code.
  1. CVE-2016-5696 and its effects on Tor


    tl;dr: This vulnerability is quite serious, but it doesn’t affect the Tor network any more than it affects the rest of the internet. In particular, the Tor-specific attacks mentioned in the paper will not work as described.

    Recently, an excellent paper, entitled “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous,” was published by Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth V. Krishnamurthy, and Lisa M. Marvel at USENIX Security 2016.

    The paper describes the 2012 modifications of RFC5961 to the specification of the Transmission Control Protocol (TCP), the latter of which is used to transport roughly 90% of our data across the internet. The modification was meant to protect against TCP “blind in-window” attacks.

    When a TCP packet is sent, the sender and receiver both know a number, called the sequence number, that this packet should have. If the sequence number is not correct, various (complicated, boring) things may happen, but the important part is that neither the sender nor the receiver actually believes that this is a valid packet. Instead, they assume something went wrong somehow, or that an active attacker is attempting to inject packets into their communication stream. The term blind simply means that an attacker is unable to directly observe the packets going between the sender and receiver, but is usually instead trying to use some side-channel to determine this information. There’s another part of the TCP specification which describes windowing — which simply means (did I mention that TCP is very complicated and boring…) that the sequence number was “correct enough” — that is, that the sequence number was within the right range. Specification nerds have long argued over what “correct enough” means, because apparently they find this topic absolutely riveting.

    The fix to the TCP blind in-window attack was to specify that, under certain conditions, if the TCP sequence number doesn’t match what was expected, the receiver of this messed up packet should send a “challenge” ACK to the sender. Depending on the type of messed-up-ness, the sender and receiver do one of a number of little dances with each other, in the special way that TCP is so fond of doing. When one party sends a challenge ACK, they increment a counter stored in a global variable which is shared across all TCP connections. This global variable is reset to 0 once per second, and it has a maximum value of 100, i.e. no more than 100 challenge ACKs will be sent per second (for all connections combined). If it wasn’t obvious from the title of the paper, global variables (across programming languages, frameworks, and contexts) are commonly known to be a very bad, no good, horrible idea.
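
The shared counter described above, modelled as an added example (not code from the post, the paper, or the Linux kernel). It shows why one global budget couples otherwise unrelated connections: what connection 0 receives depends on what connection 1 did in the same second. All names are hypothetical, and the per-connection counter is only a contrast design for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CHALLENGE_ACK_LIMIT 100u /* per-second cap described in the post */
#define NCONN 2

/* One rate-limit counter: challenge ACKs sent during the current second. */
struct ack_counter { uint64_t second; unsigned count; };

static struct ack_counter global_counter;          /* shared by every connection */
static struct ack_counter per_conn_counter[NCONN]; /* hypothetical contrast design */

/* True if one more challenge ACK may be sent during second `now`. */
static bool counter_allow(struct ack_counter *c, uint64_t now)
{
    if (c->second != now) { /* counter is reset to 0 once per second */
        c->second = now;
        c->count = 0;
    }
    if (c->count >= CHALLENGE_ACK_LIMIT)
        return false;
    c->count++;
    return true;
}

bool allow_global(int conn, uint64_t now) { (void)conn; return counter_allow(&global_counter, now); }
bool allow_per_conn(int conn, uint64_t now) { return counter_allow(&per_conn_counter[conn], now); }

/* Challenge ACKs connection 0 gets for `own` bad-sequence packets in second
 * `now`, after connection 1 already caused `other` challenge ACKs. */
unsigned acks_on_conn0(bool (*allow)(int, uint64_t), uint64_t now,
                       unsigned other, unsigned own)
{
    unsigned sent = 0;
    for (unsigned i = 0; i < other; i++)
        allow(1, now);
    for (unsigned i = 0; i < own; i++)
        sent += allow(0, now) ? 1u : 0u;
    return sent;
}

int main(void)
{
    printf("global,   other idle:   %u\n", acks_on_conn0(allow_global, 1, 0, 100));
    printf("global,   other active: %u\n", acks_on_conn0(allow_global, 2, 1, 100));
    printf("per-conn, other active: %u\n", acks_on_conn0(allow_per_conn, 2, 1, 100));
    return 0;
}
```

With the global counter, the count seen on connection 0 changes when connection 1 is active; with separate counters it does not.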

    The attack described in the paper is elegant. In terms of its impact, 96.6% of the Alexa top one million are running Linux kernels, and hence are likely vulnerable. The previously described global ACK counter enables various side-channels across TCP connections, meaning that a blind attacker can determine …

  2. The Forest for the Trees


    It feels rather sardonic to say this now, openly, after two years spent alternating between trying to inhibit my rage and convince myself that I hadn’t been hurt, followed by seeking out other victims, in order to develop the collective capacity to defend ourselves and to have the simple ability to speak out in a manner which would be heard and not discarded.

    I’m Forest. Here’s my story, as submitted to the anonymous site jacobappelbaum.net:

    Jake and I had been friends and coworkers for years. Looking back on it, I’m not sure why. From the very first Tor developer meeting I had attended, he repetitively propositioned my partner and I for sex. He even went so far as to, on the very first meeting on the first morning, in front of all the other developers — whom I had not yet met — tell me that he was okay with my partner and I fucking in the same bed as him while he watched, causing both of my partner and I to feel completely humiliated that our private sex life was being discussed in front of colleagues we had hoped to build a good start towards friendly, professional relationships.

    While travelling, the first time he came to the city I lived in, I invited him to stay at my house. As politely as I could, I explained, “You can have the floor, and I’ll take my bed, or the other way around. If you’re comfortable with it, we can share my bed, as friends. Meaning no physical contact.” We both slept in my bed.

    That turned out (mostly) fine. (Except, of course, being propositioned again, this time for a threesome with Jake and one of my roommates.) In fact, Jake and I proceeded to share beds in a friendly manner over the years, and nothing bad ever happened.

    Once Jake had moved to Germany, I came to visit friends there for a while, and one night I stayed at Jake’s place. Again, we shared a bed, as friends. There weren’t even any discussions or attempts beforehand to convince me to do anything sexual with him. It was freezing cold, and I went to bed with several layers of street clothes on.

    Sometime around 5 o’clock in the morning, I woke up very confused and startled because my pants were unzipped and Jake’s arm was wrapped around me, his hands in my underwear and he was rubbing my clit and rimming the edges of my vagina. I tried to shove him off me and wake him up. He’s physically much bigger than me, so the shoving didn’t work as well as it should have, but nonetheless he rolled over, a bit exaggeratedly, mumbling as if asleep.

    In the morning, I confronted him about it. I was really confused. I didn’t know if he was actually asleep, but if he was, how did my clothes come undone? Assuming that if …

  3. FBI Harassment


    Obligatory Disclaimer: Personal or political views presented within this post absolutely do not reflect those of my employer(s), client(s), and/or legal counsel.

    In the final week of November 2015, a Special Agent from the Federal Bureau of Investigation, Mr. Mark Burnett, knocked on the door of my family’s home and left his card, with an additional phone number penciled in. All my family members residing in America had planned a week-long vacation and were all on a remote island. When the FBI receives DHS flight records as if they’re the morning paper, I must admit that whatever reasons for why the Bureau didn’t know that I or my family were absent escape me entirely.

    The card of special agent Mark Burnett


    My mom found the above card of Agent Burnett, face down on the marble entryway of the house, some days after returning home from vacation. As credit to her and my dad, and, the sheer chaos of every member of our family (including my sibling) being hackers/programmers, at first they didn’t assume the card had anything to do with me. After all, I don’t live in America anymore, and also anyone who knows me in the slightest is well aware that I’m so horribly busy with work… such that for several years I’ve often ignored, stood up, and let down my closest friends. My mother assumed that, if it were really important, the agent would call her. He did, while she was at work a couple days later. (As an aside: that any random FBI agent has the ability to learn someone’s personal cell phone number and use it — uninvited — is, in my opinion, extremely threatening and unacceptable.) He didn’t say what he wanted, only that he wanted to know how to contact her daughter. I was travelling (as always), and my mother didn’t have a phone number for me.

    I had already been in the process of moving, permanently, to Germany, and had retained a German immigrations lawyer several months prior to these events. In late November, not knowing this had already been taking place, I returned to the US for two weeks to visit family and friends for the holidays, collect my remaining belongings, and make any needed long-term arrangements.

    Word got to my lawyer in the US, who decided to call FBI Special Agent Mark Burnett, on that Friday, saying that he represented me and my family. Burnett said the FBI simply wanted to ask me some questions. My lawyer responded by stating that, as my invoked representation, all questions should be directed to him rather than to me or my family. The agent agreed, paused while some muffled male voices were heard in the background, and asked to call back in five minutes.

    Five minutes later, Burnett called back and said, “I don’t believe you actually represent her.”¹ Burnett stated additionally that a phone call from me might suffice, but that the FBI preferred to meet …
