Skip to main content

With all of the NSA related diaries on the site recently, I have seen folks mention the use of TOR (an acronym for "the onion router") as a means to do things on the web anonymously.  Personally, I don't use TOR because I don't see the need and I am inherently skeptical of "we can hide you" services such as this.  Over the last couple of days the service, and the browser and network which support it have been in the news - this piqued my curiosity.  Please read on if you are curious too.

So what is TOR?  According to their website:

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.
In addition to providing anonymous access to internet services, the network also allows for anonymous or hidden web site hosting as well.  These hidden websites (which are accessible only through TOR), allow not only the users to be anonymous but the servers as well:
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don´t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
According to TOR, this allows the service to:
protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Anonymous web hosting can also be used for nefarious purposes, as is the case with the examples below.

TOR's recent controversy began with the arrest of a man in Ireland named Eric Eoin Marques.  The FBI alleges that the 28 year old Mr. Marques is "the largest facilitator of child porn on the planet."  Mr. Marques is also "believed to be behind Freedom Hosting, the biggest service provider for sites on the encrypted Tor network".

According to The Verge:

Freedom Hosting is the largest and best-known hidden service provider, hosting a number of prominent darknet destinations, including well-known child pornography sites as well as [site name redacted by the diarist], an online marketplace for drugs and other illegal merchandise. Its high profile as a safe haven for child porn earned it the ire of internet activist collective Anonymous, which used DDoS attacks to temporarily take it offline in 2011. Marques is scheduled to appear in Ireland’s High Court on Thursday, reports The Independent.
In all fairness to TOR, they released a statement:
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research.
So, the Freedom Hosting servers are now down (along with the child porn it was serving) and Mr. Marques is in jail awaiting extradition to Maryland to face the FBI charges.  But the story doesn't end here, it just gets more interesting.

Apparently, to make TOR easier to use, the TOR team created a package called the TOR Browser Bundle (TBB).  The TBB is based on a modified version of a Firefox release, named Firefox 17 ESR.  According to TOR:

The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.
An exploit of TBB allowed this to occur:
Before being taken down, the Freedom Hosting site was serving malware that targeted users of the Tor Browser Bundle (TBB), which is based on Firefox 17 and is the easiest way for people to access Tor's hidden services. Based on a teardown of the malware, it was an iFrame injection script designed only to plant a universally unique identifier (UUID) on a target's computer. "Ironically, all [the malicious script] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID," the head of intelligence for Israeli cybersecurity firm Cyberhat, Ofir David, told security reporter Brian Krebs. "That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user." David said he believed the hack attack and takedown were tied to Marques' arrest.
Not only were web sites impacted, but according to InformationWeek:
"The outage appeared to take numerous hidden Tor services offline, including the HackBB forums and the anonymous Tor Mail service."
In short, anyone accessing Freedom Hosting servers was not anonymous if they were using anything other than the latest, patched, version of TBB.  It is not clear to me if users of the other affected TOR services were compromised.  It should also be noted that this was not a 0 day exploit, a bug had been opened in June with Mozilla (the organization which develops Firefox) against the vulnerability which allowed this exploit to occur.  According to Mozilla the bug has been fixed and a new version of Firefox ESR has been released.  The TOR project did release a rather interesting statement related to this issue, when it said yesterday (August 4):
We're investigating these bugs and will fix them if we can.
Whether this means that the TOR team has more to do to fix this exploit is unclear to me.

In the interest of full disclosure about this exploit, according to Wired.com:

“The attackers pent [sic] a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” says Tsrklevich, who reverse-engineered the Magneto code.

The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.

In short, Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.

But plenty of questions remain. For one, now that there’s a sample of the code, will anti-virus companies start detecting it?

Before anyone goes on a tear about Wired's speculation, imagine what would happen if the person writing the malware was not writing code which was not the "embodiment of a carefully crafted court order".  In short, you'd be seriously hosed.  Secondly, I would hope that we all can agree that catching people who traffic in or consume child pornography is the right thing to do.

So what are the takeaways from this?

  • There is no shortcut to protecting yourself on the internet.  If anyone actually reads this, and there are comments which recommend solutions - don't just start using them, do some research first!
  • Understand the technology you are introducing into your lives - whether it's TOR, a cell phone or a smart tv.
  • If you do decide to use TOR to access the secret sites it hosts, do your best to make sure you understand the organization hosting the site.  Since everything is anonymous I have no idea how you would do that.
  • Keep your anti-virus definitions up to date and make sure you are protected by a firewall
  • Keep the applications on your computer up to date too
  • It can't be stressed enough, do your research!

Originally posted to Hey338Too on Mon Aug 05, 2013 at 03:41 PM PDT.

Also republished by SciTech, House of LIGHTS, Anonymous Dkos, and Community Spotlight.

EMAIL TO A FRIEND X
Your Email has been sent.
You must add at least one tag to this diary before publishing it.

Add keywords that describe this diary. Separate multiple keywords with commas.
Tagging tips - Search For Tags - Browse For Tags

?

More Tagging tips:

A tag is a way to search for this diary. If someone is searching for "Barack Obama," is this a diary they'd be trying to find?

Use a person's full name, without any title. Senator Obama may become President Obama, and Michelle Obama might run for office.

If your diary covers an election or elected official, use election tags, which are generally the state abbreviation followed by the office. CA-01 is the first district House seat. CA-Sen covers both senate races. NY-GOV covers the New York governor's race.

Tags do not compound: that is, "education reform" is a completely different tag from "education". A tag like "reform" alone is probably not meaningful.

Consider if one or more of these tags fits your diary: Civil Rights, Community, Congress, Culture, Economy, Education, Elections, Energy, Environment, Health Care, International, Labor, Law, Media, Meta, National Security, Science, Transportation, or White House. If your diary is specific to a state, consider adding the state (California, Texas, etc). Keep in mind, though, that there are many wonderful and important diaries that don't fit in any of these tags. Don't worry if yours doesn't.

You can add a private note to this diary when hotlisting it:
Are you sure you want to remove this diary from your hotlist?
Are you sure you want to remove your recommendation? You can only recommend a diary once, so you will not be able to re-recommend it afterwards.
Rescue this diary, and add a note:
Are you sure you want to remove this diary from Rescue?
Choose where to republish this diary. The diary will be added to the queue for that group. Publish it from the queue to make it appear.

You must be a member of a group to use this feature.

Add a quick update to your diary without changing the diary itself:
Are you sure you want to remove this diary?
(The diary will be removed from the site and returned to your drafts for further editing.)
(The diary will be removed.)
Are you sure you want to save these changes to the published diary?

Comment Preferences

  •  I think people forget that terrorism isn't the (12+ / 0-)

    ..only issue on Law enforcement also uses the same techniques and the NSA can play a role. That said, it is disconcerting the exploit used to carry this out. At the same time, I will never cry that a facilitator of child sexual abuse got busted.

    We really have to be careful that "freedom" doesn't=freedom to abuse children and "privacy" doesn't=the right to abuse children without interference from the government.

    Clearly those who use Tor should have updated software as well as an awareness of potential vulnerabilities.

    The politicians may be bought, and the system corrupt, but it is our duty to fix these things.

    by sebastianguy99 on Mon Aug 05, 2013 at 03:55:36 PM PDT

    •  Before I read those articles... (7+ / 0-)

      ... I thought that TOR was just an "anonymizer", I had no idea about the site hosting aspects.  The awareness of potential vulnerabilities is truly the point behind this diary.

      "Look before you leap"

      Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

      by Hey338Too on Mon Aug 05, 2013 at 04:07:23 PM PDT

      [ Parent ]

      •  Yes, I read about the exit node vulnerability and (5+ / 0-)

        ..knew the feds were operating within the system. My impression is that while one is traveling around in the system, one is far less vulnerable. But when you exit the network by linking to a site on the outside, the point where you exit can be unsafe-or even operated by some law enforcement agency.

        I wish the network had more users, sites, and speed, but not everyone is comfortable using Tor in part because it seems that one has to be careful not to access a site with child porn. So if they can clean that horror up it might attract more users.

        The politicians may be bought, and the system corrupt, but it is our duty to fix these things.

        by sebastianguy99 on Mon Aug 05, 2013 at 04:20:58 PM PDT

        [ Parent ]

        •  The feds actually fund Tor development (3+ / 0-)
          Recommended by:
          codairem, terrypinder, kharma

          That is the funny thing...it's part of their open-society subversion of non-open societies.  So we have the US government to thank for whatever proliferation of nasty stuff is taking place.

          You know, I sometimes think if I could see, I'd be kicking a lot of ass. -Stevie Wonder at the Glastonbury Festival, 2010

          by Rich in PA on Mon Aug 05, 2013 at 06:06:42 PM PDT

          [ Parent ]

          •  Uh, no the feds do not make people hurt children (7+ / 0-)

            Sorry but child sexual abuse is not another opportunity to push anti-whatever agendas. The fault lies with the abusers and their customers. All of them need to be put away forever.

            It was not the government's fault when they transacted by the U.S. Postal Service and it isn't the government's fault for them using the internet.

            This is a sick compulsion and not another byproduct of government action.

            The politicians may be bought, and the system corrupt, but it is our duty to fix these things.

            by sebastianguy99 on Mon Aug 05, 2013 at 06:46:14 PM PDT

            [ Parent ]

            •  OK but at what point does that argument... (1+ / 0-)
              Recommended by:
              terrypinder

              ...start to sound like the gun manufacturers' argument?  

              You know, I sometimes think if I could see, I'd be kicking a lot of ass. -Stevie Wonder at the Glastonbury Festival, 2010

              by Rich in PA on Mon Aug 05, 2013 at 06:51:40 PM PDT

              [ Parent ]

              •  I don't know what you mean by that and I don't (4+ / 0-)

                ...care. Child sexual abuse is not the same as guns. The government isn't the NRA.

                There is no equivalence here when it comes to hurting children. This is a global issue and cannot be reduced down to another anti-government screed.

                Shame on you for trying use the issue of sexually exploited children to further an agenda that has nothing to do with preventing further exploitation. There was nothing in your comment that even spoke to the children's pain. You raised the issue solely as a platform to further some other gripe. Children cannot protect themselves but I guess it can all be trace back to whatever it is you are blaming the government for.

                Yuck. I'm done talking with you.

                The politicians may be bought, and the system corrupt, but it is our duty to fix these things.

                by sebastianguy99 on Mon Aug 05, 2013 at 07:13:07 PM PDT

                [ Parent ]

                •  Wow (5+ / 0-)

                  Way to miss the point.  

                  You sound like one of those people who want to ban EVERYTHING.  Why?  Because its to protect/save the children.  

                  All he is pointing out is that the government built and supports TOR.  Its own spies use the network to hide communications.  The same features that keep spies, whistleblowers, and activists anonymous, allow other less savory people to be anonymous as well.    

                  •  Yes, I want to ban child pornography I admit it. (2+ / 0-)
                    Recommended by:
                    Hey338Too, sturunner

                    I addressed no other issue other than hurt children. And talking about missing the point-I'm sure I made it clear that using the abuse of children to exploit other issues is NOT what I am about.

                    I am also quite confident that anyone who has read my comments would be quite clear that I abhor "do it for the children" when it has nothing to do with children. For example, I want to end the War on Drugs because I believe it harms children. I also believe consenting adults should be able to contract for sex, or use their bodies as they see fit so long as no children are hurt.

                    For the record, the diarist already pointed out who first started and developed the network. I use Tor and am quite aware, as my comments should have demonstrated.He went on to link Tor to child porn in a way that I felt shifted blame away from the abusers and their customers. His reply did nothing to suggest my initial impression was incorrect.

                    Child porn predates Tor and the internet so it is just silly and harmful to link government activity with abuse. We could end the internet and the government and these sick f**ks would still hunt kids. I'm no crusader. Far from it in fact, but I have zero tolerance when it comes to child predators and their customers. No apologies.

                    The politicians may be bought, and the system corrupt, but it is our duty to fix these things.

                    by sebastianguy99 on Mon Aug 05, 2013 at 11:00:03 PM PDT

                    [ Parent ]

                    •  As do I (1+ / 0-)
                      Recommended by:
                      happymisanthropy

                      and the vast majority of people in the US. It's a terrible crime that appears to have expanded since the advent of computers and internet access.

                      But it doesn't help your case to intimate that anyone who supports internet privacy is a fan of child pornography.  

                      "The international world is wondering what happened to America's great heart and soul." Helen Thomas

                      by Betty Pinson on Tue Aug 06, 2013 at 01:15:23 PM PDT

                      [ Parent ]

                    •  however... (0+ / 0-)

                      Like all, I am against all child trafficking and abuse.  But I am reminded of the differences between the right and left; the left realizes some people will game the system, but the people it helps outweighs the cost of getting rid of it to stop people from gaming it. The right thinks that because people game the system, the system has to go away.

                      People can take advantage of freedoms. That is why we have laws. Casting the net wider and wider to get all the people breaking the law is what has given us all the well publicized government intrusions on our life. You can't ever cast the net wide enough to catch all the people who will take advantage of the freedom to do something. I can drive a tanker all around our lakes district. It's not until I start dumping something in the water or pulling water out of the lake that I am breaking the law. Do we stop every tanker from coming within 100 yards of water to prevent that?

                      The legs of the crane have become short in the summer rain. Buson

                      by Travelin Man on Tue Aug 06, 2013 at 02:05:38 PM PDT

                      [ Parent ]

                      •  Sorry,this isn't philosophical or political for me (2+ / 0-)
                        Recommended by:
                        Hey338Too, sturunner

                        This is not some abstract concept.This is about how do we stop this global network of abusing children? And as I said in my first comment, I will never define "freedom", or "privacy" in such a way as to allow for the exploitation of children.

                        I am perfectly capable of reconciling the need to repeal the Patriot Act with the need to protect children from predators. In my mind, we are nowhere near close to overreaching in pursuing and prosecuting these people.

                        I never thought my comment would be so offensive or hard for people to take:Abusers are responsible for abusing their victims, not the government. Abusers do not enjoy any right found in the concept of liberty to abuse children and sell their abuse as product.

                        I'm done defending those simple principles as if they are implicitly an invitation to "intrude" on anyone's "freedom".

                        The politicians may be bought, and the system corrupt, but it is our duty to fix these things.

                        by sebastianguy99 on Tue Aug 06, 2013 at 03:02:13 PM PDT

                        [ Parent ]

                •  I understand your point, (1+ / 0-)
                  Recommended by:
                  wilderness voice

                  but you're painting this guy with a pretty broad brush and bordering on the ad hominem with your response to him. I know this is an emotional issue, but you may want to take a little step back here.

              •  I would distinguish it (1+ / 0-)
                Recommended by:
                Hey338Too

                just like cars are distinguished from guns.  One is very useful and can kill if misused.  The purpose of the other is primarily to kill.

    •  sounds like a test of TOR it may have failed (0+ / 0-)

      if a system like TOR is working correctly, people using it to do anything (including exchanging pics of naked children) are not being discovered.  if they ARE being discovered, then TOR isn't working. it's that simple.  obviously the NSA or the Iranians will just substitute dissidents or "drug dealers" for child porn afficianados, and there you have it.

    •  Let's also keep in mind (2+ / 0-)
      Recommended by:
      Hey338Too, radical simplicity

      That not everyone wishing to have internet privacy is engaged in immoral or criminal activity.  It's painting with a broad brush to assume anyone who uses TOR or similar services fits that description.  

      As good Democrats it goes without saying we should advocate for privacy protection for the vast majority of the population - non-criminal individuals.  

      "The international world is wondering what happened to America's great heart and soul." Helen Thomas

      by Betty Pinson on Tue Aug 06, 2013 at 01:09:55 PM PDT

      [ Parent ]

  •  Takeaways : more importantly, segregate. (12+ / 0-)

    Keep things apart. Always.

    I'm pretty stunned to learn that the same browser would let a user access both TOR and normal servers. That's completely daft to do that.

    It has nothing do with computer security dark, magic or anything. It's basic security.

    Even I, as vaguely informed as I am on computer security, I know that one basic feature of any security architecture is to KEEP THINGS APART, strictly compartmentalized, isolated from each other.

    You don't need to know anything about computer security to know that.

    You only need to read a John Le Carre novel.

    I deal in facts. My friends are few but fast.

    by Farugia on Mon Aug 05, 2013 at 04:04:26 PM PDT

  •  Thanks for the diary. n/t (7+ / 0-)

    "Stay close to the candles....the staircase can be treacherous" (-8.38,-8.51)

    by JNEREBEL on Mon Aug 05, 2013 at 04:12:08 PM PDT

  •  I prefer using TAILS for anonymous browsing (13+ / 0-)

    The Amnesic Incognito Live System

    It is a bootable live operating system which has built in security enhancements.  When you are finished, you reboot and leave no traces on your computer.

    Of course, nothing is perfect.  Here is the Warning from the TAILS site.

    TAILS Warning

    Even though we're doing our best to offer you good tools to protect your privacy while using a computer, there is no magic or perfect solution to such a complex problem. Understanding well the limits of such tools is a crucial step in, first, deciding whether Tails is the right tool for you, and second, helping you making a good use of it.
  •  Hope you don't mind a repost to SciTech (8+ / 0-)

    Tip'd & Rec'd & Repost'd

  •  Good advice. (7+ / 0-)

    Really good advice. That's why I like this site. Thanks for the diary.

    I would tip you, but the man took away my tips.

    by Tortmaster on Mon Aug 05, 2013 at 05:10:06 PM PDT

  •  oops (1+ / 0-)
    Recommended by:
    Hey338Too

    makes me glad i didn't buy that TOR Raspberry Pi for my wxstation router.

  •  "Understand the technology you are introducing... (10+ / 0-)

    ...into your lives."  That would stop me at radio, which I more or less understand and have a ham radio license to prove it.  But I wouldn't get to TV, and certainly not to computers!  I don't find this too alarming, since I don't understand how medicine works.

    You know, I sometimes think if I could see, I'd be kicking a lot of ass. -Stevie Wonder at the Glastonbury Festival, 2010

    by Rich in PA on Mon Aug 05, 2013 at 06:00:09 PM PDT

    •  I'm beginning to wonder about TV too... (6+ / 0-)

      ... the link in my diary describes a bug (patched for Samsung TVs) which allowed the camera in the TV to be hacked.  It also allowed the browser (along with your credentials) in the TV to be commandeered as well.

      As for the cell phone link above, it document how the phone carriers patched a bug which allowed a hacker to grab data off of your SIM card.  The SIM bug was patched using a known vulnerability in the Java version running on the phone, you think they patched the Java version on their way out?

      Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

      by Hey338Too on Mon Aug 05, 2013 at 06:30:29 PM PDT

      [ Parent ]

    •  The Web is broken. (4+ / 0-)
      Recommended by:
      Hey338Too, WakeUpNeo, semiot, Dirtandiron

      A fundamental principle of computer security is to keep code and data separate.

      Web scripting fails this test.  There is no sane reason for the ubiquity of the "active" web.

      -7.75 -4.67

      "Freedom's just another word for nothing left to lose."

      There are no Christians in foxholes.

      by Odysseus on Mon Aug 05, 2013 at 06:36:47 PM PDT

      [ Parent ]

      •  At the very least a TOR user should be running (5+ / 0-)
        Recommended by:
        Hey338Too, rja, antirove, Odysseus, Miggles

        NoScript, or have scripting disabled entirely.

      •  Security vs. Usability (2+ / 0-)
        Recommended by:
        Hey338Too, wilderness voice

        Begging to differ, there is always a trade-off between security and usability of a system.  If a security system is so complex that it defeats people's ability to use it, they will use it incorrectly, or cut corners in such a way that the security system will not work correctly, or at all.

        I've been using SSL and related technologies almost as long as they've been available, and it's impressive how very difficult the early software was to use, or frankly, to even understand.  Even large corporations in the software industry made very, very serious errors that could potentially compromise the security of users.  It's gotten better, but still, keeping your data secure on the net is still hard to do right, even if you are ostensively an "expert" in technology.

        I don't think that the dynamic web is innately insecure, especially since well designed web software like browsers can enforce a variety of protocols and systems to secure your data.  I'm not going to say it's easy -- keeping up with exploits is a frackin' war.  But I wouldn't make blanket statements about technologies like DOM and AJAX that have done a great deal to make the web more flexible, and easier for people to use.

        Quote of the week: "They call themselves bipartisan because they're able to buy members of both parties," (R. Eskow, Campaign for America's Future.)

        by mbayrob on Mon Aug 05, 2013 at 08:27:07 PM PDT

        [ Parent ]

        •  Yes, and the fact that browsers recompile (1+ / 0-)
          Recommended by:
          Hey338Too

          javascript to native machine code doesn't help with security much either.  Exploiting dynamic recompilation to run arbitrary code seems like it would be relatively easy.  Yes, that means your SNES/GBA/DS games that you downloaded from that rom site could have malware added to in them.

          You have watched Faux News, now lose 2d10 SAN.

          by Throw The Bums Out on Mon Aug 05, 2013 at 09:18:56 PM PDT

          [ Parent ]

          •  Link? (1+ / 0-)
            Recommended by:
            Hey338Too

            I was unaware that current implementations do that.  In fact, I'm  not sure they do; they don't need to.  You have a link concerning any current implementations (e.g., V8) that in fact do that?

            Quote of the week: "They call themselves bipartisan because they're able to buy members of both parties," (R. Eskow, Campaign for America's Future.)

            by mbayrob on Mon Aug 05, 2013 at 10:52:31 PM PDT

            [ Parent ]

            •  Check the Wikipedia page for the V8 javascript (3+ / 0-)
              Recommended by:
              Odysseus, Hey338Too, wilderness voice

              engine.  As you can plainly see it says (bolding done by me).

              V8 compiles JavaScript to native machine code (IA-32, x86-64, ARM, or MIPS CPUs)[3][6] before executing it, instead of more traditional techniques such as executing bytecode or interpreting it. The compiled code is additionally optimized (and re-optimized) dynamically at runtime, based on heuristics of the code's execution profile. Optimization techniques used include inlining, elision of expensive runtime properties, and inline caching, among many others.

              You have watched Faux News, now lose 2d10 SAN.

              by Throw The Bums Out on Mon Aug 05, 2013 at 11:37:33 PM PDT

              [ Parent ]

      •  You could go further than that. (1+ / 0-)
        Recommended by:
        wilderness voice

        Under that paradigm, virtually any object-oriented programming is broken.

        I'll believe corporations are people when one comes home from Afghanistan in a body bag.

        by mojo11 on Tue Aug 06, 2013 at 06:15:49 AM PDT

        [ Parent ]

  •  You can hardly blame TOR for porn (10+ / 0-)

    That's like blaming a car maker for someone's hit-and-run.

    None are so hopelessly enslaved, as those who falsely believe they are free. The truth has been kept from the depth of their minds by masters who rule them with lies. -Johann von Goethe

    by gjohnsit on Mon Aug 05, 2013 at 08:28:24 PM PDT

    •  I was always vaguely interested in TOR (1+ / 0-)
      Recommended by:
      Hey338Too

      but never really had a reason to get around to using it.  With recent coverage about it, I read something that left me doubly skittish about ever doing so.  If I recall, it seemed like it uses your computer as part of a large peer to peer network to bounce other users' traffic around as well.  If that's the case, it seemed to me that other people could be bouncing illegal materials through your computer.  And even if law enforcement maybe couldn't trace such materials back all the way to the original source, what if they traced it as far as your computer.  

      You could simply be using TOR for some non-nefarious purpose, and end up looking like a purveyor or distributor of such materials, sort of like the people with open wireless networks who were being used by child porn distribution in a case that hit the news a year or two back.  (A case that was a really good reminder as to the dangers of leaving your wifi nodes unencrypted.)

    •  The pornographers are insidious (2+ / 0-)
      Recommended by:
      Hey338Too, carlos the jackal

      The child pornographers were running inside/underneath Wikipedia. They were running the links. Further, they had a lot of fun with illustrations. (One of my issues was getting WP to use line drawings instead of photographs of a boy friend's penis or girl friend's bits. I lost. The age skew of participants there doomed any appeal to reason. Consequently, the child pornographers used 'innocent' pictures of naked children for illustration and keyed to links. This is an issue of the past. It was cleaned up years ago.)

      They are constantly looking for exploits, constantly pushing. What was that old porn site in Holland? ALS scans? Back in the days of Usenet, it would send out locally consensual but otherwise pedophilic pictures? Anyway, the site still exists, but no longer flirting with the creeps.

      Nazis and child pornographers are a constant evil on the Internet, a constant . . . virus of exploits.

      Everyone's innocent of some crime.

      by The Geogre on Tue Aug 06, 2013 at 07:03:08 AM PDT

      [ Parent ]

  •  I'm a little confused about this now (2+ / 0-)
    Recommended by:
    Hey338Too, wilderness voice

    I understood this exploit--where the average overly-cautious end-user is concerned--only affected users of Mozilla 17. Did I mis-understand?

    (If so, where did I go wrong? :-))
     

    This all started with "what the Republicans did to language".

    by lunachickie on Mon Aug 05, 2013 at 08:34:17 PM PDT

    •  If the user was using the TOR browser... (2+ / 0-)
      Recommended by:
      wilderness voice, Dirtandiron

      ... (TBB), and the browser wasn't the latest (fixed) version, when the user went to a secret site hosted by Freedom Hosting, she or he was probably compromised by this exploit.  It sounds like the servers were down as of Sunday and the exploit was installed sometime in the middle of last week.  So in essence you were right :-)

      Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

      by Hey338Too on Mon Aug 05, 2013 at 08:43:38 PM PDT

      [ Parent ]

    •  In read the ars technica article... (0+ / 0-)

      ... referenced by TarHeelDem below, it appears that the exploit was specific to the Windows version of the Tor Browser.

      Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

      by Hey338Too on Mon Aug 05, 2013 at 08:58:13 PM PDT

      [ Parent ]

  •  Latest news at Ars Technica (9+ / 0-)

    ...suggests that the exploit called back to an SAIC/NSA IP address block.  Security analysts are still trying to confirm who owns that set of iP addresses.

    Apparently it exploted a hole in Firefox that Firefox recently closed but because Tor does not push updates to users, some users had not updated.

    Some are reading it as a signal from NSA to not think you can gain privacy by using Tor.  Others are waiting for more definitive facts.

    What it was was an offensive cyberattack, something that the United States DoD says it considers an act of war and reserves the right to use nuclear weapons in response.    If it did originate from NSA or its contractor SAIC, that is a very serious matter legally.  Not that rule of law seems to affect NSA and its contractors anymore.

    50 states, 210 media market, 435 Congressional Districts, 3080 counties, 192,480 precincts

    by TarheelDem on Mon Aug 05, 2013 at 08:34:23 PM PDT

    •  Sort of funny (2+ / 0-)
      Recommended by:
      Just Bob, radical simplicity

      Did the NSA hack the DOD?

      •  NSA is a DoD agency (2+ / 0-)
        Recommended by:
        MHB, wilderness voice

        SAIC in this case is US contractor for information technology with the government being its almost exclusive client.

        TOR in this case is not the cybercommand operation but a private anonymizing service that is IIRC based in Ireland.

        But the thought of NSA/FBI (they are joined at the hip on surveillance now it seems) finding child porn on DoD servers, especially highly "secret" DoD servers is an amusing thought.  I wonder if they've ever looked.

        50 states, 210 media market, 435 Congressional Districts, 3080 counties, 192,480 precincts

        by TarheelDem on Tue Aug 06, 2013 at 06:03:32 AM PDT

        [ Parent ]

        •  I know that say on Fort Rucker (1+ / 0-)
          Recommended by:
          Hey338Too

          They are constantly looking for anyone on the network using porn via government equipment.  Immediate big problems for you if discovered.  Are elements within the Fort Rucker network using TOR?  Don't know but I recently read someone within the DOD bragging about the brilliance of TOR, where even criminal activity is giving the military a place to hide some of its hacking and surveillance in the stream.

          •  It seems that (2+ / 0-)
            Recommended by:
            wilderness voice, rja

            ...that is precisely what happened in this case.  DoD/NSA used a vulnerability in Tor to do surveillance.  Wonder if the original tip came out of military investigation.

            You make an excellent point.

            Tor itself is just an anonymized secure ISP and browser in concept.  In and of itself it is no more a criminal activity than Verizon Business Systems is a criminal activity.  Verizon however provides (under compulsion of US law) a backdoor to NSA/FBI.  Tor, which operates outside the US, does not; the NSA/FBI then looked for vulnerabilities to make their own backdoor.

            50 states, 210 media market, 435 Congressional Districts, 3080 counties, 192,480 precincts

            by TarheelDem on Tue Aug 06, 2013 at 07:40:31 AM PDT

            [ Parent ]

    •  I agree with the first part of your post... (1+ / 0-)
      Recommended by:
      Dirtandiron

      ... As for the last paragraph, I would contend that the "attack" was designed to determine who was accessing the children's pornography from those servers.  Granted there may have been other sites hosting other types of content on those servers.  But if the NSA or the FBI wants to fight a war on children's pornography, I'll support that.

      By the same token, since the servers are essentially hidden, there's no way to know if they were physically located in the US (maybe the FBI knew?).  I haven't read any information which specifically states where the servers were located.

      Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

      by Hey338Too on Mon Aug 05, 2013 at 08:56:32 PM PDT

      [ Parent ]

      •  Child porn has gotten like drug possession (3+ / 0-)
        Recommended by:
        semiot, Tinfoil Hat, rja

        ...in internet police/national security cases.  Just publicizing it as a reason makes all laws seem to go away.  And all further watching of the case.

        If child porn was actually involved instead of being a convenient cover story like "Terror, Terror, Terror", we will likely see wholesale arrests of those actually using the site for child porn, will we not?   Including the rich and famous, will we not?  Seems to me that that should happen fairly quickly if it happens at all.

        Until then, my assumption is that the "child porn" justification is an NSA/FBI ruse to deflect criticism just as for the moment I'm assuming  the purported terrorist information that shut down 21 embassies and consulates is an NSA ruse to distract the public from the NSA bulk collection of records during the Congressional August recess when members of Congress might otherwise be hearing outraged constituents.

        I'm quite willing to change my mind when further evidence comes in.

        50 states, 210 media market, 435 Congressional Districts, 3080 counties, 192,480 precincts

        by TarheelDem on Tue Aug 06, 2013 at 05:58:09 AM PDT

        [ Parent ]

    •  a signal from NSA ... (2+ / 0-)
      Recommended by:
      Hey338Too, Eyesbright

      My first thought on reading in the diary that TOR allows for anonymous or hidden web site hosting (I too thought that it was merely an anonymizer) was that any system that purportedly permits hidden anonymous web hosting has to have the same effect on NSA as a red flag supposedly does to a bull.

      Say what you will about the NSA, but they have a lot of very clever people with access to a lot of very powerful computers.  If they decide to focus their attention on something, I wouldn't bet on its remaning anonymous or hidden for very long.

      We must drive the special interests out of politics.… There can be no effective control of corporations while their political activity remains. To put an end to it will neither be a short not an easy task, but it can be done. -- Teddy Roosevelt

      by NoMoJoe on Tue Aug 06, 2013 at 05:00:03 PM PDT

      [ Parent ]

  •  Republished to House of LIGHTS. (1+ / 0-)
    Recommended by:
    Hey338Too

    Thanks for excellent diary, dear Hey338Too.

    I Follow you now.

  •  It requires a high level of attention and (6+ / 0-)

    education in order to try to pull off real anonymous computing.  

    I can't do it.  For one, I'm stuck with Windows, because I enjoy Sims and Far Cry too much and don't like the idea of switchin OS's just to browse.

    Second, I need my cookies.  Too many of the sites I browse require them.  If I were a real anonymity-freak, I'd just avoid such sites, but I'm too lazy to think about it.

    But what people like us CAN do -- and it's what I'm thinking about -- is try to participate in some kind of anonymizing cloud for the benefit of other people who ARE trying to better secure their own Internet usage.  There are things like Freenet and maybe Tor's Cloud that move in this direction.  The idea is this:

    I can run a small server on my system that it takes little time to set up.  I don't have to monitor it.  The server takes a little bit of my bandwidth and shares it with other people in the cloud, encrypting and decrypting their IP requests and forwarding them on to some other node in the same cloud.  The person using the Internet this way (not you, the server) will sacrifice some performance hit in return for being masked behind a shifting antigen of many different portals, each communicating small amounts of encrypting info with each other.  

    The result is, hopefully, to make it EASIER for other people to communicate anonymously by allowing them to piggyback off of a little of your computer when you're not using it.  

    If you really, really hate the NSA and what they are doing, it might sound like a worthy goal.  Flip them the bird.

    I'd like to know more about this, and to know what's the most useful way for me to volunteer some bandwidth this way.  There seem to be a diversity of ideas out there.

    •  To be anonymous you might use a computer (3+ / 0-)
      Recommended by:
      MHB, Hey338Too, carlos the jackal

      that you made yourself, with software that you wrote yourself, connected wireless to a cloud server from someplace mobile you don't intend to return to, that you trash when you are done with each brief session that is completely separate from anything else you do.

      It can't connect to anything that requires you to register or log on, it still gives off its IP, can be packet sniffed, pinged, trace routed and otherwise hacked, infected and traced in under a minute , but you don't care cause you toss it like a cellphone.

      Live Free or Die --- Investigate, Incarcerate

      by rktect on Tue Aug 06, 2013 at 05:00:56 AM PDT

      [ Parent ]

      •  Hmmmm (1+ / 0-)
        Recommended by:
        Hey338Too

        'toss it like a cellphone'.

        Most cellphones are computers these days, albeit limited in their abilities in various ways.  So I'm not sure you'd have to build it and write the software yourself.  Simply buy them anonymously and destroy them after use, connecting only through carelessly unencrypted networks.

        •  you would need to cover the purchase and sale (1+ / 0-)
          Recommended by:
          Hey338Too

          of every component you acquired to make your connection so getting rid of the stamped in identifiers in mass produced parts takes some thought. I'm thinking off the grid Bob's photovoltaic junkyard or other collectors of obsolete dead computers from anonymous sources; but wondering beyond the MAC address what the cellphone equivalents of a VIN are.

          Live Free or Die --- Investigate, Incarcerate

          by rktect on Tue Aug 06, 2013 at 05:41:26 AM PDT

          [ Parent ]

  •  Further details on the Tor attack... (8+ / 0-)

    Courtesy Darker Net:

    The JavaScript code’s payload analyzed by reverse engineering and exploit developer Vlad Tsyrklevich, who reveals that it briefly connects to a server and sends the hostname and MAC address of the victim. “Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname gethostname) and the MAC address of the local host (via calling SendARP on gethostbyname gethostbyname ->h_addr_list). After that it cleans up the state and appears to deliberately crash.”
    For those of you who may be unfamiliar with MAC addresses, they are commonly referred to as "hardware addresses."  They are unique to each device; in most cases, they are 'burned into' the network card (or wireless card) during the manufacturing process.  In most cases, they cannot be modified.

    What this means is that this malware reported to a server at SAIC (a big-time DoD/NSA contractor) and reported:

    * your IP address (as the Internet sees it)
    * the local name of your machine (how it knows itself)
    * the MAC address of the network card in your machine
    * the date/time of the contact

    For a typical home users (i.e. DSL or cable modem),  your IP address can change, depending upon how your ISP operates (I note that the IP address of my DSL connection changes every 10-14 days), but the MAC address of your PC does NOT change.  So, this malware basically reported every device, by name and unique MAC address, that launched a compromised version of Tor.

    This is a nasty bit of business, especially since a GeoIP lookup against an IP address can narrow its physical location to a particular geographic area.  For instance, a GeoIP lookup against my current IP address yields an answer within 40 miles of my house.  (If you want to see this in action, point your browser to freegeoip.net.)

    Now, consider that date/time + IP address + GeoIP narrow your location down to a particular ISP in a particular city for the purposes of examining the ISP's logs (as in "Hey, who had IP address 97.42.232.14 at 9pm on August 4th?"), and that the MAC address will tie your activity to a specific device, whatever it may be.

    If you're using a mobile device or laptop with Tor, this malware would report in every time you launched Tor - thus building a list of the network services you frequent.  For instance, what if you used Tor from your local library's free wifi...and Starbucks the next day...and your local McDonald's the next...plus, of course, your home and/or school network.  Bingo - within a few days, SAIC has a nice little map of where you've been, because the unique MAC address of your device ties together all the different IP addresses you've used around town...

    Nasty.

    The word "parent" is supposed to be a VERB, people...

    by wesmorgan1 on Mon Aug 05, 2013 at 10:00:34 PM PDT

    •  It sounds like the exploit was on the server... (0+ / 0-)

      ... side and did it's business when you hit a "page" on the server.  So I don't think it would report on you every time you launched Tor, it would report on you every time you tried to access a page on the Freedom Hosting servers.  Also, I don't know how wide ranging the use of the script was.  Apparently Freedom Hosting also support TorMail, I don't know if that was affected or if it was only the pornographic sites hosted by the company.

      I didn't get the sense that the exploit stayed resident from browser session to browser session, did you?

      Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

      by Hey338Too on Mon Aug 05, 2013 at 10:13:39 PM PDT

      [ Parent ]

      •  Right, but here's the thing... (0+ / 0-)

        Freedom Hosting is home to quite a few Tor relays; in fact, it's considered the largest single service provider to Tor relays.

        1) Given how Tor operates (using multiple Tor relays in each session), there's a fairly high statistical probability that you'll hit a relay hosted by Freedom in any Tor session of significant duration.

        2) The Hacker News reported that the malware used the JavaScript expoit to "implant a cookie".   I haven't seen the code in question (and I was under the impression that Tor was cookie-hostile anyway), but putting that information in a cookie opens the door to retrieval from any number of sites.

        If both of these conclusions are accurate, then the likelihood of "building a map" from successive Tor sessions seems rather high.  All you'd have to do is sort the server-side logs by MAC address.  That's the first thing popped into my head as I read the article.

        The word "parent" is supposed to be a VERB, people...

        by wesmorgan1 on Tue Aug 06, 2013 at 08:08:13 AM PDT

        [ Parent ]

        •  I'm not sure if the cookie is... (0+ / 0-)

          ... persistent or not.  According to that article and others, the code also:

          cleans up the state and appears to deliberately crash
          Another thing to note is that Freedom Hosting is now down.  So that call home function is no longer effective in that manner (unless other services on Tor are using the same exploit).

          Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

          by Hey338Too on Tue Aug 06, 2013 at 08:23:14 AM PDT

          [ Parent ]

    •  [Sig line] No, it isn't. Just because every noun (0+ / 0-)

      in English can be verbed doesn't mean we SHOULD.

      •  With respect, check the etymology. (2+ / 0-)
        Recommended by:
        Hey338Too, carlos the jackal

        The English "parent" was derived from the Latin parens, whch was derived, in turn, from the Latin verb parere, "to give birth to, to spawn, to produce".  Even in Latin, the verb came first.

        The first English use of "parent" as a verb was in the 1600s, according to Merriam-Webster. Oxford Dictionaries agrees, tracing its use as a verb--"to be or act as a mother or father to"--to the mid-17th century.

        Yes, I enjoy language.  **grin**

        The word "parent" is supposed to be a VERB, people...

        by wesmorgan1 on Tue Aug 06, 2013 at 08:24:42 AM PDT

        [ Parent ]

        •  Tx for the explanation. I'm hopelessly in love (1+ / 0-)
          Recommended by:
          Hey338Too

          with the English language, and take it personally when people can't understand things like its vs. it's. I read an annoying book where the author kept verbing nouns: "He'd been Hiroshima'd, [this]'d, [that]'d," etc. Oy.

    •  MAC address spoofing and host name randomization (1+ / 0-)
      Recommended by:
      Hey338Too

      there are programs for that, for example, MadMAC from Irongeek (freeware, works on Windows 7 at least): http://www.irongeek.com/...

      if you try it, write down your original MAC address and computer name just so you can go back if you have problems, and/or maybe try it on a virtual machine at first.

      another similar software that i've seen (but not tried) is Change MAC Address by Lizard Systems, which is a commercial product.

      for linux i've seen scripts or threads describing how to do MAC address spoofing, but they were a bit too complicated for me as I'm mostly a Windows user.

      •  Many home routers have the capability (1+ / 0-)
        Recommended by:
        Hey338Too

        to spoof MAC addresses.  

        Typically, this facility was used in situations where ISPs (mostly cable providers) tied your connection to the MAC address of the first computer to connect.  So, if you connected directly to the cable modem with your computer, you couldn't then buy a router, connect it to the modem, and share your connection among your various devices.

        I don't believe that cable ISPs behave that way anymore, but the MAC cloning ability is still around.

        We must drive the special interests out of politics.… There can be no effective control of corporations while their political activity remains. To put an end to it will neither be a short not an easy task, but it can be done. -- Teddy Roosevelt

        by NoMoJoe on Tue Aug 06, 2013 at 05:08:36 PM PDT

        [ Parent ]

  •  There is another reason to think twice (5+ / 0-)

    According to NSA, using TOR or strong encryption of attached documents is reason enough to get you watch-listed regardless of being a US citizen on US soil corresponding to others of the same.

    So unless there is some special reason to use TOR, it's probably better left alone.

    On the other hand, if you just want to run the NSA on a goose-chase for the fun of it and are OK being listed, have at it.

    400ppm : what about my daughter's future?

    by koNko on Tue Aug 06, 2013 at 03:36:46 AM PDT

    •  Indeed. (4+ / 0-)

      Encryption software turns you into a haplass lab rat for the NSA's experiments and lets them throw the Constitution out the window.

      The Information Week article referenced in that Diary specifically mentions TOR .

      •  Actually, I read about it first (3+ / 0-)
        Recommended by:
        rja, Dartagnan, Hey338Too

        In the Ars Technica article you linked in your diary.  I have posted that in several comment here, people need to understand some of these measure only raise red flags.

        BTW, my Ars handle (and just about everywhere else but here) is Xiao-zhi. So you can probably read my crappy comments in some of the NSA, Stuxnet and Flame related blogs there, I am sort of an interested party.

        It's interesting to note the US played kind of a clever game with Chinese using TOR. The US promoted TOR to Chinese Netizens as "Freedom Pie" to bypass the Green Dam and set-up TOR sites specifically targeted for Chinese users including subsidizing the "Free Gate" site popular in China 3-5 years ago.

        But what it did with those sites and others, is to plant malware including loggers onto Chinese and other computers. When this became known to Chinese users (not the connection to NSA but the fact Free Gate dropped malware) we abandoned it pretty quickly.

        Now this recent article connects the dots directly from the NSA to the Firefox Java exploits of a few months ago.

        Holy crap, they are really out of control. And this.

        From the tactical viewpoint, all that is pretty clever, but from the ethical viewpoint it really sucks worse than the overt internet blocking done by the Chinese government.

        Name your poison, I guess.

        400ppm : what about my daughter's future?

        by koNko on Tue Aug 06, 2013 at 10:21:20 AM PDT

        [ Parent ]

    •  they watching everyone anyway (1+ / 0-)
      Recommended by:
      Hey338Too

      so big difference.

      imo, in today's world it's prudent to encrypt and anonymize as much as is still practical for you given the inconveniences involved.

  •  Good, sound advice, Hey338Too. (3+ / 0-)

    You can never take too many precautions before installing programs to your computer.  

    Thanks for this public service diary ;-)

    As we express our gratitude, we must never forget that the highest appreciation is not to utter words, but to live by them. John F. Kennedy

    by JaxDem on Tue Aug 06, 2013 at 04:11:45 AM PDT

  •  With the processing power at the NSA's disposal (2+ / 0-)
    Recommended by:
    Hey338Too, happymisanthropy

    You're fooling yourself if you think you can escape monitoring or detection.  All you can do is delay monitoring, much as a lock doesn't prevent a criminal, it just delays them and raises the cost of attacking the locked location.

    Can't break the encryption today? OK, the NSA will just scoop up ALL the traffic and store it until they have a machine that can break the encryption.

    That which can be decrypted can be hacked. Your only recourse is to go dark and avoid any transmission technology when you're doing something that you don't want the government to find out about.

    "Don't be defeatist, dear. It's very middle class." - Violet Crawley

    by nightsweat on Tue Aug 06, 2013 at 07:19:21 AM PDT

  •  @Hey338Too (1+ / 0-)
    Recommended by:
    rhutcheson

    Please read this Ars Technica article: Researchers say Tor-targeted malware phoned home to NSA

    The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested.
    I think the child-porn angle is being used to distract from the real issue: the NSA hijacking privacy services.

    "What could BPossibly go wrong??" -RLMiller "God is just pretend." - eru

    by nosleep4u on Tue Aug 06, 2013 at 07:36:28 AM PDT

    •  The hosting service which was used... (1+ / 0-)
      Recommended by:
      wilderness voice

      ... to inject the malware was a known supplier of child pornography on Tor.  While there were other services which were discontinued due to the shut down of the Freedom Hosting servers, it is not clear that users of anything other than the children's pornography sites were targeted by this exploit.

      Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

      by Hey338Too on Tue Aug 06, 2013 at 08:07:28 AM PDT

      [ Parent ]

      •  DOH! (1+ / 0-)
        Recommended by:
        Hey338Too

        Didn't notice this reply was up till after I posted my own. C'est la vie, eh?

        The particular piece of malware was targeted, as far as we know, at this site. The problem is it's now in the wild, and if they can do it to a child porn peddler, why not others?
        I'll shed no tears for these people, but the broader question of the applicability of the exploit code is cause for concern enough to update.

        Nicht durch Zorn, sondern durch Lachen tödtet man. ~Nietzsche

        by somewierdguy on Tue Aug 06, 2013 at 09:39:28 AM PDT

        [ Parent ]

        •  This particular exploit has been fixed... (0+ / 0-)

          ... in the Firefox version used for Tor and for the "production" versions of Firefox used elsewhere.  The only people who are vulnerable now are the ones that don't update their browsers.  Also it appears that this vulnerability was specific to Windows users.

          Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

          by Hey338Too on Tue Aug 06, 2013 at 09:43:57 AM PDT

          [ Parent ]

  •  Just to point out (4+ / 0-)
    Recommended by:
    Hey338Too, rja, rhutcheson, Larsstephens

    TL:DR Version: This was put out by, apparently, the NSA and affected people who were several versions behind in their firefox updates.

    This was not a "small time" piece of work that was done. This was a sophisticated piece of javascript written by experts, experts who apparently hard coded the IP that the system was to report back too...an IP that belongs to an address block permanently assigned to the NSA.

    http://arstechnica.com/...

    Shocking I know. The bigger problem is it's not wild so everyone, regardless of their child porn sniffing ways, should be updating.

    The whole attack vector is aimed at a specific unpatched version of firefox, not tor itself, which affected people who were not updating regularly when a new version came out.
    Which, of course, goes along with "take security patched updates seriously." The bug hadn't been fixed "in a new version" but had been fixed in several new versions that came out since then, from various quality ranging from alpha (think prototype) to stable (think..er....stable). So the ones this hit were the people who were just not willing to update for whatever reason, be it laziness or ..well whatever.

    The problem of people like terrorists and child pornographers and bankers and such using technologies like this is of concern, but law enforcement have other solutions to catch them since their nature is social, just like yours. It's hardly a mark against a piece of technology that has such broad applications in helping the people trying to get information out and protect themselves at the same time. Hell the new york times runs a tor server (I think it's the times, I think they call it lockbox) for the purpose of anonymous tips being placed there by sources.

    Sadly, there is no silver bullet for privacy, tor alone will not protect you. Though, it does help, considerably. Personally I segregate actions I want kept private from actions I could care less if anyone sees. Reading redmeat.com? Lett'em watch. Reading Vogue well.....that I am kinda embarrassed about..

    Nicht durch Zorn, sondern durch Lachen tödtet man. ~Nietzsche

    by somewierdguy on Tue Aug 06, 2013 at 09:37:52 AM PDT

  •  My guess is that Jupiterbroadcasting.com (1+ / 0-)
    Recommended by:
    Hey338Too

    will be covering this TOR app in depth on their next "Unfilter" show (number 62) which should be available by Thursday 8/8/2013. This show lives for these sort of  stories. If you're technical in nature and want the complete techie story try these guy's site.

    http://www.jupiterbroadcasting.com/

    "WAR IS PEACE FREEDOM IS SLAVERY FOX NEWS IS JOURNALISM"

    by FakeNews on Tue Aug 06, 2013 at 10:18:40 AM PDT

  •  Personally.. (1+ / 0-)
    Recommended by:
    Hey338Too

    I always thought using sites like that flagged you like using a phone scrambler. I have no pretense that the gov can't unscramble anything I do through any network

    The legs of the crane have become short in the summer rain. Buson

    by Travelin Man on Tue Aug 06, 2013 at 02:07:48 PM PDT

  •  My problem with TOR is this... (1+ / 0-)
    Recommended by:
    Hey338Too

    You don't know who the anonymous servers are owned by.  For example...

    1. Your computer may pass through 10 servers before it reaches its destination.

    2.  Its my understanding that at each server your data is UNENCRYPTED and then RE-ENCRYPTED.  Sent on its merry way.

    3.  So in step 1, your data can be unencrypted up to 10 times.

    4.  So who is looking at your data when its unencrypted those 10 times?

    Here is my solution.  I have several computers.  One of those computers is used for surfing the net and doing other stuff I probably shouldn't be doing.  I also use a hotspot to do this.

    I keep absolutely nothing on this computer.  All I have is a browser on it.

    •  Good idea (1+ / 0-)
      Recommended by:
      Hey338Too

      My primary concerns are someone hacking personal financial and other information for identity theft and client files containing private medical information.

      I may just keep those files on a jump drive to plug in as needed.

      Otherwise, I don't think hackers are interested in my dozens of files with my ancestors photos, census records, etc.  

      "The international world is wondering what happened to America's great heart and soul." Helen Thomas

      by Betty Pinson on Tue Aug 06, 2013 at 04:58:10 PM PDT

      [ Parent ]

  •  TOR is completely compromised, (1+ / 0-)
    Recommended by:
    Hey338Too

    and all your data are belong to the partnership of FBI,NSA,CIA, and USA Inc., a wholly owned subsidiary of BP,Exxon,Raytheon, B of A, Wells Fargo and Halliburton et al.
    (IMHO, of course.) Hushmail sold out, TORmail is done.
    http://www.twitlonger.com/...

    I see some people saying that TOR being compromised is hyperbole and nothing has happened directly to TOR other than the FH issue. Correct me if i am wrong "because i know i am not".

    Granted Feds are responsible for FH and all the FH hosted domains being down, but when there is a malicious script on each and every one of those pages that completely NEGATES what TOR was originally intended for "your privacy and freedom" and not only reveals who you are to less than trust worthy people is this not an epidemic?

    This is a bit of a different animal than stripping some one's SSH over TOR. This is full blown government breach of privacy. We must live in completely different realities if this wouldn't be considered being compromised.

    But then again, i can see how Americans would be too used to this by now to be able to tell the difference.

    Thanks for posting this. Best advice ever: "do some research first" !!

    I got some bad news Monday (my mother passed away) and so had a draft of this story and now it shall remain a draft. Good information (not good news) spreads fast these days.
    Some more good information Here( http://pastebin.com/...  ) and Here ( http://pastebin.com/... ) .


    Q: “Quis custodiet ipsos custodes?” A: “Anonymous”

    by Lisa Lockwood on Wed Aug 07, 2013 at 08:17:14 AM PDT

    •  Thank you... (1+ / 0-)
      Recommended by:
      Lisa Lockwood

      ... Those links you provided are pure gold.  I hope you reconsider and post your diary (or some variant of it).  Your information deserves more consideration than to be relegated to a later post in an older diary.  When you feel up to it, I sincerely hope that you feel moved to share your knowledge.

      I am truly sorry for your loss, I hope you and your family are doing well under these difficult circumstances.

      Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

      by Hey338Too on Wed Aug 07, 2013 at 03:18:03 PM PDT

      [ Parent ]

      •  Thank you for your kind thoughts. (1+ / 0-)
        Recommended by:
        Hey338Too

        I just lack the fire to write anything atm.
        Maybe in a few days. Meanwhile, please feel free to post something yourself if you can create a diary from those links as a PSA.


        Q: “Quis custodiet ipsos custodes?” A: “Anonymous”

        by Lisa Lockwood on Wed Aug 07, 2013 at 07:02:05 PM PDT

        [ Parent ]

        •  We are on the Daily Kos... (1+ / 0-)
          Recommended by:
          Lisa Lockwood

          ... which means someone is going to say something silly about "the only real way to protect yourself from the government", and you will be ready to breathe a little life into the breathless hyperbole with your (I'm sure) excellent diary supported by your excellent reference material.  It's time will come.

          As for me, my next opus will be centered on a bluetooth hackable toilet in Japan! Not nearly as weighty as TOR, but I think the comments section could be pure gold (assuming anyone reads the diary) :-)  

          On a personal note: If you read the article, and you had a chance to think about the implications of merging technology and toilets (what could go wrong, right?), I hope it produced a little smile during this stressful time for you.

          Looking through the bent backed tulips, To see how the other half lives, Looking through a glass onion - John Lennon and Paul McCartney

          by Hey338Too on Wed Aug 07, 2013 at 10:10:19 PM PDT

          [ Parent ]

Subscribe or Donate to support Daily Kos.

Click here for the mobile view of the site