If you ask a reasonably informed techhead how you can hide yourself from the comprehensive surveillance by the US National Security Agency (NSA), chances are they’ll recommend using Tor, a system for concealing your location on the internet, and therefore your identity. But you’d be a fool to imagine using Tor alone provides a magic cloak of invisibility, as alleged child p-rnographer Eric Eoin Marques recently discovered.

The Tor anonymity network started life as The Onion Router, a project funded by the US Naval Research Laboratory intended to help secure naval communications. Now it’s run by the Tor Project, a US-based non-profit with a diverse funding base including the US and Swedish governments, the US National Science Foundation and myriad small donors.

What the hell is it?

Sign up for a FREE 21-day trial and get Crikey straight to your inbox

By submitting this form you are agreeing to Crikey's Terms and Conditions.

Images from Tor Project

It’s all in the name. Imagine that Alice wants to send a package to Bob and wants Bob to send a package back, but she doesn’t want Bob to know where she lives. (Alice and Bob are the traditional participants in these explanations.) Alice therefore enlists her friend Carol as a trusted intermediary. Alice puts her package for Bob in a bigger box addressed to Carol and sends it off. Carol opens the bigger box and sends the package inside on to Bob, having first added her return address. When the time comes for Bob to send his package back to Alice, he sends it to Carol. Carol puts the package back in the box that Alice sent and sends it on to her. Bob never learns Alice’s address, only Carol’s.

The problem with this simple set-up is that Bob could pressure Carol to reveal Alice’s address. To help prevent that, further intermediaries are added. Alice sends a huge box to Carol, who opens it and sends the box inside to Dan, who opens that box and sends it on to Evan and so on. The layers of boxes within boxes being gradually opened are like the layers of an onion being peeled back, hence The Onion Router.

How does the encryption work?

In Tor, each box-within-a-box is a layer of encryption. There’s a network of more than 4000 parcel-passers — Tor “nodes” running on computer capacity donated by the network’s users — and every time someone uses Tor, it chooses a different random path through that network. Browse to a different website and it’s a different random path again. Every node uses a different encryption key.

Data from half a million users is bouncing around this network randomly, so even if you intercept some of the traffic and, with massive computer power behind you, decrypt it, chances are you’ll merely peel back one layer of the onion, only to find another encrypted layer inside.

Tor can also be used to host “hidden services”, their location unknown to users. The most (in)famous is the Silk Road marketplace, which turns over about US$15 million a year, an estimated 70% of it illegal drugs. But like any tool, Tor is neutral. It can protect the identity of freedom fighters, whistleblowers, journalists’ sources, undercover cops or people simply wishing to retain their privacy, as well as that of criminals and enemy spies.

With your internet data being bounced randomly all over the world multiple times, and with all the maths-heavy encryption and decryption along the way, browsing the web through Tor is substantially slower than a direct connection. But the benefit is that for an outside observer, unravelling who’s connecting to what becomes an extremely difficult task.

Can it be cracked?

It’s not impossible. For a start, Tor users have to drastically change their habits to avoid revealing their internet address by other means. It’s long been known that nearly everyone’s specific configuration of web browser, plugins and so forth is unique, meaning it can be used as a fingerprint to identify your computer. Forgetting to use Tor when visiting just one website, which then logs your internet address, could provide the one correlating data point investigators need.

That’s how the FBI tracked Hector Xavier Monsegur, aka “Sabu”, a key member of the LulzSec hacker crew, to his New York apartment. As “cyber-insecurity expert” Robert Graham wrote:

“Just once, he logged onto IRC [internet relay chat] without going through Tor, revealing to the FBI his IP [internet] address. This reveals a little bit about the FBI, namely that they’ve infiltrated enough of the popular IRC relays to be able to get people’s IP addresses. We’ve always suspected they could, now we know.”

A Tor user could also be persuaded to visit a website that infected his or her computer with malware that reported its address or even scoured it for personal information — in our pass-the-parcel scenario that’s like Bob sending back a package with a hidden camera or some other booby trap. Or some of the 4000 Tor nodes could effectively be double agents, reporting back data from inside the system that could make it easier to unravel the connections.

Which brings us to Marques, a 28-year-old Dublin resident who was arrested earlier this month on charges that he is, in the words of the FBI, “the largest facilitator of child p-rn on the planet”. According to a blog post by the Tor project’s executive director Andrew Lewman, Freedom Hosting, a provider that specialises in Tor hidden services and from which, it is alleged, Marques’ services were operating, had been hacked and was attempting to infect visitors’ computers — exactly that booby-trapped package scenario.

Do “legitimate” users need to worry?

While taking down an alleged child p-rnographer is a clear win, this should also serve as a wake-up call to “legitimate” Tor users, according to security and intelligence commentator John Little in a post at his fine Blogs of War entitled “Tor and the Illusion of Anonymity“:

“Tools are not perfect and in the case of widely used tools like Tor they are also incredibly high-profile targets. Intelligence and law enforcement agencies are in search of secrets and they will go wherever those are found. They will crack open those layers of secrecy whatever the cost.

“If you think you can subscribe to a VPN, fire up Tor, and take on a world power you are in for a very rude awakening.”

Indeed, Bangkok-based security researcher “The Grugq” explains the complexities of online operational security (OPSEC, as spooks call it) at his blog Hacker OPSEC and in presentations like OPSEC for Hackers:

“The financial cost of compromising the Tor network is not even a rounding error in a nation state budget. Furthermore, Tor is not new. It isn’t as if nation state level adversaries just woke up last week, ‘Holy shit, this Tor thing! We better get on that!’. It is conceivable that a nation state has been setting up cover organisations, using agents, and compromising existing hosts for years with the sole goal of subverting the security of the Tor system.”

As Little puts it:

“Online anonymity is still possible but it is not something within the grasp of the casual user and it is not available via a simple software solution. You have to work for it, you have to have technical expertise, you have to sacrifice time and online social interaction.”

Stilgherrian adds: An earlier version of the headline on this story read as if the FBI had hacked Tor. As far as we know, this isn’t the case. The FBI appears to have hacked the computers of some Tor users by exploiting a month-old vulnerability in the Firefox web browser, which had previously been distributed with a package of software including Tor. There’s a message there about updating all your software promptly, whoever you are.