Discussion in 'privacy technology' started by ronjor, Aug 4, 2017.
by Tom Spring August 4, 2017 , 12:20 pm
Only a very small percentage (< 10 %) of TOR users ever see onion sites, which is where the "dark" comes in. Even in onion there are tons of good things to do under the cover of anonymity.
Personally I'm (still) waiting for TOR Astoria, and to see if it's truly as bullet-proof as they claim it will be in reducing the amount of potential rogue exit nodes... the figure I saw was from 58.8% to 5.8% I believe. But considering it's a joint effort from America & Israel I'm more than skeptical about it. It just might be nothing more than a honeypot to trap unsuspecting victims that think they're greatly improving their anonymity.
Read that carefully, he never said the NSA is not watching you if you use Tor.
What he said is, it is crazy not to use Tor just because, the NSA is watching you.
Really that is just confirming what developers of privacy systems that use Tor have said at different times when they said, this will not protect you from nation state actors.
Well, the NSA is watching everything. The questions are whether using Tor attracts more attention, interferes with their watching, or instead facilitates it, or doesn't make any difference. I tend to assume that using Tor does attract attention, so I only use it through VPN chains. But otherwise, I assume that it helps. And I could be wrong, of course.
IMO, unless you have a good reason to be on TOR, or even must get on for some reason, you're better off without it. Using it in addition to your chained VPN setup will only possibly serve to de-anonymize you, in addition to, of course, as you also pointed out (inevitably) drawing attention to yourself.
But if you must use it then blend in with everyone else by making your footprint the same. That means keep the default settings, except for moving the slider to maximum security (almost everyone does that). Resist the urge to go into your about:config and harden things further. Don't add any more add-ons other than what's already there. And don't ever change your screen size... that alone can give you away more than you might think. That warning isn't for nothing. And use obfs4 bridges that you create yourself even if your country doesn't block direct connections. My advice is to add a bunch of them to a Wordpad document... ones from countries you can generally trust not to dime you out, like Sweden. After awhile you'll come to find that the one you're using will get blocked. When this happens add a new one. And it's best to do it while offline.
But I'd avoid TOR with a ten foot pole right now especially after having 3 letter agencies take down Alphabay & Hansa Market. I'm certain that isn't the extent of the infiltration. Quite frankly you don't know what sites (if any) are safe anymore so you can't trust any of them, if you're one that uses those markets and/or other onion sites.
If you don't absolutely need to use it stick to just your VPN chain.
You know, if we assume the end to end encryption is good, the only other way I can think of, to unmask users is to do something to the IP headers, like use an unused field to carry an id code that isp's could scan for. That would be relatively easy to do if you intercept return packets destined for Tor exit nodes. All you need to do is modify the header then continue it on its way. This would only work if Tor exit nodes do not completely strip and replace the return packets's IP headers. If all they do is remove and replace IP addresses, then there's your weakness.
Wish that there were more big players inside tor network than outside...
Then maybe one sunny day, it will be perfectly normal and nothing special to reach yourfavoritesite.onion or yourfavoritenews.onion
(BTW, why hasn't wilders it's own onion address? or does it?)
Also, it would be great if in some future Tor version, users could have some means to prefer the DNS server that the exit nodes use, like it is now possible to choose exit node country.
Having about 40% of exit nodes to use public Google DNS server is not very comforting ...
Either DNS setting preference or even better, put some real resolving, caching, DNS encryption and DNSSEC supporting server code into Tor (hint: fork unbound DNS and merge into Tor client) instead of just passing the DNS packets inside Tor network and having no control what happens when they come out.
Or learn the IP addresses of your favorite websites to avoid DNS lookups altogether, having said that I have noticed some browsers now refuse to do ip address website connections, surprise, surprise..
P.S. I hope that "Brian Kil" was not a member of Wilders Security.
"Federal authorities on Monday charged a California man in the Plainfield-area cyber threats case that closed two high schools and a shopping center in 2015.
Buster Hernandez, 26, of Bakersfield, Calif. was charged with threats to use an explosive device, threats to injure and sexual exploitation of a child.
Hernandez, authorities say, posed as "Brian Kil" when he posted Facebook messages threatening a violent "bloodbath" at Plainfield High School, Danville High School and The Shops at Perry Crossing in private and public Facebook posts."
"Hernandez, authorities said, masked his identity via the so-called Dark Web,
an encrypted network that lets users access the internet anonymously."
Tracing Brian Kil was like finding a "needle in a haystack," Minkler said.
Hernandez, authorities said, hid his IP address by only communicating with the victims
via the Tor network, which is a browser for the Dark Web.
To crack this, investigators set a trap.
Agents, according to the complaint, posed as a victim and on June 9 uploaded what was supposed to be a sexually explicit video file to a Dropbox account run by Brian Kil.
But there was no video. Instead, the file contained a Network Identification Technique, or NIT, that grabbed the user's real IP address."
@luciddream - It's a hard call. My Mirimir persona just uses VPN chains. With IVPN exits, because that's the VPN I'm most associated with. But I do use Tor for more private stuff. However, I do that through different VPN chains, to avoid cross associations. So even if Tor were a honeypot, it'd take some substantial work to link those other personas to Mirimir, or my meatspace identity. Except for the Erehwon one, anyway.
I've researched many darknet onion takedowns. Many involved stupid mistakes. Disclosing real-name email addresses. Misconfiguring web servers, and failing to properly firewall and isolate servers from clearnet leakage. I only know of one actual Tor compromise, the infamous CMU one. That caused much pwnage. But for most pwned Tor users, it's been malware/NITs that got them. And in all cases that I've read about, it's been Windows malware/NITs. And they were nailed through Tor browser. Now I'm sure that the NSA has OS X, Android, iOS, Linux and *BSD malware/NITs. But I haven't heard of anyone using Whonix getting pwned by TLAs. Or even anyone using Tails or Linux, for that matter.
We will likely never find out but I also wonder IF this guy was using a VM for workspace. I am betting he was not. Another big mistake where NIT's come into play. One reason you don't hear much about Whonix being tagged is because it requires virtual machines (Gateway and Workstation) running. Just guessing it was a Windows bare metal machine with the tor browser and an untrained operator. If you find out let me know on this thread - someone.
Can you hint what browser(s) do such horrible behaviour?
I refuse to memorize all my favorite sites IP addresses, not having very good short-term memory in the first place
Nah, if I want to totally avoid DNS requests, I just put them into my hosts file speaking of which:
Can someone else corfirm this:
1. Put some https only site IP address and hostname into your hosts file
2. Block all outgoing DNS requests in your firewall.
3. Try to reach any of the other sites (http or https, does not matter) than the one you just added into that hosts file. Like expected they should all be blocked.
4. Now, try to reach to that https only site that you added into hosts file.
Does it work? Mine does and until to this very day I was in the believe that https sites always need hostname
After all the TLS/SSL certs need hostname right and won't work with plain IP addresses?
I know that hosts file does not care about the protocol (http or https) but browsers should.
So what magical triggery is happening here?
if I add, say, en.wikipedia.org to my hosts file like this:
and then type https://en.wikipedia.org to browser URL bar then what on earth is happening?
Browser downloads the wikipedia SSL cert from it's IP address (remember, DNS blocked) and then all it does is just check the hostname from that cert to hostname typed in URL bar ?
(after all, if the browser would just internally replace that hostname with the IP address from hosts file, like https://188.8.131.52 , then it really should not work ... I think? )
If true then that would be kinda cool. Encryption and no DNS requests. Can't get any better than that without using additional stuff (Tor, VPN etc..)
But of course, keeping the hosts file updated could be really pain ...
Yes and you know what Stefan I had forgotten you are the developer of the cyberdragon browser, I should have talked to you about such things as IP address pinning before.
The ones that failed to connect to IP addresses directly were android browsers I had tested on my phone and deleted I'm not sure which ones they were but I do remember one of them caused an openssl error.
This isn't a matter of just 1 nitwit being unprepared and fingerprinted as a result. 3 letter agencies are infiltrating TOR as a whole right and controlling the entire operation. I'm sure that the Admins of AlphaBay & Hansa Market weren't noobs. Then along with that comes the threat of turning these people, and in turn more people. All vendors in any of those markets now could be identified, and if given the choice of a long prison sentence or turning snitch, well, that's an easy choice to make for most of them. You can't trust any of the markets on there anymore.
And the markets aside, I don't think TOR period can be trusted. I also don't have any information I've ever used on TOR linked to any indentifiable info. I use on the clearnet. But that's not enough to make me feel safe using it. Who knows what methods they have at their disposal?
I'm at least waiting until TOR Astoria is not only up & running, but polished, and until I know enough about it to feel safe... sit back and watch until I'm convinced it's not just a honeypot, which I fear is the case.
Well, according to the complaint, suspected AlphaBay co-founder Alexandre Cazes allegedly "included his personal email address in one of the site's welcome messages". See https://motherboard.vice.com/en_us/...head-tells-us-about-its-dark-web-market-sting. However, that could be parallel construction.
Yes. That's rather a fatal flaw with some dark markets. Customers do provide mailing addresses, after all. But site admins should never see any of that. And it's a stupid mistake if they do.
Again, I'm talking about vendors here, not the site Admin(s). To buy anything physical from them you must provide them with a mailing address. They would have particularly come down hard on the people selling drugs, guns, and counterfeit goods. And who knows how long ago the sites were actually compromised? It could have been going on for months, and many popular vendors told: "go on as if it's business as usual, and compile a list of names/customers for us, and we'll go easy on you".
And yeah I saw that story about how they nabbed Cazes, and I don't buy it one bit, him making a rookie mistake like that. It's not like they'd admit how they really managed to get in. And of course the 1 person that really knows the truth, whether that cover story was truly the case or not, is now dead... and dead people don't talk. That makes it even more suspicious and makes me doubt that story even more.
I think the truth is that TOR simply isn't safe at all anymore. It really shouldn't come as much of a surprise. After all it was originally created by the same 3 letter agencies that are now bringing it down. There was once a time where the seedy underworld of the darknet, and criminals in general were always 1 step ahead of Johnny Law. But that's no longer the case, or at the very least the gap is closing. What's more many of said seedy people have been turned and are informing for them. The pride of hackers, and the ol' "manifesto" has eroded over time. When I was growing up in the Cyberpunk era the thought of compromising those principles was unthinkable, and if someone got caught they'd gladly take one for the team and endure a prison sentence before giving any information away. But "the man" changed their approach and began offering them cushy jobs working for them instead of the threat of jail time, and it worked. Many of the worlds best hackers from back then are now our enemies, and that's a frightening thought. Even the ones you think are on your side and fighting the good fight could be informants and you'd never know it. Sabu is a good example.
To each his/her own, but I wouldn't touch TOR with a ten foot pole anymore. It's just a trustworthy VPN, a hardened OS with as little attack surface as possible, outbound & application filtering, PGP encrypted messaging, and what you can find on the clearnet (and there is plenty to be found there if you know where to look).
Is anyone using Jondonym these days? I actually quite like the proposition that LE can get my conversations IF properly individually warranted and it takes them some effort (in other words, not indiscriminate automated surveillance). This is basically what Jondo offers as I understand it.
Regarding the Tor marketplace operators, my feeling is that they will - by natural selection if nothing else - gradually improve their opsec. What would be more significant in my opinion is if they started operating a message passing marketplace (something like EDI) between buyer and seller because that would greatly reduce the attack surface against webserver/browser.
The other thing to realise about marketplace operators is that they personally might well be safe - their servers might well be taken over, but their operators may not actually be vulnerable. You need to recognise that their interests are not fully aligned with their customers, it's caveat emptor. So if the "terrifically weak" clients can be owned by server takeover, that's the customers (buyers and sellers) that are owned, not necessarily the server operators.
I've used JonDo occasionally. But there aren't enough users. And I've found the support community annoying.
I don't know about their community but I find JonDo's IP check handy.
Hey, maybe I'm just too sensitive I mean, consider my fate on reddit
This all gets confusing doesn't it. Its the not knowing with any certainty that drives me to insane OPsec. Lucid, I admire your thoughts and I can tell its a well thought out decision on your end. Still, we are guessing somewhat. So for me I understand having your rock solid VPN setups, and I chain them (2) B4 even joining TOR. At least that means that as long as one of those overall protocols holds "up" (VPN and hardened OS, or TOR) I am safe. I don't order anything from darknet that shows up at my address or any place that shows a place that comes back to me. Obviously, I am not going to clarify how that is done here. All we can do is TRY.
Do you mean DNS pinning.
I did not even know that QtWebkit (the engine that CyberDragon uses) had a problem until I looked up
Maybe it has been fixing in the more recent version
Separate names with a comma.