WikiLeaks and Tor: Moral use of an amoral system?

Reading the New Yorker’s piece on WikiLeaks, it’s hard to decide whether I’m reading about freedom fighters, skilled propagandists, or, as is often the case, both.

Without looking too deeply, and despite serious reservations about their editorial decisions from time to time, I believe in what WikiLeaks is trying to do, and I have since they first arrived on the scene.

But I’m profoundly worried to read about Tor server traffic mined for data.

If I have the story straight, this is the sort of behavior Tor is designed to protect people from, not subject them to:

Before launching the site, Assange needed to show potential contributors that it was viable. One of the WikiLeaks activists owned a server that was being used as a node for the Tor network. Millions of secret transmissions passed through it. The activist noticed that hackers from China were using the network to gather foreign governments’ information, and began to record this traffic. Only a small fraction has ever been posted on WikiLeaks, but the initial tranche served as the site’s foundation, and Assange was able to say, “We have received over one million documents from thirteen countries.”

Confusing, right?

In this narrative, Chinese hackers are crawling the Tor network for the purpose of espionage. Someone attached to WikiLeaks with access to a Tor node — most likely an anonymous volunteer, if we believe the narrative regarding the structure of WikiLeaks elsewhere in the story — notices this, and starts tracking the activity of the Chinese hackers.

My first set of questions, directed toward friends who know far more about Tor than I do:

  • Wait, what? Can “hackers from China” successfully trawl Tor for information?
  • Hold on, even if they can, could someone with access to logs from a single Tor node figure that out, and then, figure out how to get access to the same documents the Chinese were accessing?

And then we come to my greater question, and worry:

If these two points of the narrative are true, then Tor is (perhaps as it should be?) an amoral network being used for both good and evil (painting with a broad brush here, forgive me).

And if that’s the case, if Tor is just a platform that doesn’t make any judgments of its use, how do we then judge the acts of a lone WikiLeaks/Tor volunteer?

Is it OK to hack Tor in the name of the public good?

And if it is, what do we do when secrets are exposed that don’t serve the public good?

I’m not sure, but I have a hard time trusting Tor or WikiLeaks right now.

Tell me why I’m wrong…

(It occurs to me now, of course, that the “Tor” line in the narrative could easily be a falsehood, constructed to substitute for something a bit more direct. If WikiLeaks wanted to fend off queries regarding the sources of documents in their possession, getting them from a network that theoretically provides total anonymity to the user certainly sounds like a solid way to parry those questions. Maybe.)

More context: Does the “military” section of the “Who uses Tor” page answer any of my questions?

These are all open questions. I’m reading up on the history of Tor, and its vulnerabilities. I’ll update this post with anything I hear from friends who know better…

[UPDATE: As expected, commenters come through. Ethan Zuckerman added a thorough explanation of what someone hosting a Tor server could see by monitoring what users are up to, among other things.]

[SECOND UPDATE: The Tor Project blog responds, pointing out that Tor doesn't magically encrypt text; it simply allows for the anonymous transfer of files. So if you use insecure connections and send data in plain text, it's about as safe as writing the information on a piece of paper, folding it into a paper airplane, and throwing it across the street. (My ridiculous metaphor, not Tor's.) The other interesting thing you'll find in the Tor blog post is this sentence: "We hear from the Wikileaks folks that the premise behind these news articles is actually false -- they didn't bootstrap Wikileaks by monitoring the Tor network."] //Thanks to commenter Shava Nerad for pointing out the Tor post and more.

Further reading:

9 thoughts on “WikiLeaks and Tor: Moral use of an amoral system?”

  1. Lots of folks use Tor without proper secrecy protection on top. Tor provides only anonymity, and only a little of that, though as much as anything else out there. Anyone using Tor should use SSH, SSL, or a VPN on top of it. Lots of folks don’t, so the story about Chinese hackers is plausible.

  2. A quick review of the purpose of the Tor network as I understand it:

    Tor grew out of onion-routing research at the U.S. Naval Research Laboratory, though it has been heavily used by folks on BitTorrent who wanted to avoid other folks like the RIAA. It works by tunneling your internet traffic, sent through a particular port, through a series of randomized proxy servers. In theory, this makes your traffic very difficult to trace because there are so many bits and pieces of it spread literally around the world.

    This system is great for anonymity, horrible for privacy. In exchange for a pretty decent attempt to make your traffic untraceable, you give up the privacy that an ISP (theoretically) provides.

    I’d agree with your synopsis that Tor is amoral. I would also agree that WikiLeaks, by examining traffic that goes over a node, went against the spirit of the Tor system – but so did the hackers.

    It wasn’t illegal – they’re totally within their rights to look at the traffic going over their own computer. Further, the chances that WikiLeaks would report on folks torrenting (legality of that activity aside) are low. Therefore, I basically trust that WikiLeaks isn’t out to subvert the main intention of the system.

    The story reads (to me) as: hackers (Chinese or otherwise) figured out how to pervert an open system for espionage. WikiLeaks figured out how to use the system’s weakness against the hackers.

    For me this falls into the category of ‘sometimes you have to do a little bad to do a little good.’ It’s a real fine line, but someone’s got to walk it.

  3. Brian – I thought the brief passage on Tor was the weakest aspect of what was otherwise an excellent piece in the New Yorker.

    I think the author wanted to be writing about two things: Hidden services, and exit node monitoring.

    Hidden services – which the author appears to refer to in the sentence, “The entire pipeline, along with the submissions moving through it, is encrypted, and the traffic is kept anonymous by means of a modified version of the Tor network, which sends Internet traffic through ‘virtual tunnels’ that are extremely private.” – is a long-established part of the Tor system, in place since 2004. It’s a way of publishing information so that it’s extremely difficult to trace the existence of content to a particular IP. It’s a very cool feature, though it’s hard for average users to access, which is why we generally don’t recommend it as a strategy for whistleblowers. But it’s a very reasonable tool for internal use within Wikileaks and suggests an appropriate degree of caution for what Wikileaks is doing. And it’s possible that they’re using a somewhat customized version of Tor to do this… but it’s also possible that this is a misunderstanding on the part of the journalist, as Hidden Services requires significantly more configuration than off-the-shelf Tor clients.

    The assertion that seemed to worry you was about exit node monitoring. In other words, a member of the Wikileaks project was running a Tor exit node, a part of the Tor network that interfaces with the public internet. The job of an exit node is to take a request from within the Tor network and route it to a webserver or a machine running another internet service (POP, IMAP email, FTP, etc.)

    It can be troublesome to run an exit node, as bad actions – defacing wikipedia, sending spam – are traceable back to that exit node, but not back to whoever actually made the request. That’s the beauty of Tor – it’s designed to hide the identity of the person requesting a webpage from the operator of the exit node, and therefore from the operator of the web server. Tor does this by passing a request between three nodes before sending it to a webserver. Node A (the entry node) knows where the user is (she’s requesting a page from her IP address) and where node B is, but not node C (the exit node) or the destination webserver. Node B knows A and C, but neither the user’s IP nor her destination. Node C, the exit node, knows node B and the destination.
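The three-node walkthrough above can be sketched as a toy model. Here, plain Python dicts stand in for encryption layers, and the node and destination names are invented; this is an illustration of the routing idea, not real cryptography:

```python
# Toy model of Tor's layered routing: each relay can "peel" exactly one
# layer, learning only the next hop and an opaque blob to forward.

def build_onion(path, destination, payload):
    """Wrap the payload so each relay learns only the next hop."""
    onion = {"next": destination, "inner": payload}   # exit node's layer
    for relay in reversed(path[1:]):                  # wrap outward
        onion = {"next": relay, "inner": onion}
    return onion

def peel(onion):
    """A relay 'decrypts' one layer: next hop plus an opaque blob."""
    return onion["next"], onion["inner"]

path = ["A", "B", "C"]  # entry, middle, exit
onion = build_onion(path, "example.com", "GET /page (plaintext)")

hop1, blob = peel(onion)   # node A learns only: forward to B
hop2, blob = peel(blob)    # node B learns only: forward to C
hop3, blob = peel(blob)    # node C learns the destination -- and, if the
                           # payload isn't end-to-end encrypted, the
                           # payload itself
```

Node C’s view in the last step is exactly the exit-node vantage point described above: the destination and any unencrypted payload, but never the original user’s IP.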

    Monitor node A and you get a list of IPs accessing Tor… but no sense for where they were trying to go using Tor. Monitor node C – as the Wikileaks participant says he was doing – and you get a very good sense of what users are doing through your node.

    In 2007, Swedish security expert Dan Egerstad ran a packet sniffer – a tool that captures traffic and can search it for specific strings – to monitor the traffic through five exit nodes his firm maintained. By sniffing for strings likely to identify email or web passwords, Egerstad was able to collect an impressive (scary, embarrassing) set of information. His project is well described in an Ars Technica article: http://arstechnica.com/security/news/2007/09/security-expert-used-tor-to-collect-government-e-mail-passwords.ars

    What Egerstad was able to do isn’t a bug in Tor, per se. Tor promises to obscure the connection between your originating IP address and the web server you are visiting – and it does, in all but a small set of esoteric, lab-based attacks. What Tor doesn’t do – and what Tor will happily tell you it doesn’t do, if you read their careful warnings closely enough – is protect you from being stupid online. Logging into a sensitive service using an http:// – rather than https:// – interface is a stupid thing to do, and Tor won’t prevent you from making that mistake. To be safe and anonymous, you need to make changes in your behavior – use secure mail protocols, log into secure services via HTTPS interfaces – and understand what Tor does and doesn’t do. Andrew Lih has an excellent piece explaining the implications of Egerstad’s research, titled “Assume Tor Exit Nodes Are Monitored” – http://www.andrewlih.com/blog/2007/09/11/using-tor-assume-exit-nodes-are-monitored/ . That’s good advice.
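The sniffing technique just described can be sketched roughly. The traffic lines and the credential pattern below are invented for illustration; a real sniffer like Egerstad’s works on raw packets, not tidy strings:

```python
import re

# Invented examples of plaintext an exit-node operator could observe
# when users log in over http:// or unencrypted POP3.
traffic = [
    "GET /index.html HTTP/1.1",
    "USER diplomat@example.gov",                       # POP3 login, in the clear
    "PASS hunter2",                                    # POP3 password, in the clear
    "POST /login HTTP/1.1 body: user=jdoe&password=s3cret",
]

# Search for password-bearing strings, as a sniffer configured for
# credentials would.
pattern = re.compile(r"(PASS\s+\S+|password=\S+)", re.IGNORECASE)

captured = [m.group(0) for line in traffic if (m := pattern.search(line))]
# captured now holds the POP3 password and the web-form password
```

The point is how little work this takes: anything sent unencrypted through an exit node is just strings waiting to be matched.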

    Egerstad’s experiment evidently turned up precisely the sort of information that could be used to start a document collection like Wikileaks. See http://www.wired.com/politics/security/news/2007/09/embassy_hacks , a Wired story which shows Egerstad reading the correspondence of India’s ambassador to China, amongst others.

    What of the Chinese hackers? Egerstad conducted his experiment because he was worried that intelligence agencies might be running rogue Tor nodes to monitor users, exactly as he went on to do. I don’t know of credible reports that this has happened, but I can see how a story about Egerstad monitoring Tor and intercepting passwords and documents – to demonstrate that the Chinese could use the same technique – could morph into the situation described in the New Yorker article.

    Let me just make clear – I have no basis on which to suggest that Egerstad has any connection to Wikileaks. I am simply mentioning that there’s a well-documented story within the security community whose basic outlines are similar to the story told in this New Yorker piece.

    As for the ethical implications? Don’t blame Tor – it does what it says on the wrapper. It’s just that no one reads or understands the wrapper.

    Are there ethical concerns about someone who’d run an exit node to spy on users? Yes, there are. But Egerstad’s point was a valid one – anyone running an exit node can spy as he did, and people need to understand that to use Tor safely.

    Entertain a theoretical for a moment: that Wikileaks received a cache of information obtained by Egerstad, who sniffed passwords and then used those passwords to enter systems, reading the email of the Indian ambassador to China and caching all documents found. Should Wikileaks delete those documents? Or selectively release some because they have political relevance?

    I’d be pretty uncomfortable defending widescale system intrusion and document perusal in that case. These wouldn’t be documents from whistleblowers – this would be the contents of filecabinets obtained through a (smart, sophisticated, non-destructive) form of breaking and entering. But that’s my read on the situation, and not necessarily the read you’d get from Julian… or at least, that’s what I got from the author’s piece.

    Hope some of that’s helpful.

  4. I agree that the article is probably referring to documents that were on “hidden services,” not tapped from Tor exit servers. There was some amount of discussion of this early in Wikileaks’ history, as I remember.

    Hidden services are the complement of the general Tor session — the Tor client is generally used to hide the originator’s IP, but the hidden services facility is used to hide the *destination’s* IP (that is to say, to create an anonymously hosted web site). Wikileaks still uses a hidden service as an avenue for leak submission I think, and various other whistleblower projects (for example, the Zyprexa scandal) made documents available through this channel to prevent takedowns/attacks.

    But as Ethan notes, Tor doesn’t hide the content of documents end-to-end — that’s up to the user. Tor is a tool, and you need to understand how to use it. It’s documented, really. But you have to RTFM, as it were.

    We commonly ignore security dangers in casual network use. You are probably more in danger of having your data and username/passwords stolen by using open unencrypted wifi at a cafe than by careful use of https: on the Tor network.

    Tor encrypts the first jump — from your machine to the first Tor server. It does not, and never promised to, encrypt that last jump — because if it did, then the destination wouldn’t understand the data. If that data *happens* to be using end-to-end encryption (https: and other encrypted connections) it will be decrypted, obviously. But if you connect to something that would be in the clear without Tor (http), it will be in the clear leaving the exit node to the ultimate destination.

    Without that last hop being in the clear, an http service would have no way of decrypting the content it receives.

    But say you wanted to anonymously connect to wired.com to read their article — wired.com doesn’t allow encrypted connections. There’s no https: certificate for the site. It’s all http:

    If you are on unsecured wireless and not using Tor, your username and password for Wired are by necessity sent over the air unencrypted, totally in the clear, for that first hop. People do this all the time. They never think about it. But your computer probably warns you that you are using an insecure connection. And you probably just hit the “OK” button.

    You have to hope there isn’t some kid tapping the wireless — and that you don’t share that username/password pair anywhere else (your bank, amazon,…) that could be exploited by that tap.

    If you are on unsecured wireless, connecting to Tor, that first hop is encrypted, so the kid with the promiscuous tap on the cafe wireless can’t get your password — but if someone were tapping the Tor exit node, they could get it, because Wired doesn’t accept encrypted connections. (This is why I use Tor on open wireless, even though I don’t care about anonymity personally.)

    But because that first hop is encrypted, sometimes people misunderstand that the entire connection is encrypted end to end. Tor doesn’t determine that — the service at your destination does.

    So, any service that doesn’t accept secure connections should never use important passwords, whether or not you use Tor. Your Wired password is protected at the cafe end, but not at the exit server where your information is sent on to wired.com. That’s not Tor’s fault, but it is a level of understanding that isn’t baked into a common level of computer/network literacy.

    Tor promises anonymity (obscuring the source of packets) not encryption end-to-end. End-to-end encryption depends on the destination service — and user sophistication. We just have to hope people who use Tor for sensitive data will read the warnings and the information on the Tor Project web site, and take care.
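The point above about where Tor’s protection starts and stops can be condensed into a tiny sketch. This is a simplified model, and the observer labels are mine:

```python
def who_can_read_payload(uses_https):
    """Simplified model of one Tor circuit:
    client -> entry -> middle -> exit -> destination.
    Who can see the payload in the clear? Tor encrypts hop-by-hop inside
    the network; only end-to-end TLS protects the exit node's view and
    the final hop to the destination."""
    return {
        "cafe wifi snoop (first hop)": False,        # always Tor-encrypted
        "entry node":                  False,        # sees ciphertext layers only
        "middle node":                 False,
        "exit node":                   not uses_https,
        "wire to destination":         not uses_https,
    }

plain_http = who_can_read_payload(uses_https=False)  # e.g. wired.com login
with_tls   = who_can_read_payload(uses_https=True)   # e.g. gmail over HTTPS
```

The two calls capture both scenarios in the comment: the cafe snoop is always defeated, while the exit node reads everything unless the destination service supports encryption.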

    Users not only need to use end-to-end encrypted services (gmail,…), but need to avoid Flash and other tech that will embed your originating IP address without your consent.

    All security utilities are a series of compromises between security and usability. Very few are transparent — and the ones that are tend to involve end-to-end protocols (https is a good example), with only a small hit in performance.

    Because Tor allows anonymous access to an open set of Internet services, it relies on the user to ensure his/her encryption security (or not) at will. For many, encryption is not the point — anonymous access is. The origin is important, but not the content. Those people want to be able to use Tor too, so Tor doesn’t restrict users to end-to-end encrypted services.

    An example might be a lawyer I met from northern New England who wants to blog about local politics. He blogs anonymously using a pseudonym, because his firm and probably half his clients might be put off by his politics — and having a job shouldn’t bar you from holding public political opinions. But he doesn’t care if the content of his connection is revealed, just that the anonymity (or really, pseudonymity) of his blogging is preserved.

    If the content is important, extra care on the part of the user has to be put in place and minded. You can’t download Tor from the Tor Project web site without seeing these warnings, but I’m afraid they become as invisible as the average EULA to many.

    People need to use common sense (and read the supporting documentation until literacy in networking rises to the “common sense” level).

    In the case of postal mail/package delivery, this means sending something with a signature required if you want to make sure it isn’t intercepted. In the case of dorm mailboxes, in my time, this meant asking people to have valuables sent c/o the bursar’s office. In the case of Tor, it means using end-to-end encryption if the content of your message is sensitive.

    In all three cases, it’s assumed that the beneficial uses of the system outweigh the abuses, but no one assumes there aren’t abuses.

    Shava Nerad
    Tor Project volunteer (but speaking for myself)

  5. whoops.

    “If that data *happens* to be using end-to-end encryption (https: and other encrypted connections) it will be decrypted, obviously.”

    s/b

    “If that data *happens* to be using end-to-end encryption (https: and other encrypted connections) it will not be decrypted [by Tor, only by the destination], obviously.”

  6. It sounds to me like the articles suggest that the Tor exit node operator found that “hackers” were breaking into computers in general (not using Tor to do so). But after breaking in somewhere, whenever they found an interesting document, this set of hackers (or spies, or whatever) were using the Tor network to forward those documents back to somewhere within their control.

    Sending documents home via Tor would prevent the owner of a hacked machine from tracing where the documents went (e.g. by monitoring the IP traffic from the hacked machine). However, the Tor exit nodes that those documents happened to pop out of would know where those documents went – but not where they came from. And because the last hop from the Tor exit node to the document repository was apparently done “in the clear”, the exit node operator could also see the documents themselves.

  7. Slashdot updated their article with a correction. http://bit.ly/bqiDIa

    So far, Wired and The New Yorker have not.

    Slashdot quotes a blog post from The Tor Project, and adds, “This flat denial of the assertion that Wikileaks was bootstrapped with documents sniffed from the Tor network is repeated unambiguously in correspondence from Wikileaks volunteers.”
