Comments
Usually when these things happen without a warrant, we're talking about something very immediate, like state problems for example. Or something already investigated elsewhere that has an ample warrant, but not issued directly to the provider, or considered non-mandatory by someone high in court hierarchy.
Their lawyers may be after it, but this is very targeted and specific. It will be difficult for Windscribe to do much other than demand compensation for the lack of service and potential physical damages.
PS - The Gestapo was German. This is in the Netherlands. And Dutch people don't like to be confused with Germans... ever. It's a question of respect for them.
I get it, but sorry, I have zero respect for cops taking away a server without warrant.
Windscribe>mullvad?
If it was a RAM disk, then how did the authorities know which server to pull out? And the police cyber department is no joke, guys. They know what they are doing when a serious situation arises. If there are Epstein files involving high authorities from the Netherlands, it is a warranted raid.
It's not that high-end. It's actually pretty easy.
Or ask the upstream for access to their NetFlow collector. Just because the server running the VPN software itself doesn't log doesn't mean that their upstreams don't either.
How would anyone be able to tie any specific activity or log entries from an upstream provider to the downstream (VPN) provider's specific user?
Trivial traffic correlation. Same way Team Cymru is able to sell the ability to deanonymize VPN usage using NetFlow (and similar, e.g. jFlow) records.
It is trivial with traffic correlation. The bullshit about users sharing the same server/IP being anonymous is one of the many snake oil claims of the commercial VPN industry. Their entire business model is based on lies and half truths, that's why some of us are very sceptical about claims of dire misconduct from Dutch police in this instance.
Even Tor can be successfully deanonymized by state and even private actors in relatively simple ways. There is no such thing as an anonymous internet connection, and a VPN in particular is VERY far from that.
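The NetFlow correlation that several posters above describe (tying an upstream collector's flow records to a specific user behind a shared VPN IP) can be shown in a few dozen lines. The following is an added example and not code from the thread, Windscribe, Team Cymru or any other party. It assumes an upstream collector that sees both sides of the VPN host: tunnelled flows from client IPs into the VPN address and plaintext flows from the same address out to the internet. The addresses, flow records and the 8% tunnel-overhead figure are all constructed for illustration.

```python
"""Correlate upstream flow records across a shared VPN egress IP.

Added example, not from the thread. Assumes a NetFlow/jFlow-style collector
that records (src, dst, start, end, bytes) for both the client->VPN tunnel
flows and the VPN->destination flows. All records below are constructed.
"""
from dataclasses import dataclass

VPN_ADDR = "203.0.113.10"   # assumed VPN host address (RFC 5737 TEST-NET-3)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    start: float   # seconds since some epoch
    end: float
    nbytes: int


def interval_overlap(a: Flow, b: Flow) -> float:
    """Jaccard-style overlap of the two flows' time intervals, in 0..1."""
    inter = max(0.0, min(a.end, b.end) - max(a.start, b.start))
    union = max(a.end, b.end) - min(a.start, b.start)
    return inter / union if union > 0 else 0.0


def volume_similarity(ingress: Flow, egress: Flow, overhead: float = 1.08) -> float:
    """Byte-volume similarity after correcting for tunnel encapsulation.

    Tunnelled bytes on the ingress side exceed the plaintext egress bytes by
    the encapsulation overhead; 8% is an assumed figure, not a measurement.
    """
    expected = egress.nbytes * overhead
    return min(ingress.nbytes, expected) / max(ingress.nbytes, expected)


def score(ingress: Flow, egress: Flow) -> float:
    """Combined timing and volume score; 1.0 means a near-perfect match."""
    return interval_overlap(ingress, egress) * volume_similarity(ingress, egress)


def correlate(ingress_flows, egress_flows, threshold: float = 0.5):
    """Map each egress flow to the most likely client IP behind the VPN.

    Returns {(egress_dst, egress_start): (client_ip, score)} for every egress
    flow whose best-scoring ingress candidate reaches `threshold`.
    """
    result = {}
    for eg in egress_flows:
        candidates = [ing for ing in ingress_flows if ing.dst == VPN_ADDR]
        if not candidates:
            continue
        best = max(candidates, key=lambda ing: score(ing, eg))
        s = score(best, eg)
        if s >= threshold:
            result[(eg.dst, eg.start)] = (best.src, s)
    return result


# Constructed sample: three clients share the VPN at overlapping times.
INGRESS = [
    Flow("198.51.100.7",  VPN_ADDR, 0.0,  60.0, 5_400_000),   # long download
    Flow("198.51.100.23", VPN_ADDR, 10.0, 12.0, 21_600),      # short burst
    Flow("198.51.100.99", VPN_ADDR, 30.0, 90.0, 5_400_000),   # long, later
]
EGRESS = [
    Flow(VPN_ADDR, "192.0.2.50", 0.5,  59.5, 5_000_000),
    Flow(VPN_ADDR, "192.0.2.80", 10.2, 11.8, 20_000),
    Flow(VPN_ADDR, "192.0.2.50", 30.5, 89.5, 5_000_000),
]


def demo():
    """Run the correlation over the constructed records."""
    return correlate(INGRESS, EGRESS)


if __name__ == "__main__":
    for (dst, start), (client, s) in sorted(demo().items()):
        print(f"{dst} @ {start:5.1f}s  <-  {client}  (score {s:.2f})")
```

The two long downloads to the same destination are separated purely by when they ran, and the short burst by its byte count; no payload, port or DNS information is needed, which is the point the posters above are making about a shared IP not being an anonymity set. Real collectors usually export sampled flows and see many concurrent sessions, so the scoring here is deliberately simplistic and would need a proper matching step (and tolerance for sampling error) in practice.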
Not entirely. It depends on whether the circuit loops through the same AS or major IXP. Plus, Tor uses padding machines to collapse NetFlow records and its use of static guards makes Sybil attacks impractical. It isn't perfect, but it makes it much harder to deanonymize clients directly. Onion services, on the other hand...
There's a good reason why even high-profile criminals on Tor are almost exclusively caught due to OPSEC mistakes or RCE on (hilariously insecure) Firefox ESR. In fact, the last traffic-based deanonymization required the cooperation of one of the largest German ISPs, took a long time to pull off, and succeeded only because the target happened to be using an onion service-based chat app with an outdated Tor binary that lacked vanguards and was using a relatively low-traffic guard.
I don't know what news sources you are reading, but in Europe it's in every newspaper and people are getting fired or in real trouble. The Norwegian princess, Jack Lang in France, Andrew and Mandelson in the UK, etc. etc. etc. The cover-up is in the US.
It is much harder, but doable, and it would be naive to think that interested actors do not have significant visibility into it. Some adversaries control vast amounts of nodes in the network, have access to global flow data, etc.
It also depends on the specific target: for example high traffic hidden services are impossible to hide, period. Connections to clearnet websites are vulnerable given an adversary with enough resources and time... and I'm sure there are many approaches which are not obvious to someone who is not an expert.
Just flow data is already very dangerous by itself, given that circuits very often do not leave central Europe, and T1s are selling access anyway.
The vast majority of traffic is actually controlled by several well-known members of the Tor community (r0cket, NTH, 1AEO, prsv, etc.), and Sybil attacks such as the KAX17 event are often discovered and not "persistent" due to the necessity to perform fairly noisy attacks to boost bandwidth consensus weights. The visibility is certainly not significant. High-traffic onion services (the name has changed from hidden services a while ago, despite some legacy terminology like HSDir) are hard to hide due to the fact that anyone can trigger a new connection with them at any time.
And actually, connections to the clearnet are less vulnerable due to their ability to use conflux and the fact that the anonymity set is larger, which matters when you can fingerprint the initiation of an onion circuit (although that is less true now with widespread alt-svc onions, though that actually comes with other issues due to single-hop and multi-hop onions being distinguishable under current padding machines).
The modern NetFlow-collapsing keepalives also cause Tor to be removed from the majority of sold flow data, especially for traditional sampled flows (which are the vast majority). This is why the latest traffic-based deanonymization attack required an ISP to enable extensive logging with granularity far finer than the type that is sold to data brokers.
Attacks can and do happen, but it's wrong to paint it as if remaining anonymous while using Tor is a quixotic task. There's a very good reason why it's still exceedingly difficult to deanonymize specific individuals without exploiting software or OPSEC mistakes and why it's rare and takes a significant amount of time even when the international IC works on it.
It would be better to say that passive, retroactive, dragnet-style deanonymization happens but is very rare, active traffic-based deanonymization is possible but difficult and takes a long time, and deanonymization through software exploitation and OPSEC failures is frequent. There is a large list of protocol-level leaks that are documented by the Tor Project, and the threats that are considered the most realistic are often not what you'd expect (i.e. it's almost exclusively guard discovery attacks, as in the Boystown case).
Even for nodes "controlled" by friendly volunteers, their network is for sure being monitored, which helps a lot, even given countermeasures offered by the protocol (which I am not an expert in). Also network diversity is very very bad, and that has been an ongoing issue forever.
By the way, it is very interesting that there was a publicly recognized deanonymization from the Germans, I hadn't read about that. Very often parallel construction is used, particularly in the US, to avoid going into specifics, it is kind of surprising that they published it.
Anyway I insist, I am not an expert, particularly in the latest developments of Tor, so maybe the situation has improved a bit in the last decade. But I have my doubts because some issues are structural to its design, and progress has been historically slow.
Network diversity is indeed an issue (hence why I currently run the second-most diverse set of relays, behind zGato). The issue actually isn't entirely due to lack of non-EU nodes, but due to the way the bandwidth authorities score nodes. Thus the two relays I have in Japan, despite being very fast, only get a combined ~1 Mbps going through them. When the bandwidth authority measurement techniques are improved, network diversity will skyrocket overnight (although it will still be NL/DE-heavy).
It's very difficult to keep such things a secret for long. In that case (I assume you mean the Boystown case), the target was using an outdated version of Tor with an onion service on his personal system. That deanonymization actually gives people quite a high confidence in Tor, given how much time and effort it took to find someone, even when utilizing logs from one of the largest ISPs in all of Germany and international IC coordination.
Historically and into the present, almost all attacks that aren't related to end-point exploitation go like this:
You might find this interesting: https://spec.torproject.org/proposals/344-protocol-info-leaks.html
Interesting insight, thank you. I was donating quite a lot of bandwidth a long while ago, when I was young and idealistic, but have not really cared much about Tor for a long time, so thank you for providing some interesting stuff to read!
@forest I know this is stupid. Do you think using an open Wi-Fi network (no password, or a shared password, e.g. a cafe, bar or other type of service industry, and using it in a random pattern) sounds like a good enough solution to defeat a Tor deanonymization attempt?
As someone who runs Tor relays on LET hosts, I can only hope my $7/y server does not come with an external network monitoring feature. (I didn't select such an addon at checkout.)
https://forum.torproject.org/t/tor-relays-important-update-on-an-upcoming-german-broadcasting-story-about-tor-onion-services/14656/3
I don't think starting another relay server in DE/NL/US is a good idea. Those two have shown themselves to be hostile towards the network in recent years.
I mean, for now those cases were pretty justified and didn't target innocent people. However, the ability to deanonymize users in a network that's supposed to make users anonymous defeats its purpose and affects everyone in a negative way.
So for the future I would hope criminals would be caught without affecting the integrity of the tools they used. It's the same as if law enforcement agencies backdoored every Apple iPhone user just because a few people commit crimes using their iPhone.
just my 2 cents
That depends on your threat model. A deanonymization that leads to open Wi-Fi will lead back to an anonymity set of however many people use that Wi-Fi in that given time. If there are cameras around, then there's really no benefit.
If you really want solid protection, consider using the Snowflake pluggable transport. There are literally more than a hundred thousand Snowflake proxies. Just only use it if you really need to, because at the moment it's quite overloaded due to the situation in Iran.
You should get back to donating, even if only on your idlers! While it's not bulletproof (nothing is), people still benefit from it tremendously. The fact that it's even difficult for high-profile criminals to get caught without exploiting the browser means that it's virtually impenetrable for people who don't have an entire team assigned to finding them.
So, I'm guessing NL is not safe anymore for servers/torrents and such?
Anything is fine for torrents. No one is going to put effort into sophisticated deanonymization just to sue for copyright.
As far as NL/DE is concerned, I agree. It harms network diversity. My personal rule is to only set up an NL/DE server if it costs less than $10/year and has unmetered bandwidth, otherwise I pass.
US servers are actually fine though, since the US is absolutely massive and there are plenty of places with next to no Tor presence. We don't need another relay in LA or NYC, sure, but there are plenty of other locations that would be good to run relays at.
@oloke said: I mean, for now those cases were pretty justified and didn't target innocent people. However, the ability to deanonymize users in a network that's supposed to make users anonymous defeats its purpose and affects everyone in a negative way.
So for the future I would hope criminals would be caught without affecting the integrity of the tools they used. It's the same as if law enforcement agencies backdoored every Apple iPhone user just because a few people commit crimes using their iPhone.
just my 2 cents
The problem is that multiple innocent people were targeted and were made suspects.
The vast majority of criminals are caught because they're simply terminally stupid. Good old-fashioned investigation is enough to catch them.
It certainly requires a few extra steps, e.g. securing access to several SSIDs within a zone. Certainly there's CCTV around public spaces. But I don't think the recordings are stored for more than a few weeks. Thanks for the explanation.
This 100%
There were some who worried a lot about 0-days but at the same time were so dumb about their OPSEC it's unbelievable.
But that's good for us I guess.
It’s just a matter of time before VPN services come under pressure in the EU.
$7/year on shared LET server
Yes, chat control will eventually get to VPN corporations, then demand access for their obscure members (literally a blacked-out list) to scan your traffic.
Is it? I know it used to be easy with e.g. firewire and doing DMA, but not sure how you'd do it in general nowadays.
AFAIK, even sticking in a rogue device into the PCIe slots that DMAs system memory is likely to fail nowadays if the IOMMU is active.
Not Firewire specifically, no, but memory acquisition in general. There are three broad ways to acquire memory directly from hardware:
And even if none of those work, IOMMUs have been shown again and again to be possible to bypass with physical access on systems without ATS disabled (many servers still run kernels so old that ATS is not disabled) or if the system doesn't support VT-d2 with x2APIC and interrupt remapping. And there have been many vulnerabilities in Intel's code signing, so one could reflash the CSME and exploit PSF and PAVP to gain usable bus mastering despite IOMMU isolation.
Now, I wouldn't call any of this trivial. It's not as simple as plugging in a device over a DMA-capable interface, requesting bus master, and dumping memory, but it's well within the capabilities of many.
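The post above hinges on whether a host's IOMMU is active and whether any device has PCIe Address Translation Service (ATS) left enabled. A quick way to check both from userland is to parse `lspci -vvv` (which prints an `ATSCtl: Enable+` or `Enable-` line under each device's ATS capability) and to see whether the kernel exposes IOMMU groups in sysfs. The following is an added example, not code from the thread or from any tool it mentions; the `lspci` text embedded below is constructed to mimic real output, and the BDFs and device names in it are invented.

```python
"""Report PCIe devices with ATS enabled and whether the IOMMU is active.

Added example, not from the thread. Parses `lspci -vvv` text (constructed
sample below) for the ATSCtl line of each device's Address Translation
Service capability, and checks /sys/kernel/iommu_groups for DMA remapping.
On a real host run: sudo lspci -vvv | python3 this_script.py
"""
import os
import re
import sys

# Constructed sample resembling `lspci -vvv`: one device with ATS enabled,
# one with the ATS capability present but disabled, one without ATS at all.
SAMPLE_LSPCI = """\
00:1f.3 Audio device: Example Corp HD Audio Controller
\tCapabilities: [50] Power Management version 3
01:00.0 Ethernet controller: Example Corp 10GbE NIC
\tCapabilities: [180 v1] Address Translation Service
\t\tATSCap: Invalidate Queue Depth: 00
\t\tATSCtl: Enable+, Smallest Translation Unit: 00
02:00.0 Non-Volatile memory controller: Example Corp NVMe SSD
\tCapabilities: [150 v1] Address Translation Service
\t\tATSCap: Invalidate Queue Depth: 00
\t\tATSCtl: Enable-, Smallest Translation Unit: 00
"""

# Device header lines start in column 0 with a bus:dev.fn address.
DEVICE_RE = re.compile(r"^([0-9a-f]{2,4}:[0-9a-f]{2}\.[0-7])\s+(.*)$")
# Capability detail lines are indented; only the ATS control line matters here.
ATSCTL_RE = re.compile(r"^\s+ATSCtl:\s+Enable([+-])")


def parse_lspci(text: str) -> dict:
    """Return {bdf: {"name": str, "ats_enabled": True/False/None}}.

    ats_enabled is None when the device shows no ATS capability at all.
    """
    devices = {}
    current = None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = m.group(1)
            devices[current] = {"name": m.group(2), "ats_enabled": None}
            continue
        m = ATSCTL_RE.match(line)
        if m and current is not None:
            devices[current]["ats_enabled"] = (m.group(1) == "+")
    return devices


def ats_enabled_devices(text: str) -> list:
    """BDFs of devices whose ATS control bit is set, sorted."""
    return sorted(bdf for bdf, d in parse_lspci(text).items() if d["ats_enabled"])


def iommu_active(sysfs: str = "/sys/kernel/iommu_groups") -> bool:
    """True if the kernel has created at least one IOMMU group."""
    try:
        return len(os.listdir(sysfs)) > 0
    except OSError:
        return False


def report(text: str, sysfs: str = "/sys/kernel/iommu_groups") -> dict:
    """Summarise the two checks the thread cares about."""
    return {
        "iommu_active": iommu_active(sysfs),
        "ats_enabled": ats_enabled_devices(text),
    }


if __name__ == "__main__":
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSPCI
    for k, v in report(src).items():
        print(f"{k}: {v}")
```

A device listed under `ats_enabled` can cache translations in its own IOTLB, which is the property the post above refers to when it says IOMMU isolation has been bypassed on systems "without ATS disabled"; the Linux kernel accepts `pci=noats` on the command line to refuse ATS for all devices. `iommu_active` returning False on a machine you expected to have DMA remapping usually means the feature is off in firmware or the kernel was booted without it.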