Re: [tor-talk] Metrics in Iran and other countries

On 09/07/2016 11:05 AM, Joe Btfsplk wrote:


> # 2:  Depends partly on how small a number are connecting to Tor 
> and number of users accessing a site at a given time.  And on the 
> laws and government practices in your country.  If you're the only
> user connecting to Tor network via your ISP @ 8:00 PM and there's
> only one connection to site XYZ.com from a Tor exit relay at 8:00
>  PM, it's a good bet it was you.  That assumes an entity w/ the 
> ability and desire is actually gathering the data at both ends, and
> that they care about the specific activity.  In that scenario, if
> you're doing something illegal or it's illegal to use Tor *at all*
> in your country & the government is actively monitoring, could be a
> problem.
> If they're only interested in users accessing what they consider 
> anti-government, illegal or subversive sites, but you only access 
> Disney.com, they may not care.  That's one issue for Tor users in 
> certain countries - you can't be positive how many Tor users are 
> accessing a site at a specific time.  This is a _very simplified, 
> incomplete_ explanation of some concerns about using Tor.

In that situation, hitting Tor network through a VPN service would
help. Or better, through a nested VPN chain. Or at least, if more
people in the area use VPNs than Tor. Some VPN services obfuscate
connections, using SSH, SSL, obfsproxy, etc.

> #4  The Tor Project is pretty clear that Tor Browser by itself is 
> probably not enough to provide reasonably reliable anonymity. 
> Especially against advanced adversaries with large resources, and 
> if you're doing something they are keenly interested in.  If users'
> lives or freedom would be jeopardized by using Tor - at all or for
> a specific purpose, they need to study carefully other methods and
> practices to go along with Tor.  Much is discussed on Tor Project
> help / documentation / FAQ pages.  There's not a quick, easy to
> follow recipe to protect all Tor users in all cases, that I know
> of.

Tor Project doesn't make that clear enough, in my opinion. There's
nothing on the front page. Consider the FBI's attack on PlayPen and
its users. Once the site had been compromised, that FBI operation
relied entirely on exploiting a Firefox vulnerability to drop malware
on users that phoned home, bypassing Tor.

Putting tor daemon and userland in separate VMs would have prevented
user compromise. Whonix does that, but there's no mention of Whonix on
Tor Project's site. If you dig around there, you can find old stuff
about the TorBOX project, which Whonix developed from. I have no clue
why Tor Project refuses to even mention Whonix. It's very strange.

Even firewall rules might have prevented FBI malware from bypassing
Tor to phone home. And even VPN services, which Tor Project frequently
slanders, recommend that users use firewall rules to prevent leaks.
Some VPN services provide custom clients with leak-free firewalls. So
why doesn't Tor Project prominently feature firewall rules?

Some may ask why we ought to care about pedophiles. But that's not the
point. We hear about the PlayPen attack because defendants in criminal
cases are questioning FBI practices. And because criminal cases in the
US are public, unless there are national security issues. But we
probably don't hear about similar attacks elsewhere, against political
dissidents etc.
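
The leak-blocking firewall rules this message refers to, as an added example that is not part of the original post and not Tor Project or Whonix code: a default-deny egress ruleset in iptables-restore format, plus an audit that flags any OUTPUT rule offering a path around Tor. It assumes a system tor daemon running under its own account (`debian-tor`, the Debian default, is an assumption here); the function names are illustrative.

```shell
#!/bin/sh
# Added example. Emit an iptables-restore ruleset in which only the Tor
# daemon's account may open connections to the network.
tor_only_ruleset() {
    tor_user="${1:-debian-tor}"   # assumption: account the tor daemon runs as
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner ${tor_user} -p tcp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "non-tor-egress: " --log-uid
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Audit a ruleset in iptables-save format read from stdin. Returns 0 only if
# the OUTPUT policy is DROP and every OUTPUT ACCEPT rule is either
# loopback-only (applications reaching the local SOCKS port) or limited to
# the Tor account. iptables-save prints the uid numerically, so pass the
# number when auditing output taken from a live system.
audit_egress() {
    awk -v u="$1" '
        /^:OUTPUT / { policy = $2 }
        /^-A OUTPUT / && /-j ACCEPT/ {
            if ($0 ~ /-o lo( |$)/) next
            if ($0 ~ ("--uid-owner " u "( |$)")) next
            bad++
            print "leak path: " $0 > "/dev/stderr"
        }
        END { exit !(policy == "DROP" && bad + 0 == 0) }
    '
}

# Self-check: the generated ruleset must pass its own audit.
tor_only_ruleset debian-tor | audit_egress debian-tor && echo "ruleset passes audit"
```

Owner matching only separates Tor from applications when tor runs under a different account than the browser; the tor process bundled with Tor Browser runs as the same user, so these rules do not apply to that setup unchanged. IPv6 is filtered separately and needs an equivalent default-deny ruleset loaded with ip6tables-restore.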

