FBI Director James Comey said on Thursday that criminals who think they can evade law enforcement using the “dark web” and the Tor Network, which is designed to conceal the Internet addresses of the computers being used, are “kidding themselves.”
Comey was asked about criminal use of the so-called dark web — parts of the Internet walled off from ready access — at a House Intelligence Committee hearing on cybersecurity on Thursday. His answer referenced Tor, which was originally known as “the onion router.”
Speaking in particular of people who view child pornography, Comey said: “They’ll use the onion router to hide their communications. They think that if they go to the dark web … that they can hide from us. They’re kidding themselves, because of the effort that’s been put in by all of us in the government over the last five years or so, that they are out of our view.”
Comey’s statement could be read as an assertion that U.S. law enforcement has found a way to routinely thwart Tor’s system for providing anonymity to users. If that’s Comey’s intended implication, and if it’s true, it would represent an enormous expansion of the U.S. government’s known abilities, as well as a significant blow to privacy advocates.
But online security experts consulted by The Intercept cast doubt on that possibility. And Comey could simply have been referring to the kind of specifically targeted attacks that have been known to be successful in the past.
For instance, a 2013 story based on documents leaked by NSA whistleblower Edward Snowden described how the National Security Agency had developed attacks against people using Tor, by identifying Tor users and then attacking vulnerable software on their computers. But one top-secret presentation, titled “Tor Stinks,” stated: “We will never be able to de-anonymize all Tor users all the time.”
Micah Lee wrote in The Intercept in July about leaked emails from spyware maker Hacking Team indicating that the company had sold the FBI a way to monitor Tor Browser traffic from a target already infected with Hacking Team malware.
And the FBI famously unmasked and arrested the operator of the Tor-enabled drug marketplace Silk Road not by cracking Tor but by chasing other clues, including the sloppy re-use of aliases, and by physically surveilling the operator as he logged in and out of his dark-web site.
But Comey seems to be implying that the FBI has some sort of across-the-board ability to see who is looking at what on the Tor network.
Cryptography expert Bruce Schneier said Comey’s statement should not be taken at face value. Given previous false public statements by intelligence officials, “the truth value is irrelevant,” he said.
“We certainly know that Tor has been broken in the past” using specific exploits, he said. “Do they have a blanket attack? Or is it posturing? Who knows?” He added, “It’s certainly good posturing.”
Chris Soghoian, chief technologist for the American Civil Liberties Union, told The Intercept that Comey is not credible. “The FBI director continues to ignore the consensus of the computer security community when we say there is no way to build a secure backdoor for the government,” Soghoian wrote in an email. “If he continues to ignore experts on this issue, why should we believe what he has to say on something as equally technical as the security of the Tor network? He has every incentive to bluff.”
Comey has recently been making headlines for alleging — also without evidence — that he is increasingly unable to track criminal conduct online due to end-to-end encryption. He has been insisting that tech companies come up with a system that’s secure to everyone except law enforcement — something that tech experts say is flatly impossible.
Soghoian notes that the Tor Browser’s new automatic security updates feature means the FBI can no longer reliably hack large numbers of Tor users with public security exploits for which patches exist.
“Tor is not perfect, for sure,” he wrote. “But it is one of the best tools we have to protect privacy online, largely because researchers have been beating it up, finding and fixing flaws in it for a decade. Much of this research was supported by the U.S. government.”
(The Tor Project, which helps develop Tor and Tor Browser, has received money from the Omidyar Foundation, co-founded by Pierre Omidyar, who funds The Intercept’s parent company, First Look Media.)
Why don’t these law enforcement agencies try a little old-fashioned police work?
Forget the back doors, Sting Rays, the Dark Web, TOR, tracking devices.
Many bad guys have vulnerabilities that can be exploited beyond their use of electronic gadgets.
Try getting out of your van once in a while and see what happens.
Of course Comey must say they have a handle on the darknet. The reality is they do not, and may prefer drug trafficking to occur within this relatively bloodless & efficient system. America’s appetite and demand for drugs is a given. It’s going to happen regardless, and perhaps the darknet allows this to occur in a safer, more bloodless environment. Users don’t have to leave their apartment to go find the dope man anymore. The potential for violent interactions is lessened. Drug quality more assured & consistent which results in less accidental overdoses. Gang activity may abate a bit in some areas. The computer expertise necessary to successfully navigate dark net markets is just high enough to discourage curious teenagers or non computer savvy addicts from jumping into the fray. So there is not an en masse cohort of users disappearing into the dark markets. It’s effectively closed off to large communities of potential & current drug users due to the inherent lack of tech know-how in these groups. So all in all, looking at the situation from a cost/benefit analysis standpoint and taking the inevitability of our thirst for drugs as a given, perhaps the FBI prefers the efficiency of the dark net drug markets to the chaotic & more violent alternatives on the streets. Yes, I know I need to take off the rose colored glasses..but
Just a little social engineering is all it takes and the FBI can infiltrate a group like Silk Road. They posed as buyers and sellers eventually to site administrators and that’s the point when mistakes led to clues. No need to crack TOR.
The real back door is the cops can also make themselves anonymous using TOR and dark web users can’t tell who’s a cop and who isn’t a cop.
I keep saying that you must fight fire with fire. I find preposterous that people think of politicians as if they were their parents, expect for them to stop being politicians …
TOR, defeating TOR; https vs http; exploiting vulnerabilities in soft and/or hardware … whatever are all silly syntactic devices which logic and procedures can be automatically mapped and fed into another device. All software should be designed with “pleeze watch me” automatic capabilities and groups of people should synchronize their devices to do so.
Think of a strategy in which when you call someone you two are automatically setting up decoy exchanges talking about stuff that is interestingly erotic to the NSA and such folks. Say, addresses of U.S. government institutions and spies overseas, chemicals used for bombs, words such as “fly path” in contextualized phrases … Now since the phones themselves agreed to decoy exchange text and/or voice … the phones would not even ring outwardly, all of that would be automatic and the NSA will need more capabilities … but then again they will have to do something that will make them explode from within: -make sense of things, including themselves-
The good thing about that technology is that much, much better randomness can be achieved using cell phone sensors and Chinese room experiment kinds of phrases can be created and exchanged using corpora in ways that they won’t be able to tell apart from actual, real talk.
Satyagraha,
RCL
“If you have a back door, somebody will find it, and that somebody may be a bad guy or bad guys (even nefarious criminals under the color of law hired deliberately and clandestinely) and they will intentionally abuse their access,” Vint Cerf (grandfather of the internet), one of the co-founders of the Internet, said during remarks on Monday at the National Press Club. “Creating this kind of technology is super-, super-risky,” he added. “I don’t think that that’s the right answer. There is no substantive difference between a “back door” and a “front door,” they say — just secure technology and insecure technology. Building flaws into security systems to allow the FBI to access it, they add, would also make it easier for foreign spies and malicious hackers to break into people’s communications
The USA law enforcement want not only unanimous Anonymity but impunity when they spy and subvert anything they want by the nefarious criminals under the color of law. Disgusting. And do not forget the stingrays that these nefarious use against men and women and children.
While Comey has not apprehended all the gang of pedophiles in the royal UK and their international politicians in public office that are the traffickers, aiders, abettors and perpetrators: “If this becomes the norm and even suggests to the domestic and foreign populations that “homicide cases could be stalled, suspects walked free, child exploitation not discovered and prosecuted,” FBI Director James Comey
And if you want to know how the false flags of threats and MANIPULATION is done, I have never seen it more clearly than in the USA with appearances playing the leading role in order to deceive.
https://www.youtube.com/watch?v=Q3aG0CtZbU4
People need to visit the dark web to get a true understanding of why this is concerning to the FBI. It’s a place where gun smugglers, drug dealers, pedophiles, contract killers, human smugglers have found sanctuary to commit the most atrocious crimes against society.
If they are operating with a judicial warrant there is no problem. Keep in mind there are no hard statistics on “Blacklisting” Americans and the general public isn’t seeing this part of the equation.
Most judges don’t fully understand how dangerous blacklisting programs and tactics really are. McCarthyism in the 1950’s was somewhat OVERT. After the public embarrassment of McCarthyism the FBI and other agencies went COVERT with programs like Cointelpro used against Martin Luther King, Jr. In these covert programs, many times the blacklisting victims aren’t aware they were even targeted so they can’t claim legal standing in court or even file a local police report.
If it’s legitimate get a judicial warrant based on probable cause.
Today FBI COINTELPRO has developed into Organized Stalking similar to E German STASI.
No warrants, no trials.
No Touch Torture and harassment by STASI lowlifes!
People like Glenn Greenwald will need to be stalked and harassed before the FBI’s illegitimate activities will be taken seriously and investigated. In truth, these activities should be of great concern to journalists and citizens alike.
WTH, Glenn? YOU of ALL people should know better than to skew things in only this direction.
I’m this close to just giving up on you. I don’t know what happened, but I imagine it was bad.
Hang in there.
It’s a telling comment, isn’t it.
Nevertheless, we have a 4th Amendment for a reason, and it needs to be protected. While I appreciate the problem, the “solution” isn’t a wholesale violation of fundamental rights that people have fought, bled, and died on battlefields from Saratoga to Omaha Beach to preserve. And while those may be “atrocious crimes”, they pale in overall numbers of victims by comparison with the 250M people who died at the hands of their own governments in the 20th century, or those hundreds of thousands who have suffered in Iraq and elsewhere in this century from indiscriminate bombings and drone attacks to the use of depleted uranium ammunition.
I run a cloud-services virtual desktop hosting company. Our policy is “we don’t keep logs” and “not without a warrant, hell no”.
I have heard reports that the dark web, a place where I am not sufficiently brave to venture, as a source of child pornography, consists overwhelmingly of adolescent-produced and adolescent-distributed material. It mostly takes the form of kids masturbating in front of their web or phone cams and making it freely available, in real-time, to random individuals who click “next”. If that is true, then I think the evil pedophile narrative may be another unfalsifiable assertion (by virtue of its illegality) made by government agents and social entrepreneurs. It truly is impossible to verify their claims, under these circumstances, in the absence of a legal means to do so.
If this is true, then your “most atrocious crimes against society” may be based on as sparse of evidence as those who say you are complicit in compromising American security, a claim that I personally find libelously unpersuasive.
Further, I would say that it is just such evidence-free assertions that are being used to erode our liberty. I am surprised at your willingness to make them.
James Comey and every FBI employee/contractor swore a supreme loyalty oath to operate within the boundaries of the U.S. Constitution as a condition of having any authority over any citizen.
As part of their oath the FBI must meet 4th Amendment requirements with a judicial warrant in order to search, cell phone track or any other types of searches including non-electronic tracking?
The FBI, as part of their loyalty oath, is prohibited from penalizing legal 1st Amendment exercises and prohibited from using “guilt by association” to subvert any constitutional right. The FBI is also prohibited from subverting the “Fruit of the Poisonous Tree Doctrine” – where an investigation is built upon an unconstitutional foundation and that false foundation built upon.
The FBI’s supreme loyalty oath essentially means “the ends never justify unconstitutional or illegal means”. It’s hard to do but that’s called fidelity to one’s oath!
But the FBI (a) isn’t the only agency in the land and (b) doesn’t seem to be sticking to these principles, all that aside. And with Fusion Centers, NSA acting as law enforcement sources, and anonymizable, parallelized evidence trails, and a land full of informants (real and made up), it’s possible to completely do away with the Poisonous Tree doctrine — they do it often (as do the majority of agencies that are rolled into the apparatus).
(C) There also is no mechanism for innocent citizens on the receiving end of blacklisting abuses to report those abuses to federal judges – the only watchdogs that have been given real teeth.
(D) The U.S. national security agencies have adopted the Cold War era “East German Stasi” model of blacklisting their own citizens (with better technology) which presents an even bigger problem – the innocent Americans harmed or killed many times aren’t aware they were destroyed by American agencies and contractors. These Americans can’t file a police report or even initiate a complaint of any kind. It’s unlikely that American Stasi bureaucrats, like Comey, will report their complicity in the premature death of their targets (which would be a war crime). This type of Stasi blacklisting program can only be policed by an army of watchdogs overseeing every intelligence operation. During the Cold War, this form of blacklisting resulted in one of the highest death rates in Europe primarily from suicide by destroying a citizen’s career, livelihood, employment tampering, marriage and reputation destruction. American judges really have little understanding of the American Stasi that Comey is defending.
(E) One can assume that if the 5 Eyes (and one assumes, at times, other countries’ agencies) are able to monitor and modify traffic in real time, in-stream, they can do it to other agencies’ traffic just as easily as they can do it to John Q Public. Meaning even if one could trust that the FBI would actually be following this ‘code of ethics’, that has nothing at all to do with whether or not they’d *know* if they were breaking it; they are, in ways, as fallible as the rest of us.
Maybe Jared Fogle’s footlong diet didn’t work for someone and they got miffed? (J/k, I hope)
… with much, much better technology I would say. To the point that they have turned the whole world into a Foucauldian Panopticon in which every citizen lives in his/her own virtual cell, even paying for the service of carrying around their 24×7 bracelets and all encompassing monitoring device into one and as it happens in totalitarian systems, refusing to “responsibly” carry your “tracker” is enough for them to “flag”, target you …
// __ Zersetzung made in U.S.A.
https://ipsoscustodes.wordpress.com/2015/05/27/zersetzung-made-in-u-s-a/
RCL
Gee, I wonder what interesting things about antivirus software are in the Snowden archive!
The answer would seem obvious: Bozo takes his computer to TOR, downloads Illicit Document. Narc (of the FBI) takes his computer to the same document. Narc arranges for his document to be checked by Crappy Antivirus as a virus signature. Three months later Bozo has a virus scare and runs free Crappy Antivirus on his computer. Good thing – he’s not infected. Bad thing – it phones home and tells them he has Illicit Document on his computer. Now maybe Crappy Antivirus isn’t totally NSA – maybe it just gets a bad “virus signature” reported (after all, how many times do perfectly legitimate games trip those things up?) – maybe Narc even has to go to their office and say that he might “plausibly be able to ask for a court order” to satisfy their privacy policy (in full), or even slip the guy at the office a $20 with a nod and a wink. Only a jihadist can feel truly secure.
Sounds like the Windows 10 model.
Currently I use TOR but am thinking of moving onto a VM. I guess if you are really afraid then an air gap machine is next. I’m not worried about NSA or FBI or whatever. I worry about the “locals”. A few years ago my ISP censored me from using their email servers. Their reason, they couldn’t get into my machine to find out who I was. I wasn’t even using TOR back then. I don’t use the dark side, it’s just to read the news and run a web site. These machines come with logs, learn how to read them, you’ll soon see who is trying to get in. Your ISP, AOL, Amazon and the like. Most people I know run their machine wide open, read their logs and nothing out of the ordinary is there. Hackers? I haven’t a clue. Or, move to Sweden. But to be censored in the land of the free and the home of brave did bother me. Rights?, we don’t need no stinking rights. I contacted the ACLU and they wouldn’t even touch it. …good night and good luck…
Do you mean VPN? A VM would be something like VirtualBox, running a different OS inside your main machine, I don’t think it would defend you from your problem of your ISP snooping. The VPN would show you as connecting to some box in Sweden or Seychelles or wherever and they wouldn’t know what you’re doing beyond that point.
The fact that Comey has implied that Tor is not secure means that IT IS SECURE! Everything that comes out of the goons’ mouths is a lie.
Don’t forget RNM.
http://www.learning-mind.com/remote-neural-monitoring-how-they-spy-on-your-thoughts/
The above technology is what he is talking about. I am a victim of RNM so I know this technology is real.
Why not use a Faraday cage to stop them then? Surely you’ve heard of such a device.
How will you work if you can’t sleep whole night thanks to RNM? If you don’t work then from where will you get money to buy such device? Things that do work are binaural beats, sleeping on floor, anti-emf clothes and I often use them myself. Faraday cage costs a lot and I hardly have money to survive. Most important thing they hate is when anyone talks anti-war. They literally beg me that if I stop anti-war comment, they will stop the torture. Imagine how worried MIC is?
Oh please. You can build your own damn Faraday cage with copper wire and instructions easily found on the inter webs. Startpage is your friend.
Suppose one were to photograph a document, and then expand the image to individual pixels, which were then numbered and encrypted and then rearranged and re-encrypted into the image of a flower which is then embedded into the deepest background of a photograph of a protest march on Washington and then posted on a TOR site?
The photo of a protest march that is unaltered gets one Digital DNA identification number. The photo you have altered gets another. To the machine, the photos may look similar, but looking at them is a minor thing about them. The question is, when the NSA metadata for the unaltered photo’s ID is examined, it will form a familiar network of Move On liberals or Tea Party conservatives or something; they can run a correlation coefficient with every known photo in creation and probably it will drop out right in the same folder as a bunch of others from the same rally that were pimped on the same Twitter feed. And when the altered photo’s ID is examined, it will have a correlation coefficient that is highest when compared to a motley collection of child porn photos, or programs to hack passwords, or whatever. And so those two photos, though they may look alike to your eyes, couldn’t look more different to the machine; by looking at who looks at it, it pretty much knows what they are. Unless pretty much nobody looks at it, in which case they couldn’t care what it is. You always have the right to free speech when nobody is listening – in any country.
The statement about TOR by the FBI rings hollow. It sounds like propaganda to me. I would trust TOR more than I would trust Comey.
Why heck, Dan, I’d believe anything which James Comey, uber-neocon, and former intern for Judge John Walker, member of the Bush-Walker family, cousin to George H.W. Bush, and former legal enforcement officer of the Dept. of Treasury when the links between the BCCI and George H.W. Bush were being investigated.
Comey was also with the white shoe shyster firm, Gibson, Dunn & Crutcher (Iran-Contra, Bush v. Gore, Citizens United v. FEC, etc.) and a director of the US Chamber of Commerce’s legal arm, the National Chamber Litigation Center, and a director at HSBC Holdings, that wonderful drug money laundering operation, also called a bank.
Although it is theoretically possible to completely compromise TOR utilizing a similar algorithm and Big Data techniques (massive data mining) like they use to isolate and monitor one-time usage burner cell phones within a cell configuration, I am not presently aware of its existence – – – but then I was completely certain about the Equation Group, either?
Good news!
Everyone can now use TOR without drawing suspicion from the government since it’s an open book to them.
TOR is probably an improvement in security from everyone else’s prying eyes, so use it where not needing privacy from, say, a prosecutor.
I believe him. TOR has been insecure for a LONG time. Use it at your risk. As a card-carrying ACLU member I hate to have to say this, but it’s pretty irresponsible of Soghoian to call it a bluff when people are actually getting nailed using it.
http://techcrunch.com/2013/09/07/the-nsa-can-read-some-encrypted-tor-traffic/
http://www.extremetech.com/computing/101633-how-to-use-tor-and-is-it-actually-safe-and-anonymous
http://www.ibtimes.com/tor-safe-anonymous-browser-hacked-suspects-keeping-quiet-privacy-advocates-shaken-1645210
http://www.infosecurity-magazine.com/news/tor-is-not-as-safe-as-you-may-think/
http://www.theguardian.com/technology/2013/nov/05/tor-beginners-guide-nsa-browser
https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-tors-exit-nodes/
We nailed people using TOR because other software on the target’s computer was compromised, or weak. It is harder to crack TOR itself, because it is much easier using a known exploit on weaker software.
Although nothing is ever 100% secure, so you never know – TOR could quite easily have flaws known to us.
What you say is true. However, TOR depends on people like you and me running nodes. When a substantial number of those nodes are run on racks and racks of blade servers by spy agencies…. well, do you see where I’m going with this? In addition to technologies which spy on browser and Flash cookies, it is now possible to profile users by data entry patterns. And many people forget that WITHIN the Onion network many nodes still run HTTP (not its more secure twin, HTTPS). This means that if you ARE one of the aforementioned spy agencies with a shitload of blade servers running Tor nodes … you can do packet scans on a lot of the dark sites. There are actually a number of vulnerabilities to the whole system.
The most important one is this: all the stars have to align and there must be 100% perfect security with just the right browser settings and use of plugins. If a user makes just one mistake, they’ll be tracked.
I’m guessing a lot of users getting caught are getting outed via information they are passing in transit (ex using your real address when ordering drugs on Tor). They may be able to read the messages, but to actually pinpoint the users location by network traffic analysis is probably a lot less likely. Or they exploit known vulnerabilities on people not running the most up to date software. Then again, with the Equation Group hack, the number of vulnerable computers might be much larger than anyone anticipated.
That’s a particularly ‘interesting’ claim on the heels of this story:
https://www.propublica.org/article/library-support-anonymous-internet-browsing-effort-stops-after-dhs-email?utm_source=et&utm_medium=email&utm_campaign=dailynewsletter&utm_content=&utm_name=
Comey’s assertion might sound a contradictory chord with the patrons of Kilton Public Library in Lebanon, New Hampshire.
Very important article you linked to, TallyHo. The Library Freedom Project has been doing wonderful and crucial work, so I hope they will be joined by a cadre of knowledgeable “experts” and a large citizen participation voicing their approval of what the Kilton Public Library had been putting to use after being visited and taught by Alison Macrina and team. It would be a terrible shame if the following circumstance were to remain unchallenged:
Here is more on that:
Support tor and intellectual freedom in libraries
There is no question that Tor — and this also applies to simple VPN services like Cyberghost, Spotflux, etc. — makes it more difficult to spy on citizens. Both leave trails on visited websites with foreign IP addresses that do not map to a person’s own address. Someone has to take the trouble to map the fake address to the real one. This is why Tor is unwanted — it makes things DIFFICULT but not impossible for the spy agencies. And difficulty is a matter of time and money — something that the spy agencies have lots of. But if you’re a top hacker they want — they’ll get you even if you use Tor. Spy agencies have expanded the number of exit nodes under their own control (not volunteers), and they have also placed fake darknet sites within the Onion. So you think you’re going to http://awzioxiifrgzcufs.onion/ — when in fact you’re going to http://awzi0xiifrgzcuf5.onion/. Could you easily tell? And one last point — who do you think developed Tor? That’s right — the military. Do you REALLY think they’re too stupid to know their own software’s weaknesses?
Thanks for that link. We’d better be watching what happens with it next week.