Remain Anonymous with Javascript on ?

Discussion in 'privacy problems' started by Peter Griffin, Jan 10, 2010.

Thread Status:
Not open for further replies.
  1. Peter Griffin

    Peter Griffin Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    1
    Is it possible to stay 100% anonymous under the following conditions?

    1. Running secure VPN tunnel software (ie. Total Net Shield)
    2. Running firewall to ensure that your browser can only make connections to the local proxy (VPN)
    3. Disable Java and ActiveX
    4. Enable JavaScript
     
  2. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I have Xerobank and use all of the javascript I please...Woo Hoo!
     
  3. oldymin

    oldymin Registered Member

    Joined:
    Oct 31, 2008
    Posts:
    25

    LOL...Caspian, you always crack me up with your spamvertising answers to people concerning xerobank. How much are they paying you ? Or do you get free service for promoting a US one-man-show ? :)

    As for javascript; js alone will not do much harm, at least so far no single attack based alone on js demonstrated it could reveal the IP of computer. But i'm happy to hear if anyone has some tests we can check !
     
  4. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    @oldymin

    What internet anonymity approach do you recommend, and why?

    Using your preferred approach, what results do you get at <http://decloak.net/> and <http://deanonymizer.com/>? I'm using multi-hop XeroBank, and neither finds my true IP. If you know of a site that might be more thorough, please post the URL.

    What are your <http://Speedtest.net/> results? I'm currently getting ca. 2 Mb/s down and ca. 0.9 Mb/s up on multi-hop XeroBank.
     
  5. jesusjesus

    jesusjesus Registered Member

    Joined:
    Jul 21, 2009
    Posts:
    61
    I remember there was a thread here that was deleted by a mod that linked to an article talking about ''a new weapon'' available to police cyber crime units that could locate people who were using secure vpn or tor proxies using any form of internet connection cable/fibre/adsl etc. Not much detail was given except that it relied on the person having a wireless router.

    I guessed it worked in the same way that googlemaps knows your approximate location based on the known mac address's of wifi signals in the vicinity of your home. This requires the google gears browser plugin. I don't know how police are doing this, could it be as simple as a script that activates the wifi geolocation when a person visits a particular website or maybe it's a trojan the person gets infected with?

    It's reasonably man power intensive. The software identifies your approximate location, and then a tracking vehicle would have to locate the home from where your wifi signal is coming from.

    So, i'm not sure you are as safe as you think if you get on the wrong side of the government/police.
     
  6. Dogbiscuit

    Dogbiscuit Guest

  7. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I have yet to see an example where javescript ALONE is used to get a user's real IP.
     
  8. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    hi there,

    any recommendation beside xb?
    hopefully is free.... going to install either packetix or ultravpn......
    any thoughts?
     
  9. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I believe that Caspian’s confidence in XeroBank is warranted. If technical information exists that shows otherwise, it would be worth highlighting in this thread.
     
  10. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I believe that Caspian’s confidence in XeroBank is NOT warranted. If technical information exists that shows otherwise, it would be worth highlighting in this thread.

    You see, there are 2 different sides of the same "coin". The beautiful part is that you can't prove yours and I can't prove mine :)

    And to answer to the original poster's question: yes, it is possible.
     
  11. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I'm connected to XeroBank multi-hop via OpenVPN and exiting in Amsterdam. Only the XeroBank exit IP shows up in testing at <http://decloak.net/> and <http://deanonymizer.com/>, in both cases with scripts permitted. Also, only XeroBank's DNS nameserver at the same exit IP shows up in Steve Gibson's DNS spoofing test <https://www.grc.com/dns/dns.htm>, and it gets a moderate-excellent grade.

    Of course, any properly-configured Tor setup should yield analogous results, I presume (although I'm not sure what DNS nameserver would appear).

    Any y'all know tougher decloaking tests?
     
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I can confirm that a properly-configured Tor setup gives good results with both anonymity checkers.
     
  13. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Those two anonymity checkers aren't a good way to check anonymity really. I checked them with a simple http proxy I wrote myself, I have Java and Javascript enabled, only one of them and only through flash could detect my real IP....
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No. Anyone who tells you it is possible to be 100% anonymous is wrong. Anonymous from whom is the question. Who are you trying to be anonymous from? Snoops and hackers? Your ISP? Your destination address? Your local authorities? Your state authorities? Your national authorities? International authorities? Multinational authorities? It all depends on what level of observation you are trying to evade.
     
  15. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Mea culpa. It's tempting to focus on anonymity from destination sites, because failure is readily observable and success is reassuring. The rest is a morass. If one of us goes down, perhaps the rest will see the news, and learn something about how not to proceed.
     
  16. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    XeroBank describes the xB Browser as being “incapable of leaking. It can view full flash and Java and JavaScript without worrying about man-in-the-browser attacks, hijacks, or exploits” (see here). Doesn’t the same statement apply to xB VPN?

    With respect to JavaScript specifically, how is xB VPN less than "100% anonymous"?
     
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No. That means that your anonymity level won't drop because of running javascript; Although the anonymity level XeroBank provides is very substantial, it is not an evaluation of the anonymity level provided. That statement should be evaluated as you're still x-degrees anonymous from y-observers, even using javascript and rich medias.

    I could say that it is possible that you could craft a javascript-based attack that would be specifically trying to do things like turn off your VPN and change your routing, which could be true, but I've never seen one. However in a universe where that doesn't happen, it is not a generic threat like javascript relatively can be. Using the XeroBank VPN is active protection against semi-passive threats like Javascript.
     
  18. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    You probably never saw one simply because it is not possible. If you think it is possible to do such things, then by all means, a proof-of-concept is more than welcomed :)

    So is using other VPN solutions or Tor.
     
  19. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    They can track down anyone they want to if they choose to do so by performing entry/exit correlation. Xerobank is a lot more vulnerable to this than TOR due to the fact that TOR has hundreds of thousands of users in its network where as Xerobank probably only has a few hundred.
     
  20. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    That's probably true. However, someone would have to be rather interesting to warrant global traffic analysis, no? OTOH, I can imagine that evil Tor exit nodes could troll passively. Are there ways to minimize that risk?
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    anybody who has access to traffic logs can perform entry/exit correlation and there are many people who do have access.

    with regards to tor the best option would be to donate your own server to the tor network that way you can connect to it directly and ensure that it is not logging.
     
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    XeroBank is actually stronger anonymity than Tor due to our multiplexing and node optimization and traffic controls. We have significantly higher crowding per node than Tor does by an order of magnitude. Sadly, anonymity can't be measured yet, as no metric exists, but... It is a fallacy to think the more nodes you have the higher your anonymity. A computer can correlate traffic and does not distinguish between a network of 2 computer or 2 million computers, it can track it all. XeroBank employs anonymity techniques and technology that Tor does not have nor deploy, nor is it vulnerable to evil participants as Tor is. Btw, same traffic + more nodes = less crowding = smaller anonymity set = lower anonymity. If you want to increase the anonymity of tor, the best method is to NOT run a node, lol.

    Lol. I'm not saying I never saw one period, i've never seen one in the wild. We've used javascript to completely destroy anonymity before. Look at the control port exploit against tor, 100% compromised. There is another unpublished attack against IE that has been developed that can turn on javascript in the browser, even if you have turned it off, and then it can be used to turn on java, even if you have it disabled, which can then do almost anything. The issue with javascript isn't that it can't be done because it certainly can and has, it is that nobody is really doing it actively.
     
    Last edited: Jan 19, 2010
  23. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    This is FUD, not proof.

    That is a 2 years old issue, that was solved since then.

    This is a specific browser vulnerability, that will also be patched (probably).

    As you were saying, there is no 100% anonymity, but that is not because JS, but because other vulnerabilities.
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Javascript is primarily and almost exclusively used in... wait for it... web browsers. Trying to say "oh, well that is a web browser issue, i'm talking about just javascript" is foolish. They come together, they get exploited together. A javascript bug to exploit a browser flaw, a browser bug to exploit a javascript flaw, it doesn't matter. The two culprits are always together. As for the tor control port exploit, it happened. It used javascript as the primary method of attack and deanonymized the entire tor network. It doesn't matter if it was patched, as the exploit is a demonstration of what is possible if you have enough determination and intelligence; the fact is that javascript was the primary attack vector in the largest successful anonymity compromise that ever existed. Is javascript a threat to anonymity? Absolutely, no question, proven, case closed. It doesn't matter specifically that it was javascript, but javascript was weaponized and worked across every single browser, firefox, ie, even the text-based lynx browser got compromised! Anytime you allow foreign code to run on your computer, there is potential for compromise.
     
    Last edited: Jan 20, 2010
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    JanusVM is free, and it should pass the various anonymity tests, even with JavaScript, Java, Flash, etc. on.
     
Loading...
Thread Status:
Not open for further replies.