
EXCUSE ME, I THINK YOUR DARK WEB IS LEAKING!

BSides Vancouver, 54:28, published 2017-05
About this talk
Sarah Lewis, March 13, Track 1, 13:00 to 14:00

The Dark Web has developed an ominous reputation within the security landscape. Misunderstood by both experts and outsiders, it is described as “anonymous”, “impenetrable” and “a safe place for criminals”. This talk will present the results of new research and demonstrate how the Dark Web fails to live up to its own hype & speculation. In addition, this talk will explore techniques that can be used to unmask hidden services and how small, innocuous information leaks can have devastating consequences for darknet operators. Finally, this talk will present a vision for the future of the dark web, a look at how today’s technologies will mold this corner of the internet and how law enforcement are unequipped to tackle the consequences.
Transcript

and privacy researcher. I do lots of independent stuff, lots of research into very weird things. I also run a publishing company called Mascherari Press, which is aimed at promoting and making privacy technology tools more useful to marginalized communities. Prior to all of this, I was a security engineer at Amazon, doing a bunch of stuff with fraud, machine learning, and security. And way before that, in another life, I was a computer scientist at GCHQ in the UK. For those who don't know, that's the British equivalent of the NSA. And so here's what I'm going to talk to you about today, which is basically my last year, kind of April 2016 to now. I started off last February looking into the dark web, looking into the security and communities that exist there. And I did this for one reason. I had a hypothesis, and that was that people on the dark web are likely to have threat models that require them to do more than the above-average level of security. It requires them to be paranoid. And I assumed, and we'll see that I assumed wrong, that they would take more precautions. And perhaps we could find some interesting security strategies that we could apply to regular folk, everyday folk, those who perhaps do not have the adversarial threat model that dark market drug lords do. And kind of this creative, I'm going to come back to some of the headlines here. But pretty much everyone, my projects have been behind.

And so kind of some basic things to start off with for those who aren't familiar with the dark web or hidden services or Tor or I2P. I'm not going to tell you how Tor works or how hidden services work or go into the cryptography, because that's boring and those slides are like everywhere. So to start with, dark web: that's just websites over anonymity networks and the kind of communications that go on between them. Hidden services are just services that have a special property where they are being proxied over an anonymity network that hides their IP address or their location. Likewise, clients who connect to hidden services over anonymity networks also have their IP address hidden. So both sides of the connection do not know who the other side is.

And finally, there is nothing special about hidden services that prevents you from telling the world who you are. I run a bunch of hidden services, mostly so that people can access my content anonymously. But there is, you know, my name is plastered over them, my email address is plastered over them, my face is plastered over them. It is not a secret who owns these hidden services. And that's kind of the fundamental takeaway from this talk, that anonymity systems only really protect the network level. They don't protect you from the software level or the content level. And the internet, as we have built it today, is built on the assumption that the servers and the software are built on the assumptions that IP addresses and identities on the internet aren't private. And because of that assumption, a lot of things break. So the OnionScan project. Basically, a year ago, I started writing reports about the dark web, various security properties, kind of reporting what I had found. And the goal behind these was to understand anonymity networks and their participants and their kind of security properties and kind of what mistakes were people making constantly. Were there groups of mistakes that always came up?

Were there, are there ways to draw networks between these communities? Is there a way to map the dark web? And it turns out there is. I'm not sure how well you can see this slide, but there are a bunch of networks. And the dark web is not that dark. We are able to make connections through exploiting vulnerabilities in servers, correlating content across hundreds and thousands of hidden services. And so the different colors on this map are different types of connections that we've been able to make between particular hidden services. Sometimes it's just as simple as this site links to this site, and it turns out that if you are always linking to your own content, that is a pretty good indicator of some kind of connection.

So we see a lot of tight loops where everyone's linking to everyone else. Shared Bitcoin addresses are another one that comes up a lot. And I'm going to go through each of these connections and correlations and kind of explore how vulnerable they make people. And kind of to kick us off, I'm going to talk about a story of Mr. Adapted. Mr. Adapted is a French application developer. He has a small business company somewhere, a small town in France. He has a couple of iPhone apps. They're not very successful. And he likes hiking and walking, and he was woodworking too. And I know all of this because I found him, because I saw that he was selling MDMA on the dark web as a side business. And the reason that I was able to extrapolate his identity from his very plain website, where it just had a few drug listings and a payment gateway, was that he was hosting his server on Apache. And Apache has this lovely thing called mod_status, which is enabled by default in a lot of installs. And basically, if you connect to the Apache server on a localhost connection and go to /server-status, it will give you a lot of information about the site. And in this case, it gave us his app. He was hosting his application development business on the same server he was hosting his dark market drug business. I recommend you don't do that. And so yeah, I mean, this did not just have his app development business. It had links to his personal site. He had a few of his client websites also hosted on the server. And of course, he had a nice big picture of his face on the server, and his name, and his address, and his business number. I have no idea how this guy is still around.

These localhost bypasses are ridiculously common on the dark web. And the last count we did, which was back in February, we found that 10% of all hidden services that we checked exposed mod_status. And this can be, I mean, if you're exposing mod_status, you're pretty much critical. And that works out to about 20% of Apache servers on the dark web leaking this information. It's not just server IP. If you're also hosting clearnet sites, you're going to find that you get clearnet IPs there, as well as information on co-hosted services. We see a lot of people who host multiple dark websites on the same service. And we are able to look at Apache mod_status and say, oh, these sites are all run by the same person. And that gives us a good idea of a way to build these connections up. And we've been able to build very large connections just by exploiting mod_status links.

And if we make the assumption that it's very unlikely that the same pattern doesn't persist through to sites where we can't see mod_status, it gives us this idea that the dark web isn't actually as big as we think it is. Even though you might see 20 drug sites, all those sites might be run by the same operation. And we often see that, and I'll come on to a few more of those later on. If you're particularly bad at writing applications, what you'll find is that if you have a mod_status leak, you also have a lot of other security issues too. I found API keys, passwords, search terms. Recently, there is a cryptocurrency mining operation that also has a hidden service way of accessing their site. And they expose mod_status. And through that, you could access each miner's individual account, see how much they'd mined. There was no way in this particular site to change their addresses or to get money from it, but it was still a pretty critical issue, linking their IP addresses, how much they'd mined. That's a lot of information that you perhaps don't want to give away. Another example. I found a home energy monitor linked up to the dark web, also being exposed, also exposing mod_status, happening to expose its JSON API key. So I could see how much energy the house was using, where they were using it. And just all around, putting your house on the dark web is not a good idea, unless you do it behind authentication. Probably another one of my favorite mod_status leaks was a privacy-preserving search engine, which promised that it didn't store your searches, or mixed all your search terms with Google so Google wouldn't track you. Problem was that they also exposed mod_status, and you could see client IP addresses and the terms that they were searching for. And you just refreshed, and you had a complete list of what everyone was searching for. There was no privacy. And this basically leads to complete de-anonymization of the site, the clients, pretty much everything. And it's one of the biggest problems that we see. It was a big problem last year when I was talking about it in Calgary, and it's still a huge problem.

Co-hosting leaks. This is probably my favorite new thing.

Every web server imaginable supports virtual hosting, that is, supporting more than one website on the same server. And this isn't a problem on the clearnet because you expect multiple websites to live on the same server. This is a problem on the darknet. And so what we did was we sent two requests to a site, one with Host: the onion address, and one with Host: localhost. And we compared the responses. And in 25% of cases, we got different responses back. Either we got an error message, or we got a completely different site, or we got the clearnet version of the site, or we got something that was a bit weird.

Turns out this is an amazing way to track co-hosting, not only on the dark web, but also doing it the other way, sending onion addresses to IP addresses and seeing if they respond.

This is a ridiculous problem because the way that most web hosts, most web servers, are set up, there is no way to really correct this by default. It will happily just listen to all the sites, and if it finds one in its virtual host, it will throw it back. You have to go through special configuration to do this properly. And a lot of websites, I mean, like 25%, it's not that high anymore, and I'll come on to why in a little bit. It's certainly exposing a lot of content.
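The mod_status check and the Host-header comparison described above, as an added self-audit example; this is not OnionScan's code and not from the talk. It assumes it runs on the hidden service host itself, against the local web port that Tor forwards onion traffic to (so requests arrive exactly as they would from a Tor visitor); the onion name is a constructed placeholder, and the two mock servers (one misconfigured, one hardened) are constructed so the script runs offline.

```python
"""Self-audit of a hidden service's web server for two leaks: an Apache
mod_status page answerable over the onion, and a Host-header differential
that betrays co-hosted sites.  Added example, not OnionScan's own code.
Assumes it runs on the server itself against the local port that Tor
forwards hidden-service traffic to; the onion hostname is a placeholder."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def fetch(host, port, path, host_header, timeout=5):
    """Return (status, body) for one GET sent with an explicit Host header."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def audit(host, port, onion_host):
    """Return findings for the web server at host:port."""
    findings = {}
    # Hidden-service requests reach Apache from 127.0.0.1, so the stock
    # 'Require local' rule on /server-status lets every Tor visitor read it.
    status, body = fetch(host, port, "/server-status", "localhost")
    findings["mod_status_exposed"] = status == 200 and b"Server Status" in body
    # If only one site lives on this server, the Host header must not change
    # the answer; a different page or an error means virtual hosts are leaking.
    onion_resp = fetch(host, port, "/", onion_host)
    local_resp = fetch(host, port, "/", "localhost")
    findings["host_header_differential"] = onion_resp != local_resp
    return findings


class _QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class MisconfiguredHandler(_QuietHandler):
    """Constructed stand-in for the bad case: status page reachable and a
    clearnet business site served from the same server."""
    def do_GET(self):
        host = self.headers.get("Host", "")
        if self.path == "/server-status":
            self.reply(200, b"<h1>Apache Server Status for localhost</h1>")
        elif host.endswith(".onion"):
            self.reply(200, b"<h1>hidden service</h1>")
        else:
            self.reply(200, b"<h1>example clearnet business site</h1>")


class HardenedHandler(_QuietHandler):
    """Single-purpose server: no status page, and the Host header changes
    nothing because nothing else is hosted here."""
    def do_GET(self):
        if self.path == "/server-status":
            self.reply(404, b"not found")
        else:
            self.reply(200, b"<h1>hidden service</h1>")


def start_mock_server(handler_cls):
    """Bind a mock server to an ephemeral localhost port and serve it in the background."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stop_mock_server(srv):
    srv.shutdown()
    srv.server_close()


if __name__ == "__main__":
    for cls in (MisconfiguredHandler, HardenedHandler):
        srv = start_mock_server(cls)
        print(cls.__name__, audit("127.0.0.1", srv.server_address[1],
                                  "exampleonionplaceholder.onion"))
        stop_mock_server(srv)
```

Against a real deployment, point audit() at the address and port in the HiddenServicePort line of your torrc rather than at a mock server.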

Software fingerprinting is another amazing example.

Application developers love stamping their software with its version and its name and everything. And this isn't a problem, except on the dark web. So we find SSH public keys; we're able to link servers that are hosted on the same hosting server through SSH keys; we're able to find public servers by looking up their SSH keys in Shodan. I'll show you an example of that in a second. FTP and SMTP software banners, as well as OpenSSH software banners, if these are unique enough, these can be enough to fingerprint a server. And if you can fingerprint a server, you can generally either find other servers that are hosted on the same platform and kind of build that network, or in some cases, you can completely de-anonymize it.

And another one, which is probably my favorite example of de-anonymization: web services in the Server header often return much more information than they need to. This includes things like PHP version, Python version, MySQL version, Perl version, blah, blah, blah, blah, blah. And we found a particular set of servers that had a very, very unique set of configurations. No idea how they got this complete set of configurations, but they did. And we were able to plug that into Shodan and find two IP addresses in the whole world that also shared this unique configuration. Now, that's not a bulletproof conviction, but it is a very big coincidence. Those kinds of software configurations, people using the same setup over and over again, the same deployment scripts, the same downloaded software versions, are particularly common and pervasive on the dark web.

And so this is a screenshot, a bit small to see, but we plug in all the kinds of software banners that we identify, we plug them into Shodan and other tools to see if other people have seen them across the internet. And we often find hundreds of sites that have similar software banners or SSH fingerprints. And kind of it goes from, if you share the same SSH fingerprints, then it's a pretty solid conviction that they are the same service. If you find shared FTP banners, it's a little more tricky. You need some more evidence to kind of build that up.

Everyone's favorite currency, Bitcoin. This was my first attempt at mapping Bitcoin on the dark web. And as you can see, it's just a big orange blob. Because it turns out that a lot of people reuse Bitcoin addresses. And a lot of sites carry the same Bitcoin address. And a lot of sites duplicate themselves. You find the same Bitcoin address across hundreds of different sites. And so, what we do with Bitcoin is find the address, and then we kind of look to see if we've seen it anywhere else, and we look to see if we've seen it in different contexts. So what we often find is with smaller marketplaces, kind of site selling, you'll find a few sites selling like bespoke cannabis or Amazon gift cards or PayPal accounts or something like that. And if you kind of go through the checkout flow of these systems, eventually you'll get to a Bitcoin address. It'll say, pay this Bitcoin address. But if you do that for every possible permutation of the site, you only end up with a handful of Bitcoin addresses.

They don't actually cycle their Bitcoin addresses. If you want to stay anonymous while using Bitcoin, you need to be using a new address for every single transaction. And we find that a lot of sites do not do that, especially sites that look like they've kind of, they're not aligned to the big marketplaces. And so we're able to also not only identify that reuse, but also identify them across. So we've seen sites selling Amazon gift cards and cannabis and PayPal accounts and all these kind of things, all eventually linking back to the same Bitcoin wallets. So they're all run by the same operation. And this kind of is another issue with counting dark websites. It's very hard to say, you know, the dark web is 50% crime or whatever figure you've seen. Because if these 10 different sites selling 10 different things are all linking back to the same Bitcoin wallet, is that 10 different criminal enterprises or is that one criminal enterprise that happens to do diversifying new things? And we see that a lot repeated over and over again with scam sites, with forums, with pretty much everything.

And with Google Analytics IDs. There was a paper a while back called Caronte which looked at various identifiers, kind of the stuff that I've been talking about, and linking sites using them. We went back in August last year and kind of redid that experiment. And we found, I have no idea whose threat model is, I want to be anonymous on the dark web, but I want to use Google Analytics to track my views. But they're out there, hundreds of different sites using hundreds of different Google Analytics IDs. But what was interesting was we found a few hundred casino sites. And they all, from the outset, looked rather different. One specialized in poker, another one in blackjack, a third one in whatever other gambling sites there are. But they all shared the same Google Analytics ID. And digging down further into the site, we were able to identify patterns in the way the source code was laid out and in the way that the site structure and kind of the news that was being, they had a little news sidebar. And so the news that occasionally repeated across sites. And so we were able to basically link these hundred different gambling operations, some of which are on the clear web, some of which are just solely dark web, all down to the same group of companies. And it turned out that that accounted for 95% of all the gambling sites on the dark web, minus a few kind of Bitcoin Satoshi Dice type things. And so this whole, I want a statistic that shows that the dark web is 10% gambling, and that's completely false in many different ways.

This will be a fun one. It takes a while to load. HTTPS. We mapped all of the TLS connections on the dark web. So as well as connecting to port 80, we connect to a bunch of other ports. One of them is 443. And what we quickly found was that if you connect to port 443 on a dark website, you are very likely going to get an HTTPS certificate for a clear website. This is another case of server misconfigurations, people leaking, co-hosting, and that kind of stuff. The big white blob right in the kind of top right, those are all the sites using Let's Encrypt for their certificates linking to clearnet sites. We can do some rather nice stuff with HTTPS, whether it's self-signed certs or legitimate certs but the domains don't match. We can look at the parameters that they're using to generate the SSH certificate, the TLS certificate, as well as kind of what they're putting in there. What are they putting in as the issuing authority? Is it localhost? Is it localhost.localdomain? Is it something completely unique? And we can use that to start linking these sites together too. It's another level of linking. We were able to identify a bunch of different services that were all using a very unique TLS certificate format, kind of the way they were populating country and organization name and stuff. They were all very similar to each other. Not identical, but they had very similar structures and properties. And it turns out that we were later verified on that when they all went down at the same time.

There are only, last I checked, nine legitimate HTTPS dark websites. These are things like Facebook's dark website, a few human rights organizations, a few Bitcoin sites, but they're really not that common. And this one sounds really silly, but it's a really big problem. Document metadata and open directories. So, EXIF metadata used to be really, really bad on the dark web. Most dark web drug marketplaces did not sanitize user content when they uploaded it. So you would get people taking pictures of their cocaine, and they'd upload it. And the picture would have their name and their GPS coordinates and all kinds. So you could track this cocaine down to a living room in Boston. It was really bad. And there's still a bunch of dark market dumps from back then. And you can download them and play with them and see how much data you can extract. It's ridiculous.

I was going to say, it's not as bad as it was anymore. We usually, when we do really deep scans looking at sites, we usually don't pick up more than 2% to 7% of sites that have EXIF metadata in images. And it's usually just confined to software versions, camera models, occasionally kind of photography names, but not that often.
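The upload-side sanitization the marketplaces above skipped, as an added example that is not from the talk or from OnionScan: a standard-library walker over JPEG marker segments that drops the APP1 (Exif/XMP) and other metadata segments and the COM comment before an image is published. The sample file it builds is constructed (JPEG-shaped bytes, not a decodable picture) so the code runs offline.

```python
"""Strip identifying metadata from a JPEG before it is published.
Added example, not code from the talk or from OnionScan: walks the JPEG
marker segments and drops APPn metadata (Exif, XMP, ICC ...) and COM
comments, keeping only what a decoder needs.  Sample input is constructed."""
import struct

# APP0 (JFIF) and APP14 (Adobe colour transform) are kept because decoders
# rely on them; every other APPn segment is metadata and is dropped.
KEEP_APP = {0xE0, 0xEE}


def iter_segments(data):
    """Yield (marker, payload) for each marker segment up to SOS or EOI.

    payload is None for standalone markers (RSTn, TEM).  For SOS the payload
    is everything after the marker (length, header, entropy-coded scan data
    and the trailing EOI), which the caller copies verbatim.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {i}")
        while i < n and data[i] == 0xFF:  # skip fill bytes
            i += 1
        if i >= n:
            raise ValueError("truncated marker")
        marker = data[i]
        i += 1
        if marker == 0xD9:  # EOI before any scan data
            yield marker, b""
            return
        if marker == 0xDA:  # SOS: scan data follows until EOI
            yield marker, data[i:]
            return
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn, TEM
            yield marker, None
            continue
        if i + 2 > n:
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", data[i:i + 2])[0]
        if length < 2 or i + length > n:
            raise ValueError(f"bad segment length {length} at offset {i}")
        yield marker, data[i + 2:i + length]
        i += length
    raise ValueError("file ended before SOS/EOI")


def strip_jpeg_metadata(data):
    """Return a copy of the JPEG with metadata segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(data):
        if marker == 0xD9:
            out += b"\xff\xd9"
        elif marker == 0xDA:
            out += b"\xff\xda" + payload
        elif payload is None:
            out += bytes([0xFF, marker])
        elif (0xE0 <= marker <= 0xEF and marker not in KEEP_APP) or marker == 0xFE:
            continue  # Exif / XMP / ICC / comment: drop it
        else:
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


def app1_identifiers(data):
    """List the identifier strings of APP1 segments, e.g. b'Exif'."""
    return [payload.split(b"\x00", 1)[0]
            for marker, payload in iter_segments(data)
            if marker == 0xE1 and payload]


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg():
    """Constructed JPEG-shaped bytes (not a decodable image) carrying a JFIF
    APP0, a minimal Exif APP1, a software comment and a tiny scan."""
    jfif = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = _segment(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")
    comment = _segment(0xFE, b"Made with ExampleCam 1.0")
    dqt = _segment(0xDB, bytes(65))
    sos = _segment(0xDA, bytes(6)) + b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + jfif + exif + comment + dqt + sos + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    cleaned = strip_jpeg_metadata(sample)
    print("before:", app1_identifiers(sample), len(sample), "bytes")
    print("after: ", app1_identifiers(cleaned), len(cleaned), "bytes")
```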

What's more common these days is open directories. And this is because of Apache. And if you're seeing a trend here, it's that you should not host your illegal dark web operation on Apache. And this is because most default installations of Apache leave your directories open by default. And so it's very easy for us to scan those directories, find weird files. But we also look at some common files here, like backup.zip, backup.tar.gz. And you'd be amazed how many admins just leave those things lying around. And people are not... people are predictable about file names. So yeah, in kind of this directory, I found someone dumped their entire Trello archive to just an open directory, containing their homework and assignments and all kinds of weird stuff. I think they were also the same person that had their energy monitor on the dark web. We found a bunch of open directories containing source code for other sites, MySQL dumps. And we also found a site that contained nothing but an open directory. And in each open directory, there was a link to another hidden service. And we realized later on that all these hidden services were actually hosted on the same server. And this was just a kind of admin page that people could log onto, and the admins would log onto and quickly check sites. But that had a backup directory, which contained a lot of stuff that you do not want lying around in the clear.

So I'm going back to the headlines now. So we released a tool called OnionScan, which kind of encapsulates all of these tests. And you can give it an onion address, and you can set it off. And that was back in April. And you can see some of the headlines there, you know, tool to make sure your dark website still works or is anonymous. And then we kind of did a few mapping projects. And you can kind of read about those in various papers, kind of, you know, dark web maps show what the dark web looks like. And then you'll see a few other headlines there. Kind of right at the bottom, cyber attack hits dark websites. The dark web is disappearing.

And all of these headlines came about in the last few months. And I'll tell you a nice story. I was over in Waterloo giving a lecture there.

And the day after my talk, I was still hanging around. I was going to hang out with one of my friends. And she came to meet me in the hotel, at which point Freedom Hosting 2 was reportedly hacked. And someone asked me to go look into it. Freedom Hosting 2, I wrote an article about it way back in October.

It was the largest dark web hosting site. It was responsible for hosting at least 2,000 actual hidden services with content, and probably much more. Based on our numbers and other numbers, we think it hosted somewhere between 20% and 35% of the dark web. Back in October, we thought it was about 20%. And it was always pretty unstable. It went down a lot, and we could see it in our monthly scans. We'd see a lot of these sites all connected, and then suddenly they'd all disappear, and they'd all come back. And so yeah, I got this message, and I jumped onto OnionScan, and we searched the sites and found out, yup, they had indeed been hacked and taken down.

But then it became apparent about how much of a big thing this was. I spent the day not hanging out with my friend, but Wi-Fi hopping different places, trying to talk to journalists about the extent of this while she kind of drank coffee and scowled at me.

So yeah, this is probably the biggest risk to hidden services in 2017: that your hosting provider gets hacked. It happened February 3rd; there's a lot of press about it. You might have read some headlines this week about 85% of the dark web missing. Those are based on my research; those headlines are wrong. So what we found was the hackers, after they'd taken all these sites down, dumped a bunch of database files, including all the private keys to all of the onion domains, making them useless to host in the future, and all of the databases associated with all of these sites. And it's taken a long time to kind of go through them and understand what exactly was in there.

And it turns out that there was a very long tail of sites that just had nothing there. And then there was a middle tail of sites that had small blogs, small forums, people messing around with anonymity tools, a few people with political situations kind of espousing their views. And the main incentive for the hacker, why they said they did it, was that they found child exploitation material, child sexual exploitation material, on the servers. The databases didn't contain any of that, but they did contain the databases to three large-scale child exploitation forums with people discussing this material, commenting about it, and exchanging links for where to find it. It takes a strong stomach to even look at that stuff for a tiny period of time. And so with that, a very large portion of the dark web disappeared. As I said, somewhere between 25 and 35%. It's really hard to count dark websites because there's a lot of duplication and they're not exactly the most available things in the world. So when we did our scan back at the end of last month, we found that out of the 30,000 servers that we checked and had previously seen some sort of content on, not all of them had been up for a while. Generally, every time we check, we generally got between 11 and, well, somewhere between 6,000 and 11,000. And we found that we could not hit any more than 4,500, 5,000 services. So, I mean, this is coming up to half, but if you account for a lot of sites moving along, a lot of sites popping up and going down, as well as previously established figures, as I said, it's probably about 35% of the dark web that's gone, poof. And it's probably not coming back. It's not a replacement for Freedom Hosting anymore, unless someone's really stupid enough to launch Freedom Hosting 3. The original Freedom Hosting, by the way, got raided by the FBI and taken down back in 2011. I'll go with that.

As I said, yeah, the OnionScan tool. You can go to onionscan.org and download it. Give it a list of onion services, and it will happily go through and tell you all the different links between them. The reason it does that, and the reason that I originally wrote OnionScan, was I wanted to prove that these attacks are not impossible. They're not hard to do. You do not need to be a nation state to de-anonymize the dark web, as a lot of media has speculated in the past. You can get a $20 box from DigitalOcean, load up OnionScan, give it a list of onions that you find online, and you will pretty soon have a bunch of IP addresses and people's names and email addresses and API keys and passwords. It's ridiculous. And we have a nice web interface as of version 0.2. We are still doing development. It's going a bit slower now because I'm moving on to something else that I'll tell you about in a little bit. But I'd encourage you to go play with this. I want to create an adversarial environment in this field because a lot of people still don't take their security seriously. And a lot of people assume that if you are on Tor, then you are safe. Or if you're on an anonymizing network, you are safe. And that's just not true. And in order to make these technologies available to people who need them for what I would classify as legitimate reasons, we need to make this whole domain better. Which kind of brings me on to how do we build better hidden services?

My thinking, my opinion right now, is that we need to move away from websites. The whole client-server model was developed for the clear web internet; all of the web servers that we use have really no concept of privacy of information, of anonymity. They will happily host anything. They will happily report their IP addresses and error messages. And you have to go through increasingly ridiculous lengths to get a base install that is safe. And no one is going to read a four-page onion setup guide and follow it completely and set it up. It just doesn't happen, as we've kind of seen. There are movements in this direction now in terms of peer-to-peer applications on the dark web. So we have things like OnionShare for file sharing and Ricochet for instant messaging. And these essentially are tools that stand by themselves. They run up a hidden service. And then you can connect to it using your own client or using a web browser. And it will do the job. And then it will close down the hidden service. And this kind of model is much more easy to secure.

It's much easier to anonymize a small service that has a small footprint and a small protocol that just does one thing, rather than a generic web service where even if you get your Apache installed completely amazing and the underlying service completely amazing, you can install WordPress on top that has a bug and you're all gone again, right?

to solve with bringing generalized anonymous publishing to a lot of people. And these are kind of highlighted in some of the things I'm talking about. There's a reason why 2,000 plus people were using Freedom Hosting to host their blogs and small sites, and that's because hosting a hidden service is really hard. Hosting a website requires special skills. Hosting a hidden service is even more tricky.

So there are a lot of questions like, how do we make this easy for people to publish anonymously? Where do they host it? How do we build applications such that people can host them without putting themselves at risk? Can we provide technical assistance? Can we detect when people are reusing Bitcoin addresses? Can we detect when people are publishing clearnet emails or have done something on their service which looks weird? Do we have to go all the way up to actively looking for leaks, like running a local OnionScan and constantly scanning the website looking for new leaks? Do we need to be adaptive for that? Do we even need to go as far as stylometry to kind of help people write in a way that isn't identifiable? This isn't something that a lot of people actively do. There's a lot in academia right now, but it's kind of that thing that's maybe 10 years away. But if you were really set on trying to link two pieces of text, you can do it. And once we've solved all of those, how do people discover this content? The dark web is, while it isn't that dark, it is a pain in the ass to search and find content, unless you know it's there. But if you want to publish something anonymously, you want people to read it. So how do you solve that? I need to publish something anonymously, and I need people to read it, but I want to do that safely.

And I should probably at this point answer the question that some of you may be thinking, which is, why on earth would you want to do this? You just said that three larger sites on Freedom Hosting were child exploitation sites. You've been talking about drug lords and gun runners.

We live in a very weird world. We live in a very unfree world. And you don't have to go far to find people who need these kinds of tools. You look at the case last November in Montreal, where it turned out that the RCMP and local police were spying on journalists for no legitimate reason that people could find.

You look at human rights activists and queer activists in countries that crack down on freedom of speech or criminalize gay sex. When you look at people who have a lot to say but have no way to say it, we need to build tools and technology, as well as the whole human politics diplomacy movement; we need to arm these people with tools to help themselves, to empower them to speak out, to tell their stories, and for people like journalists to give them tools to converse with sources anonymously, to speak truth to power. And now that's being done; you look at the SecureDrop project. It's now run by practically every major news agency in this part of the world, where anyone can go to Tor, go to their SecureDrop, upload documents, and communicate securely with a journalist. That is the first step in this goal of making the world a freer place. But it's not the last step. And to get there, we need to solve these problems. We need to work out how we make anonymous publishing easy. We need to work out how we stop people from making these huge mistakes when they set up hidden services. Because it's not just dark market drug lords and gun runners and people who sexually exploit children or adults. It's people who are blogging for their lives. It's people who are trying to get the news out. It's people who are trying to discover who they are in their community, queer people trying to find people to date without their family knowing. And I would like to live in a world where that's possible.

So to summarize, anonymity is hard. It is very hard. It's like security and privacy and this extra block all in one. And we all know how hard it is to secure a system. You have to secure a system and make sure that no identity leaks out of it at all while also meeting the needs I've talked about of content distribution and publishing and all that. And the dark web isn't that dark. It's actually pretty clear. I'm going to go back to you. Am I going to go back to you?

Yeah. The dark web isn't that dark. There are so many huge networks of clusters we can find. There are so many correlations we can do. When you start looking at the entire dark web and every correlation, every identifier, you start to be able to create all these little networks and find them. I think there are like 20 up there. You can find bigger pictures of this on my website and on my Twitter. And you can see from all the maps that we've published, all the work that we've done, that there is a long way to go in this space before we can even lend credence to the notion that the dark web is dark. So I'd like to thank you, and I'm happy to take questions. You can find me on Twitter.
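The correlation-and-clustering step summarised above, as an added example that is not code from the talk or from OnionScan: it groups scanned sites that share an identifier using union-find, and refuses to join sites on an identifier shared more widely than a threshold, since a value common to many sites is more likely a shared-hosting artefact than evidence of one operator. The identifier kinds (an SSH host key fingerprint, an analytics tag, a payment address), the site names and all values are constructed for illustration and are not real onion addresses or real fingerprints.

```python
"""Cluster hidden services by shared identifiers (union-find).

Added example, not code from the talk or from OnionScan. Every site name and
identifier value below is constructed; none is a real address or fingerprint.
"""
from collections import defaultdict

# Constructed scan results: site -> {identifier kind: value}.
# "sharedHosting" is deliberately present on four sites to model a hosting
# provider's key that would wrongly link unrelated operators.
SCANS = {
    "siteA.onion": {"ssh_key": "SHA256:hostA", "analytics_id": "UA-1111-1"},
    "siteB.onion": {"ssh_key": "SHA256:hostA", "btc_addr": "1ExampleAddrB"},
    "siteC.onion": {"analytics_id": "UA-1111-1"},
    "siteD.onion": {"btc_addr": "1ExampleAddrD", "ssh_key": "SHA256:sharedHosting"},
    "siteE.onion": {"ssh_key": "SHA256:sharedHosting"},
    "siteF.onion": {"ssh_key": "SHA256:sharedHosting"},
    "siteG.onion": {"ssh_key": "SHA256:sharedHosting"},
}


def build_index(scans):
    """Invert the scans: (kind, value) -> set of sites exposing that value."""
    index = defaultdict(set)
    for site, ids in scans.items():
        for kind, value in ids.items():
            index[(kind, value)].add(site)
    return index


class DisjointSet:
    """Union-find with path halving; every site starts in its own set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(scans, max_shared=3):
    """Group sites that share an identifier.

    Identifiers seen on more than max_shared sites are recorded as skipped
    rather than used for linking. max_shared=3 is an assumed threshold for
    this constructed data; the right value depends on the real dataset.
    Returns (clusters, evidence, skipped): clusters is a sorted list of
    sorted site lists; evidence lists each identifier that joined sites and
    the sites it joined; skipped lists identifiers judged too common.
    """
    index = build_index(scans)
    ds = DisjointSet()
    for site in scans:
        ds.find(site)  # register singletons so they appear in the output
    evidence, skipped = [], []
    for ident, sites in index.items():
        if len(sites) < 2:
            continue
        if len(sites) > max_shared:
            skipped.append(ident)
            continue
        ordered = sorted(sites)
        for other in ordered[1:]:
            ds.union(ordered[0], other)
        evidence.append((ident, ordered))
    groups = defaultdict(list)
    for site in scans:
        groups[ds.find(site)].append(site)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, sorted(evidence), sorted(skipped)


if __name__ == "__main__":
    clusters, evidence, skipped = cluster(SCANS)
    for group in clusters:
        if len(group) > 1:
            print("linked:", ", ".join(group))
    for ident, sites in evidence:
        print("  because", ident, "appears on", sites)
    for ident in skipped:
        print("ignored (too common):", ident)
```

The output is a lead, not proof: two sites on one cluster share a value, which still has to be checked against the kind of identifier it is. Raising `max_shared` to 10 on the same data links siteD through siteG on the shared hosting key, which is exactly the false join the threshold is there to prevent.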

So, do you have any questions for Sarah? Anyone?

Hey Sarah, how do we make it easier for marginalized and at-risk communities to get the anonymity and freedom that they need and deserve, while also stopping the predators, stopping those who target at-risk or helpless or otherwise very vulnerable people?

It's a really good question. It's a really hard question. And I think I'll kind of flip it.

When you look at the dark web, a lot of media is targeted towards how horrible the dark web is, how it's filled with criminals and pedophiles and hackers and all that kind of stuff. We did some analysis back in January of one darknet marketplace, Hansburg. And after doing all the calculations, looking at all the reviews and going through it, we noticed that they were doing like $30 million in the last year of trading. That's tiny for any criminal enterprise. Whoa. That is tiny for any criminal enterprise. When you look at the legitimate drug trade, like Colorado and stuff, it's up in the billions. And even if you touch the FBI's grossly inflated figure, like Silk Road and the drug busts and stuff, it estimated that every darknet market was doing two billion dollars' worth of illegal trade, and there aren't that many darknet markets. There aren't that many.

There's not that much business. It's a tiny fraction of a fraction of 1% of the global crime that's going on. And it's the same with child exploitation. Most child exploitation does not take place on the darknet. It's real people in real life doing horrible things. And most of those cases are solved through good detective work and people going after it. And it's the same with drugs. I mean, the dark web is such a tiny portion of the crime that's going on, it seems stupid not to invest in the capabilities that might help a lot and empower a lot of people to escape horrible situations, for the fear that it might help a few people commit a few crimes. And I think that's the case with all tools we find. There are often many more legitimate uses than illegitimate uses.

Fair point. I had a question about the first thing you mentioned, about the French person. Was that a real case? Was it proven that his computer wasn't just hacked?

No, that was a real case that I found while browsing the dark web.

Was that him, proven in court or something?

Oh, it was not proven in court. No, I think he's still around. I haven't checked on him in the last few months. But last I checked, he still had his site and he was still doing stuff.

You have a really unique perspective, being formerly GCHQ and now on this side of it. Obviously you can't talk too much about that, but around the realities of GCHQ: it's like no other business, in a different way. It's got budgets and funding. At what point in time does that kind of stuff affect the capability of GCHQ, and where are we going to get to? When are we going to have enough in the anonymity space to combat that, if ever?

It's a good point.

So most anonymity networks we have today, and in particular Tor: Tor cannot prevent a global passive adversary from correlating all your traffic and identifying it. There are new anonymity networks and schemes that have been developed, that are kind of very academic, that make that also impossible. But the truth is that attacks on that scale are expensive. They cost a lot of resources. And they're often hit and miss. I mean, if you do all that work and discover that the person that you're looking for is in a jurisdiction you have no control over, then you've wasted that effort. When you look at active attacks on the Tor network, they're also very expensive, and they're very detectable. We're able to see them and respond to them. So I think we're at that point now where nation states don't necessarily have the money, the resources, or maybe even the desire to go after and exploit these things on a whole scale. If they are doing it, they're doing targeted exploitation and targeted efforts. And that's going to become more and more the case as we start encrypting all of our communications, everyone using Signal, everyone using these services. At that point you have to start going after targeted stuff, because you don't have any other way of getting in.

We have another question.

Hey Sarah, thanks a lot. That was a really awesome presentation. I just was wondering if you could speak for a moment about VPNs. Just going forward, if we're going to be advocates for anonymity and trying to empower people, is this something we can recommend? Do you see it as better than Tor? I personally don't really trust Tor all that much or think it's super robust, for a lot of the reasons you went over. But I do advocate the use of VPNs for people, and I just was wondering if you could speak to that for a moment.

Sure. So my opinion on VPNs is that it's really hard to recommend a VPN. VPNs are great. If you can find a good VPN, it protects your traffic pretty much all the way to the endpoint. It doesn't anonymize your traffic, but many people don't have the threat model that requires complete anonymity all the time, especially when you're looking at generic browsing. So a VPN is much more effective in that space. It's much less scary. It's much more marketable. The problem is that when you look at studies, most VPNs are terrible. There are a few that are nice, and it's always hard to keep track of which ones are which. So I never recommend that someone use a particular VPN. I try to help them make an assessment of what works for them. But coming back to Tor, I would agree. Part of the problem, I think, is these websites and the internet in general. Browsing the internet over Tor is still pretty dangerous. Exit nodes will do weird things to your traffic. Using hidden services is a bit safer. And if you're using legitimate hidden services, things like Facebook, other websites that have hidden services, you're pretty much as safe as you can be in terms of protection from man-in-the-middle attacks, downgraded encryption, that kind of stuff.

The problem is that most sites don't have a hidden service. So if you go through Tor, you're going through an exit node. It's slow. The exit nodes can do bad things. And it's really hard to suggest that to a naive user trying to improve their privacy. So I would recommend a VPN in that case.

Hi. I can't hear you, I'm sorry. I did turn it back on, thank you so much. Thanks a lot for your presentation so far. I appreciate the fact that people should get tools to publish in privacy and stuff like that. I wonder what your take is on the other side, like governments and law enforcement, that maybe always want tools to get the information about people.

Yeah, this is the case. I mean, I know people use OnionScan. I know they use other tools.

My personal take is that it's better to distribute power and force government's hand to actually go and get warrants and do targeted surveillance. I think that creates a much fairer society, even if it annoys them a little bit. I think we're in a rather unique point in history right now where surveillance tech has just crept up over the last 50 years as we've kind of centralized our entire communication networks around internet and phone companies and that kind of stuff. Governments have become very used to the idea that they can tap someone or spy on someone whenever they like. And that's not how it was at all for most history. And that certainly isn't the future, I think, that we want

for our societies. So while I would say that, yep, governments are going to invest in technology: you look at the job descriptions, you look at the job postings that are going out, they are looking for people with experience in analyzing these kinds of systems, analyzing dark networks, looking for people with security skills to identify holes, to exploit traffic. So they will invest in that, and that is their raison d'être, that is what they do. But I think that we also need to continue working to decentralize these systems and put them in the hands of people and give them secure tools.

I was wondering how much work you put into the cryptocurrency linking, because even if you use a separate address to receive each payment, when you try to buy something with your drug money, or one person buys drugs for multiple things, how deeply did you look into that part?

So we don't dive too deep. Generally once we find a link we're happy with it. But what we have seen, I mean, a good example is scam sites. Scam sites kind of double your Bitcoin; you can't double Bitcoin. But you see these sites that pop up and say, hey, if you send us five Bitcoin, we'll give you 10 Bitcoin in 10 days. And you can go to the blockchain and you can see how many people have sent them Bitcoin. And I suggest you don't do that if you want to maintain faith in humanity. It's far more than it ever should be. These sites are rather profitable. But yeah, there was a talk at HOPE last year, some guys who had created a tool for doing this kind of Bitcoin analysis, which is worth checking out. It's something that I would like to hook in one day and kind of do further explorations in that space.

Cool, thank you very much. I will be around for a second.