TOR - Uh Oh

Discussion in 'Technical' started by DarkLight, Aug 20, 2013.

  1. DarkLight

    DarkLight Live Long and Prosper - On Hiatus

    [tor-announce] Tor security advisory: Old Tor Browser Bundles vulnerable

    From the article:

    Don't know if anyone here is/has/is considering using TOR but if so, update.
  2. Motomom34

    Motomom34 Monkey+++

    I use firefox but unsure what TOR is.
  3. Mindgrinder

    Mindgrinder Karma Pirate Ninja|RIP 12-25-2017

    It's a DARPA/US Navy digital onion....well sorta.
    It's what most people aged 10-35 use to download stuff and pretend they are anonymous on the interwebs. Your ISP can clearly see .tor traffic and have been routinely slowing down those packets to reduce lag on the overall network. Some companies use what is called an ellacoya switch to do this as well as other hardware to analyze and log content but most of this info is pretty hush hush.

    Tor Project: Overview

    Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others.

    Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.
    Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor's hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.
    Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they're in a foreign country, without notifying everybody nearby that they're working with that organization.
    Groups such as Indymedia recommend Tor for safeguarding their members' online privacy and security. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication. Which locations have employees working late? Which locations have employees consulting job-hunting websites? Which research divisions are communicating with the company's patent lawyers?
    A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.
    The variety of people who use Tor is actually part of what makes it so secure. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected.
    Why we need Tor

    Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you're travelling abroad and you connect to your employer's computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted.
    How does traffic analysis work? Internet data packets have two parts: a data payload and a header used for routing. The data payload is whatever is being sent, whether that's an email message, a web page, or an audio file. Even if you encrypt the data payload of your communications, traffic analysis still reveals a great deal about what you're doing and, possibly, what you're saying. That's because it focuses on the header, which discloses source, destination, size, timing, and so on.
    A basic problem for the privacy minded is that the recipient of your communications can see that you sent it by looking at headers. So can authorized intermediaries like Internet service providers, and sometimes unauthorized intermediaries as well. A very simple form of traffic analysis might involve sitting somewhere between sender and recipient on the network, looking at headers.
    But there are also more powerful kinds of traffic analysis. Some attackers spy on multiple parts of the Internet and use sophisticated statistical techniques to track the communications patterns of many different organizations and individuals. Encryption does not help against these attackers, since it only hides the content of Internet traffic, not the headers.
    The solution: a distributed, anonymous network

    Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it's going.
    To create a private network pathway with Tor, the user's software or client incrementally builds a circuit of encrypted connections through relays on the network. The circuit is extended one hop at a time, and each relay along the way knows only which relay gave it data and which relay it is giving data to. No individual relay ever knows the complete path that a data packet has taken. The client negotiates a separate set of encryption keys for each hop along the circuit to ensure that each hop can't trace these connections as they pass through.
    Once a circuit has been established, many kinds of data can be exchanged and several different sorts of software applications can be deployed over the Tor network. Because each relay sees no more than one hop in the circuit, neither an eavesdropper nor a compromised relay can use traffic analysis to link the connection's source and destination. Tor only works for TCP streams and can be used by any application with SOCKS support.
    For efficiency, the Tor software uses the same circuit for connections that happen within the same ten minutes or so. Later requests are given a new circuit, to keep people from linking your earlier actions to the new ones.
    Hidden services

    Tor also makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor "rendezvous points," other Tor users can connect to these hidden services, each without knowing the other's network identity. This hidden service functionality could allow Tor users to set up a website where people publish material without worrying about censorship. Nobody would be able to determine who was offering the site, and nobody who offered the site would know who was posting to it. Learn more about configuring hidden services and how the hidden service protocol works.
    Staying anonymous

    Tor can't solve all anonymity problems. It focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use Torbutton while browsing the web to withhold some information about your computer's configuration.
    Also, to protect your anonymity, be smart. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.
    The future of Tor

    Providing a usable anonymizing network on the Internet today is an ongoing challenge. We want software that meets users' needs. We also want to keep the network up and running in a way that handles as many users as possible. Security and usability don't have to be at odds: As Tor's usability increases, it will attract more users, which will increase the possible sources and destinations of each communication, thus increasing security for everyone. We're making progress, but we need your help. Please consider running a relay or volunteering as a developer.
    Ongoing trends in law, policy, and technology threaten anonymity as never before, undermining our ability to speak and read freely online. These trends also undermine national security and critical infrastructure by making communication among individuals, organizations, corporations, and governments more vulnerable to analysis. Each new user and relay provides additional diversity, enhancing Tor's ability to put control over your security and privacy back into your hands.
    kellory likes this.
  4. Motomom34

    Motomom34 Monkey+++

    Thanks Mindgrinder- it's gonna take me 3 days to understand that post.:rolleyes:
  5. Mindgrinder

    Mindgrinder Karma Pirate Ninja|RIP 12-25-2017

    If you don't use it you probably don't need to know.
    Ask your kids if they download from the pirate bay or elsewhere...
    They can probably give you a good idea of what it is used for.
  6. ghrit

    ghrit Bad company Administrator Founding Member

    Does that vulnerability still exist? Ff v17 was supposed to fix that, v23 is current.
  7. DarkLight

    DarkLight Live Long and Prosper - On Hiatus

    MG - That's a really simplistic and skewed look at what the network is used for. Yes, I'm sure that's one of the many things it's used for but certainly not the only thing. Like every technology, it has its pros and cons. It's used by tens of thousands of people in countries with oppressive regimes and human rights violators in power to get to the "regular" Internet and see what's going on elsewhere and report anonymously.

    Yes, you don't have to like it but it can in fact be anonymous. Like everything OPSEC related though, you can blow your own whistle if you aren't careful.

    Just because your ISP can see you are using TOR, they can't see what you are doing with it and the more people who use TOR, the less you stand out because you aren't the one-off.

    Likewise with slowing the traffic down. Ok, they slow the traffic down. As long as they aren't cutting it off entirely, you are still getting out.
    Mindgrinder and kellory like this.
  8. DarkLight

    DarkLight Live Long and Prosper - On Hiatus

    To the best of my knowledge from reading up on it online and per the Tor announcement, Mozilla fixed that hole, and they did so in June. The Tor project had an updated bundle shortly thereafter. The problem stems from the fact that people didn't update. They had over a month to do it and chose not to.

    As far as FF v17, the reason the Tor Browser Bundle uses that is it's the Extended Support version (kind of like LTS for Ubuntu). No functional changes, just security patches for x amount of time.

    v23 should have that vulnerability closed but any number of new 0-day issues could still be waiting to be found.
    ghrit and kellory like this.
  9. Mindgrinder

    Mindgrinder Karma Pirate Ninja|RIP 12-25-2017

    Uh...thinking you're anon on the net is retarded. Skewed? Hardly. I work for my ISP....13 year Vet tech. We see EVERYTHING .tor - file names especially. True Crypt? We log the whole thing if requested by law enforcement. To protect the children of coarse. Even in a small market like Canada, google/youtube have co-lo cache servers EVERYWHERE under the guise of "it speeds it up for the next viewer if we cache it locally" - in truth - it's tracking. Look m8, I watch the change controls for our NOC go through all the time...this has been in place for years. Proxy? Useless if your ISP is on board for the .gov....which ALL except the small resellers are. We don't slow it down to reduce "lag"'s to have a closer look and log it. There is almost as much profit in tracking you and reselling your traffic patterns as there is in your monthly sub charges for access. In the NEAR'll be more profitable to TRACK YOUR ACTIVITY than it is to SERVE YOU bandwidth. Copyright infringe claim? Give us $20 and we'll cache every click you make. THAT is the near future.

    Think aboot it.
  10. DarkLight

    DarkLight Live Long and Prosper - On Hiatus

    I do think about it all the time, it's my job. I work for one of the three largest ISPs in the United States. You see the traffic, we see the traffic, it's using SSL and I know first hand that we can't see inside the packets. Can the TLA's? Maybe. Do they? I will go with no, for the time being and reserve judgement on the future data centers. I have worked hand in hand with TLAs, numerous times and watched their frustration at not being able to see something.

    I know how it works. I've used it, I've taught it, I run it. Been working for this ISP for 8 years, in the industry for almost my entire working career (yes, since before you needed SLIrP to get on through a college Computer Science Dept. account, HTML 1.0 wasn't ratified yet and "blink" hadn't even been considered yet).

    The .gov has a lot of power behind it but they don't have it all. Living with your head in the sand is foolish. Living in fear is no less foolish. Propagating fear and just flat wrong information is immoral and will eventually just get you ignored.

    Good for you, I guess I'm glad you work for an ISP that will grab the truecrypt drives. Everybody needs a job. Ever try decrypting a truecrypt file? Have any success? Considering that (and no, it isn't just the advertising on the website but peer reviewed fact) the government can't decrypt it (again, judgement reserved on the data centers) without the password for the key (not just the password and not just the key), I will humbly disbelieve you if you say yes, you have cracked the encryption on a truecrypt volume. The processing power to do it in a timely manner just isn't available yet.

    Lastly, watch the retarded comments. You don't know me, you don't know my history, you don't know my family so watch the mouth.
  11. Mindgrinder

    Mindgrinder Karma Pirate Ninja|RIP 12-25-2017

    Guess this makes us "peers".
    Wasn't a personal attack with the retard comment....simply my opinion of people who think their ISP or Gov is not paying attention. Copyright is mind-control and this is exactly the reason they will use to criminalize crypt and .tor.

    See 5:33 of the vid.

    “The technotronic era involves the gradual appearance of a more controlled society. Such a society would be dominated by an elite, unrestrained by traditional values. Soon it will be possible to assert almost continuous surveillance over every citizen and maintain up-to-date complete files containing even the most personal information about the citizen. These files will be subject to instantaneous retrieval by the authorities. ”

    It's all aboot control. UNITED NATIONS CONTROL of the internet.
    In the name of Copyright they will track/log/decrypt/ eveything you try to transmit PRIVATELY to ANYWHERE in the world.
    To think well....maybe "childish".
  12. Mindgrinder

    Mindgrinder Karma Pirate Ninja|RIP 12-25-2017

    Sure it isn't.
    My local.
    Burnaby company’s D-Wave quantum computer attracts NASA, Google

    "The collaboration, which also involves the Universities Space Research Association, is D-Wave’s second customer. The first, in 2011, was Lockheed Martin. The value of the new deal was not disclosed."

    Chinese supercomputer declared world's fastest - Technology & Science - CBC News

    Chinese 'supercomputer' named world's fastest | CTV News

    This stuff is probably 20 years old.
  13. PapaGrune

    PapaGrune Inside the firestorm

    Tor is out there. Nothing new. As with most thing care must be used with using. You can use on the windows side or Linux side. I use it on Durbin Linux. It does not mean you can not get virus or malware. Stuff on there you can not find regular Internet. People sell things that will get you in trouble with all those instils only people in the g*o*v*
survivalmonkey SSL seal warrant canary