[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Email provider for privacy-minded folk

Hash: SHA512

Joe Btfsplk:
> On 2/18/2013 9:01 PM, Mysterious Flyer wrote:
>> Ummmmm.  I am the REAL mysteriousflyer@xxxxxxxxxx  I guess it's 
>> super-duper easy for a person's user names and passwords to get
>> hacked when accessing e-mail over Tor.  I also noticed that
>> someone has been reading my gmails (since they were marked as
>> read), so I changed my password over there and will never access
>> gmail through Tor again. Someone ALSO made a copy of my debit
>> card and tried to use it in another state, but that may be
>> coincidence.  Does anyone have any knowledge as to HOW a hacker
>> may get this information?  Is it through an exit server?  I
>> certainly never made any online purchases through Tor.
>> On 2/11/2013 9:51 PM, Griffin Boyce wrote:
>>> There are some good ones out there, but if you're using Tor to
>>> create the account and login, you should know that many have
>>> started blocking Tor users (or deactivating their accounts in
>>> the case of Yahoo). Size could also be an issue, but if you're
>>> deleting them off the server on download, then that problem
>>> goes away.
>>> ~Griffin
>>> On Mon, Feb 11, 2013 at 10:10 PM, Mysterious Flyer < 
>>> mysteriousflyer@xxxxxxxxx> wrote:
> Will the real Mysteriousflyer please stand up?  Maybe the list
> admins can trace the 1st mysteriousflyer & your emails, back to the
> origin & gain some knowledge. I don't know about the dual use /
> acct hacking, but if you send unencrypted data through a Tor exit,
> a malicious relay operator could capture it.  This is & has been
> well documented for ages. "DON'T send any critical data, if not
> using secure connection (or encrypted file) through Tor."  Treat it
> like you would dealing w/ your bank - you wouldn't do business on a
> non secure connection (with the destination site).
> Do you use gmail's https connection - both w/ Tor & w/out?  You
> should. If you don't, they could have gotten your PW, if using a
> regular browser or Tor Browser.
> If you use gmail's (or any) https connection, it's no easier for an
> exit relay to steal your PW than anyone else, AFAIK.  It's still an
> encrypted connection.
> But, as news stories point out, there are many ways for hackers /
> con men to get your PW other than running a Tor relay.  If your PW
> wasn't that strong, they could easily hack it using software.  I
> assume they didn't have your PW reset, but that's another way
> hackers do it - if they can guess security question answers, or
> they know you or something about you (or can look it up).
> How would they make a copy of a debit card through Tor or your
> Gmail acct?  Do you keep a picture or all data of the card,
> unencrypted in your email acct? Also, using a credit card is
> generally safer than debit cards. You're better protected by the
> contract of most CC companies. 
> _______________________________________________

When I read this I was thinking "hmm, if he was using https" then it's
unlikely that this could occur. I'm pretty sure that's the default
nowadays anyway, especially for authentication.

You can further tighten security by using two-factor authentication.

My guess would be they got the password some other way other than
posing as a malicious tor exit node.

- -- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313

tor-talk mailing list