[tor-talk] "If you have access to certain tools, you can completely ignore Tor."

Andrew Lewman andrew at torproject.org
Tue Dec 20 04:44:15 UTC 2011

On Sun, 18 Dec 2011 23:33:13 +0000
Matthew R <magickrot at gmail.com> wrote:
> SR: If you have access to certain tools, you can completely ignore
> Tor. You can trap your subject’s IP address without wasting your time
> busting through Tor. Without revealing too many tricks, for example,
> it’s easy enough to send someone an e-mail that broadcasts location
> info back to a server. Someone operating a trap website can grab
> Evan’s cookies and see his entire browser history and his current IP
> address. With only a minimal amount of work, you can determine where
> Evan is viewing a website from.

This also requires the user not being very sophisticated. If you load
up html emails full of web-bugs, javascript, and your normal browser
pointed at Tor, then I believe most of what 'SR' says is correct. I
don't believe this is true for Tor Browser users, but I welcome
research and proof otherwise.  Also, we'll fix any leaks found.

If the 'wiretappers ball' has shown anything, there are plenty of
well-marketed solutions for surveilling and stalking unsuspecting
users. Ask them how well they work against even moderately
sophisticated users, like junior agents of foreign agencies, you'll get
a different answer and lots of weasel words.

I've seen these tools used by abusers against their victims as
well. If you can infect the operating system, such as carrier IQ,
keyloggers, software to 'know where your kid/spouse/dog are at all
times', and the like, you've won. Tor alone cannot protect you if your
operating system is compromised. Tails can help in these situations. If
your hardware is compromised, tails can still help, with caveats.

If you're trying to be anonymous with Tor while someone with an
automatic weapon is standing behind you, you've lost in many ways.

It's all about understanding and managing risks.

pgp 0x74ED336B

More information about the tor-talk mailing list