| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Jul 2005 15:59:35 -0500 From: S_Dorn/CIB@...KCIB.COM To: gandalf@...ital.net Cc: bugtraq@...urityfocus.com Subject: Re: Anonymous Anonymity - Request For Comments Why not encapsulate the data portion by encrypting it inside a jpeg file, or something like that? Trying to hide it inside HTML tags wouldn't be all that hard to detect by using a specialized proxy or firewall. Proxies already can filter out invalid html headers and line sizes, amongst other things. Not to mention the overhead you'd be creating with all the HTML tags in an effort to make it look like a standard web page. Considering the data itself could be used to determine the originator, (names, phone numbers, etc) you'll want to make sure that not only the transaction is anonymous, but the content is as well. Overall, quite an interesting concept. Stefan Dorn gandalf@...ital.net wrote on 07-19-2005 12:57:24 PM: > Greetings and Salutations: > > From: Craig Skelton <cskelton@...il.com> > > Take a look at Tor. > > http://tor.eff.org/ > > One of the biggest problems with Tor is bandwidth disparity. > > Many people have suggested that I take a look at TOR, and I have. > In fact I was able to talk to some of the authors of that system (I > need to add a reference to TOR in my paper). Extremely > knowledgeable I must say. > > I have installed TOR on a network that I have pretty well locked > down. My router filled up the syslog file with packets to "strange" > ports when I started TOR up. If I wanted to block TOR it would be > fairly easy. > > The other issue (I think I understand TOR correctly) is that if one > of the "routers" is not a "trusted" machine (specifically the first > one) then a rogue "router" can "act" like it is the other "routers" > and will know the entire transaction. There is also a centralized > server to hold the addresses of servers (which could be > compromised). I don't want to have anything centralized. I propose > that all nodes are servers. I am trying to get away from trusting > anybody yet spreading the information around so much so that nobody > can piece together the information. > > One other issue with TOR and FreeNet is searching. They do not have > searches integrated into the design. Someone has to produce a web > page that does the searching. The system I propose has searching as > an integral part. > > I am looking for something that is almost invisible (i.e. port 80, > 81, 443, 21, 22, 23, 8080 etc.) to any monitoring system. The > alternative is to do like AOLIM and just start trying ports until > something works. The other issue is making the traffic "look" like > standard HTML to bypass application level firewalls. > > I like the idea of TOR, tho', and it is interesting and the people I > spoke to gave me tons of pointers on other issues with Anonymous > Systems. I will add / update to the file at: > http://digital.net/~gandalf/Anonymous_Anonymity.htm > > Ken Hollis > > --------------------------------------------------------------- > Do not meddle in the affairs of wizards for they are subtle and > quick to anger. > Ken Hollis - Gandalf The White - gand...@...ital.net - O- TINLC > WWW Page - http://digital.net/~gandalf/ > Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html > Trolls crossposts - http://digital.net/~gandalf/trollfaq.html > Woodworking For Geeks - http://digital.net/~gandalf/woodmain.htm >
Powered by blists - more mailing lists