Anonymous is not anonymous

A good friend emailed me the other day to ask if I thought using Tor’s network and software is truly as secure as everyone thinks. My immediate reply was no, I don’t think Tor or any other so-called anonymizing service is truly secure. If you want absolutely anonymity, don’t use the Internet.

No service or product can claim to give you absolute privacy or anonymity. Here are six good reasons why.

[ The Internet is not secure, but Roger Grimes has some ideas for a separate, supersecure network. | Keep up with key security issues with InfoWorld’s Security Adviser blog and Security Central newsletter. ]

Reason No. 1: Your location is traceable

Everyone on the Internet has an IP address, be it public or private. Ultimately, that address, along with upstream logs, can be used to identify you. Ask nearly any computer security criminal charged with a felony.

Some clever folks think they can play interesting tricks to make their originating IP address less obvious. For example, many cyber criminals use wireless networks not owned by them (at a coffee shop, a neighbor’s Wi-Fi, and so on). They still get caught.

This is nothing new. In 1995, Tsutomu Shimomura tracked down notorious hacker Kevin Mitnick by following triangulating wireless signals to modem connected to a neighbor’s house. Hundreds of child pornographers get caught each year who believed they were safe because they were using someone else’s network and source IP address. This defense isn’t new and rarely works in the real world when the cops decide to get serious about finding you.

Reason No. 2: Your cloak has holes

What about the anonymizing services? Oddly, many of the services and programs that guarantee you privacy have never undergone serious penetration testing. In fact, not just the anonymizing options, but security software in general is full of exploit holes. I don’t mean a few — I mean dozens to hundreds of holes.

Years ago, one of the penetration-testing teams I was working with was hired to go at a popular AV vendor’s virus scanner. We found hundreds of easy-to-exploit holes. The same can be said for encryption software.

Phil Zimmerman of the legendary Pretty Good Privacy program has moved on to encrypting VoIP and cellphone transmissions. Zimmerman is one of the world’s foremost encryption experts, and he designs some of the best encryption products, including a product called Silent Circle, an encrypted email service with military-grade encryption that shut down Friday. He’s also one of the world’s most passionate privacy experts — one of the few who actually faced a treason charge over his support of that Fourth Amendment freedom.

In short, Zimmerman is the type of guy you want designing privacy software, but even he has a hard time keeping bugs out of his products. At the end of June, it was reported that an open source library Silent Circle relies upon was found to have multiple security flaws. Plus, here’s what one reviewer found in February. Keep in mind that Zimmerman is one of my heroes, and in my opinion, his products are less likely to have issues than competing products.

Read one of my recent columns, and you’ll learn that the governments of the world have tens of thousands of undisclosed bugs they can use to break into computers at will. Don’t trust security software to protect you completely.

Reason No. 3: A password is still a password

The weakest link in most security software isn’t the code. It’s usually the password protecting the private keys. Most privacy and encryption software asks the user to input a password to protect the private key material that it used to encrypt and protect communications. For example, the Pretty Good Privacy program will ask you to type in a password to protect your public/private key pairing. It will even advise you what is and isn’t considered a strong password.

Unfortunately, most users choose relatively weak passwords. Even those who enter what they think are strong passwords are fooling themselves — and it’s inherently easier to guess a user’s password than it is to try and crack the private key that does the protecting. I have to assume that organizations like the NSA have specialized hardware-only chips that are adept at cracking the passwords to particular programs. Heck, they probably just extract the relevant parts of the program, along with the key pair, and crack away. I’m guessing their bank of crypto-cracking computers will make short work of most users’ allegedly “strong” passwords, and I’ll bet the designers of such hardware chuckle at our gullibility.

Reason No. 4: You don’t really know where your packets are Services like Tor work by randomly rerouting encrypted packets of information between varying participating hosts. The bad guy would have to know which Tor computers were used by you end to end, compromise those, then tackle the other encryption issues. Sounds like a pretty high bar to overcome, doesn’t it?

Except that Tor software has vulnerabilities just like any other software. In one recent example, it was speculated that law enforcement agents used a privately known vulnerability to track and locate child pornographers. Moreover, I think the entire premise of Tor’s anonymity through router obscurity is flawed.

The biggest advantage of using Tor is that your packets are randomly routed through “volunteer” computers all over the Internet. But Tor can’t really guarantee that. Who’s to say most of Tor’s volunteer computers aren’t owned by governments that want to keep a hand in?

If I was interested in invading Tor’s privacy, I would create a very large cloud of computers that would make up most of Tor’s network. They could even ensure that your traffic would only be routed on owned Tor computers by manipulating where future Tor packets go once they enter the owned segment. Even if Tor’s software hasn’t been manipulated, you can’t trust it if the volunteer computers are owned and manipulated. They could make participating Tor clients do anything. (Tor experts, if you think I’m wrong, please message me and explain how Tor would prevent this.)

Of course, it’s probably far easier just to break into the originating endpoint client, and government hackers are already very capable of that.

Reason No. 5: People make mistakes A lot of people who think they’ve hidden themselves stumble sooner or later. Antimalware hunters have a pretty successful record of tracking malware writers back to their personal accounts, usually due to one small mistake that links account A to account Z. One friend, Brian Krebs, tells entertaining stories about following trails between private and public accounts. He’s talking about guys who are making millions of dollars stealing money online and have every incentive to keep their private lives private.

Reason No. 6: You don’t really know who you’re talking to Lastly, the person you’re communicating with may already have been caught in some cyber sting and is using you as his ticket to a lesser sentence. A perfect example is Hector Monsegur, an Anonymous leader who lured several high-profile members to capture and incarceration. Monsegur not only helped the FBI nail Anonymous members, but he actively encouraged them to do more criminal hacking. Heck, one of the best arguments against guaranteed anonymity is how many of the Anonymous group’s members have been arrested since law enforcement authorities started concentrating on them. You could build a new Wikipedia entry on it. At least half of them fell because of the reasons I’ve listed on this page.

If you want anonymity, that’s great. Just don’t think that you’ll have guaranteed anonymity. Because you won’t. My advice: If you need absolute anonymity, don’t use the Internet. You’re far better off using just about any other method of communication.

This story, “Anonymous is not anonymous,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.