Human factors exploitation and the Tor Project

0xdeadbabe
Dec 30, 2014


This is a speculative fictional whitepaper. Names, characters, places and incidents either are products of the author’s imagination or are used fictitiously. Any resemblance to actual events or locales or persons, living or dead, is entirely coincidental. Also see Poul-Henning Kamp’s inspired talk on NSA’s ORCHESTRA program (pdf).

Introduction

For some segments of the intelligence community, Tor, the anonymization suite, has long been seen as a hindrance to law enforcement and other intelligence-gathering activities. Significant resources are directed towards finding software vulnerabilities that can be used to deanonymize users. So far, what success there has been has come from the attack surface surrounding Tor, such as the browser, and not from Tor itself.

Instead of doing the work to deanonymize connections routed through Tor itself, can we instead persuade people simply to stop using Tor and forgo anonymity? We have had some mild success in ensuring that attacks on Firefox, and the fear and uncertainty they engender around the software, are well publicized, but statistics published by the Tor Project show an overall increase in users connecting to the Tor network.

Even though the spike that followed the start of the Snowden revelations has tapered off, the number of directly connecting users has doubled since the start of 2013.

Post-Snowden, participation in the Tor network remains as attractive as ever. Clearly, this poses a problem for client agencies who would like to disrupt and hinder the progress of the Tor network.

The goal of this whitepaper is to outline an effective means of attacking Tor by non-technical means, namely social engineering and social manipulation techniques, which we call human factors exploitation, or HFE. Why should HFE be considered? Attacking a software suite by finding exploitable vulnerabilities is problematic to some degree. Bugs can always be fixed, and exploits can always be mitigated, even when the potential exploit is merely hinted at. Indeed, the patching of the Volynkin bug was one such instance of a thwarted exploitation attempt that our client agencies alerted us to, and it spurred consideration of alternative mechanisms of attack.

Exploitation of humans and human behavior is much more reliable. Human behavior is consistently irrational and easier to manipulate; a considerable body of work discusses how trivially behavior can be manipulated in non-intelligence settings. Furthermore, even when the mechanisms of manipulation are known to the target of a HFE action, it can be considerably difficult for the target to mitigate them.

Several vectors already exist that can be exploited towards the overall goal of disrupting the Tor network. Even though the network itself cannot be easily subverted, as with any other technology, humans are involved at every step of the organization, and therein lies the opportunity for online covert action through HFE.

Targeting users

In this whitepaper we will avoid delving too deeply into the technical aspects of how Tor works; it suffices to say that Tor’s users, via Tor clients, send traffic through the Tor network with the intent that the traffic be anonymized. Users may do so for several reasons. For our purposes, we can divide the user traffic into two types: governmental uses and civilian uses.

Governmental agencies have two conflicting desires when considering the Tor network. Their own users need anonymity, which requires a crowd of other users to hide among: if governmental use dominated the network, that anonymity would suffer. Yet maximizing civilian use negatively affects network monitoring and other law enforcement activities. This is the central tension behind anonymity in general: anonymity cannot be selectively afforded without destroying it.

Therefore we cannot simply use HFE to dissuade all users from Tor without also destroying Tor for our client agencies (in any case, mass HFE actions are never aimed at affecting 100% of a target population). In fact, it suffices to dissuade a given segment of the civilian Tor user base.

What are the demographics of these users? We can guess that there is a certain contingent of the population that is technically adept and trusts Tor, and would generally not be persuaded to move its traffic back onto surveillance-capable networks. We can also guess that the remaining demographics stratify into less technically adept populations: those who are mistrustful of government but whose ability to evaluate privacy tools is less complete than the first demographic’s, and regular users who may use Tor only sporadically. Tailoring HFE actions for the last two demographics is key, and it so happens that the concepts surrounding Tor and strong anonymity are complex and therefore easy to manipulate.

Tension and Tor

Exploitable concepts in general are those that are at their heart a balance between two separate goals in tension with each other. Normally, such concepts are “sold” to the target by pushing forward one of these goals and hiding or downplaying the other. The prior example of selective anonymity is deeply exploitable, and has provided much opportunity for counter-messaging in the past. Users who are not accustomed to thinking about anonymity can easily be persuaded that anonymity for “good” people is desirable and anonymity for “bad” people is undesirable, without understanding that such an outcome is impossible to achieve. Users can then be manipulated into considering Tor “bad” for supporting “bad” people, even though it must do so in order to support the “good”. Most people tend towards a binary sense of morality, “good” vs. “bad”, and those prior beliefs can be exploited in practice to create alternative perception cues suggesting that Tor verges on the “bad” side, leading people to forget the “good”.

Furthermore, exploitable concepts around Tor need not have anything to do with anonymity. The Tor Project publicly notes that it receives government funding, while civilian use of Tor is often motivated by a desire to circumvent government interception and monitoring. Publicizing Tor’s funding model to users harboring anti-government beliefs can dissuade them from Tor and push them towards networks that are more easily monitored. In practice, this is done by presenting fragmentary stories around Tor which suggest there is something to hide where in fact there is nothing.

Practical techniques for crafting messaging are straightforward enough, and several are highlighted above. Some may be more applicable than others, and some are touched upon later in this whitepaper. However, actually propagating the messaging requires influencing media organizations or other publications (which we will refer to as “partners”) that enjoy some measure of trust from their readership.

Pushing the messaging to partners is outside the scope of this whitepaper, as we are confident that our client agencies are proficient at manipulating the organizations they need to influence. It is important to note that influencing large numbers of partners is unnecessary and even harmful, as it increases the risk of the operation being exposed. The messaging can instead be reinforced through other channels, such as social media. Given the cyclical nature of news and other publishing platforms, persona management by client agencies can be used to make the messaging popular and spread it through social networks, with the goal of making it self-reinforcing. This is ideal, as it means that people who are not influenced, directed, or otherwise employed by client agencies end up performing those agencies’ work for them.

One social media platform amenable to the effective communication of HFE messaging is Twitter. Persona management software can be used to manufacture apparently grassroots campaigns out of nowhere, or to provide a deniable means of creating multiple accounts that spread HFE messaging to targets. Twitter has a proven track record of reacting slowly and ineffectually to users reporting abuse, so HFE actions can remain effective and reach their targets even if large numbers of users report the personas used. Network effects mean that, despite Twitter’s inability to defend its users against HFE actions, targets will continue to use Twitter as their online social platform.

Targeting developers

Social media is indeed useful for making sure seeded messages propagate and are reinforced, but it is also useful for affective purposes. Persona management can be used to direct offensive messaging at targets and create cognitive and physiological stress. In a sense this is remarkable, as social networks provide a mechanism for causing physical harm to the target without requiring physical contact with the target; this is well understood under the concept of “cyberbullying” with respect to juveniles in volatile school environments.

Core Tor developers are ideally placed as targets for HFE actions that generate stress and physical harm, provided the targeted developer exhibits the right psychological characteristics. Social media techniques can be used to determine who may be susceptible to such an action: identify the developers’ accounts, use persona management to generate several distinct subscribers to those feeds, monitor the feeds to build psychological profiles of the developers, and then use persona management again to launch affective HFE actions.

Persistent affective HFE actions, once launched, can easily demoralize the target and amplify negative states of thought. Furthermore, they become nearly impossible to combat without causing some degree of damage to the target and/or benefiting other HFE actions. The possible outcomes are as follows. The target withdraws from the HFE action, depriving themselves of access to the social network and of the ability to counter-message other HFE actions. The target responds in kind, but the affective stress is not mitigated by doing so, and the response can be used to feed non-affective HFE actions; that is, responding can be used to discredit them. Or the target ignores the HFE action, but again the affective stress is not mitigated, so this is not a sustainable course of action for the target.

Affective HFE actions are incredibly effective: humans are not computers, and the brain cannot be patched. Human vulnerabilities are considerably more difficult to counteract and mitigate. Such actions, when applied to Tor developers, have the benefit of hampering their input to the project and making it impossible for the target to work effectively. When HFE actions target developers as well as users, our client agencies benefit from technical vulnerabilities and exploits in Tor surviving longer before being addressed, or ideally, never being addressed at all.

Additionally, as a target’s ability to work effectively is hampered, the action helps fracture the organization, pulling apart the collective nature of the group. It is important not to apply affective HFE actions to all developers, as doing so would increase shared opposition and help drive the group together.

Messaging about personal power and status can be used even when there are no actual competitive power differentials in the organization. Once the group has been cleaved in some way, non-affective HFE actions can be used to suggest competition and power differentials where none exist, increasing paranoia and division within the organization.

Ideological differences, if originally tolerated within the organization, can be catalyzed by HFE actions to further increase the probability of fracture. Additionally, existing groups with strong ideological positions can be manipulated to serve agency purposes, for instance by highlighting ideology through a non-affective HFE action in order to drive an affective one. For example, non-affective HFE messaging that one developer is a libertarian can be used to prompt groups traditionally opposed to libertarian ideology to participate in an affective HFE action against that developer. How manipulable such groups are can serve as a selection criterion for affective HFE actions. Other groups may be less manipulable but amenable to infiltration, with messaging then propagated within them.

Infiltration is not limited to ensuring that desired messaging is catalyzed among manipulable groups. As mentioned, Twitter is an effective platform for ensuring HFE actions reach and affect their targets, not only when the targets are users but also when the targets are the developers themselves. Twitter allows users to hide their tweets from the general public (known as “protecting” an account), in which case only followers approved by the account holder can read them. Partners can circumvent these protections for infiltration purposes by creating dummy personas and having them follow, and be accepted by, the targets on Twitter before the HFE action proper is launched. Even if dummy personas are not in place before a HFE campaign begins, protections can be circumvented if dummy personas are constructed to look appealing on the basis of psychological profiling and have enough of a semblance of validity to pass a cursory inspection and be approved. Once infiltration is complete, protected tweets can be publicized with the goal of discrediting the target, or put to other standard HFE uses.

Combating retaliation

The above list of mechanisms for fracturing groups is by no means complete. Any mechanism that ensures the target is eventually isolated from the rest of the group has merit for use in a HFE action. Again: HFE actions are effective because they are so difficult to retaliate against, and it is difficult to protect organizations from human factors exploitation. Nevertheless, it is useful to consider ahead of time how to defend partners from retaliation by targets.

HFE actions succeed because there are no direct associations with client agencies, or, where indirect associations exist between a partner and the client agency it is acting on behalf of, they are firewalled in some way. HFE messaging through social media is not associated with any client agency, by virtue of persona management software and careful control of information. Targets may, however, attempt to call out a HFE action in progress, even though they have no factual evidence for the claim. When this occurs, such claims can easily be ridiculed.

We can go even further. Recall that Tor is funded primarily through federal grants. Tor’s funding model can be used to suggest that the Tor Project itself is somehow the originator of the HFE action, by way of that funding. Having some HFE techniques publicized through the Snowden disclosures can be a blessing in disguise, as it lends such a counterstrike plausibility. Tor’s funding model enables other counter-messaging as well. Eventually, the Tor Project must fall back on its security record to thwart HFE messaging that Tor is insecure, and when further security issues are raised in future, HFE messaging can suggest that they have arisen because Tor has been paid to look the other way.

Inevitably, client agencies can win any HFE action simply because of the power disparity. Targets cannot match the size and breadth of a concerted HFE campaign, even if they manage small retaliatory gains. Bugs will always be found, and so opportunities to repackage them as messaging will always present themselves.

Conclusion

We have briefly touched upon the wide range of human factors exploitation that can be applied to degrade and disrupt the operations of Tor. HFE techniques have the benefit of being difficult, if not impossible, to trace, owing to their ability to enlist non-agency participants in an action. HFE techniques in other contexts have documented effectiveness: the desired ideas can be spread quickly, and people can be disabled easily.

Because technical attacks on Tor have been hampered and interfered with, HFE techniques provide an effective and powerful addition to our client agencies’ toolkits for deanonymization and law enforcement in cyber operations.

There are myriad HFE techniques not discussed in detail here, and we hope the reader is inspired to investigate more of them and determine how they might be applied in their day-to-day life.
