This memo explores the important role Tor plays in almost all hacker circles, and in particular that of Adrian Lamo.

A Canadian ethical hacker going by the handle `kaepora' has pointed out that footage from Lamo's recent Al Jazeera English interview (originally dug up by Anonymous) is potentially evidence of Lamo sniffing the now infamously leaky Tor network. [1] Actually, the AJE screenshot [2] shows the debug output of an OpenSSH tunnel, but is inconclusive. For example, consider a local OpenSSH tunnel from some port (9090) to a local Tor client (port 9050):

    $ ssh -vv localhost -L 9090:localhost:9050

Note that debugging flags are on (-vv). Connect through this tunnel, say to fetch the check.torproject.org web page:

    $ curl --silent --socks5 localhost:9090 https://check.torproject.org/ \
        | grep -i congratulations | tail -1
    Congratulations. Your browser is configured to use Tor.<br>

OpenSSH will then have printed to the terminal:

    debug1: channel 3: free: direct-tcpip: listening port 9090 for localhost port 9050, connect from ::1 port 40883, nchannels 4
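The reading of the screenshot above rests on what an OpenSSH direct-tcpip debug line encodes: the local listening port, the host and port the far end connects to, and who connected to the local listener. The following is an added example, not part of the memo, that parses such lines into records, counts connections per tunnel, and flags tunnels whose far end is a Tor client's default SOCKS port (9050, as in the memo's own example). The log lines are constructed for the example; the second one copies the form of the line quoted above, the others are made up, and the trailing "to HOST port N" wording on one of them is an assumed variant from newer OpenSSH releases.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of OpenSSH "-vv" output. The second line has the form of
# the one the memo quotes; the other direct-tcpip lines are made up for this
# example and are not taken from the AJE screenshot. The trailing
# "to HOST port N" suffix on one line is an assumed newer-OpenSSH variant.
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,password
debug1: channel 3: free: direct-tcpip: listening port 9090 for localhost port 9050, connect from ::1 port 40883, nchannels 4
debug1: channel 4: free: direct-tcpip: listening port 5050 for 127.0.0.1 port 9050, connect from 127.0.0.1 port 51022 to 127.0.0.1 port 5050, nchannels 3
debug2: channel 5: free: direct-tcpip: listening port 9090 for localhost port 9050, connect from ::1 port 40884, nchannels 2
debug1: channel 0: free: client-session, nchannels 1
"""

TOR_SOCKS_PORT = 9050  # default SOCKS port of a Tor client, as in the memo

# One regex for the "channel N: free: direct-tcpip: ..." line. The
# "to HOST port N" group is optional so both wordings match.
FORWARD_RE = re.compile(
    r"^debug\d+: channel (?P<chan>\d+): free: direct-tcpip: "
    r"listening port (?P<lport>\d+) for (?P<dhost>\S+) port (?P<dport>\d+), "
    r"connect from (?P<shost>\S+) port (?P<sport>\d+)"
    r"(?: to (?P<bhost>\S+) port (?P<bport>\d+))?"
)


@dataclass(frozen=True)
class Forward:
    """One closed direct-tcpip channel, i.e. one connection through a -L tunnel."""
    channel: int
    listen_port: int   # local port the tunnel listens on (-L LPORT:...)
    dest_host: str     # host the remote sshd connected to (...:HOST:...)
    dest_port: int     # ...and its port (...:PORT)
    src_host: str      # who connected to the local listener
    src_port: int


def parse_forwards(text):
    """Extract every direct-tcpip channel record from ssh -vv output."""
    found = []
    for line in text.splitlines():
        m = FORWARD_RE.match(line)
        if m is None:
            continue  # unrelated debug chatter
        found.append(Forward(
            channel=int(m["chan"]),
            listen_port=int(m["lport"]),
            dest_host=m["dhost"],
            dest_port=int(m["dport"]),
            src_host=m["shost"],
            src_port=int(m["sport"]),
        ))
    return found


def summarize_tunnels(forwards):
    """Count connections per tunnel, keyed by (listen_port, dest_host, dest_port)."""
    return Counter((f.listen_port, f.dest_host, f.dest_port) for f in forwards)


def tor_socks_tunnels(forwards):
    """Tunnels whose far end is a Tor client's SOCKS port, like the memo's example."""
    return sorted({(f.listen_port, f.dest_host) for f in forwards
                   if f.dest_port == TOR_SOCKS_PORT})


if __name__ == "__main__":
    fwds = parse_forwards(SAMPLE_LOG)
    for key, n in summarize_tunnels(fwds).items():
        print("local :%d -> %s:%d  (%d connection(s))" % (key + (n,)))
    print("tunnels ending at a Tor SOCKS port:", tor_socks_tunnels(fwds))
```

Run it on a saved `ssh -vv` session log instead of SAMPLE_LOG and the summary reproduces, from the debug output alone, which listener relays to which host and port, which is exactly the information the memo says the screenshot's cropped left-hand columns would be needed to settle.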
In the AJE screenshot, this is exactly what is seen: an OpenSSH tunnel listening at various addresses, all on port 5050, relaying to various other ports at those same addresses, and printing debugging information to the terminal. The addresses seen include: 74.82.57.190 (SetecAstronomy.org), 204.13.164.32 (swift.riseup.net), and 204.13.164.33 (mail.riseup.net).

To create a tunnel at these addresses, OpenSSH first requires a local account to log in to. This means Lamo has OpenSSH access to those machines, in itself not irregular, considering the address mail.riseup.net indicates Lamo is reading his email through an encrypted OpenSSH tunnel. Note, however, that Riseup.net was where Wikileaks began. Assange started its mailing list there, which he used to solicit advice and expertise, the contents of which John Young of Cryptome later leaked. Assange also used Riseup.net to maintain a ``donor's list'' -- a mailing list for all the *initial* Wikileaks donors, that is, before Wikileaks began soliciting funds publicly. Lamo was a member of this list -- an original, private Wikileaks donor.

Another address that is particularly of note is SetecAstronomy.org. ``Setec Astronomy'' is an anagram for ``Too Many Secrets,'' and the domain is registered to Adrian Lamo via Gandi.net -- the same registrar used by Wikileaks to register Wikileaks.fr. A quick scan reveals any open ports:

    $ nmap setecastronomy.org
    Nmap scan report for setecastronomy.org (74.82.57.190)
    Host is up (0.33s latency).
    rDNS record for 74.82.57.190: SetecAstronomy.org
    Not shown: 989 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    25/tcp   filtered smtp
    80/tcp   open     http
    81/tcp   open     hosts2-ns
    113/tcp  open     auth
    135/tcp  filtered msrpc
    139/tcp  filtered netbios-ssn
    143/tcp  open     imap
    443/tcp  open     https
    445/tcp  filtered microsoft-ds
    8080/tcp open     http-proxy
The web server listening on ports 80 and 8080 returns the default web page for a Tor exit node. This machine is a Tor exit node running on a Microsoft Windows server. Connections to port 5050 on SetecAstronomy.org were being actively reset (``closed'') at the time of writing, which means Lamo was not logged into the machine and forwarding traffic:

    $ nmap setecastronomy.org -p 5050
    Nmap scan report for setecastronomy.org (74.82.57.190)
    Host is up (0.33s latency).
    rDNS record for 74.82.57.190: SetecAstronomy.org
    PORT     STATE  SERVICE
    5050/tcp closed mmcc
So, Lamo, an original Wikileaks donor, is also a Tor exit node operator -- the domain for which he registered using the same ``free speech'' registrar Wikileaks uses; and maintains email accounts at the anarchist hacker collective Riseup.net -- the same network Assange used to initially organize Wikileaks volunteers and donors... Interestingly, Riseup.net lists operating Tor exit nodes under the ``Other Services'' section of its website:

    ``... we also run TOR exit nodes, if you would like to contribute to the Tor Project but not deal with the technical or legal details.''

Recall that Lamo has accused both Appelbaum and Wikileaks of sniffing the Tor network. Given that sociopaths often accuse the subjects of their obsessions of committing their own crimes, this leads to the important question of whether Lamo has just been caught on television sniffing the Tor network using his exit node at SetecAstronomy.org. Unless other footage of Lamo's screen exists -- which would show the leftmost columns of his terminal clearly (i.e. the ports being forwarded *to*) -- this remains an open question. Lamo might not even have the technical aptitude to sniff the Tor network (which is nonetheless trivial). Perhaps he is using his exit node as a simple SOCKS proxy, relaying his web traffic through his exit node to camouflage it, i.e. get ``lost in the noise'' -- as Lamo's hacker ex-friend Appelbaum named his own collection of Tor exit nodes (LostInTheNoise.net). Or perhaps Lamo really is sniffing Tor exit traffic, looking for that next bit of information to snitch about or turn over to Project Vigilant.

Regardless, this all leads to a single conclusion: Tor is not safe. Tor is a tool designed by spies (see US Patent No. 6266704, 1998), for spies -- a spy audience consisting of everything from professionals like governments and Wikileaks, to mediocre hackers like Appelbaum, to sociopath prescription drug abusers like Lamo. Tor enables these fringe elements to enact their common fantasy of living the lives of spies.

The Tor network is not an anonymity network; it is not a privacy network. The Tor network is `wiretapping for dummies', an orgy of exhibitionism useful only to sociopaths -- sexual deviants and hackers alike.

[1] https://twitter.com/kaepora/status/48576036060938240
[2] https://uloadr.com/u/qVf.jpg