Nice. I am hoping onion services become more ubiquitous for desktop use. So many decentralized networks work so hard to solve things like NAT busting and network issues, and they still forget about anonymity.
I am personally working on a tiny side project to build a chat/forum/etc platform based around onion services for all users. Traditionally, it was annoying to have to ask users to install Tor and open up the control port so your app could leverage it. In a recent alpha there is an experimental tiny little C API that can start the Tor system in-app [0]. Leveraging some of the work from [1], I put in some effort to get all the steps working to compile Tor statically in a a single Rust exe on Windows [2]. As Tor's embeddability game increases, I hope more apps will consider using it as part of their network stack. Granted I know the problems that are inherent with "vendoring" security libs like these, but for some uses the benefits outweigh the costs of requiring separate downloads and separate daemons running.
Yeah, I've seen that. OpenBazaar's onion transport is similar to what I'm talking about when I mean the user has to have their own tor process IIRC. I would have used Go instead of Rust of CGO on Windows and static compilation didn't suck so much.
Would it be possible for you to port your work to I2P as well?
It's good to have a fallback network in case issues arise in Tor and something needs to plug the gap in the interim, and I2P would fulfill that roll pretty well.
There's not really much work to speak of yet. Last I looked at i2p, it carried a JVM with it and the C impl was not full featured iirc. Will have to look again.
The C++ routers have now largely become feature complete, IIRC they've even ported I2P-Bote to work on them.
And you have the JVM reference router still being developed, so there's at least three different implementations of the router and that helps with finding bugs and the like.
They're running a Tor website... that requires JavaScript. smh
>Error! :(
>Your browser is not running Javascript that is required to use the whistleblowing client.
>It's common believe that Javascript and security don't sound well together, for this reason we suggest to use the Tor Browser, an extremely tuned FireFox browser with Tor integrated. Here you can found and download the latest release of: Tor Browser.
Note that those who want a JS-free whistleblowing platform should look for SecureDrop.[1] It's also harder to setup and may not be possible for certain threat models.
You are right in the first part (I'm italian).
Regarding people doing a good job, I don't know if this is the case. I tried to use this service (just to see how it works), and:
- "anonymous reports will be considered only in particular cases" (!)
- you cannot report if you are a private person/company
- you have no kind of legal counseling / protection
- other limitations
I'm not sure if it was designed to get actual reports or not.
In fairness, some of that might just be inherent to the problem space; for instance, only considering anonymous reports in some cases could be a defense against random accusations with no actual evidence.
Also - fellow Italian here - I guess we must apologize for the English grammar/syntax in:
>Error! :(
>Your browser is not running Javascript that is required to use the whistleblowing client.
>It's common believe that Javascript and security don't sound well together, for this reason we suggest to use the Tor Browser, an extremely tuned FireFox browser with Tor integrated. Here you can found and download the latest release of: Tor Browser.
This said, the issue revolves more generally about the Italian Law, anonymous reports have much lesser credit/relevance than signed ones (this is understandable).
Besides the internet/modern way, the concept of "esposto anonimo" (anonymous report ) is well planted in the Law, but has very low "relevance", basically if you send one you are just suggesting the Authority to look in a certain direction, but there is no guarantee whatever that they will do so.
Not really, they ask you other information and only these market with * are required.
In fact, only a few information are required. Your job title aka position (make sense in case is a manager reporting an illegal activity other than a cleaner which might have really small amount of information) the entity involved and if you work in that entity or you just had some sort of relationship.
After all it make sense to have a big set of data to investigate in. If not would be complicated for anyone to understand what's going on. You're still reporting it at the anti corruption authority, so even if you give them more details you should be confident that they'll treat it carefully.
All the personal data (such as name, last name and so on) are optional. And, if you choose to not share your personal data, the form will be considered only if you complied with a level of detail that's enough to do an eventual investigation (if not, since they can't reach you out to ask you or details, would be useless to say "on December 2014 I saw a guy giving 10 euro to another one in the aisle of the department X in the state company Y. But was too dark and I can't tell who they are").
This opinion is controversial, and I’m not going to go into all of the reasons why, but unless you REALY know what you’re doing Tor can’t be trusted.
I’d wager only 1% of people on Hacker News would be capable of using a Tor setup for more than a day without getting owned.
You’re better off buying a burner iPod or iPad, stick to public wifi spots, and factory reset it once a week. Even then, watch what you type since vocabulary is fingerprintable.
Do you by any chance have any refs or links at hand explaining the topic more into depth. There are quite a lot on Tor www but covering more common use.
If you're good enough to understand how to use Tor securely you're good enough to know why random "newbuser"s shouldn't be on it. Tor is far more fingerprintable than people think it is and its riddled with adversaries and malware. Even if you're good you have a separate problem now: Keeping the USG et al from painting a target on you.
It isn't worth it.
You're in league with wannabe terrorists, misguided natsec journalists, blackhats, child pornographers. For what? What problem are you solving that warrants this heat?
Just use a burner iPad and wipe it frequently. If you're truly paranoid light up a DigitalOcean droplet with a pre-paid credit card and a false name and install OpenVPN on it make an image and cycle your IP. But short of being both a data scientist & cybersec expert (or an actual state actor with training from both) you aren't going to stay black from the NSA and to pretend otherwise is stupid.
> Tor is far more fingerprintable than people think it is
You seem to have no idea about the existence of pluggable transports.[1][2]
> and its riddled with adversaries and malware.
Yes, and so is I2P... Freenet... the Internet?
> Even if you're good you have a separate problem now: Keeping the USG et al from painting a target on you.
Isn't that an argument for using Tor? As Mike Perry (who works now on the vanguard proposal implementation) puts it, "we want enough people to actually use Tor Browser such that it becomes less interesting that you're a Tor user. We have plenty of academic research and mathematical proofs that tell us quite clearly that the more people use Tor, the better the privacy, anonymity, and traffic analysis resistance properties will become."
> Just use a burner iPad and wipe it frequently. If you're truly paranoid light up a DigitalOcean droplet with a pre-paid credit card and a false name and install OpenVPN on it make an image and cycle your IP.
Your IP will be known since you connect directly using your IP to the droplet. Also doesn't protect you from browser fingerprinting which alone may have leaked enough information to identify you.
[2] : https://www.pluggabletransports.info/ (really good folks work on them, and we should appreciate the amount of work that they put in obfs research)
I've been on HN for almost 10 years. You aren't going to get a cut and dry answer from most pros because most pros aren't going to post things in public forums. Pluggable transports have nothing to do with it. I've actually helped defenders against Tor based attackers. I've de-anon'd them. It was easy as fucking shit because most attackers are dumb and the Tor browser isn't 0day proof or as network isolated as people think it is.
Who is your adversary and what are the costs you are willing to bear to hide from them?
There are very few answers to that question that come out with: "Use Tor"
For the 99.9% of adversaries having a wipeable iPad will stop browser fingerprinting and switching up IPs or cafes will stop IP tracking. It wont stop network attacks, but you'll be pretty safe from 0days. For most journalists (or even drug dealers) it's the right approach.
"For the 99.9% of adversaries having a wipeable iPad will stop browser fingerprinting and switching up IPs or cafes will stop IP tracking."
Down my way, the streets are littered with cameras and I suspect they can match time and IP address and id you easily. This is the same in most industrialized nations probably.
(Not hiding from anybody here, just a thought experiment)
Edit: Very frequently the Police will ask for drivers who have in-car cameras when there is a crime or accident. And a lot of them do have cameras. In Australia.
The theory is that making your computer less finger printable and hence less unique is near impossible compared to a iPad you wipe on every use (you still have to use the iPad for other things). https://panopticlick.eff.org/ is pretty scary I'm almost always unique unless I do a trick like that.
An iPAd or any mobile device, including Android or Windows Mobile ones, runs mostly off closed software and drivers. You can wipe it completely but if the network device firmware instructs it to send a small magic packet somewhere to tell which terminal is that and where to find it, you're lost. If it had eavesdropping malware on it, it will be installed back with the next upgrade.
Unless one can set up packet inspection and filtering on a mobile network, and manufacturers release everything (hardware+firmware+software) as open source, there's no way to have security on any mobile device, including those sold as super secure.
This sadly also applies to bench PCs too, although the choice of the OS to install and being able to implement filtering lessens the problem just a bit.
And while ios might be a harder target for malware, Safari has plenty of problems -- such as inability to block JS unless needed, no adblocking. And iOS is quite chatty, sends all sorts of info back to Apple. No potential to filewall at all.
Of course you can. This is the argument used by governments in the UK and other countries, e.g. for key disclosure law (it’s illegal to possess encrypted data which you are unable to decrypt upon demand).
Even 5 - 10 years ago, basic disk encryption was seen as pretty sophisticated, in a “what’s at risk if you’re willing to do that?” kind of way. Now it’s standard. You can say similar things for 50 char randomized passwords encrypted on the client, TPMs, TLS by default, etc. etc.
The ratios are likely to change over time as more people realize that their privacy is important.
> To bolster your argument in a non-technical way: if Tor made users untrackable by US intelligence, would US intelligence really keep funding it?
Maybe; if US intelligence's high-value targets can be targetted by means that Tor does not protect (compromising endpoints, emissions-based techniques, etc.), and Tor provides US intelligence agents a way to exfiltrate information in a way immune to any but more involved, specifically targetted techniques, it might still be valuable to both have Tor exist and have it used by enough people not on US intelligence payroll that it's mere use didn't finger people as agents.
You have to remember that US intelligence does more than monitor people's communications, it also needs communication channels that are accessible, unmonitored, and deniable for its own agents.
Right, that's the theory, and certainly they do need users on Tor to create noise for their own agents. But considering their nonstop drive to weaken other forms of encryption and insert backdoors, I'd be a little bit cautious about taking that at face value if I wanted to start the next Silk Road.
" if Tor made users untrackable by US intelligence, would US intelligence really keep funding it?"
On top of dragonwriter's answer, I'll point out that "U.S. intelligence" doesn't exist as one entity in the way you ask that question. There are a number of groups that cooperate in some ways and compete or just diverge in others. The NSA and FBI want Tor cracked the most to find their targets. Whereas, the State Dept and/or the CIA that back Tor's funding want to protect both dissidents and assets overseas from state-level agencies monitoring communications. They need it to be unbreakable for some set of nation-state attackers.
Now, that doesn't mean that it needs to be unbreakable for the NSA, etc. The original guidance I read on Tor even warned that global adversaries would probably break it. The Many Eyes collaborations have visibility into a lot of the network. They're probably also honeypotting it with high-bandwidth links. It's also written in a tricky protocol in unsafe language on OS's done similarly running untrustworthy apps. They'll probably always have attacks on it for at least worthwhile targets even if State and CIA don't want that. It will still be valuable in many threat models, including NSA if combined with other methods. Especially if about delaying rather than permanently denying them info.
Of course it is true that US intelligence is far from monolithic, but I think it's a useful-enough abstraction for the purpose of thinking about the issue.
There is a wide and growing gulf between what cyber experts know and what the tech savvy public knows. The world is changing so fast right now you almost need to invent your adversary's tools to be free from them.
If you're talking with large numbers of people that don't trust Tor then it speaks more to the quality of your friends than it does about the prevalence of this opinion.
Even if you use it perfectly, between fingerprinting techniques which could be used to cross-reference your logged-in "normal" use and some of the communications Yasha Levine dug up (showing that Tor gave intelligence services early notice of vulnerabilities that had not been patched), I would be sure someone couldn't pierce the veil of anonymity.
That article is four years old. This claim I heard in an interview from him for his book that just came out (he got a bunch of e-mails through FOIA requests, as I understand it), and isn't addressed by this "very concise refutation." And some of the claims seem a little bit of a stretch (using the "Gate" suffix is a nod to Gamergate?
Isn't it more plausible that this is the same reference to Watergate that's been applied to every political scandal since 1973?). And it seems like that article mostly agrees with all the factual claims it examines but disagrees with the interpretation or their level of significance, rather than exposing anything as a falsehood.
> That still doesn't contradict the fact that using Tor is better than not.
Is it a fact? If Tor achieves nothing for someone trying to hide from the government except announcing that you have something you want to hide (is that the case? I don't pretend to be certain, but it seems possible) then I'm not sure it's better.
I haven't really had time to go through everything, so I was just going by what I remembered from the interview. The idea that they were sharing zero-days seemed like a big deal but I didn't really see which one he was referring to skimming those earlier, so I didn't bother linking. The other point he harped on a lot was them taking marching orders (for instance, that the application should be localized for Farsi during a time when the US was looking to promote dissenters in Iran).
I am reading the book now so I feel like I'll have a better judgment once I've finished. I didn't find your Twitter exchange very illuminating either way.
Can he give a legitimate source for that very serious claim? Note how he overplays a lot of things that are publicly and openly known. Yes, the Tor Project got funding at various points in time from the state department to improve "human rights" and "freedom of speech" around the world, especially certain countries deemed hostile to the US. So what? Yes, Roger Dingledine publicly stated (in a CCC talk) that he gave a talk at the NSA and another one at the GCHQ. So what? Does that mean that he's suddenly an NSA shill that will try to implement a backdoor in Tor for the simple reason that he gave a talk to them?
If the Internet is such a surveillance threat, and Tor doesn't help, why doesn't this Yasha Levine point to a single alternative?
He's just a FUD spreader, as demonstrated on the other posts, so just move on. If you think Tor isn't a technical solution then please provide alternatives.
So? It was just an example to show how Mr. Yasha misrepresents and twists facts to fit his preconceived conspiracy theory.
> Is it a fact?
Yes, because of the three hops design.
> If Tor achieves nothing for someone trying to hide from the government except announcing that you have something you want to hide (is that the case?
Millions of people use Tor nowadays that the mere fact that you connected directly to the Tor network doesn't reveal much. Not to mention that there are ways to hide the fact that you're using Tor thanks to pluggable transports.
As I said, I don't see anything in that article that makes me think that "Mr. Yasha" twisted any facts; simply that the author of the article doesn't agree with his interpretation.
> As I said, I don't see anything in that article that makes me think that "Mr. Yasha" twisted any facts; simply that the author of the article doesn't agree with his interpretation.
Are you joking? He wrote entire paragraphs on Tor in his book to push his thesis and you're thinking that it comes down to a matter of differing "interpretations".
> and suggest an up to date OpSec guide to using Tor?
Use Disposable Whonix VMs in Qubes OS (available in the 4.0-rc4) for the best secure experience that you can get right now. For less security, an alternative would be to use Tails or Subgraph.
You can also control how much attack surface you expose in your browser in the Security Settings in the Tor Button (Medium (now termed Safe) disables JS on HTTP websites, JIT optimization, and sets media files to click-to-play. High (now termed Safest) disables JS everywhere, and SVG...).[1]
In what way are Disposable Whonix VMs in Qubes OS more secure than Tails? I understand that the VM won't have access to the real IP address, but isn't there a possibility of breaking through the VM (while with Tails the entire system is disposable)? Are there other ways that it is more secure?
> In what way are Disposable Whonix VMs in Qubes OS more secure than Tails?
To de-anonymize Tails one needs to exploit Tor Browser first, then get root access. For Disposable Whonix VMs in Qubes OS one would need the additional availability of a Xen exploit to break out of the VM in order to de-anonymize it.
The more one studys the mechanics of corruption, the more one begins to understand that a similar battle has been waged in biology since the dawn of time.
The corrupting entity can not replace the corrupted entity, because it does not have the sufficient structures- and would fall prey to other corrupting entitys almost instantly. It can not grow bigger then the corrupted entity, due to its being dependent regarding nourishment on the corrupted entity.
All is fair in this little war. Strategys include shedding hard to corrupt matter (skin, muscus, nails and hair), have tissue with incredible replacement rates (colon-cells). Fast pace the life cycle of the corrupted entity, and have not enough nourishment in the offspring to continue the corruption.
Remedys include using of all natural substances (eat leaves to kill the worms), to behaviour changes (famous the way foxes bath, with a brush of hair forming a flea-raft)
Synchronize breeding cycles, to starve parasites and diseases. Destroy breeding grounds and switch locations, for stationary parasites.
Diversify into different corrupted entity-types to prevent specialized parasites from target hopping.
Im aware that this is dangerous comparison, and thus want to press that i do not compare humans with vermin. I do compare organizations made up by humans with organisms and parasites.
This measure is basically encouraging the parasites infrastructure to turn upon themselves. There is no reward and there is no protection of the parasite being damaged.
So it will be used mainly by other parasites to battle among one another (leak information about the neighboring clan)- or to have parasites on the parasites (aka the lower echelon members of the mafia removing upper echelons to raise).
My father is a hunter- he observed foxes, with lots of fleas ripping out hair and then going slowly into ponds, letting the raft of hair float away with the fleas on them.
I have to admit i never observed this myself, so for what is worth is currently hear say.
Ahh ok good question I didn't really flesh that out.
>"Why do you think tor is going to 'inevitably win'?"
Not just tor, but p2p in general. Basically the theory is that, as a species, we're used to few-source/many-sink communications networks.
We've been using them from the printing-press all the way up to DVDs. The internet & its "many-source" capabilities represents a threat to the prior (and existing) information-source monopolies...such as any media industries, national-banks, or governments.
A great way not completely lose control of information dissemination is to control the paths information must take.
Two great examples of threatening p2p protocols are Tor and the distributed bitcoin-ledger. Taken in conjunction with "criminal activity" historically being the way to demonize most cutting-edge tech when it challenges the status-quo, and a pattern starts to present itself.
To answer your question: I think our regulators are being reactionary Luddites & that p2p is sort of the spirit of what's driving this whole internet-thing...otherwise it would be interactive television.
i understand your sentiments, but i think the p2p model is never going to become so mainstream that they take over the equivalent centralised model. The reason being that "normal" people prefer ease and convenience.
The internet is practically already interactive television! very few people create and host, compared to the number of consumers.
> The reason being that "normal" people prefer ease and convenience
You're assuming we can't build a p2p network that is faster and better than the centralized ones we have today. People will eventually choose p2p because it brings them more ease and convenience.
Stupid question: there are so many public places that provide free wifi without authentication. If you go into one of these places and it is populated enough, and you have MAC randomization on, no smartphone on you, isn’t it good enough? Surely there are CCTV. But if you connect from a changing room or toilets of a busy mall, I don’t see how anyone could trace the connection.
At the very least you need to add a VM into that mix to stop (most of) the fingerprinting. You also need a trusted VPN, all kinds of JS and privacy blockers.
And that's assuming there are no hidden backdoors in your hardware. Which will be used, if you're important enough to track.
But Tor won't protect you against hardware backdoors either. If you disable javascript and open an incognito chrome session, I don't think browser fingerprinting can do much harm. If all you are doing is submitting a form on a whistle blower hotline, I'd expect it to be reasonably secure.
Unique doesn't mean identified (and if you disable javascript browser fingerprinting doesn't really works). In any case Tor doesn't help with that either.
Too bad onions was compromised by the NSA. that makes speaking up against the Bad Guys a bit more dangerous.
Admittedly there is a high chance that the Italian high brass has NO finger on the American high brass, however as long as there is no certainty it's a safety risk.
Well, anything special you do that covers your tracks may make you look suspicious. If Tor becomes more ubiquitous, maybe it won't draw suspicion anymore.
Right. Reporting corruption over Tor makes you look suspicious, but they probably don't know what you're doing. Reporting corruption without using Tor means they know exactly what you're doing and will catch you.
Tor was /targeted/ by the NSA, but I haven't read anything that makes me believe it (or onion routing in general) has been compromised. I get the feeling tor has proven so effective that the only reasonable attack against it is sowing mistrust.
If you access an http site, a government controlled exit node could inject js and eventually gather enough info through profiling mouse movements and browsing habits to ID you.
Even with https, if the feds are in cahoots with the certificate authorities, you would be just as vulnerable to this sort of injection right?
However, tor hidden services is another story. I think this is where a bad actor would hit a wall.
I keep toying with the idea of building a system that allows services to authenticate with you. It's not going to be useful for the general population, but for people who have a clue it would be useful for detecting CA hacks. Theoretically it's not so hard -- you send the service a key when you first start using it. The service signs challenges to prove that they have the key. Now an attacker must both hack the CA and get the private key to impersonate the service. I tried to figure out a way to do it with a plugin, but unfortunately it looks like it requires modifications to the browser to make it work. Thinking pragmatically, I suspect that it would never make it into a mainstream browser (for the same reasons that things like Persona never made it).
You're probably at more risk of a criminal-controlled exit node stealing your login details than you are of a government-controlled exit node working out your physical location.
> If you access an http site, a government controlled exit node could inject js and eventually gather enough info through profiling mouse movements and browsing habits to ID you.
> If you access an http site, a government controlled exit node could inject js and eventually gather enough info through profiling mouse movements and browsing habits to ID you.
It's impossible for Tor to magically encrypt the whole Internet. With any network that will allow you to access the clearnet, the endpoint will see the plaintext if the website you're communicating with doesn't have HTTPS. You're criticizing Tor for something that's impossible to solve. If you think that's possible then please open a ticket to https://trac.torproject.org/ outlining the solution. (Note that the Tor network is scanned to detect bad exits, and authorities flag them with a bad exit flag but they're still used for onion services and stuff)
Also now HTTPS usage is in the 70% from FF telemetry, and onion services are end-to-end encrypted.
> If you access an http site, a government controlled exit node could inject js and eventually gather enough info through profiling mouse movements and browsing habits to ID you.
Do you realize that the Tor Browser comes with loads of patches to Firefox that seek to minimize the amount of entropy leaked by your browser fingerprint? To be specific,[1]
> Timing-based Side Channels
> Attacks based on timing side channels are nothing new in the browser context. Cache-based, cross-site timing, and pixel stealing, to name just a few, got investigated in the past. While their fingerprinting potential varies all timing-based attacks have in common that they need sufficiently fine-grained clocks.
> Design Goal: Websites MUST NOT be able to fingerprint a Tor Browser user by exploiting timing-based side channels.
> Implementation Status: The cleanest solution to timing-based side channels would be to get rid of them. This has been proposed in the research community. However, we remain skeptical as it does not seem to be trivial even considering just a single side channel and more and more potential side channels are showing up. Thus, we rely on disabling all possible timing sources or making them coarse-grained enough in order to render timing side channels unsuitable as a means for fingerprinting browser users.
> We set dom.enable_user_timing and dom.enable_resource_timing to false to disable these explicit timing sources. Furthermore, we clamp the resolution of explicit clocks to 100ms with two Firefox patches. This includes performance.now(), new Date().getTime() , audioContext.currentTime, canvasStream.currentTime, video.currentTime, audio.currentTime, new File([], "").lastModified , new File([], "").lastModifiedDate.getTime(), animation.startTime, animation.currentTime, animation.timeline.currentTime, and document.timeline.currentTime.
> While clamping the clock resolution to 100ms is a step towards neutering the timing-based side channel fingerprinting, it is by no means sufficient. It turns out that it is possible to subvert our clamping of explicit clocks by using implicit ones, e.g. extrapolating the true time by running a busy loop with a predictable operation in it. We are tracking this problem in our bug tracker and are working with the research community and Mozilla to develop and test a proper solution to this part of our defense against timing-based side channel fingerprinting risks.
Yasha Levine just released a book which is supposed to give a lot of documentation for his claims. It sounds compelling from a few interviews I listened to but I'm not that far into the book.
I am personally working on a tiny side project to build a chat/forum/etc platform based around onion services for all users. Traditionally, it was annoying to have to ask users to install Tor and open up the control port so your app could leverage it. In a recent alpha there is an experimental tiny little C API that can start the Tor system in-app [0]. Leveraging some of the work from [1], I put in some effort to get all the steps working to compile Tor statically in a a single Rust exe on Windows [2]. As Tor's embeddability game increases, I hope more apps will consider using it as part of their network stack. Granted I know the problems that are inherent with "vendoring" security libs like these, but for some uses the benefits outweigh the costs of requiring separate downloads and separate daemons running.
0 - https://blog.torproject.org/tor-0331-alpha-released-back-uns... 1 - https://github.com/iCepa/Tor.framework 2 - https://github.com/cretz/rtsw-poc