[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000

To: "tor-talk@xxxxxxxxxxxxxxxxxxxx" <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000
From: C B <cb736@xxxxxxxxx>
Date: Thu, 3 Jul 2014 21:52:37 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 04 Jul 2014 00:57:15 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1404449557; bh=A3mdyA3hSFJ0vsUlidcPcYYXnhMsll9WSXqk7w0DEXk=; h=References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=pQxHiSdsUw9yQHpme3YsgjEbUSYDCHqBNNfhAW6dH6Pbn8qn7oklptfuDLlNxAFJaXL1Ys1No/Y4Vcx69/YVXHtfGuT6Sd6Kc7W2T+xqa1W9Fw86s6vMq9z5yqihb/9vYSd1rOz2Uast7hYQHLCMIGZf60ddAw31YLoDEzP/Ajk=
In-reply-to: <53B60B13.2020004@xxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CAD2Ti28UgXbB6wEry3VZjaWg4-8j7Ddi6stAfP7y+DrXWQn-0A@xxxxxxxxxxxxxx> <53B5CFE6.8000102@xxxxxxxxxxxxxx> <CACbaT3YTV045R8=TuGUb=uxE0F+3Nay25QHzv512eeCFtJXcJw@xxxxxxxxxxxxxx> <53B60B13.2020004@xxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

It also has to be a hollow claim. To actually "deanonymize" someone would mean making a list of every website that was visited by that client. Not just identify one client that visited one website. And how many clients were you planning on doing that with? It would take an NSA size budget not a $3000 budget to try to do that for everyone. And the NSA apparently can not do it for everyone.

about:tor starts out by saying "Tor is NOT all you need to browse anonymously! You may need to change some of your browsing habits to ensure your identity stays safe" and has some tips at https://www.torproject.org/download/download.html.en#warning which says at the bottom "This list of pitfalls isn't complete, and we need your
help identifying and documenting
all the issues" with a link to https://www.torproject.org/getinvolved/volunteer.html.en#Documentation

Basically we know that Tor is pretty robust, and yes it is being improved. I certainly benefit from using it every day. And all I really care about is no one making a list of my searches and sending me targeted advertising, which is very offensive. But others have much more serious reasons for using Tor.

--
Christopher Booth

________________________________
 From: Yuri <yuri@xxxxxxxxx>
To: tor-talk@xxxxxxxxxxxxxxxxxxxx 
Sent: Thursday, July 3, 2014 10:01 PM
Subject: Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000

On 07/03/2014 16:17, Adrian Crenshaw wrote:
> Best guess, many client side and web app attacks Tor can't do much about.
> (My talk at Defcon will cover a bunch of folks that got Deanonymized, but
> in every case it was not Tor that was really broke)

This actually depends on what to mean by "Tor". If just the network 
level part, then yes. But tor project also provides and promotes TBB, 
which attempts to prevent various client side exploits and web app 
attacks, but apparently can't prevent all of them. If tor project went 
one step further, and developed security-by-isolation approach (using 
virtual machines, like Whonix does), this could prevent practically all 
client side exploits. And pretty much the only way user could be 
deanoned is if he himself typed in his personal information, or logged 
into some service shared with other identities.

Yuri

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] BlackHat2014: Deanonymize Tor for $3000
  - From: grarpamp
- Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000
  - From: krishna e bera
- Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000
  - From: Adrian Crenshaw
- Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000
  - From: Yuri

Prev by Author: Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000
Next by Author: Re: [tor-talk] washingtonpost.com: In NSA-intercepted data, those not targeted far outnumber the foreigners who are
Previous by thread: Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000
Next by thread: Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000
Index(es):
- Author
- Thread