Torpark and security
nosnoops at fastmail.fm
nosnoops at fastmail.fm
Sat Feb 18 21:11:50 UTC 2006
Hi or-talkers!
I´m a fresh user of Torpark 1.5.0.1 (only as end user,
not running a Tor server) and have a few issues here.
First I must admit that I´m not some "computer guru",
so perhaps my questions seems foolish to IT experts.
Also, excuse my pretty bad english.
My platform is Win XP with F-Secure firewall, antivirus,
antispyware (freshly updated) with the settings at level
"High" and the portable Firefox (that is in the Torpark
package) now configured to no javascript. However, the
Torpark is not istalled on some external thing, but in
an own folder on my machines C:\ drive.
When running the F-Secure´s Internet Shield Packetlog
in time of staying connected with Tor, it shows up some
strange details.
One thing is that some arp protocol is going between my
real IP-number and a similar IP-number (maybe the IP of
my ADSL ISP, doing some normal things). Below that, on
the loglist, is to be seen my real IP-number:port-number
doing tcp protocol with a different IP-number:port-number
(probably a Tor entry node).
Another thing (and now the strange begins, I think) is
that when select a logged row of outgoings to examining
it in the detail frame on the log viewer´s bottom, then it
shows up that my network card´s MAC address is transmitted
out every time something going from my IP-number. Not only
with arp to ISP, but also in the tcp outgoings to the Tor
entry node. Don´t know if it stops there, but anyway it seems
somehow unsecure that the MAC address is being transmitted,
regardless if it stops by the Tor entry node and not reach
the exit node. The log detail viewer looks as below. For
security reasons I don´t write its content, only the frame
around it. The MAC address begins from under 06 in plain
text (before and after is other pairs), but under Ascii is
only random garbage when connected to Tor.
Offset 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f Ascii
0000 (here is MAC addr)
0010
0020
0030
...
Next thing I´m concerned about is if maybe the Tor tunnel
effect also works as a "pipeline" for hackers or malware
attacks on the Tor exit node´s IP-number to be transmitted
all the way into my computer, bypassing my F-Secure firewall
because I´ve given the Torpark firefox access throug it and
such as encrypted between, the firewall don´t take notice?
Hopefully still the antivirus/spyware detect if some stuff
comed in, but perhaps any "clean" hacker style tampering
in my computer content going on undetected? What´s made me
concerned about this, are that almost now and then the
ADSL modem indicator lights flashing alot of time (more
than before) but not correlated to the firewall´s alert log
of blocked intrusion attempts, and even when the browser is
idle. Also some more hard drive rattling is to be heard than
before. As far as I know, I´ve disabled every auto-updatings
in every program on my computer. On the network adapter is
only "QoS Packet Sheduler" and "Internet Protocol [TCP/IP]"
enabled (no "File and Printer Sharing" or "Client for Microsoft
Networks") and a bunch of risky services I´ve also disabled.
Maybe you know if that is a natural behavior for Tor/Torpark?
Finally a couple of external concerns. Is there any possibility
that a hostile ISP who already decided to look special on some
particular users, may setup a kind of "simulated URL trap" that
make the user believe it is connecting to Tor (or whatever else
the user want to connect) and serve to the user an "image" of
the supposed Tor server or website?
One step further, on the Tor entry node, is there a possibility
that somebody running the entry node, make some mod´s to the
Tor entry node software in a way that allows separation of the
incoming secure connection from the outgoing for next Tor server
and there inserted a tapping af the data in unencrypted form,
some sort of MITM "insider" attack?
And of course the whole thing relays on how safe and uncrackable
the encrypting itself is. Some people maybe know how to decrypt
it, at least if they are in the right business. Just a guess.
--
nosnoops at fastmail.fm
--
http://www.fastmail.fm - Accessible with your email software
or over the web
More information about the tor-talk
mailing list