Tor : Anonymity Online - Hide Your IP

posted on Jul, 11 2008 @ 11:12 AM
link   
Hi there, I wanted to put this out there and try and get some feedback..
TOR, the anonymity network is a program that protects its users from

"traffic analysis, a form of network surveillance that threatens personal freedom and privacy"

I've used TOR a few times, it's a bit slow but indeed your IP is totally different making you seem anonymous.

My question is, to those with big brains, how effective is TOR really?

Surely data from my PC goes through my internet provider before it goes through TOR so BT in this case know what sites I'm browsing but the sites don't know where I came from?

Anyway here's the site...
www.torproject.org...

It might be useful, especially considering the way the net is going...



posted on Jul, 11 2008 @ 12:03 PM
link   
As a longtime user of TOR, I'll try and give a coherent response.

For those of you that are not familiar with TOR it works like this. A number of volunteers, very often universities and techies, run software that enables their computer to be a TOR node.

When you install a TOR client on your computer, you can configure certain applications to be routed through TOR instead of getting to wherever they are going directly. When an application uses TOR, you direct its messages to the TOR client. Let's use Firefox as an example. When I "TORify" Firefox, I set it up to use my TOR client as a proxy. If I were to come to ATS, I would enter www.abovetopsecret.com... as usual into my browser.

Then TOR takes over. My TOR client hunts for a TOR node which becomes the starting point of a chain of TOR nodes that leads to the site www.abovetopsecret.com... When my browser sends a request, my TOR client encrypts it and sends it to the first TOR node. The first TOR node then re-encrypts the message and sends it to the next TOR node in the chain. Finally, the message reaches a TOR node that acts as an exit point and decrypts the message and sends it to www.abovetopsecret.com...

Since the message is encrypted when it leaves my machine, the only thing my ISP knows is that I am sending some data to the IP address that corresponds to a TOR node in, say Germany.

The response from www.abovetopsecret.com... is sent back to the exit TOR node and the same process is followed to send the message back over a chain to my TOR client that finally decrypts it and sends the result to Firefox. The message is encrypted until it gets to my machine.

One of the reasons that TOR is effective is that no TOR node in the chain knows the whole path, it only knows the address of the node it got the message from and the address of the node it is sending it to.

I use TOR whenever I do research on websites that are either blocked to me (my ISP is a cable company and blocks websites owned by their competitors) or when I do online investigations for clients. I also use it for anonymously using my instant messaging and for hiding my or my clients' IP address when using webmail for sensitive communications with my confidential sources or whistle blowers (or current lovers).

Because of the latency in sending a TOR message, it is not intended for P2P or downloading files since the bandwidth requirements put a real strain on the system.

There are two security risks. The first is that the Torified application may embed your IP address in the body of its message -- browsers in particular are bad for this, so TOR often has to be used with another application, like Privoxy, to get true anonymity.

The second is a risk that is being debated as the result of this paper Tor exploit but I think is questionable enough to not make me give up TOR.

The danger is that a hacker or gov't agency could set up a Tor node and after decrypting your message, scan it for your embedded IP address if it has not been scrubbed out by an app like Privoxy before re-encrypting it and sending it on to the next node.

The big trick to TOR is making sure that you set it up correctly to avoid "leakage" of IP information. The TOR documentation is pretty good. I am a total supporter of TOR.





[edit on 11-7-2008 by metamagic]



posted on Jul, 11 2008 @ 12:29 PM
link   
I never use TOR or anything to block my I.P., there's no point in the UK.
But if a hacker wanted to get into your computer it's easily done no matter what software you were running.
Some of the best hackers in the world have done work for the government.
Just google Kevin Poulsen, he could hack your computer in 10 minutes.


sty

posted on Jul, 11 2008 @ 12:33 PM
link   
reply to post by tomatoevine
 


Well, using Linux instead of Windows would make it harder for the hacker.



posted on Jul, 11 2008 @ 01:04 PM
link   

Originally posted by tomatoevine
I never use TOR or anything to block my I.P., there's no point in the UK.
But if a hacker wanted to get into your computer it's easily done no matter what software you were running.
Some of the best hackers in the world have done work for the government.
Just google Kevin Poulsen, he could hack your computer in 10 minutes.


Tor has nothing to do with making your computer secure or not. You appear to be confusing Tor with other applications that harden your system like iptables and Bastille, if you are a Linux user. Since I don't do Windows, I don't know what the MS equivalent products might be.

Tor is software for anonymizing your on line activities, nothing more. It is certainly not a firewall. However, the one thing that Tor might do is to make it harder for hackers to find you if they are trying to locate you via your IP address. However, given the sort of botnet activity we see out there, it would seem that hackers are more interested in just finding any jackable machine regardless of who you are.

[edit on 11-7-2008 by metamagic]



posted on Jul, 11 2008 @ 01:41 PM
link   

Originally posted by sty
reply to post by tomatoevine
 


Well, using Linux instead of Windows would make it harder for the hacker.


Using Linux AND proxy hopping makes it practically impossible!


Yeah, I'm a Linux user, Ubuntu 8.06



posted on Jul, 11 2008 @ 06:37 PM
link   
reply to post by metamagic
 


Ok thanks for making that more clear



posted on Jul, 11 2008 @ 06:47 PM
link   
TOR is not secure. It never has been.


Google:

Dan Egerstad

Deranged Security



posted on Jul, 11 2008 @ 09:41 PM
link   

Originally posted by makeitso
TOR is not secure. It never has been.


Google:

Dan Egerstad

Deranged Security



I think the problem is that you are confusing the notion of "secure" and "anonymous".

To say that our data is secure means that anyone who intercepts our data in transit cannot read or understand the data. Normally we secure data with some sort of encryption which most users do by using some form of encryption software. For example, HTTPS is secure because it sends all HTTP requests and responses in an encrypted form.

However, secure is not anonymous. Based on the information contained in the headers of the HTTPS messages, if we monitor traffic we can still tell who is talking to who even though we cannot understand the messages. By using Tor, we remove the ability of anyone monitoring to identify the path or who is talking to who -- we make the message anonymous.

Tor encrypts messages between nodes, but at each node, the received messages are decrypted and then re-encrypted for the hop to the next node. The node itself has access to the raw message payload. This is how the Swedish hacker Dan Egerstad hacked into people's data -- he set up a Tor node and looted the unsecured messages that came through.

The problem is not with Tor, the problem is that the banks and NGOs and other users were sending sensitive information over Tor unencrypted and relying on Tor to encrypt between nodes but leaving it vulnerable within nodes.

My company uses Tor on a regular basis. Any confidential data that is sent over Tor must be secured via encryption or other means. But there is a lot of data we send over Tor that only needs to be anonymous, not secure. For example, if we are posting a government UFO document on ATS, it doesn't have to be secure because we are making it public anyway, but we want it to be anonymous to prevent the men in black from finding out who we are. On the other hand my bank login info should be secure but does not need to be anonymous. The data that Dan Egerstad stole should have been secured in ANY transmission, Tor or not, but was not. This is a security procedure failure, not a flaw in Tor.

The other thing we have to keep in mind is that no system can be totally secure. What we want are systems that are secure enough. Organizations that search the internet traffic are hunting through massive amounts of data, so for our purposes Tor and other tools lower our profile enough to let us slip under the radar of hackers and the government data mining programs. But if we were specifically targeted, then nothing available can protect us. Just like a bank vault, if someone really wants to break in, they will even if it takes a tactical nuke, so we design bank vaults secure enough to make the effort to break in greater than the reward gained by breaking in.

There are a lot easier pickings out there for hackers and governments to focus their attention on than those using Tor and other security tools effectively. Remember the old saying, when you go into bear country, make sure you can run faster than at least one of your companions. Tor and encryption give data sneakers.

[edit on 11-7-2008 by metamagic]
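The secure-versus-anonymous point made in the post above, and the "no node knows the whole path" point earlier in the thread, as a small model (an added example, not code from any poster or from the Tor project). It assumes a toy SHA-256 keystream cipher standing in for Tor's real cryptography, and the relay names, keys, destination and credentials are all constructed.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with SHA-256(key || offset)). NOT Tor's crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(payload: bytes, next_hop: str, key: bytes) -> bytes:
    """Add one layer: only the holder of `key` learns next_hop and the inner blob."""
    cell = json.dumps({"next": next_hop, "inner": payload.hex()}).encode()
    return keystream_xor(key, cell)

def peel(cell: bytes, key: bytes):
    """Remove one layer; returns (next hop, inner blob)."""
    obj = json.loads(keystream_xor(key, cell))
    return obj["next"], bytes.fromhex(obj["inner"])

def build_onion(payload, path, keys, destination):
    """Client side: wrap the exit relay's layer first, the entry relay's last."""
    hops = path[1:] + [destination]      # what each relay learns as its next hop
    cell = payload
    for relay, nxt in reversed(list(zip(path, hops))):
        cell = wrap(cell, nxt, keys[relay])
    return cell

def route(cell, path, keys, client):
    """Each relay peels its own layer; record exactly what that relay can see."""
    views, prev = {}, client
    for relay in path:
        nxt, cell = peel(cell, keys[relay])
        views[relay] = {"prev": prev, "next": nxt, "sees": cell}
        prev = relay
    return views, cell                   # cell is what reaches the destination

# Constructed sample data (hypothetical names and keys).
KEYS = {"entry": b"k-entry", "middle": b"k-middle", "exit": b"k-exit"}
PATH = ["entry", "middle", "exit"]
E2E_KEY = b"shared-with-destination"     # stands in for HTTPS/PGP end to end
SECRET = b"user=alice&pass=hunter2"

def simulate(payload, destination="bank.example", client="client-ip"):
    onion = build_onion(payload, PATH, KEYS, destination)
    return route(onion, PATH, KEYS, client)

if __name__ == "__main__":
    for label, payload in [("Tor only", SECRET),
                           ("Tor + end-to-end", keystream_xor(E2E_KEY, SECRET))]:
        views, _ = simulate(payload)
        print(label)
        for relay in PATH:
            v = views[relay]
            print(f"  {relay:6} from={v['prev']:9} to={v['next']:12} "
                  f"sees={v['sees'][:24]!r}")
```

The entry relay knows the client but not the destination, the exit relay knows the destination but not the client, and the exit relay reads the credentials in the first run but only ciphertext in the second.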



posted on Jul, 11 2008 @ 10:45 PM
link   
Thank you, no.
I'm not confused about the differences in security and anonymity. The loss of security at the exit nodes automatically infers the loss of anonymity.

Dan E's story exposed that there is neither full security nor full anonymity in TOR. It can be a useful tool, but not the silver bullet people think it is.


Originally posted by metamagic
By using Tor, we remove the ability of anyone monitoring to identify the path or who is talking to who -- we make the message anonymous.


You are only half right about TOR's anonymity.
Firstly, it's reported that TOR is incorrectly configured more than 50% of the time. This misconfiguration allows anyone monitoring the traffic to find them.

There are other issues. To quote security expert and TOR user Sam Stover:


"I would not use or recommend the tool to hide from people between you and your endpoint. It's really purely a tool to hide from the endpoint," he says.


This is the same anonymity issue with any proxy server or router. Anyone between you and the place you're sending the data to has the potential to access the data, and identify the origin/endpoint. It also shares the same issue of being subjected to subpoena.

As I said, half right about anonymity.




Tor encrypts messages between nodes, but at each node, the received messages are decrypted and then re-encrypted for the hop to the next node. The node itself has access to the raw message payload.
[edit on 11-7-2008 by metamagic]


I think you meant to say the node itself and anyone monitoring that node has access to the raw data.

This is especially true of the exit node, where the data is decrypted so that the next non-TOR router/server can read it. In doing so it gives anyone monitoring the node access to the data. Thus the lack of security I mentioned.


With this additional information in mind, it truly begs the question, who is running the nodes you bounce the data thru? Who is paying for the large bandwidth nodes that everyone prefers because they are faster? Who is paying thousands a month for that bandwidth? Why?



posted on Jul, 12 2008 @ 10:07 AM
link   
Thanks makeitso for a great post. After carefully reading through it, I think that we are actually in agreement on all the substantive points and disagree only in places where either I have not explained myself well enough or where we draw different conclusions about what level of security we need.

For example, you state


Dan E's story exposed that there is neither full security nor full anonymity in TOR. It can be a useful tool, but not the silver bullet people think it is.

Absolutely correct. I tried to get that message across when I said


The other thing we have to keep in mind is that no system can be totally secure.

I get very frustrated dealing with people who are in the magic bullet mindset -- if they just get this product or that server, all their security problems will go away, but they won't change the default password on the admin account. Hey, they don't have to worry about security, the product does that for them.


I think you meant to say the node itself and anyone monitoring that node has access to the raw data.

Mea Culpa, that is exactly what I meant but I guess the inference was not as obvious as I thought it was.


This is especially true of the exit node, where the data is decrypted so that the next non-TOR router/server can read it. In doing so it gives anyone monitoring the node access to the data. Thus the lack of security I mentioned.

Again, totally correct, which is why I stressed the importance of securing the data by other means instead of relying on Tor encryption when I say


Any confidential data that is sent over Tor must be secured via encryption or other means.


I suspect the figure of 50% misconfigured Tor clients is low, based on my experience. It's also my experience that many of our clients who misconfigure Tor have not even read the documentation! That's not a Tor problem, that is a stupidity problem. In other words, it doesn't have to be so. As Sam Stover points out


The discovery that sensitive, government emails were passing through Tor exit nodes as unencrypted, readable data was only mildly surprising to Egerstad. ..."People think they're protected just because they use Tor. Not only do they think it's encrypted, but they also think 'no one can find me'," Egerstad says. "But if you've configured your computer wrong, which probably more than 50 per cent of the people using Tor have, you can still find the person (on) the other side."

Initially it seemed that government, embassy, NGO and corporate staffers were using Tor but had misconfigured their systems, allowing Egerstad to sniff sensitive information off the wire.



Anyone between you and the place you're sending the data to has the potential to access the data, and identify the origin/endpoint. It also shares the same issue of being subjected to subpoena.


Again, I agree totally which is why the data should be secured before it is sent over Tor.

There are a couple of other points that I think you raise that I should have also stressed but didn't get around to in my post and I'll do that in my next post. But I see I am running out of characters.....



posted on Jul, 12 2008 @ 10:31 AM
link   
I find Tor to be really useful. I'm in the UK & it enables me to watch content on US websites (tv shows etc on the CBS website) which is normally unavailable to users outside the USA.
Enabled me to watch "Jericho" months before it aired in the UK.
Fairly slow, but hey I'm not complaining ;-)



posted on Jul, 12 2008 @ 10:37 AM
link   
reply to post by makeitso
 


A major point you raise from the Sam Stover article is worth serious consideration.


Tor was developed by the US Navy to allow personnel to conceal their locations from websites and online services they would access while overseas. By downloading the simple software, personnel could hide the internet protocol address of their computers - the tell-tale number that allows website operators or intelligence services to determine a user's location.


In addition to hackers using Tor to hide their origins, it's plausible that intelligence services had set up rogue exit nodes to sniff data from the Tor network.

"Domestic, or international . . . if you want to do intelligence gathering, there's definitely data to be had there," says Stover. "(When using Tor) you have no idea if some guy in China is watching all your traffic, or some guy in Germany, or a guy in Illinois. You don't know."

Egerstad is circumspect about the possible subversion of Tor by intelligence agencies. "If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they're using lots of bandwidth, they're heavy-duty servers and so on," Egerstad says. "Who would pay for this and be anonymous?"


To be fair, many nodes are run by Universities and other institutions that do have the bandwidth and who also benefit from anonymity tools. But you always have to assume that everything you do is monitored on line if you really want to be secure.

There are four ways to be secure.

The first is encryption. This is generally a good defense against hackers and those just out cherry-picking. It's just too much effort to bother cracking the data when so much other juicy stuff is being sent in the clear. The problem with using encryption is that it is like putting a big neon sign on your data saying "I have something to hide". In other words, it may draw attention from those who you really don't want attention from.

The second is steganography. That is the hiding of messages in data so that they are available to only the receiver. An ancient technique (eg. invisible ink) used by products like BlindSide or Stegcomm to hide text inside digital images.

The third is allegorical substitution. You see this all the time in spy movies where the secret agent calls his contact and says "The birthday party has been canceled" to mean that he has just blown up the bad guys. Rather than hiding one message inside another, we use an innocent message that has a second prearranged meaning.

The fourth is to not use the internet for certain types of data.

So what do you do if you know that someone, NSA or CSE is listening? Well, first of all you have to realize that unless you have attracted their special attention, they are probably not listening to you. They are just capturing terabytes of data daily that is mined using various data mining techniques for patterns that interest them. To be secure enough often means that you have configured your data so that you don't match the patterns they are interested in -- you stay below their threshold of interest. The sheer amount of monitoring that is going on actually works in your favor.

Security and anonymity are achieved with a planned security policy and protocol that utilizes a variety of tools and techniques. As makeitso rightly points out, relying on any one tool for security is dangerous, but we also have to decide how much security is enough security and then act accordingly. Tor is a tool and used correctly, as with any tool, serves a very useful function.

If anyone out there wants to use Tor, at the very minimum, read the documentation and configure it correctly! Please.



posted on Jul, 12 2008 @ 10:39 AM
link   
reply to post by Niall197
 


You are right, we got so caught up in our discussion on Tor security we forgot..


However, Dmitri Vitaliev, a Russian-born, Australian-educated computer security professional who lives in Canada, says Tor is a vital tool in the fight for democracy. Vitaliev trains human-rights campaigners on how to stay safe when online in oppressive regimes. "It's incredibly important," he said in a Skype chat from the unrecognised state of Transnistria, a breakaway region in Moldova where he's assisting a local group working to stop the trafficking of women. "Anonymity is a high advantage in countries that perform targeted surveillance on activists."

It's also used to bypass website censorship in more than 20 countries that censor political and human rights sites, he says.



posted on Jul, 12 2008 @ 11:42 AM
link   

Originally posted by metamagic
I think that we are actually in agreement on all the substantive points


You are quite correct. We do agree on the vast majority of the points.

I just wanted to take a moment to point out (for those who are not aware) that there are security/anon issues with TOR despite claims to the contrary.

It is just another tool in our kit, and as with all other tools, its usefulness is limited by the user's knowledge, and the unknown node/router/server owners' ethics/loyalties/laws.

One other point is that of the Universities hosting the large nodes.
For some reason this is inevitably brought up when discussing TOR nodes as if they or their staff/admin are above any nefarious activity. Just as inevitably I always take a moment to point out that the major funding for Universities around the globe comes from the very sources they fear are monitoring them. The governments and large corporations of those countries. Those Universities have intelligence members on their staff and the Gov's/Corps have the ability to strong arm the University into doing their bidding. Just something to think about.


I would also like to thank you for your quality, non-combative posts, and for highlighting how TOR can be useful bypassing non-democratic processes.



posted on Jul, 12 2008 @ 12:28 PM
link   
And kudos to you too for elevating the quality of this thread with your posts -- and forcing me to work harder at improving my own posts!



posted on Jul, 15 2008 @ 12:43 AM
link   
Good information on the pros and cons, thank you guys



posted on Jul, 15 2008 @ 08:04 PM
link   
Having done some tracking of folks (spammers) who are using anonymizers, I can say that IF someone has very very high level skills (and some connections with folks who run certain computers) and IF they are really angry and determined and IF you post more than once, we can find you and track you down.

I learned White Hat Hacking back in the 1990's, with the old Make Money Fast Hall Of Horrors gang. Every once in awhile I still use the old skills -- not into it as much these days, but yes you can be tracked.



posted on Jul, 15 2008 @ 11:24 PM
link   
hi y'all! just wanted to add that TORproject can't be accessed by default here in the UAE (along with flickr, skype, etc). Other sites that host lists of proxy servers (anonymous http, https, socks, etc) are blocked as well. But, as they say, there are other ways of getting around this digital wall.



posted on Jul, 15 2008 @ 11:33 PM
link   
I was told that if someone wants to track you down bad enough then they will, doesn't matter what you're using. Is this true?



