[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: The best way to run a hidden service: one or two computers?

On Sat, 25 Sep 2010 17:04:14 -0700
Mike Perry <mikeperry@xxxxxxxxxx> wrote:

> Thus spake coderman (coderman@xxxxxxxxx):
> > however, if an attacker has access to read this locally they've
> > already compromised you to a degree that random mac affords no
> > protection...
> Is this really true?

If you are running a hidden service, on a computer with no network
access except through Tor, no -- you might not be hosed just by an
attacker being able to run a shell command, but leaking an actual MAC
address from an actual NIC might get you tracked down.  (An attacker
with shell access can read your MAC address on Linux just by running
ifconfig, even as an ordinary user.)

>                      One of the things I've wondered about here is
> plugins, but since Torbutton disables them for other reasons I haven't
> really looked into it. For insance, I know Java can create a socket,
> and query the interface properties of that socket to get the interface
> IP. Why not mac address? And if not java, can one of flash,
> silverlight, pdf-javascript, or others do this? Already we have
> location features built in to the browser based on nearby Wifi MACs...
> The Java trick to get the interface IP does not require special privs,
> so a randomized MAC would in fact help this scenario, if it were
> somehow possible.

I don't know whether browser plugins can be used to read a MAC address,
but if *they* can run a shell command like ifconfig, yes, you are in
real trouble.

Robert Ransom

Attachment: signature.asc
Description: PGP signature