FC: More on German Net-anonymity service backdoor, from bugtraq

From: Declan McCullagh (declanat_private)
Date: Thu Aug 21 2003 - 21:05:55 PDT


---

Subject: Re: Popular Net anonymity service back-doored
From: Andreas Kuntzagk <andreas.kuntzagk@mdc-berlin.de>
To: bugtraqat_private
Date: 21 Aug 2003 18:42:08 +0200

On Thu, 2003-08-21 at 06:56, Thomas C. Greene wrote:
> Popular Net anonymity service back-doored
> Fed-up Feds get court order
> http://theregister.co.uk/content/55/32450.html
...

Please see the news release of the AN.ON project:
http://www.datenschutzzentrum.de/material/themen/presse/anonip_e.htm

"... Since it is not permissive to release information about current
proceedings according to German law, the project partners did not inform
the public at first. Based on the fact that the developed software has
been released in the source code since the beginning of the Open Source
Project, also the implemented recording function was of course released.
..."

Andreas

---

From: Richard Stevens <mailat_private>
To: "Drew Copley" <dcopleyat_private>, <bugtraqat_private>
Subject: Re: Popular Net anonymity service back-doored
Date: Fri, 22 Aug 2003 00:35:13 +0200


Hi,

first, let me make one thing clear, I think what happened is very bad.
They should have done anything else but secretly bug their system. But
your logic is seriously flawed.

> German police have no jurisdiction in the US, for instance, just as the
> US police have no jurisdiction in Germany -- apart from whatever
> agreement Germany has made with the US regarding post-WWII treaties or
> whatever.

Very unpleasant for sure but also highly irrelevant. The people running
AN.ON are German entities operating under German laws being situated in
Germany. They were the ones that received the court order so they had to
do something. If there are international users or not is really highly
irrelevant in this case. Nobody claimed that German police or courts had
jurisdiction in the US.

> Still, I do not think anyone would be pleased if it was found that the
> NSA backdoored a US product. How much moreso of a problem would this be
> if local police backdoored a system such as this anonymity system?

Well, you can be sure, people are not pleased here, either. But do you
really think if American police or better yet the FBI would demand some
kind of tracking for an anonymizer in the US, they'd care about
international users? Maybe the individuals operating the anonymizer would
react better but I'd be surprised if American law enforcement agencies
wouldn't use similar measures if they could by law (not sure about
American laws).

> This kind of crime sends a message to would be hackers. It says that it
> is okay to hack if the end is justified. Hackers, you may not have
> jurisdiction in Germany, but if you are hacking pedophiles or Neo-Nazis,
> they are law breakers, so your means must be okay. Do people really want
> this? Can anyone really be trusted with this? Wouldn't they hit the
> wrong people and make all sorts of bad mistakes for which they would not
> be held accountable for?

Not really. It's not a crime. You can argue about the correctness of
their decision to secretly implement this backdoor in an *anonymizer*
instead of standing up and tearing the service down. But following a
valid court order is not a crime. Even though I really don't like those
laws but spying on people seems to be hip after the events of
September 11th.

Regards,

Richard

---

To: bugtraqat_private, full-disclosureat_private
Cc: "Thomas C. Greene " <thomas.greeneat_private>
Subject: Re: Popular Net anonymity service back-doored
References: <200308202156.22920.thomas.greeneat_private>
From: Florian Weimer <fwat_private>


"Thomas C. Greene " <thomas.greeneat_private> writes:

> traffic might be going straight to Big Brother, right? Wrong. After
> taking the service down for a few days with the explanation that the
> interruption was "due to a hardware failure", the operators then
> required users to install an "upgraded version" (ie. a back-doored
> version) of the app to continue using the service.

This is technically incorrect.  As far as I know, the client update is
completely unrelated.

The logging functionality has been implemented in the mixes
themselves, otherwise you would be able to circumvent it by using a
different client.  The CVS commit occurred on 2003-06-27.  Logging is
implemented this way: if the last mix in the cascade (which sees the
request in the clear) detects a suspicious request, it is logged
together with an ID.  The ID is transmitted (through the cascade) to
the first mix, which logs the ID and the IP address.  Combining the
two log files, it is possible to collapse the cascade and backtrack
the requests.  This exploits that TU Dresden operates both the first
and last mix in the Dresden--Dresden cascade (which is the only one that
works reliably, AFAIK).

An employee of TU Dresden described this scheme in an interview with
Heise Online, a German online news site, back in October 2001.  He
announced an implementation within the next six months, but I don't
know at the moment if he was speaking for the JAP project as a whole,
or if he was just expressing his own ideas.

According to the news sources I have read, the court requested
surveillance based on the target IP address.  However, the source code
does not contain code to monitor specific (target) IP addresses, but
an elaborate URL screening facility, based on regular expressions.
Just by specifying ".*", it should be possible to log all requests
(and the corresponding IP addresses).  I don't know why the source
code doesn't implement the surveillance based on IP addresses, as the
court allegedly requested.

> "What was the alternative? Shutting down the service? The security
> apparatchiks would have appreciated that - anonymity in the Internet
> and especially AN.ON are a thorn in their side anyway."

Note that this kind of target-based monitoring would be much harder on
the plain Internet unless the remote site is willing to cooperate.  A
broken anonymizer makes this type of surveillance quite easy.

> But that's not the point. Disclosure is the point. The JAP Web site
> still claims that anonymity is sacrosanct: "No one, not anyone from
> outside, not any of the other users, not even the provider of the
> intermediary service can determine which connection belongs to which
> user."

The official declaration ("Selbstverpflichtung") of the mixes, which
promises that neither logging will be enabled nor backdoors will be
implemented, hasn't been updated either.

However, perhaps the JAP team at TU Dresden hadn't much choice.  I
haven't seen the court order, but I could imagine that they weren't
allowed to inform the users because it would have harmed the criminal
investigation.  Following the order while fighting it within the legal
system is perhaps a wiser choice than just resisting it (and thus
breaking the law yourself).  But I agree that it takes them awfully
long to update their web site, now that some information is public.

Finally, they could have avoided all the hassle if they hadn't
published the source code.  Why did they publish?  I don't believe
it's an accident.

For BUGTRAQ readers: Symantec strips message headers.  The original
To: and Cc: are:

To: bugtraqat_private, full-disclosureat_private
Cc: "Thomas C. Greene " <thomas.greeneat_private>
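The logging scheme described in the message above, modelled as an added example (this is not code from the JAP/AN.ON source or from any poster in the thread). The function names, the sample requests and the use of `re.search` for URL screening are assumptions made for illustration. It shows why one party holding both the first-mix and last-mix logs can link users to requests, and how an auditor can flag a screening pattern such as ".*" as untargeted.

```python
import re
from itertools import count

# Constructed requests: (client_ip, url). Addresses are documentation ranges.
REQUESTS = [
    ("192.0.2.10", "http://watched.example/forum"),
    ("198.51.100.7", "http://news.example/today"),
    ("203.0.113.5", "http://watched.example/login"),
]

def run_cascade(requests, patterns):
    """Model of the scheme: the last mix screens clear-text URLs and logs
    (id, url); the id travels back through the cascade to the first mix,
    which logs (id, client_ip). Returns (first_log, last_log)."""
    screens = [re.compile(p) for p in patterns]
    ids = count(1)
    first_log, last_log = {}, {}
    for ip, url in requests:
        if any(s.search(url) for s in screens):
            rid = next(ids)
            last_log[rid] = url   # last mix sees the request, not the user
            first_log[rid] = ip   # first mix sees the user, not the request
    return first_log, last_log

def collapse(first_log, last_log):
    """Join the two logs on the shared id. Only a party holding both logs
    can link an IP address to a request."""
    shared = first_log.keys() & last_log.keys()
    return sorted((first_log[i], last_log[i]) for i in shared)

def overbroad(pattern, probes=("http://unrelated.example/",
                               "https://a.invalid/x?y=1")):
    """Audit check: a screening pattern that matches unrelated probe URLs
    is not limited to a specific target."""
    return all(re.search(pattern, u) is not None for u in probes)

if __name__ == "__main__":
    targeted = r"^http://watched\.example/"
    for pat in (targeted, ".*"):
        first, last = run_cascade(REQUESTS, [pat])
        print(pat, "overbroad:", overbroad(pat), "linked:", collapse(first, last))
```

With the first and last mix run by independent operators, each would hold only one of the two dictionaries, and `collapse` on a single log yields nothing.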




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------



This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 00:32:26 PDT