VMs are your friend
Time to start running your browsers in a VM that is deleted when your session is closed to avoid 'staining'
An NSA presentation released by Edward Snowden contains mixed news for Tor users. The anonymizing service itself appears to have foxed US and UK government snoops, but instead they are using a zero-day flaw in the Firefox browser bundled with Tor to track users. "These documents give Tor a huge pat on the back," security guru …
@panhead20 - "Time to start running your browsers in a VM that is deleted when your session is closed to avoid 'staining'"
Like another commentard posted recently - be sure to hold your laptop over a barrel of saltwater while you browse the internet with that deletable VM, and don't forget to slowly roll the cyanide capsule around in your mouth.
There is Tails - A Linux livecd (Linux was safe from the zero day attack..)
Tails is good as:
- It's Linux so safer (the latest zero day attack just targeted Windows). Thanks to Snowden it is sensible to assume there are backdoors in closed source OS's.
- It forces ALL connections through the Tor network - i.e. you can't accidentally open a PDF, Video file, etc and de-anonymise yourself (like you can if you just run the Tor bundle browser)
- you can run off live cd/usb - no data gets written to any storage (unless you want to), only your computer's RAM - this solves any cookie issue also - i.e. the same cookie being used in clearweb
- Your RAM gets securely wiped on shutdown
- You could run it in a VM - however then you would leave traces on your PC..
Surely the way to do it would be to use a livecd for anything you didn't want sniffed.
Or a thumbdrive with something like grml booting to ram. (Plausible other usage such as rescuing servers).
Work out how to set tor up manually.
Then on everything else just behave normally.
Putting anything potentially incriminating on disk ever seems like a bad idea if you are doing something these guys care about.
..."They are using the kind of techniques that federal prosecutors send people to jail for decades for using," she said. "These are tools that are criminal, and I'm still wondering what's the authority? What kind of authority are they claiming that they can do this?"...
If you ask this you are not a patriotic American.
In fact, you are probably a Commie sympathiser. Or whatever the bogie-man is at the moment...oh, yes, a Muslim Terrorist.
So you are not allowed to ask any questions by law, and if you do, we'll ship you to the Gitmo that Obama was going to close down...
...It's just conjecture. Please therefore do not take it to heart or hold it against me:
One of the things that the 'intelligence community' is supposedly particularly good at is 'non-linear' behaviour. What I mean is: devious schemes, e.g. playing games. Yet in recent months it seems this NSA has been completely laid bare by a single, brave young man, now hiding in Russia after a highly publicised jaunt around the world, during which he successfully ran the gauntlet of all the naughty acronyms - NSA, FBI, CIA, MI6, GCHQ.
He's been telling us all about the NSA. Thanks to him, we know exactly what they are up to. Every day, there's something new. Some things, we now know, they can do (shock horror, better watch our step). Other things, we've found out, they cannot do (so it's safe for us to do these things with total peace of mind). It helps that the young man is able to leak to us PowerPoint presentations in which NSA operatives candidly inform one another about what they can and cannot do about this or that technology. These fall into our lap and we smirk, knowing that we've found their weakness.
But doesn't it sound strange to you that it's so straight-forward, even a teenager could outfox these guys? Or rather: that now, thanks to this young man they failed to catch and to shut up, anybody can find easy solutions to keep the NSA at bay?
I don't think this is fully some kind of misdirection play to get everyone onto Tor. The NSA has taken a lot of hits domestically and internationally from this, including the cancellation of a summit with Brazil's president. There might also be significant reductions to the NSA's legal authorities to conduct surveillance within the U.S. And trust in government in general has suffered in the U.S. because of this, and the Obama administration's poll numbers have suffered noticeably from the NSA fallout.
I doubt Obama and company would endorse real damage to their poll numbers and their ability to get their legislative agenda passed in order to enable the NSA to get everyone onto a favored data communications platform.
just another conjecture:
I agree with the point on "non-linear behaviour". This leads to the following conclusions:
1. Let's suppose that the leaked information is correct. In that case the NSA could try to dissuade people from using TOR by stipulating that the leak could have been intended.
2. On the other hand the information could have intentionally leaked. If people now start to conclude that this could have been the case and assume that using TOR could be unsafe then it would be advisable to get someone to publicly conclude my first point and so to assume that TOR is actually safe to use.
3. On the first foot (as I just ran out of hands): GOTO 1
He's been telling us all he knows about the NSA. Thanks to him, we know exactly more or less what they are up to. Every day, there's something new. Some things, we now know, they can do (shock horror, better watch our step). Other things, we've found out, they cannot do yet (so it's safeish for us for the moment to do these things with total relative peace of mind). It helps that the young man is able to leak to us PowerPoint presentations in which NSA operatives candidly inform one another about what they can and cannot do about this or that technology. These fall into our lap and we smirk, knowing that we've found part of their weakness.
Now you come to mention it... their compartmentalization looks very weak compared with what Peter Wright described in his memoir "Spycatcher". Unless, of course, there are some other departments to which Snowden never had any access.
NSA have got their people into a shoestring-funded Tor Project and created enough delays in upgrading the TBB's base Firefox, to buy time. From January until August, the NSA have had their fun and allowed the FBI one big final blowout to catch as many users as possible in the Freedom Hosting raid (and likely the Silk Road raid too, since they ditched cover on that one around the same time).
As Bruce Schneier says, not mathematics, but cheating (well not even tech, but cheating, in this case)...
I do find it somewhat incomprehensible that they based the TOR browser bundle on an ancient version of FF.
The real mistake they made was re-enabling javascript (which had been blocked by NoScript in earlier releases of the bundle) for 'user convenience'. If there's one set of users anywhere, ever, whose priorities should value security over convenience, it's TOR users.
You couldn't write a better spy novel...
Find it amazing that any of this can be legal, they are effectively hacking people's computers and installing unauthorised software without a user's knowledge on a mass scale.
The more interesting part is the issues with Huawei and not allowing their equipment due to concerns China could spy using backdoors, from what's emerging about US companies' collaboration it's more likely Huawei wouldn't put in the back doors they wanted themselves.
"Find it amazing that any of this can be legal, they are effectively hacking people's computers and installing unauthorised software without a user's knowledge on a mass scale."
3 little words I'll keep repeating.
THE PATRIOT Act.
Your 360+ clause mechanism to dismantle the American Constitution without Americans realizing it.
"You really have to question if there is a rule of law anymore?"
It does seem to have been missing for quite some time. In particular, during the Blair era, law seemed to take on whatever complexion the government, police, security services or business wanted it to on that particular day. If there was a symbolic low point, I think it was probably the Labour party conference where protesters outside were arrested for wearing T-shirts bearing slogans that put the spin doctors' noses out of joint, although arresting an 80 odd year old who'd fled the Nazis for heckling Jack Straw might deserve equal billing.
It's seemingly lower key now, but what Snowden has given us a glimpse of suggests it's much worse.
Abuse of power is what power, unchecked, does.
It does seem to have been missing for quite some time
Personally, my aha moment didn't come as much with the sexing up of the Iraq WMD report as the highly suspicious death of David Kelly. It demonstrated just how far some people were willing to go. The US is merely doing what it always does: take a concept and massively scale it up.
"There are also indications that the NSA had been trying to influence the design of Tor to make it more crackable, a somewhat Kafkaesque approach given that Tor is primarily funded by the US government itself to provide anonymity to internet users operating under repressive governments."
This was expected and the NSA have a clear history of this type of behavior. Now, start thinking about other products that they might have had more success with ... are you using a commercial router/firewall? And you are sure that it's good with no sneaky little backdoors?
Once a packet leaves your network I think you can assume the NSA have a copy of it but you think that inside your network, behind your firewall you're safe? Probably not so if you bought your firewall from any of the major manufacturers in the USA.
Relay nodes are easy. Rent a VM somewhere, install software. Done. You don't need high amounts of memory, storage or processing power but you will need a host that is happy with you consuming large amounts of bandwidth both ways.
Exit nodes are a trickier thing, but something the network is in dire need of. The problem is that if you run an exit node there is a chance you will be falsely blamed for the actions of those who use it - which may include things like spamming, scams, hacking or downloading child pornography. You'll probably be able to counter any charges in court, but not without spending your life savings on legal fees and having your reputation shredded - plus you have next to no chance of ever getting back any of your data, as policy procedure is to seize not only computers but everything on the property capable of storing information right down to games consoles and memory cards, and then hold on to it indefinitely.
So running an exit node requires either a dedication to the cause deep enough to place yourself in legal danger, or the recklessness to do so anyway.
"Are there particular jurisdictions where you could host an exit node with less concern about the potential legal blowback?"
I don't really see any. The exit node problem is basically the same as the "trusted storage" problem: the authorities there can get access to the data in either case, and if it is against their law, BOBHIC.
In such a case, DTA seems to be the operative procedure. Anything that's friendly to the west is likely friendly to the US, which means friendly to the NSA. Out of what's left, you have (1) regimes even more oppressive or domineering like China and North Korea, (2) countries that, while not oppressive, still have their own rules you probably wouldn't like, or (3) countries whose internet is basically too weak to use.
Second idea. Since the NSA will probably eventually compromise Tor funding through the State Department in some manner (which do you think the State Department values more: A) funding a platform used by dissidents, or B) having the NSA bug other governments' leadership and diplomatic communications for them? I'm betting option B), how about forming some kind of non-profit agency that funds Tor nodes and assumes the technical and legal liabilities of running those nodes?
I'd gladly donate to that organization, as long as it was unduly influenced by spammers and pornmeisters.....
If you're happy with a non-exit relay, you can probably run it at home. Obviously it's not going to be contributing a super high amount of bandwidth to the network, but having a large number of nodes should help anyway, even if they're not too fast. I did this and haven't had any complaints from my ISP, I guess some are stricter than others though.
I actually ran an exit node at home in the early days, but stopped because I ended up getting blocked on various websites, either specifically for being a proxy, or presumably because a spammer, troll or whatever used my exit at some point. Plus I started to realize there was at least a theoretical risk of more serious consequences. I don't think anyone's actually been raided due to Tor exit traffic in my country, but I wouldn't like to be the first.
Normally I abhor Snowden leaks, but I found this an interesting read and easily digestible. It's too late to fight this kind of thing. It's the new reality brought upon us by technology. I'm not a player or a user in this case, but the outcome of these new cyber wars will define my average existence none the less.
The only thing I actually have control over in any real sense is how I react and deal with things that occur to me in life.
To my mind, not rolling over and kissing the government's arse *is* something that is in my control.
To the properly prepared mind, opportunities to further your intentions will always present themselves. I have no illusions that I can somehow single-handedly put the world to rights, but I will do what I can, when I can.
If *everyone* did the same thing, I believe that might add up to slightly more than a hill of beans.
...Or hey, you can opt to at least strike a small, even rather passive role for freedom and justice. But perhaps it's easier to roll over and hope that the government runs out of surveillance and law enforcement bandwidth before they get to your ability to watch kitten videos and email your fantasy football league about the next season.