Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: Anonymous is not anonymous

Roger A. Grimes | Aug. 14, 2013
At this point, most of us would welcome shelter from the gaze of government cyber spies. Here are six reasons why that may be unattainable

Read one of my recent columns, and you'll learn that the governments of the world have tens of thousands of undisclosed bugs they can use to break into computers at will. Don't trust security software to protect you completely.

Reason No. 3: A password is still a password
The weakest link in most security software isn't the code. It's usually the password protecting the private keys. Most privacy and encryption software asks the user to input a password to protect the private key material that it used to encrypt and protect communications. For example, the Pretty Good Privacy program will ask you to type in a password to protect your public/private key pairing. It will even advise you what is and isn't considered a strong password.

Unfortunately, most users choose relatively weak passwords. Even those who enter what they think are strong passwords are fooling themselves — and it's inherently easier to guess a user's password than it is to try and crack the private key that does the protecting. I have to assume that organizations like the NSA have specialized hardware-only chips that are adept at cracking the passwords to particular programs. Heck, they probably just extract the relevant parts of the program, along with the key pair, and crack away. I'm guessing their bank of crypto-cracking computers will make short work of most users' allegedly "strong" passwords, and I'll bet the designers of such hardware chuckle at our gullibility.

Reason No. 4: You don't really know where your packets are
Services like Tor work by randomly rerouting encrypted packets of information between varying participating hosts. The bad guy would have to know which Tor computers were used by you end to end, compromise those, then tackle the other encryption issues. Sounds like a pretty high bar to overcome, doesn't it?

Except that Tor software has vulnerabilities just like any other software. In one recent example, it was speculated that law enforcement agents used a privately known vulnerability to track and locate child pornographers. Moreover, I think the entire premise of Tor's anonymity through router obscurity is flawed.

The biggest advantage of using Tor is that your packets are randomly routed through "volunteer" computers all over the Internet. But Tor can't really guarantee that. Who's to say most of Tor's volunteer computers aren't owned by governments that want to keep a hand in?

If I was interested in invading Tor's privacy, I would create a very large cloud of computers that would make up most of Tor's network. They could even ensure that your traffic would only be routed on owned Tor computers by manipulating where future Tor packets go once they enter the owned segment. Even if Tor's software hasn't been manipulated, you can't trust it if the volunteer computers are owned and manipulated. They could make participating Tor clients do anything. (Tor experts, if you think I'm wrong, please message me and explain how Tor would prevent this.)


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.