User Error Is the Primary Weak Point In Tor

blottsie (3618811) writes with a link to the Daily Dot's "comprehensive analysis of hundreds of police raids and arrests made involving Tor users in the last eight years," which explains that "the software's biggest weakness is and always has been the same single thing: It's you." A small slice: In almost all the cases we know about, it’s trivial mistakes that tend to unintentionally expose Tor users. Several top Silk Road administrators were arrested because they gave proof of identity to Dread Pirate Roberts, data that was owned by the police when Ulbricht was arrested. Giving your identity away, even to a trusted confidant, is always huge mistake. A major meth dealer’s operation was discovered after the IRS started investigating him for unpaid taxes, and an OBGYN who allegedly sold prescription pills used the same username on Silk Road that she did on eBay. Likewise, the recent arrest of a pedophile could be traced to his use of “gateway sites” (such as Tor2Web), which allow users to access the Deep Web but, contrary to popular belief, do not offer the anonymizing power of Tor. "There's not a magic way to trace people [through Tor], so we typically capitalize on human error, looking for whatever clues people leave in their wake," James Kilpatrick, a Homeland Security Investigations agent, told the Wall Street Journal.

Summary:

[Tablizer]

GIGO

Re:

[Forbo]

What does that mean? I can't find an explanation anywhere.

Re:

[Anonymous Coward]

It's probably a typo for SIASD, "stupid is as stupid does".

Re:

[Impy the Impiuos Imp]

No, it means (go) suck an Imperial star destroyer.

Garbage in, garbage out

[zapyon]

Nothing to see here, move along. I had to put something here by demand of the CMS, sorry.

Oops

[zapyon]

this should have been the reply to the "What does that mean?" post below. By the way: https://en.wikipedia.org/wiki/... [wikipedia.org]

Good Security

[Anonymous Coward]

It is really easy to miss this, but all security is about people. Good security software guides users into the most secure behavior. Bad security software just sets up a bunch of rules that the user must memorize and follow without error. Users will always be the weakest link, but you can make it easy for them to make good decisions and hard for them to do the wrong thing.

Re:

[Lennie]

That is why the Tor-browser-bundle includes a browser with lots of indentifying information removed.

Security is too hard

[mveloso]

If security is too hard for criminals to use, it's too hard for normal people to use.

Re:

[mythosaz]

It might just be me who thinks this, but I imagine the average criminal as dumber than the population.

Re:Security is too hard

[Anonymous Coward]

The average person that ends up in jail is dumber than the average person who doesn't. The average criminal among those that doesn't get caught is a lot smarter than that.

Re:

[tehcyder]

Getting caught is part of being a career criminal.

The idea that there are evil criminal geniuses behind the scenes is just another conspiracy theory, dating back to Victorian/Edwardian times and fictional figures like Professor Moriarty or Fu Manchu.

Re: Security is too hard

[Anonymous Coward]

Yea the real criminals are the ones in congress.

Re:Security is too hard

[Anonymous Coward]

> I imagine the average criminal as dumber than the population.

Nah, that's just the average caught criminal. It is a common error to make.

Re:Security is too hard

[EnempE]

It is not just you that thinks this. But I think it is a convenient thought not a considered one.
I don't think there is anything in terms of research to support the 'criminal subclass' idea (i.e. a group too stupid to succeed without breaking the rules), it is just a rationalization that outlived phrenology.
Even if the measure of criminal intelligence was not being caught, it assumes that the entire criminal justice system is composed of exactly average people with the same resources as the criminals. That is clearly not the case, as their 'situational awareness' tools are what motivates those without criminal intentions to consider these technologies.
Regarding the use of TOR, when imagining the criminal 'eptitude', you have to balance the fact that the risk would motivate them to expend additional effort in using the system. These things are more about discipline than intelligence. You might be more disciplined in your approach to paid work than a hobby, it would be reasonable to expect that criminals would similarly be more disciplined with the use of TOR than a hobbyist.
TLDR
I think mveloso's heuristic for measuring a security tool is still valid.

Re:Security is too hard

[Matheus]

Incorrect. Your average criminal may be less moral BUT to lead a successful criminal life requires a level of intelligence the law abiding citizen does not require. It's easy to follow the rules laid out before you. Society has created a reality for you in which you choose to reside unaltered. The perpetual criminal chooses to reject that reality and so must not only create the one they choose to live in but constantly maintain the battlements between theirs and the rest of society's in order to not find themselves in a small locked room. An intelligent person may even be more likely to become a criminal to some degree in the respect that they see better than most the gray-scale of the world. Right and Wrong as taught to us as children is never so black and white in the harsh reality of adult life. Refining a complex moral code of your own creation and then holding yourself to it while living aside others is not for the simple minded.

As an aside, your presumption may be that the average criminal gets caught (ergo unsuccessful) but I'm afraid that is most likely an incorrect assumption. People break the law on a daily basis probably more than they think they do. The ones who knowingly do this would be your "criminal" but to assume they are well represented by the news-worthy ones being dragged off on TV is a bad assumption. Entire swaths of this society live their entire lives breaking law after law after law and dying peacefully in their old age comfortable that they lived their life the way they chose to.

Re:

[HornWumpus]

Law abiders live pathetic lives, constantly afraid.

Re:

[tehcyder]

Yeah, the true heroes are the drug-addled muggers and teenagers hitting old ladies over the head with bricks.

Re:

[HornWumpus]

Because those are the only two options? Fuckwit!

Re:

[tehcyder]

That's pretty well written for a thirteen year old. B++

Human nature

[s.petry]

I don't agree that it's hard, just that human nature will always try and take the path of least resistance. Most security is actually pretty easy for users, just follow these X steps and you will be safe. Users read the first and last step because it's easy. Other users may perform all the steps a few times, and jump to using step 1 and finish because the don't remember the point in performing all the steps. There are others that believe the propaganda fed to them by media and government and consider al

Two Words

[stoploss]

Parallel Construction. [wikipedia.org]

Re:

[mythosaz]

The post below yours expounds a bit, but he's an AC, fuck him :)

I'm not the biggest fan of parallel construction, at least not as its used. The idea that you have to protect a confidential informant from getting shot in the head is certainly a real issue, but nowadays it seems PC gets used to hide the results of mass wiretapping or other not-so-rosy snooping.

I still question if Tor is genuinely broken, if the NSA (or whomever) has a sufficient number of exit nodes and compromised carrier's routers plus the

Re:

[CaptainDork]

The weakness of Tor is proper implementation. Those who think they know how to do it right are a;most always wrong.

Re:

[SuricouRaven]

Even if the NSA had some way to break Tor, they'd have to use it sparingly - if they use it for every drug dealer, so many people would have to know it would be sure to leak. So I imagine it'd be reserved for the most vital of cases, like DPR and other such kingpins. Not your regular rogue doctor selling a few pills or teen looking to score some pot.

Re:

[Mister Liberty]

You can take parallel contruction to the adversary. Think about it.

Parallel Construction

[Anonymous Coward]

It is virtually certain TOR is compromised by the NSA by listening at all entry and exit points at a minimum. However, the only cases that come to trial are those where they can estabish an alternative ( parallel ) path to the evidence.

Re:

[Triklyn]

evidence of this would be significantly more contrived constructions. all the examples that the summary seems to describe seem like " yeah, ok that's plausible." if they require plausibility to guard their deniability, then don't let their be plausibility. the good security practices still work in so much that they won't be able to come after you with something incredibly contrived and still guard their secret. Evidence that isn't actionable really isn't evidence.

I don't think that's quite right

[tacokill]

If "they" are listening to the entry and exit points they would not be able to deduce what hidden service and what hidden sites a user is accessing. All they would know is that the user is using Tor through entry point X but they would not be able to trace the traffic after that. However, if the user is using Tor to go to a standard website on the publicly available internet, then -yes- the NSA would be able to connect the dots and follow the trail back.

Re:

[JRV31]

I've noticed articles like this one http://yro.slashdot.org/story/... [slashdot.org] sugggesting that TOR is safe. Remember, the best place to hide the truth is in a pack of lies.

primary weak point

[Anonymous Coward]

If there is a primary weak point its that anyone can make an exit node or a routing node, the government has the resources and expertise to make as many as they want, if they owned enough of the nodes there is a high probability that what you send will go through every node that they own, and they have a map right to you. it shouldn't even be hard to find out who hosts hidden services if they probe the system enough.

information can never be hidden, cast off your delusions of privacy and freedom.

Wrong argument!

[s.petry]

The argument should not be whether or not data can be hidden from the Government, but rather that the Government should not be attacking it's own citizens all of the time. I'm not claiming that the Government of the USA is currently acting within their Constitutional limits. Any 3rd grader that can read the Constitution should be able to tell you that they are not currently within their legal limits. Yes, searching all of your data all of the time is attacking your Constitutional rights. Whether they ta

And, by the way...

[Noryungi]

If people who have serious security preoccupations (drug dealers, pedophiles, etc...) are dumb enough to get caught due to human error (and probably not doing their homework), why exactly do the NSA, FBI, CIA, MI6, GCHQ, DGSE, FSB, BND, etc... etc... have to trace everything we do or say online?

In other words, what, on earth, is the purpose of these gigantic spying programs for, if all that is needed is good old fashioned gumshoe work? You know, like, waiting for the bank robbers to brag of their exploits to a police informants, painstakingly tracing money flows from dodgy businesses, or gathering evidence and finger prints on a crime scene?

Sure, security is hard, everyone makes a mistake once in a while, yadda yadda yadda, but what about the rights of the innocent average citizen? We are all being spied on, while police forces are perfectly able to catch the criminals, even if they use Tor! There is simply no justification, none whatsoever, for these agencies to spy on everyone. Think about that for a second.

Re:

[tehcyder]

Further, if the NSA.CIA/whatever says you are a commie, pedophile, adulterer, drug dealer, etc., how can you answer that accusation?

With the truth, via the criminal justice system.

If you actually are a pedophile/drug-dealer (not sure that being a commie or adulterer is illegal any more) and the government have actual evidence against you, tough, you have broken the law.

Re:

[tehcyder]

The only behaviour you have to "censor" is the actual commission of crime.

If you consider something not to be a crime, then you should go about finding enough people to support you in changing the law.

Re:

[blahplusplus]

"Why exactly do the NSA, FBI, CIA, MI6, GCHQ, DGSE, FSB, BND, etc... etc... have to trace everything we do or say online?"

This (mass surveillance) is just more part and parcel of state suppression of dissent against corporate interests. They're worried that the more people are going to wake up and corporate centers like the US and canada may be among those who also awaken. See this vid with Zbigniew Brzezinski, former United States National Security Advisor.

https://www.youtube.com/watch?... [youtube.com]

Look at the follo

Re:

[tehcyder]

If people who have serious security preoccupations (drug dealers, pedophiles, etc...) are dumb enough to get caught due to human error (and probably not doing their homework), why exactly do the NSA, FBI, CIA, MI6, GCHQ, DGSE, FSB, BND, etc... etc... have to trace everything we do or say online?

At the risk of stating the obvious, you can't rely on all of the narco-terrorists and ISIL-supporting pedophiles being equally careless.

Please allow me to correct the title.

[sconeu]

User Error is the Primary Weak Point In Software.

Re:

[Anonymous Coward]

Allow me to correct your title...

User Error is the Primary Weak Point in Life.

Re:

[TuringTest]

User Error is the Primary Weak Point In Software.

Corollary: designing software that fails to work well under user error is the primary engineering mistake.

Tor spooks

[Anonymous Coward]

The premise of this is wrong. It was never meant to be secure, or for public use.

Built for spooks, by spooks. Public use is just a way to hide the spooky within the child porn.

http://pando.com/2014/07/16/to... [pando.com]

User not always weak link

[manu0601]

In a related story from Brian Krebs, Silk Road was not outed by a badly configured CAPTCHA, as the FBI said. They seem to have another way to peek in TOR: http://krebsonsecurity.com/201... [krebsonsecurity.com]

Looks more like SR accidentally published their IP

[UpnAtom]

https://www.reddit.com/r/SilkR... [reddit.com]

Re:

[manu0601]

Please read Brian Krebs' paper. The SR machine was behind a firewall and could not communicate directly with the outer world, it had to go through TOR.

Re:

[UpnAtom]

Doesn't matter. If the host of the software firewall could be traced, maybe that could be traced back to DPR.

Not all user error is equal?

[cstec]

A major meth dealer’s operation was discovered after the IRS started investigating him for unpaid taxes, and an OBGYN who allegedly sold prescription pills used the same username on Silk Road that she did on eBay. Likewise, the recent arrest of a pedophile could be traced to his use of “gateway sites” (such as Tor2Web), which allow users to access the Deep Web but, contrary to popular belief, do not offer the anonymizing power of Tor.

I'm a Tor fan, and think it serves a real need. But seriously .. am I the only one on Slashdot that is ok with busting the meth dealer, the OBGYN dealer and the pedophile?

Generally speaking, it's been the other way. It's the fake fanning of the flames of a -potential- drug dealer or pedophile that law enforcement brutally abuses to make everyone guilty until proven innocent and collect power unto themselves. But here, here we are are with actual bad people, doing actual bad things that got caught, and t

Re:

[Anonymous Coward]

er no fucktard, because violating the security rights of a huge number of people, with the justification that you find a few criminals is exactly the fucked up logic The Man uses to increasingly erode our rights until we get to a point where we have none. If the man had allocated all their resources they've put into illegal and immoral monitoring of the general populace and put it to actual investigation of crimes I daresay they would have solved a fuckton more shit than they actually have. But busting priv

Re:

[Anonymous Coward]

It's true, my house was completely destroyed by a fire during a police raid with no search warrant.
But can't I cheer a little that now I don't have to wash those 3 dirty dishes which were in my sink?

I guess you can, if it makes you feel better. But it seems to be kind of missing the point and the big picture.

Re:

[Carnildo]

But can't we cheer a little that some bad guys went down?

How much collateral damage was there?

When Freedom Hosting was busted, they took down a bunch of child-porn sites and de-anonymized some of the users. But in the process, they also took down TorMail, a legal anonymous email provider, and de-anonymized some of its users.

Sure, punishing guilty people is fine, but not if you punish innocent people in the process.

Not just Tor

[Aaden42]

s/Tor/Security Technology/g

Tor, encryption, any kind of tunneling... Basically any kind of security or privacy enhancing technology is one wrong move away from breaking. Check your Facebook on the Tor connection? Oops... Type your disk encryption key into the wrong window? Oops... Etc.