Message-ID: <Pine.LNX.4.64.0712090742230.20541@localhost.localdomain>
Date: Sun, 9 Dec 2007 08:02:41 +0000 (UTC)
From: jf <jf@...glingpointers.net>
To: gmaggro <gmaggro@...ers.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Compromise of Tor, anonymizing networks/utilities

> >> In any case, it is a certainty then that some law enforcement agencies
> >> are running tor nodes; it has been spotted in actual use at many such
> >> locales. Tor might be a great idea but it is sadly lacking in many aspects
> >> of its implementation.
> >
> > It would help if you were more specific here. Especially, could you
> > flesh out what you mean by, "it is sadly lacking in many aspects of its
> > implementation."

It's really quite simple. If you or I can set up a tor node and use it to
mitm/pop people/etc, or use it and the various tracking methods previously
shown (wasn't it hd who did the js/flash callhome stuff?), then any
inclined entity with the resources can employ the same tactics at a much
larger scale, over as diversified and distributed a region as their
resources will allow.

If you consider who has those types of resources, you're basically stuck
with mega-corporations, governments, telcos and potentially some
spammers/botnets. While I think it's doubtful we'll see a mega-corporation
involved in something like that, you never know, though; a few 'eccentric'
board members can take you to some weird places. Governments, however, are
quite obviously one entity that both has proper motivation and typically
proper resources to employ it, and the mega-telcos in places like the US
have pretty much shown their colors already; don't fret though,
I bet your country's telcos aren't any better. The
spammers/phishers/botnets/etc, well, it's irrelevant to this point.

That all considered, it becomes obvious that, if you presume that its
goal was anonymity to everyone, which is dubious at best if you consider
some of its .mil background, this is a deep design flaw. Or at least
that's my opinion.

