Tor it a new one

NOTE: Much debate went into posting this article. After some revisions, making a few details more obscure and talking about the pros/cons of the info, we decided to run with it. The comments are open, but any sort of attacks on anyone, including other commentators, will not be tolerated.

Onion routing, as defined in Wikipedia, is “a technique for pseudonymous (or anonymous) communication over a computer network. [It utilizes] the concept of “routing onions”, which encode routing information in a set of encrypted layers.”

Tor, or The Onion Router, is a client/router implementation of onion routing. Originally developed by the US Naval Research Laboratory, it become an EFF project from late 2004 through late 2005. It is currently provided under a BSD license.

What is important to understand is, using Tor, someone can provide a completely hidden service - one that can be accessed completely anonymously. What better place for mischief?

We could go on about what onion routing is, what Tor is, and so forth. You can find out more by visiting the pages linked above. We’re going to cut through the technicalities and get down to business.

We wanted to write an article about this emerging “hidden internet.” But we wanted to get to the meat - the stuff you couldn’t find elsewhere. We were thinking hacking programs, manifestos by lunatics, banned documentation, pirated movies, phone numbers for gov’t offices, the sort of stuff you used to get on dialup BBSs back in the day. The stuff that, on the web, is hidden by pop-up ads, misleading links, spyware, malware, and general garbage.

So off we went. And you won’t like what we found.

From Wikipedia:

Although Tor’s most popular feature is its provision of anonymity to clients, it can also provide anonymity to servers. By using the Tor network, it is possible to host servers in such a way that their network location is unknown. In order to access a hidden service, Tor must also be used by the client.

Hidden services are accessed through the Tor-specific .onion top level domain. The Tor network understands this TLD and routes, anonymously to the hidden service. The hidden service then hands over to standard server software, which should be configured to listen only on non-public interfaces. Services that are reachable through Tor hidden services and the public Internet are susceptible to correlation attacks, and consequently are not really hidden.

An added advantage of Tor hidden services is that, because no public IP address is required, services may be hosted behind firewalls and NAT.

An .onion URL looks like this (non-working example):

http://www.voehtr2k943bo9bh.onion

It is a hash created when setting up a Tor server, and is completely unreachable unless you are running a Tor client. Once your browser is properly configured to direct traffic through Tor, you’re set.

So with all the commotion about the government dropping eaves (although not on the ‘net, it doesn’t bode well for the future), Tor seems like a good solution for sensitive information - secured server, secured client, untraceable, anonymous, not accessible via shallow web (coined!).

We configured Tor, and a companion filtering component called Privoxy (to hide details about our computers). All we needed was a starting place…

Where do you find a starting place for hidden services? It felt like trying to get into an exclusive club when the only way in is a short guest list, and through a really big bouncer. Right off the bat, there is the Hidden Tor Wiki, located at http://6sxoyfb3h2nvok2d.onion/tor. For the curious, this is a good place to start:

This wiki houses a list of hidden servers - hidden to the outside world, at least. The thing we noticed though, was that most of the content was available elsewhere. If not on the web, then on Usenet or IRC:

Which is when we realized that we’d have to treat .onion like an exclusive club, and go out looking for an invite. Not really sure what we were looking for, we started out at the asshole of the internet - /b/!

After a few hours of browsing page after page of drivel, poking around and following leads, we had ourselves two .onion servers - servers not mentioned too much, not really talked about with any sort of detail, so we didn’t know what to expect. At worse, we figured they’d be pages of pr0n.

With the giddy anticipation that only pretending to be investigative journalists can bring, we punched the URLs into our Tor-enabled setup, and waited. And waited. Tor bandwidth is provided by peers, so it is a good bit slower than the usual internet. Think 28.8kbps - it was like being in 1995 again, the days where you’d “stay up all night and only see eight women.”

Slowly but surely our jaws pretty much dropped as each image thumbnail loaded. What we had stumbled on wasn’t porn. It wasn’t even what passes as “fine art photography.”

We hit a huge vein of kiddie porn.

(Wait, what do you even call that? Coven of witches, flock of birds, vein of… child pornography? Hope you can tell that we talked a lot about how to deliver this line, and frankly nothing fit. Nothing should fit.)

Just to make this clear, this wasn’t some guy’s photo of his cousin without her shirt on, or a photo stolen by a creepy uncle of his brother’s kid in the bathtub. Full on, man-girl sex. Sometimes boy-boy, sometimes man-boy, sometimes girl-girl, sometimes woman-girl - it just went on and on, for pages and pages and pages. This was a standard image board, the kind you’d find anywhere on the web, but completely dedicated to the distribution of child pornography.

And the language - we’re not repeating anything specific here - but it was frightening: “Post moar!” “Can anyone identify this girl and post?” “Too old.” “Too young.” Even in the most depraved areas of society, it looks like there are standards.

Before we get ahead of ourselves, we had another site to access. With a deep breath, we punched the second one in and waited.

What greeted us was a page in Japanese. So we thought, no big deal, it’s just a BBS. Scrolling down, we found a few posts in English. Right away the language grabbed us: “Good action!” “Post more with sound!” “There looks to be a third in the series, the girl was reaching down at the end.”

This site, while nowhere near as in-your-face as the first one, hosted a little selection of videos. It turned out that we did not have to download anything for proof - this second site referenced the first site for obtaining screencaps of the movies.

Behind the curtain of anonymity, hidden from the public’s view, lies a little world of depravity. Photos and videos from what looked like the 60’s and 70’s, right up through what could have been yesterday, of girls and boys from toddler through preteen. Sometimes the subjects looked happy, sometimes sad, sometimes scared.

What was most jarring though, was the emptiness. No matter their expression, the eyes gave them away. They looked like they knew what was going on was horrifying, but had a reason forced onto them to smile through it all. Who were the men? Were they fathers? What father could do that? Brothers? What brother could do that? What kept hitting us was how sociopaths (read: serial killers) react to images of voilence - they don’t react at all. This easily extrapolated to child molestors. What sort of person could just sit there idly while being shown some of the images we came across? We went in circles attempting to fathom where this came from - what in us, in humans could possibly account for this behavior.

We gave up after a while.

Now here is the question. You have this Tor technology - something that, living in the world we do, we’re going to need. As government gets more and more involved in tearing down personal privacy, this could be a way out. (Hell, when the revolution comes, we’ll use it to hand out orders!)

The Tor site has a FAQ up about Tor Abuse. We’ll post a few notable quotes from it, as they’re on the same tack that we are, but they sound a lot more professional:

…criminals could in theory use Tor, but they already have better options, and it seems unlikely that taking Tor away from the world will stop them from doing their bad things. At the same time, Tor and other privacy measures can fight identity theft, physical crimes like stalking, and so on.

There is nothing the Tor developers can do to trace Tor users. The same protections that keep bad people from breaking Tor’s anonymity also prevent us from figuring out what’s going on.

Some … have suggested that we redesign Tor to include a backdoor. There are two problems with this idea. First, it technically weakens the system too far. Having a central way to link users to their activities is a gaping hole for all sorts of attackers; and the policy mechanisms needed to ensure correct handling of this responsibility are enormous and unsolved. Second, the bad people aren’t going to get caught by this anyway, since they will use other means to ensure their anonymity (identity theft, compromising computers and using them as bounce points, etc).

So we find ourselves in an interesting situation. What, if anything, do we do? We don’t know if the people posting the content were the creators - it may be a very fine line (morally, nonexistant), but there is indeed one between the creators and the consumers. And yes, we’re ignoring the potential future activities of such consumers, driven by their choice of smut, at the moment.

Obviously the first choice in any other situation would have been, call the Feds. Two problems though - first off, we don’t want to get in trouble. No one read up on what the hell could happen to us in a situation like this. We’re assuming nothing, as we’d be turning over a mountain (well, a nice sized hill) of evidence. But you never know with the police state we live in lately.

Secondly - what harm would we be doing to a technology that is already very valuable, and will definitely be more valuable in the future? What sort of irreversible harm could we cause by shining a spotlight on Tor? Legislation forcing backdoors into every single encryption scheme? Changes to TCP for tracking individual packets via massive mandatory logs? A government-mandated “Internet ID”? With alarms going off if this digital ID was missing? We can imagine a million scenarios - unfortuantely, none are good. Not very realistic either, but with Senator Tubes in D.C. - anything goes, kids.

The only good to potentially come out of us bringing this to the fuzz, would be shutting down two hidden servers engaged in illegal activities. If they could even find them, which after reading the technical documentation of the Tor protocol, seems a bit hard. And as the Tor folk themselves state, real criminals already have better ways to hide - shutting down two sites won’t do much to stem the flow.

It seems like a decision between the future of online rights and privacy, versus making a little chip in a worldwide criminal enterprise. Two big deals - honestly, deals way bigger than the scope we’re discussing here - but what would the effects of our actions be?

And what if the things that we could bring to light, saved the life of a little girl somewhere?

I say, maybe bring it to the Feds, very carefully: if we can perhaps save a life, it’s worth it. The internet itself has never killed anyone (to my knowledge!), and it will go through many more ups and downs that we could never foresee. My associate, who is more conspiracy-minded than myself, says no way: with this country going the way it’s been going the past few years, this kind of technology will serve a genuine purpose sooner than later, and it needs to be kept open despite usage by criminals.

So, what do we do?

This is how the article ends, just an open invitation for your thoughts.

Technorati Tags: anonymity, child pornography, depravity, privacy, tor