When everyone's talking about it

When everyone's talking about it

The King County Library System asked me to present on cyber safety topics in a very neat program they have (“When everyone’s talking about it..”).  I have been giving two separate, but related presentations and both have been well-received by those who have attended.  Mine is but a small part of the KCLS program.  I have even attended presentations that I had interest  (like the presentation on drones!).  

For the most part, I have skipped over the basics in my presentations. There really isn’t much need to talk about “what is email” or “the Internet is a bunch of computers connected together”.  We all know that kind of information.  Rather, I have been giving practical advice on what to do right now to reduce the risk of having your devices compromised by hackers and reducing the risk of predators accessing your children online.  Every bit of information I talk about is real time applicable, from reducing your digital footprint to surfing the Internet while maintaining your privacy.  I even show how to use the Tor Browser and encrypted email!

In every presentation, I am seeing parents take notes furiously, ask serious questions, and show a genuine interest in online safety for their families and themselves.  For me, this is easy stuff.  I have already raised two kids in the digital age of Facebook and cell phones (hint: they survived, but still not easy).  And I have investigated cybercriminals (hackers, child pornographers, and others who have used technology to commit crimes).  That is the biggest benefit to attendees I try to give.  Cram as much pertinent information from what I know into an afternoon or evening presentation that can be put to use right away.  Free to anyone.

This is one of the few presentations you can step out the door and put the information to use before you get home.

But if you think this is just another Internet safety program, you are mistaken.  I go through how to use social media to help get (or keep) a job, get into (or prevent getting kicked out) of school for families and individuals, and reduce the risk of cyberbullying.  I show how easy it is for anyone to be a victim by clicking the wrong link or opening the wrong email along with ways to identify the dangerous links and emails. The term "Third party provider" takes on a whole new meaning to attendees when they are shown the ways their personally identifiable information (PII) can be stolen when stored on third party service providers such as their health insurance company or a toy company.

Most importantly, I answer tough questions. Although I give some guidance on creating family rules and personal use of technology, I leave it up to the invididual and family to decide what is appropriate. My guidance is to show how to create rules on the foundation of safety. Everything else is up to personal morals and values.

I’d like to credit the King County Library System for adding these presentations to their program this year because cyber safety is probably one of the most important topics today.   Everything comes down to cyber.  Whether it is personal information being leaked or hacked online or a child being lured from home, cyber is serious.  You can use technology safely and still enjoy the benefits but to ignore safety is like betting the farm on the Roulette wheel.  You never know when your number will come up, but when it does, it will hurt and hurt for a long time.

As far as this program (When everyone's talking about it) goes, KCLS nailed it.  I have organized more than a dozen training events and several conferences over the past decade.  I know exactly the effort needed to put something like this together and KCLS did it right.  If you are in King County, Washington, you really should check out the programs.  They do a fantastic job at a price you can't beat anywhere.  

As for me, I only have two more talks left.  All you need to do is show up.  No RSVP.  No charge.  Free parking.

Again, kudos to KCLS for putting this great program together.  Let's do it again next year.

----------------------------------My next talks----------------------------------

Cell Phones in the Family

Woodmont Library

26809 Pacific Hwy S, Des Moines, WA 98198

April 30, 2016      2PM – 3:30PM

 

Cell Phones in the Family

Newport Way Library

14250 SE Newport Way, Bellevue, WA 98006

June 23, 2016       7PM – 8:30PM

1480 Hits

I'm just a Tor exit node! I'm just a Tor exit node!

I'm just a Tor exit node!  I'm just a Tor exit node!

Never thought I would still see this happening…

http://www.ibtimes.co.uk/seattle-police-raid-home-privacy-activists-who-maintain-tor-anonymity-network-node-1552524

I have personally seen warrants served on the wrong address on two occasions.  The first was a drug investigation where the lead detective went to the wrong door to an apartment.   The warrant was correct in having the correct address, but the detective didn’t take the time to check the numbers on the door…

The second time I witnessed a wrong door entry was when the lead detective had the wrong address on both the search warrant and affidavit.  The detective never even corroborated the information to find the right address.  Basically, the detective looked down the street and picked the house she thought was the drug dealer’s house.  After SWAT kicked in the door and broke a few things in the process, it took all of 5 minutes to realize that it was the wrong house.  The drug dealer was on the next street over…the victim house got a new door from Home Depot and carpet cleaning paid for by the task force.  

Both of these warrants taught me something that I will never forget.  Before you kick in the door, make sure you got the right door.  After you make sure you got the right door, make sure again.  Then ask your partner to double-check that you got the right door. Then get a warrant and kick it in if the suspect doesn’t open it for you.

After investigating drug crimes, I went into cyber cases.  The same fear of entering the wrong house became even more worrisome since relying on IP addresses is not the same as relying on your eyes. You have to rely upon a fax from an Internet service provider for the address.  In an investigation case of following a suspect to his home, it is easy to physically see the house for which you plan to swear to in an affidavit.  But with an IP address, you have to rely on some third party service provider to give you the subscriber at the physical address where the IP address exists and trust that the information is accurate. That is at least one step before swearing to an affidavit to ask for authority to force your way into someone's home.  Investigators must still confirm that their suspect and/or evidence is at that particular and specific address, which requires at least some legwork to confirm the physical address.

When Tor is used by a criminal, relying on the IP address is worse than a bad idea, especially since it is so common knowledge that an exit node on the Tor network has nothing to do with the origin of any data that flows through it, other than the data flows through it.  I have taught and wrote about Tor as it relates to criminal/civil investigations for several years now, each time repeating:

IP address ≠ a person

MAC address ≠ a person

Email address ≠ a person

Tor IP address ≠ the address you want

CSI Cyber regularly does one thing right…whenever the cybercriminal uses Tor (proxies) on the show, the Hollywood FBI hackers don’t even try to trace it because they know that a proxy is not going to lead back to the cybercriminal.   They then resort to other means to find the cybercriminal before the hour ends.  Not that any of their other methods are realistic, but at least they got Tor right.  Anyone watching CSI Cyber even one time is exposed to explanations that tracing cybercriminals using Tor is virtually impossible.  This is the “CSI effect” in reverse.

Since TV show viewers can figure it out, you can imagine my surprise seeing this tweet today:

I don’t have access to the case reports, nor know anyone involved, but the one thing I can tell is that if this case was based on an IP address alone, I cannot fathom why no one checked to see if the IP address was a Tor exit node.  Checking a Tor exit node takes about 10 seconds.  The Tor Project even helps and provides everything you need.

https://check.torproject.org/cgi-bin/TorBulkExitList.py

Certainly, there are probably other details that could have led to going to the ‘wrong’ house, but running a Tor relay should not be one of those details.  At least currently, it is not illegal to run a Tor exit node.

The best analogy I can give to how relying on a Tor exit node to accurately reflect the physical address is that using an envelope.  Consider a criminal committing a crime through the mail (mailing drugs or something like that).  Instead of putting his address as a return address, he puts your address as the return address, drives to another city, and drops the package in a mail box on the side of the street.  Let’s say the police seize the package of drugs at its destination and then kick down your door because your return address was on the package.  Any investigator charged with tracking criminals online must (not should) be aware of how Tor works.  Even in the private sector investigating employee misconduct, or IP theft, knowing how Tor works is mandatory when IP addresses are involved.  You just can't get around knowing it unless you don't mind kicking down the wrong door one day..

https://www.torproject.org/about/overview.html.en

On side note, I am one of the biggest advocates of those who have the job of tracking, investigating, arresting, charging, prosecuting, convicting, and incarcerating predators of children.  I have not a bit of compassion for these criminals and I cannot imagine anyone feeling any different.

Coincidently, I gave a presentation on this very topic at an ICAC conference in the Seattle area last year…oh well.

 

UPDATE: APRIL 8, 2016

Link to the search warrant affidavit:  AFFIDAVIT

1858 Hits

Barking up the Encryption Tree. You're doing it wrong.

Barking up the Encryption Tree.  You're doing it wrong.

There always comes a time when an obscure, yet important concept, leaves the technical world and enters the main stream.  Recovering deleted files was one of those where we pretty much knew all along not only that it can be done, but that we have been doing it all along. The Snowden releases were another aspect of ‘yeah, we knew this all along, but the GFP (general f’ing public) was oblivious.

Encryption is just the most current ‘old’ thing to make the limelight.  Whenever something like this happens, there are ton of people ringing the end-of-the-world bells, clamoring that national security will be lost, and personal freedoms take a back seat to everything.  It happens all the time and when it happens, there is a fire to make new laws on top of thousands of other laws, in which the promise of better safety and security is as strong as a wet paper bag holding your groceries on a windy and rainy day.

b2ap3_thumbnail_bancalifornia.JPG

Legally, it is super easy to ban, control, and/or regulate encryption. A stroke of the pen with or without citizen oversight can make it happen quickly and painlessly.  One signature on the last page of a law that is a ream in size is all it takes.

Practically, it is impossible to completely eliminate or control or regulate encryption.  The only thing laws will do is restrict the sale of encryption products by corporations.  Encryption exists in the minds of mathematical practitioners and can be recreated over and over again. You can't blank out someone’s brain (I hope not…).  Encryption is available everywhere on the Internet, from software programs that are FREE and OPEN SOURCE to download and even in TOYS that can be bought off Amazon.com.  These 'toys' work by the way.

b2ap3_thumbnail_engima.JPG
Enigma encryption...for sale on Amazon.com

Go ahead and ban encryption and people will just buy a $10 toy to create cipher text for emails.  Tor use will skyrocket as will third party online privacy providers operating in safe harbors overseas.  Banning encryption or breaking the trust of companies like Apple will only result in loss of business for corporations and (more) loss of trust by consumers of both corporations and government.  Even if encryption is not banned, but under the complete control of any government, that particular piece of technology won’t be used for anything other than entertainment. No business is going to transmit sensitive intellectual property data through an insecure system.  No government is going to use a system that can be more easily compromised by enemies or hackers.

b2ap3_thumbnail_veracrypt.JPG
Free encryption software: https://sourceforge.net/projects/veracrypt/

The end result of banning encryption is creating a whole new class of “criminals” who just want to protect their private communications.  “Private” does not mean “illegal”.  Controlling the source code of Apple is only going to cause Apple to end up with 3 employees who will their only customers.  Not even the government will use Apple if they know the source code has been compromised...especially if compromised by the government itself.

Not long ago, I gave a presentation on Internet investigations to a group of law enforcement investigators.  One of the first questions I asked was 'Given authority and ability, what would like to see done in regards to the Internet?".  Most answers were to 'lock it down', 'watch everything', 'control it all', and "give government complete control".  At the end of the presentation, no one felt that way after I explained how that will negatively affect everyone down to the individual person business, including the government.  Ignorance may be bliss, but that doesn't make ignorance a good idea.

If this 'ban encryption bandwagon' keeps going, the next thing we will see is envelope regulations requiring the paper to be transparent, just in case the government needs to read your mail without opening it.

b2ap3_thumbnail_envelope.JPGI also do not believe that there is any one 'thing' that can prevent the apprehension of criminals, prevention of terrorist attacks, or investigation of a crime.  If encryption can do all of those, we need better investigative training for our detectives and case officers.
1272 Hits

What is this thing "privacy" you speak of?

What is this thing "privacy" you speak of?

 

I luckily missed being born into the Internet generation.  Facebook creeped me out with the amount of information demanded to create an account.  It took me all of 1 minute to create an account, 5 minutes to decide to delete it, and then two hours to figure out how. That was years ago and I still receive email reminders from Facebook to re-join with all my information still in the deleted  account, as if I never deleted it. If you ever wondered what Mark Zuckerberg thought of Facebook users, you may want to take a look...http://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5 

Perhaps a decade of working undercover has made me ultra-paranoid on personal information. At the time of doing UC work, I had little concern of sitting in an illegal business, having dinner with an organized crime figure and having one of his goons run me through Google, because there was no Google when I first started. That changed before I left the narc world and an undercover friend of mine was identified with Internet searches (while he was in the midst of a group of bad guys). If I was still doing undercover work, I'd no longer be doing undercover work. Thanks Google...

I can imagine that being born into the Internet age means never knowing what privacy is, nor have any concern about it all. Kids are literally texting in grade school, Facebooking in middle school, and blogging by high school.  Every generation now willfully gives up every aspect of their lives on social media and to buy some gadget online.

So when I see that the majority of people could care less about their most intimate and private details of their lives, it gives me pause. If you don’t think your Internet searches and web browsing is intimate, take a look at your web history and tell me that you don’t have some secrets in what you look at that you wouldn’t want anyone else to know about you. Health, wealth, and interests. How much more intimate can you get?

Despair at the Number of Americans Who Choose Security over Liberty, Privacy - Reason (blog)

http://news.google.com Thu, 31 Dec 2015 17:41:15 GMT

Reason (blog)Despair at the Number of Americans Who Choose Security over Liberty, PrivacyReason (blog)According to a new, frustrating poll, a majority of Americans in both the major parties appears to support warrantless government surveillance of Am ...

Read more ...

 

I’m not sure if people just don’t care the government watches and logs their Internet activity or if they just don’t know that they have a right to be secure in their homes, papers, and possessions. Either way, the result is the same. Privacy no more, and like the arrow flown, you can’t get the data back.

I can say that there are government organizations that actually take issue with privacy, one for example: Public Libraries. I’ve had criminal investigations where I needed information about a library patron for serious felonies. Not only were librarians willing to throw down with me to fight giving it to me, but I was promptly kicked out and told to get a warrant (which I did every time).  The library in the county where I live takes privacy seriously (KCLS). No security cameras anywhere. Not inside the library. Not in the parking lots. Nothing recorded. Patrons can use Tor if they bring it on a CD or flashdrive to plug into public use computers. The WiFi is free, no login required, no tracking of the users. 

For this, I say libraries may be the last bastion of personal privacy protection, but then again, I have no idea how many national security letters have been handed out to librarians

Certainly the day is close where privacy no longer exists in any manner. Already, if you ever applied for a security clearance, foreign governments have your application and probably your fingerprints too.

China says OPM breach was the work of criminal hackers - Engadget

http://news.google.com Thu, 03 Dec 2015 04:59:00 GMT

EngadgetChina says OPM breach was the work of criminal hackersEngadgetChina says the massive security breaches at the US Office of Personnel Management (OPM) that exposed the personal information of more than 21.5 million US government employees, con ...

Read more ...

I can say with experience, the Internet is great for investigators. Finding suspects has never been easier. In fact, finding an entire life history of a suspect takes on a whole new meaning with Facebook and every other type of social networking account.  Heck, they list their associates too. How much easier can it get? Criminals are people too, and they put as much personal information online as everyone else. Take the Dark Web as one example.  The Silk Road creator took massive steps to hide his identity, but an IRS agent identifed him with Google searches...

The Tax Sleuth Who Took Down a Drug Lord - New York Times

http://news.google.com Fri, 25 Dec 2015 17:48:14 GMT

New York TimesThe Tax Sleuth Who Took Down a Drug Lord New York Times It was Mr. Alford's supervisors at the I.R.S. who assigned him in February 2013 to a D.E.A. task force working the Silk Road case. The Strike Force, as it was known, had so far had l ...

Read more ...

My only concern with personal privacy evaporating like dry ice in the summer is that criminals also have an easier time of finding enough personal information to do damage to anyone, whether as ID theft, stalking, or worse.  It's bad enough that there are several levels of government agencies tracking everyone (including you), and that the criminals are using the same methods, but we also have the foreign governments doing it too.

Probably the best thing that can happen to the Internet is that it breaks...but then again, how will students find answers to their homework if they can't access Wikipedia? Can you imagine telling your kids to go to the library? The horror!

1587 Hits

The best part of writing a book is finishing the book.

The best part of writing a book is finishing the book.

I choose the title of my latest book (Hiding Behind the Keyboard) to be provocative, although the book may not completely be what you would expect if you think that it is a manual to hide yourself on the Internet. Being from Syngress, this is technically a technical book in that it discusses how to uncover covert communications using forensic analysis and traditional investigative methods.

The targeted audience is those charged with finding the secret (and sometimes encrypted) communications of criminals and terrorists.  Whether the communications are conducted through e-mail, chat, forums, or electronic dead drops, there are methods to find the communications to identify and prevent crimes.

For the investigators, before you get uptight that the book gives away secrets, keep in mind that no matter how many “secrets” are known by criminals or terrorists, you can still catch them using the same methods regardless of how much effort criminals put into not getting caught.

As one example, one of the cases I had years ago as a narcotic detective was an anonymous complaint of a large, indoor marijuana grow operation.  Two plainclothes detectives and I knocked on the door and politely asked for consent to search the home for a marijuana grow.  I told the owner that he didn’t have to give consent, or let us in, and could refuse consent at any time.  He gave consent and we found hundreds of marijuana plants growing in the house.  The point of this story was that on a table near the front door, was a book on how to grow marijuana that was opened to the page that said “when the cops come to your door for consent, say NO!”.  He had the book that advised not to do what he did anyway.

The point being, even when knowing how to commit crimes, criminals are still caught and terrorist plots are still stopped. The more important aspect is that investigators need to know as much as they can and this requires training, education, and books like Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard.

I had help with this book with early reviews, suggestions, recommendations, and co-authoring.  Most of what is in the book, I’ve done or helped others do. Some things work sometimes, other things work other times, and nothing works all the time. But having a toolbox to choose from gives you choices of methods that can fit individual cases.

As a side note, many of the methods can work in civil litigation depending upon cooperation and legal authority. For example, use of the Tor browser in a corporate espionage or employee IP theft case can make a huge difference in the direction a forensic analysis takes.

For anyone going to Las Vegas for the Enfuse conference, I’ll be presenting on this book and look forward to meeting you there (please say hi).

You can order Hiding Behind the Keyboard here:

1585 Hits

Libraries and the Tor Browser

Libraries and the Tor Browser

A few weeks ago, I was asked by a librarian for my opinion on library patrons using Tor in public libraries. My initial reaction, based upon having done more than a few cybercrime cases, is that Tor in public libraries is a bad idea. How can law enforcement track criminals who use library computers when the Tor browser is being used?  And libraries are government entities! Tax dollars would be spent helping criminals commit crimes on the Internet and remain anonymous. By all means, NO! Don’t do it!

From a law enforcement perspective (which I have not lost since my days in law enforcement), the Tor browser makes cybercrime investigations practically impossible to identify the user for 99% of cyber detectives and this is a major problem for investigators.  The remaining 1% of cyber analyts have access to supercomputers and virtually unlimited budgets that is beyond the scope and reach of the regular police detective.   Since the Tor network is so effective in providing anonymity to Internet users and police are practically powerless against it, why support it since criminals are using it?

About a half second later, my opinion changed.

The public library protects freedoms more than most people will ever know (except for librarians…they know about freedom protections). Sure, police protect freedoms by protecting Constitutions (state and federal versions) but law enforcement has a dilemma. On one hand, they swear to protect freedoms and on the other, the freedoms restrict their ability to protect.  Using the First Amendment as an example;

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Taking the freedom of speech as an example, people have a right to express themselves and that not only includes speaking, but also reading, and communicating (assembly) with other people. Libraries provide access to information and support intellectual freedom.  And of course, people abuse freedoms and commit crimes, such as harassment where free speech goes too far and intrudes on someone else’s rights. Maybe it's easier to protect speech by getting rid of it? Nope. That doesn't work...

Many (all?) public libraries today in the United States provide Internet access with WiFi and public terminals. Complete freedom to browse the Internet and communicate with people around the world certainly meets freedom of speech criteria.  You can’t get much more supportive in providing access to information than that. As a government entity, the public library supports the First Amendment more than any other entitity.

Here comes Tor.

Without getting into too much detail about “Tor” (The Onion Router: http://www.torproject.org), let’s just say that Tor can be looked at simply as an Internet browser that hides the Internet Protocol (IP) address of the computer user. That means that a computer user can be practically anonymous online when using the Tor browser.  The Internet history cannot be tracked, the physical location of the user cannot be tracked, and users can feel secure that they have privacy online without interference from government or other persons.

Internet privacy is important. Not only is government tracking of Internet users invasive, but so is corporate intrusions into personal privacy. Every person has different tastes, likes, interests, and beliefs. The founding principle of privacy is…privacy. Tor provides that privacy when it is used appropriately.

Running the Tor browser is simple enough since it is just an Internet browser (basically anyway). For a library to support Tor use, IT staff just need to download the browser to the public computers and put the icon on the desktop.  That’s all there is to it to give library patrons access to Internet privacy.

During a recent conversation with a librarian, I was told that the library (in the Seattle area), does not monitor, track, record, or even look at patron Internet history and useage. After explaining that the library certainly has the technology to do so, by default in their network system, and that every patron’s Internet history can be viewed, tracked, recorded, logged, and be required to be produced to law enforcement by court order, the conversation changed quite a bit. Obviously, if a crime has been committed and a search warrant is obtained, providing any information to investigate and prosecute criminals is a good thing for society as a whole.  The drawback is Internet history being logged or viewed for all patrons, in any manner, for general purpose or for later historical analysis. That negates privacy and goes against intellectual freedoms for which the public library stands.

With Tor, patrons can generally be assured their Internet use is private (barring screen capture software, keyloggers, compromised systems, etc…). This is a good thing for patrons to have as a choice. Tor is not perfect and has drawbacks to the ‘normal’ Internet browsers, but for the most part, if privacy is a concern, the Tor browser relieves the concerns.

As an investigative point, if a criminal wants to remain anonymous and use Tor to commit crimes, the library probably isn’t the best place to do it. Although most libraries do not have video surveillance cameras, some do.  There are libraries (the East Baton Rouge Parish Library as one example) that hire police officers as security! For a criminal to use a library computer to commit a crime may make it easier to get caught.

Tor relays: it’s Tor, but a little bit different topic. One of the methods that Tor is effective is that when using the Tor browser, computer relays (“Tor relays”) are being used to route the computer user’s traffic around the world.

http://www.torproject.org 

Anyone can volunteer to be a Tor exit relay, where Internet traffic running through the Tor network will ‘exit’ from your system. By being a volunteer, you help world-wide Internet anonymity by providing a Tor exit relay. For the most part, nothing bad happens, but occasionally, the Internet traffic leaving your relay could be criminal in some aspect, such as child pornography. You won’t see it, nor have anything to do with it, but your IP address will be tied to it since your relay is the last relay to receive/send it.

Not that this makes you a criminal, or that you facilitated a crime any more than if you sold a Ford that was used in a bank robbery as a getaway car, but it can happen. Today, law enforcement is more aware that Tor exit relays are not the source of crime, and the person running the relay is not the criminal they are looking for.

https://www.propublica.org/article/library-support-anonymous-internet-browsing-effort-stops-after-dhs-email

So it was strange to find an article where law enforcement pressured a library to not volunteer as a Tor relay. Tor relays exist world-wide. There are literally thousands of relays, everywhere. Shutting down every relay is virtually impossible. So why push libraries to not volunteer when it is the public library standing for the freedoms in the first place?

As a business consideration, my opinion on public libraries being Tor exit routers depends upon the cost required to set up and maintain it since public libraries are funded by the public with taxes. Other than that, if the public supports it and libraries can do it, why not? A public library can do little more for intellectual freedom than not only providing use of the Tor browser, but also operating a Tor relay.

Restricting or eliminating use of the Tor network would be like shutting down Toyota dealerships because the Toyota Camry is used for bank robbery getaway cars.

For the investigators worried about rampant crime in the library because of Tor…you can still catch the cybercriminals.  And for libraries worried that they will facilitate crime, don’t worry about that either. Tor users can’t choose the Tor exit relays.  It won’t be like cybercriminals will be able to pick a library Tor exit relay and commit crimes.  I give an entire chapter on beating Tor in my next book, at least as much as Tor can be beaten.

 

 

 

Tags:
4883 Hits

Tor is perfect! (except for the user....)

Tor is perfect!  (except for the user....)

I have been spending so much time with the Tor browser over the past months that I have forgotten just how seamlessly it uses a complex network of global servers, and encryption to provide a near perfect level of online anonymity. The Tor browser is extremely effective in providing near 100% anonymity that if not for one little flaw, it would be perfect, and I found that flaw.

The flaw is the user. Yes, every physical device and software application has the same flaw, but with Tor, it is a flaw that can completely negate using Tor for anonymity with misuse. Something as simple as a user not updating the Tor browser when prompted in bold print is enough to break anonymity. The Tor browser can only do so much to warn users to update the browser...

On one hand, criminals using the Tor browser who are lazy, too busy, or not accepting the danger of using outdated Tor browsers run the risk of getting busted.  On the other hand, legitimate users, such as those living under oppressive governments, can be discovered and imprisoned (or worse!) for exercising speech online.  Both situations generally require the user to be the weak link.

FBI Uses Spyware to Catch Tor-Based Child Pornography Suspect - Softpedia News

http://news.google.com Thu, 01 Oct 2015 02:46:49 GMT

http://t1.gstatic.com/images?q=tbn:ANd9GcQxYPXiaO7F03zDfLzy9fCeiyj7obMA0G6jj8US0UWF_LBSKY7Tuq7WFLZykSGdtdYjjBoDZl4Softpedia NewsFBI Uses Spyware to Catch Tor-Based Child Pornography If you were wondering, the Flash plugin comes turned off by default in all Tor Web browsers. For this particular reason, if you ever read a tutorial on how to pr ...

Read more ...

I have been known to have the superpower of being able to break steel balls while locked in a rubber room, so trying to break Tor seemed possible. With more than a few personal tests, I found Tor works well.  Reading through dozens of white papers written by computer scientists (waaaayyyy smarter than me) only confirmed that Tor works...very well.  It is just the user, either by using outdated Tor browser bundles or other user-created accidents that are easily led to their front door.  In my current book, Hiding Behind the Keyboard, I have written a chapter solely dedicated to the Tor browser and included some methods where investigators can force a user error to identify criminals. In short, for investigators it is a game of chance when Tor is involved in an investigation.

Writing about Tor is a bit touchy. Generally, individual countries create and enforce laws for that country. Some countries allow near unfettered freedom of speech and others less so. Some countries go to extreme measures to identify and punish anyone speaking out against their government or government officials.  Technically, the methods to uncover Tor users in both types of countries are the same.  Some countries go so far as to shut down the entire Internet to prevent any use at all by its citizens. The touchy part is that the methods to go after criminals are the same methods used to go after legimiate users (whistleblowers, activists, etc...).   

China tightens noose on Internet as anti-censorship tools suddenly shutter - Washington Times

http://news.google.com Wed, 26 Aug 2015 20:29:28 GMT

http://t3.gstatic.com/images?q=tbn:ANd9GcQ4S__sARQwUCjQj6xlXikkzYxHZMr-5dgXdzJOKPjG_VEKcHE0UIUw5bD8w0DKowAhIVMKwiJ4Washington TimesChina tightens noose on Internet as anti-censorship tools suddenly shutter. Censorship circumvention tools designed to bypass Internet restrictions are again under attack in China as software meant to let users around th ...

Read more ...

Which brings me to the many news articles and NSA/Snowden leaks about Tor. Nearly all are based on exploiting the user and not Tor. Sure, high-tech spyware has been used to infect Tor browsers to uncover IP addresses and such, but the only reason this has been working is because the user has failed to use the most current version of Tor. And much like a house of cards will fall with one card pulled out, an entire criminal organization using Tor to commit crimes will fall when one thing (the user) is exploited through user errors or forced errors.

Tor is not perfect, and certainly not best for all Internet use, but it has its place when needed. As one example, whistleblowers have a legitimate need for anonymity to report violations. Another would be anyone using a public computer (library, hotel, etc...) and would like the Internet provider see everything they are doing online, not for criminal activity, but simple personal privacy.

For forensic analysts, the biggest takeaway I can give is that if you are not looking for Tor use in your cases, you may be missing LOTS of evidence. Think back to the last time you even searched for Tor remnants in an analysis. How about the last time you even thought about looking for Tor in an examination.  Or better yet, have you ever even considered it? Examiners who conduct an "Internet Analysis" of a computer system is not being complete without including searching for remnants of the Tor browser.  The mere existence of the Tor browser can affect your analysis conclusions.

In two investigative/forensic books I have been working, Tor is a factor for analysts, but it is not the only factor. Tor is but one part of any person's overall communication strategy. Rare is communication based on a single method, but instead included many types of communication methods used in conjunction with other.  A cell phone text message can be a reply to an e-mail sent through Tor which was a reply to a face-to-face contact.  When uncovering covert communications, the goal is to find all the methods in order to put the entire communication threat together, without missing pieces. If you have not been looking at Tor, most likely, you have missing pieces.

Tags:
3488 Hits