Re: [Cryptography] Are Tor hidden services really hidden?
"Also keep in mind that there are no confirmed on the record cases to date of a Tor 'break/weakness' having been used to find a user. It appears to be only user error."

One of the perdurable claims of comsec promoters is that comsec breaks and weaknesses inevitably turn out to be user errors. Exactly who the fictitious user is remains obscure but assuredly means somebody other than the comsec promoter user who inevitably offers a greatly improved product, trust them.

Tor is especially adept at blaming users, itself faultless except for lack of volunteers to patch its innumerable holes (caused by clueless users), so much so one might think that is a feature derived from the religion of national security (actually that is its source and shows its heritage of exculpability) which inevitably fails due to lack of funding, political will, public support, unwillingness of youngsters to die for officer careers, that is customers must suffer for company profits.

Has there been a better account of inevitable exculpability for inevitable comsec failure than that by NSA in 1998?

http://www.nsa.gov/research/_files/publications/inevitability.pdf

Still hope continues -- thanks to Edward Snowden and his legions of inevitable comsec failure promoters:

Cyber Security Market Forecast 2014-2024: Prospects For Leading Companies in Military, Government, Critical Infrastructure & Private Sector Protection

Defence report

Cyber attacks continue to dominate the headlines, and with good reason. While the threat of cyber security is often exaggerated, there is no doubt that the enhanced networking of society has created substantial vulnerabilities lurking within its interconnected pathways. With attackers able to strike from anywhere and inflict damage on a significant (but often unnoticed) scale, the threat has never been greater to the reams of knowledge held by governments and enterprise.

There is also the threat to military information sharing networks representing a significant challenge: in an era of increased integration between systems and platforms, the very webs which act as force multipliers could collapse. Efforts to counter these extensive vulnerabilities are presently ongoing to an impressive degree, and the speed of these developments is not expected to lessen unduly. As a consequence, visiongain has assessed that the value of the global Cyber Security market in 2014 will reach $76.68bn.

Why you should buy Cyber Security Market Forecast 2014-2024: Prospects For Leading Companies in Military, Government, Critical Infrastructure & Private Sector Protection
On Friday, 7 March 2014 14:31:58, John Young wrote:
"Also keep in mind that there are no confirmed on the record cases to date of a Tor 'break/weakness' having been used to find a user. It appears to be only user error."
One of the perdurable claims of comsec promoters is that comsec breaks and weaknesses inevitably turn out to be user errors. Exactly who the fictitious user is remains obscure but assuredly means somebody other than the comsec promoter user who inevitably offers a greatly improved product, trust them.
Tor is especially adept at blaming users, itself faultless except for lack of volunteers to patch its innumerable holes
Would you care to elaborate on the innumerable holes of TOR, please? -- Regards, rysiek
John Young wrote:
"Also keep in mind that there are no confirmed on the record cases to date of a Tor 'break/weakness' having been used to find a user. It appears to be only user error."
One of the perdurable claims of comsec promoters is that comsec breaks and weaknesses inevitably turn out to be user errors. Exactly who the fictitious user is remains obscure but assuredly means somebody other than the comsec promoter user who inevitably offers a greatly improved product, trust them.
If your hidden service isn't a clusterfuck of unpatched Apache and sketchy PHP scripts, then it's not likely to get taken down or located. If you're a terrible webmaster, you're obviously running a huge risk with running a website, even if it is a hidden service. Tor isn't magic. It can't magically make a terrible website awesome. It just adds additional security -- it can't be the *entire* security plan. ~Griffin
If your hidden service isn't a clusterfuck of unpatched Apache and sketchy PHP scripts, then it's not likely to get taken down or located.
I agree with your meaning, but not your conclusion. Sketchy PHP and idiot sysadmins (and methylenedioxypyrovalerone) are certainly the primary reason for the recent rash of high profile 0wnage which has been going on lately, that doesn't mean that avoiding those problems will cover your ass in any way. Given enough time, your hidden service can be deanonymized, as shown here: http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf As I stated in a previous thread, I think the key is likely to be to a) redundancy and b) constant movement. R
On Fri, Mar 7, 2014 at 7:39 PM, Rich Jones <rich@openwatch.net> wrote:
Given enough time, your hidden service can be deanonymized
As I stated in a previous thread, I think the key is likely to be to a) redundancy and b) constant movement.
c) Don't get too big, too complicated, or too fancy. Keep your pages or your apps or your web services tightly focused, and not integrated with anything that can be stripped out. If you have multiple services, separate them logically if not physically, and do not provide the convenience feature of automatically logging a user into a second if they log into a first. Don't bring in outside JavaScript or stylesheets or images that you can avoid. This is not specific to hidden TOR services, or to the blacknet, or to selling drugs by mail. -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209
On Friday, 7 March 2014 20:10:53, Steve Furlong wrote:
On Fri, Mar 7, 2014 at 7:39 PM, Rich Jones <rich@openwatch.net> wrote:
Given enough time, your hidden service can be deanonymized
As I stated in a previous thread, I think the key is likely to be to a) redundancy and b) constant movement.
c) Don't get too big, too complicated, or too fancy. Keep your pages or your apps or your web services tightly focused, and not integrated with anything that can be stripped out. If you have multiple services, separate them logically if not physically, and do not provide the convenience feature of automatically logging a user into a second if they log into a first. Don't bring in outside JavaScript or stylesheets or images that you can avoid.
With just a few corner cases (but hey, who embeds YT videos on their site, srsly) ALL external JS/CSS/images/fonts/etc can be avoided. And should be avoided. You need to use a particular library or image resource? Keep these on your server and serve them from there. Can't legally do that? Find other media or libraries instead. Want to use Google Analytics? Why don't you have a seat over there. Over there.
This is not specific to hidden TOR services, or to the blacknet, or to selling drugs by mail.
Indeed. -- Regards, rysiek
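An audit check for the advice above about serving every script, stylesheet and image from your own server; this is an added example, not part of the thread. It covers the common tags plus CSS `url()` and `@import` inside `<style>` blocks, and the host names and sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that trigger a fetch on page load (common cases); <link> only for these rels.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src", "audio": "src",
               "video": "src", "source": "src", "object": "data", "link": "href"}
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)

class ExternalResourceFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.own_host = page_url, urlsplit(page_url).hostname
        self.in_style, self.findings = False, []

    def _check(self, where, ref):
        url = urlsplit(urljoin(self.page_url, ref.strip()))  # resolves relative and //host refs
        if url.scheme in ("http", "https") and url.hostname != self.own_host:
            self.findings.append((where, url.geturl()))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        rels = set((attrs.get("rel") or "").lower().split())
        name = FETCH_ATTRS.get(tag)
        if name and attrs.get(name) and (tag != "link" or rels & FETCHING_RELS):
            self._check(f"<{tag} {name}>", attrs[name])

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        for m in CSS_REF.finditer(data if self.in_style else ""):
            self._check("<style>", m.group(1) or m.group(2))

def find_external_resources(html, page_url):
    finder = ExternalResourceFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: three third-party fetches among local and non-fetching references.
SAMPLE_HTML = """<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.cdn.example/css?family=Sans">
<link rel="canonical" href="https://other.example/page">
<style>@import "local.css"; body { background: url('//img.cdn.example/bg.png'); }</style>
<script src="js/jquery.min.js"></script><script src="https://analytics.example/ga.js"></script>
<img src="data:image/png;base64,AAAA"><img src="http://myservice.example/logo.png">"""
if __name__ == "__main__":
    print(*find_external_resources(SAMPLE_HTML, "http://myservice.example/index.html"), sep="\n")
```

A `Content-Security-Policy: default-src 'self'` response header enforces the same rule in the browser for anything such a scan misses.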
participants (5)
- Griffin Boyce
- John Young
- Rich Jones
- rysiek
- Steve Furlong