Re: Building tracking system to nab Tor pedophiles
On Wed, 2007-03-07 at 14:02 -0500, Michael Holstein wrote: > > I've seen a VM that routes all traffic over TOR, invisibly to the O/S. > > (Not sure what they do about UDP). > > Developed at Georgia Tech. > > One better .. TOR on OpenWRT on a Linksys router. > > Tor at the *hardware* level. WRT and things liket this have not enought juice for Tor But something similar already exist http://www.winstonsmith.info/pbox/index-e.html HTH -- +--- http://www.winstonsmith.info ---+ | il Progetto Winston Smith: scolleghiamo il Grande Fratello | | the Winston Smith Project: unplug the Big Brother | | Marco A. Calamari [EMAIL PROTECTED] http://www.marcoc.it | | DSS/DH: 8F3E 5BAE 906F B416 9242 1C10 8661 24A9 BFCE 822B | + PGP RSA: ED84 3839 6C4D 3FFE 389F 209E 3128 5698 --+ signature.asc Description: This is a digitally signed message part
Re: Building tracking system to nab Tor pedophiles
The approaches suggested won't work if you use Firefox with NoScript set to disable JavaScript, Java, Flash and any other plugins. Agreed. Firefox work better on security site nor IE is a big hole. Cesare
Re: Building tracking system to nab Tor pedophiles
On 2007-3-8 11:35 CST(UTC+8), Paul Syverson wrote: > On Wed, Mar 07, 2007 at 09:53:08PM -0500, James Muir wrote: >>> Heheh, well speaking of dreaming big, while both what you and Jason >>> Edwards said are great goals to have, I think we shouldn't get >>> distracted from "stopping the bleeding" now with a few sentences right >>> up front while something more elaborate is devised (or a volunteer >>> steps up). >>> >>> The problem is if it isn't right on the download page and translated >>> into most languages, people will just assume they are good to go >>> without bothering to read the FAQ until something breaks (as Jason >>> pointed out). I also fall into this category with most software (even >>> stuff I develop for ;). >> Hear, hear! >> > > Yes. Three cheers. I think this is a fine interim thing to do. Maybe > I'm overly sold on install wizards but I think a step in the install > that says something about not being secure against responding web > sites by default and a pointer to a couple of things to do before > continuing is probably going to catch more people than anything on the > download page. Of course there will still be some (most?) people who > will just say "yeah, whatever" and click continue. But this is an > interim idea. (Now someone has to write installers in every > language. Perhaps _that_ could be added to the volunteer page. > In the interim interim, something on the download page will get > caught be our volunteer translators sooner than anything I said > above). Put them all: 1. "Things to know before downloading" on the download page. 2. "Things to know before installing" on the installer wizard. 3. A "Tor checker" web page or whatsoever after installing and configuration. 4. "A bubble from Tor GUI (Vidalia, etc.) saying 'Tor cannot completely protect you from eavesdroppers, for more information, ...'" each time Vidalia starts. .. The more, the better. Hanru
Re: Building tracking system to nab Tor pedophiles
On Wed, Mar 07, 2007 at 10:35:54PM -0500, Paul Syverson wrote: > On Wed, Mar 07, 2007 at 09:53:08PM -0500, James Muir wrote: > > >Heheh, well speaking of dreaming big, while both what you and Jason > > >Edwards said are great goals to have, I think we shouldn't get > > >distracted from "stopping the bleeding" now with a few sentences right > > >up front while something more elaborate is devised (or a volunteer > > >steps up). > > > > > >The problem is if it isn't right on the download page and translated > > >into most languages, people will just assume they are good to go > > >without bothering to read the FAQ until something breaks (as Jason > > >pointed out). I also fall into this category with most software (even > > >stuff I develop for ;). > > > > Hear, hear! > > > > Yes. Three cheers. I think this is a fine interim thing to do. Maybe > I'm overly sold on install wizards but I think a step in the install > that says something about not being secure against responding web > sites by default and a pointer to a couple of things to do before > continuing is probably going to catch more people than anything on the > download page. Of course there will still be some (most?) people who > will just say "yeah, whatever" and click continue. But this is an > interim idea. (Now someone has to write installers in every > language. Perhaps _that_ could be added to the volunteer page. > In the interim interim, something on the download page will get > caught be our volunteer translators sooner than anything I said > above). Now that we all agree, could somebody draft the statement as a patch for the download page source at http://tor.eff.org/svn/website/en/download.wml ? Who will be first to get their patch to [EMAIL PROTECTED] Whose patch will be best? Only you can decide! ;) peace, -- Nick Mathewson pgpKRAgRueFPB.pgp Description: PGP signature
Re: Building tracking system to nab Tor pedophiles
On Wed, Mar 07, 2007 at 09:53:08PM -0500, James Muir wrote: > >Heheh, well speaking of dreaming big, while both what you and Jason > >Edwards said are great goals to have, I think we shouldn't get > >distracted from "stopping the bleeding" now with a few sentences right > >up front while something more elaborate is devised (or a volunteer > >steps up). > > > >The problem is if it isn't right on the download page and translated > >into most languages, people will just assume they are good to go > >without bothering to read the FAQ until something breaks (as Jason > >pointed out). I also fall into this category with most software (even > >stuff I develop for ;). > > Hear, hear! > Yes. Three cheers. I think this is a fine interim thing to do. Maybe I'm overly sold on install wizards but I think a step in the install that says something about not being secure against responding web sites by default and a pointer to a couple of things to do before continuing is probably going to catch more people than anything on the download page. Of course there will still be some (most?) people who will just say "yeah, whatever" and click continue. But this is an interim idea. (Now someone has to write installers in every language. Perhaps _that_ could be added to the volunteer page. In the interim interim, something on the download page will get caught be our volunteer translators sooner than anything I said above). aloha, Paul
Re: Building tracking system to nab Tor pedophiles
Heheh, well speaking of dreaming big, while both what you and Jason Edwards said are great goals to have, I think we shouldn't get distracted from "stopping the bleeding" now with a few sentences right up front while something more elaborate is devised (or a volunteer steps up). The problem is if it isn't right on the download page and translated into most languages, people will just assume they are good to go without bothering to read the FAQ until something breaks (as Jason pointed out). I also fall into this category with most software (even stuff I develop for ;). Hear, hear! -James
Re: Building tracking system to nab Tor pedophiles
Thus spake Paul Syverson ([EMAIL PROTECTED]): > I don't think it was off topic. To repeat what I already said in > an individual response. > > I think it was not OT since your post addressed the reality of a > situation for which people were designing Tor modifications and > deployments and you evaluated their applicability to intended > application. Good. Solid post all around then. > I had advocated something similar some time ago. Actually what I proposed > was that some sort of test server be set up. I know there are already > many of them, but I was thinking that there could be testing stages > in an install wizard (or a post-install testing wizard) > that takes the user through various tests and what to do in response > to results. I know a lot of work, maybe another suggestion to be > listed on the volunteer page or a candidate for summer of code? > > You dream big (not sure which is the bigger dream ;>) Heheh, well speaking of dreaming big, while both what you and Jason Edwards said are great goals to have, I think we shouldn't get distracted from "stopping the bleeding" now with a few sentences right up front while something more elaborate is devised (or a volunteer steps up). The problem is if it isn't right on the download page and translated into most languages, people will just assume they are good to go without bothering to read the FAQ until something breaks (as Jason pointed out). I also fall into this category with most software (even stuff I develop for ;). -- Mike Perry Mad Computer Scientist fscked.org evil labs
Re: Building tracking system to nab Tor pedophiles
As suggested on IRC, I think the Tor documentation strategy needs to be rethought. Most people barely read the download page, let alone the reems of FAQ questions. We've had two "attacks" now on Tor that rely on unmasking users who use Tor incorrectly. One of them actually published a paper and had decent results at unmasking this way (mostly Asian users who probably can't read our english mailinglist or english FAQ), and the media still doesn't seem to understand that these attacks are well documented. The Tor download page should have a concice "Things to know before downloading" section that lists a few key points about the most easy ways your identity can be revealed through Tor. Something like Things to know before you download Tor: - Browser plugins can be made to reveal your IP. - This includes Flash, Java, ActiveX and others. - It is recommended that you use FireFox and install the extensions NoScript, QuickJava, and FlashBlock to control this behavior if you must have these plugins installed for non-Tor usage. - Make sure your browser settings have a proxy listed for ALL protocols (including Gopher and FTP). - For further details, please consult the Tor FAQ. I had advocated something similar some time ago. Actually what I proposed was that some sort of test server be set up. I know there are already many of them, but I was thinking that there could be testing stages in an install wizard (or a post-install testing wizard) that takes the user through various tests and what to do in response to results. I know a lot of work, maybe another suggestion to be listed on the volunteer page or a candidate for summer of code? As a new user (about a week now) and without much of a background, hopefully I can offer some insight. The installation and documentation to get up and started is very helpful, especially the screen shots. However I am lost with Privoxy configuration, e-mail config (especially about the smtp port 465 in Thunderbird), and if.. how.. and when I need to modify modify the torrc file. I have subscribed to all the lists and am doing my best to absorb the info. I usually learn new programs by futzing with them until I have learned the ins and outs. However, this is different because the learning curve could do some damage (stories of how Tor users were not protected). My suggestions/responses to help protect green users like me from those who can take advantage of our lack of information are: - A hold your hand walk through of add ons to Firefox and Thunderbird to be installed before attempting to use the programs ( just like the set info instructions, they were great) - A few predefined configurations of Privoxy, Noscript etc. with a WALK THROUGH on how to access them, what they mean and how to tweak them in the future. - The test server sounds like a great idea. I keep reading about things which break pages and reveal your identity but I have no idea if it is actually happening. Is there a way to set an alert which notifies the user that his/her anonymity has been compromised? - Again, a list of IMPORTANT things you should not do is a great idea. I don't know if I can use another browser without privoxy etc installed after I have disconnected from Tor and wish to surf as I did previously. Is that bad? I am also pretty sure that I should not use any other programs which don't go through Tor while I am connected to Tor. Is it ok to use them after I disconnect? The takeaway from my rambling is that compromises to security and the networks reputation are going to come from users like me, not from a developer or experienced user. To maintain integrity it is a good idea to devote time to developing better walk throughs regarding use after initial setup and to help new users from hurting themselves or the reputation of the network. Jay
Re: Building tracking system to nab Tor pedophiles
On Wed, Mar 07, 2007 at 02:14:33PM -0600, Mike Perry wrote: > Thus spake Freemor ([EMAIL PROTECTED]): > > > I think what needs to be done here is to create a FAQ or other standard > > document that will 1.) inform the vastly misinformed public. 2.) list > > places and ways they can make a difference. > > Excellent post, even if slight off-topic. I don't think it was off topic. To repeat what I already said in an individual response. I think it was not OT since your post addressed the reality of a situation for which people were designing Tor modifications and deployments and you evaluated their applicability to intended application. > As suggested on IRC, I think > the Tor documentation strategy needs to be rethought. Most people > barely read the download page, let alone the reems of FAQ questions. > > We've had two "attacks" now on Tor that rely on unmasking users who > use Tor incorrectly. One of them actually published a paper and had > decent results at unmasking this way (mostly Asian users who probably > can't read our english mailinglist or english FAQ), and the media > still doesn't seem to understand that these attacks are well > documented. > > The Tor download page should have a concice "Things to know before > downloading" section that lists a few key points about the most easy > ways your identity can be revealed through Tor. Something like > > Things to know before you download Tor: > - Browser plugins can be made to reveal your IP. > - This includes Flash, Java, ActiveX and others. >- It is recommended that you use FireFox and install the extensions > NoScript, QuickJava, and FlashBlock to control this behavior if > you must have these plugins installed for non-Tor usage. > - Make sure your browser settings have a proxy listed for ALL >protocols (including Gopher and FTP). > - For further details, please consult the Tor FAQ. > I had advocated something similar some time ago. Actually what I proposed was that some sort of test server be set up. I know there are already many of them, but I was thinking that there could be testing stages in an install wizard (or a post-install testing wizard) that takes the user through various tests and what to do in response to results. I know a lot of work, maybe another suggestion to be listed on the volunteer page or a candidate for summer of code? > Maybe this will stop the same attack from hitting the blogosphere > every 2 months. Even better, maybe it will stop that attack from > actually working.. > You dream big (not sure which is the bigger dream ;>) aloha, Paul
Re: Building tracking system to nab Tor pedophiles
Thus spake Freemor ([EMAIL PROTECTED]): > I think what needs to be done here is to create a FAQ or other standard > document that will 1.) inform the vastly misinformed public. 2.) list > places and ways they can make a difference. Excellent post, even if slight off-topic. As suggested on IRC, I think the Tor documentation strategy needs to be rethought. Most people barely read the download page, let alone the reems of FAQ questions. We've had two "attacks" now on Tor that rely on unmasking users who use Tor incorrectly. One of them actually published a paper and had decent results at unmasking this way (mostly Asian users who probably can't read our english mailinglist or english FAQ), and the media still doesn't seem to understand that these attacks are well documented. The Tor download page should have a concice "Things to know before downloading" section that lists a few key points about the most easy ways your identity can be revealed through Tor. Something like Things to know before you download Tor: - Browser plugins can be made to reveal your IP. - This includes Flash, Java, ActiveX and others. - It is recommended that you use FireFox and install the extensions NoScript, QuickJava, and FlashBlock to control this behavior if you must have these plugins installed for non-Tor usage. - Make sure your browser settings have a proxy listed for ALL protocols (including Gopher and FTP). - For further details, please consult the Tor FAQ. Maybe this will stop the same attack from hitting the blogosphere every 2 months. Even better, maybe it will stop that attack from actually working.. -- Mike Perry Mad Computer Scientist fscked.org evil labs
Re: Building tracking system to nab Tor pedophiles
A non-issue. The DNS request from the first trick will get routed through TOR. The second trick is easily avoided by blocking Java via NoScript. ~Mike. Fergie wrote: Hmmm. http://blogs.zdnet.com/security/?p=114 Comments? -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
Re: Building tracking system to nab Tor pedophiles
I've seen a VM that routes all traffic over TOR, invisibly to the O/S. (Not sure what they do about UDP). Developed at Georgia Tech. One better .. TOR on OpenWRT on a Linksys router. Tor at the *hardware* level. ~Mike.
Re: Building tracking system to nab Tor pedophiles
O.K. I've been biting my tongue on this one for a while now. I'll try to keep this short as it is not specifically TOR related As a survivor of childhood sexual abuse. I'm personally getting annoyed by this whole "nab the paedophiles thing". for several reasons: 1.) 90+ percent of sexual abuse of children happen from family members or friends of the family.. so wasting huge resources on 10% while blatantly (and blissfully) ignoring the 90%, does society a huge disservice. by focusing the public's attention on the smallest part of the problem and away from the real problems. 2.) I can almost guarantee that his guys "key words" would trigger on abuse survivors talking in an online support group and I can't even begin to tell you how damaging it would be for an abuse survivor to have to deal with being falsely accused of being a perp. I think what needs to be done here is to create a FAQ or other standard document that will 1.) inform the vastly misinformed public. 2.) list places and ways they can make a difference. I do appreciate that people are actually trying to look at this.. it would just be nice if they were looking at the real problem. in short trying to destroy anonymity (which is necessary for many abuse survivors to begin the healing process) to waste the courts time with illegally obtained evidence, from chasing a small fraction of abusers, while ignoring the real problem and misleading the public while doing so is NOT a service to me nor to society in general. To the people on this list that are all gung ho to stop internet paedophiles I'd suggest you leave TOR alone and get involved with an established group such as perverted justice ( http://www.perverted-justice.com/ ) who have a history of working with law enforcement and making a real difference. Better yet volunteer at your local rape crisis centre. hound your government officials so perps don't walk with a 6 mo sentence after abusing their children for years. etc. I do apologize for the lack of brevity and the slightly OT post. 'nuff said Freemor On Wed, 2007-07-03 at 05:28 +, Fergie wrote: > Hmmm. > > http://blogs.zdnet.com/security/?p=114 > > Comments? > > > -- > "Fergie", a.k.a. Paul Ferguson > Engineering Architecture for the Internet > fergdawg(at)netzero.net > ferg's tech blog: http://fergdawg.blogspot.com/ > -- Freemor <[EMAIL PROTECTED]> Freemor <[EMAIL PROTECTED]> This e-mail has been digitally signed with GnuPG signature.asc Description: This is a digitally signed message part
Re: Building tracking system to nab Tor pedophiles
On Wednesday, March 07, 2007, at 07:42AM, "Roger Dingledine" <[EMAIL PROTECTED]> wrote: >On Wed, Mar 07, 2007 at 12:56:22AM -0500, James Muir wrote: >> > http://blogs.zdnet.com/security/?p=114 >> >> The approaches suggested won't work if you use Firefox with NoScript set >> to disable JavaScript, Java, Flash and any other plugins. > >You still have to be careful though -- if you enable them for some >domains that you trust (say, foo.com), then you can still get nailed >when you visit foo.com from an evil exit node, it inserts some malicious >applets, and your noscript says "well yeah, but the user typed in foo.com, >therefore this applet is from foo.com, so I trust it". > >So the moral of the story appears to be turn the plugins off, period. >The broader moral is: don't run code from strangers on your computer. The >even broader moral would be to lament that we're still not using SSL on >most Internet interactions. And maybe the fourth is that we (somebody >here) should work on easy instructions for locking down common OS network >interfaces so only Tor communications can get through. Or Tor LiveCDs >that have that already done. Or VM images that can be run as routers >between your computer and the Internet. > >--Roger > Actually the moral of the story would be to surf using Lynx w/SSL from a Linux or BSD Tor enabled LiveCD. Unfortunately you won't see any pictures or movies so that will eliminate most users who use Tor for "private" surfing. ;-) Or you could get REALLY secure and just unplug the computers from the net and go outside for some fresh air and get a life! IMHO, Brad
Re: Building tracking system to nab Tor pedophiles
On 3/7/07, Nick Mathewson <[EMAIL PROTECTED]> wrote: [...] and fangirls reading harry/ron slashfic online. The picture! It's burning into my brain-patterns! ARGH! Cheers, Alex. -- "I am tired of all this sort of thing called science here... We have spent millions in that sort of thing for the last few years, and it is time it should be stopped." -- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901.
Re: Building tracking system to nab Tor pedophiles
On Wed, Mar 07, 2007 at 02:50:34PM +0100, Alexander W. Janssen wrote: > OK, we heard a lot of technical details, I'll cover the non-tech part of it. > > On 3/7/07, Fergie <[EMAIL PROTECTED]> wrote: > >Comments? > > Yes, it's stupid. Well, it sounds like a pretty thorough implementation of a well-known attack. If the goal was getting press coverage, it's successful. If the goal was "let's embed a scripting language in everything!" then it's also a success there. If the goal was getting talks at hacker cons, then I bet it will work fine. These are all laudable goals, and I sympathize with them all as far as they go. But if the goal were actually to send criminals to jail, then I rather suspect that the fellow would've had a talk with law enforcement, or a lawyer, beforehand. Similarly, I hope that in his interview, the author of this attack mentioned that the attack depends on bad configuration choices on the part of the user, and that the interviewer just didn't that would be interesting. It would be a bit misleading to say "I have an attack on this system" when you only have an attack against users using the system wrong. > First, the legal issues. What he does is overtaking a TOR-user's > machine by malicious code. He's accusing people of being childporn > consuments based on the fact that *some* childporn keyword was found - > we all know how good that works! (just have a look at the available > internet filtering-software out there). Right. I don't see what keyword set you could possibly use to reliably distinguish between real criminals, people reading Nabokov, people reading reports _about_ the real criminals, and fangirls reading harry/ron slashfic online. [...] > Secondly: It's harming the TOR-project in two ways: > * TOR will lose valuable reputation and the rest of the world will > denounce us of bigotry. > * If the anti-child-porn patch will be applied the next lobby-group > will demand a backdoor. Why not the PETA? They could as for all > customers who bould furry clothes online. It's for the animals! Why > not the RIAA or MPAA? It's for the better good and the artists! Right. This _is_ a general-purpose attack tool; there's no reason it can't be just as useful for identifying the IPs of misconfigured Tor users looking for information on democracy in China, or for the nearest VD clinic, or for information on how to run for office, or whatever. Snoops everywhere should be pleased. peace, -- Nick Mathewson pgppeRSPxFdbf.pgp Description: PGP signature
Re: Building tracking system to nab Tor pedophiles
OK, we heard a lot of technical details, I'll cover the non-tech part of it. On 3/7/07, Fergie <[EMAIL PROTECTED]> wrote: Comments? Yes, it's stupid. First, the legal issues. What he does is overtaking a TOR-user's machine by malicious code. He's accusing people of being childporn consuments based on the fact that *some* childporn keyword was found - we all know how good that works! (just have a look at the available internet filtering-software out there). I don't know about other countries legislations but evidences which weer gathered illegally are worth shit at court. So if you got a real child molester he'll be found not guilty and when you find just some innocent dude you're still going to destroy his personal life. Just the rumor "oh, that dude does child-porn" is enough to destroy a lot of personal relationsships. Secondly: It's harming the TOR-project in two ways: * TOR will lose valuable reputation and the rest of the world will denounce us of bigotry. * If the anti-child-porn patch will be applied the next lobby-group will demand a backdoor. Why not the PETA? They could as for all customers who bould furry clothes online. It's for the animals! Why not the RIAA or MPAA? It's for the better good and the artists! The idea is - and sorry for my language - a big pile of crap. Just my 2c, Alex. -- "I am tired of all this sort of thing called science here... We have spent millions in that sort of thing for the last few years, and it is time it should be stopped." -- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901.
Re: Building tracking system to nab Tor pedophiles
On 3/6/07, Roger Dingledine <[EMAIL PROTECTED]> wrote: ... So the moral of the story appears to be turn the plugins off, period. The broader moral is: don't run code from strangers on your computer. The even broader moral would be to lament that we're still not using SSL on most Internet interactions. the depths of just how badly security in general sucks well captured. at least some areas of the technology landscape are showing signs of improvement. bitfrost and mac(with parrallels?). otherwise, the capriciousness of users encouraged by the inherent architectural vulnerabilities sold in mass quantity by vendors more concerned with profit and appearance than customer vulnerabilities ensures lots of targets... i need a drink... *g* And maybe the fourth is that we (somebody here) should work on easy instructions for locking down common OS network interfaces so only Tor communications can get through. Or Tor LiveCDs that have that already done. Or VM images that can be run as routers between your computer and the Internet. ah, at least this can be worked on in a straightforward fashion. (unlike transnational market forces with lots of momentum :) and even various combinations of the above for additional compartmentalization without excessive overhead. some relevant links: http://virt.kernelnewbies.org/TechComparison http://wiki.laptop.org/go/Bitfrost (btw: if anyone has some bandwidth they would like to donate for janusvm dev torrents please email me so i can contact you for early seeding...)
Re: Building tracking system to nab Tor pedophiles
On Wed, Mar 07, 2007 at 05:28:13AM +, Fergie wrote: > Hmmm. > > http://blogs.zdnet.com/security/?p=114 > > Comments? They seriously expect me to use JavaScript and Java when using Tor? Some uber-hacker, indeed. More of the propeller beanie kind. -- Eugen* Leitl http://leitl.org";>leitl http://leitl.org __ ICBM: 48.07100, 11.36820http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE signature.asc Description: Digital signature
Re: Building tracking system to nab Tor pedophiles
I've seen a VM that routes all traffic over TOR, invisibly to the O/S. (Not sure what they do about UDP). Developed at Georgia Tech. On Wed, Mar 07, 2007 at 12:56:22AM -0500, James Muir wrote: > http://blogs.zdnet.com/security/?p=114 The approaches suggested won't work if you use Firefox with NoScript set to disable JavaScript, Java, Flash and any other plugins. You still have to be careful though -- if you enable them for some domains that you trust (say, foo.com), then you can still get nailed when you visit foo.com from an evil exit node, it inserts some malicious applets, and your noscript says "well yeah, but the user typed in foo.com, therefore this applet is from foo.com, so I trust it". So the moral of the story appears to be turn the plugins off, period. The broader moral is: don't run code from strangers on your computer. The even broader moral would be to lament that we're still not using SSL on most Internet interactions. And maybe the fourth is that we (somebody here) should work on easy instructions for locking down common OS network interfaces so only Tor communications can get through. Or Tor LiveCDs that have that already done. Or VM images that can be run as routers between your computer and the Internet. --Roger
Re: Building tracking system to nab Tor pedophiles
On Wed, Mar 07, 2007 at 12:56:22AM -0500, James Muir wrote: > > http://blogs.zdnet.com/security/?p=114 > > The approaches suggested won't work if you use Firefox with NoScript set > to disable JavaScript, Java, Flash and any other plugins. You still have to be careful though -- if you enable them for some domains that you trust (say, foo.com), then you can still get nailed when you visit foo.com from an evil exit node, it inserts some malicious applets, and your noscript says "well yeah, but the user typed in foo.com, therefore this applet is from foo.com, so I trust it". So the moral of the story appears to be turn the plugins off, period. The broader moral is: don't run code from strangers on your computer. The even broader moral would be to lament that we're still not using SSL on most Internet interactions. And maybe the fourth is that we (somebody here) should work on easy instructions for locking down common OS network interfaces so only Tor communications can get through. Or Tor LiveCDs that have that already done. Or VM images that can be run as routers between your computer and the Internet. --Roger
Re: Building tracking system to nab Tor pedophiles
Thus spake Mike Perry ([EMAIL PROTECTED]): > At any rate, I welcome a good open source implementation of this. If > nothing else, it will be nice to pit it against my scanner on a test > network to make sure this sort of thing can be reliably detected. Oh, and we can also use this as an opportunity to definitively settle once and for all the age old question of which is the superior language, python, or ruby? He does have to waste an awful lot of lines on "end" statements... ;) -- Mike Perry Mad Computer Scientist fscked.org evil labs
Re: Building tracking system to nab Tor pedophiles
Thus spake Fergie ([EMAIL PROTECTED]): > Hmmm. > > http://blogs.zdnet.com/security/?p=114 > > Comments? Will they write a ZDnet article about me when my node scanner starts to delist his compromised exit nodes? ;) There's of course no way that these nodes can be allowed to continue to be exits if discovered. Any of them can be retooled into targeting a lot more than just pedophiles, for fun, profit, or via subpoena. He's also putting himself in an interesting position here wrt federal wiretap law as well (as mentioned on the Tor legal faq). Though of course, he picked a good target to pick on. The anonymous typically have little legal recourse. Especially when you claim they all just want child porn. Of course, anyone utilizing common Tor best practices will not be affected by this. (Though the one gripe I have is that NoScript allows Java if you allow scripts.. But there are also extensions that block Java globally - like QuickJava). At any rate, I welcome a good open source implementation of this. If nothing else, it will be nice to pit it against my scanner on a test network to make sure this sort of thing can be reliably detected. As an aside, it's recently become clear that a lot of people are using these Internets things to transmit child pornography. Perhaps we should just shut 'er down? Sure would be easier than actually finding the PRODUCERS of such content... -- Mike Perry Mad Computer Scientist fscked.org evil labs
Re: Building tracking system to nab Tor pedophiles
Fergie wrote: Hmmm. http://blogs.zdnet.com/security/?p=114 Comments? The approaches suggested won't work if you use Firefox with NoScript set to disable JavaScript, Java, Flash and any other plugins. -James
Re: Building tracking system to nab Tor pedophiles
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Also note that browsing with Firefox using the NoScript http://noscript.net/ extension renders this attack and most others useless, since that java applet never gets executed. Michael_google gmail_Gersten wrote: > Well, first, this is just the normal exit node exposure of tor. > > The exit node in your circuit gets to see the raw communication > between you and your destination. If you are using an SSL channel > (SSH, https, etc) then nothing is a problem. Otherwise, the exit node > can do things like spy on usernames and passwords, etc. > > There are already sites that modify the HTML of web pages going > through them -- I've had scripts munged on some sites, for example -- > and this is just another case of that. > > Now, I believe tor allows you do exclude nodes from ever being used as > exit nodes. > > On 3/6/07, Fergie <[EMAIL PROTECTED]> wrote: >> Hmmm. >> >> http://blogs.zdnet.com/security/?p=114 >> >> Comments? >> >> >> -- >> "Fergie", a.k.a. Paul Ferguson >> Engineering Architecture for the Internet >> fergdawg(at)netzero.net >> ferg's tech blog: http://fergdawg.blogspot.com/ >> >> > -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (MingW32) iQIVAwUBRe5T4KYAM/AiUno8AQKfoA//ZCEtnh7VsfiuaZFXCbQ89u0Jyqqo2WKy JXp2xt2PVYDSFnVuMdu7fIPjtlujG1nVNZOlGo/rffXmJDYU0+enwARNtkif9aKr cspnqRKVToL8hvPLOgGjeTnxFNcXXAXJGzKwQyP4I0x2S8fsKGpE0dRUeFSKwcz4 78e44jd9K6gq6wFGDR7mtZf9xTvwb2O5k4ltass0D3qzQBIm/+tvkGyLDTkZ9gBo /3VN56iax6xD+/lFK7uRL5BaJ5UriX4RwvsHB+CZYLv+hYo2VRdNTV3Y6gAj2E6i Fs1sPwRFprHqJhBpb7ggLvdNGCeaFmzDUI7Zwg6OVjxpPfCW1kd/mdulMIoTwAvx pPdbyuTfQ9uBAuqLLh4sV2GyXFmIyLDSEaTpCyCGJEiZ8J40d5AdoffPL7PK4FXe Edg0OLHmG3qnKS/DrmE/R9KrqAynb+IUb3f3IcEe/fBT72Y36Ugbw0hMhc5YUcYY u/gTeAYgLQpveWGof7w8DA8Y3er5j/rNJ0CKMb5JPfaj7eArxbN5YWQDZabYP2T8 rtbTo9kml2g8LltbzmH5wlrpVqt7n3+u49aq+2/Y5X1nc3D/JZEQ0S40aNTotr+V XWE0mBHORC9JF8ugcJiejI9p8x7sSryY3fNk9Ub6cpbvRaKDL0GCD1o5glIGliML y/Z5eYky5aU= =Pei3 -END PGP SIGNATURE-
Re: Building tracking system to nab Tor pedophiles
Well, first, this is just the normal exit node exposure of tor. The exit node in your circuit gets to see the raw communication between you and your destination. If you are using an SSL channel (SSH, https, etc) then nothing is a problem. Otherwise, the exit node can do things like spy on usernames and passwords, etc. There are already sites that modify the HTML of web pages going through them -- I've had scripts munged on some sites, for example -- and this is just another case of that. Now, I believe tor allows you do exclude nodes from ever being used as exit nodes. On 3/6/07, Fergie <[EMAIL PROTECTED]> wrote: Hmmm. http://blogs.zdnet.com/security/?p=114 Comments? -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/