Tech Tuesday goes legitimate and illicit — and explores — and explores the “darknet.” A shadow Internet network where users are anonymous and information cannot be tracked, the darknet is used by everyone from activists avoiding repressive regimes to criminals avoiding the law. A useful tool for journalists and law enforcement, we all got a small window into the darknet last fall, when the hacker group Anonymous breached a notorious child porn site and released the names of its users.

Guests

  • Chester Wisniewski Senior Security Advisor,Sophos Incorporated
  • Karen Reilly Development Director, Tor Project
  • Jillian York Director, International Freedom of Expression, Electronic Frontier Foundation

Transcript

  • 12:06:47

    MR. KOJO NNAMDIFrom WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. It's Tech Tuesday. They call it the darknet. It's an Internet network hidden from most of us, websites and networks where users are anonymous and nearly impossible to trace. Some say it's a dangerous forum for society's evils: child porn, drug dealing, and a whole host of other criminal activity. But there are many legitimate reasons to be anonymous on the Internet.

  • 12:07:37

    MR. KOJO NNAMDIMany people living under repressive regimes, like those who launched the Arab Spring, rely on these networks to remain safe. It's also a tool used by journalists and law enforcement, and it's even used by those who simply seek more privacy in an increasingly linked online world. Joining us to discuss the darknet in our Washington studio is Karen Reilly, development director for the Tor Project, Tor being a free software assistant that enables anonymous communication on the Internet. Karen Reilly, thank you for joining us.

  • 12:08:09

    MS. KAREN REILLYThank you, Kojo.

  • 12:08:10

    NNAMDIAnd joining us from remote studios in Vancouver, British Columbia, is Chester Wisniewski, senior security adviser with Sophos Incorporated, a global data protection and security firm. Chester, thank you for joining us.

  • 12:08:25

    MR. CHESTER WISNIEWSKIThank you, Kojo.

  • 12:08:26

    NNAMDIAnd joining us from studios in San Francisco is Jillian York, director for International Freedom of Expression at the Electronic Frontier Organization, which is a nonprofit digital rights advocacy and legal organization. Jillian, thank you for joining us.

  • 12:08:42

    MS. JILLIAN YORKThank you.

  • 12:08:42

    NNAMDIAnd you, too, can join this conversation, 800-433-8850. Why might you choose to be anonymous on a hidden Internet network? 800-433-8850. You can send email to kojo@wamu.org. Send us a tweet, @kojoshow, or simply go to our website, kojoshow.org, and join the conversation there. Chester, I'll start with you. Let's start with the basics. What is this so-called darknet, also known as the deep net or the hidden Web?

  • 12:09:13

    WISNIEWSKIWell, the terms darknet kind of was coined 30 or 40 years ago with the idea that they were kind of these disconnected sub-Internets, if you will, things like the military might operate or the government might operate. Some of them were connected to the Internet like we know it today but in a kind of a read-only fashion. You know, you could bring information in from the Internet, but nothing was allowed to go out for security purposes.

  • 12:09:36

    WISNIEWSKIAnd now, you know, in the more modern age, this has kind of evolved into being more of, as you said, a shadow Internet or, you know, a parallel Internet almost that co-exists on the Internet but isn't visible. It's kind of --you know, it's encrypted and anonymous and, you know, the concept being no one can identify for sure anybody that's at either end of the connection.

  • 12:10:02

    WISNIEWSKISo when -- I may be able to communicate with you by pre-arranging something, but no one -- our service providers, our Internet providers and network operators -- no one in between can necessarily know where any bit of information is coming or going or what might be contained within that communications.

  • 12:10:19

    NNAMDIWell, the Internet was founded as a relatively open forum, and it remains one. What's the idea behind these networks, Chester?

  • 12:10:28

    WISNIEWSKIWell, because the Internet isn't, you know, designed to be entirely open, to a large degree, that means that privacy, security, all these concepts didn't really exist. I mean, if we go back to -- you know, the precursor to the Internet was known as the ARPANET, which was part of the Advanced Research Projects Agency within the military. And everything was academic, so it was intended to be open. There were no passwords on email accounts or logins for servers or anything.

  • 12:10:54

    WISNIEWSKIIt was completely wide open. And most of us require, or at least desire, a great deal more privacy than that, and the traditional Internet doesn't really provide that.

  • 12:11:04

    NNAMDIKaren, your organization Tor, originally a military project, plays a big role in what we're talking about today. What exactly is the Tor Project?

  • 12:11:13

    REILLYWell, Tor is a U.S. 501 (c)(3) that does a lot of research into privacy and anonymity. We also produce a tool that guards your privacy and helps to circumvent censorship by bouncing your communications through a volunteer network all around the world. So you have three hops to this network that are randomly selected. The idea being that no one node in this network has all the information about the route, so the destination and where the communications came from are completely separated.

  • 12:11:47

    NNAMDIT-O-R is short for the onion routing system. What do onions have to do with this?

  • 12:11:53

    REILLYWell, at each hop, there's a layer of encryption that gets peeled off. So you have basically an encrypted tunnel through this network.

  • 12:12:02

    NNAMDIWe're talking with Karen Reilly. She is development director for the Tor Project. Chester Wisniewski is senior security advisor with Sophos Incorporated at global data protection and security firm. And Jillian York is the director for international freedom of expression at the Electronic Frontier Organization. We'd be happy to hear from you, 800-433-8850. In this Tech Tuesday conversation about darknet, do you think the benefits of an anonymous Internet network outweigh the negatives? 800-433-8850.

  • 12:12:33

    NNAMDIJillian, you train people on these networks. Give us a sense of how this works. If I want to see some of these sites invisible to most of the world, can I get there using my regular browser?

  • 12:12:44

    YORKSo that's actually -- I think that one's a question for Karen. I mean, I train people, I advocate for them to use Tor because we -- you know, at the Electronic Frontier Foundation, we think that it's very important that people retain their sense of anonymity. But I'm going to have to pass that one to Karen.

  • 12:13:00

    NNAMDIKaren.

  • 12:13:01

    REILLYOK. Well, there's something called hidden services in Tor, which is the idea being that you don't know who's hosting the content which can be really important for activists not only because they need to guard their identity against people who want to track them down and arrest, maybe torture them, but also distributed denial of service attacks rely on knowing where the server is. So the site is hosted somewhere in the Tor network.

  • 12:13:28

    REILLYAnd instead of getting a direct connection to it, you go through the Tor network, and then there's a rendezvous point somewhere so that your connection and the connection from the server are meeting at some third point.

  • 12:13:41

    NNAMDIChester, once you have accessed the darknet, how do you navigate?

  • 12:13:46

    WISNIEWSKIWell, often, for these hidden services, as Jillian was talking about, we -- you need to kind of know where you're going. There are some sites on the Internet that lists some of these sites. There are some kind of, like, free blogging hosts that offer services to, you know, potential dissidents or anybody that wants to communicate through this private network, but I think it's important to kind of differentiate a little bit between these hidden services and simply using Tor.

  • 12:14:11

    NNAMDIYes.

  • 12:14:12

    WISNIEWSKIBecause while Tor is a great service, if you go through Tor and pop out the other end and go to Gmail, you're just accessing Gmail through an encrypted route that, you know, may provide some additional anonymity. But Google, to some degree, is still going to know what account you're logging in as and, you know, that account is still being accessed. And it's not -- it doesn't provide the level of protection that maybe if somebody were trying to kill me that I would want as opposed to these hidden services.

  • 12:14:34

    WISNIEWSKIBecause they occur entirely within the Tor network, they don't pop back out the other side onto the public Internet somewhere which makes them, to a degree, much more secure and safe for people that have concerns to use.

  • 12:14:46

    NNAMDIKaren Reilly, a Tor node operator volunteers the use of his or her computer as part of the larger network. How does that work?

  • 12:14:55

    REILLYWell, it's really easy to set up. We have a graphical user interface, and you just click a few buttons. Let's say I want to become a part of the Tor network. You can select whether you're a beginning or middle node or an exit node because at the exit node, the traffic looks like it's coming from your IP address. And -- but there's another way to do the entry node, which is also called a bridge, which you can also select. It's just that first hop into the Tor network.

  • 12:15:21

    REILLYBut for users where the government is putting a lot of effort into censorship, it adds some more blocking resistance. It's just the regular first node, but we only publish those bridge addresses a few at a time so that they can't be harvested and blocked.

  • 12:15:35

    NNAMDIChester, on principle, you'd like to be a node operator, but you decided against it. Why? You just mentioned in case someone's looking to kill you.

  • 12:15:44

    WISNIEWSKIWell, I hope no one is for that matter.

  • 12:15:48

    WISNIEWSKIBut, yeah, I mean, I would be really interested in the EFF's opinion about this, but I personally would have concerns about -- if I operate a Tor exit node, all of the traffic that people are using on the Tor network connecting back to the public Internet would appear to be coming from my computer or my connection to my ISP. And while I have, you know, lots of computer gear and a very nice, very high-speed Internet connection here in Vancouver, you know, I'm not sure what people might be using that connection for.

  • 12:16:16

    WISNIEWSKIThere's going to be both things that I would be proud to support and things that I might not be wanting to be associated with if law enforcement were come knocking on my door and go, you know, why is all this traffic from your computer, you know, attacking this website or downloading this child pornography or whatever it might be? So, you know, I don't know where the legal lines are drawn, and I think, you know, I guess that's the specialty of the EFF.

  • 12:16:39

    NNAMDIMeans your turn, Jillian.

  • 12:16:42

    YORKRight. So, unfortunately, I'm actually not a lawyer, so I can't give legal advice on that, but I would agree. I mean, Chester, I think that that is a legitimate concern of a lot of folks who would like to be operating Tor nodes. You know, in terms of what those users are using it for, I feel the same way, and so, you know, I'm sure that that's something that our lawyers would be happy to answer on an individual basis, of course.

  • 12:17:04

    NNAMDIKaren Reilly, the Tor browser is slower than the regular Internet. Why is that?

  • 12:17:08

    REILLYWell, part of it is the way that the Tor network is set up. It's going to -- though the selection is random, it's going to go to nodes that are geographically distributed. So you might be, say, connecting from Washington, D.C. You might go to a node in Sweden and then pop back to the United States and then onward to Germany or wherever, so there is a certain amount of latency just because of the distance involved.

  • 12:17:34

    NNAMDIHere is Mike in Alexandria, Va. Mike, you're on the air. Go ahead, please.

  • 12:17:38

    MIKEHi, Kojo, thanks for taking my call. I just have a question. Are the Tor nodes -- are they affected by either using IPv4 or IPv6 protocol? Does it make a difference?

  • 12:17:50

    NNAMDIAnd could you explain what the heck he's talking about, Karen?

  • 12:17:55

    REILLYOK. Well, IPv4 and IPv6 -- so an IP address is that string of numbers...

  • 12:18:01

    NNAMDISure.

  • 12:18:01

    REILLY...that actually tells a network where a computer is, where a resource is. And we're running out of addresses, and so they're actually adding more numbers to those. And there are some other technical things, like whether you add the address of your hardware into that as a permanent part of your address. So we're actually researching how to get IPv4 and IPv6 to play nicely together.

  • 12:18:27

    REILLYOne of the projects that we're rolling out, pluggable transports, where you run Tor traffic and make it look like something else other than the SSL connection, the encrypted connection, like logging into your bank or logging into your Gmail, to make it look like completely innocuous traffic. So, right now, you can run from IPv6 and then bridge over to IPv4, but that's something that needs a lot more research to streamline.

  • 12:18:54

    NNAMDIMike, thank you very much for your call. Jillian, you educate people on how to remain anonymous. You work in places in the world where citizens and activists face censorship and repression, places like Egypt, Syria, Russia. With whom do you work?

  • 12:19:10

    YORKRight. So we generally work with individuals, bloggers, for example, or activists, dissidents. What I do in this context is I like to give people a sense of how to analyze their own risk before they make any decisions about what they're going to do online. And so, for your average user, someone like me who lives in a U.S. city, I might not need to use Tor on a daily basis. I might feel comfortable and confident enough to use, for example, SSL encryption when I'm accessing my Gmail account.

  • 12:19:44

    REILLYBut for a user in Syria, that risk increases significantly, and so what I do is I generally will talk to someone, try to understand what they're using the Internet for, what types of things they're doing, and then advise them accordingly. And I would say that, right now, you know, if I were talking to just about anyone in Syria, I would be advising them to use Tor.

  • 12:20:05

    NNAMDIIt's not just dissidents abroad, Jillian, who might need protection and anonymity. There are also people here in the U.S. facing discrimination or prejudice of various types who might use these tools, are there not?

  • 12:20:17

    YORKAbsolutely. You know, we -- one of the things that EFF advocates for is anonymity both within the law and in terms of being able to use tools like Tor. And so it's absolutely true that anonymity is an important thing that there are -- you know, there are number of folks in the U.S. who will also need. And so Tor -- what's great about Tor is that it's for everyone. It's not just for dissidence. It's not just for law enforcement. It can be used by, you know, both of those parties and then some.

  • 12:20:43

    YORKAnd so, you know, I would use Tor if I were researching a very sensitive subject perhaps. And so it's really just about risk assessment.

  • 12:20:51

    NNAMDIBefore I go to break, Chester, there was news last week about censorship in Iran. The government there had managed to block even the encrypted Internet traffic that normally comes across networks like Tor. What happened? How did it happen?

  • 12:21:05

    WISNIEWSKIWell, this goes back to the bridging mode that we were talking about just a moment ago and that, you know, you can kind of profile or fingerprint computer traffic when it's going across a network and determine what type of traffic it might be. So you can see these packets going through the network and say, oh, this looks like it's a Skype conversation, or this looks like it's a conversation with a secure website. And they were able to basically fingerprint the pattern of information coming over the network that appeared to be Tor traffic.

  • 12:21:32

    WISNIEWSKIAnd that's why they came up with this plug-in architecture to kind of encapsulate the Tor traffic and make it look like it's something else that would be allowed to transit the network. That combined with the changing addresses that they're publishing in small numbers are helping bypass things like the Great Firewall of China, as it's known, or some of the new traffic filtering that they started instituting in Iran.

  • 12:21:57

    NNAMDIKaren, clearly any network that allows someone to be anonymous will attract criminal activity. But the privacy feature makes it very hard for law enforcement to track down illegal activity because even Tor doesn't know who these people are. Isn't that a major flaw in the system?

  • 12:22:14

    REILLYWell, it is a flaw, but also, it's important to consider that the protections that we put into Tor to protect activists, to protect victims of the very people that are -- that law enforcement wants to track down, if we were to put a back door for law enforcement, then that would be a exploited by people, like the Syrian government, like the Western companies that are actually working for the Syrian government among other law enforcement.

  • 12:22:41

    REILLYSo there is an amount of abuse on the Tor network and -- but none of us got involved in Tor to protect criminals, so we do reach out to law enforcement to help them with other tools because it's important to know that criminals -- one, they have much better tools. If you have a Tor network for nothing but evil -- it is known as a botnet -- a criminal organization will infect a large number of computers, and then they'll be able to use them to do whatever you can do on the wider Internet.

  • 12:23:13

    REILLYThey can host content. They can attack other systems. Those will -- if law enforcement said this Tor thing is horrible and passed laws to make us -- make it illegal, to toss us all in jail, those networks will still remain.

  • 12:23:27

    NNAMDIThe botnets.

  • 12:23:28

    REILLYThe botnets and various other...

  • 12:23:31

    NNAMDIGot to take a short break. When we come back, we will continue this conversation on Tech Tuesday about the darknet. You can still call us, 800-433-8850. How should child porn and other criminal activity taking place on the so-called darknet be controlled, in your view? 800-433-8850. You can send us a tweet, @kojoshow, or email to kojo@wamu.org. I'm Kojo Nnamdi.

  • 12:25:43

    NNAMDIIt's a Tech Tuesday conversation on the so-called darknet. We are talking with Karen Reilly, development director for the Tor project, which is a free software system that enables anonymous communication on the Internet. Chester Wisniewski is a senior security advisor with Sophos Incorporated, a global data protection and security firm, and Jillian York is the director for International Freedom of Expression at the Electronic Frontier Foundation, a nonprofit digital rights advocacy and legal organization.

  • 12:26:11

    NNAMDIYou can call us at 800-433-8850. You can send us a tweet at #TechTuesday or email to kojo@wamu.org, or you can simply go to our website, kojoshow.org. Join the conversation there. Allow me to pursue the criminal conversation for a while here, Jillian York, because your organization works with law enforcement to help them track criminals. And you get pretty broad support from law enforcement, isn't that correct?

  • 12:26:40

    YORKI'm sorry. Sorry, that's not exactly what we do. That's a tough one to answer.

  • 12:26:50

    NNAMDIWhat is the nature of your relationship, if any, with law enforcement? That's tough, too?

  • 12:26:57

    YORKSo most of my work is actually international, so this is not really a question that I can answer. I'm sorry.

  • 12:27:02

    NNAMDIOh, OK. Well, here's an email we got from Sandra in Bowie, Md., that doesn't deal with criminalities as much as it deals with the possible everyday use of Tor. Sandra says, "I'm a normal person who doesn't use the Internet for any illegal or controversial uses, but I do think there's way too much personal privacy invasion going on these days. But this conversation seems to be above my head. I'm hoping you'll pull back a bit to 10,000 feet and explain to us when, where and why I or someone else in my family should consider using Tor."

  • 12:27:33

    NNAMDI"For instance, would it be smart for me to use Tor before I access my online bank account or when I want to make an online purchase or sign a public petition? Will using Tor help protect us from bad guys trolling the Web, who want to track me or steal my information in some way?" I suspect the answer to all of that is no.

  • 12:27:50

    REILLYWell, when you're logging into your bank, there are already protections in place that basically scramble things, like your password, so that somebody snooping on your connection can't get to them. When you're in your browser, you'll notice that a lot of addresses start with HTTP or HTTPS. That S is for secure. Now, some websites enable that by default, like most banks. Gmail enables it by default. Not all Web providers do that, so that's a layer of protection.

  • 12:28:19

    REILLYUsing Tor for that purpose would be more if you don't want your Internet service provider to know that you're going to your banking website. There is a couple of other things that Tor and EFF actually address. The HTTPS issue, it was in the news the last time because if you were sitting at an Internet cafe logging into your Facebook account, if they didn't enable HTTPS by default, so somebody could sit there and use a tool called Firesheep, which meant that if your connection to Facebook wasn't secure, they could just click on your user name and they could -- they were you.

  • 12:28:59

    REILLYThey could friend themselves. They could post on your wall. So there are a lot of issues like that where it's -- when you're logging into third-party websites, you either want to make sure they have security by default or that you're using something like EFF's HTTPS Everywhere, which is a Firefox plug-in.

  • 12:29:19

    REILLYI would -- if you're searching for information on medications or medical issues and in particular, I would use Tor because there have been some cases where people have been fired or they've been denied medical insurance because they have a pre-existing condition according to their ISP records. And those don't fall under HIPAA.

  • 12:29:41

    NNAMDIJillian, how important are these anonymous networks like Tor to -- and others to the resistant movements across the Middle East and elsewhere like Russia?

  • 12:29:51

    YORKI would say that in many cases, these are absolutely vital. You know, like Karen said, there's certain levels of protection. So HTTPS is one great protection that people can use, but, you know, back in January of 2011, the Tunisian government was actually redirecting connections. They've cut off SSL, and they're actually redirecting those connections to sites like Facebook to a fake login page that a lot of people fell for and then had their accounts compromised.

  • 12:30:20

    YORKAnd so for activists, I guess, this sort of answers the question that just came in actually because it's true. If you're going to access your own Gmail account or your own banking account, you're not anonymous because those are accounts that you've already created, and using Tor would just be a bit redundant. But if you're a dissident, you may want to create an entirely anonymous account, and so you would want to create that account while using Tor to retain the utmost level of anonymity.

  • 12:30:47

    YORKAnd so, basically, you know, when you're looking at some of these movements, it's vital for people to essentially remain underground to be able to get information out of the country.

  • 12:30:58

    NNAMDIYou often travel to places where censorship and repression are severe. Your work likely doesn't make you very popular with governments in those countries. It's my understanding you're not welcome in at least one country.

  • 12:31:11

    YORKThis is true. There is one country that I'm not particularly welcome in. And I did use Tor while I was there, too, but that had nothing to do with it. Yeah, I know, it's true. There are a lot of places where my work is not very popular. I can give you an interesting example actually that relates to Tor. I was in Egypt a few weeks ago where, obviously, things are still...

  • 12:31:31

    NNAMDIYou put yourself at risk in Egypt. Yes.

  • 12:31:33

    YORK...sort of up in the air. And I was in a room full of people, and I was advising them on very basic safety. This was a group of individuals who, you know, didn't necessarily know about HTTPS. And I told them that they should use HTTPS, that they should use encryption. And then after the session, someone came up to me and whispered in my ear that encryption was, in fact, against the law in Egypt.

  • 12:31:53

    YORKAnd so that's the kind of situation where you might actually be better off using Tor in remaining anonymous than if you were just, you know, using SSL to access your email.

  • 12:32:05

    NNAMDIChester, there are, however, other uses of anonymous networks like Tor. Last fall, the hacker group Anonymous breached a notorious child porn site known as Lolita City. What happened?

  • 12:32:18

    WISNIEWSKIWell, you know, anonymity and free speech kind of cuts both ways. And we have to really carefully consider, you know, when we're talking about crime using these types of technologies and networks. It's really not any different to crime in the physical world and that, you know, if you have a gun, you can go hold up a 7-Eleven or you might be able to defend your family if you had an intruder in your home. And I think, you know, these anonymous networks work very similarly.

  • 12:32:41

    WISNIEWSKIAnd in this case, there's a free provider on this -- I believe it was on the Onion Network, which is part of the -- that's the Tor network that is only accessible through this encrypted anonymous connection -- and it's not on the public Internet -- that was hosting a bit of a cache of child pornography. And the stance of the provider that hosts that site on Tor says that free speech is free speech. They don't differentiate between any one type of content and any other type of content. And the -- I don't -- I hate to call Anonymous a group.

  • 12:33:14

    WISNIEWSKIBut I guess the people who ally with the concept of Anonymous decided that that was inappropriate and attacked the site and took it down and published the information of a lot people that logged into that site allegedly to access child porn.

  • 12:33:29

    NNAMDIAs we were talking early, criminals, drug dealers, cyber criminals, hackers, pedophiles obviously can and can -- do operate on these networks, including the Tor network. Do we have any sense of the extent of criminal activity on the so-called darknet? First you, Karen.

  • 12:33:46

    REILLYWell, the good news is that the number of child predators as opposed to the larger population is fairly low. Since we don't gather -- we can't connect who is using Tor to what they're looking at, we don't know if that is actually an incidence of somebody looking at child abuse images or somebody from law enforcement who's actually using the Tor Network to get to those images.

  • 12:34:08

    REILLYBecause, instead of blocking things, it's very important that law enforcement is able to get to those images to potentially identify the victims, compare them to a database of known victims, and potentially rescue people. There was actually a -- a criminal network was taken down in Canada recently, and I believe it was something like 22 victims were actually found and rescued. But there is no simple solution to this issue.

  • 12:34:38

    NNAMDIAs evidenced by this, Chester, the hackers released the identities of many users of the particular porn site that Anonymous took down. But some have said that the hacker take-down could very well have interfered, as Karen was just implying, with law enforcement action against some of these sites. Is it possible they did more harm than good?

  • 12:34:57

    WISNIEWSKIYeah. That -- I'm one of the people that shares that opinion. I mean, we work with law enforcement quite frequently on tracking down people that distribute computer viruses. And, of course, we, unfortunately, run into, you know, child abuse content in our work and have to report it and work with law enforcement on helping them gather the information necessary to legally arrest these people and track down all the right people and make sure that, you know, as was pointed out, that we're not interfering in something before we can find the victims potentially.

  • 12:35:27

    WISNIEWSKIAnd, of course, I'm not in law enforcement, so I can't speak on their behalf. But when we see many of the activities that Anonymous has been involved in, allegedly to speak on the behalf of all of us that care about free speech, in many cases, the people that they're going after, they are potentially blowing investigations open that means that some of these criminals would -- can go free.

  • 12:35:48

    NNAMDIWell, a lot of people would like to use, so allow me to go back to the telephones. I'll start with Kathleen in Fairfax, Va. Kathleen, you're on the air. Go ahead, please.

  • 12:35:59

    KATHLEENHi. I wanted to know -- going back to the subject of HIPAA and the ways in which an ordinary citizen might want to check themselves using Tor and the circumstances under which they might want to do so, is there any such protection similar to Tor or some sort of subset of the services that Tor provides that can -- over a mobile phone?

  • 12:36:18

    NNAMDIIndeed.

  • 12:36:19

    KATHLEENAnd if so, since there are a lot of -- do almost all their Internet browsing over mobile phones these days.

  • 12:36:26

    NNAMDIIndeed. Jason emailed to ask, "Can Tor be used with smartphones? If not, is an app in the works?"

  • 12:36:32

    REILLYThere's actually another organization, the Guardian Project, that does a lot of things with mobile security, but one of the things that they do is they produce some -- an app called Orbot and Orweb, which you can get in the Android Market. We use Android because it's an open platform that can be audited for security, and you can modify it in the ways that the app needs. And you can just download that from the Android Market.

  • 12:36:56

    REILLYYou might need to root your phone if you want to use it with other applications. But as it stands, if you download Orbot and Orweb and use that browser, then you can use Tor over your mobile connection.

  • 12:37:09

    NNAMDIOn to the Alan in Annapolis, Md. Alan, you're on the air. Go ahead, please.

  • 12:37:15

    ALANGood morning, Kojo. Do you read me OK? I'm on a cellphone.

  • 12:37:19

    NNAMDIWe hear you OK.

  • 12:37:22

    ALANA quick question for your experts there. I'm very interested in Tor and will look into it further. But I have a more basic question based upon an assumption I made. I set one of my -- oh, I've been using PCs, Microsoft based for 30 years (unintelligible) 2.01. I've set my main machine as a triple boot on the assumption that incoming spam, malware, whatever you want to call it, is -- gets directed to drive C. And I regard that as my trash dump. Am I all wet, or should I -- or am I on the right track?

  • 12:38:10

    NNAMDII don't know. Chester, care to respond?

  • 12:38:13

    WISNIEWSKIYeah. I don't think that technique would be particularly effective against the modern attacks in malware of, you know, nasties getting into your machine, unfortunately. You know, really, the best approach, if you're really paranoid about security, they do -- you know, people do produce what, you know, are called live CD. And if you boot that live CDs -- in fact, there's one, I believe, that includes Tor.

  • 12:38:34

    WISNIEWSKIEven if you want to play with Tor, it's a great way to use Tor because a lot of the complexities -- and we're talking about encryption and, you know, traffic fingerprinting and all these different things that are above the head of a lot of people. And, unfortunately, with Tor, one of the drawbacks of it is if you don't use it correctly, you can actually leak private information by accident if you don't really understand the technology well or haven't been educated on how to use it properly.

  • 12:38:55

    WISNIEWSKIAnd so you can boot one of these live CDs, and it pretty much kind of makes you a bit immune to malware if it's a concern because that way, you know, the CD is not writable. Every time your computer boots up, you've got a clean browser to surf the Internet. And if you want, you can have that be a Tor CD that automatically sends you through the Tor network and makes all of your communication private. And then when you want to do some productivity work or whatever, maybe you reboot back into your C drive in Windows and fire up Microsoft Word and start working on your novel.

  • 12:39:22

    WISNIEWSKIAnd that kind of is one way of -- if you do all your surfing on one of these live CDs, or even just your banking. Personally, I boot a system specifically just to do my banking 'cause I'm very worried about my bank being compromised, my account being compromised, and I don't bank from my regular PC where I do my regular surfing activity, just to kind of keep them isolated. I might be a bit paranoid, but I have a hunch they might be after me.

  • 12:39:43

    NNAMDIAlan, thank you very much for your call. Here is Jorge in Takoma Park, Md. Jorge, your turn.

  • 12:39:51

    JORGEHi there. Well, the government of the United States is extremely powerful in technologies to actually track you down and even check your email. And people don't know that actually the government is in touch (unintelligible) with Yahoo, Gmail to actually read your email in case of -- they suspect, even political activity. So I'm wondering how we can make sure this amazing tool, Tor, is not being infiltrated by the U.S. government.

  • 12:40:22

    JORGEAnd, actually, they can track you down (unintelligible) of the fact that they are providing this platform without us knowing, or actually they're infiltrating it in any way. And they are able to read the email, the password, the encryption of (unintelligible).

  • 12:40:45

    NNAMDIIndeed, Jorge is following up on Chester's humorous remark. The reason I'm paranoid is because they're after me. Jorge asserts that the government is into all of our email. Can Tor prevent them from doing that?

  • 12:40:57

    REILLYWell, if you are using your real name to log in to Gmail and they serve a subpoena to a provider that's in the United States, then, of course, they can get that -- to that information. So you might need to use a host that's outside of your country that has a habit of responding to subpoena requests with, no, come back with more documentation, that will push back. The other thing to do is to use a pseudonym instead of your real name and connect over Tor.

  • 12:41:28

    REILLYThere's actually a lot of information for activists about how to blog and access email anonymously. Now, when it comes to the Tor Network itself, the software is open source. So if -- even if you don't have the technical chops to look at it, you can ask a friend to. And there's also a large academic community that looks at Tor. So if we were to put in a backdoor, at the behest of the United States government or somebody else, then it would be discovered. And we would get flamed on our blog.

  • 12:41:57

    REILLYThere would be lots of posts everywhere. So open source software is actually more secure in that way because, instead of locking it away and making somebody reverse engineer it, which only adds a couple of days to their efforts, it's open so that your allies can actually look at it and point out your mistakes.

  • 12:42:16

    NNAMDIGot to take short break. When we come back, we'll continue our Tech Tuesday conversation on the darknet and take your calls at 800-433-8850. You can send us a tweet at #TechTuesday or email to kojo@wamu.org. I'm Kojo Nnamdi.

  • 12:44:17

    NNAMDIIt's a Tech Tuesday conversation on the so-called darknet with Jillian York, director for International Freedom of Expression at the Electronic Frontier Foundation, which is a non-profit digital rights advocacy and legal organization. Chester Wisniewski is senior security advisor with Sophos Incorporated, a global data protection and security firm. And Karen Reilly is the development director for the Tor Project, which is a free software system, Tor, that is -- that enables anonymous communication on the Internet.

  • 12:44:45

    NNAMDIWe're taking your calls at 800-433-8850. Karen, recently, there was a great deal of debate over SOPA or the Stop Online Piracy Act. It failed for the moment. But how might that kind of legislation affect Tor?

  • 12:45:00

    REILLYWell, there is a provision in the law that says that circumventing the provisions would be subject to some sort of legal penalty. The parts of SOPA that worry privacy and Internet security advocates are the ones that mess with the DNS system, the domain name system, which is one of the core parts of the Internet. It's as simple as asking a server, where is this site I want? Give it to me.

  • 12:45:26

    REILLYAnd so, instead, you'd have a system which says, where is this site I want? And the reply would be, I am sorry, that's deemed illegal. So you either -- so you can't have it. Or -- and this is the same way that censorship is done. When you ask for a politically sensitive website and instead of getting that website, you either get parts of it according to which keyword filters are tripped, or you get a webpage that says, I'm sorry, this is against the law. Or you get a false version of the website, which is particularly troubling.

  • 12:45:59

    REILLYThat might -- when you connect toward Tor website in another country, it may be beautiful. It may be formatted in the local language very beautifully. There is actually one of those floating around. But when you download Tor from it, you're not getting actual Tor. And this is a way that criminals -- actually, phishing websites are leading you to a site that may look like, say, your bank but really isn't. So putting that into the Internet with law is a really troubling thing.

  • 12:46:30

    NNAMDIChester, you've got concerns about what might happen if the government starts censoring the Internet in the name of stopping piracy.

  • 12:46:37

    WISNIEWSKIRelated to very similar things in that, you know, the domain name system is something that we're starting to rely on for security. There's a new protocol actually being pushed ironically enough by the U.S. government at the same time that they're trying to manipulate it and break it. But it's called DNSSEC or domain name service security. And this allows us to make sure that when we go to PayPal or we go to our bank or we go to Facebook, that it's actually Facebook.

  • 12:47:04

    WISNIEWSKIWe can verify kind of this digitally signed -- it's like a digital notary that says, yes, in fact, the site you're going to not only says it is, but if the Tunisian government is intercepting all your traffic and trying to pretend to be Facebook, you would be able to tell that that actually isn't Facebook.

  • 12:47:20

    WISNIEWSKISo, on one hand, you've got, you know, the military side and the DOD side pushing this protocol called DNSSEC that will ensure that these types of things don't happen including phishing or, you know, potentially for dissidents or other people as well that may have their traffic intercepted. And that on the other hand, you've got the U.S. Congress trying to pass a law that will basically break all of this technology that will enhance our security.

  • 12:47:43

    WISNIEWSKISo personally -- I'm not speaking on behalf of my organization in this case, but, personally, I'm happy to see that it's went away. And fortunately, even before SOPA and PIPA, kind of, took a nap, I guess, I think they'll come back. The provisions to mess with the DNS system that would break the security enhancements were removed from the bill and hopefully won't be reintroduced.

  • 12:48:03

    NNAMDIIf you'd like to join the conversation, call us at 800-433-8850. Can and should the so-called darknet be regulated? Do you think the benefits of an anonymous Internet network outweigh the negatives? 800-433-8850. Send us a tweet at #TechTuesday, email to kojo@wamu.org. Or simply go to our website, kojoshow.org. Join the conversation there. Jillian York, do you think the so-called darknet should be regulated in some way? Can it be, in you opinion?

  • 12:48:34

    YORKNo. You know, I don't think it can be. And this is -- it's very similar to the debate that's happening around whether or not social networks should allow anonymity. We've, you know, spoke out about this a number of times in that we recognize that anonymity can be abused, that it can be used by bad actors. But at the same time, you know, the EFF believes that the good uses of these tools and the good uses of anonymity outweigh the bad.

  • 12:48:56

    NNAMDIWell, Karen, getting back to the other use of Tor, dissidents and other activists who need to remain anonymous for their safety, what are the ways a government can control someone's Internet use? You talked earlier about governments filtering search results, but I guess they can also block sites completely.

  • 12:49:13

    REILLYYes. They block, which is actually one of the least troubling things. When you have blockage that is lifted, where access to Facebook and Gmail and these other services is available again, that's what actually stops us in our tracks and what makes us advise more caution because surveillance is part of this. With deep packet inspection, you can tell the content of somebody's communications. You can intercept their passwords. You can infiltrate a whole network of activists. So -- and you can't have censorship without such surveillance.

  • 12:49:52

    NNAMDIBack to the telephones. Here is Joseph in Ellicott City, Md. Joseph, you're on the air. Go ahead, please.

  • 12:49:59

    JOSEPHOK. Thank you, Kojo. I would just like to say that while I find the Tor network fascinating and very interesting, I seem to -- this is also about -- sorry. The -- it seems that the way you guys are mischaracterizing the deep Web is like, you know, mostly the Tor network when it's really not. I mean, it's vastly larger than, like, the Tor network.

  • 12:50:23

    JOSEPHAnd mostly there's, like, academic, like, libraries and catalogs and stuffs, you know, with, like, very specialized resources. And, you know, you make it -- and while the Tor network is a very important part of it, it just seems the way you guys are focusing on it, you know, which makes sense due to its importance, but seems just so, like, per se -- sorry -- mischaracterize the entire darknet language, OK?

  • 12:50:56

    NNAMDIWell, allow me to have Chester elucidate. Chester, exactly what is Joseph talking about?

  • 12:51:02

    WISNIEWSKIWell, I think there might be a little bit of confusion in terminology 'cause, unfortunately, there's a lot of overlapping terms. And there is a term known often as deep net or the hidden Internet, meaning all the content that's not obviously visible on the Internet. And that would be things like, say, you go to a site, and the only way you know that there's some page in there is that you have to type in some search term to go look for it.

  • 12:51:24

    WISNIEWSKIAnd Google wouldn't index that, and Bing wouldn't index that. And that would be considered part of the deep net or deep Web, and that content is enormous, as the caller points out. I mean, there's just tons and tons of stuff that you actually don't see on the Internet when you search Google or Yahoo or anything else, whereas, when we're specifically talking more about darknets here, I think we're talking about sites that aren't actually on the regular, normal Internet.

  • 12:51:49

    WISNIEWSKIYou cannot get to them necessarily through -- without something like Tor. They're hidden, cloud-encapsulated, encrypted, you know, cloud out there that's separately contained within the Internet that is not only not accessible to Google but it's not available unless you yourself join this encrypted, anonymized network.

  • 12:52:11

    WISNIEWSKIAnd while there's some overlap there -- and I can both use that same term -- I guess, today, we're mostly addressing the separate, hidden network that is totally inaccessible on the Internet, not just inaccessible to Google, unless you have Tor installed or -- there's other things, too. There's something called I2P, which is another kind of -- very Tor-like hidden Internet, except it doesn't provide a portal to the free, regular, open Internet like Tor does.

  • 12:52:38

    WISNIEWSKII mean, Tor can be used in multiple different ways. But I think what the caller is referring to is more of hidden information that's -- not necessarily requires this encryption technology to get a hold of.

  • 12:52:49

    NNAMDIGlad you could make that distinction because we have done broadcasting before about the deep net. But we got a tweet from B (sp?), asking, "If I use any of these anonymizing technologies, might I stumble upon content I don't want to see?" Karen?

  • 12:53:06

    REILLYIt's really difficult to get to some of this really disturbing content without actively searching for it. People tend not to stumble upon it. Where people do stumble on it is if somebody reaches out to you through a chat program or something like that. But you're not just going to be surfing the Web, looking for pictures of puppies and end up with something that's going to scar you for life.

  • 12:53:27

    NNAMDISo, Chester, how do networks like Tor allow users to see blocked websites or get past filters put in place by repressive governments? This is a follow-up on the question I was asking Karen about governments simply blocking websites and the like.

  • 12:53:41

    WISNIEWSKIYeah. That's -- one of the best uses of things like Tor, especially if you think that somebody might be spying on you, whether you're, you know, in the United States or you're in Tunisia, it doesn't really matter 'cause one of the beauties of Tor is, in essence, it gives you a window into the world somewhere else, right? So if I suspect my -- the RCMP up here, the Mounties may be monitoring my Internet connection, and I think that they're trying to access my Facebook, I can pop on the Tor network.

  • 12:54:06

    WISNIEWSKIAnd because, after making these random hops around the globe in this encrypted fashion with the way it works, and I may be popped out in Sweden, I now have a view of the world from Sweden. So in order to intercept my connection to Facebook, Swedish law enforcement would need to be sitting there at the other end of that Tor connection, intercepting or redirecting my traffic in order to capture my information.

  • 12:54:28

    WISNIEWSKIAnd so that's kind of the beauty, is wherever you pop out, you're, in essence, in whatever country, having a view, as if you're an Internet user there, of the world. And if you're somewhere that you know Internet is being monitored -- like a lot of the countries we've been speaking about on the show today -- it's very comforting to know that you can choose to come out in the United States or choose to come out in Germany and have a view of the world as if you are there.

  • 12:54:51

    NNAMDIBut, Jillian York, even using tools like Tor, is it still possible to reveal your identity?

  • 12:54:58

    YORKSo it is if you're not using it correctly, and I'm sure Karen can elaborate on that a little bit more. But, you know, if you're -- if -- I just wanted to come back to the previous question. You know, if you're in a country where, say, Facebook is blocked, you -- you know, you're -- if you're using Tor, like Chester said, you're coming out on the other end. But you would reveal your identity if you had, say, created that Facebook account without using Tor, you know, using your real name and whatnot, and then you access it using Tor.

  • 12:55:30

    YORKAnything you post on there could still be subpoenaed by law enforcement. So that's an important thing to keep in mind. If you want to remain entirely anonymous while using, say, social networks or email, you need to be creating that account while using Tor. Otherwise, it's connected to your IP address.

  • 12:55:46

    NNAMDIKaren.

  • 12:55:49

    REILLYWell, one of the things that we do talk to law enforcement about is that our goal is not to make their job impossible. Our goal, as civil liberties advocates, is to make them follow old procedures in line with the Constitution or whatever civil rights protections there are available in your country -- in other words, using technology to say, come back with a warrant.

  • 12:56:13

    REILLYSo if you are being tracked by law enforcement, they can still get a warrant and search your home. They can get content on your computer. And so this is one of the things that law enforcement will have to do in the future as technology available to criminals gets better and better, frankly, better than what most activists have access to.

  • 12:56:36

    NNAMDIWell, Chester, there are commercial providers that offer privacy and protection on the Internet. Your connections go through normal Internet channels. If you're operating legitimately but just want to remain anonymous, why not use those?

  • 12:56:49

    WISNIEWSKIWell, depending on the provider, I mean, I think you're referring to some of these virtual public -- virtual private network providers or VPN providers.

  • 12:56:56

    NNAMDIYes.

  • 12:56:57

    WISNIEWSKIAnd, you know, I use one for some of my communications. It's great, except the issue is, of course, that all of your traffic is always connecting to a certain point on the Internet and popping out at the same point on the Internet. So if that provider is subpoenaed, et cetera, they would be -- they know your identity. You have a relationship with them, especially if you're doing some sort of financial transaction.

  • 12:57:20

    WISNIEWSKIAnd also, your traffic is always known to be coming from the same point. So if somebody was wanting to watch your communications, you'd always be coming from this one provider and this one location on the Internet. And they potentially could go there to watch your activities as opposed to Tor, where it kind of pops out all over the place, in many different random places and gives a lot more diversity.

  • 12:57:41

    WISNIEWSKII just want to comment on the Come Back With a Warrant. I actually have an EFF, Come Back With a Warrant sticker on my laptop that I'm here in the studio with today. So I was glad that you mentioned that. But, you know, I think that's an important thing here, is that a lot of these things, you know, when it comes to law enforcement side, I don't think any of us oppose law enforcement. In fact, many of us work very hard to help them, but we want them to do it within the confines of the way it should be done.

  • 12:58:02

    NNAMDIChester Wisniewski is senior security adviser with Sophos Incorporated, a global data protection and security firm. Thank you for joining us. Come back with a warrant, says Jillian York, director for International Freedom of Expression at the Electronic Frontier Foundation. Jillian York, thank you for joining us.

  • 12:58:18

    YORKThank you for having me.

  • 12:58:19

    NNAMDIAnd Karen Reilly is the development director for the Tor Project, a free software system that enables anonymous communication on the Internet. Thank you for joining us.

  • 12:58:27

    REILLYThank you.

  • 12:58:28

    NNAMDIThank you all for listening. I'm Kojo Nnamdi.

Related Links

Topics + Tags

Most Recent Shows