Now, one security researcher aims to make the distributed network less of a haven for the shadier side of the Internet. HD Moore, the lead developer of the Metasploit Project, has created a rough set of tools that allows anyone operating a Tor server to attempt to track the source of network data. Moore originally created the software to block file sharers from eating up his computer's bandwidth, but soon targeted potential child pornographers who appeared to be using the network, he said. "I don't want my network connection to be used to transfer child pornography or pictures of child models," Moore wrote in an e-mail to SecurityFocus on Thursday. "I don't want my server confiscated by law enforcement because of some Tor user who thinks they are anonymous." The tools, which Moore dubbed "Torment," use a number of known techniques to link content handled by the exit servers--the computers that manage the border between the Tor network and the Internet--to their source. The Tor Project uses a method known as onion routing to obfuscate the source of data. (Tor originally stood for "The Onion Router.") Data from a user is encrypted in layers using keys from each of the servers that will handle the data--or "cell"--and delivered to an entry node into the Tor network. The data is passed to one or more servers, each removing a layer of encryption until the cell reaches the exit node. Thus, only the exit node sees the data fully decrypted. Moore's Torment code modifies the normal Tor proxy server software to implement the necessary functions, resulting in a poisoned proxy server. However, the techniques also rely on the targeted Tor user taking risky actions, such as allowing Javascript to run in their browser. The Tor documentation specifically warns users to use a browser with stripped down functionality when visiting Web sites using the anonymizing network. Unsurprisingly, Moore's actions have stirred up controversy. Tor operators have criticized the project as endangering the vast majority of legitimate Tor users to pursue a smaller number of bad actors. "This is a general-purpose attack tool--there's no reason it can't be just as useful for identifying the IPs of misconfigured Tor users looking for information on democracy in China, or for the nearest VD clinic, or for information on how to run for office, or whatever," said one poster to the Onion Routing Talk (OR-Talk) mailing list. "Snoops everywhere should be pleased." Shava Nerad, executive director of the Tor Project, agreed that any technique that could be used by law enforcement to track down criminals, could also be used by authoritarian regimes to track down democracy activists or by the United States' enemies to track down the military intelligence officers that use the network. "Mr. Moore's solution will not solve the problem he is trying to solve, and in the process, he will hurt a lot of people that he should be helping," Nerad said. Moreover, Moore's reliance on keywords to identify potential illegal transactions would likely have a high false positive rate, Nerad said. The Torment project, which Moore first unveiled at a meeting of the Austin Hacker's Association in August, consists of modified client code, a domain name service (DNS) server, and SQL schema. The current version of the code is based on an outdated version of Tor, he said. A ZDNet blog first reported on the project on Wednesday. In an e-mail to SecurityFocus, Moore explained how his system--basically a form of Web bug--works. The modified server software uses scripts to process data before sending it back to the targeted Tor user. The patched software, dubbed Torment, uses the Ruby scripting language to match certain parameters and then allows, modifies or drops the packet. When specific keywords are detected, the Torment software will inject some HTML into the Web request, causing the browser to load an applet on the targeted user's computer to help identify that user. The code includes a unique identifier to track the users. The code requests that the victim's browser resolve a unique host name containing the identifier, a request that will end up being sent to the DNS server run by the attacker, and in so doing, disclose the victim's Internet service provider. The piggybacked Javascript also loads an applet that attempts to determine the internal network address of the targeted machine and to send a raw UDP packet to the attacker's DNS server to identify the external Internet address of any router that--by using network address translation (NAT)--may be obfuscating the user's address. "The only difference between this and a standard IMG (image) tag is the multiple correlation points that it uses to identify users," Moore told SecurityFocus. "By combining standard HTTP requests with a custom DNS server, a Java applet, and a database, it can abuse client-side information leaks to pinpoint a user's real IP address." The attack also relies on the attacker's ability to have its server become an exit node for the Tor network. Exit nodes are key servers that act as the drop point for encrypted data cells from the Tor network, which are translated into unencrypted network packets and sent out to the Internet. Responses are processed by the same server, translated back into data cells, and sent through the Tor network back to the user. In a paper released in February, computer scientists from the University of Colorado at Boulder outlined a method to dramatically increase the chance of a malicious server being selected as an exit node by the Tor network's algorithms. However, the technique would leave recognizable fingerprints that the Tor service could identify, the Tor group stated in a blog post at the time. And, that's not the only hurdle that Moore's attack would have to leap. Tor servers meet the definition of an Internet service provider, which means that operators are not required to know what data passed through the server, said Kevin Bankston, staff attorney with the Electronic Frontier Foundation (EFF), which hosts the Tor Project's site. While it is possible for the operator of an exit node to see the data, it would likely increase their liability, because if the operator became aware of illegal activity, they would have to report it, he said. "In the ordinary course of operation of a Tor node, there is no reason for someone to become aware of what content is traversing that node," Bankston said. "If you do become aware of specific child pornography images transiting your network, you do face a legal obligation to inform the authorities, but that does not translate to some over-duty to monitor your customers' communications." Moreover, anyone who implement's Moore's tools could be violating federal wiretap laws, Bankston said. For his part, Moore intends to turn the tools over to law enforcement for their own use, he said. "I agree that evidence collected in this fashion may not be admissible in court, but my end goal is to provide a software package to law enforcement, not stream evidence directly to the agencies," the researcher said in an e-mail to SecurityFocus. The Tor Project has already taken steps to inform its users. On Thursday, the project added a warning to its documentation and further outlined what users need to do to protect their anonymity online. "Tor by itself is NOT all you need to maintain your anonymity," the site read. "There are several major pitfalls to watch out for." The list of threats is not small: misconfigured applications, using any of a number of browser plugins, visiting sites that have set cookies, and a lack of encryption from the Tor network to the destination server. If nothing else, the list underscores that, in the digital world, anonymity is not easy. securityfocus.com
