JULY/AUGUST 2019. DISCOVER 53
Peeling the Onion
On a normal network, every device, whether it's a computer running software or a server storing webpages, attaches an identifying number called an Internet Protocol (IP) address to the data it sends. You can trace this digital identifier to the real world by linking an IP address to the location where it entered the network, such as a cellphone tower in Peoria, Illinois, or an internet provider's data center in Portland, Oregon.

The Tor network hides a user's IP address by wrapping data in several layers of encryption and bouncing it through a chain of volunteer-run relays. Each relay strips off one layer and learns only the relay before it and the relay after it; no single relay sees both the user and the destination. When the data reaches its destination, it appears to have come from the last relay in the chain rather than from the user. On the Tor network, every user could be any other user: everyone is no one.
Is It Really Anonymous?
Although the Tor network masks your location, there are still ways to reveal someone's identity. Here are just a couple:

Traffic analysis: By observing data flows, it's possible to match traffic entering the network with traffic leaving it. For instance, you may notice that one computer (A) sent a burst of data at a certain time, while another computer (B) received a burst a moment later, roughly the time it would take for data to get from A to B. Tor's encryption hides what the packets contain, but not when they were sent or how many there were, so if that pattern repeats often enough, you might be on to someone. It's difficult, since you typically need to watch both the entry and the exit end of the circuit at the same time, but it's possible.
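The timing match described above, written out as code. This is an added example, not part of the Discover article: it bins packet timestamps seen at the entry side and the exit side into 100 ms buckets, slides the exit flow back in time to allow for network delay, and pairs each entering flow with the exit flow whose burst pattern correlates best. The user names, relay names, timestamps and delays are constructed sample data, not real captures.

```python
import random
from typing import Dict, List, Tuple

BIN_MS = 100          # width of a timing bucket in milliseconds
MAX_LAG_MS = 1000     # largest network delay we search for
WINDOW_MS = 10_000    # observation window (10 seconds)


def to_histogram(times: List[float], lag_ms: int = 0) -> List[int]:
    """Count packets per BIN_MS bucket after shifting every timestamp back by lag_ms.
    Timestamps are seconds; the arithmetic is done in integer milliseconds so that
    bucket boundaries do not depend on floating-point rounding."""
    counts = [0] * (WINDOW_MS // BIN_MS)
    for t in times:
        idx = (int(round(t * 1000)) - lag_ms) // BIN_MS
        if 0 <= idx < len(counts):
            counts[idx] += 1
    return counts


def pearson(x: List[int], y: List[int]) -> float:
    """Pearson correlation of two equal-length histograms (0.0 if either is flat)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def best_alignment(entry: List[float], exit_: List[float]) -> Tuple[float, float]:
    """Slide the exit flow back in time one bucket at a time and return
    (highest correlation, lag in seconds at which it occurs)."""
    entry_hist = to_histogram(entry)
    best_corr, best_lag = -1.0, 0
    for lag_ms in range(0, MAX_LAG_MS + 1, BIN_MS):
        corr = pearson(entry_hist, to_histogram(exit_, lag_ms))
        if corr > best_corr:
            best_corr, best_lag = corr, lag_ms
    return best_corr, best_lag / 1000


def match_flows(entries: Dict[str, List[float]],
                exits: Dict[str, List[float]]) -> Dict[str, Tuple[str, float, float]]:
    """For every flow seen entering the network, name the exit flow whose timing
    pattern matches it best: entry name -> (exit name, correlation, lag in seconds)."""
    result = {}
    for ename, etimes in entries.items():
        scored = [(xname,) + best_alignment(etimes, xtimes) for xname, xtimes in exits.items()]
        result[ename] = max(scored, key=lambda s: s[1])
    return result


def constructed_observations(seed: int = 7) -> Dict[str, Dict[str, List[float]]]:
    """Constructed sample data (not real captures): two users send bursty traffic
    into their first relays, and the same bursts reappear at two exit relays after a
    fixed network delay plus up to 30 ms of jitter."""
    rng = random.Random(seed)

    def bursts(starts: List[float]) -> List[float]:
        return [s + k * 0.01 for s in starts for k in range(6)]

    alice = bursts([0.5, 2.0, 2.3, 5.1, 7.8])
    bob = bursts([1.2, 3.4, 4.0, 6.5, 8.9])
    return {
        "entry": {"alice": alice, "bob": bob},
        "exit": {
            "exit_1": [t + 0.3 + rng.uniform(0, 0.03) for t in alice],
            "exit_2": [t + 0.5 + rng.uniform(0, 0.03) for t in bob],
        },
    }


if __name__ == "__main__":
    obs = constructed_observations()
    for user, (exit_name, corr, lag) in match_flows(obs["entry"], obs["exit"]).items():
        print(f"{user} -> {exit_name}  correlation={corr:.2f}  delay={lag:.1f}s")
```

The attacker in this picture needs both sides: the entry timestamps (from the user's ISP or the first relay) and the exit timestamps (from the exit relay or the destination). With only one side there is nothing to correlate against, which is why the text calls the attack difficult rather than impossible.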
Bitcoin transactions: Researchers in Qatar identified 125 Tor users linked to illegal services on the network. The team systematically hunted for bitcoin addresses, the unique codes, somewhat like account numbers, that allow users to send bitcoin to each other. Their crawler scoured both the dark web and public forums like Twitter. Because every bitcoin transaction is recorded on a public ledger, the researchers could link addresses that people had posted publicly under their own names to the same addresses used on dark web sites, revealing the users' identities.
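The address-matching step, as an added example that is not part of the article or of the Qatar team's published code: it pulls candidate addresses out of posts with a regular expression, keeps only those whose Base58Check checksum verifies (so look-alike strings do not create false links), and then joins the addresses seen on public forums against those seen on hidden services. The handles, site names and posts are invented, and the addresses are built from arbitrary 20-byte values rather than real keys.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Base58 alphabet used by legacy bitcoin addresses (no 0, O, I or l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a legacy address: version character 1 (P2PKH) or 3 (P2SH) followed by
# 25-34 Base58 characters. Newer bech32 ("bc1...") addresses are out of scope here.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # each leading zero byte becomes a '1'
    return "1" * pad + digits


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)           # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def make_address(hash160: bytes, version: int = 0x00) -> str:
    """Base58Check-encode a 20-byte hash; used here only to build constructed sample data."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def is_valid_legacy_address(addr: str) -> bool:
    """Real addresses carry a 4-byte double-SHA256 checksum, which weeds out
    strings that merely match the regex."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] in (0x00, 0x05) and checksum(raw[:21]) == raw[21:]


def extract_addresses(text: str) -> Set[str]:
    return {m for m in ADDRESS_RE.findall(text) if is_valid_legacy_address(m)}


def link_identities(public_posts: List[Tuple[str, str]],
                    hidden_posts: List[Tuple[str, str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Join addresses seen on the clear web (handle, text) with addresses seen on
    hidden services (site, text). Any address present on both sides ties a public
    handle to a hidden-service vendor or customer."""
    public: Dict[str, Set[str]] = {}
    hidden: Dict[str, Set[str]] = {}
    for handle, text in public_posts:
        for addr in extract_addresses(text):
            public.setdefault(addr, set()).add(handle)
    for site, text in hidden_posts:
        for addr in extract_addresses(text):
            hidden.setdefault(addr, set()).add(site)
    return {addr: (public[addr], hidden[addr]) for addr in public.keys() & hidden.keys()}


# Constructed sample data: the hashes are arbitrary bytes; handles and sites are invented.
ADDR_SHARED = make_address(bytes(range(1, 21)))          # posted in both places
ADDR_HIDDEN_ONLY = make_address(bytes(range(20, 0, -1)))  # posted on a hidden service only
ADDR_BAD_CHECKSUM = ADDR_SHARED[:-1] + ("2" if ADDR_SHARED[-1] != "2" else "3")

PUBLIC_POSTS = [
    ("@coin_fan", f"Tips welcome at {ADDR_SHARED} thanks"),
    ("@someone_else", f"Is {ADDR_BAD_CHECKSUM} a valid address? It does not look right."),
]
HIDDEN_POSTS = [
    ("marketxyz.onion", f"Send payment to {ADDR_SHARED} before shipping"),
    ("vendorabc.onion", f"New deposit address: {ADDR_HIDDEN_ONLY}"),
]

if __name__ == "__main__":
    for addr, (handles, sites) in link_identities(PUBLIC_POSTS, HIDDEN_POSTS).items():
        print(addr, "links", sorted(handles), "to", sorted(sites))
```

The join here only uses addresses that appear verbatim on both sides. The published research went further by following the public transaction ledger, so that an address tied to a public handle could also be linked to other addresses it had paid or been paid by.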
Know Your Dark Web Lingo
Exit node: The final relay in a Tor circuit. Whether it's legal or illegal, every connection sent through a Tor circuit will look, to the destination, like it came from the exit node. People who volunteer to operate exit nodes risk being contacted by federal law enforcement or banned by their internet service providers if illegal data does pass through their node. Proving you're an exit node operator typically gets you off the hook, but if you don't want the hassle, don't operate one.
Sniffing: The process of capturing data packets as they race through a network. A software tool, called a sniffer, can monitor and analyze data for things that might be incriminating or useful. For instance, cybersecurity firms use sniffers to monitor networks for intrusions and suspicious traffic. On Tor, the place to worry about is the exit node: whatever leaves it without encryption of its own, such as a plain HTTP request, can be read by anyone sniffing there.
Fullz: A slang term that describes
full packages of a person’s
information: credit cards, Social
Security, birth date, etc. Fullz can
easily be purchased for $10 to $40
worth of bitcoin from websites
that function just like eBay. Prices
vary depending on the quality
and breadth of the accounts in
the package.
Tumblers: Also known as mixers,
tumblers are web-based services
that ingest potentially identifiable
funds like bitcoin and anonymize
them with a pool of other funds
seeking anonymity. Basically, it’s
digital money laundering.
SecureDrop: A Tor-based
document submission service that
links whistleblowers to journalists.
MEMEX project: A U.S.
government-led initiative aimed
at indexing content across
every layer of the internet,
including data from forums,
Tor services and chats, to make
it more searchable. MEMEX’s
first mission was to help federal
agents discover and disrupt
human trafficking networks
on the internet.
Honeypot: An enticing website
that’s designed to trap users and
steal their identifying information.
A federal agency might use a
honeypot to locate drug dealers
or pedophiles by planting
malware on their computer
when they access the site.
NETWORK: DAN BISHOP/DISCOVER
Step 1: User opens a Tor browser, which establishes a connection with a Tor directory.

Step 2: Using the directory's list of relays, the browser picks a random path through the network; usually there are at least three stops, or nodes, on the path. In the illustration they are Node A, Node B and Node C.

Step 3: For a path with three nodes, the browser negotiates a separate key with each node, one hop at a time (the directory lists the nodes and their public keys but never sees these session keys). Imagine each key as two halves of a whole: the user holds one half of all three keys, while each node holds only one half of one key.

Step 4: User sends the triple-layer-encrypted message to A.

Step 5: A unlocks the first encryption layer, revealing the next address in the circuit.

Step 6: Message "hops" from A to B, where the second encryption layer is unlocked, revealing the next address.

Step 7: Message reaches C, where the third encryption layer is unlocked, revealing the final destination.

Step 8: Message, now stripped of Tor's encryption, reaches the destination server appearing as if it came from C rather than from the user's computer. Unless the application added its own encryption (for example, HTTPS), C, and anyone watching C's link, can read the contents.
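The eight steps above, carried through in code. This is an added example, not part of the article or of the Tor software: the client wraps a message in three layers keyed to relays A, B and C, and each relay peels exactly one layer, learning only the next hop. The cipher is a toy stream cipher built from HMAC-SHA256 so the example runs on the standard library; it stands in for the AES-CTR layers real Tor uses and, like them, adds no integrity check by itself. The relay names, the destination and the per-relay keys are assumptions for the example (real Tor derives the keys from a Diffie-Hellman style handshake with each relay in turn, not from a directory).

```python
import hashlib
import hmac
import os
from typing import List, Tuple

HOP_FIELD = 16   # fixed-width field carrying the next hop's name
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Illustration only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def layer_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def _frame(next_hop: str, payload: bytes) -> bytes:
    return next_hop.encode().ljust(HOP_FIELD, b"\x00") + payload


def build_onion(message: bytes, destination: str, circuit: List[Tuple[str, bytes]]) -> bytes:
    """Wrap the message for the circuit [(A, key_A), (B, key_B), (C, key_C)].
    Working from the last relay inward, each layer is encrypted with that relay's key
    and carries only the name of the hop that comes after it (steps 3 and 4)."""
    next_hop, payload = destination, message
    for name, key in reversed(circuit):
        payload = layer_encrypt(key, _frame(next_hop, payload))
        next_hop = name
    return payload


def relay_peel(key: bytes, onion: bytes) -> Tuple[str, bytes]:
    """What a single relay does (steps 5 to 7): strip its own layer, read the next
    hop, and pass the still-encrypted remainder on. It never holds the other keys."""
    inner = layer_decrypt(key, onion)
    return inner[:HOP_FIELD].rstrip(b"\x00").decode(), inner[HOP_FIELD:]


def run_circuit(message: bytes, destination: str,
                circuit: List[Tuple[str, bytes]]) -> Tuple[List[Tuple[str, str]], bytes]:
    """Simulate the whole path. Returns ([(relay, next hop it learned), ...], bytes the
    destination receives). Only the last relay's view names the destination (step 8)."""
    onion = build_onion(message, destination, circuit)
    trace = []
    for name, key in circuit:
        next_hop, onion = relay_peel(key, onion)
        trace.append((name, next_hop))
    return trace, onion


def make_circuit(names=("A", "B", "C")) -> List[Tuple[str, bytes]]:
    # One fresh random key per relay; an assumption standing in for Tor's handshake.
    return [(n, os.urandom(32)) for n in names]


if __name__ == "__main__":
    trace, delivered = run_circuit(b"GET / HTTP/1.1", "example.com", make_circuit())
    for relay, nxt in trace:
        print(f"relay {relay} forwards to {nxt}")
    print("destination receives:", delivered)
```

Note what falls out of the trace: A learns only "B", B learns only "C", and C learns the destination plus the bytes the user actually sent. That last point is the practical caveat to step 8: if the message is a plain HTTP request, the exit relay reads it in full.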