The Tor network is billed as an anonymiser: a way for internet users to connect to websites without the operators of those websites knowing who is visiting. Think of it as caller ID blocking for your internet connection.
There was a huge controversy a couple of months ago when a Swedish hacker, Dan Egerstad, set up a rogue Tor exit node and intercepted the data that came through it.
He wound up intercepting the emails and mail passwords of government, embassy, NGO and corporate staffers. Initially we all thought that Dan was able to do this because the organisations were using Tor in a silly way, thinking that it was encrypting all of their traffic. But as we'll find out, Dan now says that the passwords he intercepted were actually being used by hackers who had already compromised the mail accounts -- the bad guys were using Tor to mask their attacks.
Dan Egerstad (DE): I did it because I had to do some research on how many people are actually encrypting their emails and I thought 'well, Tor is pretty much used all over the world so it is going to be easy to get some statistics of the numbers on how many people are encrypting their email'. I was doing this research for a couple of days and right before I was shutting it down, I accidentally saw a government email. That caught my attention and I got the idea to put up more nodes and do this for a longer time and see what happens.
Patrick Gray (PG): What did happen?
DE: Well I did set up five nodes all over the world pretty much and what happened was I put in a regular packet sniffer and sorted out for words like government, gov and certain domain names, military, war, terrorist and all kinds of words which I thought the NSA probably used and I am going to use the same ones. It started pretty much just flowing in. Mail from all over the world... around two hundred and fifty perhaps three hundred different email accounts flowing into governments.
PG: Anyone can set up a Tor node can't they?
DE: Yes anyone can and you don't have to know anything at all, you just download software off the internet and you are done.
PG: So it is something that you run on a typical home PC?
DE: Yes, I ran it on Linux servers of course but you can run it on Windows as well on your home computer.
PG: Were you surprised by what started flowing through those boxes when you started filtering for those key words?
DE: Yes I was. At first I thought well these accounts are probably not very sensitive but then I started reading some of the emails and some of these were really sensitive actually. I just stood there for like two months before I knew what to do with it. I did try to contact a few but didn't really get any response, but you never do when you do contact people. I was trying to figure out what I was going to do with it. My legal actions on it and I just ended up with 'oh screw it, I am just going to put it online and see what happens'.
PG: Was it a case of you being put in an untenable position because if you had handed over that information to the Swedish authorities you would have really been engaged in assisting them with their espionage?
DE: Exactly. It was impossible to give to the Swedish authorities because it really would be espionage. Even if they wouldn't use it, it was putting Sweden in a bad situation as well because if the Swedish Government or Swedish Security Police would call some other country telling them we got access to your emails, that is not going to sound very good. I didn't want to put anyone in that kind of trouble so I thought I was just going to take the hit myself.
PG: What would you say to people who criticised you for putting those logins and passwords for sensitive email accounts onto the internet for anyone to use?
DE: Yeah I can understand their point of view. I had the same one and I did think through it very, very carefully for quite some time however most of this criticism came before I told them what I did. Most people thought I hacked something and I broke in somewhere and it was some kind of new exploit and I should have contacted the vendor. The problem there is there is no vendor. The people who are behind Tor, they are posting this information publicly saying don't do this, this is dangerous and it is in the documentation and so on and so on. When that came out that I actually just used something that is very well known people stopped criticising and changed their mind pretty much. Most people at least.
PG: Why do you think it is that embassies were using this system in an insecure way?
DE: That's the whole point of the story which has been forgotten. I haven't said much about it but many of these accounts have already been compromised. The logins I caught were actually not legit users but actual hackers (who) had been reading these accounts several times. Some were using Tor and some were not. I know for example in India many of these accounts have been compromised, so they were actually compromised passwords I caught and many of the accounts were using Tor even if they shouldn't be using it. They were breaking their own rules.
PG: So you say these were compromised accounts. How did you know they were compromised accounts?
DE: I know that now. That was pretty much my feeling that they would be, a lot of them at least, and I have been getting some information later on after I published it that said 'OK, it was actually pretty good you did that because we noticed that we had a break-in a long time ago'. The hacker was just using Tor to access it.
PG: Do you think that intelligence services around the world have been setting up Tor nodes to conduct signals intelligence to intercept data?
DE: I don't know and I don't like to speculate about it. But I am telling people that it is possible and if you actually look into where these Tor nodes are hosted and how big they are, some of these nodes cost like thousands of dollars each month just to host because they are using lots of bandwidth, heavy duty servers and so on. Who would pay for this and be anonymous? For example there are five or six in Washington DC which are really, really major servers hosting around forty to fifty terabytes each.
PG: There is some money going into that you think?
DE: You don't need to be paranoid but still you need to know what you are doing.
PG: What do you think about the Tor network in general? Do you think it is a useful thing?
DE: Yes it very much is. It is a good thing and I have really good contact with the Tor developers however it is not a security tool it is a privacy tool. The problem is that if you actually analyse the traffic, most of the traffic is just porn.
PG: That is the internet in general though, isn't it?
DE: True. But why do you need to hide yourself if you are looking at porn? I don't get it!
PG: Human rights activists and people who need to conceal their identities, like journalists operating in oppressive regimes, use Tor. Do you think it has an important role to play in human rights and in spreading information without the risk of oppressive regimes finding out people are looking at subversive material?
DE: Yes. Information needs to be free and you need to get your word out and have non-objective information out there. Tor is an excellent tool for doing that but you still need to encrypt it because if you don't, maybe they can't see who you are, but they can still see that you are sending this information and can read your emails or your articles or whatever you are doing. And of course your passwords if you are logging into it as well. People think they are protected just because they use Tor. Not only do they think it is encrypted but they also think nobody can find me. However if you configured your computer wrong, which probably more than fifty percent of the people using Tor have, you can still find the person behind the other side.
PG: How do you do that?
DE: If you use JavaScript and cookies and so on, you can still find out what their real IP actually is, it is not that hard. If you haven't configured your computer or your browser correctly you could still be traced.
PG: I interviewed the people who maintain Tor and they said that they actually published guidelines on their websites and if people follow these guidelines they are OK. Do you think that is the case or do you think the problem is that people generally don't follow guidelines?
DE: People don't read rules or manuals ever. On the Tor website it says pretty big and in several places that Tor is not encrypting your traffic, it is just hiding who you are. But still people are 'woah, it is hiding who I am, well then it is probably a security thing'. The Tor team is great. They have done some great work and it works great for its purpose. If you don't follow the rules, well, nothing is going to protect you if you don't follow the rules. It is like if you have the best firewall in the world but you are not locking the door, people can just walk in and take the computer. You need to cover all aspects of it.
PG: I believe when you notified embassies the only one you got a response from was Iran.
DE: Yes exactly. The Swedish embassy called me first and talked to me for a moment and I don't know who I was talking to but they hooked me up with someone in Iran who was in charge of security and they wanted to know everything I knew and so on.
PG: And you thought they were quite responsive?
DE: That was the only response I got! Except for a couple of calls from the Swedish Security Police that was pretty much all the response I got from any authority.
PG: And you haven't had any blowback from this have you?
[EDITOR'S NOTE: Since this interview Egerstad's apartment was raided and he was taken in for questioning. No charges have been laid yet.]
DE: No. I know that I have been reported to police in Hong Kong for some reason but they reported me for breaking in which I haven't done so it's kind of funny. If they can prove me breaking in anywhere, fine. That would be awesome if they could prove that.
PG: So you are not worried about applying for visas for countries now?
DE: Actually a couple of weeks ago I went to the US and right before I went the Swedish Security Police called me up and said you probably shouldn't go to the US because the laws there are a little bit different so we can't guarantee your safety. But I still went and no problem at all. I deleted everything I had because the information I had belonged to so many different countries that no single person should have it. I deleted it and the hard drives are long gone.
This is a transcript of an interview that originally ran in ITRadio.com.au's Risky Business security podcast.