VMs are your friend
Time to start running your browsers in a VM that is deleted when your session is closed to avoid 'staining'
An NSA presentation released by Edward Snowden contains mixed news for Tor users. The anonymizing service itself appears to have foxed US and UK government snoops, but instead they are using a zero-day flaw in the Firefox browser bundled with Tor to track users. "These documents give Tor a huge pat on the back," security guru …
@panhead20 - "Time to start running your browsers in a VM that is deleted when your session is closed to avoid 'staining'"
Like another commentard posted recently - be sure to hold your laptop over a barrel of saltwater while you browse the internet with that deletable VM, and don't forget to slowly roll the cyanide capsule around in your mouth.
There is Tails - A Linux livecd (Linux was safe from the zero day attack..)
Tails is good as:
- It's Linux, so safer (the latest zero day attack just targeted Windows). Thanks to Snowden it is sensible to assume there are backdoors in closed source OSes.
- It forces ALL connections through the Tor network - i.e. you can't accidentally open a PDF, video file, etc. and de-anonymise yourself (like you can if you just run the Tor bundle browser)
- You can run off live CD/USB - no data gets written to any storage (unless you want to), only your computer's RAM - this solves any cookie issue also - i.e. the same cookie being used in clearweb
- Your RAM gets securely wiped on shutdown
- You could run it in a VM - however then you would leave traces on your PC..
Surely the way to do it would be to use a livecd for anything you didn't want sniffed.
Or a thumbdrive with something like grml booting to RAM. (Plausible other usage such as rescuing servers).
Work out how to set tor up manually.
Then on everything else just behave normally.
Putting anything potentially incriminating on disk ever seems like a bad idea if you are doing something these guys care about.
..."They are using the kind of techniques that federal prosecutors send people to jail for decades for using," she said. "These are tools that are criminal, and I'm still wondering what's the authority? What kind of authority are they claiming that they can do this?"...
If you ask this you are not a patriotic American.
In fact, you are probably a Commie sympathiser. Or whatever the bogie-man is at the moment...oh, yes, a Muslim Terrorist.
So you are not allowed to ask any questions by law, and if you do, we'll ship you to the Gitmo that Obama was going to close down...
...It's just conjecture. Please therefore do not take it to heart or hold it against me:
One of the things that the 'intelligence community' is supposedly particularly good at is 'non-linear' behaviour. What I mean is: devious schemes, e.g. playing games. Yet in recent months it seems this NSA has been completely laid bare by a single, brave young man, now hiding in Russia after a highly publicised jaunt around the world, during which he successfully ran the gauntlet of all the naughty acronyms - NSA, FBI, CIA, MI6, GCHQ.
He's been telling us all about the NSA. Thanks to him, we know exactly what they are up to. Every day, there's something new. Some things, we now know, they can do (shock horror, better watch our step). Other things, we've found out, they cannot do (so it's safe for us to do these things with total peace of mind). It helps that the young man is able to leak to us PowerPoint presentations in which NSA operatives candidly inform one another about what they can and cannot do about this or that technology. These fall into our lap and we smirk, knowing that we've found their weakness.
But doesn't it sound strange to you that it's so straight-forward, even a teenager could outfox these guys? Or rather: that now, thanks to this young man they failed to catch and to shut up, anybody can find easy solutions to keep the NSA at bay?
I don't think this is fully some kind of misdirection play to get everyone onto Tor. The NSA has taken a lot of hits domestically and internationally from this, including the cancellation of a summit with Brazil's president. There might also be significant reductions to the NSA's legal authorities to conduct surveillance within the U.S. And trust in government in general has suffered in the U.S. because of this, and the Obama administration's poll numbers have suffered noticeably from the NSA fallout.
I doubt Obama and company would endorse real damage to their poll numbers and their ability to get their legislative agenda passed in order to enable the NSA to get everyone onto a favored data communications platform.
just another conjecture:
I agree with the point on "non-linear behaviour". This leads to the following conclusions:
1. Let's suppose that the leaked information is correct. In that case the NSA could try to dissuade people from using TOR by stipulating that the leak could have been intended.
2. On the other hand the information could have intentionally leaked. If people now start to conclude that this could have been the case and assume that using TOR could be unsafe then it would be advisable to get someone to publicly conclude my first point and so to assume that TOR is actually safe to use.
3. On the first foot (as I just ran out of hands): GOTO 1
He's been telling us all he knows about the NSA. Thanks to him, we know exactly more or less what they are up to. Every day, there's something new. Some things, we now know, they can do (shock horror, better watch our step). Other things, we've found out, they cannot do yet (so it's safeish for us for the moment to do these things with total relative peace of mind). It helps that the young man is able to leak to us PowerPoint presentations in which NSA operatives candidly inform one another about what they can and cannot do about this or that technology. These fall into our lap and we smirk, knowing that we've found part of their weakness.
Now you come to mention it... their compartmentalization looks very weak compared with what Peter Wright described in his memoir "Spycatcher". Unless, of course, there are some other departments to which Snowden never had any access.
NSA have got their people into a shoestring-funded Tor Project and created enough delays in upgrading the TBB's base Firefox, to buy time. From January until August, the NSA have had their fun and allowed the FBI one big final blowout to catch as many users as possible in the Freedom Hosting raid (and likely the Silk Road raid too, since they ditched cover on that one around the same time).
As Bruce Schneier says, not mathematics, but cheating (well not even tech, but cheating, in this case)...
I do find it somewhat incomprehensible that they based the TOR browser bundle on an ancient version of FF.
You couldn't write a better spy novel...
Find it amazing that any of this can be legal, they are effectively hacking people's computers and installing unauthorised software without a user's knowledge on a mass scale.
The more interesting part is the issues with Huawei and not allowing their equipment due to concerns China could spy using backdoors, from what's emerging about US companies' collaboration it's more likely Huawei wouldn't put in the back doors they wanted themselves.
"Find it amazing that any of this can be legal, they are effectively hacking people's computers and installing unauthorised software without a user's knowledge on a mass scale."
3 little words I'll keep repeating.
THE PATRIOT Act.
Your 360+ clause mechanism to dismantle the American Constitution without Americans realizing it.
"You really have to question if there is a rule of law anymore?"
It does seem to have been missing for quite some time. In particular, during the Blair era, law seemed to take on whatever complexion the government, police, security services or business wanted it to on that particular day. If there was a symbolic low point, I think it was probably the Labour party conference where protesters outside were arrested for wearing T-shirts bearing slogans that put the spin doctors' noses out of joint, although arresting an 80-odd-year-old who'd fled the Nazis for heckling Jack Straw might deserve equal billing.
It's seemingly lower key now, but what Snowden has given us a glimpse of suggests it's much worse.
Abuse of power is what power, unchecked, does.
It does seem to have been missing for quite some time
Personally, my aha moment didn't come as much with the sexing up of the Iraq WMD report as the highly suspicious death of David Kelly. It demonstrated just how far some people were willing to go. The US is merely doing what it always does: take a concept and massively scale it up.
"There are also indications that the NSA had been trying to influence the design of Tor to make it more crackable, a somewhat Kafkaesque approach given that Tor is primarily funded by the US government itself to provide anonymity to internet users operating under repressive governments."
This was expected and the NSA have a clear history of this type of behavior. Now, start thinking about other products that they might have had more success with ... are you using a commercial router/firewall? And you are sure that it's good with no sneaky little backdoors?
Once a packet leaves your network I think you can assume the NSA have a copy of it, but you think that inside your network, behind your firewall, you're safe? Probably not so if you bought your firewall from any of the major manufacturers in the USA.
Relay nodes are easy. Rent a VM somewhere, install software. Done. You don't need high amounts of memory, storage or processing power but you will need a host that is happy with you consuming large amounts of bandwidth both ways.
Exit nodes are a trickier thing, but something the network is in dire need of. The problem is that if you run an exit node there is a chance you will be falsely blamed for the actions of those who use it - which may include things like spamming, scams, hacking or downloading child pornography. You'll probably be able to counter any charges in court, but not without spending your life savings on legal fees and having your reputation shredded - plus you have next to no chance of ever getting back any of your data, as policy procedure is to seize not only computers but everything on the property capable of storing information right down to games consoles and memory cards, and then hold on to it indefinitely.
So running an exit node requires either a dedication to the cause deep enough to place yourself in legal danger, or the recklessness to do so anyway.
"Are there particular jurisdictions where you could host an exit node with less concern about the potential legal blowback?"
I don't really see any. The exit node problem is basically the same as the "trusted storage" problem: the authorities there can get access to the data in either case, and if it is against their law, BOBHIC.
In such a case, DTA seems to be the operative procedure. Anything that's friendly to the west is likely friendly to the US, which means friendly to the NSA. Out of what's left, you have (1) regimes even more oppressive or domineering like China and North Korea, (2) countries that, while not oppressive, still have their own rules you probably wouldn't like, or (3) countries whose internet is basically too weak to use.
Second idea. Since the NSA will probably eventually compromise Tor funding through the State Department in some manner (which do you think the State Department values more: A) funding a platform used by dissidents or B) having the NSA bug other governments' leadership and diplomatic communications for them? I'm betting option B.), how about forming some kind of non-profit agency that funds Tor nodes and assumes the technical and legal liabilities of running those nodes?
I'd gladly donate to that organization, as long as it was unduly influenced by spammers and pornmeisters.....
If you're happy with a non-exit relay, you can probably run it at home. Obviously it's not going to be contributing a super high amount of bandwidth to the network, but having a large number of nodes should help anyway, even if they're not too fast. I did this and haven't had any complaints from my ISP, I guess some are stricter than others though.
I actually ran an exit node at home in the early days, but stopped because I ended up getting blocked on various websites, either specifically for being a proxy, or presumably because a spammer, troll or whatever used my exit at some point. Plus I started to realize there was at least a theoretical risk of more serious consequences. I don't think anyone's actually been raided due to Tor exit traffic in my country, but I wouldn't like to be the first.
Normally I abhor Snowden leaks, but I found this an interesting read and easily digestible. It's too late to fight this kind of thing. It's the new reality brought upon us by technology. I'm not a player or a user in this case, but the outcome of these new cyber wars will define my average existence none the less.
The only thing I actually have control over in any real sense is how I react and deal with things that occur to me in life.
To my mind, not rolling over and kissing the government's arse *is* something that is in my control.
To the properly prepared mind, opportunities to further your intentions will always present themselves. I have no illusions that I can somehow single-handedly put the world to rights, but I will do what I can, when I can.
If *everyone* did the same thing, I believe that might add up to slightly more than a hill of beans.
...Or hey, you can opt to at least strike a small, even rather passive role for freedom and justice. But perhaps it's easier to roll over and hope that the government runs out of surveillance and law enforcement bandwidth before they get to your ability to watch kitten videos and email your fantasy football league about the next season.
Actually I have changed the world in my own small way, but I think I should point out to you that continuing to suggest that if you cannot save the entire world with a single act then you simply shouldn't bother is simply defeatist.
I'm not objecting to you having this opinion of course, it just comes across as limited in scope fwiw.
Perhaps I should say to you: If you want to live in an idealist world in 25 years, then you should start now.
"'WE ARE THE LAW!!!' The NSA said."
This is quite untrue and seriously misstates the problem, to the extent there is one. NSA activities, in the main, are authorized by numerous laws passed by US congresses, signed by US presidents, and subject to supervision, in the area of data collection, by US courts composed of Federal judges nominated by presidents and confirmed by the Senate. The Senators and Representatives on the responsible committees were privy to most of it (or would have been had they taken the trouble) and mostly approved it without comment, at least until it became a bit of an embarrassment. And the overwhelming majority of voters are so uninformed or care so little that all of this has gone on for over half a century with little objection.
Most of the outrage about alleged NSA unlawful and unconstitutional actions is mere opinion, and much of it is not very well informed and contributes little to a reasonable discussion of the proper limits of government power. In the world as it is, as opposed to the way we might wish it, there is a clear need for police and military agencies and with them intelligence agencies. That need is not going away anytime soon, and we need to arrive at a reasonable agreement about what they are to be allowed to do and what controls are to be emplaced to try to prevent misbehavior. The Patriot Act, the FISA and FISC, and various NSA internal controls that have been revealed by Snowden's leaks or declassification represent one possibility, but only one. Those who disagree need to address alternatives rather than simply whining about the evil intelligence agencies.
When you have the Director of National Intelligence lying to Congress and finally admitting that he did so, there is now such an unbalance between the forces of good and evil that it is practically impossible to tell who the good guys are any more. Of course, the authorities will, as you imply, always claim they are fighting against terrorism, but is Snowden a terrorist for lifting the stone covering those lies? What about Assange and others who blew several whistles? Since the government gets ALL its wherewithal to do its business spying on us from the taxpayers -- that's us -- shouldn't we be allowed to know exactly what laws the authorities bend or even break occasionally, so that we are also allowed to break them with impunity?
Or do you believe that we should *never* break *any* laws? Okay for the government to do it, but not us?
Could be that the NSA has Tor pwned and just wants to steer folks that way, too. Secure comms are going to require something new and entirely different, say 20 people that you want to talk to, with frequency jammers, inside a Faraday cage, inside a Dyson Sphere, while actively being sucked into a black hole... IDK, if it comes out of a Fed's mouth, you have to check current definitions of common words, determine context, fact check, and then just assume it's a damn lie. Sucks.
The thing about being paranoid is, are you paranoid enough?
While I was reading this thread, I decided to be a good netizen and set up a Tor Bridge Relay.
After I got it going (some bugs in the current distribution regarding geoip location), I pressed the "Show Network" button.
I am in Scandinavia and lo, something called "SwedishNSA" appears to be a participant in my part of the network.
There is something slightly disturbing about the realisation that I am not even close to being paranoid enough :(
"I am in Scandinavia and lo, something called "SwedishNSA" appears to be a participant in my part of the network."
Credits to milos that's a joke name. Given my very limited understanding of Swedish, the appropriate initialism for what would be Sweden's national security agency (if any) would be a different arrangement altogether.
The authority probably is to be found in the defense authorization acts, as NSA is, after all, a component of the US DoD. Their mission includes both developing and breaking cryptographic systems, and the latter activity historically has included subverting them as well as developing technical attacks on the ciphers. Lack of authorization is not a problem here.
Of course everyone using Tor is a sex offender, terrorist, or international criminal! Why would a law abiding citizen care about the government reading their communications... It's not like supposedly democratic governments are using flying killbots to execute their own citizens without regard to due process...
"We will never be able to de-anonymize all Tor users all the time,"
1. There is being able to track a person as they trundle round the InterWeb and build up a profile.
2. Then there is being able to tie that tracking record to a (physical) address, name, NI number &C.
3. There is also being able to associate a tracking record/history as accumulated in 1) with a physical location.
I'm sure the chaps and chapesses from Cheltenham can do 1.
As regards 2, why can I still walk into PC World and buy a t-mobile mobile internet dongle for £10 cash then put credit on it using cash with the payment card enclosed in any newsagent? If I use that with new hardware (no previous network use) you don't know who I am. And can't.
3. I guess you can tie 1) the tracking record to physical location as shown by the cell tower records. Good luck if that is in the centre of a major city and you don't have a name/credit card/address &c
The tramp: anonymity through insignificance
You're not paranoid enough.
"As regards 2, why can I still walk into PC World and buy a t-mobile mobile internet dongle for £10 cash then put credit on it using cash with the payment card enclosed in any newsagent? If I use that with new hardware (no previous network use) you don't know who I am. And can't."
Oh heck YEAH I can. The phone can track its general location from the network masts it accesses (you can't avoid that; it's part of the system), and if your phone has a GPS receiver, that'll nail you down to within a meter. Now just pass by SOME camera that's either posting to the Internet at large or is accessible to the plods and BANG: face linked to a space-time stamp. More than a few crooks have been nailed by that kind of link (if not cell phones, then ATM records or the like). And good luck avoiding the cameras. Like I said, they don't have to be owned by the government for them to be able to access them. That includes things like cell phone cameras and store surveillance systems. Big Brother's got plenty of buddies.
I would have little problem with the NSA cracking Tor if it was to rid the world of the inevitable scum that are likely to be found on it. However, the interests of the NSA being what they are, the scum are probably safer from them than the rest of us.
Plus I can't get the niggling worry out of my mind that with all the potentially criminal abilities the security agencies have, they must be tempted to make use of things like Tor to enhance their ability to fund black ops without the need to account for the monies spent, after all, accountability is not amongst their strong points.
Granted I think the guy has done both good and damage... but he seems to have collected a lot of information over time into one nice easy to grab folder and did so... most government sites know who is looking at what and copying the data, even if it is to another secure folder on their network...
There's a little paranoid thing in the back of my head that had a running commentary when I read this:
"Nope, we really can't crack Tor and can't easily identify users from it, honest, cross our hearts and hope to die... Would we lie and tell you that it's all nice and secure when we've really worked out ways in? We really have no first public hop monitoring going on to help us with this, nope, no siree, that'd just be a blatant lie. It's also a lie that we left this presentation in a folder marked 'ultra confidential stuff do not read this unsecured folder if you're a bad guy'. By the way did you like that little gimme we gave you on an outdated Firefox flaw that was fixed and is no longer of value to us, that was our only tool, we have no others, really."
Just far, far too convenient for my liking. And that's me not normally a conspiracy theorist nutjob!
For one it has replaced (kind of) the letter and the telephone call.
But it's also opened up a whole new world of forms of communication. From the drunken rant replying to some idiot posting extreme racist hate filth on Youtube - the equivalent of coming home from the pub in the old days and screaming into the mirror - to hanging around at random places that really have little interest to you, but you do, just because you can - I frequent maybe once a month, one of the British Army forums, and maybe once every 3 months a well known UK Electricians forum.
I have no interest in joining the army (not like they would have me anyway) and I couldn't operate a multimeter even if you put a gun to my head. I don't troll, I join in where I can and there are some extremely warm and witty people to be found in both places.
New forms of communication. Just coz we can.
In the old days, it was assumed that no one opened your mail or listened in to your phone calls. There was no way of knowing and most people just assumed that if this was done it was done for very good reason and only to the deserving few. Common folk being 'communication raped' as a matter of course, wholesale across the board, if known to be a fact would have caused outrage.
Now we just accept it. The lines are blurred. Depending who you talk to, and even before all this storm blew up - who you talked to - the opinion was either: Yes everything you do is monitored, if not in real time, then stored in a database for retrieval, or, Oh no, they wouldn't dare do that, that is against the law, and besides they do not have the resources or manpower.
Still the argument about Tor. Very few people, even those working in the higher echelons of IT, have the ability to know for sure just how compromised this system is. Too many unknown variables. Most cite the point about it being 80 percent funded by the US govt. and that is a good point indeed. Some cite the actual technical infrastructure of the system and lay claim that in these roots lie the inherent anonymity that has been claimed.
Now, I'm no IT bod. But this is what I think. Because I do not know. I think, that maybe Tor is pretty solid if you use it properly - Tails distro etc. - but I would never use it for any nefarious purpose with impunity. As a good hacker friend told me once: If you don't want to get caught - don't do it! And that has been my mantra ever since. It is fortunate that I don't want to buy illegal drugs, have enemies bumped off, or download images of vulnerable humans being abused. But that's just me. YMMV :-)
I think it is fair to say, that no one will completely trust Tor from now on, if they ever did before. But it still has its uses.
I use it for visiting websites where I don't want to be tracked or identified. All perfectly above board. It's a personal thing, that I wish sometimes. Nothing nefarious at all. And even if the spooks could see where I go, they would think 'wtf is this dude using tor?'. And even if the people at the other end _could_ identify me, it would merely be an embarrassment, not a disaster.
I could have worked out how to use Tor to access the Silk Road to have a couple of keys of doobie do delivered. But apart from being ripped off at the end point of some long game of one of their sellers, I trust my postman even less. It's just all so much damn effort.
Anyway, computing has become a funny old game, like I said. We now know that even if our communications are not compromised, the powers that are hanging on are doing their damnedest to rifle through our knicker drawer.
I coined the term 'Internet Rape' a couple of years ago after being horrified that my ugly mug appeared on a forum to do with music hardware and software. I confronted them about this and they actually denied it. The photos were from a blog and I believe the culprit was Gravatar who had 'sold my arse'. The music software and hardware company actually denied it. I mean, after this photo of mine only ever being uploaded to a totally different site on ONE occasion and this very same photo appearing on their website, they actually freaking denied it. What balls! And when I emailed Gravatar, they ignored both of my emails totally. Class act.
Congratulations my son, you have just been 'Internet Raped'!
And now I coin the term 'Communication Rape'. You can work out what it means. Steaming open your letters is the least of it. Everything, every single thing you communicate will be violated against your will. The internet has become a cesspit. And the greatest offenders are not the purveyors of abusive images, they are the creators of its infrastructure and the very governments that some supposedly voted into power, through a 'democratic process'.
A large boot, stamping on humanity's face. For ever!