[tor-talk] Fwd: Re: leak through Antivirus Webscanner possible?
regrowth
regrowth at tormail.net
Mon Jan 30 01:46:54 UTC 2012
Disclaimer: I have worked for a well-known AV company as a virus analyst
for some time, and quit due to "corporate-ish culture". (BTW they had
nearly intelligence-agency-level physical security and procedures, but
still managed to use 6-char passwords on a few accounts in practice.)
>> Do you think legit Antivirus software may compromise anonymity? Any
>> known examples yet?
> I don't have a definitive answer, but here are my proto-thoughts,
> likely yes. This answer is based on support calls and tickets. It seems
> most anti-virus/anti-malware providers include some software that
> intercepts and/or replaces 'localhost'. Their software generally does
> one of two things:
[snip]
True. Specifically, AV software employs various OS hooks to inspect
traffic (meaning it is *very* likely it will leak identifying
information). Webscanners will be limited, but proxying traffic through
them will enable profiling.
While having decent AV software on Windows is generally a good thing,
it will interfere with privacy. The Tails live CD, or using WinUSB to
create a "live Windows", would most likely be a better option.
> Over time, they get to learn a whole lot about your computer
> usage and build a fantastic profile of it. I've seen documents,
> executables, etc. sent to the 'cloud' too, scanned, and returned to the
> user. What they do with all of that data is unknown. My first thought
> when working with a user and ESET scanner was 'who needs spyware, you
> paid for your spying to boot'.
I can confirm that it's a real threat.
> The typical support call is when the user's A-V system prompts them
> with ''start-tor-browser.exe' is of unknown safety. Do you really want
> to run this?' It then repeats that question for tor.exe and
> vidalia.exe. It seems when you click on some link for 'unsafe' or
> 'check the cloud', you go to the vendor's website and by default opt in
> to upload the aforementioned data.
>
> If enough people tell the 'cloud' that the tor-related executables are
> safe, it crosses some threshold and all 'cloud subscribers' no longer
> get the warnings. However, every time there is a new tor release, the
> cycle of approval starts anew.
>
In theory, would Microsoft's code signing program help here? Cost
aside, would that benefit users?