[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Fwd: Re: Library Defeats Tor



Give me a couple days and I will confirm and report back after running a
sniffer.
I don't use this library node often, so it will be a few days. Besides I
do not have the
firewall logs with me now, so don't want to misstate things until I am
sure and have gathered as much information as I can.




On Fri, 28 Sep 2007 23:57:17 -0500 (CDT), "Scott Bennett"
<bennett@xxxxxxxxxx> said:
>      On Fri, 28 Sep 2007 15:06:48 -0700 mark485anderson@xxxxxx wrote:
> 
> >On Fri, 28 Sep 2007 15:02:53 -0700, mark485anderson@xxxxxx said:
> >> 
> >> On Thu, 27 Sep 2007 21:20:42 -0500 (CDT), "Scott Bennett"
> >> <bennett@xxxxxxxxxx> said:
> >> >      On Thu, 27 Sep 2007 19:05:27 -0700 mark485anderson@xxxxxx wrote:
> >> > 
> >> > >On Thu, 27 Sep 2007 19:52:30 -0500 (CDT), "Scott Bennett"
> >> > ><bennett@xxxxxxxxxx> said:
> >> > >>      On Thu, 27 Sep 2007 20:35:58 -0400 Watson Ladd
> >> > >>      <watsonbladd@xxxxxxxxx>
> >> > >> wrote:
> >> > >> >mark485anderson@xxxxxx wrote:
> >> > >> >> Then after agreeing to the TOS, you are able to connect to tor servers,=
> >> > >> >
> >> > >> >> but all dns requests go through a library computer IP, such that they
> >> > >> >> can see and record where you are going. I am not sure if they can see
> >> > >> >> the TCP content, but the UDP (which I assume is the dns lookups are all=
> 
>      What does your firewall software or other tool at your disposal have
>      to
> say about the TCP packets from your browser?  Do they go to privoxy?  And
> where does it say that packets from privoxy go?  To your tor client? 
> Somewhere
> else?
> 
> >> > >> >> being monitored and probably logged by the library server through which=
> >> > >> >
> >> > >> >> you are connected. Firewall logs clearly show the outgoing and incoming=
> >> > >> >
> >> > >> >> DNS packets to the library IP. Rest of connections to Tor servers in th=
> >> > >> >e
> >> > >> >> firewall log appear normal.
> 
>      Just to confirm:  your firewall log shows that the UDP packets in
> question are destined to some IP address and port 53?
> 
> >> > >> >Make sure to run DNS queries over tor if anonymity is important.
> >> > >> 
> >> > >>      Absolutely.  Check your privoxy configuration file to make sure its
> >> > >> first line is
> >> > >> 
> >> > >> forward-socks4a / localhost:9050 .
> >> > >
> >> > >already is
> >> > >
> >> >      Okay.  Good.
> >> > >> 
> >> > >> If you're using some other port than 9050, change that accordingly. 
> >> > >> Other
> >> > >> programs, e.g. PuTTY, will need to be configured, too, if you use them.
> >> > >> In the case of PuTTY, each remote login site that you configure to be
> >> > >> proxied through tor will need to be set to use socks5 and to do DNS name
> >> > >> lookups at the proxy end (see "Proxy" under "Connection").
> >> > >> 
> >> > >> >>=20
> >> > >> >> I have not run a sniffer yet on this, because my laptop is old and it
> >> > >> >> might not be able to handle it. But tor anonymity is obviously shot whe=
> 
>      Your laptop, old though it may be, apparently has no trouble
>      handling
> wireless IP traffic, so I would bet that a sniffer storing, say, only UDP
> packets to port 53 wouldn't overtax it.
> >> > >> >n
> >> > >> >> connecting to their wifi nodes. I believe I tried to block the DNS
> >> > >> >> lookups to the Library IP with privoxy generic block rules and then I\
> 
>      Because I don't know how that works in privoxy, I'll ask, does your
> firewall allow you to block outbound UDP packets to port 53?  If so, what
> happens if you block them that way instead of via privoxy?
> 
> >> > >> >Using socks-4a should fix this.
> >> > >
> >> > >already set to sock 4a
> >> > >
> >> > >> 
> >> > >>      Right.  Or socks5, though privoxy doesn't yet appear to support
> >> > >>      that.
> >> > >
> >> > >did you just start using tor?
> >> > >
> >> >      About 2.5 years so far.
> >> > >> 
> >> > >> >> could not load any web pages, indicating again that the dns requests ar=
> >> > >> >e
> >> > >> >> first being routed to the library machine, where they are, of course,
> >> > >> >> logged (and maybe sent off to the FBI, if your reading muslim materials=
> >> > >> >,
> >> > >> >> haha).
> >> > >> >Now are these DNS requests for sites you are browsing? It sounds like
> >> > 
> >> >      I think the question posed here may reveal the answer.
> >> 
> >> Already answered that I think, the dns requests APPEAR to be made each
> >> time a new url is looked up and not in looking up tor servers, but I
> >> will only know for certain when I run the sniffer, if that is possible
> >> on my laptop.
> >> 
>      As long as your wireless interface (and its driver) can run in
> promiscuous mode, a sniffer ought to work okay.  Some systems may well be
> able to trap outbound packets without an actual sniffer.  On most/all
> UNIX
> systems, you will need root privileges, too, to run tools like
> tcpdump(1).
> >> 
> >> > 
> >> > >> >that is the case, but I just want to make sure.
> >> > >> 
> >> > >>      Most public wireless locations use no encryption at all.  In these
> >> > >> situations, things like tor and SSH are about the only significant
> >> > >> privacy
> >> > >> protection most users have.
> >> > >
> >> > >no problem with tor and other wifi connections, dns goes to tor, hence
> >> > >my OP title LIBRARY DEFEATS TOR
> >> > >Tentative Conclusion: Tor cannot be used with any confidence on
> >> > >publically maintained machines, but there is no reference to this on the
> >> > >tor website; nor any real illumination from this group, so far.  I
> >> > >suppose now someone is going to tell me to disable javascript and
> 
>      Actually, that's probably worth a shot, given recent postings by the
> author of Torbutton.  It's also trivial to do if you have the Quick Java
> and/or NoScript plugins installed in firefox.
> 
> >> > >cookies, ;-) The encryption is SUPPOSED to occur at the client before it
> 
>      Cookies are just data.  They do not execute and therefore do not
>      query
> name servers, so I wouldn't think that would be worth bothering with.
> 
> >> > >even gets to any outside server, but obviously this is not happening as
> >> > >the dns requests are being subverted. Perhaps the traffic is being
> >> > >shuttled from the kernel OS to a library server. IOW tor should provide
> >> > >the encryption necessary and no wifi encryption should be needed. I will
> >> > >see if I can run a sniffer to find out exactly what's happening.
> >> > >
> >> >      Yes, and I think that may be why Watson asked the question I noted
> >> > above.  Tor does its own name server queries for two purposes:  1) to
> >> > provide exit service when running in server mode, 2) to look up addresses
> >> > of other tor servers, regardless of mode.  These are normal operations
> >> > and reveal only those activities.  When you are using it in a public
> >> > location, I assume that it is running only as a client.  So that returns
> >> > us to the question of exactly what kinds of addresses is tor looking up?
> >> 
> >> the laptop appears to be getting web site dns translations from a
> >> library node rather than from tor, which allows tracking and profiling.
> >> each time a new url is introduced I get a firewall dns request in the
> >> log.
> >> 
> >> > Are they only the addresses of other tor servers?  Or do they also
> >> > include the addresses of the web sites you're trying to reach?
> >> >      Would you also please double check your browser configuration to
> >> > make sure it is forwarding everything through privoxy?  If you're using
> >> > a firefox plug-in module like Torbutton, switchproxy, or foxyproxy, have
> >> > you accidentally disabled the proxy?
> >> 
> >> nope, don't use those, the browser is always set to go through privoxy.
> >> will do some further testing and try to report back, but suprised not
> >> more answers to this post. certainly others should have experienced this
> >> problem.
> >> 
>      I guess that's the point:  we haven't experienced it, which is why
> we've been asking questions to try to debug the problem.  Here are more.
> 
> 	1) Are you using a Microslop operating system?  If so, which?
> 	And if not, then which operating system and version are you using?
> 
> 	2) What is the firewall software that you have referred to several
> 	times?
> 
> 	3) Which version of tor are you running?
> 
> 	4) Which browser and version are you using?
> 
> 	5) Under the assumption for the moment that your connection to the
> 	wireless attach point gets configured by DHCP, which IP address(es)
> 	got assigned to your system for its own address, for an IP gateway,
> 	and for name server(s) to be used?
> 
>      I keep having the feeling that what you think is happening differs
>      from
> what is actually happening and/or something misconfigured somehow is
> being
> overlooked.  Please be patient with us.  We're trying to help figure out
> what's going on, and you're the only one who can provide the
> observational
> data that might lead to a solution.  If it seems like we are just
> grabbing
> at straws so far, rest assured that we aren't there yet and can't get
> there
> until we first have at least the basic facts of the case established. 
> ;-)
>      Anyone else with pertinent questions, please join in!
> 
> 
>                                   Scott Bennett, Comm. ASMELG, CFIAG
> **********************************************************************
> * Internet:       bennett at cs.niu.edu                              *
> *--------------------------------------------------------------------*
> * "A well regulated and disciplined militia, is at all times a good  *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army."                                               *
> *    -- Gov. John Hancock, New York Journal, 28 January 1790         *
> **********************************************************************
-- 
  
  mark485anderson@xxxxxx

-- 
http://www.fastmail.fm - Does exactly what it says on the tin