[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Email provider for privacy-minded folk

> Joe Btfsplk:
>> On 2/18/2013 9:01 PM, Mysterious Flyer wrote:
>>> Ummmmm.  I am the REAL mysteriousflyer@xxxxxxxxxx  I guess it's 
>>> super-duper easy for a person's user names and passwords to get
>>> hacked when accessing e-mail over Tor.  I also noticed that
>>> someone has been reading my gmails (since they were marked as
>>> read), so I changed my password over there and will never access
>>> gmail through Tor again. Someone ALSO made a copy of my debit
>>> card and tried to use it in another state, but that may be
>>> coincidence.  Does anyone have any knowledge as to HOW a hacker
>>> may get this information?  Is it through an exit server?  I
>>> certainly never made any online purchases through Tor.
>>> On 2/11/2013 9:51 PM, Griffin Boyce wrote:
>>>> There are some good ones out there, but if you're using Tor to
>>>> create the account and login, you should know that many have
>>>> started blocking Tor users (or deactivating their accounts in
>>>> the case of Yahoo). Size could also be an issue, but if you're
>>>> deleting them off the server on download, then that problem
>>>> goes away.
>>>> ~Griffin
>>>> On Mon, Feb 11, 2013 at 10:10 PM, Mysterious Flyer < 
>>>> mysteriousflyer@xxxxxxxxx> wrote:
>> Will the real Mysteriousflyer please stand up?  Maybe the list
>> admins can trace the 1st mysteriousflyer & your emails, back to the
>> origin & gain some knowledge. I don't know about the dual use /
>> acct hacking, but if you send unencrypted data through a Tor exit,
>> a malicious relay operator could capture it.  This is & has been
>> well documented for ages. "DON'T send any critical data, if not
>> using secure connection (or encrypted file) through Tor."  Treat it
>> like you would dealing w/ your bank - you wouldn't do business on a
>> non secure connection (with the destination site).
>> Do you use gmail's https connection - both w/ Tor & w/out?  You
>> should. If you don't, they could have gotten your PW, if using a
>> regular browser or Tor Browser.
>> If you use gmail's (or any) https connection, it's no easier for an
>> exit relay to steal your PW than anyone else, AFAIK.  It's still an
>> encrypted connection.
>> But, as news stories point out, there are many ways for hackers /
>> con men to get your PW other than running a Tor relay.  If your PW
>> wasn't that strong, they could easily hack it using software.  I
>> assume they didn't have your PW reset, but that's another way
>> hackers do it - if they can guess security question answers, or
>> they know you or something about you (or can look it up).
>> How would they make a copy of a debit card through Tor or your
>> Gmail acct?  Do you keep a picture or all data of the card,
>> unencrypted in your email acct? Also, using a credit card is
>> generally safer than debit cards. You're better protected by the
>> contract of most CC companies. 
>> _______________________________________________
> When I read this I was thinking "hmm, if he was using https" then it's
> unlikely that this could occur. I'm pretty sure that's the default
> nowadays anyway, especially for authentication.
> You can further tighten security by using two-factor authentication.
> My guess would be they got the password some other way other than
> posing as a malicious tor exit node.

Or he just ignored the SSL warning like so many people do.
tor-talk mailing list