[tor-talk] "If you have access to certain tools, you can completely ignore Tor."

Chris tmail299 at errtech.com
Mon Dec 19 02:36:46 UTC 2011


>
>>> From:
>>> http://www.wired.com/vanish/2009/09/interview-with-pi-steve-rambam-evan-can-be-found/
>>>
>>> Wired: How much can one do with IP addresses that have been run through
>>> Tor?
>>>
>>> SR: If you have access to certain tools, you can completely ignore Tor.
>>> You can trap your subject's IP address without wasting your time busting
>>> through Tor. Without revealing too many tricks, for example, it's easy
>>> enough to send someone an e-mail that broadcasts location info back to a
>>> server. Someone operating a trap website can grab Evan's cookies and see
>>> his entire browser history and his current IP address. With only a
>>> minimal amount of work, you can determine where Evan is viewing a
>>> website from.
>>>
>>> Does this make any sense?  I assume that what the PI means is that if
>>> you send an e-mail to a non-webmail client (like Thunderbird) which does
>>> not go via Tor, then the IP can be determined when it loads the 1x1 HTML
>>> pixel from the website.  However, if the victim uses webmail then surely
>>> all responses would go via Tor?
>>>
>>> Or does he mean something else?
>> This is exactly why users should be running through an account where
>> non-Tor traffic is blocked. Such attacks can't be performed as the
>> application either goes through Tor or does not get out to the Internet
>> at all.
>>
>> The problem right now is that the TBB makes it difficult to set it up
>> this way. Tor and the TBB (firefox, plug-ins, etc) need to be separate
>> pieces in order to have them run under different user accounts with
>> different levels of permissions.
>>
>> There also needs to be better commercial ties for Tails or any other
>> similar distribution so that users can easily resolve compatibility
>> issues.
>>
> It is quite easy to configure Thunderbird to run through tor using
> Vidalia, without leaking DNS requests either...then the "received from"
> IP address will be the exit node. (instructions here
> <https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail#SendingmailusingSMTPthenormalwayoverSSH>)
>
> It's a bit slower of course, but with SSL security, there's no reason
> why it wouldn't be just as secure (at least up to your web mail
> server)... once it's on the open Internet, it's free for all ;)
>

An incorrectly configured application should not leak anything. That is
why a distribution like Tails is needed where the applications are already
configured and it is harder to make these potentially dangerous changes.
There are way too many technical people who don't know what they are doing
making these configuration changes. The less technical users are making
really stupid choices too. I'm talking about downloading applications from
random sources (megadownload) and similar.
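The mitigation the earlier reply describes (a user account whose traffic either goes through Tor or is rejected, so a mail client loading a remote 1x1 pixel cannot reveal the real IP) written out as an added example. This is not code from the thread or from the Tor project. The names and ports are assumptions: Tor runs as "debian-tor" with SocksPort 9050, TransPort 9040 and DNSPort 5353 on 127.0.0.1, and the confined desktop account is "toruser".

```shell
#!/bin/sh
# Added example, not from the tor-talk thread: confine one desktop account
# so that its traffic either goes through Tor or is rejected.
# Assumed names/ports (adjust to your system): Tor runs as "debian-tor"
# with SocksPort 9050, TransPort 9040 and DNSPort 5353 on 127.0.0.1; the
# confined account is "toruser".
TOR_USER="${TOR_USER:-debian-tor}"
APP_USER="${APP_USER:-toruser}"
SOCKS_PORT="${SOCKS_PORT:-9050}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# torrc lines the firewall rules depend on: TransPort accepts the
# redirected TCP connections, DNSPort resolves names over Tor, and the
# Automap settings hand out placeholder addresses for .onion lookups.
torrc_fragment() {
    cat <<EOF
SocksPort 127.0.0.1:$SOCKS_PORT
TransPort 127.0.0.1:$TRANS_PORT
DNSPort 127.0.0.1:$DNS_PORT
AutomapHostsOnResolve 1
VirtualAddrNetworkIPv4 10.192.0.0/10
EOF
}

# Print the rules instead of applying them, so they can be reviewed first.
# Order matters: the Tor daemon itself is exempted before any redirect or
# reject rule, otherwise Tor's own connections would loop or be cut.
# For the confined user: DNS (udp/53) is redirected to DNSPort, new TCP
# connections to TransPort, loopback connections to Tor's own ports are
# allowed, and everything else (other UDP, ICMP, IPv6) is rejected.
rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_USER -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $APP_USER -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $APP_USER -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -m owner --uid-owner $APP_USER -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $APP_USER -o lo -d 127.0.0.1 -p tcp -m multiport --dports $SOCKS_PORT,$TRANS_PORT -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $APP_USER -o lo -d 127.0.0.1 -p udp --dport $DNS_PORT -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $APP_USER -j REJECT --reject-with icmp-port-unreachable
ip6tables -A OUTPUT -m owner --uid-owner $APP_USER -j REJECT
EOF
}

# Sanity check: the confined user's default must be "no network at all",
# which shows up as a REJECT rule in both the IPv4 and the IPv6 table.
reject_rule_count() {
    rules | grep -c -- '-j REJECT'
}

# Apply the printed rules; needs root because iptables does.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: run as root" >&2
        return 1
    fi
    rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    torrc) torrc_fragment ;;
    *)     rules ;;
esac
```

Running the script with no argument prints the rules for review, `torrc` prints the lines to add to /etc/tor/torrc, and `apply` (as root) installs the rules. With these in place a Thunderbird started as toruser that loads a remote pixel either fetches it through Tor (the tracker sees an exit node) or gets a connection refused; the usual leak, a plain DNS lookup before any proxy is involved, is also caught because udp/53 is diverted to DNSPort and all other UDP is rejected. Applications that can speak SOCKS should still be pointed at 127.0.0.1:9050 directly; the transparent redirect is the safety net for everything that cannot.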
