Let me welcome Eric and Sean for the talk about Tor and give them a warm round of applause.

Thank you. Good morning everybody. So we're going to present you our work on the Tor network, or more specifically on dynamic cryptographic backdoors and how to apply it to try to break some encrypted network. So I did a joint work with Sean and our colleague in We now is back to Tanzania, the University of Tanzania. So here's the agenda.

Most of the time people speak about breaking cryptography. But in fact most of the time we think about using huge time-consuming exhaustive search, which is of course for modern cryptographic systems quite impossible or totally impossible. But most of the time we observe the fact that we have the situation of an armoured door on a paper or cardboard wall. So why bother to try to break the door if you can go through the window, find the key under the carpet or even crush the wall? So we have to take the environment in a very broad sense (the operating system, the users, network architectures, protocols) to determine whether it is possible to use and exploit them to bypass cryptography.

Everything is of course in the context where we all suffer from bricks of protocols, of tools that are imposed by standards, by organizations, and we have to work with them. And maybe more concerning is the fact that we all are suffering from some sort of standardization of mind. If you consider, for example, the development of cryptographic APIs, it is very difficult to try to develop without considering those norms, at least for some products. So in fact, we have to remind that the game is not to have the key or to break the system in an academic view. The very final aim is to access the plain text.
So in fact, we have excellently worked on what we call dynamic cryptographic backdoors, mostly implemented through malware. Otherwise, we can do the same job, but with trapdoors, and it has been possible. It is a few results we obtained to bypass, for example, IPsec-based encrypted networks. You may use TEMPEST or not, it's not the issue. And for example, we have applied these techniques to break some military IP encryptors. This respect there are but most of them are badly implemented. And what is very important to stress on and to keep in mind: everything has been tested. We like to go from theory to practical stuff and to verify that everything works. So all these attacks are very efficient.

So now we are going to explain how this up to us. It is possible to apply this kind of techniques over a network, an encrypted network like Tor or any other network of these types. So the working, the starting scenario, can be either an undemocratic country. We want to monitor, not to block. The aim is not to block the network, it's quite the contrary: just to monitor and to survey all the political opponents, may it be inside or outside the country, or any small group of bad guys.

So, a few elements I think are important to keep in mind. More and more, with the evolution of national regulation in Western countries, the use of malware is now something well recognized and accepted, and I have no exception in mind, from France to Yannick's I said and Germany or United Kingdom. Now it is well accepted that police forces, intelligence forces can use malware without a restriction. So it is not a dream, it would be more a nightmare. It's reality. And they are beginning to develop many, many capabilities in this respect, and probably China is among the most advanced countries in this area.

So we would like to present our attack not like a single attack, just deploying malware. No, from an operational point of view, from tactic point of view.
It's not a good idea. In fact, we would like to present an attack which is in fact more related to the way military are thinking, and to organize a coordinated multilevel attack with small surgical strikes in order to combine to a very final effect. And I have made a discussion with officials in different countries and they say: well, if you manage to break at least one percent of the traffic, it's already a success. So no matter if the attack is very efficient or only efficient, if you already managed to have this success rate, it's already a success. Of course, we think it's possible to do far better.

So here the agenda: Sean will present all the network part. I just will try to recall some part about dynamic cryptographic trapdoors. So in fact, it is very interesting to notice that most of the implementations rely very importantly on the environment and the operating system, for example, and the Windows. I have only a very few exceptions in mind: they all rely on the Microsoft cryptographic API. You have just to hook this API to do what you want. You can modify algorithms in memory. For example, we managed to scan for the S-boxes of the AES in memory and to replace those S-boxes with weak S-boxes that of course the attacker knows in advance. You can turn between modes, you can do many, many things. And the word dynamic comes from the fact that in fact you can play it only during a limited window of time, just stop, then come back to the attack. It's fully customizable. So of course, if you consider the static security, the mathematical security, the algorithm has not been modified or changed, since everything is in memory.

So for example here we use CryptGenRandom, which is the most commonly used function to generate initialization vectors. So here for example we choose, we want that the malware modifies the cryptography in memory between noon and 2 p.m. So it is a small part of the malware we have developed.
So here we fix the message key for a limited period of time. So why fix the message key? Because in this case all the messages that are going to be encrypted will be parallel ciphertexts. It means that it is easy to detect them among many, many encrypted texts: you can detect them in polynomial time and break them as well in polynomial time. Just the fact to reuse this, to fix the IV. So we have developed a cryptanalysis library exploiting this fact, and you will be surprised how many encrypted traffic can be partly broken with applying these techniques. Of course, we are considering stream cipher modes.

So how to do that when you are for an ECB or CBC mode? Well, that's where there is a very interesting point, because in fact since the contest of the NIST, the National Institute of Standards and Technology, to promote the AES, in fact they impose some sort of standardization of mind to develop around cryptographic libraries. As a consequence, many developers are writing their library in the same way most of the time. So there is some sort of standardization of mind. So if you explore this, you can do many things: you can change many things in memory with malware in order to weaken the cryptography. So for example here you have, during the cipher init, a byte which defines a mode, and then you just change a few bytes in memory and you switch from one mode to another one, which is actually very interesting.

So, how to use that. So first I would like to stress on the fact that we do not have anything against Tor. This is not the issue. Actually, at the present time, this is the only available network of this type. We have made experiments on other, well, non-public networks.
So it is of course impossible to publish. So I think that it is a good field of experiment. But once again, it is not our aim to say, to have something against Tor. So you will find everything, where I explained the library, the Torrexon library, the different data, are available either on the wiki of this conference or on this link. So Sean has developed a very interesting library. You have the Google Earth map of everything.

So in fact, we have tried to consider the Tor network as a critical infrastructure. Many, when you deploy some brick, in fact, you don't know whether you will have local weakness, and how to exploit them. So in fact, it is not the Tor technology in itself that we analyze. In fact, we exploit the fact that it is deployed by volunteers using their own security, computer security, and of course using weak protocols.

So I won't recall how Tor works, there was a talk yesterday. So just remind that in fact you have to find a circuit of three nodes, three onion routers, randomly, every time you want to exchange secretly and anonymously. So you have here very quickly the key negotiation. In fact, there is a first level to negotiate a secret key and to make sure that all the three nodes have the same key.

So about the previous attacks: there are many, many attacks, so I have just mentioned some of them, but of course you will find everything on the Tor foundation blog, in the Return there referencing everything.

So in our attack, in fact, we try to work at a very high level and low level at the same time. So first you have to make an intelligence step: you have to try to have as complete as possible a view of the network, how many onion routers, hidden relays and so on. So in fact, in this respect our attack just follows what military are doing: intelligence step, planning and conduct of maneuver. So many people say: okay, we have broken Tor. No, once again.
It's not the issue. It is the deployment of Tor, because the core concept, up to me, is rather sound and elegant, but it is deployed on a very imperfect world: weak protocols. We also use some protection mechanisms that we have turned against the network. And of course every volunteer is free to use his own security rules. And just imagine the same in a big large company where everyone is free to choose his operating system, to secure or not his computer. Well, it will be like a nightmare, honestly.

And up to me, the use of crypto is not a good thing every time you want to action secretly. Of course, if you use crypto it means that you send noise, because crypto, encrypted stuff, is just noise: a very high, a large entropy profile. So of course you focus attention. Up to me, you have to add transmission security, for example steganography.

So in fact, from a very general point of view, we just select some weak nodes. So the weakness issue may depend on your view. And we try to force the route through those infected nodes. So according to Dingledine and some authors.
In fact, there is a general, interesting formula which claims that if you control M onion routers of a total of N, you can control this percentage of the traffic. So the aim is to increase the value of M and to reduce, in a way or another, the value of M. So we will infect M onion routers, and then we will try to decrease the value of N, I mean the number of onion routers you can go through effectively.

So the general description of the attack: you can use a botnet. So I will say a botnet, but of course you can use several small botnets, in order first to infect some nodes and then to deny, to block or to congest the other ones. So it is a general scheme. Of course Sean will present in more details.

So we have, among many information, in fact we have developed in our school test network architecture, which is rather close to the reality, at least statistically speaking, and we have validated everything on this architecture. Some parts have been validated on the real network, and Sean will make experiments using the real network. We are not connecting to Tor, the Tor architecture.

And the question is: can we trust the Tor network? Or, well, I will say the things differently: is it possible for a country to exploit the weaknesses that we have mentioned in order not to block Tor but to control?

So from a general point of view, step one: it is an intelligence step. You identify a subset of weak OR uninvited you and start the dynamic trapdoors and so on. You modify the AES in counter mode in order to fix the initialization vector. And of course, we do not modify the OR integrity. Everything is in memory. And after that we try to selectively deny access to those onion routers
we did not manage to infect or to control. So of course you have to establish a complete map of available nodes and then to deny according to three different techniques. So you will find on the website a complete Google Earth map with all the different nodes. So I won't show it here. But in fact we have identified slightly more than 1000 onion routers and, well, you have the description here. So we have observed that nearly 60% of ORs are in the EU, well, slightly less than 13% in Asia. So once again, there is a complete map. Either they are on Windows, Linux, or it is either or not.

So election now. Tor works with what we call bridges, and we have relays, as explained at the talk yesterday. So the bridges are supposed to be like a way to prevent countries or governments or the adversaries from denying access to Tor completely. But then there's always a way: there's a way for users to actually get the bridges, which is also a way for the adversaries and attackers to get the bridges. So the normal ways to obtain the bridges would be from the website, the bridges website, or sending an email, or there might also be other social ways to actually receive bridges.

So the Tor software actually provides a control protocol to enable your script. It also actually communicates with Tor directly: build circuits or make requests, attach streams, you can do almost anything with it. So we have extended the Ruby controller for Tor that is normally used to build circuits or just to connect to Tor, so you can actually make requests with the library and do a couple of other things with it.

So normally it's possible to get just three bridges at a time from any IP address you go to. Then probably after an hour or so you might be able to get more bridges, another three, but you get only three at a particular point.
So with this library you'll be able to request more bridges using Tor exit nodes. We're able to obtain about 70 in 10 minutes, 70 distinct addresses in 10 minutes, and about 200, over 200, in just one hour. So our goal was not to get all the bridges. We just try, and then you actually obtain about 200 bridges within the time using this short script.

So I can give a demo about how this is being done. So I've just connected to the control port to show, so you can actually see some of the events that will come up when I run the library. This would just connect, this would do this 20 times using different circuits, and if the circuit is not built in three seconds, it's just to try to get the bridge either way and then continue. It could probably be done faster. Some circuits may not be actually completed in three seconds. So it's just a sample.

The first part of the script I ran was just to get first exit nodes and first guard nodes to use for the circuits. And then the script I'm going to run is just picking anyone at random. I'm not selecting any particular entry node or exit node. Then the exit node: I'm going from zero to 20, just pick the first 20 first exit nodes. You can actually see as it tries to build a circuit, and once you may see it succeeded, then you probably got. It hasn't come back. So yeah, that's the first three bridges it got. Let's keep trying. It has gotten six right now. This has also been limited, so it doesn't exactly, doesn't get all the nodes immediately.
So the bucket of bridges that it gives out using exit nodes has been limited for this reason. But then if we actually keep going, or you actually use all the exit nodes, you should be able to get a large number of bridges normally. Just not now. So the library is actually easy for just about anybody to use, and it's easy for anybody to script through the pages.

So then the vulnerability. With the descriptors, the cached descriptors that are actually distributed to just about every node, you have over two thousand relay addresses that are actually there. And then it's like you give an account a list of two thousand addresses and you tell me: okay, check if these addresses are vulnerable to anything. Of course, you might have zero-day vulnerabilities, and then you have a number of them that might be weak and very easy to compromise, including Windows and Apple nodes, which might be easy for an attacker to infect with malware to use for the attack.

So the vulnerability scan issues that about 30% of the ORs are vulnerable, 41% of which are Windows and 19.6% run a Unix flavor. And this is in terms of the number of the nodes, and percentages are likely underestimated. Well, about 20% of them actually have critical severity, but it's what is to be expected of a voluntary-based network. It might be beneficial if there was a way to actually tell clients or volunteers that, okay, your system might be vulnerable to this, or it just runs the test and then he knows what exactly he can do to help, so he doesn't get attacked by an adversary.

So the attack: the goal of the attack was to try to force a client to go through three specific nodes. You're not trying to block the Tor.
It's all completely. But you just want to control it within a limited time, when the cryptographic backdoor will be in place. So you would have to use a number of availability attacks. It could be similar to the great firewall, resetting the clients. But all, most of all these availability attacks will only work if you have the complete list of the network already. So you still need all the bridges and all the public relays that are available. And with the rate at which the bridges, the relays actually change addresses (DHCP), you need to keep this list updated to have the attack work.

So then another way would be: you could actually spin packets on the network or have a kind of congestion, just to exhaust the bandwidth on some of these nodes. So previous attacks have been based on the congestion approach or even the packet spinning: you send packets to multiple nodes at the same time, to multiple nodes in the Tor network. Until recently, it used to be possible to actually build very long circuits. You could build a circuit of, say, 90 nodes. You see, you have errors in your logs if the client actually checks it. But then how many users actually check their logs frequently? when do you store? People, you probably prefer the GUI: just click a button with Vidalia and then you connect, and that's about all.

So by default Tor chooses the first nodes and nodes that have high uptime, based on the metric. But then this metric is also published in the consensus. Your bandwidth is there; it is like you tell the attacker: okay, this is how many packets you need to send to keep this node really busy. And then if I can send a packet through your node, say, ten times, the same nodes, as I build a circuit of three nodes and I cycle through those three nodes, say, ten times, it just keeps growing.
It has a multiplicative effect on the size of the packets I'm actually sending. So the goal of this would just be to keep the packets in play, just to occupy these nodes, prevent them from having time for other nodes, for other requests from the clients. And then again, it's not going to be played like all the time. You don't need to attack all these nodes at all times of the day. You're just trying to control them. Say today you have the dynamic cryptographic backdoor, and then you know the specific time or specific day that it will come to pass. Some countries might decide, or some governments might decide, to actually try this at that specific time.

Of course, the Tor metrics: you will see downtime in the number of clients connecting at that particular time, or it may appear as if the said country or government is throttling the network for the users. Users just won't connect to the specific nodes at a particular time. And then the attacker just has pre-compromised nodes on the network, or it has a botnet, or other nodes it is able to compromise and install the malware. So long as you have all these nodes in place, they work normally at all other times, but then at a specific time when it will be attacked, the clients will only be able to connect to these specific nodes.

And then this can also be set in a different way, such that the attacker can actually distribute the map to, say, different nodes. He has a map of nodes he wants to block at a specific time, and then he sends packets and just keeps the packets in play, keeps sending, keeps building circuits. And then it just keeps going on and on.

So yeah, I said I was going to demonstrate how the long circuit of the packet spinner works. So yeah, I'm going to pick a circuit of three random nodes and then build a circuit of 15 nodes, that's five loops over those three nodes.
The random nodes might not always perform as the attacker wants, because some nodes will actually have different access requests, that's different access policies that will prevent you from making circuits with the next node you're trying, or the next hop you're trying. But in here we can see: this is the first node. This is it again, it's the second loop. This is the third. This is the fourth, and this is the fifth.

So I can also show that we can browse through this. So yeah, I'm going to try to disable the auto-attach mechanism of Tor. Yeah, we can see. Okay, right now the circuit has been closed. So I'll have to rebuild the circuit before I try this again. But then again, this doesn't work with the new version of Tor anymore. But then if you use the old clients it still works. There have been mechanisms in place to prevent this, but then it just can't be put to use until all clients, everybody that uses Tor, has upgraded their versions.

Okay, maybe I could get back to this after. Circuit has been closed again. So maybe I'll just do this after.

So then for the TCP resets, it's not a
The whole attack is Based on using just about any availability attack that is out there your reset or ways to congest the network So the resets has been there some is please use this to prevent clients from accessing some services or different ports So unlike your typical resets where you have to send reset packet both ways For so you just need to send reset packets just to the clients that's trying to connect and then Even if they really sends the packet back to the clients the client rejects it and it tries to pick a different really So this will go on until he probably picks your malicious node, which you have in place so you still have to rely on the randomness to of taught to select Those nodes that are vulnerable So the other thing will be if the client tries to build a circuit using First the entry probably a malicious node and then the next one is a malicious you might want to block that also So that can typically that can be done from the nodes. You've already compromised using just about anything so then The whole attack will be in this form where you have the botnets infect You deny access to some nodes that you are not able to infect using whatever means you have you could do the reset you could It could be with some other forms of denial of service attacks and then you have ISPs also doing the reset attacks to the clients and the denial of service attacks will continue until The clients uses the nodes you want them to use so the Alternatively, you may not need to Or alternatively You may not need to block access to all the nodes But then just the ones with Higher bandwidth or higher metrics than the ones you have on the network so you might have Some nodes on the network already that have high bandwidth or With an eye of time of time is not really a problem. 
You just need to leave your nodes connected until when you need it to work. But then the bandwidth might be the question, because you need more nodes with bandwidth. And then the attack continues the same way.

So then the second version of the library also allows you to build circuits in circuits, instead of just building one single long circuit. So with a new version of Tor you are only able to build a circuit with three nodes. But then if I want to build a circuit and still have the multiplication effects of sending packets through this, I'll have a circuit going through another circuit and then a third one. And it could also go in the same way, however you want it to. So the one drawback with this is the exit nodes must be chosen carefully, so they don't have like restrictions to the next hop, that's the next entry node you're trying to connect. So sometimes your entry node might be on port 9 and 9 0 for 9001 or some other port, that's the OR port. But then you have to choose exit nodes that allow access to the next hop. And an attacker can actually send packets using either of all these proxies just to increase the congestion.

So just a few words about the malware we have developed. So it is a very complex code, implementing a lot of things. So of course, since we are able to deploy a malware, we can fix the key. Of course, it is in constant time to decrypt, since we know the key in advance. But generally it's more efficient, in this precise case, just to fix the IV. And then the decryption and the detection of weak ciphertext is in polynomial time. So once again, there is a library that we have developed in order to detect and break. It is possible. We have developed a lot of optimization techniques, for example if we have only one single file, with plain text tagging techniques and so on, and if you use, in the library that detects single file but see you will see how it works. So it is possible of course to
make a lot of things. And the malware is able to adapt to the fact that, in fact, since we only force routes through infected nodes with a high probability, it may appear that, since the probability is not close to one, some keys remain uncontrolled. So it is able to detect that and just to say: okay, I do nothing. Okay. It is only small bricks that then you have to combine in a very random way according to your scenario. It is just a framework, an attack framework. You can play or you can replay it, change the time window, everything is possible. And once again, everything is in memory. We do not modify the settings.

Well, from a more general point of view, of course, if you know many of the nodes you could simply block them, but well, it is not our intention. We just want to show that it would be possible to bypass crypto by some sort of surveillance and monitoring.

So once again, the discussion is, and I still agree with it: it is of course impossible to have the exact figure. It is not exact science to have the exact figure of success probability. But well, even if we manage to break at least 10% or even one percent of the encrypted traffic, up to me it cannot be accepted.

So, well, once again, I would stress on some very critical points. Up to me, it is very surprising to see that in fact there is no high-level auditing of our security. The volunteering is very nice, but if everyone does what he wants without control and security control, well, the security of the whole infrastructure is limited to the insecurity of a few ones. So it is not possible. And of course, when you have many, many vulnerabilities and flaws, well, it's very easy to infect. Without giving too many details, we have been very surprised, not to say shocked, that for example HTTPS machine with a badly configured, that it was possible to collect, to catch the secret key instead of the public key.
So I'm not sure it's a good thing. Of course, once again, I'm convinced that using cryptography alone is not a good thing. You send noise, and if you send noise it means that you have something to hide. So up to me, steganography or other TRANSEC security tools are far better. And of course, using DCP, you know what you may find.

So we are of course, since for example the spinning attack has now a limited effect, so I am happy to see that in fact we have somehow contributed to better security for Tor.

I think that some measures in order to maintain the activity of Tor and to enable a far better security: I think, yes, forbid Windows onion routers. Well, it's maybe a little bit drastic. But in fact, it would be nice maybe to enforce some scanning, to use some scanning tools and to deliver some security certificate for onion routers: okay, you are valid for the service, you can go on and join the group. But I'm convinced that it is very mandatory to take with ours. To be clear, our attack cannot work if all onion routers cannot be infected. But we are very far from this situation. So that's why I think that part of the solution, the most part of the solution, is to enforce some high-level security policy managed by the Tor foundation to manage the security of onion routers. And of course prevent scripting, since part of the security relied on the fact that some relay bridges were hidden. Well, prevent scripting in a way or another.

So as a conclusion, in fact, well, you have a number of command that I would stress on one fact: that less and less sophisticated attacks will be the fact of a single step. You will have multiple innocent-looking surgical strikes, little touches whose combination will produce a final effect.
I had the occasion, since two years, to analyze some sophisticated attacks, mostly coming apparently from China. Well, just deploying one single malware, I think it's over now. I just change the port in memory, I do one, I send a document and so on, and the combination of all those effects makes the final attack. And of course, from the victim's point of view, it is quite impossible to prevent, quite impossible to detect, for the single reason that it is a combinatorial effect. How to survey, to monitor, to compare everything? It is impossible. And of course, if you want to design a trapdoor or backdoor, you have to do the same: just to split everything in multiple innocent-looking parts.

So, well, mid-term works: we hope that in fact Sean will go for a PhD on that subject. But I think that using steganography, to have some sort of steganography version of Tor, would be nice. To enforce some memory protection: we are actually working for different companies about techniques to prevent attacks in memory. And once again, I would like to stress on that point: just enforce other high-level security policies. So maybe you want to make some.

So in fact, some change that appeared recently: on the Tor project website, we can see the draft for future crypto proposals. Well, the main thing is, I think, since it's modification of the keys in memory, the fix could actually be done by the operating system or even the crypto API developers, so that they prevent such attacks by the malware. But then again, the application developers should also consider protecting the applications against such attacks, pending the time when the API developers release such fixes. So if there are memory protection techniques, they will be able to prevent such malware from affecting their applications. And Tor being a critical application, something should be done to protect this in the memory.

For the congestion attacks, there's a paper about the comparison of datagram, which could
be a start, since you might not have the same congestion problems as TCP, but then it could still have its own security vulnerabilities in the end. So thank you.

Well, thank you very much for that talk, and I would also like to remind you to use the feedback system on the talk. The feedback system is available in the Fahrplan if you select that talk. Now, we still have time for a Q&A session. Could you please raise your hand if you have a question? We start at the back. Okay. Here we go.

So you said that there were 30% vulnerable relays. The Tor protocol balances load by using the faster relays more often than the slower ones, and in fact the Tor network has about 2,500 relays now, and a small number of them are very fast and the rest of them are quite slow. So I would not be surprised to learn that the 30% of the relays that you consider vulnerable are less than 1% of the network by capacity. And once you are only compromising a small amount of the network, that requires you to do a much larger denial of service attack against the rest of the network to make your attack work. So I guess my question is: what fraction of the network by capacity do you believe is vulnerable? Not just fraction of the network by relays.

All right.
No, it's a very important question, but it's difficult to evaluate without making an experiment on the real network.

You can calculate that in polynomial time.

Well, but then again, even if you said the bandwidth is much higher, as in the nodes that are not vulnerable have a high bandwidth: if the attacker is actually forcing packets to all these nodes, as in all the specific nodes, and then it goes in a loop, without circuits, in true circuits, or packet spinning or whatever, the bandwidth of each system might really not have much effect, since you're actually trying to overload each of the systems with the congestion. So instead, the number of systems that would be available would be the question.

Say you have a system that has 20 times the bandwidth of a... I just have to use it in my circuits 20 times. Or I have a circuit, a loop street, or...

But the result of this is that you basically need to attack every Tor relay and knock it over, and then there are none left. So you have no computers, you have no relays that you control, and then your attack is "I deny service to the Tor network", not "I target users and learn what they are doing".

In fact, I think we don't target any specific user, that's the main point. We just deploy the malware, catch what we can and decrypt what we can.

Right, but if you own roughly zero of the Tor relays...

No, I do not agree. There is one solution. We have exchanged through emails. It is to deploy the attacks through the network for real. Are you ready for that?

I'm ready.

So just to be clear here: you cited, I think it was like, I don't know, the original design paper, where you talked about controlling M over N nodes or something like that. An interesting question that at least comes to mind here is that almost every single proposal, every single fix, all the changelog, some of the things that Roger wrote, that I wrote, that George wrote, basically all of that was stuff that was already published. So what exactly is new here?
Is it the crypto backdoor, where you have to already root a box in order to do it, or? I mean, I see in the original design paper of Tor, which is seven years old, the packet spinning attack, which is previously published work. I mean, no offense to the guy that wrote some software and demoed it, because that was actually the contribution. But what is the actual attack here that is new, that is novel, that we have not already worked on actually stopping with proposal 110? I mean, I put in the "disable debugger attachment" long before you ever mentioned this stuff. So what's actually new here, Eric?

Mostly, you're right, and it has been mentioned in the slides. In fact, as with any work in scientific research, we start from existing work. You're right, but unless I am mistaken, I've never found a multilevel coordinated attack. We just take many bricks. We have improved some of them, we have developed part of them, inspired of course by Murdoch, Danezis and so on; the authors were mentioned. You're right, but in fact the new aspect lies in the fact that we combine everything, not to block. Most of the time people are trying to block the... No, we don't want to block, and we show that in fact it is possible to control the cryptography in one way or another, just combining those bricks. And the concept of the dynamic trapdoor, I'm sorry, but it is totally new.
Okay, so I don't know about everybody else in this room, but I was writing userland rootkits, like, long ago, and that included being able to backdoor the random number generator. That is also not new.

So, can you repeat?

Writing backdoors for the operating system APIs and for, say, userland APIs, and changing the output of those functions, is also not new. And saying that to a crowd of people here, I think it's important to know that. I bet if we ask a sample of the people here who has ever caused their crypto function to have a zeroed IV, or a predictable key based on time, or a random number generator with a fixed output... Anybody other than me ever write something like that in the room? Okay, we got a couple. So, I mean, I guess the thing is that you could also have summed up this talk with one slide, which is: you have a botnet and you start 10,000 Tor nodes, which is part of the original Tor design threat, and you don't have to do any congestion whatsoever at all, and you control m over n nodes. And so the question is: what is the real contribution in comparison to just a basic Sybil attack, which is the word that we would use to describe this in the literature? I don't see any real difference here. And I didn't even see you decrypt any traffic, which is quite a bold claim. So I wouldn't... I mean, yeah, fired up.

No, I'm not sure. I'm not sure I understand, because in fact... Well, I have to say that I think it's first for the cryptographic backdoor aspect. Okay, you mentioned, but if I understood well, in fact you mentioned side-channel attacks and so on. Here we modify in memory a number of things in such a way that, first, from the defender's point of view, the traffic still seems to be encrypted, respects every randomness property and so on, but it is possible to decrypt it. So I'm sorry, but unless you are giving me references, and I would be happy to have one, this aspect is new.

Okay, I'm sorry. Yes. No, okay.
I know what you... it is a very... Critics say, okay, you have just to fix the key and send the key. But from a malware perspective, you have to open a socket, you have to do many things that antivirus are supposed to detect. Here, we just make innocent-looking modifications in memory. Of course, you're right, I could just fix the key and then through the traffic, but from an antivirus perspective, it can be modified and it can be detected.

I can fix the key in advance.

Okay, I'm sorry. We have other questions, questions from the internet as well.

Yeah, there's one question that says: you disclosed bridge IP addresses on your blog.

Mm-hmm.

That directly helps censors. Why are you deliberately harming the Tor project by doing that?

Why did we disclose it? Just to be sure... yes. At the very first time, when we exchanged with the Tor foundation, they said: okay, your attack is exaggerated. And in science, either you're wrong or you give a proof. These things, the addresses, were a proof, at first. Then, and I agree, I'm convinced that many people have probably designed an equivalent attack. So we have to be very involved: if we are able to do that, other people have probably already done that, for example China. But they don't publish the list. So honestly, I think that in security, if you know there are some risks, I think that making them public is a good thing, because people on those machines are able to see: okay, my machine has been detected while it was supposed not to be. So now they are aware.

Okay, next question.

We just publish nothing, but I don't think that security... security is a good thing. Whatever we may paint, I would like, honestly, I would like, but well, I want to remain free, because there are still regulations. But I have published... Okay, no. It's better to do. I think that source code is far less efficient than mathematics, and we have published everything. There are two possibilities.
I give you a fish, or I teach you to fish. I do prefer to give mathematics, in order to program a lot of different versions. So source code is just one instance.

Excuse me, please. The guys from the Tor project, please get together with Eric after the talk, so that normal people can ask questions, please. Thank you.

So, quickly, my question. The Tor client usually uses guard nodes. I'm here. Sorry. It usually uses guard nodes, three in the default config, and they change slowly over time, one a month if I remember correctly. If you cannot own such a guard node of a client, and also these guard nodes are very fast nodes, you would have to put a very large amount of traffic through it, and effectively can only deny access to the Tor network. You did not mention guard nodes in your presentation. Have you not considered it, or how do you deal with guard nodes?

The thing with the attack is you're not exactly congesting... Yeah, no, you don't have to congest all the nodes you intend to attack, but instead some of them might just be blocked with your typical reset attack; some might be... if you can't overwhelm it with traffic, then you might, the attacker might, actually block it using other means necessary. So it's not about the guard nodes having a high... The list of fast guard nodes is available to everyone, including the attacker. So it's more like a local attack: if I wanted to go and see everybody here, and I know exactly where the guard nodes are, I can... if I have some guard nodes on the same network, I will just try to limit the nodes that you have access to, using whatever means necessary. I can choose to block some of them. I could actually leave some of them to be available, as in, say, you think: okay, it's available, but then I try to throttle the bandwidth to that specific node. Or I make it available for a minute and then after that it's unavailable. But then your nodes will actually choose nodes randomly, try specific ones, see: okay, it fails, and then move on to the next node.
So the aim is: at some point you actually select the malicious node.

Okay, any more questions? Then I would say thank you very much, and a warm round of applause.