On 28/11/15 10:34, Florent Daigniere wrote:
> On Fri, 2015-11-27 at 18:07 -0500,
> [email protected] wrote:
>> Let's talk about the bad news and the way forward.
>>
>> There was a Sybil attack for 4 years. The Freenet 0day has been around
>> for so long that LE contractors have built a kit around it. Forget
>> global adversaries or nation states, it's so bad that local police
>> stations with shoelace budgets can attack the network. My guess,
>> Frost's spam issues make traffic tagging easy.
> What's your source on this?
> Do you understand what Sybil is about?
> What makes it qualify as 0day (it's not documented on
> https://wiki.freenetproject.org/Opennet_attacks ?)
Agreed, do you have any more information than the two sources we've seen
- one state-level newspaper article and a very vague leaked law
enforcement presentation?

As far as I can see, MAST-style attacks don't work, so we are talking
about network-scale Sybil here. There is a cost to this; it's not a huge
cost because the network is small and computing power and bandwidth are
cheap in bulk, but it's not something you could do as an individual
without some funding. Tools vendors presumably amortise the cost by
selling to many users (many different police stations), or big users
(NSA and agencies of other governments).
>> Before anyone gets started: "But, but.. Tor was also attacked!"
>>
>> Yes, but responses are very different from what's going on here. They
>> immediately fixed the hole and evicted the Sybil nodes. They are 
>> implementing code that will make future attempts much more difficult.
>> They did not add a line to the FAQ that said "shit happens" and shrug
>> their shoulders.
>>
>> More on what you can do later.
An attack on Tor was detected in practice, and has been mitigated
somewhat, however there are also cheap (and harder to detect) published
attacks, e.g. the one published last year that could be conducted by
anyone controlling two Autonomous Systems. So it's the tip of the
iceberg IMHO.

IMHO all of the current anonymity networks are vulnerable both to state
level attackers and to well-funded research projects.

Having said that, *any* practical system is vulnerable to NSA-level
attackers, and that's likely to remain true for the foreseeable future.
For example, the Investigatory Powers Bill (re)introduces a power for
"bulk equipment interference", in other words mass hacking. In other
words they are welcome and able to hack a majority of the network, if
they can't get the information more cheaply some other way. And we know
they introduce vulnerabilities when they need them. The war in
cyberspace has been won conclusively. But then Freenet was always just
one piece of the puzzle - a research project really. Historically we
know that lots of the anonymous email remailers have been compromised.

Can we defend against slightly weaker adversaries? Maybe - but even Tor
has cheap attacks. Does it make any difference? That's not clear either:
Intelligence agencies do pass on information when they feel it won't
jeopardise their operations and methods - and they may be more willing
to do that now that everyone knows they can break everything. Are the
Chinese intelligence agencies hunting down political dissidents much
less capable than the NSA? I wouldn't bet on it.
>> "Securing Opennet is impossible, go Darknet mode or shut up!"
>>
>> Taking your defeatist attitude to conclusion we can say anonymous
>> communication is a very hard problem so no point trying. Let's all
>> use the surveilled network and take our chance?
>>
>> Of course not. You can raise costs to make it hard for any attack and
>> other projects proved it.
>>
>> I understand you need more resources to turn things round. That can 
>> change, but carrying a defeatist attitude can never improve anything.
>>
>> Going Darknet mode only is not a real fix.
> Can you define what is the attack and its real-fix then?
Agreed, opennet is really, really hard to fix. Unless we can limit Sybil
by requiring an up front cash payment to join the network. And even then
it becomes vulnerable because it's likely more centralised.
>> It's like suggesting to people
>> to limit internet access only to their LAN to stay safe. The value of
>> the network becomes diminished. Darknet mode also exposes people's
>> social network to anyone watching enough of the internet. It's a
>> dangerous liability.
> The idea is that you're already exposing your social network regardless
> of whether you are using darknet or not... so on the contrary, you do
> *not* leak any information by connecting to your real-life social
> contacts.
>
> What needs changing is the terminology; "friends" might not be the
> adequate word to describe darknet peers.
Yep. They (the cops, the agencies, the corporations) already have your
address book, deal with it.

And darknet is not fundamentally limiting. The problem with darknet is
that Freenet is not socially acceptable and is technically challenging
(it effectively requires a dedicated always-on system), and currently is
slow and inconvenient. There are lots of relatively easy ways we can
improve the last point. The first is hard.
>> You can use the bad news to your advantage. Write your proposals
>> around it as one of your main goals. Say you need more funds to
>> introduce PISCES tunnels, some notion of node pinning, limiting the
>> number of nodes from address spaces, adding Tor transport support and
>> updating crypto primitives.
I am in favour of getting funding to improve security...

PISCES tunnels are darknet only. Also rather complex to implement
because the paper leaves out a lot of important stuff. I had hoped to do
a project on this but abandoned it after discovering problems with
PISCES and that MAST isn't as easy as I had thought.

ShadowWalker is possible on opennet, and should resist up to 20% Sybil,
however IMHO there are practical difficulties with this; in particular
making the allocation of "shadow nodes" Sybil-proof may be hard, and may
require dramatic changes to opennet.

Limiting nodes per IP range is a good idea but it's hard to implement,
requiring major changes to opennet, likely making it much more
centralised and probably requiring a lot of manual management i.e.
ongoing cost, for limited practical benefit. Agencies can get random IPs
easily (since they own all the routers); criminals can get them easily
(hire a botnet). In general if you want to do something illegal you hire
a contractor... If the adversary is strictly adhering to the law, then
we're talking VPNs, which do impose some limited cost...

However, how many nodes do we legitimately expect for a given IP range?
This varies enormously across the internet, e.g. due to carrier-grade
NAT and varying popularity of Freenet in different areas and over time.
It likely requires a big database and manual management. And it's much
harder for IPv6, where lots of people have /64's, and /32's are fairly
easy to obtain. And we don't want to block too many legitimate users.

We could harden opennet a bit, at a considerable cost. But Sybil remains
possible for even fairly large networks - because the bigger the network
the more interesting a target it is, and the more economies of scale you
can exploit (e.g. hiring geeks to write optimised code, dirty tricks
etc). Controlling half the network is not a big problem for a company
that sells exploits to regular police and agencies in many countries,
let alone an agency. And it's enough to break ShadowWalker-style tunnels
as well as Freenet itself: Peer selection for tunnels is a hard problem
on anything more complex than a complete consensus database of nodes
(i.e. Tor).

Whether it is acceptable to implement tunnels on opennet when we don't
have them on darknet is a policy issue that needs to be thought about at
some point. Tunneling the first hop over Tor might be interesting but
there are some big difficulties with it such as node discovery.
Tunneling everything over Tor would make Tor very unhappy and would
greatly increase latency to no good purpose. And in any case, our
requirements are different to Tor's: In particular, we'd like to use
long-term high-latency tunnels for inserts.

If you were building a storage network on top of Tor hidden services it
wouldn't look like Freenet. I was under the impression that there were
such networks built on I2P, but people have contradicted me on this...
anyone have actual knowledge of this?

Also arguably Tor is easier to block than darknet Freenet. Although this
is a debatable point, and efficient darknet tunnels will require losing
some "invisibility".

While Tor has stronger anonymity at the moment, IMHO Freenet still has
some interesting security properties:
1. Censorship resistance. It is easier to host a website safely on
Freenet than on Tor, although there are limits on interactivity. It is
harder to take it down. Half of the hidden services on Tor were taken
down by one raid; this can't happen on Freenet.
2. Blocking: Darknet is harder to block than opennet. Maybe this is
irrelevant at this point, everything can be blocked via traffic flow
analysis.

I have no idea what you mean by "node pinning".
> It's great that you're volunteering to do it.
>> Questions:
>>
>> Does making it impossible versus very hard, to know what a user has
>> in their datastore make attacks harder? As we saw, plausible
>> deniability wasn't much help. Without disk encryption it's over.
> Plausible deniability is all you get from pseudo-anonymous overlay
> networks; whether they're called Freenet, Tor, I2P or anything else
> doesn't change anything; whether they're perfect or not neither.
>
> Put it another way: if "any" probability is enough to get you
> "convicted/jailed/murdered/tortured" using any of these tools isn't
> going to do any good.
What's in your datastore is irrelevant. In general it doesn't include
your local downloads anyway. The client-cache does, and you may have
saved files to disk / browser leaks etc. We are still not aware of
anyone being convicted *merely for running Freenet*.
US-centric legal advice:
https://www.eff.org/en-gb/wp/iaal-what-peer-peer-developers-need-know-about-copyright-law
Note that UK law has strict liability for possession of various nasties.
E.g. there was a case "Ex-soldier found a gun, the cops told him to
bring it to the police station, then they arrested him for possession
(he was convicted)". A similar argument might be made against Freenet,
but AFAIK it hasn't happened yet.

Places which are hostile to the act of running Freenet are likely either
to block it or to detect nodes and send in thugs.

And we do indeed encourage people to run full disk encryption.

In general Freenet provides anonymity, not protection against a nearby
attacker. That is, once they find you, they can seize your computer and
see what's on it, or they can just connect to your node and watch what
you are requesting. The objective is mainly to prevent them getting to
that stage.
>> What can an attacker with DH 1024 cracking ability do to Freenet
>> right now?
> Nothing in current freenet uses or relies on DH1024; Define "DH 1024
> cracking ability" if you expect an answer.
The ability to crack DSA-1024 gives you the ability to compromise
arbitrary SSKs, including the one used for auto-update. This is a
serious concern and we should patch the auto-update to use an external,
stronger signature (given that it may take some time to fix SSKs). I
imagine several different government agencies have the updater key
already though, and they probably didn't get it by factoring. :)

DH is gone, yes, this is good and is largely Florent's work. Inter-node
link-level crypto is reasonable; it should be updated to use djb ciphers
since secp* is NIST and therefore potentially compromised, but it's not
terrible. Of course because it's implemented in Java, timing attacks are
likely possible. Moving the transport layer to C may make sense, but
would open up other problems such as portability, JNI performance and
buffer overflows - but it might allow sharing transports with Tor.
Although it might be worth considering just how fast a node needs to be
for timing side-channels to be viable, maybe it's not a problem in
practice for now?

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
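
An added illustration of the per-IP-range limit discussed in the message above (not code from Freenet or from anyone in the thread): it groups peers by network prefix and flags prefixes holding more than a cap. The /24 and /64 prefix lengths, the cap of 2, the node names and the addresses are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values for illustration; the thread proposes no numbers.
V4_PREFIX = 24
V6_PREFIX = 64
MAX_PER_PREFIX = 2


def bucket(addr, v4_prefix=V4_PREFIX, v6_prefix=V6_PREFIX):
    """Return the network that an address is counted under."""
    ip = ipaddress.ip_address(addr)
    plen = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def over_limit(peers, cap=MAX_PER_PREFIX, **prefixes):
    """Map each prefix holding more than `cap` peers to their node names."""
    groups = defaultdict(list)
    for node, addr in peers:
        groups[bucket(addr, **prefixes)].append(node)
    return {str(net): nodes for net, nodes in groups.items() if len(nodes) > cap}


# Constructed sample using documentation ranges (RFC 5737, RFC 3849).
PEERS = [
    # Three nodes on neighbouring addresses in one /24.
    ("n1", "192.0.2.10"), ("n2", "192.0.2.11"), ("n3", "192.0.2.12"),
    # Three unrelated users seen behind one carrier-grade NAT address.
    ("n4", "198.51.100.20"), ("n5", "198.51.100.20"), ("n6", "198.51.100.20"),
    # A lone node.
    ("n7", "203.0.113.9"),
    # One IPv6 allocation, each node placed in a different /64.
    ("n8", "2001:db8:0:1::1"), ("n9", "2001:db8:0:2::1"),
    ("n10", "2001:db8:0:3::1"),
]

if __name__ == "__main__":
    # At /64 the IPv6 nodes are counted separately and pass; the NAT users
    # are flagged exactly like the clustered /24 nodes.
    print(over_limit(PEERS))
    # Counting IPv6 at /32 catches the cluster, at the cost of treating a
    # whole provider-sized block as one bucket.
    print(over_limit(PEERS, v6_prefix=32))
```

The two runs show both sides of the trade-off raised in the message: the NAT users are indistinguishable from a cluster, and the IPv6 result depends entirely on which prefix length is chosen.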
