[tor-talk] Operating system updates / software installation behind Tor Transparent Proxy
torboxdev at yahoo.com
Fri Mar 2 15:55:36 UTC 2012
>I'm more worried about the risks to user anonymity. It sucks to be
>the user reading about some sensitive subject when your apt cron job
>decides to poke every package source you install from. “Oh, that guy
>who keeps reading about Foozer's Disease must be in the
>Antarctica/McMurdo time zone!”
This does not apply to TorBOX; the client OS is set to UTC.
>An operating-system installation which was set up without Tor, then
>stuck behind a Tor transparent proxy, receives location privacy from
>Tor. If the person who set up that system was careful to turn off all
>the automatic network operations that could otherwise make a system's
>traffic identifiable, the system could even be anonymous. You aren't
>likely to get there from a Debian or FreeBSD system without serious
>effort. I don't think it's possible at all with Windows.
The TorBOX Client VM is based on Ubuntu; in the default setup
there are no automatic network operations at all (at least that's what
monitoring the traffic told me). You are more familiar
with Debian. The TorBOX client is basically a minimal Debian server,
no automatic apt-get was set up, ntp was removed, no running servers.
I don't see what could want to initiate an outgoing network connection
without explicit consent and initiation by the user.
>sucks that ‘apt-get upgrade’ tells your exit node what Debian
>mirror you installed from and what updates you want to install. Sucks
>that the apt cron job told the exit node that you were reading about
>an embarrassing medical condition through what Debian mirror you
>installed from and what time zone your VM is set for.
We use the default US mirror. If the user manually updates, this
will indeed leak that she's using Ubuntu/probably TorBOX to exit nodes,
for a limited amount of time. This could be mitigated, but I don't see
that as a priority as it's infrequent and apart from kernel updates
the update process takes a minute or so.
As long as the default set of applications isn't changed this fingerprint
will be generic.
>If you couldn't bother to
>SOCKSify an application's source code properly, did you audit it for
>all the possible information leaks that could nuke what little
>anonymity you had left after the cron jobs?
The threat model of TorBOX is that an adversary has
unrestricted root access to the Client OS but must never learn
the IP of the user.
The generic Client VM image leaks (AFAIK) only one thing about the
host system: the CPU. The rest of the hardware is the same for all
users. Further, there is the local IP of 192.168.0.2, gateway at *.01;
the same for everyone. Anything else applications (or exploits) in the
VM could leak is data the user supplied - nothing we can do about if
>(I no longer think I'm capable of setting up an anonymous Debian
>system using a transparent proxy. Fortunately, I never got around to
>that back when I did think I was capable of it.)
I still think we just did and it was easy, way too easy. Please tell me
what I missed!
>> If someone were to promote an easy-to-use pre-configured anonymous
>> torified operating system
>>TAILS?
TAILS users don't receive timely security updates. I asked the devs
about this and they said debdelta update (for high risk applications at least)
within the live session would be welcome...
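
The settings discussed in this thread (client clock in UTC, no automatic apt runs, ntp removed) can be checked offline against a VM image's filesystem tree. The following is an added example, not part of the original post and not TorBOX's own code; `audit`, `build_sample` and the sample tree are hypothetical, and it assumes Debian/Ubuntu paths and the flat `APT::Periodic::` syntax.

```python
import re
import tempfile
from pathlib import Path

# APT::Periodic keys that make apt contact mirrors without user action
# (only the flat 'APT::Periodic::Key "value";' syntax is parsed here).
PERIODIC_RE = re.compile(
    r'APT::Periodic::(Update-Package-Lists|Download-Upgradeable-Packages'
    r'|Unattended-Upgrade)\s+"([^"]*)"\s*;')
# Paths whose presence indicates an installed time-sync daemon or client.
NTP_PATHS = ("usr/sbin/ntpd", "usr/sbin/ntpdate", "etc/init.d/ntp")

def audit(root):
    """Return findings for a Debian/Ubuntu filesystem tree rooted at `root`."""
    root, findings = Path(root), []
    tz_file = root / "etc/timezone"
    tz = tz_file.read_text().strip() if tz_file.exists() else "(missing)"
    if tz not in ("UTC", "Etc/UTC"):
        findings.append("timezone is %s, not UTC" % tz)
    conf_dir = root / "etc/apt/apt.conf.d"
    settings = {}
    # Files are read in name order so later ones override earlier ones, as apt does.
    for conf in sorted(conf_dir.iterdir()) if conf_dir.is_dir() else []:
        text = "\n".join(l.split("//")[0] for l in conf.read_text().splitlines())
        settings.update(PERIODIC_RE.findall(text))
    for key, value in sorted(settings.items()):
        if value not in ("", "0"):
            findings.append("APT::Periodic::%s is %s" % (key, value))
    for rel in NTP_PATHS:
        if (root / rel).exists():
            findings.append("time sync present: /" + rel)
    return findings

def build_sample(root, tz, periodic, ntp):
    """Constructed sample tree for the demo; not a real TorBOX image."""
    root = Path(root)
    (root / "etc/apt/apt.conf.d").mkdir(parents=True)
    (root / "etc/timezone").write_text(tz + "\n")
    (root / "etc/apt/apt.conf.d/10periodic").write_text(
        'APT::Periodic::Update-Package-Lists "%s";\n' % periodic)
    if ntp:
        (root / "usr/sbin").mkdir(parents=True)
        (root / "usr/sbin/ntpd").write_text("")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        leaky = build_sample(Path(tmp) / "vm", "Antarctica/McMurdo", "1", True)
        print("\n".join(audit(leaky)))
```

An empty result means none of these three sources of unprompted traffic or time zone disclosure was found in the tree; it says nothing about what individual applications send.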