Re: "Practical onion hacking: finding the real address of Tor clients"

These hacks are very ancient news. We first wrote about them in I
think 1998, and many of them especially concerning Java, Javascript,
and ActiveX were not original to us even then. We were also all aware
of GUIDs being embedded in Office Docs, Windows Media Players, Real
players, etc.  Mike Reed wrote a snoop server that we used to have
posted on the onion routing site back then. A nice one that was new at
the time was to embed into the HTML a call to use the RTSP protocol to
load shells of movies into Quicktime, and other media players
specifically to identify the IP address of the sender. There were
other snoop servers and similar demo pages available from Anonymizer,
Digicrime, JAP, and others. I don't know who first put up a demo of
the obvious point that using an anonymous pipe does not imply an
anonymous data stream nor the prevention of opening up a nonanonymous
pipe if one doesn't shut down all other pipes or calls to them through
the anonymous pipe.

So what?

1. It's pretty annoying that every few years someone announces a big
discovery in which they re-invent a wheel that we and others had
invented, implemented and announced many times. Then some press report
jumps all over it like it's a new discovery that surprised the
anonymous communications people unawares or something like that.

2. If the appalling lack of scholarship is annoying, the concerns are
real. It's simultaneously true that it's unfair to yell at someone
still trying to get a core TLS implementation done right for not
having solved all the phishing attacks that might occur over
applications that use it and true that people will get hurt by a
browser that simply offers an OK crypto interface but doesn't cope
with all the exploits that come from not understanding what it
protects and what it doesn't (that's a metaphor, don't take it
literally as about current Tor issues). What we don't need is anyone
else telling us that there's a problem as if we didn't know
that. People have to reinvent wheels a bit as they learn about
something. That's fine, and they should be encouraged and coaxed not
ridiculed. But they shouldn't be tolerated if they put themselves
forth as experts showing something new to the world while refusing to
read any of the documentation, the specs, the code, or the scientific
literature. What we do need are answers.

3.  This is forever an arms race, and, once you get beyond the early
adopters or systems for specialized use, telling people to RTFM is
always a nonanswer. What exactly is an answer? I don't know. Many
people who are on this list have hints of ideas that will help
somewhat and they have been raising them, implementing them, analyzing
them in papers, etc. I make one suggestion here so that I'm not just
grousing, even constructively.

It might be good to have a testing page that is part of the setup
wizards in some way as well as being fairly prominent on the homepage.
Apologies if someone has already suggested that and I forgot (and
especially apologies if that someone was me). There are lots of issues
implicit in this suggestion, but nunc scripsi totam pro publio, da
mihi potum.

Paul Syverson                              ()  ascii ribbon campaign  
Contact info at http://www.syverson.org/   /\  against html e-mail
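The point raised above, that an anonymous pipe does nothing for connections that are opened around it, together with the suggested self-test page, as an added example that is not code from this message or from the Tor project: a small Python checker that reads a netstat-style list of outbound connections (a constructed sample, not real captured data) and flags every one that is not routed to the local SOCKS port. The proxy address, the log format and the process names are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed local SOCKS endpoint of the anonymising client (hypothetical value).
PROXY_HOST = "127.0.0.1"
PROXY_PORT = 9050

# Constructed sample in a netstat-like form: "proto local -> remote state (process)".
# The media-player and Java lines model helper applications opening their own
# sockets instead of going through the SOCKS pipe.
SAMPLE_LOG = """\
tcp 127.0.0.1:41022 -> 127.0.0.1:9050 ESTABLISHED (firefox)
tcp 127.0.0.1:41024 -> 127.0.0.1:9050 ESTABLISHED (firefox)
tcp 192.0.2.10:41030 -> 198.51.100.7:554 SYN_SENT (quicktime)
tcp 192.0.2.10:41031 -> 203.0.113.5:80 ESTABLISHED (java)
udp 192.0.2.10:53012 -> 192.0.2.1:53 - (java)
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<lhost>[\d.]+):(?P<lport>\d+)\s+->\s+"
    r"(?P<rhost>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s+\((?P<proc>[^)]+)\)$"
)


@dataclass(frozen=True)
class Leak:
    proto: str
    remote: str
    port: int
    process: str
    reason: str


def parse_line(line):
    """Return the fields of one connection record, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_leaks(log_text, proxy_host=PROXY_HOST, proxy_port=PROXY_PORT):
    """Return every connection that does not terminate at the local SOCKS port."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rport = int(rec["rport"])
        if rec["proto"] == "tcp" and rec["rhost"] == proxy_host and rport == proxy_port:
            continue  # carried by the anonymising pipe
        if rec["proto"] != "tcp":
            reason = "non-TCP traffic (e.g. DNS) cannot ride a SOCKS/TCP pipe"
        elif ipaddress.ip_address(rec["rhost"]).is_loopback:
            reason = "loopback destination that is not the proxy port"
        else:
            reason = "direct connection bypassing the proxy"
        leaks.append(Leak(rec["proto"], rec["rhost"], rport, rec["proc"], reason))
    return leaks
```

Run against a real connection listing, any line this reports is a pipe opened outside the anonymous one, which is exactly what a setup-time self-test would want to surface.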