how to use Tor securely (Re: Silk Road founder arrested ...)

Adam Back adam at cypherspace.org
Fri Oct 4 02:01:27 PDT 2013


But the jscript malware was installed via remote compromise onto the Tor
hidden web server.  Being behind Tor does not particularly add any
protection to your server, in terms of remote hacking.  Probably static
content is safer in general even if it doesn't make flashy cursor hover boxes
and client-side form pre-validation.  I.e. install and turn on NoScript - 99%
of jscript is of no particular use other than making your browser blink and
show animated ads ;)

Ideally you need Tor to be in a routing box, not your computer, so that there
is no way for your computer to connect to the non-Tor network, so your
computer doesn't even know its physical IP and has no power to disclose it.

Or, to simulate that setup in software, you need Tor on the main machine, and a
VM that has access to and knowledge only of the Tor network for connectivity.
Do not put ANY identifying information inside the VM.  That rules out VMware
because they leak in your disk serial number as a result of a Microsoft
lawsuit.  (Microsoft accused them of making it easy for people to share Windows
serial numbers, because the "is this the same machine" calculation based on
various HW serial numbers always comes up with the same answer in a virtual
machine at that level.) Similarly the VM must not know your physical network
card MAC addresses etc.

That's the way to do it properly on the client side.  There are Tor-focused
distros that let you boot into a Tor-only OS.  For my taste the Tor connection
and code and physical device identifiers (physical MAC addr, HD serial etc)
should be OUTSIDE of a VM and all client software should be inside the VM.
The VM should be open so you know they are not leaking physical MAC
addr/serial into the client in the name of copy-protection.  (It was
Microsoft's fault, not VMware).

Adam

On Fri, Oct 04, 2013 at 01:16:52AM -0700, Andy Isaacson wrote:
>On Wed, Oct 02, 2013 at 05:38:36PM -0700, Bill Stewart wrote:
>> At 12:37 PM 10/2/2013, Ted Smith wrote:
>> >The "slip" in this case is that the services were hacked.
>> >Tor (neither TOR, nor ToR) wasn't compromised.
>>
>> A surprising number of things *were* compromised,
>> not even counting the known FBI malware attacks on the Tor network.
>
>The FBI malware didn't attack the Tor network, it just caused vulnerable
>endpoints to connect (outside of Tor) to a tattle-tale network server.
>
>> If you read the indictment, there are a lot of email messages
>
>Not email, but rather, private messages on the Silk Road platform.
>Which apparently stored more or less all messages, forever.
>
>-andy
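
The message above says no physical identifier (MAC address, disk serial) should be visible inside the VM. The following is an added example, not part of the original email: a host-side check that searches text captured inside a guest for the host's identifiers in the formats they commonly appear in. `HOST_IDS`, the function names and all sample values are constructed for illustration.

```python
import re

def mac_variants(mac):
    """Common textual renderings of one MAC address, lowercased."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    quads = [digits[i:i + 4] for i in range(0, 12, 4)]
    return {":".join(pairs), "-".join(pairs), ".".join(quads), digits}

def find_leaks(host_ids, guest_dump):
    """Map each host identifier label to the guest-output lines containing it."""
    needles = {}
    for label, value in host_ids.items():
        value = value.strip().lower()
        if not value:
            continue  # an empty identifier would match every line
        needles[label] = mac_variants(value) if label.startswith("mac") else {value}
    leaks = {}
    for lineno, line in enumerate(guest_dump.splitlines(), 1):
        lowered = line.lower()
        for label, forms in needles.items():
            if any(form in lowered for form in forms):
                leaks.setdefault(label, []).append(lineno)
    return leaks

# Constructed sample data: identifiers collected on the physical host ...
HOST_IDS = {"mac_eth0": "00:00:5E:00:53:2A", "disk_serial": "EXAMPLE-SN-0001"}

# ... and constructed text captured inside two guests (link, udev and DMI output).
CLEAN_GUEST = """\
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
ID_SERIAL_SHORT=QM00001
"""
LEAKY_GUEST = """\
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500
    link/ether 00:00:5e:00:53:2a brd ff:ff:ff:ff:ff:ff
ID_SERIAL_SHORT=EXAMPLE-SN-0001
system-uuid: 12345678-0000-0000-0000-00005E00532A
"""

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN_GUEST), ("leaky", LEAKY_GUEST)):
        print(name, find_leaks(HOST_IDS, dump) or "no host identifiers visible")
```

The fourth line of the leaky sample is the case a plain `grep` for the colon-separated MAC would miss: the same twelve hex digits embedded without separators in another field.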


