April 16, 2014 38 mins

What is Tor? What's the web under the web? What's really going on? We dish out the details.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Get in touch with technology with TechStuff from
HowStuffWorks.com. Hey there, and welcome to TechStuff. I'm
Jonathan Strickland, and I'm Lauren Vogelbaum, and I'm in
the dark. That the dark, the dark dark net, dark
dark Web. I don't think we're actually in the darknet. No,

(00:24):
Actually we're pretty much on the light. But we're gonna
talk a little bit about the dark net. Really, what
we're going to talk about is Tor, right, that was
originally an acronym for the Onion Router. Yeah,
now it's just Tor. They still have an onion that
is in their logo. It takes the place of the
O in Tor, T-O-R. And that's not just
because they really like onions. There's a reason that we

(00:46):
will get into. Yeah, but so, but so, what is this?
So all the Mighty Tor is one of the Avengers.
He wields the hammer Mjolnir, and his brother is Loki.
She's not even rolling her eyes, she's just staring me
down this time. Okay. So seriously, though, what Tor is
free software. It's an open network and it helps you
defend against traffic analysis. In other words, people trying to

(01:10):
figure out what you are doing and who you're communicating with.
Traffic analysis is a form of network surveillance that threatens
personal freedom and privacy. Uh, it threatens confidential business activities
and relationships, and it threatens state security. Therefore, some folks
got together and said, hey, you know what we should
do is we should come up with the means to
allow people to communicate over the Internet, but do so

(01:34):
in a private, anonymous fashion, so that you can set
up these anonymous channels. Perhaps the most popular way to
access this is through a customized build of Firefox called
the Tor Browser Bundle. Right, yeah, because just using
Tor on its own is one thing to do to
to allow you to have a little more of an
anonymous presence, But it requires more than that, because if

(01:56):
you access Tor through some other means, if you don't
have say Flash disabled in your web browser, then you're
still kind of broadcasting where you are because Flash often
involves, uh, identification information in order for it to work.
So it is open source, so if you feel like
getting in there and and doing your own thing, you're
absolutely able to um and uh and and a lot

(02:19):
of people do use it in one form or another.
At its peak in more than half a million people
were using it every day. Yeah, oddly enough, I think
as I recall, in that year, there was some
news that broke about government agencies. Yeah, Edward Snowden had
that leak about the NSA, and suddenly people

(02:40):
were thinking, you know, I was like it doubled. Yeah. Yeah,
it was one of those things where people began to
get very concerned. And it's not necessarily that these people
are doing anything wrong. In fact, that's not the point
at all. The point is that they have an expectation
to privacy and being able to hold this kind of
anonymous communication with other people. The communication itself isn't necessarily anonymous,

(03:04):
but the channels are. Uh, you know, that's just that's
just an expectation we have. It's not that, you know,
I'm planning something nefarious, it's just if I want
to send a message to Lauren and it's just for
Lauren's eyes, I don't think anyone else has the right
to look in on that. So yeah, and in normal
internet traffic, that's absolutely a possibility. Yes. Because we've talked

(03:28):
a lot about how information travels across the internet, you know,
it all gets divided up into these little packets. Then
the packets go across the network and then get put
together Willy Wonka style on the other side, so that
you get whatever it is you were trying to send,
which is unfortunately probably not a delicious chocolate bar no
or Mike Teavee either, it's not neither of those things.

(03:48):
What it might be like if I if I were
to send that email to Lauren and it's a sizeable email,
that email gets divided up into numerous packets. The packets
go across the Internet, not necessarily taking the same path,
and they eventually reassemble on the other side and Lauren
can read it. But in order for that to happen,
these packets have to have little bits of information so

(04:08):
the routers know where to send the information onto next.
So it's kind of like an address on a piece
of mail. So let's say that you've got a snoop
in your neighborhood and this person is getting into everybody's business.
And the way this person does it is they look
at all the mail that's going in and out of

(04:30):
a person's mailbox, and even if they're not opening that
mail and and reading all of it, just just the
fact that you're sending it to particular people at particular
times can tell that snoop a lot about what's going on. Right,
So if you're sending out uh, you know, envelopes to
say a medical facility, that could give a lot of
information to a snoop if they're seeing that stuff from

(04:53):
various insurance companies is coming into you, that could you know,
I'm going with a medical thing here. But really this
applies to any sort of communication. So so what we're
saying is that it's not enough for the content of
what you send over the internet, uh necessarily, I mean
you are hypothetical, you maybe you're fine. It's not enough
for you to encrypt the content, but the actual transfer

(05:16):
of the content in some cases needs to be encrypted exactly.
And there are a lot of legitimate cases where you
would want that to happen. I mean, let's talk about
journalists for example. So you might have a journalist who
is pursuing some major story, perhaps they're in unfriendly territory
to do so, and they want to be able to

(05:37):
contact sources that might be in danger otherwise if there
if if this communication were publicly known, or really anything
that could endanger the journalist, a source or the story itself,
then you would want to have a way of securely
communicating and making sure that no one's really snooping in
on you. Well, that's that's a perfectly legitimate source. Their

(05:59):
governments use this kind of thing in order so that
they can gather information and disseminate information. Uh, you've got
companies that use this kind of stuff in order to
have secure communications about upcoming products or services that are
not part of the public knowledge and don't need to
be Oh sure, I mean even if you're just doing
R&D about something, you know, like like let's

(06:20):
say that you're the example that you used and in
our notes here is Apple. Like if here, if you're
creating a new product and you start researching patents online, um,
the right person could could find your searches and figure
out what you were looking for. And that sucks for you. Yeah, yeah,
if you had the next big idea and you were waiting,

(06:41):
because you know, like the company of Apple, they get
a lot of you a boost from folks whenever they
announced something brand new that surprises everyone, which of course
is exactly why you have so many news agencies scrutinizing
everything Apple does in order to try and guess what's
coming next. So the more you're able to keep that secret,

(07:05):
the bigger the impact is when you unveil it. Because
the worst the worst feeling is when you tune into
an Apple event and it ends up being exactly what
you expected it was to be. Every everyone still tunes in,
but then they're like, oh, but that's exactly what they
were talking about last week. I know, and you read
what they wrote last week, so stop it me. Sure,

(07:29):
and and lots of other people who could generally be
considered to be working for for non nefarious purposes, but
nonetheless would like a little bit of secrecy, uh, for example,
activists or whistleblowers um or you know Chinese citizens who
really just want to use Facebook or read news from
other countries. Sure, and we've seen plenty of examples also,
things like the Arab Spring. You know, places in the

(07:51):
world where you have people who are trying to enact
change in a very harsh environment where if their activities
were picked up on by official sources, government sources, state
sponsored sources, they could face some serious consequences. And it's
not necessarily the again, like you said, that they're doing
anything nefarious it's just they can't do it at all

(08:14):
without fear of some form of consequence unless that can
remain secure. So you've got to figure out how do
we make this secure. Also, we have to figure out
how do we frame this in such a way where
we also admit some people do use it for nefarious purposes. Oh, sure,
of course. I mean there are plenty of people out

(08:34):
there who are going to use this kind of anonymous
connection in order to conduct illegal or otherwise illicit activities.
We've talked about some of them in previous episodes, in fact,
and we'll mention some more as we go along. So again,
it's one of those things where you would probably argue
that it's a relatively small percentage of the population using

(08:54):
it for these purposes, but they're the ones who get
the most press, uh, and so therefore or it kind
of creates this public perception that people who use Tor
are up to something. Also, you know, we mentioned the
fact that in a normal Internet communication, the you know what,
what amounts to the uh, the address on the label

(09:16):
is perfectly visible because it needs to be so that
it can route across gets to the place it's gone.
And Tor they had to figure out a way around
that so that you could have it be obfuscated
so that if someone were to snoop in on communication,
they would not be able to determine what the origin
nor destination were. And that it is pretty amazing stuff

(09:38):
because you've got you gotta figure out a way of
implementing that where it can still work, Like how do
you disguise the address and still hope that it gets
to where it's going? Because if we did that to
the to the US Postal Service, our stuff would never
get anywhere and it wouldn't be their fault either, because
you just wouldn't be following the rules. Oh sure, yeah,
I if you don't write your address on something, then

(10:00):
how does it get to that place? So here's another
funny thing, Lauren, Um, who was it that came up
with this whole Tor idea? I mean it must have
been like some like hackers you know at DEF CON
convention who all got together and said, we don't want
the government looking in on our stuff, right, you know?

(10:21):
It was the government? It was it was it was
the U.S. Naval Research Laboratory, um, back in back
in actually, which makes it extra hilarious that that the
NSA has kind of been trying to crack
trying to crack it because you've got a government agency
doing its best to figure out how to intercept information

(10:43):
that goes across a Tor network, and another government US
government entity that's responsible in large part for the creation
for creation and furthermore, other governmental agencies that are responsible
for funding it. As of twelve, one point two four
million dollars half of Tor's revenue, uh, came from government grants,

(11:04):
including a large part from the Department of Defense. So
this is an example of two different parts of the
United States government working at odds against each other, one
part saying this is absolutely necessary for us to be
able to operate in a secure way, and the other
part saying, we want to be able to see what's
going on here. So so so yeah. But but but this

(11:25):
all got its start back with the U.S. Navy
and, um, it was part of an onion rooting project
routing project rooting. If you're in England, it's routing. Here
in the US, it's usually routing either way. Why would
you even call it an onion? It's because it relies
upon quote a layered object to direct the construction of

(11:47):
an anonymous, bidirectional, real time virtual circuit between two communicating
parties, an initiator and responder. And that's as clear as day. Yeah,
we can just end the podcast now. Guys, don't worry.
We're going to explain the whole layered thing a little
bit later on. So we will. We will make sure
that you understand why an onion it's actually a pretty

(12:08):
clever way to describe what's going on. But the project
had specific goals to research and develop and build anonymous
communication systems, to analyze other anonymous communications systems, and to
create low latency Internet based systems that resisted traffic analysis, eavesdropping,
and other attacks from outsiders, as in Internet routers, or

(12:31):
insiders, as in onion routing servers. So if the best
uh the ideal was to create some form of distributed
system where you could have two parties communicating with one
another and no one would be able to know that
those two parties were in communication. They would know the
communication is going on because traffic is moving across the network,

(12:53):
but because of the network's design, they would have no
way of knowing what two end parties were actually communicating
with one another. Because just as we were saying with
that snoop. Even if you can't see what the information
itself is, just knowing who is talking to whom gives
you a lot of info. Right. Because of this, And
funnily enough, the Navy actually had to step back from

(13:14):
the project in order to make it actually useful because
the network needs to be open, right. Um. So, I mean,
if if you know, if you can see that everything
is coming through, if on if only the Navy used it,
then you would know whenever communication was happening that the
Navy was communicating with people like you would you would
have limited the number of people that could possibly be

(13:36):
the ones communicating by making it open and say this
is a playground where everyone can come in. Suddenly you
can't tell who's communicating with whom because there's so many's
too much noise and not in the traffic, right. Um. So,
the project incorporated as a nonprofit in two thousand six,
and it currently depends a whole lot on crowdsourcing. Um.
There are only nine full-time Tor employees as

(13:57):
of this podcast, which we are recording on April, by
the way, um and uh, the rest of the development
is spread across dozens of part time assistants and hundreds
of volunteers. The code is open source, which actually makes
it harder to mess with. Um. You know, like if someone, say,
say the NSA, tried to create a vulnerability deliberately,

(14:19):
then anyone could catch it, right. Yeah, it's not like
it's hidden the way behind closed doors. In that way,
it gets overlooked and you suddenly have this back door
entrance into the Tor network. No, it's it's it's much
more likely for someone to catch it if lots of
people are looking. Yeah exactly. Yeah, you've got lots of
people checking on it all the time. So it's actually
more secure by being in plain sight in that way.

(14:41):
So here's how it used to work. Because you know,
I mentioned that Tor was had an onion in the O,
but it doesn't really involve onions anymore. And then we've
mentioned onions. Yeah, so yeah, so we're we're gonna we're
gonna go back to how it worked originally because the
way it works now is not that much different, but
it doesn't involve the onion metaphor anymore. So, first of all,

(15:03):
to achieve anonymity, the Tor network uses something called Privoxy filters,
which prevent client information from reaching servers. So this means
that a client, you know, that's that's your computer when
you are trying to access anything. Let's say you're using
your your browser to access your email, because I love
that example. It's easy one. So your your computer is

(15:24):
the client. It's sending a request to another computer. It's
asking for data from this computer that hosts the the
email service that you use, and that is called the server. Now,
normally the server receives information that can identify the client,
so you have some sort of address that identifies this

(15:45):
is the machine that's asking for that information, So then
the server knows exactly who it's talking to. Well, privoxy
filters prevent that from happening, so it's possible for a
client's identity to remain unknown to the server and also
to the rest of the network as these requests go
across the network. Also, one of the other things that
has and we'll talk more about this in a bit,

(16:07):
is the ability to create hidden services. But you know,
I'm not going to spoil that because the discussion we
have later on will really kind of bring that to
light and it will make much more sense after we
talk about exactly how this communication occurs. Yes, so it's
possible to use onion routing software to send information completely anonymously.
In other words, you could use it so that you

(16:29):
could send an anonymous message to someone else. They would
not know the identity of that person. But that's not
the purpose of Tor. The purpose, like I said before,
is to allow anonymous channels of communication. So you and
the person with whom you're communicating know each other's identity,
but nobody else does, right, So this allows you to
have that honest, open expression of information without fear of

(16:53):
someone else snooping in on you or any other consequences
apart from whatever consequences come from just that communication between
two parties. If you tell someone that they dressed like
a slob, there's going to be consequence, is what I'm saying.
It doesn't have to be someone snooping in on you.
Good point. I get that a lot. Uh. So it
uses proxy servers, and a proxy server acts as an

(17:15):
intermediary between a client and some other server. So you
can kind of think of it as this is the
go between. So if I were to send a request
to get my email, but I wanted to go through
a proxy server, I would log into the proxy server.
The proxy server would then send my request onto the
email server, and from the email server's perspective, it looked

(17:39):
like the proxy server was the origin of that request.
It isn't able to see back to exactly there's a
hop missing there. So that's really important in this. And uh,
the communication part is the tricky part. Like I said,
so you've got this information, it's passing between nodes or
little routers within the Tor network. Okay, so think of

(18:03):
these nodes as rest stops between the client, the sender,
and the recipient the server. Right, Each node only knows
the identity of the node before it and the node
after it, right, So uh, and the node before it
and after it completely is dependent upon when you're sending
the message, because you're you're going to create new pathways
every time you create a connection, so it's not like

(18:25):
you have a set path each time. It's like the Internet.
It's very flexible. So when you send a message, and
let's say it's going through letters A through G, we're
just designating these nodes as A through G and for
some reason it's going in A, B, C, D, E,
F, G order. So node D only knows about nodes
C and E. The information came from C. It knows

(18:46):
it has to send the information onto E. It has
no awareness of A, B, or, you know, F or G.
So that's it. And that means that if you were
to intercept information passing between two nodes, you would just
know which node it came from and which node it
went to. You wouldn't know the actual person who sent it,
nor would you know the person to whom it went. Ultimately,

(19:07):
on top of that, the nodes encrypt the communication as
it's passed along. Yes, and this is where you get
that layer and layer and layer of encryption. And because
there's so many layers of encryption, well, what else has
lots of layers? An onion. I was gonna think of
Game of Thrones, but yes, Onion is right. Onion is
exactly the thing that they went with because Game of

(19:29):
Thrones really wasn't that popular. Also, it's proprietary. I mean,
you know, yeah, that probably would have George R. Martin
gotten a little upset about that. But yeah, so so
Onion is in fact what they went with because there's
so many different layers of encryption. Now I've I know
that this discussion we've just had is really dense and
there's a lot of things about nodes and traffic and

(19:51):
encryption and layers here. So I created an example to
kind of illustrate this. And we're going to get to
that in just a moment, but before we do, let's
take a quick break to thank our sponsor. Okay, So
here's my example, and I think it's a doozy of
an example because it's completely believable. I decided to use

(20:11):
as an example two of our beloved co workers here
at HowStuffWorks. Uh, and when you start thinking
to yourself, who would be so paranoid that they would
need an incredibly secure communication process? Two names leap to
mind from the shadows and then back into the shadows,
because that's where they belong. One of them wearing a
gremlin mask ye, and maybe a fedora on top of it.

(20:33):
It's not a fedora, I know, Ben Dora. No, it's
a trilby, I'm going to call it a fedora anyway,
So Ben Bowlin and Matt Frederick, so Stuff They Don't
Want You To Know hosts. Yes, and if you've never
ever listened to that show, go check it out. Watched show. Yeah,
that's great. So So let's say that Ben wants to
contact Matt and he wants the communication to be secure,

(20:54):
so he sends it across the Tor network using this
freely available software. He's got the Tor bundle installed, and
he sends the message along. So here's what happens. Ben
would contact a proxy server on the Tor network. Now,
that proxy server would then determine the route of nodes
or the number of hops that it will take to
get from the proxy server to Matt's computer. So for

(21:17):
argument's sake, let's say again that it's just, uh, five nodes,
So it's A, B, C, D, E. Those are the
Those are the nodes that it's going to go through. Now,
each hop becomes an encryption layer on this onion, and
the core of the onion is Ben's original message to Matt,
so that's the very center. Now Ben's proxy server starts

(21:40):
to construct layers of encryption based upon the path that
this onion is going to take journeying from the proxy
server all the way to Matt's computer, and the innermost
layer will be the encryption for Matt's proxy. Yes, so
the next layer out would be the node just before
it gets to Matt's proxy. The next layer out would

(22:01):
be the node before that, and so on and so
forth until you got to the first node that the
proxy server sends this onion onto. Now, every time the
onion travels to a new node, it decrypts that layer,
the corresponding layer of encryption. Yeah, so that that layer
of the onion gets pulled away, and that's how the
node knows where to send it onto next. So proxy

(22:25):
server sends it on to node A. Node A strips
away that encryption and sees that it needs to send it
on to node B. Node B gets this onion. Now
Node B only knows that Node A sent the onion,
doesn't know where the onion originally came from, and it
decrypts that next layer, strips it free, uh, finds the
identification of node C and sends it along. Yep, Node

(22:47):
C doesn't know about Node A, just knows about
Node B, So so on and so forth till it
gets to Matt. By the time it gets to Matt,
all those layers of encryption have been stripped away and
Matt can actually read what the message is. Therefore, anyone who's
trying to analyze all of this traffic would would just
see a message passing between two seemingly random routers with
with no way of knowing either where that information came

(23:08):
from or what the ultimate destination is. Yep, And because
you've encrypted it so many times, they probably can't even
tell what the information. They can't read it, they don't
know where it's going. They're in the dark. So to them,
it's just all they know is that traffic is going
across this network, but they don't have any way of
deriving meaning from that. Now, once Matt's proxy receives that onion,

(23:30):
a virtual circuit forms along the nodes. Think of it
as like a temporary pathway that solidifies between uh Ben's
proxy and Matt's final computer, and it allows for encryption
to pass both ways. So you have two different kinds
of encryption. You've got one kind whenever Ben sends a

(23:51):
message to Matt, and essentially you have the inverse of
that when Matt sends it to Ben. So unless you
have the key to that in encryption, you can't figure
out what's going on either. So it's it's pretty secure. Now,
there are some mainly we're talking about vulnerabilities when you
send it from your computer to that proxy server and

(24:14):
when that last proxy sends it to the destination. Because
this is when you don't have the protection of the
network itself. It's when it's you can think of it
as the information is leaving the network to get to
wherever it's going, or entering the net. Yeah, and again,
if you're using a browser that still has certain things
enabled like Flash or Java, then you may end up

(24:37):
having sending along some information that people could identify you
on based on that. But within the network itself, it's
incredibly secure, right And and so this, the circuit that
that you've created, well will last as long as both
parties want it to. You can you can send a
command to collapse it at the end of your session,
you say destroy, and it collapses. This uh, this virtual circuit.

(24:59):
And then if you going to create a new one,
you could and it would be a new virtual circuit,
probably taking a totally different pathway through the nodes. And
you know, I made the example of A, B, C, D, E,
that kind of stuff, but really, you know, it could
be any order. You know, it's it's and it will
be an order. That's all. That's one of the whole
points because if it were the same pathway each time,

(25:21):
then you would ultimately be able to determine who sent
it and who it went to. So it has to
be uh, you know. And of course the more the
more routers you have available, the more of these relay
nodes you have, the more secure the communication becomes, so
that's also really important. Then there's also a concept called
loose routing, which adds another layer of security on this
because like I said, you know, you ultimately you have

(25:43):
these proxies that know way more information than all the
nodes do. They have to in order to be able
to make that layer of encryption and have this onion
pass from one spot to the next. So one thing
you could do with loose routing is that the proxy
ends up sending the onion on to the first node.

(26:04):
But that's all the proxy knows about the probably and
then the first node's responsibility is to create the rest
of that pathway. So even that first stop isn't aware
of where, how, what path it's gonna take to get
to its destination. It just knows this is the first
step of that path, but beyond that I don't know,
So it adds another layer of security to it that way. Now, again,

(26:24):
if you were able to target that first node, you
might be able to figure some stuff out, but really
you just know that it came from a proxy. You
wouldn't know who sent the information to the proxy in
the first place. But yeah, so we've got these these
endpoints that have some vulnerabilities, but other than that, it's
it's pretty secure. Uh, I've got to We've got a
great little bit about how secure it is, and a

(26:44):
little in just a little while. But today nodes or
relays within the system still don't know the origin or
ultimate destination of information. And you still create virtual circuits
between the initiator and the recipient for encrypted anonymous channels.
But there's no more use of this onion metaphor. I mean,
it's not it's not the same implementation. You get the

(27:06):
same result, but it's a different implementation that does it.
But it's this, you know, it's following a lot of
the same philosophies. And you've got a Tor directory that
keeps track of all the available nodes that are on
the system at any given moment. As of January, there
are about five thousand computers around the world operated by
those volunteers that I mentioned serving as potential nodes in

(27:27):
this system. Right, And when you send a message to
recipient across the Tor network, your Tor browser or whatever
consults this directory, which then uh gives it a route
of nodes, and then you can send the encrypted information
across and each node further encrypts the message again and
only knows the node immediately before and after, kind of
like the previous version we just talked about. So it's

(27:51):
not that different, it's just this whole layer metaphor is
kind of no longer as accurate. But um, yeah, one
thing you've got to remember is that because as you've
got this extra layer of encryption going on, and it's
purposefully obfuscating the origin by hopping around a lot,
communication is not as quick, right, It's going to take

(28:12):
a longer necessarily. So if you're using Tor in order
to send instant messages, your definition of instant may be a
little different than what it normally would be. It may
just be pretty darn quick, but not as instant as
this other method. Yeah. Um. Furthermore, it is not the
most secure thing that you can do. No. I actually
read a great article on the best way of using

(28:33):
Tor as as part of an approach to securely using
the Internet and maintaining your anonymity, and I thought about
including it in this podcast. I really did, Guys. I
was gonna go all into the tips this guy had,
and then I realized that it was so in depth
and there was so much to take into consideration
that really we could just do a full podcast just

(28:55):
on that, and perhaps in the future we will. If you,
guys in particular, want to know so I want to
be as anonymous and secure as possible, Tell me what
I need to do, and we'll we'll give you the podcast.
We should we should do that episode. Um I'll tell
you right now. It's crazy, but but right because because
even if you're using the most recent version of Tor,
I mean, which, as we have just detailed, is an

(29:17):
incredibly uh complex and encrypted process, a determined party could
exploit vulnerabilities in Firefox itself, which which Tor is based in.
Um, it could attempt to set up monitoring nodes in
the network, um, or it could just methodically work on
key decryption in order to spy on your activities, so
uh stuff can still happen. Yeah, we'll think about doing

(29:40):
a full security episode. I mean, I kind of think
we'll have to pull Ben in for that one. Oh,
that would be great. We should totally do more crossovers.
We'll we'll see if we can get Ben to be
available for an episode where we really talk about and
you know it's going to sound paranoid and crazy, but
the thing is technology, in order for it to work,
uh, needs to have certain information so it can

(30:01):
allow you to have this communication. But because it needs
that certain information, it means that your anonymity is at risk.
So you've got to do these kind of crazy things. Also,
there're wacky bugs like Heartbleed. Yeah actually, um okay,
go ahead and mention this so Heartbleed. If you
listen to our previous episode, we talked all about this
vulnerability that was in OpenSSL versions one point zero

(30:24):
point one through one point zero point one F and
uh, and how that ended up meaning that people who
use the heartbeat method could get access to encryption keys
and thus see everything that's going across the server. So
you might wonder does this work on the Tor network,
this crazy relay node network, And the short answer is,

(30:46):
technically it works, but it doesn't help anybody out because
even if you were to see the information moving across
a node, it still has multiple layers of encryption, so
it's not as vulnerable. Yeah, although, I mean, Tor, Tor
being Tor, did say that, you know, if you
you really want to be secure, you might just want

(31:07):
to stay off the internet for a few days, right,
And they did say that they had planned on rolling
out patches of the OpenSSL, uh, software because the upgrade,
the newest patch does patch that vulnerability. So uh, they
are going to be fixing up those nodes over time anyway.
In fact, by the time this podcast comes out, most
of them may already be addressed. But yeah, they said that, Um,

(31:31):
that worst case scenario, you're probably still pretty okay. You know,
in the grand scheme of things, that Heartbleed story
was a real eye opener. Yeah. Then we have the
other thing we alluded to earlier, oh right, hidden services,
and that's where that dark net or deep web kind
of thing comes in. Um okay. So, so tour also

(31:54):
provides a way to offer up access to a
server or to run an entire service without revealing your
IP address to your users and from behind a firewall. Um.
Sites and services set up like this are are off
the beaten Internet path. You can't even find them using
Google or other web searches. You have to be using
Tor in order to find them. And, um, they're
all using what's called the dot onion extension because onions. Um. Okay. So,

(32:19):
so basically how this works. The hidden service has a
public Tor listing, and so when a client wants
to access that service, the client sets up a rendezvous
node and sends along an access request via the usual
Tor encryption routing process, um, through a random introduction node
that the service has set up, um, and then the

(32:41):
client and service can contact each other through that rendezvous
node again using the usual Tor circuits. Um, it's
like the introduction and the rendezvous nodes are translators, right.
It protects the service and the client because neither knows
where the other is. That the translators are the recipients
for each party's communications. And so this this deep web

(33:03):
or dark net hosts lots of different stuff, some things
that are definitely in the nefarious category, like the Silk Road,
although Silk Road still has some legit. Sure, some of the
stuff that was on Silk Road was completely legal, the
other not so much. Yeah, So Silk Road, of course

(33:24):
that got shut down, but it existed on Tor and
this kind of hidden web because you know, you wouldn't
want it to be easily accessible, uh, and then everything
would come crashing down, you know, ultimately came crashing down anyway,
but it was hidden better than just sitting there and
on the web. So yeah, that's that's definitely one of

(33:45):
the other issues. And again there are other things that
are on this deep net, this this dark net or
rather or deep web that again not nefarious at all.
They have very legitimate purposes for existing. It's completely legal,
but it's also designed in such a way as to
protect the identity of the people who need to use
the services. So again, just because we have some really

(34:08):
high profile examples of naughtiness doesn't mean that the entire
network is naughty. Just like there are other services that
people have used where some people are using it in
order to get like illegal downloads of whatever content they want,
but most people aren't. A lot of the focus is on
the people who are the pirates, and thus the entire

(34:29):
service gets painted as yeah, yeah, it's I I read
a really great quote and I don't have it open
right now, and, um, Bloomberg Businessweek did a really
great article in January about Tor in general and
the kids who are running it and all that kind
of stuff, and uh, the the example that I think
they used was that, you know, you don't hear about

(34:50):
someone whose stalker couldn't find them. You hear about
the kid who got drugs or the child porn ring
or something right, right, So you know there are some
very very The Navy wouldn't have been interested in making this, uh,
in order just to have crime happen, because as low
as your opinion of the Navy may be, depending on if

(35:12):
you're a Marine or not, it's it's really not in
that business. No, but but certainly the fact that this
kind of illegal activity can go on means that it
attracts attention from, for example, the NSA. Yes. Uh,
I love the stories about the NSA and
Tor because they're both infuriating and funny at the same time.

(35:33):
So infuriating in that, uh, the NSA has attempted.
We know the NSA has attempted to try
and crack because some of those slides that have come
out from Snowden's leaks specifically mentioned Tor. Yep. And, uh,
one of the documents within the NSA is
titled Tor Stinks. And the reason they say Tor stinks

(35:56):
is because it's so gosh darn hard to figure out
what information is within the Tor network. Now, they do
note that if you are able to target those points
where information is coming into the network or coming out
of the network, then you are more likely to be
able to determine what is going on and who is
talking to whom. But if it's within the network itself,

(36:19):
there's no report that has leaked so far that has
indicated the NSA has been able to crack that, which
has not stopped a whole lot of theorists from saying
that they have totally cracked it, and that the reports
saying that they haven't cracked it are just so that
people feel, yeah, that they people will feel a false
sense of security using Tor. Here's the thing about conspiracy theories,

(36:41):
and again, I wish we had Ben on here right now. Uh.
You know, you can you can have a lack of
evidence and that becomes evidence, or if you have a
denial then that becomes hard evidence, you know. So I
I think, I really do think because I don't think
the NSA ever intended for all the information
to leak out based upon, I don't know, everything
that's happened since then. Uh So I'm pretty willing to

(37:05):
believe that they have not yet cracked how to get
look at information in a meaningful way on the Tor
network itself. In general, I would say that Tor seems
for many purposes pretty secure. Now, keep in mind, you
still have to uh practice good internet security on your
own even if you're using Tor. Uh, and like I said, well,

(37:27):
maybe we'll do a full episode on that if you're
interested in that, let us know, because, you know, maybe that
our listeners are thinking, wow, they did a Heartbleed
episode and a Tor episode, go back to talking about
Nintendo or something that we don't know. We have to
hear from you in order to know. So if you
want to know really how to securely navigate the web
like a superspy, let us know, and we'll give you

(37:48):
all the inside skinny and uh maybe we'll be able
to grab Ben on here and have him do his
creepy voice and be awesome. So I do not want
an entire episode of Ben's creepy I don't know they
could do a full episode each. I want at least
for him to introduce himself trap now. I want to
see him trying. Yeah, all right, well anyway, let us know.
You can send us email, our address is tech stuff

(38:11):
discovery dot com, or drop us a line on one
of the many social networks that we are on in
full view that includes Facebook, Tumbler, and Twitter. We use
the handle tech stuff H. S W and Lauren and
I will talk to you again really soon for more

(38:32):
on this and thousands of other topics. Staff works dot
com
