
Re: Traces left by Torpark, and other security discussion (was Re: TorPark)



On 11/26/06, Arrakistor <arrakistor@xxxxxxxxx> wrote:
...
I will check out the claims about the registry. I performed a diff on
it from running and after and found only the SSL seed value changed.
Perhaps there are some other changes.

the exact keys may vary from win98/2k/xp, as they often do. (are you using a fixed list of keys to look for, or is there a more in depth search for particular key names/values? a static list will be brittle)


I am wondering if all of that is moot, since we are not actively
destroying the data.

system restore, regsafe, and any number of other snapshot or backup tools for the windows registry would make this ineffective. not to mention remnants on disk but outside the file system view, though such recovery does take special skill.


... The result there is that we may allow scripts to run, but I
am sure we will be automatically adding an SSL certificate acceptance
to the client so the user doesn't get annoying popups when the client
tries to update.

do you mean adding your own CA cert, or just blindly accepting the cert presented upon the first connect to the https server? or something else?

why the focus on automatic updates?  [we thought we'd need these at
one point, but really, it opened up more problems than it solved.
additional care before releases has proved sufficient]


Regarding the swap, that really isn't my specialty, so you are right,
the claim is overstated. I will try to figure out a solution. I spoke
with a few developers about creating ram drives, but this requires
system drivers and administrator access. It may be that we cannot do
anything about it, or more to the point it may be moot because Tor
creates many network signatures. I would sure be interested in
everyone's input.

wiping swap is difficult in such a situation, and i'd be more concerned about document fragments and other information than the network signatures. (network signatures at least are gone once you exit, but sensitive data on disk can live for arbitrary periods of time)

a hard problem, i'd be interested in any potential resolutions you
discover.  encrypting the swap is really the "right way" to solve
this, but again, requires administrator.

best regards,
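As an added illustration of the registry-diff approach discussed above (example code written for this page, not Torpark's own tooling and not from anyone in the thread), the script below compares two .reg exports taken before and after a run and lists every key or value that appeared, vanished or changed, so no static list of key names is needed. The two snapshots are constructed sample data; the parser handles single-line values only (multi-line hex continuations are an assumption it does not cover).

```python
"""Diff two Windows registry exports (.reg text) to find keys and values
that changed while an application ran. Snapshot contents are constructed."""
import re

BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example\Browser]
"SSLSeed"=hex:01,02,03
"HomePage"="about:blank"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example\Browser]
"SSLSeed"=hex:aa,bb,cc
"HomePage"="about:blank"

[HKEY_CURRENT_USER\Software\Example\Browser\History]
"LastVisited"="http://example.test/"
"""


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)          # [HKEY_...] opens a key
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)  # "Name"=data or @=data
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = m.group(2)
    return keys


def diff_reg(before_text, after_text):
    """Return sorted (key, value_name, old, new) tuples; None marks absence."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changes.append((key, name, b.get(name), a.get(name)))
    return changes


if __name__ == "__main__":
    for key, name, old, new in diff_reg(BEFORE, AFTER):
        print(f"{key} :: {name}: {old!r} -> {new!r}")
```

On real systems export both snapshots with `reg export` and run the diff on each hive you care about; the unchanged HomePage value is correctly absent from the output while the new History key shows up as an addition.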