Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 16, 2019

Free Online Proxy Servers (Review)

Filed under: Cybersecurity,Proxy Servers,Tor — Patrick Durusau @ 3:59 pm

The Best Free Online Proxy Servers You Can Use Safely by Dan Price.

From the post:

Proxy sites and proxy servers allow internet users to bypass internet restrictions and access content that would otherwise be blocked.

Lots of free proxy providers exist, but which are the best? Are there any risks of using a free online proxy? And what alternatives are available?

Price has a top 5 free proxy servers that starts with HideMyAss and goes down from there. 😉 Links to several paid proxy services are listed as well.

HideMyAss uses cookies so best to approach them using a VPN and a Tor browser. You should be using a VPN and a Tor browser by default. Even if you don’t need that level of security, it helps to generate traffic that benefits others.

February 19, 2019

OnionShare 2 adds anonymous dropboxes, … [Potential Leakers/Cleaning Staff Take Note!]

Filed under: Cybersecurity,Tor — Patrick Durusau @ 1:28 pm

OnionShare 2 adds anonymous dropboxes, supports new Tor addresses, and is translated into a dozen new languages by Micah Lee.

From the post:

After nearly a year of work from a growing community of developers, designers, and translators, I’m excited that OnionShare 2 is finally ready. You can download it from onionshare.org.

OnionShare is an open source tool for securely and anonymously sending and receiving files using Tor onion services. It works by starting a web server directly on your computer and making it accessible as an unguessable Tor web address that others can load in Tor Browser to download files from you, or upload files to you. It doesn’t require setting up a separate server, using a third party file-sharing service, or even logging into an account.

Unlike services like email, Google Drive, DropBox, WeTransfer, or nearly any other way people typically send files to each other, when you use OnionShare you don’t give any companies access to the files that you’re sharing. So long as you share the unguessable web address in a secure way (like pasting it in an encrypted messaging app), no one but you and the person you’re sharing with can access your files.

Depending on the cyberfails at your organization (How to Block Tor (The Onion Router)), secure leaking may be as easy as installing OnionShare, adding the files you want to leak and transmitting an Onion address to a member of the media.

Well, some members of the media. Western main stream media is extremely risk adverse and will take no steps to assist leakers. That is leaks have to arrive on their doorsteps with no direct effort on their part. I suspect that applies to obtaining files with OnionShare but you would have to ask a reporter.

On the other hand, cleaning staff can read passwords off sticky notes as easily as users and with OnionShare 2 on a USB stick, could be sharing files during their shift. Deleting OnionShare 2 before leaving of course.

OnionShare 2 is a project to support, follow, use and share as widely as possible.

October 3, 2018

New Release: Tor Browser 8.0.2 – Upgrade Time!

Filed under: Privacy,Tor — Patrick Durusau @ 10:25 am

New Release: Tor Browser 8.0.2

From the post:

Tor Browser 8.0.2 is now available from the Tor Browser Project page and also from our distribution target=”_blank”directory.

This release features important security updates to Firefox. We picked up the necessary patches, but because we needed to start building before Mozilla was ready with a first candidate build, we did not bump the Firefox version to 60.2.2esr. Thus, users are fine with Tor Browser 8.0.2 even though the Firefox version is 60.2.1esr.

Grab the latest version of Tor Browser today!

You are the last and best hope for your personal privacy.

September 6, 2018

Using cURL through Tor on Ubuntu 18.04

Filed under: Cybersecurity,Tor — Patrick Durusau @ 3:01 pm

When I found Making Tor Requests with command-line cURL by NanoDano, I thought I had hit gold!

Easy enough:

Except that when I do:

curl –socks5-hostname localhost:9150 https://check.torproject.org

I get:

curl: (7) Failed to connect to localhost port 9150: Connection refused

Quick answers: Yes, the Tor browser is running, the syntax is correct, ….

I spent several minutes trying to identify the source of the problem before doing this:

curl –socks5-hostname 127.0.0.1:9150 https://check.torproject.org

Success!

Yes, I have a local mis-configuration, which I can correct, but you may find situations where correction isn’t possible.

Try substitution of 127.0.0.1 for localhost and vice-versa, before looking for more obscure causes. (That also quickly identifies this particular mis-configuration.)

September 4, 2018

Tor Sites – Is Your Public IP Showing? [Terrorist-in-a-Box]

Filed under: Cybersecurity,Dark Web,Tor — Patrick Durusau @ 9:32 am

Public IP Addresses of Tor Sites Exposed via SSL Certificates by Lawrence Abrams.

From the post:

A security researcher has found a method that can be used to easily identify the public IP addresses of misconfigured dark web servers. While some feel that this researcher is attacking Tor or other similar networks, in reality he is exposing the pitfalls of not knowing hwo to properly configure a hidden service.

One of the main purposes of setting up a dark web web site on Tor is to make it difficult to identify the owner of the site. In order to properly anonymize a dark web site, though, the administrator must configure the web server properly so that it is only listens on localhost (127.0.0.1) and not on an IP address that is publicly exposed to the Internet.

The failure of people who intentionally walk on the wild side to properly secure their sites holds out great promise that government and industry sites are even more poorly secured.

If you are running a Tor site or someday hope to run a Tor site, read this post and make sure your public IP isn’t showing.

Unless your Tor site is a honeypot for government spy agencies. They lap up false information like there is no tomorrow.

Not something I have time for now but consider mining intelligence reports as a basis for creating a Tor site, complete with information, chats, discussion forums, etc., download (not public) name “Terrorist-in-a-Box.” Unpack, install, configure (correctly) and yet another terrorist site is on the Dark Web. Have an AI running all the participants on the site. A challenging project to make it credible.

The intelligence community (IC) makes much of their ability to filter noise from content, so you can help them test that ability. It’s almost a patriotic duty.

August 2, 2018

Archives for the Dark Web: A Field Guide for Study

Filed under: Archives,Dark Web,Ethics,Journalism,Tor — Patrick Durusau @ 4:48 pm

Archives for the Dark Web: A Field Guide for Study by Robert A. Gehl.

Abstract:

This chapter provides a field guide for other digital humanists who want to study the Dark Web. In order to focus the chapter, I emphasize my belief that, in order to study the cultures of Dark Web sites and users, the digital humanist must engage with these systems’ technical infrastructures. I will provide specific reasons why I believe that understanding the technical details of Freenet, Tor, and I2P will benefit any researchers who study these systems, even if they focus on end users, aesthetics, or Dark Web cultures. To this end, I offer a catalog of archives and resources researchers could draw on and a discussion of why researchers should build their own archives. I conclude with some remarks about ethics of Dark Web research.

Highly recommended read but it falls short on practical archiving advice for starting researchers and journalists.

Digital resources, Dark Web or no, can be emphemeral. Archiving produces the only reliable and persistent record of resources as you encountered them.

I am untroubled by Gehl’s concern for research ethics. Research ethics can disarm and distract scholars in the face of amoral enemies. Governments and their contractors, to name only two such enemies, exhibit no ethical code other than self-advantage.

Those who harm innocents, rely on my non-contractual ethics at their own peril.

June 11, 2018

Speaking of Being Vulnerable: Tor Browser 7.5.5 and 8.0a8 released!

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 10:03 am

Tor Browser 7.5.5 is released (stable)

Tor Browser 8.0a8 is released (experimental)

BTW, if you want to use Tor in more than name only, follow these instructions (no exceptions):

Want Tor to really work?

You need to change some of your habits, as some things won’t work exactly as you are used to.

  1. Use Tor Browser

    Tor does not protect all of your computer’s Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser. It is pre-configured to protect your privacy and anonymity on the web as long as you’re browsing with Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.

  2. Don’t torrent over Tor

    Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that’s how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.

  3. Don’t enable or install browser plugins

    Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into Tor Browser, as these may bypass Tor or otherwise harm your anonymity andprivacy.

  4. Use HTTPS versions of websites

    Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon on that website. To help ensure private
    encryption to websites, Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website. Also see EFF’s interactive page explaining how Tor and HTTPS relate.

  5. Don’t open documents downloaded through Tor while online

    Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files, unless you use the PDF viewer that’s built into Tor Browser) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.

  6. Use bridges and/or find company

    Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you’re using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less
    dangerous it will be that you are one of them. Convince other people to use Tor, too!

Be smart and learn more. Understand what Tor does and does not offer. This list of pitfalls isn’t complete, and we need your help identifying and documenting all the issues.

Volunteer, donate, spread the word about the Tor project! The privacy you protect, could well be your own!

May 9, 2018

Increasing Your Security (As Opposed to Thinking You Are Secure)

Filed under: Cybersecurity,Security,Tails,Tor — Patrick Durusau @ 8:36 pm

You can increase your security, against known hazards/bugs, by installing and using:

along with other appropriate practices and cautions.

Bear in mind that no software or encryption scheme is a defense against a $5 wrench.

February 8, 2018

Running a Tor Relay (New Guide)

Filed under: Privacy,Security,Tor — Patrick Durusau @ 10:45 am

The New Guide to Running a Tor Relay

Have we told you lately how much we love our relay operators? Relays are the backbone of the Tor network, providing strength and bandwidth for our millions of users worldwide. Without the thousands of fast, reliable relays in the network, Tor wouldn’t exist.

Have you considered running a relay, but didn’t know where to start? Perhaps you’re just looking for a way to help Tor, but you’ve always thought that running a relay was too complicated or technical for you and the documentation seemed daunting.

We’re here to tell you that you can become one of the many thousands of relay operators powering the Tor network, if you have some basic command-line experience.

If you can’t help support the Tor network by running a relay, don’t despair! There’s are always ways to volunteer and of course to donate.

Your support helps everyone who uses Tor and sometimes results in really cool graphics, like this one for running a Tor relay:

If you want something a bit closer to the edge, try creating a graphic where spy rays from corporations and governments bounce off of secure autos, computers, homes, phones.

December 13, 2017

Making an Onion List and Checking It Twice (or more)

Filed under: Privacy,Tor — Patrick Durusau @ 3:51 pm

Bash script to check if .onions and other urls are alive or not

From the post:

The basic idea of this bash script is to feed a list of .onion urls and use torsocks and wget to check if the url is active or not, surely there are many other alternatives but it always nice to have another option.

Useful script and daily reminder:

Privacy is a privilege you work for, it doesn’t happen by accident.

December 8, 2017

Contra Censors: Tor Bridges and Pluggable Transports [Please Donate to Tor]

Filed under: Censorship,Tor — Patrick Durusau @ 1:08 pm

Tor at the Heart: Bridges and Pluggable Transports by ssteele.

From the post:


Censors block Tor in two ways: they can block connections to the IP addresses of known Tor relays, and they can analyze network traffic to find use of the Tor protocol. Bridges are secret Tor relays—they don’t appear in any public list, so the censor doesn’t know which addresses to block. Pluggable transports disguise the Tor protocol by making it look like something else—for example like HTTP or completely random.

Ssteele points out censorship, even censorship of Tor, is getting worse, so the time to learn these tools is now. Don’t wait until Tor has gone dark for you to respond.

December seems to be when all the begging bowls come out from a number of worthwhile projects.

I should be pitching my cause at this point but instead, please donate to support the Tor project.

October 27, 2017

New York Times Goes Dark (As in Dark Web)

Filed under: Journalism,News,Tor — Patrick Durusau @ 1:06 pm

The New York Times is Now Available as a Tor Onion Service by Runa Sandvik.

From the post:

Today we are announcing an experiment in secure communication, and launching an alternative way for people to access our site: we are making the nytimes.com website available as a Tor Onion Service.

The New York Times reports on stories all over the world, and our reporting is read by people around the world. Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer.

The Times is dedicated to delivering quality, independent journalism, and our engineering team is committed to making sure that readers can access our journalism securely. This is why we are exploring ways to improve the experience of readers who use Tor to access our website.

One way we can help is to set up nytimes.com as an Onion Service — making our website accessible via a special, secure and hard-to-block VPN-like “tunnel” through the Tor network. The address for our Onion Service is:

https://www.nytimes3xbfgragh.onion/

This onion address is accessible only through the Tor network, using special software such as the Tor Browser. Such tools assure our readers that our website can be reached without monitors or blocks, and they provide additional guarantees that readers are connected securely to our website.

The New York Times (NYT) “going dark,” benefits the Tor project several ways:

  • Increases the legitimacy of Tor
  • Increases the visibility of Tor
  • Lead to more robust Tor relays
  • More support for Tor development
  • Spreading usage of Tor browsers

Time to press other publishers, Wall Street Journal, the Washington Post, ABC, NBC, CBS, the Daily Beast, The Hill, NPR, the LA Times, USA Today, Newsweek, Reuters, the Guardian, to name only a few, for Tor onion services.

Be forewarned, a login to the NYT destroys whatever anonymity you sought by accessing https://www.nytimes3xbfgragh.onion/.

You may be anonymous to your local government, but the NYT is subject to the whims and caprices of the US government. A login to the NYT site, even using Tor, puts your identity and reading habits at risk.

October 26, 2017

Test Your Qualifications To Run A Web Hidden Service

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 10:30 am

Securing a Web Hidden Service

From the post:

While browsing the darknet (Onion websites), it’s quite stunning to see the number of badly configured Hidden Services that will leak directly or indirectly the underlying clearnet IP address. Thus canceling the server anonymity protection that can offer Tor Hidden Services.

Here are a few rules you should consider following before setting up a Onion-only website. This guide covers both Apache and Nginx.
… (emphasis in original)

Presented as rules to preserve .onion anonymity, these five rules also test of your qualifications to run a web hidden service.

If you don’t understand or won’t any of these five rules, don’t run a web hidden service.

You are likely to expose yourself and others.

Just don’t.

October 17, 2017

Tor Keeps You Off #KRACK

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 12:44 pm

You have seen the scrambling to address KRACK (Key Reinstallation Attack), a weakness in the WPA2 protocol. Serious flaw in WPA2 protocol lets attackers intercept passwords and much more by Dan Goodin, Falling through the KRACKs by John Green, are two highly informative and amusing posts out of literally dozens on KRACK.

I won’t repeat their analysis here but wanted to point out Tor users are immune from KRACK, unpatched, etc.

A teaching moment to educate users about Tor!

September 28, 2017

Tails 3.2 Out! [Questions for Journalists]

Filed under: Cybersecurity,Journalism,Security,Tails,Tor — Patrick Durusau @ 8:48 pm

Tails 3.2 is out

From the about page:

Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.

It is a complete operating system designed to be used from a USB stick or a DVD independently of the computer’s original operating system. It is Free Software and based on Debian GNU/Linux.

Tails comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc.

Does your editor keep all reporters supplied with a current version of Tails?

Are reporters trained on a regular basis in the use of Tails?

If your answer to either question is no, you should be looking for another employer.

September 20, 2017

Testing Next-Gen Onions!

Filed under: Cybersecurity,Government,Security,Tor — Patrick Durusau @ 9:53 pm

Please help us test next-gen onions! by George Kadianakis.

From the webpage:

this is an email for technical people who want to help us test next-gen onion services.

The current status of next-gen onion services (aka prop224) is that they have been fully merged into upstream tor and have also been released as part of tor-0.3.2.1-alpha: https://blog.torproject.org/tor-0321-alpha-released-support-next-gen-onion-services-and-kist-scheduler

Unfortunately, there is still no tor browser with tor-0.3.2.1-alpha so these instructions are for technical users who have no trouble building tor on their own.

We are still in a alpha testing phase and when we get more confident about the code we plan to release a blog post (probs during October).

Until then we hope that people can help us test them. To do so, we have setup a *testing hub* in a prop224 IRC server that you can and should join (ideally using a VPS so that you stick around).

Too late for me to test the instructions today but will tomorrow!

The security you help preserve may be your own!

Enjoy!

September 18, 2017

Darkening the Dark Web

Filed under: Cybersecurity,Privacy,Security,Tor — Patrick Durusau @ 8:47 pm

I encountered Andy Greenberg‘s post, It’s About to Get Even Easier to Hide on the Dark Web (20 January 2017), and was happy to read:

From the post:


The next generation of hidden services will use a clever method to protect the secrecy of those addresses. Instead of declaring their .onion address to hidden service directories, they’ll instead derive a unique cryptographic key from that address, and give that key to Tor’s hidden service directories. Any Tor user looking for a certain hidden service can perform that same derivation to check the key and route themselves to the correct darknet site. But the hidden service directory can’t derive the .onion address from the key, preventing snoops from discovering any secret darknet address. “The Tor network isn’t going to give you any way to learn about an onion address you don’t already know,” says Mathewson.

The result, Mathewson says, will be darknet sites with new, stealthier applications. A small group of collaborators could, for instance, host files on a computer known to only to them. No one else could ever even find that machine, much less access it. You could host a hidden service on your own computer, creating a way to untraceably connect to it from anywhere in the world, while keeping its existence secret from snoops. Mathewson himself hosts a password-protected family wiki and calendar on a Tor hidden service, and now says he’ll be able to do away with the site’s password protection without fear of anyone learning his family’s weekend plans. (Tor does already offer a method to make hidden services inaccessible to all but certain Tor browsers, but it involves finicky changes to the browser’s configuration files. The new system, Mathewson says, makes that level of secrecy far more accessible to the average user.)

The next generation of hidden services will also switch from using 1024-bit RSA encryption keys to shorter but tougher-to-crack ED-25519 elliptic curve keys. And the hidden service directory changes mean that hidden service urls will change, too, from 16 characters to 50. But Mathewson argues that change doesn’t effect the dark web addresses’ usability since they’re already too long to memorize.

Your wait to test these new features for darkening the dark web are over!

Tor 0.3.2.1-alpha is released, with support for next-gen onion services and KIST scheduler

From the post:

And as if all those other releases today were not enough, this is also the time for a new alpha release series!

Tor 0.3.2.1-alpha is the first release in the 0.3.2.x series. It includes support for our next-generation (“v3”) onion service protocol, and adds a new circuit scheduler for more responsive forwarding decisions from relays. There are also numerous other small features and bugfixes here.

You can download the source from the usual place on the website. Binary packages should be available soon, with an alpha Tor Browser likely by the end of the month.

Remember: This is an alpha release, and it’s likely to have more bugs than usual. We hope that people will try it out to find and report bugs, though.

The Vietnam War series by Ken Burns and Lynn Novick makes it clear the United States government lies and undertakes criminal acts for reasons hidden from the public. To trust any assurance by that government of your privacy, freedom of speech, etc., is an act of madness.

Will you volunteer to help with the Tor project or place your confidence in government?

It really is that simple.

September 5, 2017

Tor Browser 7.0.5 is released – Upgrade! Stay Ahead of Spies!

Filed under: Privacy,Tor — Patrick Durusau @ 4:47 pm

Tor Browser 7.0.5 is released

From the webpage:

Tor Browser 7.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release makes HTTPS-Everywhere compatible with Tor Browser on higher security levels and ensures that browser windows on macOS are properly rounded.

Well, no guarantee you will stay ahead of spies but using the current release of Tor is the best one can do. At least for browsers.

Enjoy!

August 25, 2017

DOJ Wanted To Hunt Down DisruptJ20.org Visitors

Filed under: Censorship,Free Speech,Government,Politics,Protests,Tor — Patrick Durusau @ 2:34 pm

National Public Radio (NPR) details the Department of Justice (DOJ) request for web records from DisruptJ20.org, which organized protests against the coronation of the current U.S. president, in Government Can Search Inauguration Protest Website Records, With Safeguards and Justice Department Narrows Request For Visitor Logs To Inauguration Protest Website. (The second story has the specifics on the demand.)

The narrowed DOJ request excludes:

f. DreamHost shall not disclose records that constitute HTTP requests and error logs.

A win for casual visitors this time, but no guarantees for next time.

The NPR stories detail this latest governmental over-reaching but the better question is:

How to avoid being scooped up if such a request were granted?

One word answer: Tor!

What is Tor?

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

Why Anonymity Matters

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

What’s your default browser?

If your answer is anything but Tor, you are putting yourself and others at risk.

August 9, 2017

Defeat FBI Video Booby-Trap

Filed under: Cybersecurity,FBI,Government,Porn,Tor — Patrick Durusau @ 10:25 am

Joseph Cox details “…deanonymizing people in a targeted way using novel or unorthodox law enforcement techniques…” in The FBI Booby-Trapped a Video to Catch a Suspected Tor Sextortionist.

Not an attack on Tor per se but defeated the use of Tor none the less.

Can you spot the suspect’s error?

From the complaint:


F. Law Enforcement Identifies “Brian Kil’s” True IP Address

51. On June 9, 2017, the Honorable Debra McVicker Lynch authorized the execution of a Network Investigative Technique “NIT” (defined in Clause No. 1:17-mj-437) in order to ascertain the IP address associated with Brian Kil and Victim 2.

52. As set forth in the search warrant application presented to Judge Lynch, the FBI was authorized by the Court to add a small piece of code (NIT) to a normal video file produced by Victim 2, which did not contain any visual depictions of any minor engaged in sexually explicit activity. As authorized, the FBI then uploaded the video file containing the NIT to the Dropbox.com account known only to Kil and Victim 2. When Kil viewed the video containing the NIT on a computer, the NIT would disclose the true IP address associated with the computer used by Kil.

57. When Kil viewed the video containing the NIT on a computer the NIT disclosed the true IP address associated with the computer used by Kil.

Where did “Kil’s” opsec fail?

“Kil” viewed content of unknown origin on a networked computer.

“Kil” thought the content originated with Victim 2, but all remote content on the Internet should be treated as being of unknown origin.

No one knows if you are a dog on the Internet just as you don’t know if the FBI sent the video you are playing.

Content of unknown origin is examined and stays on non-networked computers. Copy text only to networked systems. If you need the original content, well, you have been warned.

You can see the full complaint at:
https://assets.documentcloud.org/documents/3914871/Hernandez-NIT-Complaint.pdf

Best practice: Remote content, even if from known source, is of unknown origin. (A comrade may have made the document, video, image, but government agents intercepted and infected it.)

PS: I’m no fan of sextortionists but I am concerned about the use of “booby-trapped” videos against political activists. (Makes you wonder about “jihadist” videos on YouTube doesn’t it?)

July 25, 2017

We’ll Pay You to #HackTor

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 4:02 pm

We’ll Pay You to #HackTor

From the post:

THERE ARE BUGS AMONG US

Millions of people around the world depend on Tor to browse the internet privately and securely every day, so our security is critical. Bugs in our code pose one of the biggest threats to our users’ safety; they allow skilled attackers to bypass Tor’s protections and compromise the safety of Tor users.

We’re constantly looking for flaws in our software and been fortunate to have a large community of hackers who help us identify and fix serious issues early on, but we think we can do even more to protect our users. That’s why if you can #HackTor and find bugs in our software, we want reward you.

JOIN OUR FIRST PUBLIC BUG BOUNTY

With support from the Open Technology Fund, we’re launching our first public bug bounty with HackerOne. We’re specifically looking for your help to find bugs in Tor (the network daemon) and Tor Browser. A few of the vulnerabilities we’re looking for include local privilege escalation, unauthorized access of user data, attacks that cause the leakage of crypto material of relays or clients, and remote code execution. In January 2016, we launched a private bug bounty; hackers helped us catch 3 crash/DoS bugs (2 OOB-read bugs + 1 infinite loop bug) and 4 edge-case memory corruption bugs.

Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online. Help us protect them and keep them safe from surveillance, tracking, and attacks. We’ll award up to $4,000 per bug report, depending on the impact and severity of what you find.

HERE’S HOW TO GET STARTED

Sign up for an account at HackerOne. Visit https://hackerone.com/torproject for the complete guidelines, details, terms, and conditions of our bug bounty. Then, start finding and reporting bugs to help keep Tor and Tor Browser safe.

Happy bug hunting!

The pay isn’t great but it’s for a worthy cause.

Any improvement individual security is a net win for individuals everywhere.

June 29, 2017

Tor descriptors Ă  la carte: Tor Metrics Library 2

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 1:23 pm

Tor descriptors Ă  la carte: Tor Metrics Library 2.

From the post:

We’re often asked by researchers, users, and journalists for Tor network data. How can you find out how many people use the Tor network daily? How many relays make up the network? How many times has Tor Browser been downloaded in your country? In order to get to these answers from archived data, we have to continuously fetch, parse, and evaluate Tor descriptors. We do this with the Tor Metrics Library.

Today, the Tor Metrics Team is proud to announce major improvements and launch Tor Metrics Library version 2.0.0. These improvements, supported by a Mozilla Open Source Support (MOSS) “Mission Partners” award, enhance our ability to monitor the performance and stability of the Tor network.

Tutorials too! How very cool!

From the tutorials page:

“Tor metrics are the ammunition that lets Tor and other security advocates argue for a more private and secure Internet from a position of data, rather than just dogma or perspective.”
— Bruce Schneier (June 1, 2016

Rocks!

Encourage your family, friends, visitors to all use Tor. Consider an auto-updated display of Tor statistics to drive further use.

Relying on governments, vendors and interested others for security, is by definition, insecurity.

June 25, 2017

Improved Tracking of .onion links by Facebook

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 8:51 pm

Improved sharing of .onion links on Facebook by Will Shackleton.

From the post:

Today we are rolling out two new features on Facebook to improve the experience of sharing, discovering and clicking .onion links to Tor hidden services especially for people who are not on Tor.
ďżź
First, Facebook can now show previews for .onion links. Hidden service owners can use Open Graph tags to customise these previews, much like regular websites do.

Second, people who are not using Tor and click on .onion links will now see a message informing them that the link they clicked may not work. The message enables people to find out more about Tor and – for hidden services which have opted in – helps visit the service’s equivalent regular website. For people who are already using Tor, we send them straight through to the hidden service without showing any message.

Try sharing your favorite .onion link on Facebook and let us know in the comments what you think about our improvements!

This is a very bad plan!

If you are:

not using Tor and click on .onion links will now see a message informing them that the link they clicked may not work.

and, Facebook captures your non-Tor accessing of that link.

Accessing .onion links on Facebook, without using Tor, in the words of Admiral Ackbar, “It’s a trap!”:

June 7, 2017

Tor 7.0! (Won’t Protect You From @theintercept)

Filed under: Cybersecurity,Privacy,Tor — Patrick Durusau @ 7:11 pm

Tor Browser 7.0 Is Out!

The Tor browser is great but recognize its limitations.

A primary one is Tor can’t protect you from poor judgment @theintercept. No software can do that.

Change your other habits as appropriate.

April 30, 2017

Tor 0.3.0.6 is released: a new series is stable!

Filed under: Cybersecurity,Tor — Patrick Durusau @ 7:47 pm

Tor 0.3.0.6 is released: a new series is stable!

From the post:

Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.

With the 0.3.0 series, clients and relays now use Ed25519 keys to authenticate their link connections to relays, rather than the old RSA1024 keys that they used before. (Circuit crypto has been Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced the guard selection and replacement algorithm to behave more robustly in the presence of unreliable networks, and to resist guard- capture attacks.

This series also includes numerous other small features and bugfixes, along with more groundwork for the upcoming hidden-services revamp.

Per our stable release policy, we plan to support the Tor 0.3.0 release series for at least the next nine months, or for three months after the first stable release of the 0.3.1 series: whichever is longer. If you need a release with long-term support, we recommend that you stay with the 0.2.9 series.

If you build Tor from source, you can find it at the usual place on the website. Packages should be ready over the next weeks, with a Tor Browser release in late May or early June.

Below are the changes since 0.2.9.10. For a list of only the changes since 0.3.0.5-rc, see the ChangeLog file.

I’ve been real lazy with Tor, waiting for packages, etc.

Not that I can “proof” the code but I should at least be building from sources.

Good practice if nothing else.

I’ll take a shot at building from source for Ubuntu 16.04 this week and report on how it goes.

February 24, 2017

Fingerprinting Every Browser But Tor

Filed under: Browsers,Cybersecurity,Tor — Patrick Durusau @ 3:44 pm

Browser Fingerprinting Tech Works Across Different Browsers for the First Time by Amy Nordrum.

Yinzhi Cao and colleagues have developed browser fingerprint code that identifies 99.24 percent of users across browsers.

Cao’s paper, (Cross-)Browser Fingerprinting via OS and
Hardware Level Features.

Github: https://github.com/Song-Li/cross_browser.

Demo: http://www.uniquemachine.org

The lead for the story was buried at the end of the post:

The only browser that his method didn’t work on was Tor. (emphasis added)

Your call, you can take care of your own security or be provably insecure.

January 13, 2017

Ultrasound Tracking Defeats Tor (Provides Pathway Into Government Offices)

Filed under: Cybersecurity,Government,Security,Tor — Patrick Durusau @ 2:26 pm

Tor users at risk of being unmasked by ultrasound tracking by Danny Bradbury.

How close is your phone to your computer right now?

That close?

You may want to rethink your phone’s location.

From the post:

A new type of attack should make Tor users – and countless dogs around the world – prick up their ears. The attack, revealed at BlackHat Europe in November and at the 33rd Chaos Computer Congress the following month, uses ultrasounds to track users, even if they are communicating over anonymous networks.

The attack uses a technique called ultrasound cross-device tracking (uXDT), which made its way into advertising circles as early as 2012. Marketing companies running uXDT campaigns will play an ultrasonic sound, inaudible to the human ear, in a TV or radio ad, or even in an ad delivered via a computer browser.

Although the user won’t hear it, other devices such as smartphones using uXDT-enabled apps will be listening. When the app hears the signal, it will ping the advertising network with details about itself. What details? Anything it asks for the phone for, such as its IP address, geolocation Coleman’s, telephone number and IMEI (SIM card) code.

That’s creepy enough in marketing. Now, advertisers can tell what TV or radio ads you’ve been listening to, matching them with the universe of other information they have about you from your web searches, social media activity and emails.

In essence the technique uses an ultrasound “beacon” to trigger your phone to “call home.”

Hmmm, betrayed by your own phone.

Danny outlines a number of scenarios of governments using this technique against users.

Ultrasound tracking poses a significant risk for Tor users, but they are security conscious enough to be using Tor.

Consider the flip side of using ultrasound tracking as a pathway into government offices. A phone that can “call home” can certainly listen for keystrokes.

Where do you think most sysadmins keep their phones? 😉

November 14, 2016

Tor Risks for Whistleblowers

Filed under: Cybersecurity,Security,Tor — Patrick Durusau @ 7:57 pm

Exclusively Relying on Tor Risks Detection and Exposure for Whistleblowers by Michael Best.

Eighteen (18) slides to remind you that just using Tor can leave you vulnerable to detection and exposure.

Depending on who you are exposing, detection may be hazardous to your freedom or even your life.

Unfortunately, like other forms of cybersecurity, avoiding detection and exposure requires effort. Effort that is rare among casual users of computers.

Depending upon your risk factors, you and your colleagues should review security practices on a regular basis.

I would include these slides and/or an adaptation of them as part of that review.

Pointers to regular security practice review cheatsheets?

September 23, 2016

Tor 0.2.8.8 is released, with important fixes

Filed under: Privacy,Tor — Patrick Durusau @ 4:49 pm

Tor 0.2.8.8 is released, with important fixes

Source available today, packages over the next week.

Privacy is an active, not passive stance.

Steps to take:

  1. Upgrade your Tor software.
  2. Help someone upgrade their Tor software.
  3. Introduce one new person to Tor.

If you take those steps with every upgrade, Tor will spread more quickly.

I have this vision of James Clapper (Director of National Intelligence), waking up in a cold sweat as darkness spreads across a visualization of the Internet in real time.

Just a vision but an entertaining one.

September 4, 2016

Running a Tor Exit Node for fun and e-mails

Filed under: Dark Web,Tor — Patrick Durusau @ 7:34 pm

Running a Tor Exit Node for fun and e-mails by Antonios A. Chariton.

From the post:


To understand the logistics behind running a Tor Exit Node, I will tell you how I got to run my Tor Exit Node for over 8 months. Hopefully, during the process, some of your questions will be answered, and you’ll also learn some new things. Please note that this is my personal experience and I cannot guarantee it will be the same for you. Also, I must state that I have run other exit nodes in the past, as well as multiple non-exit relays and bridges.
ďżź…

A great first person account on running a Tor Exit Node.

Some stats after 8 months:

  • It has been running for almost 8 months
  • It costs 4,90 EUR / month. In comparison, the same server in AWS would cost $1,122, or 992€ as of today
  • The total cost to date is 40€. In comparison, the same server in AWS would cost about 8,000€.
  • It is pushing up to 50 Mb/s, every second
  • It relayed over 70 TB of Tor traffic
  • It generated 2,729 Abuse E-Mails
  • It is only blocking port 25, and this to prevent spam
  • It helped hundreds or thousands of people to reach an uncensored Internet
  • It helped even more people browse the Internet anonymously and with privacy

If your not quite up to running an exit node, consider running a Tor relay node: Add Tor Nodes For 2 White Chocolate Mochas (Venti) Per Month.

Considering the bandwidth used by governments for immoral purposes, the observation:


Finally, just like with everything else, we have malicious users. Not necessarily highly skilled criminals, but people in general who (ab)use the anonymity that Tor provides to commit things they otherwise wouldn’t.

doesn’t trouble me.

As a general rule, highly skilled or not, criminals don’t carry out air strikes against hospitals and such.

Older Posts »

Powered by WordPress