The best way to run a hidden service: one or two computers?

Robert Ransom rransom.8774 at gmail.com
Sun Sep 26 00:21:14 UTC 2010


On Sat, 25 Sep 2010 17:04:14 -0700
Mike Perry <mikeperry at fscked.org> wrote:

> Thus spake coderman (coderman at gmail.com):
> 
> > however, if an attacker has access to read this locally they've
> > already compromised you to a degree that random MAC affords no
> > protection...
> 
> Is this really true?

If you are running a hidden service, on a computer with no network
access except through Tor, no -- you might not be hosed just by an
attacker being able to run a shell command, but leaking an actual MAC
address from an actual NIC might get you tracked down.  (An attacker
with shell access can read your MAC address on Linux just by running
ifconfig, even as an ordinary user.)

>                      One of the things I've wondered about here is
> plugins, but since Torbutton disables them for other reasons I haven't
> really looked into it. For instance, I know Java can create a socket,
> and query the interface properties of that socket to get the interface
> IP. Why not MAC address? And if not Java, can one of flash,
> silverlight, pdf-javascript, or others do this? Already we have
> location features built in to the browser based on nearby Wifi MACs...
> 
> The Java trick to get the interface IP does not require special privs,
> so a randomized MAC would in fact help this scenario, if it were
> somehow possible.

I don't know whether browser plugins can be used to read a MAC address,
but if *they* can run a shell command like ifconfig, yes, you are in
real trouble.


Robert Ransom
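
Added example, not part of the original message: a host-side audit of what an ordinary user can read about each interface's MAC address on Linux, and whether that address is vendor-assigned or locally administered (set in software). The function names and sample addresses in the comments are constructed for illustration; the sysfs path is the standard world-readable one.

```python
import os

def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 in the first octet) is set, meaning the
    address was assigned in software rather than burned in by a vendor."""
    octets = mac.strip().split(":")
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bool(int(octets[0], 16) & 0x02)

def audit_interfaces(sysfs_net: str = "/sys/class/net"):
    """Return [(iface, mac, verdict)] using only files that any
    unprivileged local process can read."""
    results = []
    if not os.path.isdir(sysfs_net):       # not Linux, or sysfs not mounted
        return results
    for iface in sorted(os.listdir(sysfs_net)):
        try:
            with open(os.path.join(sysfs_net, iface, "address")) as fh:
                mac = fh.read().strip().lower()
        except OSError:
            continue                        # entry without an address file
        if mac in ("", "00:00:00:00:00:00"):
            verdict = "no-hardware-address"  # e.g. loopback, tun
        else:
            try:
                verdict = ("locally-administered"
                           if is_locally_administered(mac)
                           else "vendor-assigned")
            except ValueError:
                verdict = "not-ethernet"     # e.g. 20-byte InfiniBand address
        results.append((iface, mac, verdict))
    return results

if __name__ == "__main__":
    # Constructed sample of what a result looks like:
    #   eth0   00:1b:21:aa:bb:cc  vendor-assigned
    #   wlan0  d6:12:34:56:78:9a  locally-administered
    for iface, mac, verdict in audit_interfaces():
        print("%-12s %-20s %s" % (iface, mac or "-", verdict))
```

A "vendor-assigned" verdict means the real NIC address is exposed to any local process; "locally-administered" only shows the address was set in software, not that it is random or unlinkable.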