to worry about?

I came across this document on Cryptome and wanted to get other people's opinions on it:

cryptome.org...

It sounds like they think anyone who uses Tor is an extremist or something, or at least that's what I thought. I rarely use Tor but it's nice to have on my computer because I tire of Google's constant "logged in" philosophy sometimes. Yes I know you can use incognito mode, but it's not quite the same.

a reply to: Sharted

Tor's security is based on the security and trust of the exit nodes. Anyone can run an exit node and anyone can monitor all traffic that goes over them.

If you only use a trusted exit node such as a friend or family member you will be safe.

To be totally honest, if you want security use a VPN.

originally posted by: shaneslaughta
a reply to: Sharted

Tor's security is based on the security and trust of the exit nodes. Anyone can run an exit node and anyone can monitor all traffic that goes over them.

If you only use a trusted exit node such as a friend or family member you will be safe.

To be totally honest, if you want security use a VPN.

And if the NSA already has back doors to the RSA algorithms what encryption would you recommend since the bulk of https is predicated on RSA?

I would recommend 256 bit AES encryption, assuming we are talking about VPN encryption algorithms, as it is generally assumed that 128 bit AES will be brute-forceable soon (2030 and beyond).

Also, it's much, much more likely that one end of the VPN tunnel is going to be compromised and that's what leaks your data, not the algorithm itself

a reply to: MarlinGrace

I have never been to concerned with security myself. I don't do anything that warrants me to scarification my data to that extent. My more secure information i use HTTPS/SSL and VPN.

Even using a VPN has its risks. You still are relying on a third party to safeguard your information. Lots of VPN companies do log your information and keep records of what machines are connected and to where.

I do not bank online nor or make online purchases, nor do i visit the deep web or anything that would draw unwanted attention to myself.

As for encryption protocols, that depends on what your using it for. That is far from a simple answer. All machines that your communicating with must use the same protocol. If they don't it will be like speaking Greek to German.

Certain protocols stick out more to malicious people monitoring your traffic.

Also, using file sharing software, java, flash, and a bunch of other peer assisted software make you visible even when using tor and freenet and other services like them.

originally posted by: hombero
I would recommend 256 bit AES encryption, assuming we are talking about VPN encryption algorithms, as it is generally assumed that 128 bit AES will be brute-forceable soon (2030 and beyond).

Also, it's much, much more likely that one end of the VPN tunnel is going to be compromised and that's what leaks your data, not the algorithm itself

Even AES makes me nervous since it was given to the government for approval. Some way we have to have something that they can't get there hands on. Don't know if its possible.

How is it possible to decrypt one end when it takes both keys to decrypt?

AES 256 is only as strong as the length of your password. Short passwords less than 8 characters can be crackled with GPU'S relatively easily.

Also using large random salt hashes prevent pre-computational attacks.

Dont use any easily definable passwords like ilovepizza or 1972transam or 1234567890

Take a look at word lists and dictionaries that hackers use for cracking to give you an idea about how to not make a password.

originally posted by: MarlinGrace

originally posted by: hombero
I would recommend 256 bit AES encryption, assuming we are talking about VPN encryption algorithms, as it is generally assumed that 128 bit AES will be brute-forceable soon (2030 and beyond).

Also, it's much, much more likely that one end of the VPN tunnel is going to be compromised and that's what leaks your data, not the algorithm itself

How is it possible to decrypt one end when it takes both keys to decrypt?

If hardware is compromised/has been or is accessible, all bets are off. Even if the channel between your computer and the VPN machine is secure, if someone on the other end can view memory via some utility (after decryption to plaintext), etc., then that's that. Or your end before it's encrypted and sent out.

This is like when the NSA sucked communications data from Google's nodes (by tapping them like someone taps a tree for honey)...

Ah Tor, does not surprise me in the least the NSA would consider any users of it extremists. When it comes to using Tor and security my philosophy is this - if you are doing enough illegal activities online to actually be a blip on TPTB's radar - well then they will get you if they want you. Simple as that.

a reply to: Sharted

It's a scary article. Sure, we all know that the Tor network was infiltrated by various intelligence agencies and that the NSA 'own' a proportion of the network. The scary part of the article is what will happen to people who search 'tor,' access the tor website, search for 'tails' or use the Tor network.

IPs are logged and stored whilst the traffic from that IP is scrutinised as if the owner is a threat to US security. This implies that anyone who has searched 'tor' will have subsequent searches logged and stored. By extension (the scary part), the simple act of showing an interest in anonymity will get you marked for surveillance.

The dragnet nature of this automated process means too much metadata for human agents to digest and analyse. There'd presumably be another filter to escalate the searches of individuals to a higher level of scrutiny. So downloading Tor to porn-cruise will get you listed by machine, using it to visit Arabic sites or technical specifications of chemical explosives will get you more personalised attention.

It's alarming how little is now needed to find yourself on a 'watch list.'

originally posted by: Kandinsky
a reply to: Sharted

It's a scary article. Sure, we all know that the Tor network was infiltrated by various intelligence agencies and that the NSA 'own' a proportion of the network. The scary part of the article is what will happen to people who search 'tor,' access the tor website, search for 'tails' or use the Tor network.

IPs are logged and stored whilst the traffic from that IP is scrutinised as if the owner is a threat to US security. This implies that anyone who has searched 'tor' will have subsequent searches logged and stored. By extension (the scary part), the simple act of showing an interest in anonymity will get you marked for surveillance.

The dragnet nature of this automated process means too much metadata for human agents to digest and analyse. There'd presumably be another filter to escalate the searches of individuals to a higher level of scrutiny. So downloading Tor to porn-cruise will get you listed by machine, using it to visit Arabic sites or technical specifications of chemical explosives will get you more personalised attention.

It's alarming how little is now needed to find yourself on a 'watch list.'

Well, I don't do anything noteworthy so I should be fine. It's lame that they flag people just for wanting total anonymity. I understand that they need to do it to catch perverts and drug lords, but the only way they can do that is by spying on everyone, so lame.

There is no encryption that is safe.

Gizmodo

The NSA wishes they could hack Tor. They can not.

They simply lack the talent. No computer programing wizards are willing to work for the NSA under the conditions and wages they offer.

They have minor league talent and are only fooling themselves to believe they can out hack the world's best.

originally posted by: jrod
The NSA wishes they could hack Tor. They can not.

They simply lack the talent. No computer programing wizards are willing to work for the NSA under the conditions and wages they offer.

They have minor league talent and are only fooling themselves to believe they can out hack the world's best.

If they have access to nodes can't they see what people are doing?

a reply to: Sharted

Beats me. All that stuff is beyond me. I can't hack.

What are these nodes you speak of?

Are there people floating around in the dark web?

a reply to: Kandinsky

Hey K. Ever since the discrete logarithm problem was part solved. I no longer put much bank in SSL certs. HTTPS Everywhere was great while it lasted. Frankly, RSA should be treated as though it is compromised. The only way the internet will have real anonymity again is if we put real effort into Meshnet. Even then though we'll probably have to setup websites to use something like Diffie-Hellman rather than one size fits all trapdoor RSA-type encryption.

originally posted by: jrod
The NSA wishes they could hack Tor. They can not.

They simply lack the talent. No computer programing wizards are willing to work for the NSA under the conditions and wages they offer.

They have minor league talent and are only fooling themselves to believe they can out hack the world's best.

Cool story, you know this how?
Oh wait you don't.

Just because you read about a few people that used a LOIC or DDoS or DOS or some script kiddie somewhere who heard about boxing at his local 2600 meeting ,ffs I wished red boxes still worked , and wears a fawkes mask then makes quotes that sound like rejected dialogue from The Matrix doesn't give you any more insight into how the real world is than anyone else.

originally posted by: Xtraeme
a reply to: Kandinsky

Hey K. Ever since the discrete logarithm problem was part solved. I no longer put much bank in SSL certs. HTTPS Everywhere was great while it lasted. Frankly, RSA should be treated as though it is compromised. The only way the internet will have real anonymity again is if we put real effort into Meshnet. Even then though we'll probably have to setup websites to use something like Diffie-Hellman rather than one size fits all trapdoor RSA-type encryption.

Everyone can thank the Global warming expert Mr. Gore for the RSA backdoor. The problem is there are optical splitters installed in the fiber optic network that allow for capture without interruption, much less a slow down. Personally I don't think any of of it hasn't already been broken to some degree. The thing to remember is all encryption can be broken given the time, the question is the time sensitivity of your data. So they can tell where packets are going to and coming from but once you start in on the math, start the clock. Always use a passphrase as long as you can remember.

The "meta data" the two IP addresses, MAC addresses are all recorded and everything in the middle if they feel is worth the trouble will be looked at seriously. In most cases if you're under that much scrutiny they just break in and place a moving in memory logger and viola' the encryption doesn't matter. The really good government worms/loggers/ etc. move within blocks of memory and are virtually undetectable.

a reply to: Xtraeme

Great post though.

a reply to: Xtraeme

Hiya X, although the technicalities are beyond me, I've read enough to know you're right about anonymity being compromised. It'll take a while to go through your links, digest, and watch the YT vids.

Looking at the Meshnet article, wouldn't it be susceptible to 'sniffers' or 'man in the middle' players? Given the capabilities of major agencies, wouldn't they be able to monitor traffic from an IP via the ISP? The article mentions encrypted traffic that's limited between one IP and another and, in theory, would be anonymous to outside agents. However, the question crosses my mind about how those two parties come to agree to share an encrypted line of communication? Before they agree on the encryption, wouldn't their online correspondence be observable to others like ISPs, email hosts and those who monitor their traffic?

In that scenario, whether communication occurred via phone, SMS or snail-mail, we'd be using channels that are known to be under surveillance. The circumstantial evidence would have flagged our intent before we went 'dark.'