The rumors of our demise

The security community lives on papers that analyze attacks on security tools. Although these are called “attack papers,” they are usually written by people who are trying to help and refine the object of the research.

When an attack paper is published, documenting an attack on the Tor network, it’s often with our knowledge. The authors consult with us for inside info. But invariably, someone on Slashdot or other blogs will skim the paper and say “OMG, Tor is broken!”

Using Tor is relatively safe. If there were a published way to attack the network that we thought made it less safe to use Tor, we’d tell you first — since, so far, the authors of every genuinely new vulnerability have told us before their work hit the web. We announce security patches and other issues on or-announce@freehaven.net.

The UColorado/Boulder technical paper is an example of the evolving research in anonymity. Refining well-known attacks from several years ago, the researchers better documented how an attack on the network might look and behave. They combined a bandwidth overstatement attack with a correlation attack.

They consulted with us on the project. We are aware of these kinds of potential attacks — but such a bandwidth overstatement attack, to be successful, would leave fingerprints all over the Tor directories. We have never seen such an attack “in the wild,” and we do not think this paper makes such an attack any easier or more likely than it was a few years ago, when another version of it was documented.
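One way to look for the directory “fingerprints” mentioned above, as an added defender-side example (not Tor Project code): it groups recently arrived relays by /16 network and flags groups whose self-reported bandwidth claims a large share of the network. The record fields, sample relays and thresholds are constructed assumptions, not Tor's directory format.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Relay:
    nickname: str
    address: str
    advertised_kbps: int  # self-reported by the relay, not verified
    uptime_hours: int     # self-reported by the relay, not verified


# Constructed directory snapshot: hypothetical relays on private addresses.
SAMPLE = [
    Relay("oak", "10.1.0.5", 1500, 4000),
    Relay("ash", "10.2.0.7", 1000, 2200),
    Relay("fir", "10.3.0.9", 800, 900),
    Relay("yew", "10.4.0.2", 700, 1500),
    Relay("elm", "10.5.0.4", 500, 48),    # new, but small and alone
    Relay("bay", "10.6.0.8", 500, 600),
    Relay("x1", "10.9.0.1", 2000, 20),    # three new relays, one /16,
    Relay("x2", "10.9.0.2", 2000, 22),    # each claiming more bandwidth
    Relay("x3", "10.9.1.3", 1000, 18),    # than most established relays
]


def selection_share(relays):
    """Fraction of bandwidth-weighted selection each relay would attract."""
    total = sum(r.advertised_kbps for r in relays)
    return {r.nickname: r.advertised_kbps / total for r in relays}


def suspicious_groups(relays, max_uptime_hours=72, min_share=0.10):
    """Flag groups of young relays in one /16 that claim a large share.

    Thresholds are illustrative assumptions. A single new relay is never
    flagged on its own; the signal is several new relays that share a
    network and together attract a large part of the traffic.
    """
    total = sum(r.advertised_kbps for r in relays)
    groups = defaultdict(list)
    for r in relays:
        if r.uptime_hours <= max_uptime_hours:
            prefix = str(ip_network(f"{r.address}/16", strict=False))
            groups[prefix].append(r)

    findings = []
    for prefix, members in groups.items():
        share = sum(m.advertised_kbps for m in members) / total
        if len(members) >= 2 and share >= min_share:
            findings.append({
                "prefix": prefix,
                "relays": sorted(m.nickname for m in members),
                "share": share,
                # Simplified model: entry and exit are each drawn
                # independently in proportion to advertised bandwidth, so
                # the group holds both ends of a circuit with probability
                # share squared.
                "both_ends": share ** 2,
            })
    return sorted(findings, key=lambda f: f["share"], reverse=True)


if __name__ == "__main__":
    for finding in suspicious_groups(SAMPLE):
        print(
            f"{finding['prefix']}: {', '.join(finding['relays'])} "
            f"claim {finding['share']:.0%} of advertised bandwidth "
            f"(both ends of a circuit: {finding['both_ends']:.0%})"
        )
```
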

The authors of the new paper have published a FAQ addressing how users should think about their research — they expressed their surprise and regrets at the uproar.
It says in part:

Q0. Most importantly, should we stop using Tor?

A0. ABSOLUTELY NOT! Despite our findings, Tor is the most secure and usable privacy enhancing system available. We believe that the system is safe for end-users, however, the system is experimental and the developers make no guarantees about the degree of privacy that it can provide. Let us re-iterate: Concerned users should NOT stop using Tor.

No internet security is 100%. Tor is not perfect — we’re constantly refining it, in a context of a hugely supportive community of researchers. But we believe we are still the best low-latency (i.e. allowing web surfing, not just transferring a file every few hours) anonymity/privacy one can have online without crossing a line of civility. Your only better option is to buy into a botnet, steal an identity, or participate in some other crime with a victim.

We are currently seeking funding that should help us close these vulnerabilities in Tor (and if you would like to donate or fund Tor development, please contact me!). We have plans to close the bandwidth overstatement vulnerability in the coming months. In the meantime, we watch for attacks on the network, and work to be transparent in our operations.

We appreciate that people care about Tor. If in the future you are worried about some issue in Tor, please feel free to contact us directly. If you read speculation about Tor, please encourage the bloggers to check with us — we’re very blogger friendly, and part of our purpose is to protect bloggers where blogging isn’t safe.

Imagine this scenario — a very small risk documented in a technical paper gets sensationalized in the blogosphere. Some number of dissidents and bloggers in places such as China abandon Tor. As a result, they might be arrested, jailed, or disappeared.

Blogstorms can have real world consequences. Please ponder before you write, critically examine what you read, and ask us for updates.

143 Comments »

  1. Tor Open To Attack - an.alogo.us

    February 26, 2007 @ 9:31 pm

    […] UPDATE 2/26/2007 18:29:50 MST: See the official tor response (link courtesy of Shava Nerad) “The essential avenue of attack is that Tor doesn’t verify claims of uptime or bandwidth, allowing an attacker to advertise more than it need deliver, and thus draw traffic. If the attacker controls the entry and exit node and has decent clocks, then the attacker can link these together and trace someone through the network.” 2 Replies […]

  2. …My heart’s in Accra » Don’t stop using Tor.

    February 27, 2007 @ 6:16 pm

    […] The good news is that this isn’t happening. To quote from the Tor developers’ blog: We are aware of these kinds of potential attacks — but such a bandwidth overstatement attack, to be successful, would leave fingerprints all over the Tor directories. We have never seen such an attack “in the wild,” and we think it no more likely that this paper would make such an attack easier or more likely than it was a few years ago when another version of it was documented. […]

  3. Dick Helms

    February 27, 2007 @ 6:35 pm

    Tor Users:

    Did you know Tor was openly created by the NSA (and promoted by the EFF)?

    Did you know Tor is NSA spyware, created by spooks, just like Freenet?

    Did you know there are spooks all over the web spying on you?

    Did you know 911 was a Bush crime family operation?

    Did you know 911 was a controlled-demolition?

    Wake up and research it yourself:

    http://stj911.org

    Dick Helms
    Langley, VA

  4. anonymous

    February 27, 2007 @ 7:09 pm

    um. Do you know that Tor was openly designed by the Naval Research Lab, who sent it out into the world as open source?

    Do you know that, as open source, Tor can’t have any backdoors, because there are thousands of programmers all over the world who look at the code and understand it?

    My goodness. I suppose it must keep you entertained. I can’t speak to the rest of the claims, since I haven’t done conclusive research. :) However, a search of stj911 shows that they make no commentary at all on Tor.

    But good lord, if I had those opinions, I wouldn’t choose to live in Langley. Doesn’t it make you extra uncomfortable?

    Shava Nerad
    executive director
    The Tor Project

  5. chucksheen

    March 3, 2007 @ 2:14 am

    Truth911.net
    911Files.net
    911Blogger.com
    UniversalSeed.org

    Thanks Tor, TorPark and Torrify. I love Tor and I’m so grateful. I am also elated by the fact that Tor is OPEN-SOURCE.

  6. japadamus.com » Tor vulnerable?

    March 3, 2007 @ 11:07 pm

    […] Last week the Tor development community published their response on a blog.  My personal opinion of their response is that they fail to really address the issue today through a software patch or a quick and dirty work around.  I almost think that their assertion that they haven’t seen the attack carried out “in the wild” really doesn’t disprove the argument that such an attack is possible or already being carried out. Furthermore, by stating that these vulnerabilities have been well known for some time before the paper was published seems to reinforce my belief that they seem to want to dampen the problem. […]

  7. Elmar Schraml

    March 5, 2007 @ 10:00 am

    The possibility of such attacks has been known for a while. It is simply a trade-off of choosing to have a network that optimizes data flow for maximum performance. The practicality of such attacks remains debatable.

    If you are worried about such attacks, you could check out JAP at http://anon.inf.tu-dresden.de/index_en.html. It uses the same core technology, but uses only predefined routes over servers that are known to and certified by the developer team. Which means that you get the same kind of anonymization, but are safe from the kind of attack discussed here.

    (Disclosure: I am one of the main developers of JAP, so you might consider this post blatant self-promotion)

  8. Tor User

    March 6, 2007 @ 1:44 am

    Ahh Elmar… After checking out your site I was disturbed by a couple things, the first being the lame alarming news title on your site.

    “Attacks on Tor - JAP remains secure While using similar technology, the recently published attacks on Tor do not affect JAP due to its fundamentally different architecture. (05.03.2007) ”

    Uhh, I think it’s been pretty well beaten by not only the Tor development team and many other technical sources that no “Attacks” have taken place. The published materials on both were announcements of “Potential” attacks that could take place. Maybe that’s why you lack the funding, because you lie to attempt to panic people who use other systems into using yours… Notice I said maybe showing that I am not saying you are, just that it’s a possibility.

    I also was extremely disturbed by a lack of information about any potential vulnerabilities to your system… You know the kind privoxy takes care of… Does your service wash DNS requests or do those still go out with your original IP? Not only did the developers of tor publish the potential (full disclosure) they fixed it!!! Do I really have to download your source and see if I can find any backdoors in it? Who’s your global development team? Oh yeah, and 5 whole server nodes… Wow, bet that’s a cranking connection… 100 users is ranked as high server load, good thing you only have 4 on right now. A final thought, being as how many users of these networks are afraid of various gov agencies I can’t help but notice that your project is developed in Germany by an educational institution. No offence, but I don’t really trust any servers you trust, no matter how “well” you know them. In reading this back I realize I kind of sound like a fan boy… Yes, tor has a couple vulnerabilities but at least they tell us openly exactly what they are and how they could work. I will check back in a couple months to see your 404 error when your project fails from lack of funding… Sincerely APP (Another Paranoid Person)

  9. Anonymous Living » Blog Archive » Hacker outlines how to expose Tor-users

    March 7, 2007 @ 4:15 am

    […] A technical paper released in February by UColorado/Boulder outlines how to attack Tor using a few evil servers. A spokesperson for the Tor-project was quick to respond, saying that they are aware of the problem and that nothing indicates that such an attack has been launched “in the wild” yet. Yesterday “respectable” publication ZDNet reported that “Hacker builds tracking system to nab Tor pedophiles”. Such tracking has nothing to do with nabbing pedophiles and everything to do with compromising the security of the entire Tor-network and all its users. So this article should be very alarming. […]

  10. Anonymous Living

    March 7, 2007 @ 4:15 am

    Hacker outlines how to expose Tor-users…

    A technical paper released in February by UColorado/Boulder outlines how to attack Tor using a few evil servers. A spokesperson for the Tor-project was quick to respond, saying that they are aware of the problem and that nothing indicates that su…

  11. eee

    March 8, 2007 @ 3:09 pm

    Long live TOR! Currently our only hope for survival in, what most of us call home, cyber space.

  12. Tor User

    March 8, 2007 @ 6:09 pm

    “über-hacker HD Moore is building a tracking system capable of pinpointing specific workstations”

    Not “Builds”, “Building” which will require

    “Moore said the plan is to release the source code, which will allow anyone to run a patched Tor server to help pinpoint pedophiles online.”

    “1. Run a patched TOR server. The patches embed a Ruby interpreter into the TOR connection engine and allow arbitrary Ruby scripts to process data before sending it back to the client.”

    “…inject a little extra HTML code into the response going back to the Web browser. This HTML code would connect to my decloaking engine.”

    See? It still isn’t finished and even when it is it will require users to use a patched version of tor. He will release the source so I’m sure the tor developers can work around this before it becomes a “privacy problem”

    The real problem with this article is that even though it is well meaning to introduce a system to catch pedophiles and Moore claims it will only respond to “keywords” before his “decloaking” protocol kicks in, it is still just as available to abuse by whoever wants to use the technology. Tor developers say they are working on the fix for the next version and for now Moore doesn’t have his code complete to even begin his distributed network but it’s not too long before he does and there are RIAA or MPAA or Commercial servers all hosting super high speed tor servers and all of them checking all the data that goes through them for “keywords”

  13. TrueJapper

    March 13, 2007 @ 7:43 pm

    I find it almost amusing that “Tor User” bad-mouths JAP because it was developed in Germany.
    The US is a country which condones TORTURE for crying out loud.
    A country where the Supreme Court has already decided that even legal residents here are not protected by the Bill of Rights, forget about illegals or foreigners living overseas.
    The US is a country where Sneak & Peek searches w/o judicial approval are by now commonplace (143000 during the last few years alone).
    Simple FBI letters of approval are all that is by now required and you as the target won’t even find out EVER!
    Now they even use “letters of inquiry” which each FBI agent can just write up on his own.
    Your ISP is forbidden by US law to tell you about it.

    In Germany on the other hand the people developing JAP have already taken their case to the highest court and WON.
    Yes, in Germany the Supreme Court has already decided that no entity participating in JAP can be forced to hand over user information to law enforcement or the intelligence services.

    By now I find it extremely(!) tiring to listen to US arrogance when it comes to freedom of speech or civil liberties.
    Just a few days ago American soldiers threatened journalists in Afghanistan into deleting videos they had taken of an American assault on civilians.

    And you try to make us believe they haven’t already infiltrated Tor back, front and center?!?!
    Yeah, right….

  14. anonymous

    March 14, 2007 @ 2:20 am

    Well, you can ask the JAP crew in Germany about whether there are back doors built into Tor — I suspect they are very familiar with our code, which is open source, and it’s a bit hard to hide back doors under those circumstances.

    Although I understand that you are not happy with everything that happens with the US, most people will readily admit that there is nowhere in the world untouched by government interference, really. Saying that the US is not perfect doesn’t negate the possibility that Germany may have or have had faults related to such things.

    Academic institutions in Germany are not immune to government interference, and whatever the US military is doing, they are not interfering with our project any more than Germany is, to our knowledge.

  16. TrueJapper

    March 14, 2007 @ 10:22 am

    Mr. anonymous, even if it hurts your American ego, there are still countries in this world where might does not make right and where Supreme Courts are not just lickspittles of the power mongers.

    And yes in Germany academic institutions *are* immune from Government interference.
    IT’S THE LAW OVER THERE, and opposite to the US, most folks in Europe still give a damn about the law - instead of trying to run everyone off campus who just dares to say the words “Charles Darwin”, “Vietnam” or “Iraq” (like in the US).

    And please spare us this nonsense about the supposed infallibility of open source.
    I’m a professional programmer myself and I could hide a back door in my sources in plain sight and no ordinary software monkey could find it.

    It’s a well-known methodology to hide code in plain sight, dating all the way back to the days of BASIC, where companies used that for copy protection purposes.
    I did it myself many times and no one ever caught on to it.
    You would need to debug such a code line by line (good luck with hundreds of thousands of code lines) to get behind it and that still does not even account for “compromised code”, distributed through 3rd party channels.

    The inherent weakness of your TOR system is its supposedly strongest point.
    The anonymous nature of the node participants.
    As far as I know 99% of your traffic might be routed straight through the CIA’s server rooms (which are not all in Langley - I should know as I worked next to some of them).

  17. anonymous

    March 14, 2007 @ 11:22 am

    I understand that you have never looked at Tor’s source (or the About page — my name is Shava Nerad, I’m not really anonymous, I’m the executive director of the Tor Project, and quite female). Tor’s source is small, and the code has been pretty rigorously reviewed by a lot of extraordinary software monkeys…:)

    Actually, JAP has had problems with government interference. Their code ensures anonymity only if multiple operators are not compelled to comply with legal authorities (as they were, by court order, to insert this code).

    As a result, I understand, they moved their servers to separate jurisdictions to deter such a situation in the future, but I’m not sure what current EU laws around law enforcement cooperation and data retention will do to their situation. Certainly, were I in Europe now, I would be working hard on data retention resistance.

    Perhaps as a presumably interested German, you should work with JAP to solidify their legal position? I understand they have had some success in court establishing that the original court order requiring the code insert was improper.

    The JAP group says this code is not a back door because it requires recompiling and is not compiled in by default, and it is in compliance with their threat model. Unfortunately, not everyone believes them when they say they are not back-doored. This is a business of delicate trust models, as well as fluid threat models.

    I don’t expect that I’m going to change any of your opinions. It’s a free world, at least in this sense: if you don’t enjoy Tor, don’t use it.

    I do encourage you to rigorously research *any* security or privacy solution you choose to use.

    Lastly, please don’t blame every act of the American government on all Americans. Every country in the world has had periods that have not reflected well on their contributions to history, and as an American I regret this is our turn. I would especially not confer blame on those people working to keep government and corporate interests transparent, and free speech and free participation safe.

    You may not believe it, but I suspect we are on the same side.

  18. NoBody

    March 14, 2007 @ 2:58 pm

    Hey Dick Helms,
    You know you’re full of crap??

  19. Nick M

    March 14, 2007 @ 3:28 pm

    Dick Helms: I feel a little bit like Sting did in the 80s when Jerry Falwell said something like “This song, ‘Murder by Numbers’ was written by Lucifer, and performed by the sons of the devil!” Sting’s reply was, “Look, _I_ wrote the song, all right?”

    Look, Roger and I wrote the code, all right? :)

    TrueJapper: the AN.ON developers that I know are good, decent people. We don’t agree with all of their technical choices, and they don’t agree with all of our technical choices. This doesn’t mean that either they or we are necessarily a bunch of idiots–this anonymity stuff is tricky to get right. The open questions in architecting anonymity nets won’t be settled by having all the users go fight with each other, though, any more than 20th century physics was decided in a fist-fight between Einstein and Heisenberg. Instead, we do research, and they do research, and lots of other people do research, and hopefully we all arrive at interesting results that make everybody’s project better.

  20. TrueJapper

    March 14, 2007 @ 3:53 pm

    Ms. Shava Nerad there is surely something to be said about lack of intellectual honesty here.
    That link of yours is dated 2003-08-21.
    And in another link I found this comment: “The ICPP has immediately made use of the formal measure of appeal from the decision.”
    At the end of that process was exactly that German Supreme Court decision I was talking about.

    I do not claim that JAP is 100% safe from government interference.
    But while I’m listening to Senator Orrin Hatch screaming his lungs out about traitors and terrorists in the US, I know that in Germany you still need at least a court order to get access to such information.
    No German police officer or secret service agent can just write his own search warrant, like it has been done in the US already over 143000 times !!!

    Over 143,000 “security letters” and “letter of request & approval” and all it takes is someone claiming National Security Interest.
    And one can only imagine what will happen if these wars will go on for a few more years.
    No server, I repeat NO SERVER within reach of US government authorities can be considered safe as long this silly terrorist hysteria is going on.

    And for crying out loud, infidelity is still considered a felony in Illinois, as is anal penetration in Texas.
    One can only imagine the 1000 + 1 reasons US law enforcement can come up with for “sneak & peek” searches and you’ll never find out, because your ISP will never, ever be allowed to tell you about it.

  21. TorUser

    March 14, 2007 @ 4:01 pm

    “And yes in Germany academic institutions *are* immune from Government interference.”

    Really?! Explain the backdoor inserted into JAP at the demand of the German Government.

  22. TrueJapper

    March 14, 2007 @ 4:05 pm

    And Nick, my issue is not so much with the Tor team.
    It’s just that in an age of US patriotic hysteria (which is really difficult for most Europeans to appreciate), coupled with utter lawlessness when it comes to controlling government access to private user data, ANY server within the reach of US law enforcement could just as well be located in North Korea for all purposes.
    Just the other day I read a report about the FBI’s online data mining activities during the last 3 years and the numbers there were just mind blowing.
    George Orwell had nothing on these folks, nothing at all.

    So that is why I inherently distrust anonymous node routes, as I would never, ever conduct compromising political or social activities over a US server.
    As I wrote earlier, in the US they still prosecute people (adults!) for infidelity and/or anal intercourse.
    Just as they have already jailed 65+ year old grannies for protesting against the war in Iraq.

  23. TorUser

    March 14, 2007 @ 4:11 pm

    The Tor attacks highlighted by the University of Colorado paper are unrelated to the developing attacks from HD Moore. Just because they both use the word “attack” does not mean they are related. Even dumb Americans and Germans can understand this fact. Correlation does not imply causation (cum hoc ergo propter hoc).

    Tor is under active attack. This is good. The network will be stronger in the end. JAP is under active avoidance by users who care about anonymity. This is bad as the network will fail.

    As Tor states on every start up:
    “This is experimental software. Do not rely on it for strong anonymity.”

    Tor vs. JAP is a silly war to start. Perhaps if you two communities work together, you’ll develop better software to defeat the First World Fascism coming online.

    Until then, we’re watching you,

    Love,
    Your local Government spy agency

  24. Nick M

    March 14, 2007 @ 5:05 pm

    TrueJapper: I agree that the US is not respectful of privacy rights at the moment. In fact, you’d be hard-pressed to find anyone who will disagree with that. Fortunately, we have lots of Tor servers in Europe, or wherever it is that you think government can most be trusted. My personal opinion is that it’s a bad idea to trust any government to respect privacy in the long run, but I’m better at software than politics, so there’s not much reason to listen to me.

    Also, it’s not seized servers and search warrants you need to worry about: in systems that do PFS (including Tor and, I hope, AN.ON), a compromised server can’t compromise previous communications. What you ought to be worried about is servers being eavesdropped upon (which can lead to end-to-end timing attacks), attacks where servers are compromised, and attacks on misconfigured browsers.

    And it’s also not local “blue laws” you should be worried about: local law enforcement doesn’t have the resources IMO to do a successful attack against a properly configured Tor user, and national enforcement agencies really don’t care about whether it’s illegal to sell vibrators in Mississippi. It’s national agencies doing eavesdropping with no warrants (or inadequate warrants) that you should be concerned about. Honestly, if you’re up to something naughty enough to attract serious attention from the likes of the NSA, I’d be quite surprised if any low-latency anonymity system could help.

    Tangentially, wasn’t the anal sex thing ruled unconstitutional by the US Supreme Court’s decision in Lawrence v Texas? Those laws were struck down on 2003-6-26.

    TorUser: Well, I believe JAP has a lot of users too, unless I’m quite mistaken. I think that the fact that Tor’s getting more attention from the research community these days is probably because we’ve got a published up-to-date byte-level specification, so it’s easy for people who want to write papers about Tor to speak authoritatively about what Tor actually does. There’s also a self-reinforcing effect here: Tor gets more attention from security researchers because Tor _has_ more attention among security researchers, and security researchers want to impress other security researchers, so they aim for where the attention is. Obviously, I’d like for Tor to _remain_ the Hot Thing Of The Moment, but I don’t want to confuse being an attractive target with actual technical quality. It’s the technical quality we should really try to maintain.

  25. guest

    March 15, 2007 @ 4:26 am

    I myself use tor for privacy, but HD Moore’s attack raises a little doubt
    on one’s privacy, whatsoever, I like tor and will use tor no matter what.
    Moore’s attack will help the TOR community and developers to come
    up with some solution which can bypass the attack.
    Last but not the least, one small question.
    Will using TOR with Hamachi client bypass the attack?
    Hamachi claims that no one not even them can find what is passing through
    the VPN tunnel (don’t know whether it is true to what extent).

  26. Middle East

    March 15, 2007 @ 10:31 am

    Anonymous ..!
    Whatever system, it first has to be available and workable .. agreed
    I used JAP and TOR, while my personal preference is TOR; you can agree or disagree.. freedom of choice :-)

    But wouldn’t the most important thing be the availability of it…. for those US and Germans who might not be aware of it, TOR and JAP have been successfully blocked by UAE government (Etisalat ISP) since the past week. I haven’t myself performed the detailed debugging but in general it looks like they have managed to block the tor/jap client or server (tor) from getting the list of servers for the handshaking/communication. So in general there is no anonymity since then.. and don’t you think this can also be implemented in the US and Germany??? ha ha . just to ponder. Any genius out there that can give a god solution.. I mean a good anonymous one.. don’t ask me to use a VPN to another country ..

  27. Nick M

    March 15, 2007 @ 11:25 am

    Middle East: A few people have reported this. It doesn’t look like UAE is doing anything terribly clever here, so the workaround shouldn’t be too hard, although there are a lot of details to get right so they don’t turn around and tweak their firewall again. No guarantees, but I think we might manage to get an initial version of the circumvention code working in the next few months.

  28. TrueJapper

    March 17, 2007 @ 11:53 am

    TorUser:
    >Tor is under active attack. This is good.
    >JAP is under active avoidance by users who care about anonymity.

    Not sure what you have been smoking lately, but it must be some heavy Republican smoke.
    Your “attack is good for u” statement reminds me of Newt Gingrich telling his fan crowd on Fox TV:
    “Those who speak up against the war should feel a chill of fear running down their spine (as they give aid & comfort to the enemy in doing so)”

    Jap is being actively developed by people who cannot be pressured into pro-Government views by a lawless “law enforcement apparatus”, in a country where *all* people are protected by the constitution and the only thing that changed is that they will now have to charge for high speed access.
    High speed only mind you - because even in Germany money is tight these days for public Universities.
    But even the worst one of them still offers a largely free education which can trump American public ones any time of the year.
    I know, because I’ve seen both.

    And work together? I’ll stop using Jap the very day it starts to >work together
    >Also, it’s not seized servers and search warrants you need to worry about…
    >enforcement agencies really don’t care about whether it’s illegal to sell vibrators in Mississippi…
    >if you’re up to something naughty enough to attract serious attention from the likes of the NSA,…
    >Those laws were struck down on 2003-6-26….

    Unless you show me a better form of government, proper(!) judicial oversight is still the only way how to protect us from government excesses.
    The very day Americans agreed to that infamous Patriot Act provision which allowed for warrantless “sneak & peek” searches, they signed away all other rights, too.
    Combined with the fact that people proven innocent by now (including people from Germany) have been imprisoned & tortured in the CIA’s Gulag system for just having the wrong name or visiting the wrong neighborhood, I’d say the US is the last place by now fit to lecture others about civil liberties.
    By the way, I have NO problem with law enforcement using every tool available to hunt down real criminals.
    Let them sneak & peek all they want. What I do despise is if they do it not because they have “probable cause” a crime has been committed.
    But when they do it to pre-empt something I might do, because I just sound so suspicious, or my racial background makes them nervous or my political views don’t fit theirs. To prevent that, that is what judges and search warrants are for - and in the US they don’t need either any more.

    And those archaic laws, criminalizing everything from infidelity, to anal sex to urinating in public (taking a leak by the roadside can indeed get you on the sex offender list for life in many states) have indeed been ruled unconstitutional in some cases.
    That was *after* those victims had spent years in the legal system and all their money on their defense.
    Indeed, one DA said afterwards “Yes, we know those laws are problematic, but we want to keep them so if we can not prosecute him for another crime, we still have some other leverage over him”.
    And yes, local law enforcement already did request data from the FBI’s Carnivore program for their local purposes.
    And once all that mined data has been centralized it’s only a question of time until even family court can tell you exactly when you last visited the Hustler’s website.

    And don’t even get me started how little it takes these days to get the FBI, NSA or CIA up your behind. Been there, done that…

    And to ANYONE living in one of those US sponsored dictatorships like Pakistan, Saudi Arabia or UAE…
    FOR HEAVEN’S SAKE DON’T USE ANY US SERVER TO HIDE YOUR IDENTITY!!!

    The CIA & FBI render help to those “allies in the war on terror” on a regular basis, which they in turn then use all too often to hunt down people demanding human rights for women or the right to vote or the right to freedom of thought or….
    There are tons of documented cases where US government agencies have helped those regimes to track down their opponents on the Internet.

    Inviting people from those countries to use a service like Tor is like signing their death warrant.

    Europe still has the rule of law, Europeans don’t torture, they don’t start pre-emptive wars and most important of all THEY DO NOT HAVE A PATRIOT ACT!
    Look for Anonymizers based in Germany, Netherlands, Sweden or Spain.
    France might be tricky if you live there, as the French might not pass your information on, but their government does claim the right to access all encrypted communications (same goes for the UK, but they are not to be trusted anyways since they are “on call” to the US government 24/7).
    Switzerland should be perfect, but the Swiss are not a big fan of “free services”.
    Whatever you do, make sure your information is not routed via a US network.

    Because even if they do not have your start & end point, unless you got super-strong encryption built into your system, stronger than all the servers located in those secret vaults in Plano, they can (& will) still capture your traffic and track you down that way.
    By some (serious) estimates 99.9% of all e-mail traffic in the US and routed through the US is by now sent through US government filters & triggers.

    And it doesn’t take that much to end up on a US “no fly list” or have your plane forced to land in the US once you’re on it.
    I’m not making this up, people did get blacklisted in the US already for just speaking up in the wrong forum and planes not even bound for America were forced to land here because the CIA (wrongly) assumed there to be a “bad guy” aboard.

    And before anyone here claims “but Tor servers do use encryption”, I have to reply:
    yeah, that is what they tell you and you just trust that. if I don’t know who runs that server, then I don’t know what happens with my traffic on it.

  29. anonymous

    March 17, 2007 @ 1:18 pm

    TrueJapper — it seems to me that you are a troll.

    You are a true japper, yet you’re connecting to the blog via an open connection from Road Runner in Herndon, VA. You are obviously not terribly concerned about the issues on a personal basis.

    If you are so concerned about US security services, why do you send your own data across US networks in Herndon of all places?

    Please stop trolling.

  30. TrueJapper

    March 17, 2007 @ 2:18 pm

    anonymous - I wish you good luck trying to track me down via that connection.
    You’re gonna need it. Other than that, you of course have the liberty to simply denounce anyone trying to stand up for a really safe approach to anonymity and against the myth of “only a US system can guarantee liberty” as a troll.

    Not that it has anything to do with anything and it most certainly doesn’t validate the bad mouthing of JAP or other non-US based anonymity systems, which happen on a routine basis both in this BLOG and on other US based ones.

    JAP & other non-US based systems are at least as secure as Tor *and* have the added advantage that in countries like Canada, Germany, Sweden and so on, they at least still need a Judge & Jury before they can send you off to the Executioner.

  31. Tor User The 1St

    March 18, 2007 @ 4:25 am

    Ok. First off I would like to begin by stating that I am the user named Tor User not TorUser who has ripped off my name and continued to fight under it while I was away for a week. Although I agree with the majority of what they said and thank them for trying I do not agree with the format in which they handled it. Sadly I have lots more to respond to than I had ever imagined. First of all.

    Jappy- Back to your first Comment
    “I find it almost amusing that “Tor User” bad mouthes JAP because it was developed in Germany.”

    If you actually read my comment rather than just look for stuff to whine about you would notice that I bad mouthed JAP because they LIE!!! They simply placed lies on their main site to bad mouth Tor’s security and more importantly they state that there is no possible weakness with their system and that it is somehow (magically I suppose) impervious to attacks because they “Know” the server admins. Guess what, I don’t know the server admins and obviously I don’t know the developers of JAP so why in hell should that be reason enough for me to trust them? As I stated previously as well, the reason I trust Tor is because from the beginning they are honest and point out their own weaknesses not only to inform their users but to open the gates to fixing the errors (A really nice feature about open source). The poke at Germany was actually added because of the fact that Germany is the ONLY country to arrest innocent Tor server operators (Based in Germany of course) under the guise that somehow they were responsible for accessing Pedo sites. Where’s the super government structure that prevented those agents from hauling those people out, throwing them on the ground and arresting them?

    “The US is a country which condones TORTURE for crying out loud.”

    I knew things were going downhill when I got here. I don’t recall ANY political figure “condoning” torture in this entire country. If you have ANY evidence of this I would be happy to read it and will even apologize because that is the kind of person I am (A dying breed that’s for sure)

    “…even legal residents here are not protected by the Bill of Rights….”

    Ha I noticed you made a terrible mistake and admitted you are just another off the handle liberal nutcase IN THE US!!! I don’t know where you people get your ideas but some of them are way out there (Notice I said some and not all because once again I am one of “those” kind of people who actually listen to what people say if it has some basis in reality and although I am a “liberal” in many ways it actually breaks my heart to be associated with people like you.)

    Moving on to your next post

    “And yes in Germany academic institutions *are* immune from Goverment interference.
    ITS THE LAW OVER THERE”
    Ahh another slip up, “Over there” Also NO person in the world is “immune” from any Government’s (not Goverment plaese laern to splel Prob a younger person but maybe just uneducated, not that there is anything wrong with that.) interference. Hello, there are spies and agents from almost every country in the world in almost every other country in the world. Even the 3rd world ones. The governments of the world are VERY interested in other people’s affairs, not only their own.

    “good luck with hundreds of thousands of code lines”

    I can’t actually believe that you are a professional programmer because true “professional” programmers get honest pleasure out of reading thousands of lines of code. We like to see how software works through and through, and in order to understand code you do usually need to explore all of it. Not to mention we are always looking for interesting ideas and concepts and implementations that we can use on projects we are working on.

    “instead of trying to run everyone off campus who just dares to say the words “Charles Darwin”, “Vietnam” or “Iraq” (like in the US).”

    You must be from the south because up heah in the north the only people who get run out of campuses are the whole 5 students that are conservative out of 10000 liberal students and entire staff of schools that only teach liberal doctrines. Honestly I have never even heard of a school that doesn’t fully and completely teach Darwinism, Vietnam and even Iraq.

    “that still does not even account for “compromised code”, distributed through 3rd party channels.”

    Ok, show of votes, how many people are actually insane enough to download Tor from anywhere other than EFF?

    “I know that in Germany you still need at least a court order to get access to such information.”

    Come ON, how can you be so off the wall paranoid about America’s spying but be so ignorant about accessing information. Do you really think that court orders make you safe? In that case only the US should need Tor since apparently no other country in the world spies on its network traffic (Especially not China…)

    “No server, I repeat NO SERVER within reach of US government authorities can be considered safe as long this silly terrorist hysteria is going on.”

    Uhh another really obvious fact. NO COMPUTER, I REPEAT NO COMPUTER IN THE ENTIRE WORLD is safe from not only governments( including but not limited to the US ) but also just smart hackers. A single hacker anywhere in the world can gain access to any computer anywhere in the world if he has the right tools, technology and intelligence. It has absolutely nothing to do with the US or terrorist activity, In fact the servers are the highest risk since they are the ones allowing their IPs to display “your” activity, making them attack step number 1 in finding you.

    “And for crying out loud, infidelity is still considered a felony in Illinois, as is anal penetration in Texas.”

    You gotta be kidding right? Only fanboys who are losing very very bad would bring up something so completely unrelated and unimportant to try and make a point that can’t be made…

    “Just as they have already jailed 65+ year old grannies for protesting against the war in Iraq.”

    Ok, this one was so out there I just had to ask. Do you have even 1 shred of evidence of this?

    “The very day Americans agreed to that infamous Patriot Act provision which allowed”

    This sadly, was not put up to vote. It was passed by Democrats and Republicans alike through all three branches of the US Gov. Much to the dismay of a majority of Americans. Very few people are willing to just offer up the right to privacy unless they are already in the government and know that it will not affect them nearly as much as the average citizen.

    “And don’t even get me started how little it takes these days to get the FBI, NSA or CIA up your behind. Been there, done that…”

    For some reason I doubt that because according to you if you had actually done that you would be locked up in a secret torture chamber for the rest of your life. Which one is the lie?

    “There are tons of documented cases where US government agencies have helped those regimes to track down their opponents on the Internet.”

    Please please please give me some documented cases. I mean I dont need to read 2000 (The definition of just 1 ton not plural) how about 100?

    “Europeans don’t torture”

    Almost every country in the world engages in torture and yes that even includes blessed Germany

    “…and planes not even bound for America were forced to land here because the CIA…”

    Ahh another slip up using the word here… I’m almost falling off of my chair now laughing.

    “And before anyone here claims “but Tor servers do use encryption”, I have to reply:yeah, that is what they tell you and you just trust that. if I don’t know who runs that server, then I don’t know what happens with my traffic on it.”

    Oh come on, Did you read one word from the Tor Documentation. Tor’s encryption is started in your server on your machine and your reply? Yeah that’s what they tell you? Yeah that’s what I saw when I read the code… Wow pro Programmer wow…

    “I wish you good luck trying to track me down via that connection. You’re gonna need it.”

    Don’t you remember? The Head of Tor development posts as anonymous sometimes and that is no doubt them. The fact that you believe the lame crap you spout is actually worth someone trying to track you down is sad. They simply looked at their logs of your IP in each post and noticed that ironically it was the same for every post. Mine is different because I use Tor! Wow, I’m sure they have noticed that as well. I am honestly amazed that Shava has tolerated you for so long and in that note, I’m sorry Shava that I have posted such a long reply but after missing this whole Convo up until now I was bugged by this person as well. Shava is right. By calling you a troll she means that you are someone just looking (aka trolling) to spout political bull and stir up trouble because it makes you feel good about yourself. Obviously Shava is way smarter than you but doesn’t have the time to dedicate to respond to all of your crap (She’s smarter than me in that way too lol) Interestingly enough, you should be thanking her because even after all the stuff you have done here she still didn’t post your IP because she knows it’s your real IP and people who you have bugged enough to try and hack you know it’s your real IP even though you deny it. (Does any troll admit their real IP has been leaked?) Obviously you do not use any system to hide your identity, even “Weak” ones… which would have protected you in this case lol… Based on all the other personal information you accidentally leaked in your writing we can all draw the following conclusions. You are young, you are not a “professional” programmer, you live in the south (Virginia as Shava pointed out) you lack ANY real data to support your claims. BTW sites like 911truth are not fact and cannot be used in any debate no matter how pretty the pictures are. You have absolutely no idea how privacy works. I’m sure you are using a Windows machine and Windows machines by their very nature leak privacy from many “Secret” points. (I still use em) No one ever said anything about JAP washing DNS requests, or any other points I raised for that matter. You can reply and pretend you are still from Germany but you used “Here” way too many times to be from any country other than USA and finally, Harvard is also a fairly liberal college based in the USA that does not condone your statements because most of them are too far out there to be supported by evidence. Now that I am done I am prepared to stand corrected on many points. Obviously not by you but maybe from Shava. I welcome your statements.

  32. edyshor

    March 18, 2007 @ 4:44 am

    awww .. i was hoping for more .. :( .. just when it became more interesting :D

  33. DA

    March 24, 2007 @ 10:36 pm

    Zzzzzzzzzzzzzzzzzzzzzz man, this shit is boring. Personally, I don’t go out of my way to be either well-known nor anonymous. And it is apparent from this entire thread that there is no foolproof way to remain anonymous. So why waste the clock ticks trying? The funniest thing I think that I read here was where some commenter takes a shot at American egos and in practically the same breath goes on to boast about what a remarkably capable coder they are … sheez. I was surprised that commenter didn’t claim to have collaborated with Al Gore on the invention of the Internet. Gimmie a break. And hey George, if the boys in the basement of Ft. George Meade, Maryland bring you this ditty for review … fuck you and the horse you rode in on.

    DA

  34. TOR user

    March 27, 2007 @ 1:13 am

    Do you know that one:
    http://www.packetstormsecurity.org/0610-advisories/Practical_Onion_Hacking.pdf

    What do you think about it?

  35. Tor User The 1St

    March 29, 2007 @ 4:12 pm

    I am glad you posted this because it is a real problem. Before I go any further I want to reiterate a point I brought up before and that is the issue I have with JAP, which also suffers from this weakness, as does almost any proxy service, is that JAP does not practice full disclosure. They claim that they are 100% secure and Tor isn’t at all and has been hacked which is just simple fan boy lies to plug their product.

    The reason this article is important but not a shock is that the Tor read me already covers this. I for example run Firefox with a few plug ins

    Adblock, which lets me block all kinds of sites and wild cards like every directory called banners.

    NoScript - Which I recommend to everyone in the world. It blocks all javascript of every site initially and then if it is a trusted site you can allow just the main site’s javascript and still block all off site javascript.

    FlashBlock - Which initially blocks all flash, still a bit buggy and not 100% secure

    And of course the Firefox Tor Button enabling me to turn on Tor routing at a moment’s notice. Even with all these fancy things I’m still not 100% secure but I am still quite a bit more secure than say any other browser configuration and it’s fast and easy to turn off and on all those things like javascript and flash.

    I also run peer guardian with almost all blacklists as well as my own custom one. This is almost silly but can help block “Corps” like RIAA from shunting information from your computer to theirs via flash in a direct connection method which is what the article claimed was the only effective method.

    In conclusion, please read the Tor manual and don’t just jump into Tor and start bouncing around without taking some steps that the manual mentions. Any other thoughts anyone?

  36. blog.code.ae » Blog Archive » UAE blocks TOR network

    March 31, 2007 @ 9:14 am

    […] Despite rumors of the guys at TOR of stopping it, they won’t be able to utilize my tor node nor have U.A.E users anymore. I’d think we have other problems in UAE, and not just blocking network protocols. Sad. […]

  37. tor oder ein kleines bisschen anonymität @ DerEinzige

    April 2, 2007 @ 3:30 am

  38. qiuye

    April 2, 2007 @ 10:18 am

    I didn’t agree with you about “Some number of dissidents and bloggers in places such as China abandon Tor. As a result, they might be arrested, jailed, or disappeared.”
    It’s ridiculous! You were an alarmist. I am a Chinese. Nobody would be arrested, jailed, or disappeared just because of their word. It’s the FACT!

  39. John B Brown

    April 2, 2007 @ 8:43 pm

    Correct me if I am wrong. Doesn’t an “attack on TOR” really constitute an attack on an individual user’s identifying data and not at all an event easily noticed? There is no guarantee attacks have never occurred. In fact, it is impossible to prove that negative because individual security is not easy to see and the breach is not easy to detect.

  40. Name

    April 7, 2007 @ 1:38 am

    I humbly think you guys need to break the seal on that bottle of chill pills and, IF you need anonymity that bad AND you can’t trust anyone but yourselves, go to school and learn programming. Then, make the BEST ANONYMIZER YET, EVER and, for the love of God, go post in your own blogs and forums.

    Oh yes, another option is to take a double dose of chill pills and go do something real for a change.

  41. Former Tor User in UAE

    April 9, 2007 @ 7:39 am

    There are two possible attacks against Tor (and other anonymity servers): The attack of greatest concern here, from people who seem to be based in the West, is of a group like the NSA breaking the Tor anonymity, finding the identities of people expressing animus against the War on Iraq, and providing those people with free, all-expense-paid vacations in Cuba.

    Those of us in the Orient face a very different form of attack: the government tries to block all anonymizers, including Tor, JAP, and any others it knows about. Tor not only allows one to blog anonymously, it also allows one to surf sites whose positions are considered offensive by the governments: e.g., sites that do not depict the Falun Gong as a band of vicious cutthroats, sites that display Danish cartoons, sites that criticize the US invasion of the Philippines in 1898, etc., etc.

    These governments try to block all open proxies. They block all known download sites for the Tor (and JAP) clients.

    They also try to block all known Tor nodes. Anyone using Tor gets an unencrypted list of IP addresses of some current tor servers, and the typical Oriental government uses this information to block all the sites on the list.

    At first, my Tor client managed to find other sites, but eventually the government managed to block all of the default dirservers.

    The Tor client on my laptop sometimes manages to connect, using information from the cached-status directory.

    Strangely, while the Tor client on my laptop is sometimes able to connect when I am plugged into my company’s landline, it cannot connect over the wireless network, nor from my home.

    Projects like Tor are currently very valuable for those of us living in the Orient. Since the government uses overt blocking, I am currently less worried about the other kind of attack, where they ascertain the identities of those who use the anonymizer and then prosecute.

    I know there is software that identifies anyone exiting from a Tor network, because some places (e.g., Wikipedia) ban comments from Tor users.

    I do not know if there is simple software that identifies persons using Tor that could be used by these governments. Currently, I have not heard of anyone arrested just for using Tor, or even of being identified as a Tor user. The government where I live prefers to make Internet crime impossible, rather than prosecuting violators.

    I hope the Tor project continues to flourish. And I suggest encrypting the IP addresses of Tor nodes.

  42. TorUser007

    April 9, 2007 @ 8:57 pm

    @Former Tor User in the UAE. The tor coder be working on that blocking fo shiz my niz. Dem peeps totaly be all up in dat isht, col’ coding out some hizzacks in the bizzaks, ma brotha. Col’ check out dat blocking.pdf fo so’me street kicks in da brain. 4realz.

  43. Unkle Nuke

    April 12, 2007 @ 3:04 pm

    Well, all this trolling, Tor bashing, and JAP love is sure entertaining, but these statements about how the German government is so law-abiding while the U.S. government is a cesspool of deceit…

    Oh yeah? Go do a search on what the German BDA was doing with Project Rahab, just to name one incident out of many.

    Wonderful thing about trolls…they’re as ignorant as they are obnoxious.

  44. Dave

    April 12, 2007 @ 8:43 pm

    It never ceases to amaze how many people can’t recognize satire when they see it.

    I guess the poster calling themselves “Dick Helms” figured that people who are interested in privacy should know who “Dick Helms” from “Langley, VA” is - Richard Helms was the director of the CIA under Nixon.

  45. Bravais

    April 13, 2007 @ 4:29 am

    Nick, how would we in the UAE know that a new reworked JAP code is available, and more importantly get the new release, because the Dresden website is blocked by the proxy?

    Regards,

    Bravais

  46. CNC

    April 18, 2007 @ 2:04 am

    Hi,

    This is nice blog, we will get more information here.

    thank you,

    Sudhakar

  47. Former Tor User in UAE

    April 18, 2007 @ 4:39 am

    This blog has now been blocked in the UAE.

    Tor works intermittently in the UAE, but only if one can seed it with some cached statuses. I can get Tor to work on a Wintel platform sometimes, but not from a Macintosh at all.

    Without Tor, attempting to access this blog from the UAE just gives a network error (as opposed to the standard, ‘This site is blocked.’ message).

  48. Howard

    April 22, 2007 @ 12:05 am

    Superman can kick Batman’s ass.

    Long live Tor!

  49. Uncle Che

    April 22, 2007 @ 1:32 am

    I have more fear of tin pot dictators and juntas than I do of the US or European countries. Tor User for UAE has it spot on the money. Asian governments want to control information and keep people from finding out alternative viewpoints. Tor helps in that, but if they are blocking us from getting onto it, what can we do? Freedom is more important than being anonymous, but right now, some get neither.

  50. USConstitution

    April 23, 2007 @ 4:50 pm

    You want privacy? What for? Don’t you TRUST your government?

    Use TOR. Use JAP. I am a 3rd Generation American citizen. “They” know that. “They” see that my ancestors served in WWII and sacrificed their lives for our freedom and the freedom of others. When I use TOR I am confident that my use of TOR doesn’t raise a red flag to highly trained, educated, free thinking, socially conscious employees of the NSA, FBI, or other secret organization. I am not afraid of my Federal Government. After all, we have the U.S. Constitution. “We the people…”

    I don’t mind that every bill retrieved from an ATM is ordered such that even my cash spending can be tracked and monitored. “They” don’t do anything with data pertaining to me .. that data tracking is just for bad guys

    Same with TOR. Just use it big time because if you are good, no one watching will care at all ..

    Ohh .. let’s face facts and not go overboard by trying to organize and assemble. Nobody does that anymore ..

    If people started doing that .. then some TOR inventor will have to invent disguises for people’s faces and create noise/voice cancellation and acoustic scrambling technologies for public assembly halls.

    Yours truly,

    Nephew Sam

  51. papa01

    April 26, 2007 @ 12:16 pm

    You are being cited, o brethren, in Polish

    https://echelon.warszawa.pl/?q=node/315#comment-61

    So is the study paper from Colorado. BTW the attack is very thin indeed, because it simply can’t happen in reality, the folks needed to have some results in the field. It means only that TOR works, otherwise wouldn’t be studied upon on public universities.

    The Torment is cited too, with negative response. Mr.Moore aspires to some governmental job on the utmost according to the street. His Torment outfit can easily be put out of function - block javascript.

    JAP is cited too, and with positive marks, although I cannot be sure of the integrity of the code anymore, as the original project on sourceforge.net was by the end of 2006 discontinued. There are two lines of JAP by now: the open-source one (discontinued) and the new one, proprietary with additional functionalities called and marketed something like ‘anonymity on the internet’. Maybe some kluger Mensch can enlighten my humble self and explain this tortuous marketing policy, where JAP isn’t JAP anymore, but by this name stays known and used.

    I use both: JAP and TOR and both can be recommended.

  52. Ralph

    April 26, 2007 @ 1:37 pm

    Presumably any smart person or group using Tor or other security-enhancing technology would not rely on one technique, but rather would build caution into all aspects of what they are doing. For example, such a smart organization would use physical security, unobtrusive behavior and location, knowing one’s friends (and, if possible, one’s enemies), sparse communication of any kind, and all the other more or less common-sense ways to keep things private. To assume that any one methodology would provide comprehensive protection would be… well, just silly, wouldn’t it?

  53. bjak

    May 2, 2007 @ 2:02 pm

    Hi to all of you guys. Here is something that you might have a look.
    http://www.packetstormsecurity.org/0610-advisories/Practical_Onion_Hacking.pdf
    Is there any truth in it?

    Maybe this is not the place to ask but I did not find any forum about Tor. I wonder why. I2P network have a forum where newbies can ask for help.
    I have a lot of questions regarding Tor and its configuring, using and so on. Is there some kind of a specialized Tor forum?

  54. papa01

    May 7, 2007 @ 7:49 am

    Once more to the JAP quarrel: I see no clear explanation for bipath development of the JAP- project:
    1. why is the project split?
    2. where is the divorce line?
    3. how can a user choose, which one he uses, as both run on the same infrastructure?
    4. how comes marketing dichotomic disaster into being? There are two things alike, but no one can tell them apart.
    5. isn’t it a bit confusing and suspect?

    Here are the two projects, side by side, with twin names, twin locations, twin development (synchronous). With synchronous I mean new versions appear exactly at the same moments.

    jap-development 00.08.027 released (PRIVACY AND ANONYMITY IN THE INTERNET)
    infoservice-development IS.07.073 released (PRIVACY AND ANONYMITY IN THE INTERNET)

  55. Former Tor User in UAE

    May 8, 2007 @ 11:04 am

  56. German

    May 20, 2007 @ 6:53 am

    Anyway, at the moment the US and EU are not really far apart regarding anonymity, or lack thereof. I guess the same forces and fears have brought the German Government to ratify the “Vorratsdatenspeicherung” law. A law that requires ISP to keep nearly all data of the connections of the clients for at least 6 months. Even worse: it is an EU-directive, which is to be implemented all over EU with varying time frames from 6 months to 2 years.

    Shame on governments that try to control their citizens and not the other way around.

    Further reading:
    http://en.wikipedia.org/wiki/Telecommunications_data_retention
    http://www.vorratsdatenspeicherung.de/index.php

  57. Denis Michel

    May 27, 2007 @ 5:40 pm

    No security is perfect. Also some of the blogging software has security vulnerabilities, witness the WordPress problem of a few months ago.

  58. David

    May 30, 2007 @ 4:31 am

    “Zzzzzzzzzzzzzzzzzzzzzz man, this shit is boring.”

    You’re not kidding. Bunch of dumb chauvinists who keep yelling “dumb chauvinist” back and forth at each other. The only interesting comment here was Shava Nerad’s “I’m… quite female.” Sounds like she’s very proud of it. If I were, I would be, too. Women have lots of natural class and style.

    Thanks.
    David (An old man who grew up in the days when men and women were expected to have a natural love for each other.)

  59. Java Resources

    June 1, 2007 @ 1:21 am

    Hi
    Nice blog. Good Information

    Java Home

  60. clóvis

    June 1, 2007 @ 9:20 pm

    In my university the ´´monitors´´ have one mode to damage Tor! I have the image of the damage, what the email to contact´´ I send the image of print screen, to us give me a solution´´

  61. Bimsay

    June 8, 2007 @ 4:23 pm

    I was wondering if there is any system that can cloak the identity of the user’s computer AND the data stream, thus to protect against a data stream phoneline tap equivalent of a regular voice tap on the phoneline (or key word flagging by such places like the UK’s GCHQ)….for uses such as websurfing or whatever -everything basically…so that all the communication between the user’s computer and the proxy server anonymizer is secret? I read about ‘tunnels’ for email, newsgroups…but what about websurfing? i.e. everything basically.

  62. Bimsay

    June 8, 2007 @ 4:39 pm

    I downloaded Tor some time ago - when I ran the program on the
    computer it switched into what ever it is I’ve forgotten mode - a very
    basic black screen with txt coming up asking for incomprehensible
    directions. I quickly forgot about it. It (Tor) doesn’t seem as all
    covering as this sort of (quite expensive system) anyway…. thus:

    http://www.anonymizer.com/consumer/products/total_net_shield/

    …which claims….(and I quote):

    “Technically savvy Web users require sophisticated online identity
    protection that provides them total control over their privacy.
    Anonymizer Total Net Shield works by creating an encrypted “virtual
    tunnel” to and from your computer to shield you from even the most
    complex methods of online spying and snooping. Total Net Shield is
    similar to the secure Virtual Private Networks (VPN) that corporations
    use, but it’s designed for personal use.

    Secure tunneling creates an impregnable Secure Shell (SSH) connection
    from your computer to your destination site, protecting you from man
    in the middle (MITM) attacks and evil twin scams.

    MITM attackers are able to read, insert, and modify online
    communications between two parties without either one knowing that
    their communications had been compromised. Total Net Shield protects
    you from this attack by encrypting all of your online communications
    with SSH tunneling.

    Evil twins trick wireless users into connecting a laptop or PDA to a
    tainted hotspot by posing as a legitimate wi-fi provider at the
    airport or your local coffee shop. Once you connect to their wireless
    network, the evil twins can watch your online activities and steal
    your confidential information. Total Net Shield safeguards you from
    this threat by encrypting all of your online activities so the evil
    twins are unable to access your passwords, credit card numbers, and
    other personal information.”

    So, sorry to be think, does this include websurfing, (or just special
    stuff that you ringfence, like credit card transactions and the like)?

    ALSO. Does it (Total Net Shield thing) protect against (presumably high tech) governmental spying?

    Thanks in advance.

  63. Claus

    June 18, 2007 @ 9:13 am

    There are many interesting messages here and its really nice topic. Im interested in it. Thanks all for informative and usefull messages
    http://pissedthumbs.com/index.php

  64. gcol

    June 26, 2007 @ 7:06 am

    just blog hopping…great site.

  65. plinker

    June 26, 2007 @ 12:32 pm

    see my ip? (not all of you, just the admins… :P)
    I’m 6 hops away from that ip, which is a firewall, router and proxy…
    the other five are 2 cisco routers, 2 masquerading routers, and my shdsl router,
    meaning, although I have a real ip, it’s somewhat complicated tracing me…
    that’s the way the network over here is designed, take a guess on where I am…
    anyhow I chose to use tor, simply because although I’m a network admin myself,
    I’m not THE netadmin, and I love giving headaches… just because…
    But the time when the admins will begin to filter the nodes’ ip, it’s not far, it’s
    always the same and a solution for that kind of problem will be most welcomed and I’m sure the bandwidth consumption can be optimized.
    Also reading all the blog gave me some useful impressions, that’s for sure…

    One thing is certain, it reminded me:
    “In a world where data is the coin of the realm, and transmissions are guarded by no better sentinels than man-made codes and corruptible devices, there is no such thing as a secret.” - This Alien Shore

  66. Marmura

    June 27, 2007 @ 7:53 am

    I wish you good luck trying to track me down via that connection.
    You’re gonna need it. Other than that, you of course have the liberty to simply denounce anyone trying to stand up for a really safe approach to anonymity and against the myth of “only a US system can guarantee liberty” as a troll.

    Not that it has anything to do with anything and it most certainly doesn’t validate the bad mouthing of JAP or other non-US based anonymity systems, which happen on a routine basis both in this BLOG and on other US based ones.

    JAP & other non-US based systems are at least as secure as Tor *and* have the added advantage that in countries like Canada, Germany, Sweden and so on, they at least still need a Judge & Jury before they can send you off to the Executioner.

  67. Marmura Semineu

    July 1, 2007 @ 1:38 pm

    I want to make a free blog and support my www.whitemarble.home.ro with money. How can I do that? Who will help me? I want to be for a free blog.
    Many thanks

  68. Siderite

    July 5, 2007 @ 6:42 am

    Har Har, ‘Marmura Semineu’!

    Anyway, about Tor and Jap, I think it would be a great idea to actually test route both Jap and Tor on the same few dedicated servers, sending messages and stuff, while the monkey army, with full access to the servers, tries to gather as much data as possible.

    Then both vulnerabilities and strong points, as well as a lot of publicly available test data, would be revealed. Not rivalry, but comparison; not supremacy, but wisdom.

  69. karl

    July 10, 2007 @ 7:25 am

    In this age of never knowing who is watching you both on the streets of our cities but more of concern whilst using the internet, that TOR offers protection to our anonymity. Great blog and is now bookmarked

  70. grube300

    July 15, 2007 @ 9:28 am

    In the last time, using vidalia I can see that all the connections of my tor client all are through onion routers of group lefkada, which pretend to offer 3500 kB/s bandwidth. So - is my client encircled by lefkada routers and thus open to analysis (offering even less anonymity than surfing without tor)?

  71. Popescu

    July 28, 2007 @ 6:11 pm

    Does anybody know how I can configure TOR to use a new exit-node every time I load a new page? I mean if I used TOR to load page A, when I click on a link from page A to page B, or I simply load page B in the browser, to use a new exit-node. I’ve heard that for security reasons the exit-node is periodically changed. Can I set the period time?

  73. waveshaper

    August 2, 2007 @ 3:42 pm

    I would recommend reading the faq for a few tips or perhaps you might contact the tor team directly.
    As well as using tor, vigilance is also a good quality if you want to stay anonymous. In other words: read tips, act on alerts, be creative. Above all, DON’T INCLUDE PERSONALLY IDENTIFIABLE DATA IN ANY COMMUNICATION.

  74. Dear Popescu

    August 7, 2007 @ 7:55 pm

    After all Tor works with less than 2k ips so…

  75. Dear Popescu

    August 7, 2007 @ 7:56 pm

    After all Tor works with less than 2k ips so it doesnt worth the effort http://msdonline.ro

  76. Seven

    August 8, 2007 @ 4:31 am

    just blog hopping…great site.
    my site: http://www.w3csites.net

  77. Nickolas

    August 12, 2007 @ 5:40 pm

    Cool.

  78. seocompany

    August 14, 2007 @ 12:15 pm

  79. Papa

    August 14, 2007 @ 12:16 pm

    You are being cited, o brethren, in Polish

    https://echelon.warszawa.pl/?q=node/315#comment-61

    So is the study paper from Colorado. BTW the attack is very thin indeed, because it simply can’t happen in reality, the folks needed to have some results in the field. It means only that TOR works, otherwise wouldn’t be studied upon on public universities.

    The Torment is cited too, with negative response. Mr. Moore aspires to some governmental job on the utmost according to the street. His Torment outfit can easily be put out of function - block javascript.

    JAP is cited too, and with positive marks, although I cannot be sure of the integrity of the code anymore, as the original project on sourceforge.net was by the end of 2006 discontinued. There are two lines of JAP by now: the open-source one (discontinued) and the new one, proprietary with additional functionalities called and marketed something like ‘anonymity on the internet’. Maybe some kluger Mensch can enlighten my humble self and explain this tortuous marketing policy, where JAP isn’t JAP anymore, but by this name stays known and used.

    I use both: JAP and TOR and both can be recommended.

  80. webdesign

    August 14, 2007 @ 12:17 pm

    It never ceases to amaze how many people can’t recognize satire when they see it.

  81. Sempralon

    August 15, 2007 @ 1:55 pm

    Sorry for my bad English …

    Jap or Tor, that is not the question, that is a state …
    The Question is, how someone can prove, that “my Ip-Address” was connected with an “evil address”, that is the question …

    JAP has a “mixcascade”, a good idea, but it give in Germany some Paranoid men (Schäuble [current Secretary of the Interior, totally Germany], Beckstein etc.), they are like Erich Mielke from GDR (formerly Secretary of the Interior, East Germany), they have fear of the own population. Why ? Bad politics !
    Anxiety as well as Erich Honecker before Nov 1989.
    The “countrysecurity” from the GDR (”Stasi”) had used nothing, they thought would have it the control.
    The question at that time was:”Who spoke when, with whom and about what?”
    Today that is not differently … we talk now more over computer or mobile phone.
    Our politicians have today the same target: Control !
    Today … it are more the trade groups, pay that the politicians so that they come at customer data, the music industry know wants the consumers why its rubbish no longer buy and why that 80′ it in the Filesharern more traded become, than the rubbish of today … “BSI” becomes of the economy sponsored, any questions yet ?

  82. web

    August 19, 2007 @ 11:06 am

  83. Dating

    September 3, 2007 @ 6:03 am

    I didn’t agree with you about “Some number of dissidents and bloggers in places such as China abandon Tor. As a result, they might be arrested, jailed, or disappeared.”

  84. gfbvbxv

    September 6, 2007 @ 12:42 pm

    people are stranger

  85. Tvorba webu

    September 10, 2007 @ 6:44 pm

    Is Tor for mac too?

  86. bio

    September 18, 2007 @ 5:34 am

    just blog hopping…great site.
    my site: http://www.52bio.com.cn

  87. An Old Man

    September 18, 2007 @ 8:49 pm

    Hello Everyone,

    Seems to me that there is plenty of room in this (internet) world for both TOR and JAP. A rule of thumb, no governments are to be trusted — ever! The sad part is that here in the US, we pretty much have the government we deserve, after all, we voted for the bums.

    Good Luck to you both!

  88. An Old Man

    September 18, 2007 @ 8:57 pm

    Security Holes.

    You talk about cookies, and java, and activeX and I am sure these are all security “problems”. However, there are a lot more. Pentium IIIs and better each have a personal ID in them, and I have a hard time believing the BIOS can disable it, after all, it is an op code. Also, I suspect that most BIOSes have a serial number that could be accessed, and what about your windows key code, your ethernet card’s MAC address. I am sure there is more, but this should be enough to make you think.

  89. Makina

    October 9, 2007 @ 11:15 am

    nice web log..

  90. Nelly

    October 19, 2007 @ 3:14 pm

  91. Sempralon

    October 22, 2007 @ 2:30 pm

    @ An Old Man … Mac-Address ? My Networkcard has the MAC from a Networkprinter, and if you run an HTML access to the Address … you will become an answer … a window from a Networkprinter, protected by a password naturally …
    How it works ? It’s working very fine … but why should I tell the know how all ?

  93. Unknown

    October 28, 2007 @ 5:11 pm

    I almost think that their assertion that they haven’t seen the attack carried out “in the wild” really doesn’t disprove the argument that such an attack is possible or already being carried out.

  94. Obaid

    October 30, 2007 @ 11:46 pm

    even though ! everyone knows it’s a big example of crime…. what’s happening ? it’s definitely our fault.. if we’ld good our leaders must be good.. so look at YOU..

  95. Bob

    November 17, 2007 @ 11:58 pm

  96. beculetzu

    November 29, 2007 @ 3:39 pm

    Do we really think that? Today … it are more the trade groups, pay that the politicians so that they come at customer data, the music industry know wants the consumers why its rubbish no longer buy and why that 80′ it in the Filesharern more traded become, than the rubbish of today … while “BSI” becomes of the economy sponsored, any questions yet ?

  98. Mini Storage

    December 10, 2007 @ 10:16 pm

    Is Tor for mac too?

  99. Catalin

    December 17, 2007 @ 5:55 pm

    http://cvalutar.ro curs valutar

  100. Dimi

    December 19, 2007 @ 9:46 am

    The good news is that this isn’t happening. To quote from the Tor developers’ blog: We are aware of these kinds of potential attacks — but such a bandwidth overstatement attack, to be successful, would leave fingerprints all over the Tor directories.

  101. Gun Dog Breeder Directory

    December 20, 2007 @ 5:33 pm

    I don’t see what the big deal is. If we knew about half of the key-loggers and spywares we would never surf the web again. Paranoia never seemed like the right solution for me. If you’re frightened, just build your log cabin in Montana and live off the grid in isolation.

  102. Web Site Çeviri

    January 7, 2008 @ 12:39 pm

    Thanks Tor, TorPark and Torrify. I love Tor and I’m so grateful. I am also elated by the fact that Tor is OPEN-SOURCE..

  105. Юникс

    January 13, 2008 @ 11:29 pm

    Correct me if I am wrong. Doesn’t an “attack on TOR” really constitute an attack on an individual user’s identifying data and not at all an event easily noticed? There is no guarantee attacks have never occurred. In fact, it is impossible to prove that negative because individual security is not easy to see and the breach is not easy to detect.

  106. рецепт салат оливье

    January 13, 2008 @ 11:32 pm

    two eggs and a pound (454 grams) of Provençal olive oil[2]. At the end of the 19th century one of the cooks, Ivan Ivanov, stole the secret of the sauce and moved to the restaurant “Moskva”, where he served his salad under the name “Stolichny”. However, many considered “Stolichny” inferior to the real Olivier salad (that is, Ivan Ivanov managed to steal only part of the sauce recipe).

    Lucien Olivier’s recipe was a secret that he took with him to the grave. After a brief period of oblivion, the recipe was reconstructed in 1904 from the memory of one of the restaurant’s gourmet regulars.

  107. inşaat

    January 16, 2008 @ 7:23 pm

    nice..

  108. thomas and friends

    January 25, 2008 @ 10:24 pm

    This site is interesting and very informative, nicely interface. Enjoyed browsing through the site.

    http://www.mini-strage-hk.com/

  109. bob n.

    January 27, 2008 @ 11:06 pm

    Has anyone heard of a service called relakks? It’s supposed to be a good VPN. I think coupled with tor it might provide the best protection. Is it open source? Has anyone used it?

  110. Hi, my sites:

    January 31, 2008 @ 9:12 am

    Great boys

  111. Bachelors Degree

    February 4, 2008 @ 4:38 am

    Thanks for this informative article.

  112. indir

    February 18, 2008 @ 1:05 pm

    Thank you for your work. This is a fantastic article.

  113. Petre

    February 18, 2008 @ 4:33 pm

    Here at http://toatechestiile.ro you can see that you can obtain all the info regarding this topic.

  115. çeviri bürosu

    February 25, 2008 @ 6:30 am

    nice article..

  116. Arti

    February 29, 2008 @ 8:59 am

    Music to me is vibrations and vibrations are universal a heart beat is music. I think music is in our blood. Music is like math its universal and always …

  117. Harry

    March 18, 2008 @ 1:08 am

    Presumably any smart person or group using Tor or other security-enhancing technology would not rely on one technique, but rather would build caution into all aspects of what they are doing. For example, such a smart organization would use physical security, unobtrusive behavior and location, knowing one’s friends (and, if possible, one’s enemies), sparse communication of any kind, and all the other more or less common-sense ways to keep things private. To assume that any one methodology would provide comprehensive protection would be… well, just silly, wouldn’t it?

  118. pumps

    March 23, 2008 @ 1:59 pm

    just blog hopping…great site.
    my site: http://www.sn-pumps.com
