Schneier on Security
A blog covering security and security technology.
September 20, 2007
Anonymity and the Tor Network
As the name implies, Alcoholics Anonymous meetings are anonymous. You don't have to sign anything, show ID or even reveal your real name. But the meetings are not private. Anyone is free to attend. And anyone is free to recognize you: by your face, by your voice, by the stories you tell. Anonymity is not the same as privacy.
That's obvious and uninteresting, but many of us seem to forget it when we're on a computer. We think "it's secure," and forget that secure can mean many different things.
Tor is a free tool that allows people to use the internet anonymously. Basically, by joining Tor you join a network of computers around the world that pass internet traffic randomly amongst each other before sending it out to wherever it is going. Imagine a tight huddle of people passing letters around. Once in a while a letter leaves the huddle, sent off to some destination. If you can't see what's going on inside the huddle, you can't tell who sent what letter based on watching letters leave the huddle.
I've left out a lot of details, but that's basically how Tor works. It's called "onion routing," and it was first developed at the Naval Research Laboratory. The communications between Tor nodes are encrypted in a layered protocol -- hence the onion analogy -- but the traffic that leaves the Tor network is in the clear. It has to be.
If you want your Tor traffic to be private, you need to encrypt it. If you want it to be authenticated, you need to sign it as well. The Tor website even says:
Yes, the guy running the exit node can read the bytes that come in and out there. Tor anonymizes the origin of your traffic, and it makes sure to encrypt everything inside the Tor network, but it does not magically encrypt all traffic throughout the internet.
Tor anonymizes, nothing more.
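The layering described above, as an added Python example that is not from the original essay or the Tor project. It assumes three relays with pre-shared keys and uses a toy HMAC-based stream cipher in place of Tor's real circuit handshake and cell format, and it compares what each relay sees for a cleartext POP3 login against the same login encrypted end-to-end for the mail server.

```python
import hashlib
import hmac
import os

# Constructed sample payload: a cleartext POP3 login (not real credentials).
LOGIN = b"USER clerk@embassy.example\r\nPASS constructed-password\r\n"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (illustration only): XOR with HMAC-SHA256(key, nonce||ctr)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt one layer; a fresh random nonce is prepended to the ciphertext."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Remove one layer that was added with seal()."""
    return keystream_xor(key, blob[:16], blob[16:])


def wrap_onion(relay_keys, payload: bytes) -> bytes:
    """Client side: the exit's layer goes on first (innermost), the entry's last."""
    cell = payload
    for key in reversed(relay_keys):
        cell = seal(key, cell)
    return cell


def route(relay_keys, cell: bytes):
    """Relays in path order each peel one layer; return what each one then holds."""
    views = []
    for key in relay_keys:
        cell = unseal(key, cell)
        views.append(cell)
    return views


def demo():
    relay_keys = [os.urandom(32) for _ in range(3)]  # entry, middle, exit (hypothetical)

    # Case 1: the application protocol itself is unencrypted.
    plain_views = route(relay_keys, wrap_onion(relay_keys, LOGIN))

    # Case 2: the client first encrypts for the destination. server_key stands in
    # for an end-to-end session such as TLS between the client and the mail server.
    server_key = os.urandom(32)
    e2e_views = route(relay_keys, wrap_onion(relay_keys, seal(server_key, LOGIN)))

    return {
        "entry_sees_login": LOGIN in plain_views[0],
        "exit_sees_login": plain_views[2] == LOGIN,
        "exit_sees_login_with_e2e": b"PASS constructed-password" in e2e_views[2],
        "server_recovers_login": unseal(server_key, e2e_views[2]) == LOGIN,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The onion layers protect the payload from the entry and middle relays only; the last peel hands the exit whatever the application sent, so only the end-to-end layer keeps the password from the exit operator.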
Dan Egerstad is a Swedish security researcher; he ran five Tor nodes. Last month, he posted a list of 100 e-mail credentials -- server IP addresses, e-mail accounts and the corresponding passwords -- for embassies and government ministries around the globe, all obtained by sniffing exit traffic for usernames and passwords of e-mail servers.
The list contains mostly third-world embassies: Kazakhstan, Uzbekistan, Tajikistan, India, Iran, Mongolia -- but there's a Japanese embassy on the list, as well as the UK Visa Application Center in Nepal, the Russian Embassy in Sweden, the Office of the Dalai Lama and several Hong Kong Human Rights Groups. And this is just the tip of the iceberg; Egerstad sniffed more than 1,000 corporate accounts this way, too. Scary stuff, indeed.
Presumably, most of these organizations are using Tor to hide their network traffic from their host countries' spies. But because anyone can join the Tor network, Tor users necessarily pass their traffic to organizations they might not trust: various intelligence agencies, hacker groups, criminal organizations and so on.
It's simply inconceivable that Egerstad is the first person to do this sort of eavesdropping; Len Sassaman published a paper on this attack earlier this year. The price you pay for anonymity is exposing your traffic to shady people.
We don't really know whether the Tor users were the accounts' legitimate owners, or if they were hackers who had broken into the accounts by other means and were now using Tor to avoid being caught. But certainly most of these users didn't realize that anonymity doesn't mean privacy. The fact that most of the accounts listed by Egerstad were from small nations is no surprise; that's where you'd expect weaker security practices.
True anonymity is hard. Just as you could be recognized at an AA meeting, you can be recognized on the internet as well. There's a lot of research on breaking anonymity in general -- and Tor specifically -- but sometimes it doesn't even take much. Last year, AOL made 20,000 anonymous search queries public as a research tool. It wasn't very hard to identify people from the data.
A research project called Dark Web, funded by the National Science Foundation, even tried to identify anonymous writers by their style:
One of the tools developed by Dark Web is a technique called Writeprint, which automatically extracts thousands of multilingual, structural, and semantic features to determine who is creating "anonymous" content online. Writeprint can look at a posting on an online bulletin board, for example, and compare it with writings found elsewhere on the Internet. By analyzing these certain features, it can determine with more than 95 percent accuracy if the author has produced other content in the past.
And if your name or other identifying information is in just one of those writings, you can be identified.
Like all security tools, Tor is used by both good guys and bad guys. And perversely, the very fact that something is on the Tor network means that someone -- for some reason -- wants to hide the fact he's doing it.
As long as Tor is a magnet for "interesting" traffic, Tor will also be a magnet for those who want to eavesdrop on that traffic -- especially because more than 90 percent of Tor users don't encrypt.
This essay previously appeared on Wired.com.
Posted on September 20, 2007 at 5:38 AM
• 64 Comments
Well written! I get questions about Anonymity vs. privacy all the time. What actually surprised me by this published list was the number of government agencies that actually use Tor. Roger Dingledine spoke at Blackhat 2007 about these groups using Tor.
Two corrections: India's not a third world country, and AOL released 20 million queries, not 20,000.
Great article again, though.
This is exactly why such hacking tools (which are overwhelmingly used by terrorists, communists, criminals and Linux "enthusiasts") must immediately be banned. Those using them sentenced to the harshest possible sentences, up to and including the death penalty. Nothing is more important than the safety of my family!!
This is extremely cogently explained in this wonderful article
These so called Poxie Servers have the ability to bring down our Great Country and even spread disgusting lies and photos about our Great President, as unquestionable authorities such as Bill O'Reilly have attested. We should be vigilant about the threat they pose!
I hope our God-fearing CIA and NSA can spy on these terrible satanists and send them off to Guantanamo Bay until they learn themselves how we do things in a good ol'fashioned Free Country.
Freedom isn't Free! Let's ban Tor before the loonie liberals decide to use it for their next protest march or anti-Diebold anti-America jihad.
Sorry, but in terms of the level and spread of poverty and levels of illiteracy, India very much -is- a third world country. I look forward to the day when this sort of article is of historical interest only:
Aside from the fact that a person who wants to hide *something* is going to wind up hiding everything by using Tor, that's a lousy assumption that everybody who uses Tor is hiding something. In short, there is going to be a lot on Tor that nobody particularly wants to hide.
"If you want it to be authenticated, you need to sign it as well."
Authenticated anonymous messages; there is a concept for you. :-) Makes the onion analogy even more apropos.
@True Patriot, Normally I would not even acknowledge such close-minded ranting, but your religious republican stereotype is so thick, it must be satire. If so, nicely over-done. If you're serious, then may your God help us all. (I refuse to click your links to find out.)
Shelley The Republican is sarcasm, dude. 20 seconds on the site should tell you that. Parody. Go figure.
Years and years before the Tor network, there was the anonymous remailer network which worked more or less following the same rules. So the problem is not new. You can sniff unencrypted traffic before and after. You can even do traffic analysis without even knowing what is the information you are looking at (time stamps, volume, etc.)
I think people tend to forget a crucial point. These anonymity networks are interesting because even if some nodes are compromised (think 3-letters US agencies running a few servers), they still work as intended.
AOL made 20'000 search queries public?
No! They made 36'389'629 queries public!
"And perversely, the very fact that something is on the Tor network means that someone -- for some reason -- wants to hide the fact he's doing it."
While that's technically true, you imply that someone is doing something he shouldn't be. Personally, I use Tor because I don't want anyone to know what I'm doing while I'm reading Slashdot articles. That's hardly nefarious. It's simply an expression of my right to privacy (of which simple source anonymity is an element, even without end-to-end encryption).
Another interesting note, Tor has a very significant weak point in traffic analysis. If you're following a trail of packets to a Tor end-point, you can continue to follow that trail through the Tor network by looking for matching traffic patterns at the various ISPs allowing the route. And since Tor usually only hops traffic 3-4 times, it's not a long trail. Of course, you'd have to be an organization capable of obtaining that data from ISPs, but it's still worth noting.
Don't forget DNS leaks, peeps. Tor will leak the hostnames you resolve to your DNS server. Anyone sniffing on that segment can see what hosts you're going to.
@Michael, ""And perversely, the very fact that something is on the Tor network means that someone -- for some reason -- wants to hide the fact he's doing it."
While that's technically true, you imply that someone is doing something he shouldn't be."
Actually the base quote is not even true. All that can be inferred is that the user wants to hide something, not necessarily that he wants to hide everything sent through Tor. This could be motivated by a desire to make traffic analysis even slightly more difficult.
Personally I have considered sending all my traffic through Tor even though 90% or more isn't anything I care about hiding. If I send only that which I care about hiding through Tor, it is easy to infer how much traffic I consider important to hide. I'd prefer to avoid even that information leakage.
Another point, it is unclear that the reason for using Tor is really anonymity, because the other end of the communication may be aware of the user identity (hence the oxymoronic signed anonymity). It seems that many users may be most concerned about preventing eavesdropping and traffic analysis, in other words confidentiality.
This whole area rubs up against another concept that I find interesting, which is anonymous trust. Can you establish trust with an anonymous counterparty? There are some situations in which an anonymous financial transaction might be desired by at least one party, but since financial transactions depend on mutual trust this creates an interesting challenge. Any thoughts?
"The fact that most of the accounts listed by Egerstad were from small nations is no surprise; that's where you'd expect weaker security practices."
I'm curious about this conclusion. Why is it an expectation that security practices would be weaker in a specific geographical/political region? Isn't this something that comes with institutional policies, personal preference, individual user training, etc? Or is the assumption that a smaller nation has a lesser need to practice good security, because the information it cares to transmit isn't as sensitive?
Now, as before, The Government (whether U.S.A., U.K., *stan, ...) has a hand in all of the so-called anonymizing networks. Ultimately, there is no anonymity on the Internet although there can be a degree of privacy.
Even for less important things like comments to Mr. Schneier's blog: If he cares, he can easily figure out who I am, even if I try to pretend my posts are "anonymous."
Security is a product. Like most products (in general) you get what you pay for, and the better it is, the more it costs. Smaller and poorer countries have less money to spend, so cannot afford the kind of security that larger and richer countries can purchase.
Whether or not that's true, I don't know. But I would guess that's the line of reasoning behind the statement.
@Anonymous: Tor does not leak DNS queries. If you use SOCKS4A, DNS queries are tunneled through Tor. See http://wiki.noreply.org/noreply/TheOnionRouter/... for details.
@DZG: Yes and no.
If you only look at software, you get the best security without paying anything. Using OpenSource software costs nothing and you can even verify the security software does what it claims to do.
Considering the whole cost, you normally must pay somebody to implement your security system. THAT is the big cost factor.
I looked at the site that @True Patriot posted and at first I thought it was a big joke, but then I started to read the comments that people were leaving on the site's posts and I got a sick feeling that this person really thinks this way.
The real question is;
What is the context of the data you are sending?
Will the data be of interest to anyone listening?
Tor is not a security solution just a transport mechanism.
Having faith that ANY network is secure or anonymous is foolish. Even trusted solutions have bugs and hacks that compromise their user's security and anonymity.
"Shelley The Republican is sarcasm, dude. 20 seconds on the site should tell you that. Parody. Go figure."
That is really open to debate. Spend a little while listening to RW talk radio or watching Fox News and you'll get exactly this sort of ignorant, self-righteous, vicious fanatics and there's nothing at all sarcastic about it.
That problem is exactly why JAP exists (now also a commercial product under the name JonDo; in the interest of full disclosure, I'm one of the main developers of JonDo).
Like Tor, JAP/JonDo anonymizes internet traffic using onion routing (i.e. multiple encryption, passing traffic over several nodes, with each node only able to read enough of the traffic to pass it on to the next node).
Unlike Tor, we use known and trusted organizations to run the servers, so you get the same strong anonymization as with Tor, but you know exactly who's handling your traffic.
@not for you
There are some extremely unsettling undercurrents in the world right now.
If history is any teacher it is going to get much worse before it gets better.
My advice: Stay out of the way of the crazies.
This article shows the danger of not understanding the limitations of Tor.
Tor traffic is encrypted between Tor routers, but is un-encrypted at the last Tor-router in the path, in order to deliver it to the final destination.
So if your traffic is an unencrypted protocol (like a lot of POP email), then your account/password goes naked into the first Tor router and out of the last Tor router.
Thus it is open to spying by the first and final Tor router (as in this case), and by anyone else peering between the Tor entry/exit points and their respective source/destination.
But Tor does allow you to choose the Tor routers for your traffic, so you could pick a trusted operator like maybe EFF for that last hop.
One would hope that EFF would operate scrupulously, but you can still bet any traffic going in and out of Tor is scrutinized by governments. (In these times, I would sort of hope so, even though I don't like it.)
Anonymity from determined governments is probably impossible at this point. But if these embassies had used secure email protocols then even unscrupulous Tor operators wouldn't have their account/password info.
Of course, sometimes Tor is used only to obscure the source IP and not the traffic itself. For example, if I wanted this post to be seen by the world, but maybe I didn't want Bruce to know where I was coming from, Tor would still be sufficient.
@not for you:
Just because some of the people posting comments on shelleytherepublican believe what they are reading, doesn't mean that it's not a satire. :)
> Authenticated anonymous messages; there is a concept for you. :-)
> (hence the oxymoronic signed anonymity)
Signing an encrypted message does not reveal the identity of the signing entity off of the encrypted message if it is signed before the encryption, or a bit more formal:
Let M be the clear text, S the signature function, C the encryption function and E the encrypted message, then
E = C(S(M))
It is highly probable that those who have the means to break the encryption also have the means to follow all of the paths through TOR.
There have been some systems which provide a sort of 'anonymous authentication' in the form of 'deniability.' It's slightly different than a normal digital signature. Instead of using a public-key system as in a normal signature (where you sign using your secret key and the other party verifies against your public key), you use a Message Authentication Code. It's symmetric and similar to a hash. (There's a Wikipedia article on the subject for anyone who's curious.)
The critical aspect of them is that they reveal the MAC after it's done being used, so that anyone after the fact can forge traffic arbitrarily. In theory at least, this means you can always have some level of plausible deniability. (Offer not valid when mere suspicion is enough to get you in trouble.)
One system which implements this is the 'OTR Messaging' IM encryption plugin. There's no real reason why you couldn't implement something similar on a more general basis, say for SSL/TLS, and encrypt arbitrary web traffic. The hard part is just getting everyone to agree on something and support/use it.
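The deniability property discussed in the comment above, as an added Python sketch that is not part of the original comment and not OTR's own code. It assumes both parties already share a per-epoch MAC key (the `Conversation` class and its method names are hypothetical) and shows that publishing that key after use lets anyone produce messages that verify.

```python
import hashlib
import hmac
import os


def tag(mac_key: bytes, message: bytes) -> bytes:
    """Symmetric authentication tag: HMAC-SHA256 over the message."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, candidate: bytes) -> bool:
    """Constant-time check that the tag was made with mac_key."""
    return hmac.compare_digest(tag(mac_key, message), candidate)


class Conversation:
    """Hypothetical two-party session; mac_key is assumed agreed via a key exchange."""

    def __init__(self):
        self.mac_key = os.urandom(32)
        self.published = []  # old keys released once they are no longer in use

    def send(self, message: bytes):
        return message, tag(self.mac_key, message)

    def finish_epoch(self) -> bytes:
        """Rotate to a fresh key and publish the old one."""
        old = self.mac_key
        self.published.append(old)
        self.mac_key = os.urandom(32)
        return old


def demo():
    conv = Conversation()
    epoch_key = conv.mac_key

    # While the key is secret, the tag authenticates the sender to the peer.
    message, genuine_tag = conv.send(b"meet at noon")  # constructed message
    genuine_ok = verify(epoch_key, message, genuine_tag)

    # An outsider who does not know the key cannot produce a valid tag.
    forged_message = b"meet at midnight"  # constructed message
    blind_ok = verify(epoch_key, forged_message, tag(os.urandom(32), forged_message))

    # After the epoch ends the key is published: anyone can now tag anything,
    # so a saved transcript no longer shows who wrote which message.
    revealed = conv.finish_epoch()
    late_ok = verify(revealed, forged_message, tag(revealed, forged_message))

    return {
        "genuine_verifies": genuine_ok,
        "blind_forgery_verifies": blind_ok,
        "forgery_after_reveal_verifies": late_ok,
        "genuine_still_verifies": verify(revealed, message, genuine_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Unlike a public-key signature, a tag that verifies here shows only that its author held the key, which after publication is everyone.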
@Elmar: "Unlike Tor, we use known and trusted organizations to run the servers, so you get the same strong anonymization as with Tor, but you know exactly who's handling your traffic."
How is the admission process for new node operators defined? What measures are in place to filter out, say, NSA-run cover firms?
Furthermore, running things like the "Dresden-Dresden" cascade does not seem to do much good with the upcoming logging legislation...
How many "international" cascades are in place?
@Ruminations: "So if your traffic is an unencrypted protocol (like a lot of POP email), then your account/password goes naked into the first Tor router and out of the last Tor router."
AFAIK the connection between your client and the first TOR node is encrypted.
Think about it: The whole thing would be utterly pointless if, say, HTTP requests went out in the clear.
"perversely, the very fact that something is on the Tor network means that someone -- for some reason -- wants to hide the fact he's doing it."
And refusing to consent to a search must mean that you have something to hide?
And the use of encryption means that the contents must be private?
And the use of doorlocks must mean that there's something valuable in the house.
@Paeniteo:"AFAIK the connection between your client and the first TOR node is encrypted.
Think about it: The whole thing would be utterly pointless if, say, HTTP requests went out in the clear."
You are right, I stand corrected on that point. The traffic is encrypted upon entry in such a way that even the Tor entry point cannot snoop it.
(The content is multiply encrypted at the source using a separate key for each Tor router that it will be passing through. As the traffic is forwarded, another layer of the encryption "onion" is removed.)
All that a malicious entry point would actually know is your source IP and the next Tor router in the route. Not the content or the final destination.
Of course, you do still have the limitation of traffic going in the clear between the final Tor router and the destination, for non-secure protocols.
for everyone wondering if shelleytherepublican.com is real or not:
apparently there were some notices on the page originally that stated that it was satire, but they were removed. The links in the blog that verify this are dead now, so who really knows ...
Thanks for the article.
"...perversely, the very fact that something is on the Tor network means that someone -- for some reason -- wants to hide the fact he's doing it."
I'd be interested to hear a little more about this conclusion. If you view anonymity and privacy as key values e.g. in human rights terms, how does this fit with Tor being used, say, to preserve/protect these two basic states. Tor may not be very good at doing either, but I could understand using it because I wanted to be anonymous and private as much as possible. The internet does not offer these as services to its users yet, and willy-nilly, many interests wish to undermine both values.
I would stay FAR AWAY from JAP/JonDo. I'd trust the FBI/NSA/CIA more than I would trust JAP/JonDo.
By 'end to end' encryption do you just mean things like "only use webmail that has 'https' for the entire session" (meaning it's encrypted), or do you mean something else? Is there a way to easily encrypt all of your internet traffic? If the server doesn't encrypt things (or does so poorly), it's not possible (or at least, it's pointless) to encrypt the data you send and receive, right? If so, wouldn't part of being secure on the Internet mean not visiting certain websites at all?
Sorry if these are dumb questions. I just want to make sure I have my thoughts straight. If I use something like GMail, it sounds like my messages would definitely be sniffable if I used Tor...
Suppose I use TOR to post a message on this blog, and sign it with a PGP key. The key is self-signed only, so there's no connection to a real identity.
If I send another message signed with the same key, the messages are still anonymous, but you can be certain that they came from the same source.
This is pseudonymity. Very useful for whistle blowers and those who suspect their organisation has been compromised. You may be talking to the very people who are trying to stop you.
"Unlike Tor, we use known and trusted organizations to run the servers, so you get the same strong anonymization as with Tor, but you know exactly who's handling your traffic."
Unlike Tor, you are willing to include a back-channel purposely designed to allow your anonymity system to leak like a sieve at a moment's notice from the authorities!
Why is it that a client-only tor keeps TLS connections open for up to an hour each, sending data every 5 minutes or so even if no app connects to tor?
What data could there possibly be that must be sent encrypted?
Another back channel by design?
I have been using Tor for a while, and have been of course using SSL to connect to GMail. Today, I ran into a man-in-the-middle attack; one of the links in the Tor chain (exit only?) was presenting a self-signed cert for *.gmail.com and *.google.com. I reset my identity (killall -1 tor) and got the right cert back (signed by Thawte).
If you're not paying attention to the certs, even using SSL over tor isn't safe.
One of the accounts compromised was for Sin Chung Kai, Hong Kong's Legislative Councillor for the Information Technology Functional Constituency. That is, he is the elected representative of the IT industry. His recent newsletter was headlined, "More education on information security is needed", I think he should enrol on a course himself!
And he used his wife's name in his password. There is a difference between preaching and practice. Don't think I'll vote for him, next election.
how do i get past my school filter other than proxy?
Anyone who has got a copy of 'Writeprint' would also be able to make a writeprint of anyone else. Just use trial and error, try to write like your target, and adjust the text until 'writeprint' identifies the text as your target's text...
The same applies to 'voice fingerprints', any sufficiently advanced intelligence agency could produce a tape that gives a 'voice fingerprint' of anyone else. This probably also applies to video.
HEY "ANONYMOUS" when a country still needs inoculations for bubonic plague, has tens of thousands die annually due to floods, and pays engineers what the U.S. minimum wage is, THAT'S a 3rd world country.
The Schneier article neglects to point out that the tried-and-true ID + Password has been proven ineffective against attacks. The US Department of Justice published a detailed analysis of the cases of network attacks that they prosecuted and found that ID + password was the worst way to protect a system.
One comment on this article spoke rather flippantly about using a tape recording to "spoof" a speaker biometrics system.
Tape recordings are not good for challenge-response systems which randomly select from among the things a person has enrolled (and enrollment can be done incrementally). So, not only does the attacker have to make multiple recordings or somehow access all of the enrolled items, they must also have technology that can separate and combine those items in a second or two. If it takes longer the system will time out.
No tape recording will work for systems that use challenge-response for items the person never said before, such as "What is today's date?"
The person who sent the comment in also spoke about intelligence agencies generating what sounded as if it could be reverse engineering on biometric models. British Telecom has been working on reverse-engineering voice models. That is, they are trying to take a model and create a voice from it. They have poured a lot of time and money into doing this. They still haven't gotten a scintillating voice out of it but they are still working on it.
Unlike BT, most hackers and other criminals want to do something as cheaply as possible. Otherwise, it isn't worth the time and expense. So the kind of work being done by BT is not reasonable for them unless the voice they are reverse engineering will get them a ton of money - or whatever they want. There aren't very many voices like that. I wish mine were.
Another problem is that reverse engineering would necessarily apply to the models of vendors other than the one who generated the model being reverse engineered.
For either tape recording or reverse engineering it isn't clear whether, after spending a ton of time and money on the project, it wouldn't be better to simply bypass the system. That would allow the attacker to access secured
It seems to me that you cannot make your mind up whether you are talking about voice recognition in a security context or artificial voice for more arts-style or service-oriented purposes?
Nobody is in doubt that security needs improvement, but that is not an excuse to introduce worse security, i.e. a system that has open vulnerabilities that can hardly be prevented without fall backs.
It seems to me that your entire argument here is based on Security by Obscurity.
Just because BT haven't been able to make a perfect voice, we should trust that merely cheating a voice recognition system is not possible and fairly easy? This does not require perfection, merely to be good enough to fool the system.
Two relevant questions here:
a) On what grounds do you claim that voices cannot and are not already made spoofable both on a generic level and certainly on a specific level? What is the argument except that you don't know about it?
b) What happens when voices are mapped and spoofed? Not any voice, but your voice and thereby your security for authorizing transactions in your name in case we begin relying on voice biometrics for authentication and identification outside your control.
Rarely do comments posted on a blog motivate me to respond. Today I am motivated by a comment by "A True Patriot."
There were many people, with similar views regarding privacy, that enabled the agenda of the National Socialist Party in Germany (circa 1933). Some of the first laws they passed were those eviscerating the right to privacy and secure/free communications (http://en.wikipedia.org/wiki/Reichstag_Fire_Decree).
It is ironic that the laws were passed under the guise of protecting the "safety" of the German citizens. Consider the following title, "Order of the Reich President for the Protection of People and State." Governments that take your civil liberties to "protect" you are only interested in enslaving you. Read some history!
The point of protecting privacy is to protect what some call "the American way of life." (a.k.a. freedom from government interference in private affairs.) Unfortunately, this way of life is quickly vanishing due to viewpoints such as yours. (See FISA legislation pending in the U.S. Congress)
I bet the Tory loyalists made the same type of Orwellian arguments against the colonists that you make now against "liberals." I can almost hear them saying .... "We must spy on the colonists so they do not revolt against the British Crown. They are 'terrorists.' We must do it to protect the 'safety' of the population."
The right to dissent is (used to be) uniquely American. In fact, your right to spew quasi-treasonous venom exists because of "liberal" efforts to protect free speech. Protecting privacy, the right to protest, and stopping police-state type surveillance are some of the most patriotic activities I can think of.
how do you unblock blocked school sites
Great Article .. !
But... India doesn't count among 3rd world countries. (You haven't been watching the NEWS of late.)
I'm curious about this conclusion. Why is it an expectation that security practices would be weaker in a specific geographical/political region?
Logically speaking in my mind Tor = Deniability and in reference to the article...... "We don't really know whether the Tor users were the accounts' legitimate owners, or if they were hackers who had broken into the accounts by other means and were now using Tor to avoid being caught." With internet laws the way they are now I don't think there are too many lawyers out there making money on onion network cases.
I think people in today's society are way too paranoid. Don't get me wrong, there is good reason to protect yourself online, but 9 times out of 10 you are just protecting yourself from advertising agencies who are paying the big bucks for internet ads because TV ads are not the best way to advertise anymore. Major corporations like ABC, NBC, CBS all made the right move by taking the approach everyone else in the US should: they didn't rant and rave, they accepted and adapted. Now they generate more revenue online posting a single episode of a prime time television show by granting exclusive sponsorship to the highest bidder. Musicians compensated loss of revenue from pirated music by selling ringtones. Anti-p2p groups are becoming a thing of the past because companies are finally realizing they are getting double dipped by paying someone to protect them who has no authority or jurisdiction to do more than request your ISP to send you a letter saying you're doing something bad. I'm guessing if you're reading this you came across this article because you either have been scammed already or were scared and were looking for a way to "protect your privacy", or you were smart and realized, like everything else in life, "if it sounds too good to be true it probably is". A group of "hackers", as most would like to call them, could care less about your social security number. Why steal something you could just create your own? The good domestic groups are gifted people who have chosen to help their country by snooping other countries. All they are Blackhawk Mercenaries who have the ability to use a keyboard instead of a gun. Feel free to disagree but the only reason our government would be interested in someone like this would be to see if they were looking for a job. I got a little off track when I read over "A True Patriot's" post; to you sir I want to remind you the war is over, and remember to make sure all your friends drink the kool-aid first.
Just wanted to say if people just slowed down and thought about the big picture the so called "big brother" figure wouldn't be so big anymore. If you choose to use tor it's great you are researching it, because if you think it's absolutely necessary for everyday web surfing you're wrong, and unless you're committed to routine maintenance security checks you're at a bigger risk by being on the network. As said in the article 90% of people don't use encryption, lol; well, the same people who use it to their advantage good or bad are the same people who write the postings in forums explaining how to set it up. You do the math. Advice: you wouldn't go walking down a dark alley in New York City by yourself, so if you can't use the source code that tor provides and connect yourself... stay off, it's that simple. And if you are just interested in it go find a cheap computer that will have no private info and you can screw up a million times, load up linux and have at it.
JAP provides pseudo anonymity.
I want to hide even from my ISP which sites I visit. This is not possible using JAP, which uses the same DNS provided by the ISP.
So all an ISP has got to do is run a check on the DNS queries issued by me to figure out which sites I visit. Am I wrong here?
One idea, just food for thought. What would you do if you were a government that needed vital intel which technology threatened to obscure from you in the name of privacy? I was reading this and I had an interesting idea as to what I would do as a government agency assuming I were at least as smart as or employing the smartest in the information security field. BTW if I were this smart you'd never know I was employing their services and they would not achieve any recognition or fame, only monetary reward for their prowess.
If I were a Government and wanted to be sure I could always track and read anyones data without a court order or without visibility, and had vast time and resources at my disposal.
I would create foundations for privacy, personal security and anonymity. I would introduce excellent, top notch and free encryption solutions as projects donated to the open source community and updated by various individuals who had been contributing random software projects for years and would make sure it was so good that many individuals and even commercial organizations would adopt it. I would ingrain a sophisticated back door via a method that was likely to go unrecognized, and perhaps which was outside of current private sector research scope so as to be off the radar. Then I would ensure it was such that if discovered could at most be labeled a bug with no known exploits targeting it.
Then as for traffic monitoring:
I would not attempt to monitor all public traffic where the monitoring would always be subject to some level of oversight or exposure, where I would have to know what I was looking for and where someone, somewhere would know I was intentionally monitoring it. I would myself instead adopt the principle of plausible deniability in my surveillance and would create and donate the privacy, or anonymous networks which I could unofficially and anonymously scoop for any and all information. From time to time I would grumble about them as letting criminals, software pirates, hackers and child pornographers or worse potentially elude me with relative impunity. Local law enforcement would decry them and civil libertarians would defend them. Perhaps feeble legislation would attack them but inevitably be struck down as unconstitutional. Such a system would no doubt be a great "honey pot" attracting those with "interesting data" seeking to protect or conceal themselves, and the ratio of unimportant even if illegal, or simply confidential or embarrassing data by those simply concerned with personal privacy, or petty theft of people's credit card numbers and so forth to say that of "truly interesting data" such as that of real national security or significant criminal investigative importance would surely be higher than what one would find casting a wide net over general public communications, assuming one could justify doing so without specific reason and stating targeted objectives. If I needed to cast a wide net and constantly monitor everything so that I need only know what interests me once I have seen it and can have quick and exhaustive access to the most likely useful information, what would I do? I would leave the public communications mostly alone and protected even though its security would surely be suspect to those motivated and knowledgeable enough.
I would wait for those desperate to avoid its risk (those who likely might really have something to hide for good reason) to seek alternatives. Rather than try to play catchup via legislation or cracking of technology that threatened to conceal vital intel from me, I would instead make sure people had such alternatives and I would be one to create the best, most popular and totally free alternatives to plainly sending info over exposed public commercial channels. It would be free since I know payment leaves a trail which discourages use by those who truly wish to hide from me and who understand my basic, well known resources for tracking them. So there would exist services for anonymity and or privacy that would in fact provide this in most cases as far as most users were ever concerned. I would however directly mine them deniably with impunity for any and all data but never use this information to compromise the privacy or anonymity of 99% of its users and would not make it known to any other purposed or lesser agencies even in my own organization. It would be set up on a need to know basis and as few as humanly possible would in fact have this need. I would admit to and recant on some feeble, marginally useful public monitoring that would be exposed briefly in the media which would offend civil libertarians and would be my expected panicked attempts at "big brother-ish" information monitoring via quasi-legal backbone and wiretapping schemes.
I would never reveal my source of information and would let most illegal and detrimental information flow freely past my gaze without reaction save in a few most severe cases when an unrelated 3rd party might accidentally be given the chance to possibly notice a red flag that may prompt them to decide to examine someone closer using common known surveillance to be ready to catch other slip ups or leaks which would always be the justified and apparent cause of suspicion which prompted the noted legitimate visible legal investigation and prosecution. Otherwise I simply would let the drug dealers, pedophiles, hackers, credit card thieves and so forth enjoy their perceived anonymity and protections while taking their chances with common civil law enforcement agencies just as if my surveillance did not exist whatsoever. I would know that while use of my intel in investigating common below the law civil crimes would surely eventually raise suspicion and I would know that conversely the apparent successful use of these services by these elements with no repercussions would encourage trust by those I truly need to beware of and whose assumed anonymous data I would need to always see in order to make important decisions regarding national security matters above petty common civil law. If the public wanted to have secrecy, anonymity and privacy then I would be sure at the end of the day they got it from me, on my network, and their data lived in my house. So I (or my select single tasked agents) could quietly be in the know and myself generally valuing freedom of speech, anonymity and privacy could offer such to 99% of them with one important deniable and discrete exception never to be compromised by use for anything other than discreet reaction to matters of true importance to my nation's security. Would this be acceptable as long as I could avoid the pitfalls of abuse and not slide down the slippery slope of permanently legislating away my people's civil liberties?
If most people assumed I was bloated, dumb, inefficient and recognized me as seemingly being constantly behind the curve of technological developments, always reacting to new technology when it popped up as if it were but a confusing thorn in my old fashioned bureaucratic side, well then all the better.
Of course even if this could be the case with Tor coming out of the Navy and ending up with EFF, which I think it most likely isn't, that being more the plot of a Tom Clancy novel or James Bond movie most likely. I'm not sure I'd mind something like this so much given the state of the world today and the assumption that the government is made of people just like you who although not perfect do want to preserve their right to privacy, just like you or I, but recognize a need to balance that with safety and security. Certain examples excluded of course, such as the lamentable exploitations by some of our politicians or the ill-conceived knee-jerk panic legislations by some of our elected officials in the wake of the tragedy we have in the last decade, for whatever reason (be it oil dependence, corporate greed, poor foreign policy, or simply sheer ill fate in an evolving, growing, still competitive and consequently volatile global society), been made as a people to endure and attempt to address as best we can.
Which way is the best currently to be totally anon on the internet even from your ISP? Is it JonDo? (Aka JAP) or?
I had a cell phone which is searching by police ... when I switch on, the msg that says to call police ... how can retrieve from that
"I wonder privacy vs safety?"
If you want more people to read your comment, try using a few more paragraph breaks. Large, unbroken blocks of text are very hard to read.
Nice piece. Exit nodes of TOR, MIXMASTER, and JONDO drop all traffic in the clear mode. Anonymity has been achieved, however the data is not secure.
90% of traffic sent via such networks is not encrypted: Yes and this reveals a serious misunderstanding by the public concerning anonymity and security of end to end traffic sent over such systems.
"All that a malicious entry point would actually know is your source IP and the next Tor router in the route. Not the content or the final destination."
One can avoid this by making your own node a non-exit Tor relay. That's easy (three clicks on the Vidalia control panel), helps Tor, but the point is that there is now a lot of Tor-like traffic through your node, and traffic analysis for your node becomes much more difficult.
"90% of traffic sent via such networks is not encrypted: Yes and this reveals a serious misunderstanding by the public concerning anonymity and security of end to end traffic sent over such systems."
Why do you think so? If people use Tor for surfing, as many do, they often care only about one question: They want to be sure that nobody can find out what they are looking for.
Maybe The Iran and Turks hacker had sniffed on CIA agents via TOR "dummy" exit node.
So pls choose carefully your exit node.
India, as opposed to the rest of the world, is still primitive.
Don't be so ignorant.
Compare, not just accepting the label.
If the final destination is an onion (Tor) site, data is still encrypted end-to-end. If the final destination is an https site, the data should still be encrypted end-to-end (if the SSL works ha ha!). If the final destination is a non-onion, non-https site, the last hop is in the open.
Am I right?
What about DNS leaks with Tor Browser Bundle, vintage March 2012? The Tor project docs are unclear on this issue still . . .
Thanks, and Safe Surfing.
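The DNS questions raised in the comments above (the ISP's resolver seeing lookups, and DNS leaks when browsing through Tor) often come down to whether the client hands its SOCKS proxy a hostname or an IP address it has already resolved itself. The following is an added example, not part of any comment and not Tor's code: it parses SOCKS4/4a/5 CONNECT requests and reports who did the name resolution. The function names and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

def classify_socks_request(data: bytes) -> dict:
    """Parse a SOCKS4/4a/5 CONNECT request; report who resolved the name."""
    if len(data) < 8:
        raise ValueError("request too short")
    ver = data[0]
    if ver == 5:
        # SOCKS5 (RFC 1928): VER CMD RSV ATYP DST.ADDR DST.PORT
        atyp = data[3]
        if atyp == 0x03:  # domain name: the proxy does the lookup
            end = 5 + data[4]
            host, resolved_by = data[5:end].decode("ascii"), "proxy"
        elif atyp in (0x01, 0x04):  # packed IPv4/IPv6: the client did it
            end = 4 + (4 if atyp == 0x01 else 16)
            host, resolved_by = str(ipaddress.ip_address(data[4:end])), "client"
        else:
            raise ValueError("unknown ATYP")
        if len(data) < end + 2:
            raise ValueError("truncated request")
        (port,) = struct.unpack("!H", data[end:end + 2])
    elif ver == 4:
        # SOCKS4: VER CMD DSTPORT DSTIP USERID NUL; 4a: DSTIP 0.0.0.x + HOSTNAME NUL
        (port,) = struct.unpack("!H", data[2:4])
        ip = data[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            fields = data[8:].split(b"\x00")
            if len(fields) < 3 or not fields[1]:
                raise ValueError("SOCKS4a request without hostname")
            host, resolved_by = fields[1].decode("ascii"), "proxy"
        else:
            host, resolved_by = str(ipaddress.ip_address(ip)), "client"
    else:
        raise ValueError("not a SOCKS request")
    return {"version": ver, "host": host, "port": port, "resolved_by": resolved_by}

def possible_dns_leaks(requests):
    """Return parsed requests where the client sent an IP, not a hostname."""
    parsed = [classify_socks_request(r) for r in requests]
    return [p for p in parsed if p["resolved_by"] == "client"]

# Constructed sample requests (documentation address 192.0.2.10, example.com).
SAMPLES = [
    b"\x05\x01\x00\x03\x0bexample.com" + struct.pack("!H", 443),  # SOCKS5 name
    b"\x05\x01\x00\x01\xc0\x00\x02\x0a" + struct.pack("!H", 80),  # SOCKS5 IPv4
    b"\x04\x01\x00\x50\x00\x00\x00\x01\x00example.com\x00",       # SOCKS4a name
]
```

A request flagged "client" is not proof of a leak, since the application may simply have been given an IP literal; it marks where to check which resolver the client used.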
First off, I'm happy to find this thread on the Schneier site. Great stuff. The poster way above who was blasting anon as punishable by death is very cool tekkie, I think. Anyone who really thought all that would never have found his way here. The only thing that really bothered me here was Mr. Schneier's assertion re use of Tor---"..wants to hide the fact he's doing it." This is kind of foreign-thinking for a security pro~~ Anon/privacy is absolutely critical for even routine communications or browsing. Simply look at the trends. Repent, Mr. Schneier!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.