Researchers improve de-anonymization attacks for websites hiding on Tor

Discussion in 'privacy technology' started by ronjor, Jul 30, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
  2. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    Interesting. This is one of TOR's design flaws. They are trying to address it but it seems they are running up that hill.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I don't entirely trust Tor. So I always use it through nested VPN chains (usually with three VPN services, but sometimes just two, if I'll be running many instances, and am just hitting my own hidden services). For more anonymity and deniability, I've used anonymously-leased remote VPS or servers as workspace, and use them via Tor.

    I typically setup anonymously-leased remote servers just like local ones, with FDE (LUKS with LVM2) and VirtualBox. With dropbear in the pre-boot system, I can unlock LUKS volumes via SSH. There's no physical security, of course, but I know whenever the server reboots. And if it reboots spontaneously, I can choose to nuke and reinstall, or move on.

    I run VirtualBox on them, and access VMs via remote desktop (RDP with TLS authentication). I plan to test exposing VirtualBox remote desktop as a Tor hidden service. And of course, I can use nested VPN chains and Whonix, just like on local VirtualBox hosts. I note that this is not Tor over Tor, which is insecure. I'm using a remote desktop via VPNs and Tor, and that remote desktop is accessing the Internet via VPNs and Tor. There's latency for sure, sometimes as much as 1-2 seconds, but you get used to it ;)

    Less elaborately, I just setup anonymously-leased remote VPS with minimal Linux desktop. I either setup VNC server as Tor hidden service, or just use VNC via SSH via Tor. This is more for throwaway play, because there's no privacy with hosted VPS.
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594


    There are times that I feel like I have learned so much in regards to security and privacy. Then I read a post like the one I am quoting and I realize I have soooooo far to go. I can tell you fire that stuff off so casually that you may not even realize just how smart you are!!
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    :)

    With two boxes on LAN as VirtualBox hosts, you can practice all of that locally.

    And it's not hard to find instructions for each step online.
     
  6. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    seems like it might be better to confront you govt and speak your mind right to they face instead of hiding behind 25 layers of nested VPNs.

    unless you live in say Iran or some place similar.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I don't live in someplace like Iran, but I'm interested in tools that might help those that do.
     
  8. PallMall

    PallMall Guest

    I do understand that if you're in the logic of anonymity you can perceive it as fuller than full, but still : what can possibly be the motivation of bringing carefulness to such an extent?
    Latency, responsiveness brought to a crawl (unless perhaps connection is basically of very high standard) for the sake of what, unless of course in specific geopolitical areas of the world? I'm not criticizing, only trying to understand the cost of opportunity when it comes to anonymity.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Hunter S. Thompson, Fear and Loathing in Las Vegas

    "Is it doable?" is basically it for me, potential applications aside ;)

    My first machine ran DOS, with third-party disk-based virtual memory and DESQview for multitasking. So I have some experience with high-latency ;)
     
  10. PallMall

    PallMall Guest

    And I presume neither fear nor loathing. Perhaps the thrill of a challenge.
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
  12. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106

    Many people may say we have more to fear from more pervasive paranoid goverments that masquerade as homes of the free, oh and the UK :eek:
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    A technical summary of the Usenix fingerprinting paper. (Tor project response).

    -- Tom
     
Loading...