High-Traffic Colluding Tor Routers in Washington, D.C., and the Ugly Truth About Online Anonymity

May 2nd, 2007

2013 Update

How Unique – and Trackable – Is Your Browser?

Software Can Identify You from Your Browsing Habits

Linguistics Identifies Anonymous Users

—End Update—

With the U.S. Government trying to shut down websites and stealing gold, I feel the need to discuss communications security, surveillance and anonymity as the U.S. collapses further into overt fascism.

I need to get this off my chest, once and for all, because people, who don’t know much about computers, are being bombarded with nonsense, and they’re bombarding me with nonsense as a result. I want a single post that goes all the way, and this is it.

“Have you heard about Tor?” I am routinely asked via clear text email.

Yes, I know about Tor, but we need to take a much closer look at what remaining anonymous online really requires.

First of all, since this is a long post, I don’t want to waste your time. If you’re a computer expert or network engineer, etc. you will already know this stuff. If, however, you’re a casual computer user who doesn’t know much about the underlying principles of information systems, this will be way over your head. If you’re a casual computer user who is thinking about anonymity online, this article might be useful for letting you know some more about what you don’t know.

A lot of times, ignorant people refer to things they don’t understand as “tinfoil.” (The gatekeeper Left loves this term.) What follows, however, is so far out that it seems like tinfoil even to me. But then again, I haven’t been targeted by a death squad for my activities online, like some people are in many countries around the world. So, is it tinfoil? For you, maybe. For people struggling against repressive regimes, maybe not.

When I use the term “tinfoil” below, I’m not making fun of you, I’m making fun of myself, and the roles I’ve had to play in corporate IT departments. You don’t know tinfoil unless you’ve worked in a corporate IT department. Corporate IT is a technocratic pyramid built on paranoia, surveillance and fiefdoms of specialized knowledge and privileges (rights and permissions). Since all modern fascist organizations are essentially the same, I hope that my grim experiences within these organizations will help you understand more about the nature of the dire situation that we’re all facing.

If you think that you’re thinking outside of the box, my main purpose in writing this is to inform you that there are actually boxes within boxes, and that if you plan on engaging an opponent as powerful as the American Corporate State (or any other maniac fascist regime), it’s not going to be easy. I don’t know how many boxes within boxes there are. What I do know is that the U.S. Department of Defense built the underlying technologies that make the Internet possible. They built “this” world.

So, you want to be anonymous in a world that was thought up by the U.S. Department of Defense?

Most computer users don’t have what it takes, in terms of technical skills, or discipline, to pull it off. I’m sorry if that sounds harsh, but it’s absolutely true. I’m not claiming to be any kind of expert at all. If knowledge of computers and networks represented all the grains of sand on a beach, I’d say that I was familiar with about 5 of those grains of sand. I would like to hear from people who know more than me about any flaws in this information.

A long time ago, as a sort of theoretical challenge to myself, I tried to define a reliable protocol for remaining anonymous online. Why? Ask any nerd, “Why?” and the nerd will usually respond: “Why not?” If the nerd is unusually honest, he or she might respond, “Because I can’t help it.” So, somewhere between, “Why not?” and “Because I couldn’t help it,” I set out on this quest.

As you might already know, I studied information warfare in college and I did several years of time in corporate IT environments. I knew about the types of surveillance and control that are possible at the client, server and network levels.

I looked at the challenge as all IT people look at all IT related challenges: Assume the absolute worst.

I went even further with this. I made irrationally negative assumptions.

I assumed that everything I did online was compromised. I assumed the worst tinfoil nightmares about commercial operating systems. I assumed that my ISP was a subsidiary of the NSA, etc.

Got the idea?

Let’s look at each level in a bit more detail (in no particular order):

Servers: Potential Honeypots

Many technologies that amateur anonymity fetishists are attracted to are actually designed to harvest information. Put yourself in the shoes of the NSA. If you wanted a concentrated haul of the most interesting information what would you do?

You would establish a honeypot: a service (free or paid) that purported to provide an anonymous web browsing/email capability. Who knows what people might get up to if they thought nobody was looking? That, of course, is the idea with honeypots.

If you’re relying on a proxy server, how will you know that it’s not simply recording your entire session for examination by acreages of the Homeland’s supercomputers that are running advanced statistical Magic 8 Ball algorithms? Because the company or individual providing your proxy service says that they don’t keep logs? HA

Am I saying that all proxies are run by the NSA? No. Am I saying that some number of them are? I’d bet my life on it. How many of them are run by governments? I don’t know. Unless you know which governments are running which proxies, you must assume that all of them are compromised.

In reality, the NSA would probably be the least of your worries when using a proxy server or open base station.

Nerds with too much time on their hands get up to all kinds of nonsense. Do they set up anonymous proxy servers and open base stations just to see what people do with them? Yes. Do criminals do it to find out personal information about you? Yes.

So even if the proxy or base station you’re on isn’t run by the NSA, who is running it? And why?

Maybe you’re eLitE and use several proxies. You can probably assume that the proxies aren’t colluding directly, but what about the networks? Which leads us to the next level…

Networks: If You Feel Like You’re Being Watched, It’s Because You Are

The network providers are keeping end-to-end records of every session. The question is: Are the network providers colluding with the U.S. Government? Since you can’t assume that they’re not, you must assume that they are. I would assume that the U.S. Government has end-to-end coverage of every IP session that starts and ends on U.S. networks. With corporate collusion and off-the-shelf hardware and software, this isn’t a stretch at all. For non-U.S. networks, the NSA gets in with multi-billion-dollar tools like the U.S.S. Jimmy Carter, and who knows what else.

There are dozens of off the shelf products that you would swear were designed for use by intelligence agencies, but they’re routinely peddled to—and used by—corporations. If corporations have and use these surveillance capabilities, what are the intelligence agencies running on the service providers’ networks? I’ll be buggered if I know, but I know it’s not good. That recent ATT/NSA thing is just a tiny/trivial tip of the iceberg.

Clients: NSA Side Projects?

Microsoft and Apple sought assistance from the U.S. National Security Agency.

Evil Corporations Working with the NSA + Closed Source Binaries = Not Good.

What is that thing actually doing? I don’t know. Thank you. That’s all I need to know.

Countermeasures

Access the Internet Using an Open Wireless Network, Preferably from Great Distance

In terms of a threat assessment, for our purposes, I see the networks as posing the biggest problem.

People write to me all the time raving about the dreaded Google cookie. HA. “We must use scroogle!” for freedom and safety, etc.

When I mention that their ISP is, most likely, keeping every URL that they visit in a database, at a minimum, and that NSA boxes are probably analyzing every FORM tagged submission, well, that’s a hard lesson for people. Go ahead, use scroogle. Maybe the people running it aren’t evil. So what. Scroogle might make you feel good, but it has nothing to do with security or anonymity, not when you consider the capabilities of the enemy on the network.

Give any 14 year old hacker access to the right network switch and, unless you know what you’re doing, he or she will use a packet sniffer to find out what you had for breakfast. Now, the difference between most 14 year old hackers and the NSA is that the pimply faced kids don’t have physical access to the network that would allow them to conduct man in the middle surveillance on you. The NSA does. Again, that NSA/ATT thing is fly fart level. That’s nothing. That’s just the piece of the program that got outed.

You need a false flag connection to the Internet. In other words, access the Internet via someone else’s open wireless router, preferably from great distance. Lots of organizations, businesses and individuals provide free, wireless Internet access; on purpose, believe it or not. Ideally, you would use a cantenna or a high performance parabolic antenna to authoritatively distance yourself from any surveillance cameras that are likely saturating your local coffee shop or other business that provides free Internet access. Hitting the base station from hundreds of meters away would be nice.

If you were to carry the paranoia to an extreme level, you would assume that They would show up at your access point and use direction finding equipment to spot your physical location. “Tinfoil!” you say? Keychain WiFi access point finders have had crude DF capabilities for years. Then you have civilian grade WiFi network engineering stuff like the Yellow Jacket. Direction finding is as old as the hills and trivial to do. If you do happen to attract the wrong kind of attention on an anonymous base station, pinpointing your location would be a simple matter.

Solution? If you are playing this game as if your life is on the line, don’t use the same open base station twice. Hey, this post is going out to those of you who send me the paranoid emails. You wanted to know, I’m telling you! I mean, it would suck to look toward your friendly anonymous WiFi provider with a pair of binoculars and see a guy in a suit looking back at you. Hint: if you see a van with several antennas arranged in some geometric pattern on the roof, that would not be a positive development. But that was 1980s era technology, the last time I dabbled with DF gear with a buddy of mine. Here’s a nice little integrated soup to nuts solution that is probably more like what They would be using.

Surf Away: Just Don’t Do Anything That You Normally Do Online

All of the stuff that you do with your “normal” online persona, you know, online banking, checking email, discussion groups, etc: You can’t do any of that. The second you associate a user profile on a server with your behavior, you’re back to square one. The Matrix has you. You would have to create what the intelligence business calls a “legend” for your new anonymous online life. You may only access this persona using these extreme communications security protocols. Obviously, you can’t create an agent X persona via your anonymous connection and then log into some site using that profile on your home cable modem connection. To borrow another bit of jargon from the people who do this for real, full time, you must practice “compartmentalization.”

If you actually attract the wrong kind of attention on a server, OR a network, with your agent X persona, if you haven’t f@#$%& up in some way, all roads will lead back to the open base station.

“After connecting through the open WiFi network, should I also use an anonymous proxy?”

I would assume that even if the proxy is clean, and there is no way to know that it is, They will have that thing covered on the network, end to end. Physical disassociation from the access point is the best proxy.

Client Side

Never write anything to disk. Oh, you weren’t planning on using your Windows or MacOS laptop with all of those closed source binaries whirring away, were you? Man, I don’t know where you got your tinfoil hat, but that thing is obviously defective.

You will have to learn about Live CD distributions of Linux.

You boot that thing. Do your business. Turn off the computer. Nothing is written to the hard disk.

“But I need to save my work?”

If you want to save your work, the easiest way of routinely handling an encrypted workflow is to use an encrypted volume and a tool that only decrypts your data on the fly, in RAM. The best tool I know of for handling encrypted volumes is TrueCrypt. Hint: Use cascading encryption algorithms. [UPDATE: Is TrueCrypt a Honeypot?] Do They have some technology, in an underground hangar at Area 51, that’s capable of breaking one of those cascading crypto schemes? I don’t know. I doubt it, but anything is possible when infinite budgets are involved.

Hey, man, you wanted to save your work, right? That’s the score when you’ve got half a roll of Reynolds Wrap® Aluminum Foil around your head.

“But I need to send email.”

For our purposes here, I wouldn’t. Email is locked down and heavily surveilled, partially because of the plague of spam, but read on…

I don’t believe in web based email solutions that purport to provide strong encryption and/or anonymity. Who knows what their applets and servers are doing? Not me. And if they rely on SSL, well, that’s ok for buying a book online, but no tinfoiler in his right mind would bet his life on SSL. The Thunderbird/Enigmail/GPG solution is the best way to send and receive VERY secure email that I know of. But will your agent X persona be able to deliver email via SMTP? I wouldn’t count on it. And from which domain? Unless you are very naughty, you shouldn’t be allowed anonymous access to an SMTP server anyway.

You might have to go with a throw-away web based email account and then cut and paste your encrypted messages into that. As a rule, however, never compose a message that you plan on encrypting in a web based form. Some of them use technologies that transmit what you’re typing over the web AS YOU TYPE. This is so you don’t lose what you typed if the session cuts out, but guess what? That’s right, you just blew it.

Use open source tools that are running locally on your system to encrypt and decrypt messages.

An effective way of communicating with someone, outside of email, would be via newsgroup or bulletin board that allows anonymous posting. (Note: If you try it here, I’ll just delete it.) You are, in effect, using the board as a numbers station. You’re not trying to hide the signal. You assume that it will be intercepted. You encrypt your message to the recipient, using his/her public key, and post the ciphertext to the board. The recipient goes on there, copies the message and decrypts it. I first encountered this in the mid 1990s on usenet. Of course, the person on the other end needs to have the same level of discipline and paranoia as you for this to work properly.

Last but not least: Make sure that you spoof your MAC address EVERY time you go online. Funny story: I worked at a place that was locked down to the point that every MAC address was screened at the network level. Say, for example, that someone brought in a personal laptop from home. Even though there was no chance of being able to use the network for much (domain sign-on was required), the switch would alert a sysadmin that an alien device was plugged into the network, along with the jack/cube/desk number.

MAC addresses are unique, and perfect for surveillance purposes. Always spoof your MAC address when you’re running in agent x mode.
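The switch-port alarm described above is easy to reproduce from the defender’s side. The following script is an added example, not code from the original post: it takes a constructed switch report (port, jack label, observed MAC), compares it against a constructed inventory of who is supposed to be plugged in where, and also checks the IEEE locally-administered bit (bit 1 of the first octet), which software-assigned or randomised MAC addresses usually set and factory burned-in addresses do not. The inventory, the report lines and the jack labels are all made up for the example.

```python
"""Added example: flag unexpected devices from a switch's port/MAC report.

Inventory, report lines and jack labels are constructed for illustration.
"""
import re

# Constructed inventory: jack label -> MAC of the device registered there.
INVENTORY = {
    "jack-3-14": "00:1a:2b:3c:4d:5e",
    "jack-3-15": "00:1a:2b:3c:4d:5f",
    "jack-3-16": "3c:22:fb:10:20:30",
}

# Constructed switch report: "<port> <jack> <observed MAC>" per line.
SWITCH_REPORT = """\
Gi1/0/14 jack-3-14 00:1a:2b:3c:4d:5e
Gi1/0/15 jack-3-15 02:de:ad:be:ef:01
Gi1/0/16 jack-3-16 3c:22:fb:10:20:30
Gi1/0/17 jack-3-17 00:50:56:aa:bb:cc
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Return the lower-case colon-separated form; reject anything else."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.

    Burned-in IEEE addresses have this bit clear; addresses assigned by
    software (randomised, virtual, or manually set) usually have it set.
    """
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def audit_switch_report(report: str, inventory: dict) -> list:
    """Return one alert dict per observation that deserves a look."""
    alerts = []
    for line in report.splitlines():
        if not line.strip():
            continue
        port, jack, mac = line.split()
        mac = normalize_mac(mac)
        expected = inventory.get(jack)
        reasons = []
        if expected is None:
            reasons.append("no device registered for this jack")
        elif normalize_mac(expected) != mac:
            reasons.append(f"expected {normalize_mac(expected)}")
        if is_locally_administered(mac):
            reasons.append("locally administered MAC (software-assigned)")
        if reasons:
            alerts.append({"port": port, "jack": jack, "mac": mac,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in audit_switch_report(SWITCH_REPORT, INVENTORY):
        print(f"ALERT {a['port']} ({a['jack']}) {a['mac']}: "
              f"{'; '.join(a['reasons'])}")
```

On the constructed report this raises two alerts: the device on jack-3-15 is not the registered one and carries a software-assigned address, and jack-3-17 has no registered device at all. The U/L-bit check is a heuristic, not proof: a spoofed address can copy a burned-in one bit for bit, which is exactly why the inventory comparison is the stronger of the two checks.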

Well, that’s pretty much it. (Actually, I’m tired of typing.) I didn’t say it was going to be easy, and you should watch out for people and products that make those claims.

Of course, evil people could use the above techniques to do evil things, and that is the argument that the government will use to convince you to submit to total surveillance of everything you do.

In case you’re curious about how I get online: I use Windows XP on a five year old laptop, from home. While I’m running two firewalls, there’s no onion routing, proxies, live CD operating systems and I don’t bother with spoofing my MAC address. If you use a bank that knows where you live, They know where you live. Since I’m forced to use such a bank, I don’t bother with the rest. The Matrix has me.

If you think being anonymous online is hard, try living without a bank account…. Sorry, being homeless in a city park doesn’t count.

Oh yeah, what about Tor…

HAHA. Imagine my shock.

Via: tin0.de:

A group of 9 Tor routers also functioning overtly or indirectly as Tor exit nodes have been observed colluding on the public Tor network.

Due to the sheer amount of traffic apparently passing through this collusion network, consolidation and analysis of exit node traffic is only one of several forms of anonymity attacks made more feasible. Hence these 9 routers appear to pose a significant anonymity threat to users of the public Tor network.

For Gearheads: Read the Comments by Shaunc on This Reddit Thread

Just don’t read them before bed. Creeeeeeeepy.

More: Believe in Tor, Require Fewer Layers of Tinfoil, U.S. Government Not Your Enemy? This Might Do

33 Responses to “High-Traffic Colluding Tor Routers in Washington, D.C., and the Ugly Truth About Online Anonymity”

  1. Jack says:

    Hey Kevin,

    Thanks for the great post, sorry I don’t have anything useful to add. 😛

  2. Eileen says:

    I read the whole post Kevin, and sheesh, I realize what an ignoramus I am re Internet protocol. What to do, I dunno. I think you just wrote the “Internet War Manual” – kind of a new S.O.S. Morse Code.
    In any case, I went to Cryptogone (for the first time) after your post re them being shut down. Absoulutely (mispell intentional) ridiculous that this site was shut down for questioning “authority.” I wish I had gone to this site previously. We have a government magazine in our office that I also read for the first time today, and I can’t see what that magazine had in it that was any different than the site. I’m going to send the author $25 bucks for his archive disk. Dunno what else to do tonight. Thanks for allowing readers like me to post to your site even if Big Bro finds this post totally, majorly, annoyingly, BORING.
    After all, isn’t it all supposed to be zeroes and ones?

  3. pookie says:

    Whoah! This calls for another glass of vino as I gently ease my eyeballs back into their sockets. My tinfoil hat is suddenly looking decidedly shabby and ineffectual. As the Founder and President of the CCC (Clueless Cryptogoners Club), I respectfully request a translation of the last sentence of Kevin’s post, in such terms that even the most clueless members of the CCC (and that would include the Pook) can understand.

  4. bob m says:

    Tor is considered to be a more secure form of anonymous surfing. This suggests that isn’t the case and hasn’t been for a while.
    great post kev. a nice cut at the knot.

  5. Kevin says:

    It just means that you shouldn’t trust Tor. The system is vulnerable to traffic analysis and, in fact, a large amount of traffic is flowing through just a few nodes in Washington, DC. Someone is trying to ID the origin and endpoints of that traffic.

  6. Dennis says:

    Kevin, this is, perhaps, slightly off-target here but I read about Pharming recently and it is just another way that the unwary can have their systems subverted.

    http://samadhisoft.com/2007/02/23/a-new-computer-hacking-attack-called-pharming/

  7. Kevin says:

    Pharming. Network delivery of an attack that wardrivers have been using for about 7 years.

    Firefox + NoScript, I say.

    But forget the browser level for a minute…

    You wouldn’t believe how many times I’ve encountered default passwords on open WiFi routers DURING SECURITY AUDITS for clients!

    I kinda miss seeing the reactions of PHBs (executives) when I demo that trick for them.

    “Imagine I’m a greasy haired, pimply faced, 14 year old kid sitting outside your office on my skateboard with a laptop just like this… laaaaaaaate at night,” I’d say in an ominous tone.

    The PHBs would tremble in horror, and their skin tone would change from their normal shade of pink/purple to white.

    HA

    While we’re off topic, the most hilarious IT related commercial of all time:

    Internet Security Systems
    “Capitalistic Police”

    http://www.kaneva.com/asset/assetDetails.aspx?assetId=6507&communityId=0

  8. souls says:

    hm, i am wondering a little. this post is really old (may 2006) and by now it has also been cleared why this happened: some admin wanted to run virtualization on a server and installed a tor instance on every virtual machine. tor has reacted since then and created a policy that will not place more than one exit node per /16 in your routing table. sound policy, should work.

    in general i can only recommend usage of Tor as I fully trust the service and the capabilities of those that created it. I agree that using Tor is not all there is to staying anonymous but it makes a good beginning.

    best ones
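The per-circuit /16 rule that the comment above refers to can be illustrated with a few lines of Python. This is an added example, not Tor’s own code or the project’s implementation: it models a constructed relay list in which one operator has three relays in the same /16 and shows that, once paths containing two relays from one /16 are rejected, that operator can hold at most one hop of any circuit. The relay names and addresses are made up.

```python
"""Added example: the "no two relays from the same /16 on one circuit" rule.

Relay names and addresses are constructed; this is an illustration of the
policy, not Tor's path-selection code.
"""
import ipaddress
from itertools import permutations

# Constructed relays. The three "*A" relays sit in 10.20.0.0/16, as a single
# operator running many instances in one address block would.
RELAYS = {
    "guardA": "10.20.1.1",
    "middleA": "10.20.7.2",
    "exitA": "10.20.9.3",
    "guardB": "192.0.2.10",
    "middleB": "198.51.100.20",
    "exitB": "203.0.113.30",
}


def slash16(ip: str) -> ipaddress.IPv4Network:
    """The /16 block an IPv4 address belongs to."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def path_is_allowed(path: list, relays: dict) -> bool:
    """True if no two relays on the path share a /16."""
    seen = set()
    for name in path:
        net = slash16(relays[name])
        if net in seen:
            return False
        seen.add(net)
    return True


def count_allowed_paths(relays: dict, hops: int = 3) -> tuple:
    """Count ordered hop choices before and after applying the /16 rule."""
    total = allowed = 0
    for path in permutations(relays, hops):
        total += 1
        if path_is_allowed(list(path), relays):
            allowed += 1
    return total, allowed


def max_hops_from_block(relays: dict, block: str, hops: int = 3) -> int:
    """Largest number of hops one /16 can occupy on any allowed path."""
    target = ipaddress.ip_network(block)
    best = 0
    for path in permutations(relays, hops):
        if path_is_allowed(list(path), relays):
            in_block = sum(slash16(relays[n]) == target for n in path)
            best = max(best, in_block)
    return best


if __name__ == "__main__":
    total, allowed = count_allowed_paths(RELAYS)
    print(f"{allowed} of {total} three-hop paths survive the /16 rule")
    print("hops 10.20.0.0/16 can occupy on one path:",
          max_hops_from_block(RELAYS, "10.20.0.0/16"))
```

With these six relays, 60 of the 120 ordered three-hop paths survive the rule, and the operator of 10.20.0.0/16 never sees both ends of a circuit. The rule only addresses operators who cluster in one address block; relays spread across many networks are the case the original post is worried about, and a /16 check does nothing for that.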

  9. Kevin says:

    @ souls

    http://reddit.com/info/1hoyr/comments/c1htwc

    Setting up 2 TOR servers on the same machine, I can easily understand how that could be an innocent mistake. But 30 nodes across 2 machines? Whoops, an accident? I don’t buy it. Forgot about a transparent proxy? I can even envision that. Yet when a TOR developer tracked him down last year, instead of fixing the network issue, he instead killed off two thirds of his TOR servers and left the rest running? No, I don’t think so.

    To set up 30 TOR servers on different interfaces across two boxes takes a conscious effort, and I seriously doubt that there exists Some Dumb Guy From Dubai who knows enough about FreeBSD to set up 30 instances of TOR for “private use,” but doesn’t know enough about ipfw or pf to properly secure them.

    The full thread from Reddit user Shaunc, very interesting:

    http://reddit.com/info/1hoyr/comments/c1hswq?opt_cstyle=nested

    – – –

    Also, you wrote, “in general i can only recommend usage of Tor as I fully trust the service and the capabilities of those that created it”

    Actually, the U.S. Navy created the underlying technology, and yes, I know it’s open source, blah blah. I get it.

    http://www.wired.com/politics/law/news/2001/08/46126

    Patent number 6,266,704

    http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=7&f=G&l=50&co1=AND&d=PTXT&s1=6,266,704&OS=6,266,704&RS=6,266,704

    But then there’s always the Tor homepage which says:

    http://tor.eff.org/

    “remember that this is development code—it’s not a good idea to rely on the current Tor network if you really need strong anonymity.”

    So…….

    “Fully trust” and “Tor” don’t belong in the same sentence, even according to the current developers.

  10. […] cryptogon.com » Archives » High-Traffic Colluding Tor Routers in Washington, D.C., and the Ugly Tr… Kevin provides a nice summary about Internet security and how commonly thought of tactics are lame. (tags: computers internet security j00_R_pwn3d) […]

  11. cryingfreeman says:

    Excellent article, Kevin. Pure gold, actually.

    Good point too re user profiles online. I’ve long been aware that I could be identified from anywhere on the globe due to my surfing pattern. Taking a fictional example derived loosely from my own:

    1. Each day, citizen X visits a site for a small German soccer club – maybe 100 daily visitors.
    2. Then he visits a news site covering a small town in rural Scotland from whence his parents come. Again, a limited readership.
    3. After that, he checks out a blog site discussing weather forecast models.

    How many people on earth would have those specialised interests? In that combination? In regard to my own surfing habits, I would have to conclude that mine are as unique as my DNA. But at least knowing this gives me some kind of advantage should things take a turn for the worst.
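The question in the comment above (“how many people on earth would have those specialised interests, in that combination?”) has a standard answer in bits. Each habit shared by only a fraction of the population contributes -log2(fraction) bits of identifying information, and about log2(population) bits are enough to single out one person. The script below is an added example, not part of the original post or comment; the population figure and the audience sizes for the three sites are constructed, and the independence assumption it makes is optimistic, since correlated habits add fewer bits than the sum suggests.

```python
"""Added example: bits of identifying information in a browsing pattern.

Population and audience figures are constructed. Habits are treated as
independent, which overstates the total; real habits are correlated.
"""
import math

POPULATION = 2_000_000_000  # constructed round figure for people online

# Constructed habits modelled on the comment: (label, daily audience size)
HABITS = [
    ("small German football club site", 100),
    ("rural Scottish town news site", 2_000),
    ("weather-model blog", 5_000),
]


def surprisal_bits(audience: int, population: int) -> float:
    """Bits of identifying information in being one of `audience` people."""
    if not 0 < audience <= population:
        raise ValueError("audience must be between 1 and population")
    return -math.log2(audience / population)


def profile_bits(habits: list, population: int) -> float:
    """Total bits, assuming the habits are independent of one another."""
    return sum(surprisal_bits(audience, population) for _, audience in habits)


def bits_to_identify(population: int) -> float:
    """Bits needed to single out one person in a population of this size."""
    return math.log2(population)


def expected_matches(habits: list, population: int) -> float:
    """Expected number of people sharing the whole pattern (independence assumed)."""
    share = 1.0
    for _, audience in habits:
        share *= audience / population
    return population * share


if __name__ == "__main__":
    for label, audience in HABITS:
        print(f"{label:35s} {surprisal_bits(audience, POPULATION):6.2f} bits")
    print(f"total (independent) {profile_bits(HABITS, POPULATION):6.2f} bits")
    print(f"needed to identify  {bits_to_identify(POPULATION):6.2f} bits")
    print(f"expected others matching the pattern: "
          f"{expected_matches(HABITS, POPULATION):.2e}")
```

With the constructed figures the three habits sum to roughly 63 bits against the 31 or so needed to identify one person out of two billion, so the pattern is far past unique even if the independence assumption is off by a wide margin. That is the same arithmetic behind the “How Unique Is Your Browser?” link in the 2013 update at the top of the post, applied to site visits instead of browser attributes.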

  12. Mike says:

    That’s a pretty good summary of what the rabbit hole looks like from the outside, Kevin. =)

    Seeing the inner workings of large scale marketing databases and how the information is collected and used has given me some additional insights into the machine. The most interesting detail is that a lack of information is interesting information by itself.

    For example, you have an address on your driver’s license. That provides a particular location that allows one to infer demographics. An address to a house in a nice part of town implies a certain range per month either in loan or rental payments. That implies a minimum income range. There are all sorts of things that build profiles of what you would look like if you were normal as well as standard deviating patterns. If you’re missing too much of that information, you stand out.

    This is why I have to roll my eyes when people talk about things like only buying firearms from private parties to avoid a paper trail. The same people will frequently purchase several cases of ammo on a credit card or get a concealed weapon permit. The fundamental misunderstanding is that you can hide a piece of information. It’s the pattern that you want to show or hide, not the individual data point.

    Often times when people talk about anonymity, they really want plausible deniability. There’s little difference if you’re on your own. However, if you have a group of people that you can trust, it becomes much easier. For many years, a group of friends and I did this. When one person has 10 pagers and another has 6 cell phones, it just screws up the data. For a couple of years, I didn’t even “own” the car I was using exclusively.

    Poisoning databases with useless or bad information is worse for the data aggregators than trying to hide it. I’ve maintained multiple valid mailing addresses for at least 15 years. Bogus information can be detected and removed, but conflicting valid information is just weird. Missing data can be filled in with assumed norms to complete the overall picture. Known goofy data points to something else entirely. One person with several cell phones screams “small business” apparently. =)

  13. Goggles Paesano says:

    Quote: “Use open source tools that are running locally on your system to encrypt and decrypt messages.”

    Uh oh. I just thought of something…

    The rabbit hole goes still deeper. Try reading Ken Thompson’s (of UNIX fame) Turing Award lecture:
    http://www.acm.org/classics/sep95/

    Ken describes how to modify a computer system to insert a backdoor undetectable by source code inspection. The trojan can replicate itself, by compromising the compiler used to turn source code into a runnable program.

    Using open source and compiling things yourself won’t help in such a case. If this kind of attack were made on, say, your favourite LiveCD Linux and anonymization tools, you’d be toast.

    Download clean source code for your favourite tool and recompile… no good. Recompile the compiler using clean source? Toast again: the trojan recognizes the attempt to compile the compiler, and inserts the bug into the newly built compiler.

    Ken’s lecture concludes:
    “You can’t trust code that you did not totally create yourself. […] No amount of source-level verification or scrutiny will protect you from using untrusted code.”

    Gads… Now I’m wishing I hadn’t gotten out of bed this morning.

  14. […] if you thought online anonymity was a tough nut to crack, try keeping your financial life […]

  15. JD says:

    To quote Tor Overview:

    A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

    Still, Tor is useful for things such as getting around the Caribou Coffee Internet Filter – which is what I’m doing right now. Don’t trust it for anything more.

  16. Kevin says:

    Oh sure. Nobody said Tor was useless. There are lots of tools that are great for use against idiot PHBs and organizations that expect their employees to be working when they’re on the clock. My favorite for that purpose was logmein.com, which, by some miracle, wasn’t blocked in the most locked down corporate environment I’d ever worked on. HAHAHA. Works right inside your browser. Excellent.

    Be careful, though, about keystroke logging when playing these games at work.

  17. I’m so glad you posted this, Kevin. I too, have experimented with TOR, Firefox, Linux, etc. etc.

    Now, I lack comprehensive IT knowledge. However, I am aware of my limitation. One limitation I do not have: fear of assuming the worst. See, assuming the worst is like a game. When you assume the worst, you shoot yourself up with liquid fear. Then you try to banish the fear by adjusting to the reality that you do not have control over everything, and move on.

    The lesson, in my opinion, of TOR and other so-called tools conveniently marketed by allegedly benevolent haxxors like those at Cult of the Dead Cow, is “Caveat Emptor.”

    Sure, you may not have to cough up any fiat currency to pay for such tools, but by using them, you put yourself at risk of buying into the intangible ideas and values they sell.

    If I didn’t make it, and I don’t understand it, and I know, assuming the worst, that even if I take a million classes in computer science, I may never understand it because key pieces of knowledge are omitted from those courses for National Security Reasons, or for Corporatocracy Intellectual Property Reasons, or for Chaos-Induced Idiot Savante-Stupidity Reasons, then I must confront the REALITY that there is no such thing as absolute security and anonymity. The whole thing is just one computer-geek pipe-dream sold to idiots useful for their willingness to buy minute chunks of knowledge they were too lazy to earn the hard way.

    Example1: you purchase a $10,000 biometric security device, but the Meth-Fiend merely jumps through your plate-glass window to rape your wife and devour your children. You NOOB, you got PWNED by the l33ts who sold you their crappy security device!

    Example2: having just witnessed an entire generation of young men bled dry, you build a giant, state-of-the-art Maginot line to protect you from your blood-thirsty Teutonic neighbors, only to find that they go around your armored shell to get your soft underbelly, through Belgium. You NOOB, you got PWNED by the l33ts who sold you their crappy, outdated military offensive and defensive systems!

    Interesting Side-note: Read about how the Swiss prepared for WWII. If every country could be “neutral” like the Swiss, we would never have wars, ever. Of course, Switzerland was formed by ex-mercenaries, latter-day Blackwater types; so it was easy for them to set up their “free” state; they just picked a patch of mountains, and fortified the hell out of it. Switzerland, is/was the microcosm of what the United States tried/tries to be the macrocosm of.

    Anyway, Boingboing shilled TOR for awhile, constantly linking to it, then one day, it posted a link that mentioned a Prof. who was teaching TOR and how he was confronted by a sysadmin who told him that only he and one other person were USING TOR. If the sysadmin knows your computer is using TOR, then it ain’t much good, if you wish to be TRULY anonymous.

    But then again, like you said, it was never anything more than a honeypot.

  18. fallout11 says:

    Windows Vista has confirmed backdoor/trojan functionality built right in, which is how Vista’s much maligned device driver confirmation and revocation process is accomplished.
    A crack in the shell…..

  19. Jack says:

    As I’ve suggested elsewhere, perhaps it’s time to start using things like the “Echelon Spoofer”:

    http://echelonspoofer.com

  20. doug says:

    My two bits of chaff are: avoid directional sensing by being totally remote from the transmitter that connects to the network. I.e. move a secondary laptop with cantenna around, and connect to that one, ideally from a random remote location.

    Two: Steganography is really going to be better than crypto. My assumption is that They can crack any code you have. PGP, yeah, go ahead, sure. Then the idea becomes to hide the information in something innocuous that wouldn’t be searched. Let’s say, in spam. Or, a series of spam messages. Also, identity spoofing/theft would come in here, based on the good analysis above stating that you can never really be anonymous. You just make it look like someone else is doing it.

  21. Nemo says:

    I can certainly understand the military not trusting TOR, but do you have any thoughts on their blocking access *from* TOR? Not playing nice with other agencies, or do they know something (they think) you and I don’t?

  22. Anakaine says:

    If we were to simply omit the whole internet / geek thing for just a short moment in time, and consider the gathering of information here, I’m sure that a carrier pigeon, and a job that pays cash only is a fantastic start.

    There are some old school guides available around the place if you look hard enough, written in the 60’s/70’s that still contain some excellent information for everyday anonymity. Mind you, I think they are a little ‘out there’ as far as their purpose goes.

    But the moral of the story, if you have nothing to hide, you have nothing to worry about. Even at corporate level, it’s quite often a trivial matter to bypass security and gain secure access to the outside world.

    The government isn’t going to sit and watch all your doings on the net, simply because they can. You, quite frankly, are a waste of resources unless you are of particular interest. If you are of interest, you should know better than to use electronic communication.

    Simple concept.

    Ana.

  23. Kevin says:

    @ Anakaine

    >>>But the moral of the story, if you have nothing to hide, you have nothing to worry about.

    I don’t know who started this silly theory, but it’s wrong. Dead wrong:

    Princeton Professor, Former U.S. Marine Colonel On Terrorist Watch List for Criticizing Bush

    https://cryptogon.com/?p=596

    What does he have to hide?

    See also:

    They Thought They Were Free: The Germans, 1933-45 by Milton Mayer

    http://www.amazon.com/exec/obidos/ASIN/0226511928/ref=nosim/cryptogoncom-20

  24. Great post. I’d like to see Part 2 on how to make as much noise as possible.

  25. DaveX says:

    Who says they (and I mean ANY “they”) have to catch you doing anything wrong at all? If they want you dead/maimed/out of the picture for whatever reason, they can do it. The ultimate end to all the paranoia is a person who is willing to do anything whatsoever to get what they want, regardless of law or effort. There are more people like this in the world than you’d think. It’s best to shoot for reasonable security against opportunists, and just hope you never attract the attention of the rest in any way.

  26. ioerror says:

    // MOD

    https://cryptogon.com/?p=624#comment-7467

    Setting up 2 TOR servers on the same machine, I can easily understand how that could be an innocent mistake. But 30 nodes across 2 machines? Whoops, an accident? I don’t buy it. Forgot about a transparent proxy? I can even envision that. Yet when a TOR developer tracked him down last year, instead of fixing the network issue, he instead killed off two thirds of his TOR servers and left the rest running? No, I don’t think so.

    To set up 30 TOR servers on different interfaces across two boxes takes a conscious effort, and I seriously doubt that there exists Some Dumb Guy From Dubai who knows enough about FreeBSD to set up 30 instances of TOR for “private use,” but doesn’t know enough about ipfw or pf to properly secure them.

    Thank you,
    Kevin

    // MOD

    You’re mistaken. This was an accident and people in the Tor community actually know about this.

    See this link for the emails on the Or-Talk list.

  27. dog says:

    It’s actually nice to see some people with a lot of paranoia. To a certain degree it’s a good thing, but paranoia can kill you – if you have lost your common sense, and common sense is based on knowledge and logic.
    You cannot do everything just because of an unlimited budget. There are certain boundaries in technology and there are great minds out there who actually don’t work for some government, but for the open-source community. But maybe you don’t trust them, maybe the government is using alien technology, maybe, maybe … an endless limbo of maybe. And in the end you’re already dead, you cannot move anymore, you’re seeing spies everywhere, your whole life is a life in the matrix. Welcome to fantasia, you’re lost in your imagination, far far away from reality.

    If you want to believe in an evil empire, you will actually “see it” everywhere and nobody can prove otherwise. It’s up to you to build some common sense; try it – it’s hard. There are real dangers out there, but you see only your very own nightmares. It’s a pity, there is a lot of potential in this website.

    All very interesting. Look, if the super-duper guys want to read my stuff, OK. I am sure they might have a chuckle and tag me as something near the idiot ref. But I just want to feel OK about buying something online without some nasty scum ripping me off. I am so unsure anymore that I will not buy online, I really wish I could. Then there are the online sales who say oh oh we use SSL or some other thing that means nothing to me. So the data may be secure in transmission, but will it be stored securely? And for sure the sales peeps have no clue. Damn, if the online store got their ^$&%#^*$E&IRiu right and gave me some confidence rather than trying to feed me a bunch of blub blub, they could make way more sales. I am so fed up with the nasty viruses etc… that I rarely bother to use email.

    The Net and Web are great tools and seem to have arrived at the commons crisis, online stores looking for their nickel and not caring about the security of the data.

    I guess I am off topic but that is my venting 50cents.

  29. switch says:

    The so-called “neutral” Swiss were just collaborators with the Germans in the war. This is how the Germans kept their war production machine free from attack. The Swiss tripled their gold reserve during the war! Neutral, my ass!

  30. Anonymous says:

    I haven’t actually heard of any of those Evil Terrorist-Support Child-Pornography-Making Software-Pirating Communist Freedom-Hating Scum being caught on Tor, so I’d have to say it’s pretty secure. Would I trust it to keep /me/ safe from an attack on /me/ (not the network, but /me/ specifically) from the NSA? No. But, I wouldn’t trust a tank for that, so, I still think it’s OK.

  31. BlueTone says:

    The very Great thing here is what am I paying the congressmen that are supposed to be safeguarding my rights for? How should I feel about this? I like respect all around.

  32. cryingfreeman says:

    This missive and thread remain the best and most important article I’ve yet seen on the web on this subject.
