{"id":79269,"date":"2015-02-08T00:05:15","date_gmt":"2015-02-07T22:05:15","guid":{"rendered":"http:\/\/businesstech.co.za\/news\/?p=79269"},"modified":"2015-02-06T17:53:01","modified_gmt":"2015-02-06T15:53:01","slug":"there-is-nowhere-you-can-hide-online","status":"publish","type":"post","link":"https:\/\/businesstech.co.za\/news\/internet\/79269\/there-is-nowhere-you-can-hide-online\/","title":{"rendered":"There is nowhere you can hide online"},"content":{"rendered":"

The Silk Road trial has concluded, with Ross Ulbricht found guilty<\/a> of running the anonymous online marketplace for illegal goods.<\/p>\n

But questions remain over how the FBI found its way through Tor, the software that allows anonymous, untraceable use of the web, to gather the evidence against him.<\/p>\n

The development of anonymising software such as Tor and Bitcoin has forced law enforcement to develop the expertise needed to identify those using them. But if anything, what we know about the FBI\u2019s case<\/a> suggests it was tip-offs, inside men<\/a>, confessions<\/a>, and Ulbricht\u2019s own errors that were responsible for his conviction.<\/p>\n

This is the main problem with these systems: breaking or circumventing anonymity software is hard, but it\u2019s easy to build up evidence against an individual once you can target surveillance, and wait for them to slip up.<\/p>\n

The problem<\/h2>\n

A design decision in the early days of the internet led to a problem: every message sent is tagged with the numerical Internet Protocol (IP) addresses that identify the source and destination computers. The network address indicates how and where to route the message, but there is no equivalent indicating the identity of the sender or intended recipient.<\/p>\n

This conflation of addressing and identity is bad for privacy. Any internet traffic you send or receive will have your IP address attached to it. Typically a computer will only have one public IP address at a time, which means your online activity can be linked together using that address.<\/p>\n

Whether you like it or not, marketers, criminals or investigators use this sort of profiling without consent all the time. The way IP addresses are allocated is geographically and on a per-organisation basis, so it\u2019s even possible to pinpoint a surprisingly accurate location.<\/p>\n

This conflation of addressing and identity is also bad for security. The routing protocols which establish the best route between two points on the internet are not secure, and have been exploited by attackers<\/a> to take control of (hijack) IP addresses they don\u2019t legitimately own.<\/p>\n

Such attackers then have access to network traffic destined for the hijacked IP addresses, and also to anything the legitimate owner of the IP addresses should have access to.<\/p>\n

\"How<\/a>

How Tor works Tor Project\/EFF, CC BY<\/p><\/div>\n

This is why those looking for cat videos on YouTube on February 24, 2008 found themselves at Pakistan Telecom instead<\/a>, why hackers made off with US$83,000 worth of bitcoin between February and May 2014 by impersonating the legitimate owners, and why hundreds of organisations found their communications mysteriously routed via computers in Belarus and Iceland<\/a> in 2013.<\/p>\n

Redesigning with security in mind<\/h2>\n

Onion routing was developed to correct these mistakes, separating identity and address so that it\u2019s possible to communicate through the internet without revealing the IP address used. Originally a US Navy Research Laboratory project<\/a>, the latest implementation of onion routing is known as Tor<\/a> and is independently developed by the non-profit Tor Project.<\/p>\n

Tor routes internet traffic through three or more intermediate computers called nodes, which prevents anyone listening in \u2013 and any website the traffic connects to \u2013 from knowing the source of the traffic or working out who is communicating with whom.<\/p>\n

Even Tor nodes aren\u2019t individually aware of the details of which user, where, is connecting to what. The first node sees the user\u2019s IP address, the last knows which site is being accessed, but unless both the first and last nodes are controlled maliciously these two facts won\u2019t be linked.<\/p>\n