[Rack] Tor security in Noisebridge

Andy Isaacson adi at hexapodia.org
Sat Dec 15 05:43:53 UTC 2012


On Fri, Dec 14, 2012 at 07:23:33PM -0800, James Sundquist wrote:
> How easy is it to gain administrative access to Noisetor?

Either trivial, or incredibly difficult.  The box has been hardened by a
few good hackers.  We believe its network threat surface is minimal.

Of course we have no way of knowing where the eth0 is plugged in.  For
all I know the FBI showed up with an NSL and told our hosters how it was
going to go down and now we have the special red cat5 going into an
inconspicuous black box.  Or men in black showed up and plugged an extra
special dongle onto a spare DIMM socket.  Or an Intel microcode backdoor
was inserted using the top secret radio hole in Nehalem.  Feel free to
make up your own hardware conspiracy theory to go here.

I don't think any of those physical compromise scenarios happened, but I
can't be sure.

> How do you
> guarantee Noisetor is not modifying, monitoring, or recording traffic?

I and a few others set it up.  We believe it's not modifying,
monitoring, or recording traffic.  The benefit to us of lying about it
is pretty small (and if I had evidence or even a good suspicion that
one of the others had done something bad, I'd say so.)

>  Trust is good, but I'd like to learn more specifics.
>   This guy here[3] and here[4] mention simply using a tor node and
> tshark or just a proxy to capture tons of information immediately.

Yep, it's incredibly easy to do so.  I can't present any evidence that
would convince a sufficiently paranoid auditor (you) that this specific
box hasn't been misused in this way.  I can say that I believe it hasn't
and I have an incentive to find out if it has and to publicize if I find
out.

> How would you prevent someone from doing this?

We have a limited list of people with access to the box.  We are pretty
sure the box can't be compromised without compromising one of the admins'
authentication methods, and we're pretty sure that hasn't been done.
Short of hiring an actual auditor to examine an image of the box, I'm
not sure what more proof you'd be interested in.

> How is the project managed?  Is there extensive documentation
> somewhere of how Noisetor has been configured and maintained?  I found
> some information that Andy posted in January 2012 [1], but couldn't
> find anything else in the Noisetor mailing list archive.

We set out with grand plans to have the exit node extensively puppeted
and completely checked in to github, but we ended up hacking together
the configs for the box to get it running, and then ended up in the
classic situation of "well, it's working, but getting the configs
completely parameterized and checked in is more work than any of the
existing admins are willing to put in."  A fair bit of stuff is on the
github repo, but not all.

> What first got me thinking about this was an 07/2012 article from
> BoingBoing[2] about a fake certificate used to spy on a resident of
> Jordan.  It looks like the company, Cyberoam, used the same SSL
> certificates in multiple services.  The light traffic on the tor
> mailing list and general chaos of the 'bridge make me curious of
> whether the online services are treated in a similar manner.  Thanks
> for the info!

Shrug.  If you trust a different Tor node operator more, feel free to
use them instead of Noisetor.  Personally I am certain that my machines
could be compromised by an even minimally competent black-bag team; I
don't have interest or wherewithal to defend against that threat, but
I'm fairly confident that it hasn't been done unless by a major
government agency, in which case I'm fucking screwed so I might as well
just pretend I haven't been.  I do my best to not get pwned and I think
I do a pretty good job.  I'm well aware of the weaknesses in my security
posture; sometimes I mitigate those, other times I don't bother.

HTH,
-andy
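As an added example (not part of Andy's message, and not Noisetor's actual configuration or tooling), here is the kind of check that "configs completely parameterized and checked in" would make possible: parse the relay's live torrc and the copy in version control, report any drift between them, and flag the two settings that make an exit relay write down per-client detail (SafeLogging 0, and Log levels of info or debug). The torrc contents, nickname, contact address and log paths are constructed for the example; the parser is a simplification of Tor's own (trailing '#' comments are stripped, quoted values and line continuations are not handled).

```python
"""Audit a Tor relay's live torrc against the copy in version control.

Constructed example: the two torrc files, names and paths below are invented
and are not Noisetor's configuration.
"""

# REPO_TORRC stands in for the file committed to git; LIVE_TORRC for
# /etc/tor/torrc on the box, where someone has quietly turned up logging.
REPO_TORRC = """\
Nickname exampleexit
ContactInfo ops@example.invalid
ORPort 443
DirPort 80
ExitRelay 1
ExitPolicy reject *:25
ExitPolicy accept *:*
Log notice file /var/log/tor/notices.log
SafeLogging 1
"""

LIVE_TORRC = """\
Nickname exampleexit
ContactInfo ops@example.invalid
ORPort 443
DirPort 80
ExitRelay 1
ExitPolicy reject *:25
ExitPolicy accept *:*
Log notice file /var/log/tor/notices.log
Log info file /var/log/tor/info.log   # added on the box, never committed
SafeLogging 0
"""


def parse_torrc(text):
    """Parse torrc text into {key: [values]}.

    Keys are lower-cased (Tor matches option names case-insensitively).
    Options such as Log and ExitPolicy may repeat, so each key maps to a
    list.  '#' to end of line is treated as a comment.  Quoted values and
    backslash continuations are not handled (simplification of Tor's parser).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def config_drift(live, repo):
    """Return {key: (live_values, repo_values)} for options whose values
    differ.  Order of repeated values is ignored; presence and content are not."""
    drift = {}
    for key in sorted(set(live) | set(repo)):
        a, b = sorted(live.get(key, [])), sorted(repo.get(key, []))
        if a != b:
            drift[key] = (a, b)
    return drift


def privacy_findings(conf):
    """Flag settings that make the relay record per-client detail.

    SafeLogging 0 stops Tor scrubbing addresses out of log lines; Log levels
    below notice (info, debug) record circuit-level activity.
    """
    findings = []
    for value in conf.get("safelogging", []):
        if value.strip().lower() == "0":
            findings.append("SafeLogging 0: addresses are logged unscrubbed")
    for value in conf.get("log", []):
        level = value.split()[0].lower() if value else ""
        if level in ("info", "debug"):
            findings.append(f"Log {level}: verbose level records circuit detail")
    return findings


def audit(live_text, repo_text):
    """Run both checks; returns a dict a cron job could diff against the last run."""
    live, repo = parse_torrc(live_text), parse_torrc(repo_text)
    drift, findings = config_drift(live, repo), privacy_findings(live)
    return {"drift": drift, "findings": findings, "clean": not drift and not findings}


if __name__ == "__main__":
    report = audit(LIVE_TORRC, REPO_TORRC)
    for key, (live_v, repo_v) in report["drift"].items():
        print(f"drift: {key}: live={live_v} repo={repo_v}")
    for finding in report["findings"]:
        print("finding:", finding)
    print("clean" if report["clean"] else "NOT clean")
```

Run against the constructed files it reports drift on Log and SafeLogging and two findings; run with the committed file on both sides it reports clean. The check only proves the on-disk torrc matches what was committed, which is exactly the limit Andy describes: it says nothing about tshark running beside Tor or about what is plugged into eth0.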
