Russia is hoping that 3.9 million roubles will be sufficient to produce a feasibility study on cracking Tor—a nonprofit service that reroutes internet traffic to anonymize users' IP addresses. Turns out: They could have saved over 3.7 million roubles just by switching to whatever these guys at Carnegie Mellon did!
Russia's Ministry of Internal Affairs, or MVD, posted their procurement specs (or "tender") earlier this month, calling for "research work on the possibility to obtain technical information about users (user equipment) of the anonymous network Tor." Very quickly, however, MVD rescinded those details as news outlets, like the Moscow Times and (seriously) everyone else, picked up the story:
— Kevin Rothrock (@KevinRothrock) July 25, 2014
Or, maybe, Russia was just straight-up ashamed that researchers at Carnegie Mellon's Computer Emergency Response Team had announced a cheaper $3000-method for exposing the identities of Tor users. (MVD's 3.9 million-rouble contract comes out to about $109,723-and-change USD.)
Carnegie Mellon researchers Alexander Volynkin and Michael McCord were scheduled to present a talk this August on the discovery, at the annual Black Hat hacker conference in Las Vegas. Entitled "You don't have to be the NSA to break Tor: de-anonymising users on a budget," it promised to show how any dedicated hacker-and-thousandaire could "de-anonymise hundreds of thousands of Tor clients and thousands of hidden services within a couple of months." Then, to the disappointment of many, the talk was removed from Black Hat's schedule, its synopsis replaced with the following notice:
Late last week, we were informed by the legal counsel for the Software Engineering Institute (SEI) and Carnegie Mellon University that: "Unfortunately, Mr. Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet [been] approved by CMU/SEI for public release." As a result, we have removed the Briefing from our schedule.
What really happened, though?
Let's, just for a moment, speculate, shall we?
Carnegie Mellon's Software Engineering Institute is "a Federally Funded Research and Development Center (FFRDC) sponsored by the U.S. Department of Defense (DoD)" according to their overview. As the Guardian reported yesterday, Tor received $1.8 million from the U.S. government last year, the majority of it through "pass-through" grants via a third party, but $100,325 came directly from the National Science Foundation and $256,900 came from the U.S. Department of State. That's roughly 65 percent of Tor's budget—and it has truly been money well spent, both for traditional espionage, and promoting freedom/regime change wherever American interests deem that freedom/regime change may ring. It would really suck to lose such an expensive asset—even just for the short period it would take to patch up whatever hole Volynkin and McCord discovered—yes?
A lot of journalists asked Carnegie Mellon and the Tor foundation itself why the talk was pulled, with little in the way of new information emerging. Maybe they should have just asked Dad instead? The global hegemonic patriarchy that is the U.S. Military-Industrial complex, I mean.
Anyway: Tor is naturally very popular in Russia, where an ex-lieutenant colonel of the KGB named Vladimir Vladimirovich Putin has ruled—autocratically and without a shirt—for going on 15 years.
Source: Tor metrics
Russian citizens looking to duck censorship and political repression constitute the fifth largest block of Tor users, a figure that (as you can see in the chart above) has spiked recently due to the passage of a "bloggers law" that required any site with more than 3000 daily visitors to formally register with the government. Registering, as the New York Times clarifies, ultimately means that bloggers "will be considered a media outlet akin to a newspaper and be responsible for the accuracy of the information published." These bloggers will also no longer be permitted to post anonymously. High-traffic not-exactly-news agencies, like search engines and social networks, were required to keep a record of all activity on their sites for six months by the law—in stark contrast to the American method wherein the government secretly stores it themselves outside Bluffdale, Utah.
Still, unflattering comparisons notwithstanding, the suppression of public speech in Russia has been very severe lately, in response to a long string of well-attended opposition rallies since 2011. Three major opposition news sites were blocked by the Putin government in March, as was the blog of anti-corruption activist Alexei Navalny. (They all now, obviously, can only be accessed in Russia via Tor.) In April, state investigators searched the offices of the very popular Russian social networking site, VKontakte, as well as the home of its boy founder, Pavel Durov, ostensibly over allegations of some kind of traffic violation.
"A year ago, when the protests started, Durov showed he wasn't ready to close protest pages," a source told the Guardian. "That's when his problems started."
That week, a fund belonging to Ilya Shcherbovich, a Russian oligarch and board member at the state-owned oil company Rosneft, unexpectedly bought 48 percent of VKontakte, meaning that "Putin is now the de facto owner" according to the Guardian's source.
Worse still, Putin signed a law recently requiring that all internet companies (e.g. Facebook, Twitter) store Russian user data within the nation's borders, presumably so that it can be readily accessed by the government's intelligence agencies in collusion with the nation's communications providers, like Rostelecom. The law, which goes into effect in 2016, is clearly designed to stifle dissent, as is Rostelecom's recent investment in Deep Packet Inspection technology, which promises to filter internet traffic based on content rather than its point of origin.
Earlier this year, Putin very hilariously dismissed the whole internet as "a special C.I.A. project," which, while partially true, is not entirely fair to the Pentagon's ARPANET and DARPA people, or Al Gore, or all the wizards who stayed up late at MIT and elsewhere to bring us the internet. However, it does highlight that Tor, nonprofit though it may be, is caught along with Syria, and Ukraine, and the rest of us in some kind of post-Soviet Cold War right now.
So, in light of all this pertinent background, how should Russian MVD's desire for a Tor cracking method be considered?
Andrei Soldatov, an expert on surveillance and security services, has told reporters that it is primarily a veiled threat from a government that, as opposed to China's wholesale blocking of websites, tends to focus more on intimidation.
"It's not important if the Russian government is able to block Tor or not," Soldatov says. "The importance is that they're sending signals that they are watching this. People will start to be more cautious."
However, Russian Pirate Party leader Stanislav Sharikov told Global Voices that the $100,000 contract, which is frankly small by tech company standards, and the contract's origin in the Interior Ministry, suggest that this may have been a true public relations goof-up. MVD, Sharikov suggests, is more interested in conducting genuine police work, ferreting out child pornographers in the Deep Web, and so forth, and should not really be confused with the hardcore spooks at Russia's intelligence agency, the FSB.
For what it's worth, this is exactly the perspective that the Tor Project's board appears to have taken. Engaging in a charming bit of trash talk, Tor's executive director Andrew Lewman told Vice's Motherboard, "What the Russians have really done is effectively offer a bug bounty program for Tor. We assume many other national police forces are doing the same thing, just not publicly. We have a good track record of reverse engineering attacks and fixing the attack, even when we're not told the details."
Pretty baller, right? Lewman continues, "There are some talented people in Russia who will likely try to get some funding for finding bugs. It will be interesting to see if they find anything; and if they do, if the bugs are around design or more standard software vulnerabilities."
"The bug is a nice bug," Tor Project Leader Roger Dingledine reassured subscribers to Tor Talk group, "but it isn't the end of the world."
Reassuring as this all may sound, the reality is of course simply that Tor is vulnerable right now, to anyone who has been surveilling CERT researchers at Carnegie Mellon, like their DoD paymasters or (Oh, wow!) sexy, college-aged Russian spies at Carnegie Mellon. Are you a researcher at Carnegie Mellon's Software Engineering Institute? You might be having sex right now with someone who does not really love you, but is instead a Russian spy. Or a Chinese spy. Who told you that you were really worthy of love? They might also be a spy.
As for the rest of you, this global drama should not directly impact you, no doubt, because you purchased a junk ThinkPad on Craigslist, anonymously, in cash, and have been pirating Internet access from a mile away with a PREMIERTEK Outdoor 2.4GHz 24dBi Directional High-Gain N-Type Female Aluminum Die Cast Grid Parabolic Antenna, like I told you to, right?
[photo of Putin visiting Gazprom HQ via Alexander Nemenov/AFP/Getty Images]