
Re: The best way to run a hidden service: one or two computers?

On Fri, 17 Sep 2010 16:36:16 -0400
hikki@xxxxxxxxxxxxx wrote:

> Robert Ransom:
> > Only if you trust the hardware firewall/router. I wouldn't.
> Okay so there aren't that many safe options to run a hidden service really, 
> if any at all?

If your hidden service really needs to be annoying to find, run it:

* using only well-written, secure software,
* in a VM with no access to physical network hardware,
* on a (physical) computer with no non-hidden services of any kind
  running on it (so that an attacker can't use Dr. Murdoch's “Hot or
  Not” clock-skew detection attack),
* and over a fast enough Internet connection that the adversary cannot
  easily determine your connection's speed.

The VM is optional *if* and *only if* an attacker cannot possibly get
root on your hidden service.  The physical computer with no non-hidden
services on it, and the fast Internet connection, are optional if you
do not need to keep your service hidden at all.

Using secure software to run your hidden service is absolutely
essential; if an attacker can get a list of files
in /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin, /usr/local/sbin,
and /command, and a list of directories in /usr/local and /opt, he
probably knows enough to identify the service's owner, and more
importantly, he knows enough to recognize another service owned by the
same person.  Your preferred Unix distribution, your favorite editors,
your favorite command-line utilities, etc. are not especially easy to
hide.  (For example, if you find a hidden service running Plan 9 or
Inferno, or with 9base or plan9port installed on it, you're going to
look at me first -- I'm on both the Tor mailing lists and
Plan-9-related mailing lists, and I don't think anyone else is at the

The above precautions are probably enough, unless a three-letter agency
(or four-letter association) knows about your hidden service and wants
to find and “neutralize” its operator.  In that case, you have to worry
about the near-global passive adversary and other threats that Tor
can't afford to defeat.

Another, safer, option is to keep your hidden service below the radar
entirely -- it's a lot harder for your adversaries to find something if
they don't know it exists.  I assume that's the approach that the US
Navy uses.

Robert Ransom

Attachment: signature.asc
Description: PGP signature
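
A self-audit for the installed-software point in the message above, as an added example that is not part of the original message: it lists the directories the message names and reports which entries set a service host apart from a stock install, and how much of that set it shares with another machine of the same operator. The function names, the stock baseline and the three sample hosts are constructed for illustration.

```python
import os
import tempfile

# Directories named in the message above.
BIN_DIRS = ["/bin", "/usr/bin", "/usr/local/bin", "/sbin",
            "/usr/sbin", "/usr/local/sbin", "/command"]
PARENT_DIRS = ["/usr/local", "/opt"]  # only subdirectories are listed here

def software_profile(root="/"):
    """Set of 'dir/name' entries visible under root in the named directories."""
    profile = set()
    for d in BIN_DIRS + PARENT_DIRS:
        path = os.path.join(root, d.lstrip("/"))
        if not os.path.isdir(path):
            continue  # not every host has every directory
        for name in os.listdir(path):
            if d in PARENT_DIRS and not os.path.isdir(os.path.join(path, name)):
                continue
            profile.add(f"{d}/{name}")
    return profile

def distinctive(profile, baseline):
    """Entries absent from a stock install: what sets this host apart."""
    return sorted(profile - baseline)

def overlap(a, b, baseline):
    """Jaccard similarity (0.0-1.0) of two hosts' non-baseline entries."""
    a, b = a - baseline, b - baseline
    return len(a & b) / len(a | b) if (a | b) else 0.0

# Constructed sample hosts; a trailing "/" marks a directory.
STOCK = ["/bin/sh", "/bin/ls", "/usr/bin/env", "/usr/sbin/sshd"]
SERVICE_VM = STOCK + ["/usr/bin/rc", "/usr/bin/nginx", "/usr/local/plan9/"]
WORKSTATION = STOCK + ["/usr/bin/rc", "/usr/bin/mutt", "/usr/local/plan9/"]

def build_tree(entries):
    """Create a temporary root holding the given constructed entries."""
    root = tempfile.mkdtemp()
    for e in entries:
        full = os.path.join(root, e.strip("/"))
        os.makedirs(full if e.endswith("/") else os.path.dirname(full), exist_ok=True)
        if not e.endswith("/"):
            open(full, "w").close()
    return root

def demo():
    stock, vm, ws = (software_profile(build_tree(t))
                     for t in (STOCK, SERVICE_VM, WORKSTATION))
    return distinctive(vm, stock), overlap(vm, ws, stock)
```

On a real host, call `software_profile()` with the default root and compare it against a profile taken from a fresh install of the same distribution; an empty `distinctive` list is the goal for the service VM.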