I wasn’t quite sure if I trusted TOR; now I’m sure I don’t. I will post the facts about TOR and you can decide for yourself. I did not do this research; someone else did.
…………..
Posted on the web by anonymous
Who carries half of all Tor traffic? 38 operators
If you use Tails, you probably enjoy using the Tor Network map provided by Vidalia. And if so, you probably noticed that your Tor circuits often use just a few nodes.
The fact that each of us uses just a few Entry nodes is intended by Tor and generally thought to be a good thing. (The reason why is not obvious, but never mind that.)
However, if it were also true that
• everyone is likely to use Entry nodes selected from a small subset of the set of all Tor nodes
• these same nodes are likely to also act as Exit nodes
this would not be at all good, because it would suggest that correlation attacks are too easy for our adversaries.
In this post I summarize the results of my study of this issue, using the official figures for the Tor network in late Jan 2013. My results are similar to what I found in previous studies.
The main result is that, potentially, half of all Tor traffic may be carried by only 38 “operators”, corresponding in all but a handful of cases to known single entities. Even more disturbing, several of these entities belong to corporations whose business model involves surveillance.
There are several caveats:
• I am using figures for the published Tor nodes. The unpublished Tor nodes include bridges.
• In my analysis, the reported bandwidth of each node corresponds to the results of tests by the Tor Project. It is assumed that these figures accurately reflect the actual proportion of Tor traffic carried by each node.
• For convenience, I define “operator” as a domain, IP range, or a mixture as appropriate, corresponding to a clearly defined family of Tor nodes (typically 1-10). By this definition, an “operator” need not always correspond to a single entity. But in practice it turns out that “operators” are nearly always identifiable single entities.
• There is a way for “operators” to officially declare a family of Tor nodes, but I attempted to look for undeclared families too.
Here is a more detailed summary of my findings concerning the published Tor network in January 2013.
Breakdown by operators:
• the public Tor network has 3126 nodes with a total bandwidth of 2.2 GB/sec
• the top 94 bandwidth nodes carry just over 50% of all Tor traffic
• most of these play multiple roles as Entry nodes, Exit nodes, and Directory servers (at least)
• the top 94 nodes are operated by only 38 distinct operators
• almost all of the top 38 operators correspond to identifiable organizations
• four of these are entities which openly admit that their business is network surveillance
• one of these openly admits that its business is maintaining a “malware signature” database for the US government; one of its officers was formerly a principal in “Team Themis”; even if you do not know it, your computer does (if it uses Tails)
• another six are believed by some to run Tor nodes primarily for surveillance; one of these has been accused of fronting for the NSA
• several others describe themselves as “privacy organizations”, but at least two of these have been accused of cooperating closely with national intelligence organizations
• the top three bandwidth servers carry more than 3% of all Tor traffic, and all belong to a single domain, torservers.net
• the top bandwidth node alone carries about 2% of all Tor traffic; it is located in Dallas, TX and has a bandwidth of 4MB/sec
• the first network, torservers.net, carries about 11% of all Tor traffic using 17 nodes, including 13 among the top 94 nodes
• the second network, TorLand, carries about 6% of all Tor traffic using 7 nodes, including 3 among the top 94 nodes
• the third network, ccc.de, carries 5% of all Tor traffic using 14 nodes, including 4 among the top 94 nodes (this is the Chaos Computer Club in Berlin, which also operates other nodes not in the ccc.de domain)
• the fourth network, run by the Akamai Security team, carries about 3.5% of all Tor traffic using 11 nodes, including 7 among the top 94 nodes
• the fifth network, snydernet.net, carries 3% of all Tor traffic using 25 nodes, none among the top 94 nodes
• the sixth network, conformal.com, a rather mysterious software company in Chicago, IL which is developing a *nix type “secure OS” for an unnamed client, carries 3% of all Tor traffic using 5 nodes, all among the top 94 nodes
• the next three networks each carry about 3% of all Tor traffic
• the remaining 30 operators each carry about 1 to 2% of all Tor traffic
• among these, several, such as qwest.net and verizon.net, are home consumer ISPs whose nodes presumably are operated by distinct individuals
• several represent individual high bandwidth nodes (so operated by one individual or organization) using an IP corresponding to a consumer ISP domain
• the remaining home consumer ISPs carry considerably smaller total bandwidth
• among the remaining home consumer ISPs, tiny riseup.net carries more traffic with 9 nodes than huge comcast.net with 99 nodes; unlike most ISPs, riseup tells the world when the FBI mysteriously seizes (and mysteriously returns) its servers
• there are 21 nodes in the amazonaws.com domain, but their net bandwidth does not put amazonaws.com into the top 38 operators; however, some of the top nodes run in the EC2 cloud
• none of the Exit nodes designated as “Bad” by the Tor Project are among the top 94 nodes, or associated with the top 38 operators
• at least two of the top 38 operators previously had informal ties with wikileaks.org
• at least two have close ties to the Tor Project and/or EFF
• the torproject.org domain carries a negligible fraction of Tor data streams
Breakdown by reported geolocation of nodes:
• only three countries (US/DE/SE) carry 53% of all Tor traffic
• all three governments force carriers to let them snoop
• the top bandwidth countries are US 22%, DE 21%, SE 10%, FR 6%, GB 5%, NL 5%
• in all six countries, civil liberties are under attack
• the “Five Eyes” (US/GB/CA/NZ/AU) carry about 28% of all Tor traffic
• CN carries just under 2% of all Tor traffic
• US universities alone carry just under 2% of all Tor traffic
• RU dropped out of the top six since a new law took effect
• GR assumed much larger share after financial crisis
• the top non-country “geolocation” is currently A1 at 11%
Breakdown by reported operating system:
• nodes known to use Linux carry 76% of all Tor traffic
• nodes known to use BSD Unix carry 6% of all Tor traffic
• nodes known to use Bitrig carry 2% of all Tor traffic; all 6 of these are operated by conformal.com and are geolocated near Chicago, IL
• nodes known to use Darwin or Windows each carry about 1% of all Tor traffic
• the remaining nodes use undetected operating systems
• among the top 94 nodes, 66 run Linux, 8 run BSD, 6 run Bitrig, 1 runs Darwin, none run Windows, and the rest run undetected operating systems
The top 38 “operators” who collectively carry half of all Tor traffic are (operator, net bandwidth (KB/sec), and number of servers):
torservers.net 242804 17
TorLand 136451 7
ccc.de 107131 14
Akamai 77962 11
mooo.se 66241 5
snydernet.net 59321 25
conformal.com 54957 6
formlessnetworking.net 53803 8
perfect-privacy.com 46768 35
noisetor.net 40476 4
teamcymru.net 38965 9
Kromyon 37808 4
voxility.com 31005 3
kimsufi.com 30873 32
ipredator.se 26735 4
ph3x.at 25912 2
glasoperator.nl 24769 1
dfri.se 24052 3
mylittlecorner.org 21430 5
qwest.net 17409 13
verizon.net 17263 52
r3t.at 15393 1
ucar.edu 15166 2
uwaterloo.ca 12268 2
ndnr 11396 1
cypherpunks.to 10832 2
bu.edu 10271 1
spacedump.net 10663 1
xmission.com 10127 2
santrex.net 9575 13
inode.at 9460 2
wtfismyip.com 8899 4
scopehosts.com 8684 1
lobstertech.com 7452 1
guilhem.org 6894 1
nyr.be 6278 1
pm-ib.de 6058 1
42tech.de 5764 1
As an example of a network of Tor nodes operated by a single entity, the Akamai security team nodes are (IP, domain, location, nickname):
63.141.201.75 Cambridge, MA US AkamaiTor1
199.239.183.213 Englewood, CO US AkamaiTor2
64.211.209.132 Southfield, MI US AkamaiTor9
63.234.226.151 qwest.net Los Angeles, CA US AkamaiTor6
65.120.61.73 qwest.net A2 AkamaiTor4
66.171.225.207 Cambridge, MA US AkamaiTor12
146.82.13.14 US AkamaiTor3
217.212.225.108 telia.com SE AkamaiTor8
2.22.231.73 EU AkamaiTor7
61.200.81.168 akamaitechnologies.com JP AkamaiTor11
165.254.32.197 Englewood, CO US AkamaiTor5
…………
I forgot to add some paragraphs at the end sketching my methodology and offering my thoughts on what the moral might be. Let me rectify the omission now.
I encourage anyone who shares my concern about the fact that as few as 38 operators may carry half of all Tor traffic to seek out the official figures and compile their own figures. It is important to take several “snapshots” over time, since the roster of Tor nodes changes frequently, and even high frequency nodes come and go. However, I’ve been tracking this issue for quite some time and the basic problem (that a few dozen entities seem to carry most of the traffic) has persisted over time.
You can even make a study while running Tails without installing anything, since the *nix scripting tools I used to process the data (awk, cut, sed) are available on any *nix system. Using these tools you can perform initial processing to make a CSV file which can later be transferred to a database running under your usual operating system.
Also, anyone can informally track over time which Tor nodes seem to appear again and again in his/her Tor circuits while using Tails. If you do that, I think you will find that the 38 networks do appear again and again, playing in particular the roles of both Entry and Exit nodes (in different circuits).
So, what should we make of this situation? Here are my thoughts:
I believe the problem is potentially serious, and needs to be addressed by the Tor Project, but I certainly am not suggesting that we all abandon using Tor!
I do not necessarily endorse some of the charges of bad actions which some onion sites have leveled against some of the networks listed above. While my assessments have changed over time, currently I believe that at least two of those charges against two of the most venerable networks are probably wrong.
I do believe that two of the networks are essentially known to sometimes cooperate with adversaries, but this may affect only a small number of Tor users.
Like many of you, I track anomalies in the Tor circuits I use (for example, events which appear to be tied to a Tor node using nagios or another security tool to probe my own system), and these do seem to be associated with certain of the “suspect” networks. To some extent this could be due to operators running Tor on servers which do many other things and may even engage in some robotic “active defense”.
Two others which have not been accused (to my knowledge) in onion sites are suspect not so much because of what they are seen to do but because of who they are.
In short, at this point I have no reason to believe that very many of the named operators appear to be engaged in massive surveillance of Tor users.
Nevertheless, I think the issue is potentially serious, and I hope some other ordinary Tor users will attempt to track the problem over the coming year.
I think the answer to the problem lies in further lowering the boundaries to operating Entry nodes and Relay nodes, and in finding more people willing and able to host Exit nodes. I hope the situation will improve over time.
Some of the other responses so far duck the issue, which is not addressed in the pages/threads to which they linked. As far as the issue of raising general Tor issues in this forum, we all agree that it would be more appropriate to raise such issues in the Tor forum. The problem is that no such forum yet exists.
Mailing lists are inappropriate for communicating with ordinary Tor users. I hope that the Tor Project will create a simple forum like this one, offering unregistered users the chance to ask questions using Markdown. I hope that the Tails project will continue to maintain this forum in its present state. I believe that this is a much better way to communicate with the user base.
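The tally the post describes (group the published relay bandwidths by operator, then count how many top operators it takes to reach half the total) as an added Python example. This is not the anonymous author's awk/cut/sed pipeline, and the CSV below is constructed: the operator column stands in for the reverse-DNS and declared-family grouping the author did by hand, and every nickname, IP and bandwidth figure is made up. The example also goes one step beyond the post: it computes the bandwidth-weighted chance that a single operator's relays sit at both the Entry and Exit of one circuit, which is the correlation concern the post raises. That calculation assumes independent picks, i.e. relays that are not declared as one family. Tor's path selection refuses to put two relays from the same declared family, or from the same /16, into one circuit, so the number bounds the risk from undeclared families only.

```python
"""Added example: group relay bandwidth by operator and estimate how often one
operator holds both the guard and exit slot of a circuit.

Constructed sample data, not the original post's figures."""
import csv
import io
from collections import defaultdict

# Constructed sample in the CSV layout the post describes producing with
# awk/cut/sed: nickname, IP, operator label, consensus bandwidth (KB/s) and
# the relay's flags. The operator column is an assumption standing in for the
# reverse-DNS / declared-family grouping; all values are made up.
SAMPLE_CSV = """\
nickname,ip,operator,bandwidth_kb,flags
alpha1,198.51.100.10,opA,40000,Guard Exit Fast Running
alpha2,198.51.100.11,opA,30000,Guard Exit Fast Running
beta1,203.0.113.5,opB,25000,Guard Fast Running
beta2,203.0.113.6,opB,20000,Exit Fast Running
gamma1,192.0.2.77,opC,15000,Guard Exit Fast Running
delta1,192.0.2.90,opD,10000,Guard Fast Running
eps1,192.0.2.91,opE,5000,Exit Fast Running
zeta1,192.0.2.92,opF,5000,Fast Running
"""


def parse_relays(text):
    """Parse the CSV into dicts with an int bandwidth and a set of flags."""
    relays = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bandwidth_kb"] = int(row["bandwidth_kb"])
        row["flags"] = set(row["flags"].split())
        relays.append(row)
    return relays


def operator_shares(relays):
    """Return [(operator, total_kb, share_of_all_bandwidth)], largest first."""
    totals = defaultdict(int)
    for r in relays:
        totals[r["operator"]] += r["bandwidth_kb"]
    grand = sum(totals.values())
    return sorted(((op, kb, kb / grand) for op, kb in totals.items()),
                  key=lambda t: t[1], reverse=True)


def operators_for_share(relays, target=0.5):
    """Smallest number of top operators whose combined share reaches target.

    This is the post's headline figure (38 operators for 50% of traffic)."""
    shares = operator_shares(relays)
    cumulative = 0.0
    for n, (_, _, share) in enumerate(shares, start=1):
        cumulative += share
        if cumulative >= target:
            return n
    return len(shares)


def role_share(relays, operator, flag):
    """Bandwidth-weighted probability that a randomly chosen relay carrying
    `flag` (Guard or Exit) belongs to `operator`."""
    eligible = [r for r in relays if flag in r["flags"]]
    total = sum(r["bandwidth_kb"] for r in eligible)
    mine = sum(r["bandwidth_kb"] for r in eligible if r["operator"] == operator)
    return mine / total if total else 0.0


def guard_exit_collision(relays, operator):
    """Probability that both the guard and the exit of one circuit belong to
    `operator`, assuming independent bandwidth-weighted picks.

    Independence only holds if the operator's relays are NOT declared as one
    family (and not in one /16): Tor excludes same-family and same-/16 pairs
    from a circuit, so this bounds the risk from undeclared families."""
    return (role_share(relays, operator, "Guard")
            * role_share(relays, operator, "Exit"))


if __name__ == "__main__":
    relays = parse_relays(SAMPLE_CSV)
    for op, kb, share in operator_shares(relays):
        print(f"{op:6} {kb:8d} KB/s  {share:6.1%}  "
              f"guard+exit collision {guard_exit_collision(relays, op):6.2%}")
    print("operators needed for 50%:", operators_for_share(relays))
```

On real data the CSV would be built from a cached consensus (the `w Bandwidth=` weights are what the post calls reported bandwidth, and the `s` line carries the Guard/Exit flags), with the operator column filled from declared families and reverse DNS. Take several snapshots, as the post advises, since both the weights and the flag assignments change from one consensus to the next.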
Comment by Anonymous
Ok, I guess you have to be in the club to understand what you are talking about here. For the uninitiated could you answer the following questions?
1. What is Tor and Tails?
2. Why do I care who carries ‘half of all traffic’?
3. What is the significance of ‘exit nodes’?
4. What exactly is the risk here?
I must admit I did not read the several dozen bullet points. Without knowing what we’re talking about, all that stuff is useless to me. I don’t mind your answer coming in the form of links.
Thanks!
GK,
While I do not speak for Delta01, many (most) of your questions can be answered here for TOR
https://www.torproject.org/ and for Tails look here
https://tails.boum.org/index.en.html
It is mostly about computers and ‘secure’ surfing, of those who use Tor and then check into Facebook and Gmail accounts… Kinda defeats the idea of anonymous.
Hopefully the article will make some users ‘think’ about just how insecure they might be. Tor leads one to believe the connections are bullet proof; they are not. But if used with other options it can help. As with everything YMMV.
To answer the first question. It boils down to trust and difficulty with an attacker determining who you are while you attempt to surf the web anonymously. The FED is monitoring ALL electronic traffic and has back doors into ALL phone companies, email providers, web providers, credit card transactions and it looks like now all our passwords as well.
In an attempt to keep our web surfing private some people use TOR or TAILS. TOR uses an onion layering effect to distribute your connection all over the web in an encrypted format to make it much harder to track a person’s activities. If your connection enters and exits both at the same point you are much easier to track. If you had entered in Montana and exited in Sweden it makes it much more difficult to track you.
If you are using TOR/TAILS you have some modicum of “Tech” knowledge and that is who this article was written for. This is NOT an article to teach you how to remain anonymous on the web.
Take a look at this link for a brief description of how TOR works.
https://www.torproject.org/about/overview.html.en
Thank you for your reply. What about using PGP for emails and a VPN to access the net? How does that compare to the TOR/Tails method?
Both PGP/VPN are good for now, I assume. If I were thinking like the NSA and was NOT able to crack PGP (big assumption here) I would store all your PGP email in a fusion center (UTAH) and when my quantum computer was finished being built I could read all encrypted emails in 1/billionth of a second. Once quantum computers are developed (and they may have them now) encryption as we know it will be DOA. I’ve been saying for years the Feds had the power to watch everything we do and was flamed for saying it. They have even more power than I assumed.
Remember back when we learned they had a stealth fighter and it was built in the 1970’s? Supposedly they are 30 years ahead of what we know about now.
If you use PGP make sure your passphrase is 50+ characters. Read this site to learn how to remember a 50 character passphrase. https://www.grc.com/haystack.htm
You may also want to use Truecrypt and run whole disk encryption on your computer.
http://www.ucl.ac.uk/isd/common/cst/good_practice/encrypt/FullDiskEncryption
Here is another revelation regarding TOR, or one of the ‘Hosts’
No idea on the source, posted by Admin on a Militia forum.
— partial paste ——–
BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING TORMAIL
The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA.
In a crackdown that the FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of the TOR deep web, TORmail.
http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html
This is undoubtedly a big blow to the TOR community, Crypto Anarchists, and more generally, to Internet anonymity. All of this happening during DEFCON.
If you happen to use an account name and/or password combination that you have reused in the TOR deep web, change them NOW.
The Feds used a Java injection code to compromise the browsers (Firefox 17 and above ONLY) which fired off the real IP address of the user to the FBI. For those who don’t know, you can toggle Java on/off by going to Tools–>Add-ons–>Plugins–>Java–>click on the Disable tab. Many web sites won’t work correctly, but security is paramount over convenience. If you need to use Java at a trusted site like your bank, toggle it back on. I would also disable Flash, Shockwave, Adobe and any other suspect “leaky” plugin. I will do a write up in the near future of how to remain as safe as possible while online.
Ultimately, all electronic/computer crypto should probably be considered AT BEST to have a limited shelf life. Even if it cannot be cracked in real time, eventually all non-One Time Pad crypto can be broken. We now routinely break things which 10 years ago would have been unthinkable. WEP encryption for WiFi was once the hot stuff; now any script kiddie with freeware can punch through your home wifi ‘protected’ by WEP in about ten minutes, on a slow machine.
>>> My concern with cryptography is that people might believe that it’s unbreakable, and so, talk about anything and everything. This is usually fatal. Let’s make a theoretical resistance movement: Force to Free Soterdonia (FFD). Remember – it’s usually the learning of back traffic that gets resistance movements in trouble, whether through cryptanalysis or torture (aka: practical cryptanalysis) does not matter. If the counter insurgency (CI) beat the keys out of one of the FFD members and they are ‘coherent keys’ then their CI can read all traffic – FFD is doomed. If they read all back traffic, they can reconstruct the FFD organization’s chain of command, methods, meeting places, safe houses, members … The FFD is mostly doomed. Notice that I said ‘coherent keys’; this means keys which can be reconstructed, remembered or etc. If YOU are able to read back traffic, and they get to you – then THEY can read it all too. The same goes for everyone who is in the FFD. e v e r y o n e. A certain Army I used to work against had a policy: only their comms guy had the essential elements to use their team cipher system. If there was likelihood of capture, their first bullet was to go into his head. Geeee, thanks guys. Though they are actually doing him a favor, considering what his life would be like in the hands of his enemies. That is how it works when the FFD becomes an enemy of a government.
If you want to chatter on line with GREAT protection from commercial data mining, then you have the tools in things like CryptoCat, TOR and etc. If your desire is to elude the NSA, then you’re going to have to lose your computer, cellphone and etc., go with paper and pencil One Time Pad, use old school tradecraft methods of message delivery with electronic methods as a last resort, and that includes the use of radio. Radio is MUCH more private than internet, basically not directly traceable in the conventional sense, but if you’re the target of a major government, you’d have to learn how to be as good or better than a Green Beret ‘communicator’ (18E). Good luck with that.
In short – if it is not done using a one time pad, consider it breakable. If you are doing it on a computer, consider all the back doors in your software, hardware, how the computer transmits signals which are easily found and exploited, data capture, COHERENT KEYS used and etc. which are built into the entire system to detect and to exploit that. If it is convenient, electronic and you are thinking that it’s unbreakable, you might have a rude surprise.
I love computer crypto and use it regularly for commercial and for friendly chats which I choose to have as private conversations. However ‘privacy’ is not the same as unbreakable by a major government.
Tor Heyerdahl