Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
Use Ctrl + F to search
0:04
Welcome to Tech Stuff, a production
0:06
from I Heart Radio. Hey
0:12
there, and welcome to tech Stuff. I'm your
0:14
host, Jonathan Strickland. I'm an executive producer
0:16
with iHeart Radio and I love all things tech
0:18
and it's time for a classic episode.
0:21
This episode originally published
0:23
on April six. It
0:26
is titled The Secrets of Tour
0:28
and the Deep Web. I've covered
0:31
these topics a few times over the years.
0:33
This one was a pretty fun discussion. Hope
0:35
you enjoy. The Mighty Tour
0:38
is one of the Avengers. He wields
0:40
the hammer Mjolner, and his
0:42
brother is Loki. She's
0:45
not even growing her eyes, She's just staring me down
0:47
this time. Okay. So seriously, though,
0:49
what tour is free software. It's
0:52
an open network, and it helps you defend
0:54
against traffic analysis. In other words,
0:56
people trying to figure out what you are
0:58
doing and who you're commun ninicating with. Traffic
1:01
analysis is a form of network surveillance
1:04
that threatens personal freedom and privacy. Uh,
1:06
it threatens confidential business activities
1:08
and relationships, and it threatens state security.
1:11
Therefore, some folks got
1:13
together and said, hey, you know what we should do is we should
1:15
come up with the means to allow
1:18
people to communicate over the Internet,
1:20
but do so in a private,
1:22
anonymous fashion, so that you can
1:24
set up these anonymous channels. Perhaps
1:26
the most popular way to access this is
1:28
through a customized build a Firefox
1:30
called the Tour Browser Bundle. Right,
1:33
Yeah, because just using Tour on its
1:35
own is one thing to do to
1:37
to allow you to have a little more of an anonymous
1:39
presence, but it requires
1:42
more than that, because if you access Tour through
1:44
some other means, if you don't have say Flash
1:47
disabled in your web browser, then
1:49
you're still kind of broadcasting where
1:52
you are because Flash often involves
1:54
uh identification information
1:57
in order for it to work. So it
1:59
is a and source. So if you feel like getting in there
2:01
and and doing your own thing, you're absolutely able
2:04
to um and uh and
2:06
And a lot of people do use it in one
2:08
form or another. At its peak, in more
2:11
than half a million people were using it every day.
2:13
Yeah, oddly enough, I think as
2:16
I a call in that year, there was some news that broke
2:19
about government agencies.
2:23
Yeah, Edward Snowden had that leak
2:25
about the n s A, and suddenly
2:27
people were thinking, you know, I was like it
2:29
doubled. Yeah, Yeah, it was one
2:31
of those things where people began to get very
2:34
concerned. And it's not necessarily
2:36
that these people are doing anything wrong. In fact,
2:38
that's not the point at all. The point is that
2:41
they have an expectation to privacy
2:44
and being able to hold this kind of anonymous
2:47
communication with other people. The
2:49
communication itself isn't necessarily anonymous,
2:52
but the channels are. Uh,
2:54
you know, that's just that's just an expectation we have.
2:57
It's not that, you know, I'm planning
2:59
something to Ferry. It's just if I want
3:01
to send a message to Lauren, and
3:04
it's just for Lauren's eyes, I
3:06
don't think anyone else has the right
3:08
to look in on that. So yeah,
3:10
and in normal internet traffic, that's absolutely a
3:13
possibility. Yes, Because we've
3:15
talked a lot about how information travels
3:17
across the internet. You know, it all gets divided
3:20
up into these little packets. Then the packets
3:22
go across the network and then get
3:24
put together Willy Wonka style on
3:26
the other side, so that you get whatever it is you
3:28
were trying to send, which is unfortunately probably
3:31
not a delicious chocolate bar no or Mike
3:33
TV either. It's not neither of those
3:35
things. What it might be like if I, if I were to send
3:37
that email to Lauren, and it's a sizeable
3:40
email, that email gets divided up into
3:42
numerous packets. The packets go
3:44
across the Internet, not necessarily taking the
3:46
same path, and they eventually reassemble
3:49
on the other side and then Lauren can read it. But
3:52
in order for that to happen, these packets
3:54
have to have little bits of information so the
3:56
routers know where to send the information
3:58
onto next. So it's
4:01
kind of like an address on a piece
4:03
of mail. So let's say
4:05
that you've got a snoop in your neighborhood
4:08
and this person is getting into everybody's
4:11
business. And the way this person
4:13
does it is they look at all the mail
4:15
that's going in and out of
4:17
a person's mailbox. And even if they're not
4:20
opening that mail and and reading
4:22
all of it, just just the fact that you're sending
4:24
it to particular people at particular times
4:26
can tell that snoop a lot about what's going
4:29
on. Right, So if you're sending out, uh,
4:31
you know, envelopes to say
4:34
a medical facility,
4:36
that could give a lot of information to a snoop
4:38
if they're seeing that stuff from various
4:41
insurance companies is coming into you that
4:43
could you know, I'm going with a medical thing here,
4:45
but really this applies to any sort
4:48
of communication. So
4:50
so what we're saying is that it's not enough for
4:52
the content of what you send over
4:54
the internet. Uh necessarily,
4:56
I mean you are hypothetical, you maybe you're
4:58
fine, it's not enough for you to encrypt
5:00
the content, but the actual transfer
5:03
of the content in some cases needs
5:05
to be encrypted exactly. And there are a lot
5:07
of legitimate cases where you
5:09
would want that to happen. I mean, let's
5:12
talk about journalists for example.
5:14
So you might have a journalist who is pursuing
5:17
some major story,
5:19
perhaps they're in unfriendly territory
5:22
to do so, and they want to be able
5:24
to contact sources that
5:26
might be in danger otherwise if there
5:28
if if this communication were publicly known
5:31
or really anything that could endanger
5:33
the journalist, a source, or the story
5:35
itself, then you would want to have a
5:37
way of securely communicating and
5:40
making sure that no one's really snooping
5:42
in on you. Well, that's that's a
5:45
perfectly legitimate source. There are governments
5:47
that use this kind of thing in order so
5:49
that they can gather information and
5:51
disseminate information. Uh, you've
5:53
got companies that use this kind of stuff
5:55
in order to have secure
5:58
communications about upcoming products
6:00
or services that are not part of the public knowledge
6:02
and don't need to be oh sure, I mean even if
6:05
you're just doing r and D about something you
6:07
know, like like let's say that you're the
6:09
example that you used and in our notes here is Apple.
6:11
Like if here, if you're creating a new product and you
6:14
start researching patents online,
6:16
um, the right person could could
6:19
find your searches and figure out
6:21
what you were looking for, and that
6:23
sucks for you. Yeah, yeah, if you
6:25
had the next big idea and
6:28
you were waiting, because you know, like
6:30
the company of Apple, they get a lot of
6:34
a boost from folks whenever they
6:36
announced something brand new that surprises
6:38
everyone, which of course is exactly
6:40
why you have so many news agencies
6:44
scrutinizing everything Apple
6:46
does in order to try and guess what's
6:48
coming next. So the more
6:50
you're able to keep that secret, the bigger
6:52
the impact is when you unveil it. Because
6:55
the worst, the worst feeling
6:58
is when you tune into an Apple of that and
7:00
it ends up being exactly what you expected. It
7:02
was. Time to be right. Every everyone still
7:04
tunes in but then they're like, oh, but that's exactly
7:07
what they were talking about last week. I know,
7:09
and you read what they wrote last week,
7:11
so stop it me.
7:16
Sure, and and lots of other people who could
7:18
generally be considered to be working
7:21
for for non nefarious purposes, but
7:23
nonetheless would like a little bit of secrecy, uh,
7:26
for example, activists or whistleblowers,
7:28
um or you know Chinese citizens who
7:30
really just want to use Facebook or read news from other
7:32
countries. Sure, and we've seen plenty
7:34
of examples also, things like the Arabs Spring.
7:37
You know, places in the world where you
7:39
have people who are
7:41
trying to enact change in a very
7:44
harsh environment where if
7:46
their activities were picked up on by
7:48
official sources, government sources,
7:50
state sponsored sources, they
7:52
could face some serious consequences.
7:55
And it's not necessarily the again, like you
7:57
said, that they're doing anything nefarious, it's just they
7:59
can't do it at all without fear
8:02
of some form of consequence
8:04
unless that can remain secure. So
8:06
you've got to figure out how do we make this secure.
8:10
Also, we have to figure out how
8:12
do we frame this in such a way where we
8:14
also admit some people do
8:16
use it for nefarious purposes. Oh, sure,
8:18
of course. I mean there are plenty of
8:21
people out there who are going to use this
8:23
kind of anonymous connection in order to conduct
8:26
illegal or otherwise illicit activities.
8:28
We've talked about some of them in previous episodes,
8:31
in fact, and we'll mention some more as
8:33
we go along. So again,
8:35
it's one of those things where you would probably argue
8:37
that it's a relatively small
8:40
percentage of the population using it for
8:42
these purposes, but they're the ones who get
8:44
the most press, uh, and
8:46
so therefore it kind of
8:48
creates this public perception that people
8:50
who use tour are up to something. Also,
8:54
you know, we mentioned the fact that in a
8:56
normal Internet communication, the
8:59
you know what, what amounts to the
9:01
the address on the label is perfectly
9:04
visible because it needs to be so that it can route
9:06
across gets to the place it's gone. Yeah,
9:08
and Tour they had to figure out a way
9:11
around that so that you could have it be
9:13
ob you skated, so that if
9:15
someone were to snoop in on communication,
9:18
they would not be able to determine what the origin
9:20
nor destination were. And
9:22
that is pretty amazing
9:25
stuff because you gotta you gotta figure out a way of implementing
9:28
that where it can still work, Like, how
9:30
do you disguise the address and
9:32
still hope that it gets to where it's going,
9:35
Because if we did that to the to the US Postal
9:37
Service, our stuff would never get
9:40
anywhere. And it wouldn't
9:42
be their fault either, because you just wouldn't
9:44
be following the rules. Oh sure, Yeah, if you don't write your
9:46
address on something, then how does
9:48
it get to that place? So here's
9:50
another funny thing, Lauren, Um,
9:53
who was it that came up with
9:55
this whole tour idea?
9:58
I mean it must have been like, um,
10:00
like hackers, you know at
10:03
def con convention, who
10:05
all got together and so we don't want the government looking
10:07
in on our stuff, right, you know? It was the
10:09
government. It was the it
10:11
was it was the U. S. Naval Research Laboratory
10:14
UM back in back in actually,
10:17
which makes it extra hilarious that
10:19
that the n s A has
10:21
kind of been trying to crack trying
10:23
to crack it because you've got a government agency
10:26
doing its best to figure out how to intercept
10:30
information that goes across a tour network,
10:32
and another government US government
10:35
entity that's responsible in
10:38
large part for the creation for its creation
10:40
and furthermore, other governmental agencies
10:43
that are responsible for funding it. As of one
10:45
point two four million dollars, half
10:48
of tours revenue UH came
10:50
from government grants, including a large
10:52
part from the Department of Defense. So this
10:55
is an example of two different parts
10:57
of the United States government working at odds
10:59
against each other, one part saying
11:01
this is absolutely necessary for us to
11:03
be able to operate in a
11:06
secure way, and the other part saying,
11:08
we want to be able to see what's going on here. So
11:11
so so yeah. But but this all got its start back
11:15
with the U. S. Navy and UM. It
11:17
was part of an onion rooting
11:19
project. Routing project, Yeah,
11:21
rooting. If you're in England, it's routing.
11:24
Here in the US, it's usually routing either
11:26
way. Why would you even call it
11:28
an onion It's because it relies
11:31
upon quote a layered object
11:33
to direct the construction of an anonymous,
11:35
bidirectional real time virtual circuit
11:37
between two communicating parties and initiator
11:39
and responder. And that's as clear as
11:42
day. Yeah, we can just end the podcast now,
11:44
guys, don't worry. We're going to explain the
11:46
whole layered thing a little bit later
11:48
on. So we will. We will make
11:51
sure that you understand why
11:53
an onion It's actually a pretty clever
11:56
way to describe what's going on. But the
11:58
project had specific goals
12:01
to research and develop and build
12:03
anonymous communication systems, to
12:05
analyze other anonymous communications
12:07
systems, and to create low latency
12:10
Internet based systems that resisted traffic
12:12
analysis, eavesdropping, at other attacks
12:15
from outsiders as an Internet
12:17
routers or insiders as an
12:19
onion routing servers. I
12:22
have more to say about the secrets of tour. The deep
12:24
Web got a lot of layers
12:26
to peel off that onion. But before we
12:28
get to that, let's take a quick break.
12:38
So the ideal was to create some
12:40
form of distributed system
12:42
where you could have two parties communicating
12:45
with one another and no one would be
12:47
able to know that those two parties were in
12:49
communication. They would know the communication
12:51
is going on because traffic is moving across the network,
12:54
but because of the network's design, they
12:56
would have no way of knowing what to end
12:58
parties were actually communicating with one another. Because,
13:00
just as we were saying with that snoop, even
13:03
if you can't see what the information
13:05
itself is, just knowing who is talking
13:07
to whom gives you a lot of
13:10
info right because of this,
13:12
and funnily enough, the Navy actually had to step
13:14
back from the project in order to make it actually
13:17
useful because the network needs to be open,
13:19
right. Um. So, I mean if
13:21
if you know, if you can see that everything is
13:23
coming through, if if
13:26
only the Navy used it, then you would know
13:29
whenever communication was happening that the Navy
13:31
was communicating with people like
13:34
you would. You would have limited the number of
13:36
people that could possibly be the ones
13:38
communicating by making it open and
13:40
say this is a playground where everyone
13:42
can come in. Suddenly you can't tell
13:44
who's communicating with whom because there's so
13:46
many's too much noise and not in the traffic,
13:49
right. Um. So, the project incorporated
13:51
as a nonprofit in two thousand six, and
13:53
it currently depends a whole lot on crowdsourcing.
13:55
UM. There are only nine full time
13:57
tour employees as of this podcast, which
14:00
we are recording on April. By
14:03
the way, um and uh, the
14:05
rest of the development is spread across dozens
14:07
of part time assistants and hundreds of volunteers.
14:10
The code is open source, which
14:13
actually makes it harder to mess with. Um. You
14:15
know, like if someone say, say the n s A
14:17
tried to create a vulnerability deliberately,
14:20
then anyone could catch
14:22
it, right, Yeah, it's not like it's hidden
14:25
the way behind closed doors. In that way, it
14:27
gets overlooked and you suddenly have this back
14:29
door entrance into the Tour network. No,
14:32
it's it's it's much more likely for someone to catch
14:34
it if lots of people are looking. Yeah exactly. Yeah,
14:36
you've got lots of people checking on it all the time.
14:38
So it's actually more secure by being
14:40
in plain sight in that way. So here's
14:43
how it used to work. Because you
14:45
know, I mentioned that tour was
14:48
had an onion in the oh, but it doesn't really
14:50
involve onions anymore. And
14:52
then we've mentioned onions. Yeah, so yeah,
14:54
so we're gonna we're gonna go back to how
14:56
it worked originally because the way it works
14:58
now is not that much different, but it doesn't involve
15:01
the onion metaphor anymore. So, first
15:04
of all, to achieve anonymity, the Tour Network
15:06
uses something called privoxy filters,
15:08
which prevent client information from reaching
15:11
servers. So this means
15:13
that a client, you know, that's that's your computer.
15:16
When you are trying to access anything,
15:18
Let's say you're using your your browser
15:21
to access your email, because I love that example.
15:23
It's easy one. So your your computer
15:25
is the client. It's sending a request
15:28
to another computer. It's asking for
15:30
data from this computer that
15:32
hosts the the email service
15:35
that you use, and that is called the
15:37
server. Now, normally the server
15:39
receives information that can identify the
15:41
client, so you have some sort of
15:43
address that identifies
15:46
this is the machine that's asking for that information.
15:48
So then the server knows exactly who it's
15:50
talking to. Well, privoxy filters
15:53
prevent that from happening, so it's possible for
15:55
a client's identity to remain unknown
15:58
to the server and also
16:00
to the rest of the network as these
16:02
requests go across the network. Also,
16:05
one of the other things that has and we'll talk more about
16:07
this in a bit, is the ability
16:09
to create hidden services. But you
16:12
know, I'm not going to spoil that because the discussion
16:14
we have later on will really kind of bring that to
16:17
light and it will make much more sense after
16:19
we talk about exactly how this communication occurs.
16:22
Yes, so it's possible
16:24
to use onion routing software to send information
16:27
completely anonymously. In other words, you could use
16:29
it so that you could send an anonymous
16:32
message to someone else, they would not know the
16:34
identity of that person. But that's not the purpose
16:37
of tour. The purpose, like I said
16:39
before, is to allow anonymous channels
16:41
of communication. So you
16:44
and the person with whom you're communicating know each
16:46
other's identity, but nobody else does, right,
16:48
So this allows you to have that honest,
16:51
open expression of information without
16:53
fear of someone else snooping in on you or
16:56
any other consequences apart from whatever
16:58
consequences come from just that communication
17:00
between two parties. If you tell
17:03
someone that they dressed like a slab, there's
17:05
going to be consequences. What I'm saying doesn't
17:07
have to be someone snooping in on you. Good
17:10
point. I get that a lot. Uh.
17:13
So it uses proxy servers,
17:15
and a proxy server acts as an intermediary
17:17
between a client and some other server.
17:20
So you can kind of think of it as this is the go between.
17:23
So if I were to send a
17:25
request to get my email,
17:28
but I wanted to go through a proxy server, I
17:30
would log into the proxy server. The
17:32
proxy server would then send my request
17:35
onto the email server, and
17:38
from the email servers perspective, it looked like
17:40
the proxy server was the origin of that
17:42
request, it isn't able to see back
17:45
to exactly there's
17:48
a hop missing there. So
17:50
that's really important in this. And uh,
17:53
the communication part is
17:55
the tricky part. Like I said, So you've got this information,
17:58
it's passing between nodes or little
18:01
routers within the tour network. Okay,
18:03
so think of these nodes as rest stops
18:05
between the client, the sender,
18:08
and the recipient the server. Right. Each
18:10
node only knows the identity of
18:13
the node before it and the node after it,
18:15
right, So uh, and the note before it and
18:17
after it completely is dependent
18:20
upon when you're sending the message, because you're
18:22
you're going to create new pathways every
18:24
time you create a connection, so it's not like
18:26
you have a set path each
18:28
time. It's like the Internet. It's very
18:30
flexible. So when you
18:32
send a message, and let's say it's going through letters
18:35
A through G, we're just designating these
18:37
nodes as A through G and for some reason it's
18:39
going into a B, C, D, E F G order. So
18:42
node D only knows about
18:44
nodes C and E. The information
18:46
came from C. It knows it has to send the information
18:49
onto E. It has no awareness of
18:51
a B or you know, effor G. So
18:55
that's it. And that means that if
18:57
you were to intercept information
19:00
passing between two nodes, you would just know which
19:02
note it came from and which node it went to. You wouldn't
19:04
know the actual person who sent it, nor would
19:06
you know the person to whom it went. Ultimately,
19:08
on top of that, the nodes
19:11
encrypt the communication as it's passed
19:13
along. Yes, and this is where you get
19:15
that layer and layer and layer of
19:17
encryption. And because there's so many
19:19
layers of encryption, well, what else
19:22
has lots of layers? An onion?
19:24
I was going to think of Game of Thrones, but yes,
19:26
Onion is right. Onion is exactly the thing
19:28
that they went with because Game of Thrones really wasn't
19:31
that popular. Also, it's proprietary. I
19:33
mean, you know, yeah, that probably would have George
19:35
R. Martin gotten a little upset about that. But
19:37
yeah, so so Onion is in fact
19:40
what they went with because there's so many different layers
19:42
of encryption. Still a little
19:44
bit more to talk about with the secrets of tour in the
19:46
Deep Web, but before we get to that, let's take
19:48
another quick break. Okay,
19:57
so here's my example, and I think
20:00
it's a doozy of an example. Because it's completely
20:02
believable. I decided to
20:05
use as an example two of our beloved
20:07
co workers here at how stuff works.
20:09
Uh And when you start thinking to yourself,
20:12
who would be so paranoid
20:14
that they would need an incredibly secure communication
20:17
process? Two names leap to
20:19
mind from the shadows and then back
20:21
into the shadows, because that's where they belong. One
20:24
of them wearing a gremlin mask. Yeah, and maybe
20:26
a fedora on top of it. It's not a fedora, I
20:28
know, Ben Dora. No, it's a trill Bey,
20:31
I'm going to call it a fedora anyway. So Ben Bolan
20:33
and Matt Frederick so stuff they don't
20:35
want you to know hosts. Yes, and if you've
20:38
never ever listened to that show, go
20:40
check it out. Watched the
20:42
show. Yeah, that's great. So so let's
20:44
say that Ben wants to contact Matt
20:46
and he wants the communication to be secure, so he sends
20:48
it across the Tour network using this
20:51
freely available software. He's got the Tour bundle
20:53
installed and he sends the message
20:55
along. So here's what happens. Ben would
20:57
contact a proxy server on the TORN
21:00
network. Now, that proxy server
21:02
would then determine the route of
21:04
nodes or the number of hops
21:06
that it will take to get from the
21:08
proxy server to Matt's computer. So
21:11
for argument's sake, let's say again that it's
21:13
just uh five nodes,
21:16
So it's a B, C, D E.
21:18
Those are the Those are the nodes that it's
21:20
going to go through. Now, each
21:23
hop becomes an encryption layer
21:26
on this onion, and the core of the
21:28
onion is Ben's original message
21:30
to Matt, So that's the very center. Now
21:33
Ben's proxy server starts to construct layers
21:35
of encryption based upon the path
21:38
that this onion is going to take
21:41
journeying from the proxy server all
21:43
the way to Matt's computer, and the innermost
21:46
layer will be the encryption for Matt's proxy.
21:48
Yes, so the next layer out would
21:50
be the node just before it
21:52
gets to Matt's proxy. The next
21:54
layer out would be the node before that, and
21:57
so on and so forth until you got to the first
21:59
node that the proxy server sends
22:01
this onion onto. Now, every
22:03
time the onion travels to a new node, it
22:06
decrypts that layer. The corresponding
22:09
layer strips of encryption. Yeah,
22:11
so that that layer of the onion gets pulled away,
22:14
and that's how the node knows where
22:16
to send it onto. Next,
22:18
so proxy service sends it on to node
22:21
A. Note A strips away that
22:23
encryption and sees that needs to send it on to Node
22:25
B. Node B gets
22:28
this onion. Now Node BE only
22:30
knows that Note A set the onion, doesn't
22:32
know where the onion originally came from, and
22:34
it decrypts that. Next layer strips
22:37
it free UH, finds the identification
22:39
of Notes C and send it along. Yep. Node
22:41
C doesn't know about Node A, just notes knows
22:43
about Node B, so so on and so forth till
22:45
it gets to Matt. By the time it gets to Matt,
22:48
all those layers of encryption have been stripped away and that
22:50
can actually read what the messages. Therefore,
22:52
anyone who's trying to analyze all of this traffic
22:54
would would just see a message passing between
22:57
two seemingly random routers with
22:59
with no way of knowing either where
23:02
that information came from or what the ultimate destination
23:04
is. Yep. And because you've encrypted it
23:06
so many times, they probably can't even tell
23:09
what the information. They can't read it, they
23:11
don't know where it's going. They're
23:13
in the dark. So to them, it's just all
23:15
they know is that traffic is going across this
23:17
network, but they don't have any way of deriving
23:19
meaning from that. Now, once
23:22
Matt's proxy receives that onion, a
23:25
virtual circuit forms along the
23:27
notes. Think of it as like a temporary
23:30
pathway that solidifies
23:32
between uh Ben's proxy
23:34
and that's final computer,
23:37
and it allows for encryption
23:39
to pass both ways. So you have
23:41
two different kinds of encryption. You've got one
23:44
kind whenever Ben sends a message
23:46
to Matt, and essentially you have the
23:48
inverse of that when Matt
23:50
sends it to Ben. So unless
23:52
you have the key to that encryption, you
23:54
can't figure out what's going on either.
23:57
So it's it's pretty
23:59
secure or now there are some la
24:03
Mainly we're talking about vulnerabilities when you send
24:05
it from your computer to that proxy server
24:08
and when that last proxy sends it to the
24:10
destination, because this is when
24:12
you don't have the protection of
24:15
the network itself. It's when it's you can
24:17
think of it as the information is leaving the network
24:19
to get to wherever it's going or entering.
24:23
Yeah, and again, if you're using
24:25
a browser that still has certain things
24:28
enabled like Flash or Java, then
24:30
you may end up having sending
24:33
along some information that people could identify
24:35
you on based on that, but within the network
24:37
itself, it's incredibly secure,
24:40
right And and so this, this circuit that that you've
24:42
created, well will last as long as both parties
24:45
want it to. You can you can send a command to collapse
24:47
it at the end of your session, you say
24:49
destroy, and it collapses.
24:51
This uh, this virtual circuit, and then if
24:53
you wanted to create a new one, you could, and it
24:56
would be a new virtual circuit, probably
24:58
taking a totally different hathway through the
25:00
nodes. And you know, I made the example
25:02
of ABC D E that kind of
25:04
stuff, but really, you
25:07
know, it could be any order. You know, it's it's
25:10
and it will be any order, right, that's
25:12
all. That's one of the whole points because if it were the same pathway
25:14
each time, then you would ultimately be able to determine
25:17
who sent it and who it went to. So it
25:19
has to be uh, you know. And of course,
25:21
the more the more routers you have available,
25:23
the more of these relay nodes you have, the
25:26
more secure the communication becomes, so
25:28
that's also really important. Then there's
25:30
also a concept called loose routing, which
25:33
adds another layer of security on this because
25:35
like I said, you know, you ultimately you
25:37
have these proxies that no way
25:40
more information than all the nodes do. They
25:42
have to in order to be able to make that layer
25:44
of encryption and have this onion pass
25:47
from one spot to the next. So
25:49
one thing you could do with loose routing
25:52
is that the proxy ends up sending
25:55
the onion on to the
25:57
first node. But that's all the proxy
25:59
knows about the probably and then the first nodes responsibility
26:02
is to create the rest of that pathway.
26:05
So even that first stop isn't
26:07
aware of where, how, what path it's
26:09
gonna take to get to its destination.
26:11
It just knows this is the first step
26:13
of that path, but beyond that, I don't know. So
26:15
it adds another layer of security to it that
26:17
way. Now, again, if you were able to target that first
26:20
node, you might be able to figure some
26:22
stuff out, but really you just know that it came from a proxy.
26:24
You wouldn't know who sent the
26:26
information to the proxy in the first place. But
26:29
yeah, so we've got these these
26:31
endpoints that have some vulnerabilities, but other
26:33
than that, it's it's pretty secure. Uh,
26:36
I've got to We've got a great little bit about how secure
26:38
it is, and a little in just a little while. But
26:40
today nodes or relays
26:43
within the system still don't know the origin
26:45
or ultimate destination of information, and
26:47
you still create virtual circuits between
26:49
the initiator and the recipient for
26:52
encrypted anonymous channels. But there's no more
26:54
use of this onion metaphor.
26:57
I mean, it's not it's not the same implementation.
27:00
You get the same result, but it's a different
27:02
implementation that does it. But it's
27:04
this, you know, it's following a lot of the same
27:06
philosophies. And you've got a Tour directory
27:09
that keeps track of all the available nodes
27:11
that are on the system at any given moment.
27:14
As of January, there were about
27:16
five thousand computers around the world operated
27:19
by those volunteers that I mentioned serving as potential
27:21
nodes in this system. Right, And when you send
27:23
a message to a recipient across the Tour network,
27:26
your tour browser or whatever
27:28
consults this directory, which
27:31
then gives it a route
27:33
of nodes, and then you can send the encrypted
27:35
information across and each node further
27:37
encrypt the message again and only
27:39
knows the note immediately before and after, kind of like
27:41
the previous version we just talked about.
27:44
So it's not that different. It's just
27:46
this whole layer metaphor is kind
27:48
of no longer as accurate. But
27:51
um, yeah. One thing you've got to remember
27:53
is that because you've got this extra layer of encryption
27:56
going on and it's purposefully
27:59
obvious, skating the the origin
28:01
by hopping around a lot, communication
28:04
is not as quick, right. It's going to
28:06
take a longer necessarily, So if you're using
28:08
tour in order to send instant messages, your
28:10
definition of instant maybe a little different
28:12
than what it normally would be. It may just
28:15
be pretty darn quick, but not as instant
28:17
as this other method. Yeah.
28:19
Um. Furthermore, it is not the
28:21
most secure thing that you can do. No.
28:24
I actually read a great article on
28:26
the best way of using tour as
28:28
as part of an approach
28:31
to securely using the Internet and maintaining
28:33
your anonymity, and I thought about including
28:36
it in this podcast. I really did, guys. I
28:38
was gonna go all into the
28:40
tips this guy had, and then I realized that it was
28:42
so in depth and there was so
28:45
much to keep tak into consideration that
28:47
really we could just do a full podcast
28:49
just on that, and perhaps in the future we will.
28:51
If you guys in particular, want to know. Seriously,
28:54
I want to be as anonymous and secure
28:57
as possible. Tell me what I need to do. Well,
28:59
we'll we'll give you podcast. We should we should
29:01
do that episode. UM, I'll tell you right now. It's
29:03
crazy, but but right because because
29:05
even if you're using the most recent version of Tour
29:08
I mean, which, as we have just detailed,
29:10
is an incredibly uh complex
29:13
and encrypted process,
29:15
a determined party could exploit vulnerabilities
29:18
and Firefox itself, which which Tour is based
29:20
in. UM, it could attempt to set up
29:22
monitoring nodes in the network, or
29:25
it could just methodically work on key
29:27
decryption in order to spy on your activities
29:29
so stuff can still
29:32
happen. Yeah, we'll think about doing
29:34
a full security episode. I mean, I
29:36
kind of think we'll have to pull Ben in for that one.
29:38
Oh, that would be great. We should totally do more classovers.
29:41
We'll we'll see if we can get Ben to be
29:43
available for an episode where we really
29:45
talk about and you know it's going to
29:47
sound paranoid and crazy, but the thing
29:49
is technology in order for it to work, UH
29:52
needs to have certain information so
29:54
I can allow you to have this communication.
29:57
But because it needs that certain information. It
29:59
means at your anonymity is at
30:01
risk, so you've got to do these kind of crazy things.
30:03
Also they're wacky bugs like heartbled
30:07
Yeah actually, um okay, go
30:09
ahead and mention this so heart bleed. If you
30:12
listen to our previous episode, we talked
30:14
all about this vulnerability that was an
30:16
open SSL versions one
30:18
point zero point one through one
30:20
point zero point one f and
30:23
UH and how that ended up meaning that
30:25
people who use the heartbeat
30:27
method could get access to encryption
30:30
keys and thus see everything that's
30:32
going across the server. So you might wonder does
30:34
this work on the tour network, this
30:37
crazy relay node network, And
30:39
the short answer is, technically it works,
30:41
but it doesn't help anybody out because
30:45
even if you were to see the
30:47
information moving across a node, it
30:50
still has multiple layers of encryption, so
30:53
it's not as vulnerable. Vulnerable, Yeah,
30:55
although I mean toward toward being toward
30:58
did say that you know, if you if you only
31:00
want to be secure, you might just want to stay off the internet for
31:02
a few days, right, And they did say that
31:04
they had planned on rolling out patches
31:06
of the open ssl UH
31:09
software because the upgrade the
31:11
newest patch does patch that vulnerability.
31:14
So they are going to be fixing
31:17
up those nodes over time anyway.
31:19
In fact, by the time this podcast comes out, most of them
31:21
may already be addressed. But
31:24
yeah they said that, Um that worst case
31:26
scenario, you're probably still pretty
31:29
okay, you know in the
31:31
grand scheme of things.
31:32
That herd
31:34
bleed story was a real eye opener.
31:37
Yeah. Then we have the other
31:39
thing we alluded to earlier, oh right, hidden
31:41
services, and that's where that dark net or
31:43
deep web kind of thing comes in. Um
31:46
okay. So, so tour also
31:48
provides a way to to offer up access to
31:50
a server or to run an entire service
31:52
without revealing your IP addressed to your users
31:55
and from behind a firewall. Um,
31:57
sites and services set up like this are are off
32:00
the beaten Internet path. You can't even find them
32:02
using Google or other web searches.
32:04
You have to be using tour in order to find
32:06
them. And um they're they're all using what's
32:08
called the dot Onion extension because
32:11
onions. Um okay. So, so basically
32:13
how this works. The hidden service has
32:16
a public to tour listing, and
32:18
so when a client wants to access that service,
32:21
the client sets up a rendezvous node
32:23
and sends along an access request via
32:25
the usual tour encryption routing
32:28
process UM through a
32:30
random introduction node that the service
32:32
has set up UM, and
32:35
then the client and service can contact
32:37
each other through that rendezvous node, again
32:39
using the usual tour circuits UM.
32:42
It's it's like the introduction and the rendezvous
32:44
nodes are translators, right. It
32:46
protects the service and the client because
32:48
neither knows where the other is.
32:50
That the translators are the recipients for
32:52
each party's communications. And so
32:55
this this deep web
32:57
or darknet hosts
32:59
law of different stuff, some things that
33:01
are definitely in the nefarious category,
33:04
like the Silk Road, although Silk Road
33:06
still has some legit. Sure
33:11
of the stuff that was on Silk Road was completely
33:13
legal, the other not
33:15
so much. Yeah, so a silk
33:17
Road, of course that got shut down, but it
33:20
existed on tour and
33:22
this kind of hidden web because you know,
33:24
you wouldn't want it to
33:26
be easily accessible, uh,
33:28
and then everything would come
33:30
crashing down, you know, ultimately came crashing
33:32
down anyway, but it was hidden better than
33:35
just sitting there and on the web. So
33:37
yeah, that's that's definitely one
33:39
of the other issues. And again there are
33:41
other things that are on this deep net, this
33:44
this dark net or rather or deep web that
33:47
again not nefarious at all. They
33:49
have very legitimate purposes for existing.
33:52
It's completely legal, but it's also designed
33:54
in such a way as to protect the identity
33:56
of the people who need to use the services.
33:59
So it again, just
34:01
because we have some really high profile
34:03
examples of naughtiness
34:06
doesn't mean that the entire network
34:08
is naughty, just like there are other
34:10
services that people have used where some
34:12
people are using it in order to get
34:14
like illegal downloads of whatever
34:17
content they want, but most people
34:19
aren't. A lot of the focuses on the people
34:21
who are the pirates, and thus the entire
34:23
service gets painted as yeah,
34:25
yeah, it's I I read a really
34:28
great quote and I don't have it open right now, and um.
34:30
Bloomberg business Week did a really great
34:32
article in January about
34:35
about tour in general and the
34:37
kids who are running it and all that kind of stuff, and uh,
34:40
the the example that I think they used was that,
34:42
you know, you don't hear about someone
34:45
who's stalker couldn't find them. You
34:47
you hear about the kid who got drugs or
34:50
the child porn rang or something,
34:53
right, Right, So you know, there are
34:55
some very very the
34:57
Navy wouldn't have been interested in making this
35:00
uh in order just to have crime happened,
35:02
because as low as your opinion of
35:04
the Davy, maybe depending on if you're
35:06
a Marine or not, it's it's
35:08
really not in that business. No. But
35:11
but certainly the fact that this kind of
35:13
illegal activity can go on means that
35:15
it attracts attention from, for example,
35:18
the n s A. Yes, uh,
35:20
I love the stories about the n s A and
35:23
Tour because they're both
35:25
infuriating and funny at the same time.
35:27
So infuriating in that uh, the
35:30
n s A has attempted. We know
35:32
the n s A has attempted to try and crack
35:34
because some of those
35:36
slides that have come out from Standon's
35:38
League as specifically mentioned Tour yep
35:41
and UH. One of
35:43
the documents within the n s A is
35:46
titled Tour Stinks. And
35:48
the reason they say Tour stinks is because
35:50
it's so gosh darn't hard to figure
35:52
out what information is within
35:55
the Tour network. Now, they
35:57
do note that if you are able to target
36:00
those points where information is
36:02
coming into the network are coming out of the network,
36:05
then you are more likely to be able to determine
36:07
what is going on and who was talking
36:09
to whom. But if it's
36:12
within the network itself, there's no
36:14
report that has leaked so far that
36:16
has indicated the NSA has been able to crack that,
36:19
which has not stopped a whole lot of
36:21
theorists from saying that they
36:23
have totally cracked it, and that
36:25
the reports saying that they haven't cracked it
36:27
are just so that people feel, yeah, that they
36:30
people will feel a false sense
36:32
of security using Tour. Here's
36:34
the thing about conspiracy theories, and again, I wish we had
36:36
been on here right now. Uh you know, you
36:38
can. You can have a lack of evidence and that
36:40
becomes evidence, or if you have a denial,
36:43
then that becomes hard evidence. You
36:45
know. So I
36:47
I think, I really do think, because
36:49
I don't think the n s A ever intended
36:52
for all the information to leak out based upon I
36:54
don't know everything that's happened since then.
36:57
Uh so I'm pretty willing to
36:59
believe that they have not yet cracked
37:02
how to get look
37:04
at information in a meaningful way on the Tour
37:06
network itself. In general, I would say
37:08
that Tour seems for many
37:11
purposes pretty secure. Now
37:13
keep in mind you still have to uh
37:15
practice good internet security on
37:17
your own, even if you're using tour. UH
37:21
And like I said, well, maybe we'll do a full episode
37:23
on that. If you're interested in that, let's no because
37:25
you know maybe that our listeners are thinking, wow,
37:27
they did a heart bleed episode in a tour episode.
37:30
Go back to talking about Nintendo and
37:32
that wraps up this classic episode from hope
37:36
you enjoyed it. If you have any topics
37:38
that you think I should tackle for future episodes
37:40
of tech Stuff, or maybe there's one that you've
37:42
listened to and you think that really needs an
37:44
update it's seriously overdue. Let
37:47
me know the best way to do that is over on Twitter.
37:49
The handle I use is tech stuff hs
37:52
W and I'll talk to you again really
37:55
soon. Tech
38:00
Stuff is an I Heart Radio production.
38:02
For more podcasts from I Heart Radio,
38:05
visit the i Heart Radio app, Apple Podcasts,
38:07
or wherever you listen to your favorite shows.
Podchaser is the ultimate destination for podcast data, search, and discovery. Learn More