The Tor Project on Thursday urged common sense after learning that hundreds of its gateways had been labeled by the U.S. government as “suspicious” in a recent report concerning malicious cyber activity attributed to the Russian government.
As part of a report on election security compromises, the U.S. Department of Homeland Security (DHS) published a list of computer IP addresses supposedly used by the Russian-affiliated hackers implicated by the U.S. intelligence community in the cyberattacks last summer on the Democratic National Committee (DNC) and John Podesta, Hillary Clinton’s campaign chairman.
The list accompanied a joint statement—released by DHS in conjunction with the Office of the Director of National Intelligence (ODNI)—which called the release of allegedly hacked Democratic emails, “consistent with the methods and motivations of Russian-directed efforts.” The disclosures, said the statement, were “intended to interfere with the U.S. election process.”
As the Intercept first reported on Wednesday, nearly half of the 876 “suspicious” IP addresses identified by DHS (roughly 42 percent) are currently Tor exit nodes or have been Tor exit nodes in the past few years. Up to 367 IP addresses listed alongside the government report on Russian malicious cyber activity may have been used, or may be presently in use, by thousands of internet users who have no ties to Moscow, the DNC hack, or any kind of malicious cyber activity.
Tor is a powerful anonymity tool used around the world by a wide range of people, including human rights activists, journalists, and everyday users—including some criminals—in order to conceal their identities and physical locations. The software, partially funded by the U.S. government, is also used by dissidents in countries, such as China and Turkey, that impose online censorship and crack down on internet activity.
To achieve anonymity, traffic over the Tor network is first encrypted before being bounced through a network of servers (“nodes”) in various countries in a process known as “onion routing.” Exit nodes are the final gateways where encrypted Tor traffic meets the internet.
The Tor network is maintained by a U.S.-based non-profit called the Tor Project.
The Tor nodes on the U.S. government’s list were first revealed by Micah Lee, an Intercept reporter and Tor network volunteer, who maintains a few of the more than 7,000 exit nodes in countries around the world. The discovery came after Lee checked the internet traffic of his own blog against the list provided by the government and found “over 80,000 web requests” from so-called “suspicious” IPs.
“I have a lot of regular readers who are Tor users,” wrote Lee, “and I’m pretty sure they’re not all Russian hackers.”
While asserting that it was plausible (and perhaps even likely) that the Russian government was behind the DNC and Podesta hacks, Lee was critical of the government’s report for failing to adequately prove the claim.
“If Vladimir Putin, the Russian leader, is truly responsible for manipulating the U.S. election, and if the Obama administration wishes to prove its case,” Lee wrote, “it needs to publish actual smoking-gun proof, such as intercepted emails or phone calls from within the Kremlin, or more complete technical details that connect dots directly to the Russian government, rather than to a Tor node that thousands of people use.”
In an interview with the Daily Dot on Thursday, Shari Steele, the executive director of the Tor Project, echoed Lee’s remarks, calling the listing of Tor exit nodes “not the most responsible way” to aid system administrators wary of Russian hackers.
“Obviously the government is trying to be somewhat helpful and act like they’re being somewhat helpful,” Steele said. “But clearly the evidence they have that these are Russian hackers isn’t what they released.” Steele said she presumes the government has other evidence implicating Russian hackers, but what the FBI and DHS released on Dec. 29 falls short of describing what malicious activity actually looks like.
In its report entitled “Grizzly Steppe”—the government’s designation for the Russian malicious cyber activity—DHS recommends that system administrators add the IPs to a watchlist “to determine whether malicious activity has been observed within their organizations.” It also notes that while some traffic may correspond to malicious activity, other traffic “may correspond to legitimate activity.”
“Basically, what they’re saying is, ‘Here’s the list of Tor exit nodes, check and see whether or not there’s malicious activity,’” Steele said. “It’s the ‘malicious activity’ part that is the important part of it, and on that, they are very vague.”
“They don’t describe who would be doing it, what Russian hackers look like, how they identified that these are Russian hackers versus some other users of the exit nodes,” added Steele, who said she is hopeful that administrators will not jump to conclusions and move to block traffic arriving from Tor.
That would be an overreaction, concluded Steele, noting that “even the government report doesn’t suggest that you’re supposed to blacklist the exit nodes.”
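An added example, not code from the article, DHS, or the Tor Project, of the watchlist check DHS describes with the Tor caveat Steele raises built in: it measures how much of an indicator list overlaps a Tor exit snapshot and tags each watchlist hit in access-log lines so that a match on a shared exit node is not read as attribution. All IP addresses, log lines and function names are constructed assumptions, not values from the real report.

```python
import ipaddress
from collections import Counter
# Constructed sample data, not the real DHS list: "suspicious" indicator IPs
# and a snapshot of known Tor exit IPs (documentation ranges only).
INDICATOR_IPS = {
    "198.51.100.7", "198.51.100.22", "203.0.113.5", "203.0.113.9",
    "192.0.2.44", "192.0.2.88", "198.51.100.200",
}
TOR_EXIT_IPS = {"198.51.100.7", "203.0.113.5", "192.0.2.44", "192.0.2.99"}
# Constructed access-log lines: source IP, method, path, status.
ACCESS_LOG = """\
198.51.100.7 GET /blog/post-1 200
203.0.113.5 GET /blog/post-2 200
192.0.2.88 POST /wp-login.php 401
192.0.2.88 POST /wp-login.php 401
198.51.100.200 GET /admin/config.php 404
10.0.0.15 GET /blog/post-1 200
not-an-ip GET / 200
"""

def overlap_ratio(indicators, tor_exits):
    """Share of the indicator list that is also a Tor exit node."""
    return len(indicators & tor_exits) / len(indicators)

def classify(ip, indicators, tor_exits):
    """Label a watchlist hit so shared Tor infrastructure is not read as attribution."""
    if ip not in indicators:
        return "not-listed"
    if ip in tor_exits:
        return "tor-exit"   # shared by many unrelated users; weak evidence alone
    return "indicator"      # listed and not a Tor exit; warrants a closer look

def enrich_hits(log_text, indicators, tor_exits):
    """Parse log lines, skip malformed source IPs, and tag each with a category."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address; not a usable hit
        hits.append({"ip": ip, "path": parts[2], "status": parts[3],
                     "category": classify(ip, indicators, tor_exits)})
    return hits

def summarize(hits):
    """Count hits per category; only the non-Tor indicator hits escalate."""
    return dict(Counter(h["category"] for h in hits))
```

With the constructed data, three of the seven indicators (about 43 percent) are Tor exits, and the two hits on them are ordinary blog reads, while the repeated login failures and the probe for an admin page come from listed IPs that are not Tor exits.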
The Office of the Director of National Intelligence declined to comment for this story. The Department of Homeland Security did not respond to multiple inquiries.
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.