TOR vulnerabilities discovered
rAt | 24.12.2011 22:36 | Technology
Recently vulnerabilities have been discovered which make this software insecure.
Users are advised to upgrade to the latest (fixed) version
rAt
A network of individuals, independent and alternative media activists and organisations, offering grassroots, non-corporate, non-commercial coverage of important social and political issues.
rAt | 24.12.2011 22:36 | Technology
rAt
www.indymedia.org
Projects
print
radio
satellite tv
video
Africa
Europe
antwerpen
armenia
athens
austria
barcelona
belarus
belgium
belgrade
brussels
bulgaria
calabria
croatia
cyprus
emilia-romagna
estrecho / madiaq
galiza
germany
grenoble
hungary
ireland
istanbul
italy
la plana
liege
liguria
lille
linksunten
lombardia
madrid
malta
marseille
nantes
napoli
netherlands
northern england
nottingham imc
paris/île-de-france
patras
piemonte
poland
portugal
roma
romania
russia
sardegna
scotland
sverige
switzerland
torun
toscana
ukraine
united kingdom
valencia
Latin America
argentina
bolivia
chiapas
chile
chile sur
cmi brasil
cmi sucre
colombia
ecuador
mexico
peru
puerto rico
qollasuyu
rosario
santiago
tijuana
uruguay
valparaiso
venezuela
Oceania
aotearoa
brisbane
burma
darwin
jakarta
manila
melbourne
perth
qc
sydney
South Asia
india
United States
arizona
arkansas
asheville
atlanta
Austin
binghamton
boston
buffalo
chicago
cleveland
colorado
columbus
dc
hawaii
houston
hudson mohawk
kansas city
la
madison
maine
miami
michigan
milwaukee
minneapolis/st. paul
new hampshire
new jersey
new mexico
new orleans
north carolina
north texas
nyc
oklahoma
philadelphia
pittsburgh
portland
richmond
rochester
rogue valley
saint louis
san diego
san francisco
san francisco bay area
santa barbara
santa cruz, ca
sarasota
seattle
tampa bay
united states
urbana-champaign
vermont
western mass
worcester
West Asia
Armenia
Beirut
Israel
Palestine
Topics
biotech
Process
fbi/legal updates
mailing lists
process & imc docs
tech
Comments
Hide the following 7 comments
Chill
25.12.2011 13:40
open a terminal and type:
tor --version
Look for the version "Tor v0.2.2.35" if it says v0.2.2.34 or below then you need an upgrade.
Now a rant...
TOR is awesome, but it isn't perfect. It's very possibly the best that is available to us a the moment. Be sure that the feds have ways around it. If they want to know who you are they will find ways around it. but it sure as hell makes their lives a hell of a lot harder, and hence cost them more to do the same thing. In general, the greatest weak point of TOR is the exit node. A rouge exit node can leave you vulnerable, it can make your https connection into insecure http using a man in the middle technique. if it can convince your client to connect to the rouge exit node then they in essence jack your connection.
To see what TOR is doing, you need to send it a SIGUSR2, this will enable debug output.
$killall -SIGUSR2 tor
$tail -f /var/log/tor/log
If anything looks wierd, restart tor and check again
$/etc/init.d/tor restart
This tor hidden service has some useful information about how to block an exit node
http://xqz3u5drneuzhaeo.onion/users/badtornodes/
unfortunately, it is no longer up to date, but still has plenty of exit nodes you should block.
http://torstatus.blutmagie.de/
This has some more up to date list, but isn't a hidden service...
Now, this is a call for anyone with a server and a decent bandwidth to donate. we need a UK-ish based security infrastructure for activists. we need to set up a few things before the killswitch is implemented.
This is a sort of call out to the techies out there...
We need a VPN, urgently! this will give us another layer of anonymity.
We need some hidden services host. In particular I would like (though we don't actually need it) a hidden diaspora service.
We need to start setting up mesh (ad hoc) networks across the UK to bypass a killswitch, this is still largely experimental technology, but very soon we could be relying on it, so if you have a small community anywhere with wireless reach, start setting up BATMAN or netsukuku, and start making easy install methods. this is the only way we'll have to communicate once the internet is down.
We need to educate the masses, desperately. I am surprised every time when I hear that most people still don't know how to encrypt files and emails. Everything you send in plain text remains in plain text on your mailing server. anything encrypted is extraordinarily difficult for the feds to access (providing they don't have your private key). People still don't understand the importance of online anonymity. please start educating yourself ASAP.
Don't panic,but be prepared!
missing
+1 ... and a request
25.12.2011 14:55
but to be honest I am not a techie but I am certainly willing to consider helping out as I can. I study and work. but have some available band-width, use GNU/Linux, run Tor and am all up for the cause. Now what? How do I find the quickest way of getting up to speed with assisting activist and liberated computer networking and security without having to study computer science to do so effectively? Don't even know how to phrase this in a meaningful - more precise and non-commercial - phrase for Scroogle. Any pointers for we non-techies?
Willing but dumb
Can exit nodes eavesdrop on communications? Isn't that bad?
25.12.2011 15:26
This is why you should always use end-to-end encryption such as SSL for sensitive Internet connections. (The corollary to this answer is that if you are worried about somebody intercepting your traffic and you're *not* using end-to-end encryption at the application layer, then something has already gone wrong and you shouldn't be thinking that Tor is the problem.)
Tor does provide a partial solution in a very specific situation, though. When you make a connection to a destination that also runs a Tor relay, Tor will automatically extend your circuit so you exit from that circuit. So for example if Indymedia ran a Tor relay on the same IP address as their website, people using Tor to get to the Indymedia website would automatically exit from their Tor relay, thus getting *better* encryption and authentication properties than just browsing there the normal way.
We'd like to make it still work even if the service is nearby the Tor relay but not on the same IP address. But there are a variety of technical problems we need to overcome first (the main one being "how does the Tor client learn which relays are associated with which websites in a decentralized yet non-gamable way?").
FAQ pointer
Homepage: https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#CanexitnodeseavesdroponcommunicationsIsntthatbad
OccupyOS anonymous operating system for activists
25.12.2011 15:36
download pointer
Homepage: http://www.hacker10.com/internet-anonymity/occupyos-anonymous-operating-system-for-activists/
Regarding GnuPG integration...
25.12.2011 15:48
using public computers
NEVER been secure!
25.12.2011 17:22
invention of Onion Routing was, "Can we build a system that allows for
bi-directional communications over the Internet where the source and
destination cannot be determined by a cacheing mid-point?"
The *PURPOSE* was for DoD / Intelligence usage (open source intelligence gathering, covering
of forward deployed assets, whatever).
Not helping dissidents in repressive countries. Not assisting criminals in covering their
electronic tracks. Not helping bit-torrent users avoid MPAA/RIAA
prosecution. Not giving a 10 year old a way to bypass an anti-porn
filter.
Of course, we knew those would be other unavoidable uses for
the technology, but that was immaterial to the problem at hand we were
trying to solve (and if those uses were going to give us more cover
traffic to better hide what we wanted to use the network for, all the
better...I once told a flag officer that much to his chagrin). I should
know, I was the recipient of that question from David, and Paul was
brought into the mix a few days later after I had sketched out a basic
(flawed) design for the original Onion Routing.
The short answer to your question of "Why would the government do this?"
is because it is in the best interests of some parts of the government
to have this capability...
Michael G. Reed
Michael Reed
cryptome reader
spy guide
31.12.2011 14:47
http://cryptome.org/isp-spy/TOR-spy.pdf
~~~