On Mon, 20 Sep 2010 11:00:41 -0400 Gregory Maxwell <gmaxwell@xxxxxxxxx> wrote: > On Fri, Sep 17, 2010 at 10:41 PM, Robert Ransom <rransom.8774@xxxxxxxxx> wrote: > > If your hidden service really needs to be annoying to find, run it: > > > > * using only well-written, secure software, > > * in a VM with no access to physical network hardware, > > * on a (physical) computer with no non-hidden services of any kind > > Ârunning on it (so that an attacker can't use Dr. Murdoch's âHot or > > ÂNotâ clock-skew detection attack), > > * and over a fast enough Internet connection that the adversary cannot > > Âeasily determine your connection's speed. > > I think you've missed some points. > > * The (Virtual) machine running the hidden service should probably > also have no _outbound_ network connectivity except via tor. > > This is because it can be even easier to trick a software on a server > into making a network connection than it is to remotely compromise the > server. E.g. your GNU/Linux distribution may have installed some extra > CGIs in your webserver that you are unaware of... Yes. I knew that, and forgot to mention it (at least in that list). These defenses, and the attacks they are intended to block, need to be written up in a (hidden?) wiki article, so people setting up sensitive hidden services can read all of them in one place. > And here is a potentially controversial suggestion, lets see what > others say about it: > > * You should run your hidden service behind tor bridges rather than > directly connecting to the tor network. > > The rationale for this suggestion is that it may make it more > difficult for a network observer to enumerate a list of tor clients in > order to apply things like the clock-skew attack or subject them to > additional network surveillance. No. An attacker *will* find your entry guards (see <http://freehaven.net/anonbib/date.html#hs-attack06>); you want them to have as many clients as possible, so that you still have some chance of getting lost in the crowd. > > The above precautions are probably enough, unless a three-letter agency > > (or four-letter association) knows about your hidden service and wants > > to find and âneutralizeâ its operator. In that case, you have to worry > > about the near-global passive adversary and other threats that Tor > > can't afford to defeat. > > I fear that you're overstating the security provided. > > For example, I think that if you managed to piss off the ISP community > vigilantes that go after spammers and botnets that they would have a > decent chance of tracking you down in spite of your efforts to stay > hidden. Probably. The first time I read the Murdoch-ZieliÅski paper <http://freehaven.net/anonbib/date.html#murdoch-pet2007>, I didn't notice that someone was actually planning to use the sFlow data to locate spammers. Robert Ransom
Attachment:
signature.asc
Description: PGP signature