Torpark and security

nosnoops at fastmail.fm
Sat Feb 18 21:11:50 UTC 2006


Hi or-talkers! 

I'm a fresh user of Torpark 1.5.0.1 (only as an end user, 
not running a Tor server) and have a few issues here. 
First I must admit that I'm not some "computer guru", 
so perhaps my questions seem foolish to IT experts. 
Also, excuse my pretty bad English. 

My platform is Win XP with F-Secure firewall, antivirus and 
antispyware (freshly updated) with the settings at level 
"High", and the portable Firefox (that is in the Torpark 
package) now configured to no JavaScript. However, 
Torpark is not installed on some external thing, but in 
its own folder on my machine's C:\ drive. 

When running F-Secure's Internet Shield packet log 
while staying connected with Tor, it shows some 
strange details. 

One thing is that some ARP protocol is going between my 
real IP number and a similar IP number (maybe the IP of 
my ADSL ISP, doing some normal things). Below that, in 
the log list, my real IP number:port number is to be seen 
doing TCP protocol with a different IP number:port number 
(probably a Tor entry node). 

Another thing (and now the strange part begins, I think) is 
that when I select a logged row of outgoing traffic to examine 
it in the detail frame at the log viewer's bottom, it 
shows that my network card's MAC address is transmitted 
out every time something goes from my IP number. Not only 
with ARP to the ISP, but also in the TCP outgoings to the Tor 
entry node. I don't know if it stops there, but anyway it seems 
somehow insecure that the MAC address is being transmitted, 
regardless of whether it stops at the Tor entry node and doesn't reach 
the exit node. The log detail viewer looks as below. For 
security reasons I don't write its content, only the frame 
around it. The MAC address begins under 06 in plain 
text (before and after are other pairs), but under Ascii there is 
only random garbage when connected to Tor. 

Offset 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f Ascii
0000                     (here is MAC addr) 
0010
0020
0030
...

The next thing I'm concerned about is whether maybe the Tor tunnel 
effect also works as a "pipeline" for hackers or malware 
attacks from the Tor exit node's IP number to be transmitted 
all the way into my computer, bypassing my F-Secure firewall 
because I've given the Torpark Firefox access through it and, 
since it is encrypted in between, the firewall doesn't take notice? 
Hopefully the antivirus/antispyware still detects if some stuff 
comes in, but perhaps some "clean" hacker-style tampering 
with my computer's content is going on undetected? What's made me 
concerned about this is that every now and then the 
ADSL modem indicator lights flash a lot of the time (more 
than before) but not correlated to the firewall's alert log 
of blocked intrusion attempts, and even when the browser is 
idle. Also some more hard drive rattling is to be heard than 
before. As far as I know, I've disabled every auto-update 
in every program on my computer. On the network adapter only 
"QoS Packet Scheduler" and "Internet Protocol [TCP/IP]" are 
enabled (no "File and Printer Sharing" or "Client for Microsoft 
Networks"), and a bunch of risky services I've also disabled. 
Maybe you know if that is natural behavior for Tor/Torpark? 

Finally, a couple of external concerns. Is there any possibility 
that a hostile ISP, who has already decided to look specially at some 
particular users, may set up a kind of "simulated URL trap" that 
makes the user believe it is connecting to Tor (or whatever else 
the user wants to connect to) and serves the user an "image" of 
the supposed Tor server or website? 

One step further, on the Tor entry node, is there a possibility 
that somebody running the entry node makes some mods to the 
Tor entry node software in a way that allows separation of the 
incoming secure connection from the outgoing one to the next Tor server, 
and inserts there a tapping of the data in unencrypted form, 
some sort of MITM "insider" attack? 

And of course the whole thing relies on how safe and uncrackable 
the encryption itself is. Some people maybe know how to decrypt 
it, at least if they are in the right business. Just a guess. 


-- 
  
  nosnoops at fastmail.fm

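The "Offset 00 01 .. 0f Ascii" layout quoted in the post is the usual way a packet logger displays a raw Ethernet frame: bytes 0-5 are the destination MAC, bytes 6-11 the source MAC (hence "under 06"), bytes 12-13 the EtherType, and the IP packet only starts at byte 14. That 14-byte link-layer header exists only for the hop to the next Ethernet device (the ADSL modem/router), which strips it and writes its own; the IP/TCP packet that travels on toward the Tor entry node carries no copy of the MAC. The "random garbage" in the Ascii column is simply what TLS-encrypted payload looks like. The following Python parser is an added example, not part of the original post or of Torpark/F-Secure; it reads a dump in that layout and reports which bytes are link-layer header and which are the forwarded IP packet. The frame is constructed here with made-up addresses (locally administered MACs, a private source IP, an RFC 5737 documentation destination IP, and port 9001, the ORPort commonly used by Tor relays).

```python
import re
import struct

# Constructed sample frame in the same layout as the F-Secure packet log
# (offset column, 16 hex pairs, Ascii column). Addresses are made up.
SAMPLE_DUMP = """\
Offset 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f Ascii
0000   02 00 00 00 00 aa 02 00 00 00 00 01 08 00 45 00 ..............E.
0010   00 28 1c 46 40 00 80 06 00 00 c0 a8 01 0a c6 33 .(.F@..........3
0020   64 05 c3 50 23 29 00 00 00 01 00 00 00 00 50 02 d..P#)........P.
0030   ff ff 00 00 00 00                               ......
"""

# A dump line: 4-hex-digit offset, then 1..16 hex pairs each followed by
# whitespace. The Ascii column is never consumed because its characters
# are not whitespace-separated hex pairs (full lines stop at 16 anyway).
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s+){1,16})")

ETH_HEADER_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6


def parse_hexdump(text: str) -> bytes:
    """Return the raw bytes of a packet-log dump in the Offset/00..0f/Ascii layout."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # the "Offset ..." header or a blank line
        data.extend(bytes.fromhex(m.group(2)))  # fromhex ignores whitespace
    return bytes(data)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into its link-layer header and (if IPv4/TCP) its IP fields."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst_mac": mac_str(frame[0:6]),        # bytes 0-5
        "src_mac": mac_str(frame[6:12]),       # bytes 6-11: "under 06" in the log
        "src_mac_offset": 6,
        "ethertype": ethertype,
        "link_header_len": ETH_HEADER_LEN,     # rewritten by every router hop
    }
    if ethertype == ETHERTYPE_ARP:
        info["arp"] = True                     # ARP never leaves the local link
    elif ethertype == ETHERTYPE_IPV4 and len(frame) >= ETH_HEADER_LEN + 20:
        ip = frame[ETH_HEADER_LEN:]
        if ip[0] >> 4 != 4:
            raise ValueError("EtherType says IPv4 but version nibble disagrees")
        ihl = (ip[0] & 0x0F) * 4               # header length in bytes
        info["src_ip"] = ".".join(str(b) for b in ip[12:16])
        info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
        info["protocol"] = ip[9]
        if ip[9] == IPPROTO_TCP and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            info["src_port"], info["dst_port"] = sport, dport
    return info


def forwarded_payload(frame: bytes) -> bytes:
    """The part of the frame that continues past the first router: the IP packet, header excluded."""
    return frame[ETH_HEADER_LEN:]


def mac_in_forwarded_part(frame: bytes) -> bool:
    """True only if the source MAC bytes also occur inside the IP packet (normally they do not)."""
    return frame[6:12] in forwarded_payload(frame)


if __name__ == "__main__":
    frame = parse_hexdump(SAMPLE_DUMP)
    for key, value in decode_frame(frame).items():
        print(f"{key:>16}: {value}")
    print(f"source MAC copied into IP packet: {mac_in_forwarded_part(frame)}")
```

Run against a real dump, the same parser shows the MAC at offset 6 for ARP and TCP alike, because both are carried in Ethernet frames on the local link; the IP source address, not the MAC, is what the remote end of the TCP connection sees.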


