It must be mentioned that the service does NOT allow “illegal” files. This may forbid all sorts of interesting content since nothing at the site indicates which country the service is locaed in. This means that it is impossible to know which countries laws apply, and this in turn makes it impossible to know what is and what is not “legal”.

The service offers it’s users their own .onion domain(s), ftp access, a mysql database and resource-restricted PHP scripting.

Check out http://xqz3u5drneuzhaeo.onion/ for more information.

Java exposes a programmatic sockets interface, and a malicious applet can construct properly formed control port commands. If the control port is enabled with the NULL authentication and accessible to the web browser, the malicious applet can authenticate and send arbitrary commands.

To summarize, Tor users with the following conditions may be at risk:

• vulnerable version of Java enabled in web browser
• control port enabled with NULL authentication and accessible

Use of proxy switching browser add-ons (e.g., Torbutton, FoxyProxy)
may increase this risk if the Java Virtual Machine can perform
arbitrary DNS resolution through the native operating system resolver.

Possible workarounds:

• disable Tor control port
• if control port is required, use ‘HashedControlPassword’ option
• disable Java in the web browser and/or uninstall from OS
• If Java is required, consider a virtual machine solution such as JanusVM or firewalled environment that only allows DNS requests through web browser

The latest Java downloads are available at http://java.com/ or http://pseudo-flaw.net/tor/attacking-tor-control-port-with-java/.

Hi people.

In response to a law that passed the german legislative today, I will cease
production, development and distribution of ROCKate binaries and – maybe -
even source code soon.

The reasen is §202c StGB which states (IANAL translation):

“Producing, acquiring, selling, giving, distributing or making-accessible of
passwords or other access codes as well as computer programs whose aim it is
to commi a crime … will be punished with up to one year in jail or a fine.”

See also: http://www.phenoelit.de/202/202.html

Basically, these waters are too hot for me to tread in. Though the official
reading of the wall – reading from politicians that is – says that they only
target ‘criminals’ and there is no need to worry with the wording, nobody
knows when some underworked lawyer thinks he might go on to sue the ass off
of everyone in IT.

If someone wants to mirror/host/develop ROCKate further, be my guest. If you
need technical assistance, I can offer guidance, but I probably won’t write
a single line of code anymore. Sorry.

Greetings, Benjamin

If you are in a country which is slightly more free than Germany and you want to help keep the ROCKate project alive then please do so. It is clear

Well, can you? You can trust what is on your Tor-USB keystick if you compiled the .exe files on it or downloaded them from trusted sources (like the software vendor’s site and verified the archives signatures), but for how long?

Consider this: I run a Internet caf’s, the adversary finds some way to get to me, he asks me to run a piece of software on all the café’s machines, you come by, this program installs something bad on the .exe files when a USB device is mounted, now you’re screwed.

Well, you’d be anyway if the attacker is running bad software on the Internet café you’re stopping by with your Tor on a USB stick, but the key point here is that now your Tor-USB keystick is compromized. So. You should only trust that the software is intact until you have used it at a untristed computer. Then you need to wipe it and reinstall your Tor-USB package.

Does it sound paranoid? Perhaps. But re-installing your USB package when you come home or get to a trusted computer is yet another one of the many better safe than sorry measures you should take if you’re using Tor when you’re at public places – I mean, if you have a reason to do that in the first place then you’ve also probably got a good reason to make sure it actually does what you think it does. And just another short related security tip: A computer can write to USB filesystems when they are connected, but they can’t write to CDs. A live-cd is bigger, less practical and slightly less accepted at libraries and café’s, but you can use those more than once without having to wonder if the computer you just used put something nasty in the .exe files on it.

The Tor-project have now responded to the “attack” outlined in this article and articles like it: They’ve put up a WARNING!! WARNING!! section on the Tor download page. It outlines what was already clearly stated in the documentation: Tor makes your connection anonymous, but does not make your software act anonymous. This warning is a good move in the right direction:

Anonymous Internet-usage requires you to disable plugins such as flash, java, active x and other plugins who can seriously compromize your anonymity. And every Tor-user should know this. Now it’s not even possible to download the software without getting a basic understanding of the steps you need to take to actually make it work.

The warning should also put a stop to these “Here’s how to attack Tor-users… if they are extremely stupid”-articles since the warning being there makes it very clear that people who claim to be able to attack Tor are either knowingly ignoring that their attack doesn’t apply to anyone who’ve read the documentation or unable to read and/or understand English, in which case it should be apparent that their supposed attack probably ain’t going to work.

Oh, btw. Every Tor-user should take a look at the warning. The information there really is essential to making good decisions regarding which software is and isn’t safe to combine with Tor.

Google learns nothing about you and your IP, and it can’t set or check a browser-cookie or anything else for that matter, all Google sees is that Scroogle, or someone using Scroogle, is searching for a set of keywords.

So it’s safe to use if you want to avoid being tracked by Google and Yahoo, right? Yes, that’s right.

But imagine that you’re a advesary who want to be able to profile people who want privacy on the Internet. How would you go about doing that? Simple. Create a honeypot which “protects you” from Big Brother and direct the privacy concerned users there.

Scroogle doesn’t set a cookie or attempt to track you in any obvious way, but it does record your IP when you are doing a search. Scroogle claims that they only store it for 48 hours, and perhaps they do. Perhaps they don’t. Lets assume they do delete the logs within 48 hours and that Scroogle is run by good and honest people. That’s an assumption, one you have to make by using any service who scrapes a search-engine in order “to protect you” from Big Brother. It’s not something you can rely on as a fact. So, at the end of the day, you’re still taking a chance.

Scroogle, and services like it, may be good and have value, but they are basically nothing more than services who allow you to shift your blind trust in one service over to another service who could be “good” or “evil”.

The only way you can be sure that search-engines or search-engine scrapers are not tracking you and your search-keywords is by making sure they can’t. Use secure solutions who allow you to browse the Internet anonymously, disallows cookies who are not required to use a service and remove those who are required immediately after logging out of a site – and you’re all set.

Search-engine scrapers are basically one-hop proxies who do a specific task. And one-hop proxies should not be trusted. Not because you think or don’t think that a given one-hop service is tracking you, but because they can. Onion-routing systems like Tor use three hops where no single hop can track you.

Someone could be tracking you when you’re using a search-engine scraper or a traditional one-hop proxy. Why take the chance? Use something like Tor and make sure they can’t.

Tor also allows you to write a blog – and other web-pages – anonymously, both on the public Internet and on the special location hidden services who are available only to Tor-users. A location hidden service is a website, or other Internet service, which can only be accessed using the Tor-network. These work just like “normal” Internet services, but there are two major differences: 1) It is impossible (or, at least, very hard) to find out where in the world the service is located and 2) you have to use Tor to access them. This has one major drawback, most people do not use Tor, so publishing on one of the free blog/wiki/etc services on the public Internet may be a better way to share your thoughts as a Tor-user.

Well, now you know. The software you need to use the Internet anonymously is there, available, and best of all: It’s free open-source software. Visit http://tor.eff.org/ and check it out for yourself. It makes browsing slightly slower than on the normal Internet, but the extra delay is worth it – at least if you value anonymity. Anonymity may not be important if you are in a truly free country, but if you are a place where your free speech on the Internet may cause your government to torture you, or the corporation you work at to fire you, then you really should try Tor.

Technorati Tags: Free speech, Anonymity, Internet