
Tor 0.1.2.14 released

Tor is an Internet security tool which provides properties such as traffic-analysis-resistant communications and anonymity. It can be used to browse and participate on the Internet without fear of covert government torture in tyrannical pretend-to-be-democracy NATO regimes such as Norway. A new version of the “stable” branch is now available.

The new version has some software fixes, but more importantly, the addresses of two directory authorities have been changed, and their IPs are hardcoded into the Tor software. Thus, you really should upgrade, especially if you happen to be serving location-hidden services.

The official Tor maintainers’ announcement regarding this release is:

Tor 0.1.2.14 changes the addresses of two directory authorities (this change especially affects those who serve or use hidden services), and fixes several other crash- and security-related bugs.

We’ll put out 0.1.1.27 in the next week or so for people who absolutely can’t upgrade — but really, please upgrade to 0.1.2.14 if you can. Those still running 0.1.0.x should now consider it obsolete and unsupported.

https://tor.eff.org/download.html

Changes in version 0.1.2.14 - 2007-05-25

  • Directory authority changes:
    • Two directory authorities (moria1 and moria2) just moved to new
      IP addresses. This change will particularly affect those who serve
      or use hidden services.
  • Major bugfixes (crashes):
    • If a directory server runs out of space in the connection table
      as it’s processing a begin_dir request, it will free the exit stream
      but leave it attached to the circuit, leading to unpredictable
      behavior. (Reported by seeess, fixes bug 425.)
    • Fix a bug in dirserv_remove_invalid() that would cause authorities
      to corrupt memory under some really unlikely scenarios.
    • Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
    • Avoid segfaults when reading from mmaped descriptor file. (Reported
      by lodger.)
  • Major bugfixes (security):
    • When choosing an entry guard for a circuit, avoid using guards
      that are in the same family as the chosen exit — not just guards
      that are exactly the chosen exit. (Reported by lodger.)
  • Major bugfixes (resource management):
    • If a directory authority is down, skip it when deciding where to get
      networkstatus objects or descriptors. Otherwise we keep asking
      every 10 seconds forever. Fixes bug 384.
    • Count it as a failure if we fetch a valid network-status but we
      don’t want to keep it. Otherwise we’ll keep fetching it and keep
      not wanting to keep it. Fixes part of bug 422.
    • If all of our dirservers have given us bad or no networkstatuses
      lately, then stop hammering them once per minute even when we
      think they’re failed. Fixes another part of bug 422.
  • Minor bugfixes:
    • Actually set the purpose correctly for descriptors inserted with
      purpose=controller.
    • When we have k non-v2 authorities in our DirServer config,
      we ignored the last k authorities in the list when updating our
      network-statuses.
    • Correctly back-off from requesting router descriptors that we are
      having a hard time downloading.
    • Read resolv.conf files correctly on platforms where read() returns
      partial results on small file reads.
    • Don’t rebuild the entire router store every time we get 32K of
      routers: rebuild it when the journal gets very large, or when
      the gaps in the store get very large.
  • Minor features:
    • When routers publish SVN revisions in their router descriptors,
      authorities now include those versions correctly in networkstatus
      documents.
    • Warn when using a version of libevent before 1.3b to run a server on
      OSX or BSD: these versions interact badly with userspace threads.

The popular search engine Google, who appear to be working closely with the CIA, has changed its English start page. The new page uses JavaScript to print the new menu in the upper left corner, which means that it does not appear if you are using a non-JS browser or have turned JS support off.

The new startpage looks like this when JavaScript is enabled:

[Screenshot: googledotcom-2007-05-19.png]

And like this when JS is disabled:

[Screenshot: googledotcom-2007-05-19-nojs.png]

As you may see in the above screenshots, the JS menu is not there if the browser has JavaScript disabled.

JavaScript allows websites to gather huge amounts of information about visitors: JS can tell what screen resolution you are using, the color depth, the window size, which browser extensions are installed and the exact versions of those extensions, etc. There are many ways to identify a computer using JS. Anonymity software like Tor will not protect your privacy if information is leaked over the anonymous connection. Thus, Tor users - and non-Tor users who value their privacy - should only enable JS when absolutely needed.

It’s not the end of the world that Google appears to have adopted a policy which requires its users to browse with JS enabled, but it is a bad trend. What if they suddenly decide to require JS to view search results in their search engine, like a few search engines already do?

The paranoid answer: once. I’ve written about how you can make your own Tor-on-a-USB-stick package by piecing together the parts you need (Tor, Privoxy and a browser like Opera). But a minor detail didn’t even cross my mind until I read a short post about security at polysyncronism.com about the issue of whether you can trust .exe files.

Well, can you? You can trust what is on your Tor USB keystick if you compiled the .exe files on it or downloaded them from trusted sources (like the software vendor’s site, having verified the archives’ signatures), but for how long?

Consider this: I run an Internet café. The adversary finds some way to get to me and asks me to run a piece of software on all the café’s machines. You come by, this program installs something bad in the .exe files when a USB device is mounted, and now you’re screwed.

Well, you’d be anyway if the attacker is running bad software at the Internet café you’re stopping by with your Tor on a USB stick, but the key point here is that now your Tor USB keystick is compromised. So: you should only trust that the software is intact until you have used it on an untrusted computer. Then you need to wipe it and reinstall your Tor-USB package.

Does it sound paranoid? Perhaps. But re-installing your USB package when you come home or get to a trusted computer is yet another one of the many better-safe-than-sorry measures you should take if you’re using Tor in public places - I mean, if you have a reason to do that in the first place then you’ve also probably got a good reason to make sure it actually does what you think it does. And just another short related security tip: a computer can write to USB filesystems when they are connected, but it can’t write to CDs. A live CD is bigger, less practical and slightly less accepted at libraries and cafés, but you can use one more than once without having to wonder if the computer you just used put something nasty in the .exe files on it.

PSI is a very popular Jabber-client which supposedly supports SOCKS-compatible proxies in the upcoming version. This support is, sadly, utterly broken from a security point of view.

What’s Jabber, anyway?

Jabber is a protocol for user-to-user messages which to the end user works just like MSN, ICQ and similar systems. The difference is that Jabber is an open protocol. No single corporation owns the network, you can use any software which follows the standard to communicate, and you can run your own Jabber server if you don’t want to use any of the many public servers that are available.

PSI is one of the many programs you can use to communicate with other Jabber-users (it is also possible to talk to MSN and ICQ users over “gateways”) and PSI is in many ways the best Jabber-client.

Its proxy “support” is, sadly, totally broken in both the latest “stable” version and the developer SVN version as of March 28th, 2007.

Why is proxy-support so important?

There are a great number of reasons why you would want to communicate with the rest of the world without revealing your location. The Tor network is a great traffic-analysis-resistant proxy network which allows you to do that. But not by using PSI.

Let’s tell the world by leaking DNS

The proxy support in the latest version of PSI insists on doing DNS queries locally and then connects to the resolved IP over the configured SOCKS proxy. If the adversary is watching your local connection or your DNS server, the adversary will learn enough to know that you’re communicating over Jabber. PSI insists on trying to resolve DNS queries locally and will only try to resolve over the SOCKS proxy if local DNS resolution fails. So it can act securely and resolve DNS over SOCKS, it just won’t, and you can’t configure it to behave properly unless you are willing to change the source code.
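What this looks like on the wire, as an added example that is not PSI’s or Tor’s code: a SOCKS5 CONNECT request can carry either an IP literal, meaning the client already did the DNS lookup itself, or the hostname (address type 0x03), which a proxy like Tor then resolves on the far side. The helper functions, the server name jabber.example.org and the Tor SocksPort address 127.0.0.1:9050 are assumed for illustration.

```python
"""SOCKS5 CONNECT (RFC 1928): local DNS leak versus proxy-side resolution.

Added example, not code from PSI or Tor. The leaky form is what the post
describes PSI doing: resolve the Jabber server's name locally (a DNS query the
local network and ISP can see) and hand the proxy an IP literal. The safe form
carries the hostname itself (ATYP 0x03) so the proxy, e.g. Tor's SocksPort,
resolves it remotely. The proxy address and server name used are assumed.
"""
import socket
import struct

SOCKS5, CMD_CONNECT, NO_AUTH = 0x05, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def connect_request_ipv4(ip_text: str, port: int) -> bytes:
    """Leaky form: the caller already resolved the name and passes an IPv4 literal."""
    return (struct.pack("!BBBB", SOCKS5, CMD_CONNECT, 0x00, ATYP_IPV4)
            + socket.inet_aton(ip_text) + struct.pack("!H", port))


def connect_request_hostname(host: str, port: int) -> bytes:
    """Safe form: the hostname travels inside the request; the proxy resolves it."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    return (struct.pack("!BBBB", SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def parse_connect_request(request: bytes):
    """Decode a CONNECT request into (atyp, destination, port); raises if malformed."""
    ver, cmd, rsv, atyp = struct.unpack("!BBBB", request[:4])
    if ver != SOCKS5 or cmd != CMD_CONNECT or rsv != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        dest, rest = socket.inet_ntoa(request[4:8]), request[8:]
    elif atyp == ATYP_IPV6:
        dest, rest = socket.inet_ntop(socket.AF_INET6, request[4:20]), request[20:]
    elif atyp == ATYP_DOMAIN:
        n = request[4]
        dest, rest = request[5:5 + n].decode("idna"), request[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", rest)
    return atyp, dest, port


def leaks_dns_locally(request: bytes) -> bool:
    """Audit check: an IP-literal destination means the client did its own lookup."""
    atyp, _dest, _port = parse_connect_request(request)
    return atyp in (ATYP_IPV4, ATYP_IPV6)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy: tuple, dest_host: str, dest_port: int) -> socket.socket:
    """TCP stream to dest_host:dest_port via a SOCKS5 proxy (assumed Tor SocksPort
    127.0.0.1:9050), never resolving dest_host locally. Needs a running proxy."""
    sock = socket.create_connection(proxy)       # only the proxy address is dialled
    sock.sendall(bytes([SOCKS5, 1, NO_AUTH]))    # offer exactly one method: no auth
    if _recv_exact(sock, 2) != bytes([SOCKS5, NO_AUTH]):
        sock.close()
        raise OSError("proxy rejected the no-authentication method")
    sock.sendall(connect_request_hostname(dest_host, dest_port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS5 or rep != 0x00:
        sock.close()
        raise OSError(f"SOCKS5 CONNECT failed, reply code {rep:#x}")
    # Drain BND.ADDR/BND.PORT so the caller reads application data from here on.
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 6)
    elif atyp == ATYP_IPV6:
        _recv_exact(sock, 18)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
    return sock
```

A client written like socks5_connect() sends no DNS query of its own; auditing a capture of the proxy connection with leaks_dns_locally() on the CONNECT bytes tells you which behaviour a given client has.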

Are there any working alternatives?

If you know about a Jabber-client with working SOCKS proxy support then please, do share. The PSI developers were informed about their broken SOCKS support ages ago, and nothing has changed. There really should be a Jabber client which allows you to communicate with the world without having to reveal exactly where in the world you are.

There is a nice bundle of the Tor network security tool, Privoxy and the Opera browser available, called OperaTor. It includes a non-open-source .exe file, which in my eyes makes it not worth trusting, but you don’t need to: there’s also a Build-Your-Own version available which lets you make your own custom “OperaTor” variant.

You can go to the official OperaTor - Opera + Tor + Privoxy website and scroll down to where it says “MakeOperaTor”. This package is simply an install program which installs configuration files for Tor, Opera and Privoxy - and a .exe file for OperaTor.

The idea is that you can download a copy of Tor, Opera and Privoxy, extract them to those folders and run the install program to magically configure them in a way which is suited for a Tor-USB keystick.

Why would I want these programs on a USB keystick?

There are a good number of reasons you’d want to use the Internet in a public place without giving away your location. Perhaps you’re a celebrity and don’t want the press storming in for interviews. A USB keystick with a browser and anonymity software allows you to use nearly any Internet-connected computer to surf anonymously - without installing anything on the computer. You only need to be able to run the software on your USB device.

So why do I need all these programs?

Tor is a traffic-analysis-resistant network security tool which provides many excellent properties, including anonymity. In bullet summary: if you are at an Internet café and you check your e-mail, the adversary can’t learn your location by watching your e-mail provider, and so on.

Web browsers leak all sorts of information through the anonymous Tor connection, so you need something in between Tor and your browser. Privoxy is a great filter. That’s why you need it as part of your bundle.

And last: a browser. OperaTor is a package made for the Opera browser; that’s what it includes, and that’s what MakeOperaTor configures. But it doesn’t have to be. You can easily use a browser such as FirefoxPortable instead (it’s also possible to use Polipo instead of Privoxy). You could just use the browser installed on the computer you’re at, but then you’d have to configure its proxy settings, and not all computers allow you to change such settings. You’re better off starting a browser with a ready-to-use configuration from your USB keystick.

When you run MakeOperaTor, it makes configuration files for Tor, Privoxy and Opera. You have to download and install these packages separately.

The generated configuration files..

Running the installation program creates these files:

./Tor
./Tor/torrc
./Opera
./Opera/spellcheck.ini
./Opera/OperaDef6.ini
./Opera/profile
./Opera/profile/opera6.ini
./Opera/operator.ico
./Privoxy
./Privoxy/config.txt

You don’t have to install anything before running the installer; you can run it without having any of the parts of the package installed in order to just create the needed config files. MakeOperaTor also installs a .exe file which starts all of the separate programs, but you don’t need that. Here are the above-listed generated files, without the OperaTor.exe:

makeoperator-21-generated.zip (4 KB)

Now, when you have these files, from this .zip or generated using MakeOperaTor, all you need to do is download a copy of Tor, Opera and Privoxy, extract them to their respective folders and then copy the configuration files into those folders. And you’re (almost) done.

You can start each of these programs separately, but you may want an “automatic” solution which does this for you - like the OperaTor.exe binary included in OperaTor does (the alternative bundle “TorPark” also does this). The very important detail here is that the only function of both OperaTor.exe and TorPark’s executable is to start three separate files.

So why are there .exe files in those bundles? And why is the source of these executable files not available? Nobody but nobody seems to be talking.

The obvious thing to do is to create a file called start.bat which contains:

start "Tor" /DTor /MIN tor.exe -f torrc
start "Privoxy" /DPrivoxy /MIN privoxy.exe
start "Opera" /DOpera Opera.exe

(start.bat is included in the above zip)

This will start Tor, Privoxy and Opera for you, just like the .exe files do. Except that you can read what the .bat file does and verify what it does, and it must also be noted that this batch file does not take up 200KB of space like OperaTor.exe does. You have to exit each of the separate programs yourself, which is a drawback compared to using a .exe file, but it’s really not that hard (it’s also not that hard to start them separately).

The Opera configuration…

As mentioned: What you want to do is:

  1. Create (or download) the configuration files.
  2. Install Tor, Privoxy and Opera into subfolders Tor/, Privoxy/ and Opera/ in a ThisWillBeOnMyUSB/ folder.
  3. Copy the configuration files into those folders.

And then there is 4): Start and configure Opera. The included configuration files for Tor and Privoxy are just fine, but the Opera configuration has some issues. You need to start Opera and change at least the following settings:

  1. Go to Tools -> Preferences -> Advanced -> History
  2. Set addresses under “Remember history” to zero.
  3. Set “Disc cache” to zero.
  4. Check if there are any other settings you’d want to fine-tune.

The reason this is so vital is that you never know when you lose your USB device, or the adversary steals it from you, or I pick-pocket you and get it, and then I get to see all the websites you’ve visited using Tor. It’s essential to make sure that no evidence is left on your USB stick (except intentionally saved documents) when you leave the cybercafé / library / etc.

Now make a .zip file of what you’ve got for future reference, and copy ThisWillBeOnMyUSB/ onto your USB keychain, test it on a trusted computer and now you’re all set to start using your Tor + Privoxy + Opera package in the wild.

Note: If you find this information hard to understand then you really should spend some time learning a thing or two about computers. As the warning on the official Tor website says, there are many things that can make Tor less secure than it can be, and you can only be sure you’re actually anonymous if you know what you are doing. You could just go with the ready-to-use OperaTor package (and the included OperaTor.exe file), but you’ll both learn more and get a better package if you make one yourself, and you really should know which separate package does what and how they work together if you rely on the security properties Tor provides.

Articles with headlines such as “Here is how to expose Tor users” appear regularly in the mainstream press. Most of these articles have nothing to do with Tor itself and everything to do with users who by mistake allow their software to send personal information over the anonymous connection, or allow their software to connect to the Internet without going through Tor. Like the recent “Hacker builds tracking system to nab Tor pedophiles” article, which outlines how to “expose” the 0.001% of Tor users who browse with Java enabled in their browser.

The Tor-project have now responded to the “attack” outlined in this article and articles like it: They’ve put up a WARNING!! WARNING!! section on the Tor download page. It outlines what was already clearly stated in the documentation: Tor makes your connection anonymous, but does not make your software act anonymous. This warning is a good move in the right direction:

Anonymous Internet usage requires you to disable plugins such as Flash, Java, ActiveX and other plugins that can seriously compromise your anonymity. And every Tor user should know this. Now it’s not even possible to download the software without getting a basic understanding of the steps you need to take to actually make it work.

The warning should also put a stop to these “Here’s how to attack Tor users… if they are extremely stupid” articles, since the warning being there makes it very clear that people who claim to be able to attack Tor are either knowingly ignoring that their attack doesn’t apply to anyone who has read the documentation, or unable to read and/or understand English, in which case it should be apparent that their supposed attack probably ain’t going to work.

Oh, btw. Every Tor-user should take a look at the warning. The information there really is essential to making good decisions regarding which software is and isn’t safe to combine with Tor.

A technical paper released in February by UColorado/Boulder outlines how to attack Tor using a few evil servers. A spokesperson for the Tor project was quick to respond, saying that they are aware of the problem and that nothing indicates that such an attack has been launched “in the wild” yet. Yesterday the “respectable” publication ZDNet reported that “Hacker builds tracking system to nab Tor pedophiles”. Such tracking has nothing to do with nabbing pedophiles and everything to do with compromising the security of the entire Tor network and all its users. So this article should be very alarming.

However. A close inspection of the “tracking measures” outlined in the article indicates that the supposed “tracking” is no threat at all.

Here’s why:

The supposed tracking method that the person ZDNet calls “über-hacker HD Moore” proposes is:

1. Run a patched TOR server. The patches embed a Ruby interpreter into the TOR connection engine and allow arbitrary Ruby scripts to process data before sending it back to the client.

2. When child porn-related keywords are seen (either the Web request, or the response), inject a little extra HTML code into the response going back to the Web browser. This HTML code would connect to my decloaking engine.

3. The decloak engine is based on the following techniques:

Now. 1) Running a patched Tor server is a bad thing and a threat to the network, depending on the patch. This patch, however, as described in 2), would have to be used on a Tor exit server, and all it would do is modify the HTML file passed back to the client. This, on its own, doesn’t do any kind of tracking; it only means that you would get a modified page back. Tor exits modifying the traffic would on their own be a very bad thing; such servers mean that you would have to reload the page from another exit node if it comes back modified, but that alone is no security threat and doesn’t do any tracking.

The tracking would be done by the user’s browser, triggered by the extra HTML code. This could just as easily be done by anyone with a webserver, now couldn’t it? You’re reading this page, which means that I’m in control of the HTML your browser got. Pretty much the same situation as a patched Tor exit node giving you “tracking” HTML, don’t you think? So the “Tor-server-patch” described would - at best - only be somewhat annoying.

But wait. Is this kind of HTML tracking possible?

Let’s take a close look at the ZDNet story regarding the actual tracking described.

a) A unique identifier is created to track this user.

b) The browser is asked to resolve a unique host name, containing the identifier, that is part of a special domain hosted on my server. I run a modified DNS server that updates a database with the address from which the DNS request is received. The goal of this step is to determine the ISP of the user.

As people who have any idea what they are talking about are aware, Tor resolves hostnames through the Tor network. Thus, b) would determine that someone used the patched Tor exit, and then resolved the identifier domain using another Tor exit. This does not reveal anything about the user’s ISP; it reveals.. that the same user is (still) using the Tor network. This information is useful because..? Well, you already know the person in question is using the Tor network, don’t you? How else would someone have fetched the page using Tor, eh?

And then there’s this:

c) The browser is asked to load a Java applet. This applet uses two different techniques to obtain information about the user.

d) The first method uses the Java API to determine the local IP address of the user. This value is then passed back to the JavaScript code in the Web HTML snippet hosting the applet. The goal of this step is to get the real *internal* IP address of the user.

e) The second method involves the applet sending a raw DNS packet, directly to my server. Since this is UDP, it does not pass through TOR, and since it is sent by the Java code, it does not go through the ISP. This packet contains the unique identifier and if received, gives away the real *external* IP of the user. The goal of this step is to get the address of the user’s NAT gateway.

Now. This information is true. Java does allow tracking of Tor users. This is true regardless of someone running a patched Tor server. Any website with a Java applet can track users who browse with Java enabled. This information is in every Tor howto. You have to disable Java when you’re using Tor. You should also disable JavaScript and ActiveX.

So. Tracking is still possible if you have Java enabled in your browser. And every Tor user who even glanced at the documentation knows this. Yes, c), d) and e) are possible if the Tor user hasn’t read the fine manual, but it simply won’t work on Tor users who have disabled Java - which is about 99.99% of Tor users.

Oh. There’s a claim f) after e). It’s..

f) At this point, my server is able to determine the internal address of the user, the external address from which they access the internet, and the ISP they use to provide DNS resolution, as well as the IP address they come from through the TOR network. This information, along with the unique tracking ID, allows me to identify a specific workstation within an organization or residence.

Again, true for the 0.01% of Tor users who browse with Java enabled.

I don’t.

So, at this point, Mr. Moore, your server still has no idea what my address is, which ISP I use for DNS resolution or which IP address I came through the Tor network from, and since your server has none of this information except some tracking ID, which is useless, you still can’t identify me, my organization or my residence.

In bullet summary:

  • Yes, you should disable Java when you’re using Tor - and the Internet in general - because Java doesn’t respect - or even care about - the web browser’s proxy settings.
  • The supposed tracking system does work for the 0.01% of Tor-users who never bothered to read the documentation.


DNS censorship is a form of censorship where DNS servers are (mis)configured to give the wrong answer for given domains. You want to go to a website, the name (www.something.tld) is translated by your ISP’s DNS servers into an IP, and your browser goes to that IP. But DNS servers do not need to tell you the correct IP for the website you are asking for, and some ISPs in tyrannic regimes such as Norway intentionally misconfigure their DNS servers in order to censor the Internet.

A close examination of various ISPs reveals that the Norwegian ISPs:

  • Telenor and
  • NextGenTel

..are doing DNS censorship. These ISPs will give you the wrong IP for many websites and take the user to a page which basically says “You can’t have this page, and you’re a bad person for wanting to view it”.

These Norwegian Internet providers do not censor their customers’ DNS queries on behalf of the tyrannical Norwegian government:

  • Ventelo (Bluecom)
  • Halden Dataservice
  • Powertech
  • BKK Bredbånd
  • Monet
  • UiO

Source: DNS censorship

Thus, Norwegian Telenor and NextGenTel are very alone in doing this kind of censorship. It’s interesting to note that many within the Norwegian government are pushing aggressively to force all ISPs to do this kind of censorship.

One minor detail: you don’t have to use your ISP’s DNS servers. It is very easy to configure your computer to use DNS servers located abroad - or other local DNS servers - if your ISP’s DNS servers are misconfigured to do this kind of censorship. It’s also possible to use the network security tool Tor to bypass your ISP’s DNS servers.
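One way to check a resolver for this, as an added example that is not from the post: query the ISP’s resolver and an independent resolver for the same names and compare. A name whose ISP answer disagrees with the reference, where the ISP hands out one address shared across several such names, is the block-page pattern described above; a one-off difference may just be geo-DNS. The names, addresses and resolver response below are constructed sample data.

```python
"""Spotting resolver-level DNS censorship by comparing two resolvers' answers.

Added example, not from the post. A censoring resolver of the kind described
hands back one "you can't have this page" address instead of the real one.
Asking the ISP resolver and an independent resolver for the same names shows
it: ISP answers that disagree with the reference and share a single address
are the block-page signature. All names and addresses below are constructed.
"""
import random
import socket
import struct
from collections import Counter

NOERROR, NXDOMAIN = 0, 3   # DNS RCODE values


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: one question, type A, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab for lab in name.encode("idna").split(b".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a DNS name (label sequence or two-byte compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_a_records(response: bytes, expected_id: int) -> tuple:
    """Return (rcode, set of A addresses); other record types are skipped."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch: not our answer")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(response, off) + 4        # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs


def query_a(name: str, resolver_ip: str, timeout: float = 3.0) -> tuple:
    """Live lookup against one specific resolver (needs network; not run offline)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def classify(isp: dict, reference: dict) -> dict:
    """Per-name verdict; both dicts map name -> (rcode, addresses) as query_a returns."""
    # An ISP address replacing a different reference answer for several names is a
    # shared block page; a one-off difference may just be CDN/geo-DNS steering.
    suspects = Counter()
    for name, (rcode, addrs) in isp.items():
        ref_rcode, ref_addrs = reference[name]
        if rcode == ref_rcode == NOERROR and addrs and not addrs & ref_addrs:
            suspects.update(addrs)
    verdicts = {}
    for name, (rcode, addrs) in isp.items():
        ref_rcode, ref_addrs = reference[name]
        if rcode == NXDOMAIN and ref_rcode == NOERROR and ref_addrs:
            verdicts[name] = "nxdomain-only-at-isp"
        elif rcode == ref_rcode == NOERROR and addrs and not addrs & ref_addrs:
            shared = any(suspects[a] >= 2 for a in addrs)
            verdicts[name] = "redirected-to-shared-blockpage" if shared else "differs"
        else:
            verdicts[name] = "consistent"
    return verdicts


# Constructed sample answers (RFC 5737 addresses, .example names) and one
# constructed wire response: id 0x1234, "blocked.example" A 192.0.2.1, TTL 300.
SAMPLE_ISP = {"blocked-a.example": (0, {"192.0.2.1"}), "blocked-b.example": (0, {"192.0.2.1"}),
              "news.example": (0, {"198.51.100.7"}), "cdn.example": (0, {"203.0.113.20"}), "gone.example": (3, set())}
SAMPLE_REFERENCE = {"blocked-a.example": (0, {"198.51.100.20"}), "blocked-b.example": (0, {"198.51.100.21"}),
                    "news.example": (0, {"198.51.100.7"}), "cdn.example": (0, {"203.0.113.40"}), "gone.example": (0, {"198.51.100.9"})}
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07blocked\x07example\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")
```

To run it live, call query_a(name, resolver_ip) for each name against the ISP resolver and an independent one, then feed the two resulting dicts to classify().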

I’ve spent quite some time reading the legal documents and other documents regarding the EFF v. AT&T lawsuit. The suit is an EFF class-action suit against AT&T because AT&T are helping the NSA spy on US citizens by giving them access to the Internet backbone at various central points.

Now, the interesting thing isn’t really that the EFF are suing AT&T for helping the NSA spy on citizens. It’s that AT&T are in fact helping the NSA monitor the Internet activities of citizens in the US. That is what the lawsuit is about. Check out the legal documents, see for yourself. This is yet another good reason to use traffic analysis resistant software such as Tor when browsing the Internet…

The suit: EFF’s Class-Action Lawsuit Against AT&T for Collaboration with Illegal Domestic Spying Program

It’s also worth knowing that they do keyword filtering of plain-text HTTP connections in real time. You browse some page which contains the word foo, the word foo happens to be flagged, now you’re on their list. You browse 10 pages with the word foo, now you’re on the watch-list; you browse a hundred, now you’re scheduled for termination.

Or not. Because, generally speaking, they don’t come hunt you down just because you read the wrong thing. What really makes them upset is people who are publishing information, describing new information, actively taking part in forums, peace groups, writing blogs, and so on. Now, I’m not saying you shouldn’t do such things; you should. But you may want to learn a thing or two about how invasive the surveillance of the Internet really is and what you can do to hide your identity, location and so on when you are using the Internet. It’s really not that hard, it only takes some reading, learning and, most importantly, motivation.

Many people, including myself, search using the Google scraper Scroogle to get search results from Google and Yahoo without letting them know that it is actually me who is doing the search request. You type your keywords into Scroogle, it passes them on to Google or Yahoo, fetches the results, and presents them in a beautifully clean way. But how much do you actually hide when you are using Scroogle? Nothing and everything.

Google learns nothing about you and your IP, and it can’t set or check a browser-cookie or anything else for that matter, all Google sees is that Scroogle, or someone using Scroogle, is searching for a set of keywords.

So it’s safe to use if you want to avoid being tracked by Google and Yahoo, right? Yes, that’s right.

But imagine that you’re an adversary who wants to be able to profile people who want privacy on the Internet. How would you go about doing that? Simple. Create a honeypot which “protects you” from Big Brother and direct the privacy-concerned users there.

Scroogle doesn’t set a cookie or attempt to track you in any obvious way, but it does record your IP when you are doing a search. Scroogle claims that they only store it for 48 hours, and perhaps they do. Perhaps they don’t. Let’s assume they do delete the logs within 48 hours and that Scroogle is run by good and honest people. That’s an assumption, one you have to make when using any service that scrapes a search engine in order “to protect you” from Big Brother. It’s not something you can rely on as a fact. So, at the end of the day, you’re still taking a chance.

Scroogle, and services like it, may be good and have value, but they are basically nothing more than services that allow you to shift your blind trust in one service over to another service which could be “good” or “evil”.

The only way you can be sure that search engines or search-engine scrapers are not tracking you and your search keywords is by making sure they can’t. Use secure solutions that allow you to browse the Internet anonymously, disallow cookies that are not required to use a service and remove those that are required immediately after logging out of a site - and you’re all set.

Search-engine scrapers are basically one-hop proxies that do a specific task. And one-hop proxies should not be trusted. Not because you think or don’t think that a given one-hop service is tracking you, but because they can. Onion-routing systems like Tor use three hops where no single hop can track you.

Someone could be tracking you when you’re using a search-engine scraper or a traditional one-hop proxy. Why take the chance? Use something like Tor and make sure they can’t.
