The best way to run a hidden service: one or two computers?

Robert Ransom rransom.8774 at gmail.com
Sat Sep 18 02:41:34 UTC 2010


On Fri, 17 Sep 2010 16:36:16 -0400
hikki at Safe-mail.net wrote:

> Robert Ransom:
> 
> > Only if you trust the hardware firewall/router. I wouldn't.
> 
> Okay so there aren't that many safe options to run a hidden service really, 
> if any at all?

If your hidden service really needs to be annoying to find, run it:

* using only well-written, secure software,
* in a VM with no access to physical network hardware,
* on a (physical) computer with no non-hidden services of any kind
  running on it (so that an attacker can't use Dr. Murdoch's ‘Hot or
  Not’ clock-skew detection attack),
* and over a fast enough Internet connection that the adversary cannot
  easily determine your connection's speed.


The VM is optional *if* and *only if* an attacker cannot possibly get
root on your hidden service.  The physical computer with no non-hidden
services on it, and the fast Internet connection, are optional if you
do not need to keep your service hidden at all.

Using secure software to run your hidden service is absolutely
essential; if an attacker can get a list of files
in /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin, /usr/local/sbin,
and /command, and a list of directories in /usr/local and /opt, he
probably knows enough to identify the service's owner, and more
importantly, he knows enough to recognize another service owned by the
same person.  Your preferred Unix distribution, your favorite editors,
your favorite command-line utilities, etc. are not especially easy to
hide.  (For example, if you find a hidden service running Plan 9 or
Inferno, or with 9base or plan9port installed on it, you're going to
look at me first -- I'm on both the Tor mailing lists and
Plan-9-related mailing lists, and I don't think anyone else is at the
moment.)


The above precautions are probably enough, unless a three-letter agency
(or four-letter association) knows about your hidden service and wants
to find and ‘neutralize’ its operator.  In that case, you have to worry
about the near-global passive adversary and other threats that Tor
can't afford to defeat.


Another, safer, option is to keep your hidden service below the radar
entirely -- it's a lot harder for your adversaries to find something if
they don't know it exists.  I assume that's the approach that the US
Navy uses.


Robert Ransom
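
A self-audit for the software-fingerprint point in the message above, added here as an example and not part of Robert Ransom's message: it lists what someone with a file listing of those directories would see on your own host, and what remains once a stock-install baseline is subtracted. The function names and the sample baseline are assumptions for illustration.

```python
import os

# Directories named in the message: files are listed in BIN_DIRS,
# subdirectories in PKG_DIRS.
BIN_DIRS = ["bin", "usr/bin", "usr/local/bin", "sbin", "usr/sbin",
            "usr/local/sbin", "command"]
PKG_DIRS = ["usr/local", "opt"]


def inventory(root="/"):
    """Return the entries an intruder with a file listing would see."""
    found = set()
    for rel in BIN_DIRS + PKG_DIRS:
        try:
            entries = list(os.scandir(os.path.join(root, rel)))
        except OSError:  # directory missing or unreadable
            continue
        for entry in entries:
            is_dir = entry.is_dir(follow_symlinks=False)
            # PKG_DIRS contribute directories only, BIN_DIRS files only.
            if (rel in PKG_DIRS) == is_dir:
                found.add(f"/{rel}/{entry.name}")
    return found


def distinctive(inv, baseline):
    """Entries absent from a stock install: the identifying part."""
    return inv - baseline


def linkability(host_a, host_b, baseline):
    """Jaccard similarity of two hosts' distinctive entries, by file name."""
    a = {os.path.basename(p) for p in distinctive(host_a, baseline)}
    b = {os.path.basename(p) for p in distinctive(host_b, baseline)}
    return len(a & b) / len(a | b) if a | b else 0.0


# Constructed baseline (assumption): in practice, run inventory() on a
# fresh install of the same distribution and use that set.
SAMPLE_BASELINE = {"/bin/sh", "/usr/bin/vi", "/usr/local/bin"}

if __name__ == "__main__":
    for path in sorted(distinctive(inventory(), SAMPLE_BASELINE)):
        print(path)
```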

More information about the tor-talk mailing list