Tor again

Via this thread on or-talk, I noted the following.

Amidst concerns that pedophiles are using public Tor (the Onion Router) servers to trade in child pornography, über-hacker HD Moore is building a tracking system capable of pinpointing specific workstations that searched for and downloaded sexual images and videos of kids.

Moore, the brains behind the Metasploit Project, has come up with a series of countermeasures that include using patched Tor servers and a decloaking engine to detect the exact location of a pedophile within an organization or residence.

The attack is a demonstration of how to compromise certain Tor users’ anonymity. HD Moore maliciously modifies data before it is passed into the Tor network in an attempt to get the victim’s web browser to bypass Tor once it receives that data out the other end of the Tor network. And, I imagine it would be trivial to modify the code to look for other search terms, or just target any Tor user that hits that node. Also, I am sure HD Moore could have just as easily used his malicious Tor node to inject payloads that exploit browser implementation flaws resulting in arbitrary code execution as well.

I have written about this sort of thing before.

Using modern web browsers in an anonymous manner is hard when someone is trying to penetrate that anonymity. All that scripting and dynamic content makes it even harder, as this example illustrates. And, given the vulnerabilities in web browsers that keep being discovered and actively exploited, the ability of an attacker to execute rogue code on an end-user’s machine simply by browsing a malicious web site seems like a given – in other words, no need for Java when you have document.getElementById().createTextRange() [e.g., 1, 2] (recently patched).

Also, it should be noted that this means of gathering an IP address is not an attack on Tor itself. The attack exploits tools being used outside of Tor, in particular a web browser with proxy support (somewhat) and enabled Java support – the end-user is not being protected by, or using, Tor and Privoxy, as their traffic is not being routed through these proxies on its way to the outside world. (Yeah right, crypto this?)

These attacks also illustrate honesty issues with Tor nodes that can impact the anonymity of the end Tor user, which I have commented on before.

While there is often logic thrown about that the larger the number of nodes in a mixnet, the stronger the anonymity, such logic often leaves out one key point, the honesty of the nodes. There is a reason remailer networks have traditionally been very small and (at least partially) maintained by some “trusted” nyms. Such honesty problems are not trivial to solve.

All that sounds bad, but I still think Tor is a good tool to use for general purpose anonymous browsing of the web with Firefox. Sure, it’s not perfect, but it works well enough when properly utilized – the majority of web sites you hit through Tor won’t know your real IP. I know I use it from time to time, on both Windows and FreeBSD machines. (As to attacks outside of those trying to compromise your Tor provided anonymity, well, I tend to think the risks of using Tor here are no greater than the normal risks you assume when you, say, use your computer to play on the Internet.)

The Windows Tor & Privoxy & Vidalia bundle itself includes all the tools necessary to easily get Firefox pumping its traffic through Tor with the click of a green onion button. Add in, say, NoScript, which is quite user friendly, and disable Java, JavaScript, and all plugins, and you are good to go against the attack HD Moore utilized. And, the people on the or-talk mailing list are more than willing to help with Tor related troubles.
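A client-side filter in the spirit of the "disable Java, JavaScript and plugins" advice, added here as an illustration and not Privoxy's filter nor anything from Decloak: it rewrites an HTML response before the browser renders it, dropping the elements and inline handlers a dishonest node could inject to make the browser open connections around Tor. The sample response is constructed.

```python
"""Strip active content (scripts, Java applets, plugins, inline handlers) from HTML
before a Tor-proxied browser renders it. Added example, not Privoxy's or Decloak's code."""
import html
from html.parser import HTMLParser

# Elements that can run code or open connections outside the browser's proxy
# settings (applet/object/embed) or script the page (script/iframe).
ACTIVE_TAGS = {"script", "applet", "object", "embed", "iframe"}

class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__()   # convert_charrefs=True by default: text arrives unescaped
        self.out, self.dropped, self.depth = [], [], 0   # depth>0: inside an active tag

    def _emit(self, text):
        if not self.depth:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:   # drop the element and everything nested in it
            self.dropped.append(tag)
            self.depth += 1
            return
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):   # onload=, onclick=, ... handlers
                self.dropped.append(f"{tag}@{name}")
            else:
                kept.append(f' {name}="{html.escape(value)}"' if value is not None else f" {name}")
        self._emit(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.depth = max(0, self.depth - 1)
        else:
            self._emit(f"</{tag}>")

    def handle_data(self, data):   # re-escape text the parser unescaped
        self._emit(html.escape(data, quote=False))

def strip_active_content(markup):
    """Return (cleaned markup, list of removed items) so removals can be logged."""
    p = ActiveContentStripper()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.dropped

# Constructed response: an applet and a handler injected on the exit path.
INJECTED = ('<html><body onload="go()"><p>Results &amp; more</p><applet code="B.class">'
            '<param name="k" value="v"></applet><script>go()</script></body></html>')
```

The `dropped` list is the part worth keeping an eye on: a page that suddenly sprouts applets or handlers on one exit path but not another is exactly the tampering described above.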

Anyway, I think this publicity is a good thing in terms of bettering the usability of Tor. These attacks have been well understood by technical users of Tor since the beginning, and this has lit a fire in the Tor community on how best to teach non-technical users to properly utilize Tor. With the flame burning, you have to love the ultra quick response time of the Tor team. For example,

> >The problem is if it isn’t right on the download page and translated
> >into most languages, people will just assume they are good to go
> >without bothering to read the FAQ until something breaks (as Jason
> >pointed out). I also fall into this category with most software (even
> >stuff I develop for ;) .
>
> Hear, hear!
>

Yes. Three cheers. I think this is a fine interim thing to do.

Which has already resulted in a warning being added to the Tor download page.

Warning

Tor by itself is NOT all you need to maintain your anonymity. There are several major pitfalls to watch out for.

As to HD Moore’s countermeasures, this post in or-talk should be noted.

As a survivor of childhood sexual abuse, I’m personally getting annoyed
by this whole “nab the paedophiles thing”, for several reasons:

1.) 90+ percent of sexual abuse of children happens from family members
or friends of the family.. so wasting huge resources on 10% while
blatantly (and blissfully) ignoring the 90%, does society a huge
disservice by focusing the public’s attention on the smallest part of
the problem and away from the real problems.

2.) I can almost guarantee that this guy’s “key words” would trigger on
abuse survivors talking in an online support group and I can’t even
begin to tell you how damaging it would be for an abuse survivor to have
to deal with being falsely accused of being a perp.

I say this a lot, and it fits here as well. Working in IT security means you have to be able to understand how an organization or system works – you build a big picture and then dig down into its parts. While my major interest at the moment is in gaining a better understanding of people, this, of course, also means understanding processes, policies, assets, technologies, etc. Without such an understanding, accurately assessing the risks to an organization or system, and then integrating effective and efficient security measures into that organization or system, is quite difficult or impossible.

Update: HD Moore’s Decloak.
