Fwd: Re: Library Defeats Tor
mark485anderson at eml.cc
mark485anderson at eml.cc
Sat Sep 29 20:58:37 UTC 2007
Give me a couple days and I will confirm and report back after running a
sniffer.
I don't use this library node often, so it will be a few days. Besides I
do not have the
firewall logs with me now, so don't want to misstate things until I am
sure and have gathered as much information as I can.
On Fri, 28 Sep 2007 23:57:17 -0500 (CDT), "Scott Bennett"
<bennett at cs.niu.edu> said:
> On Fri, 28 Sep 2007 15:06:48 -0700 mark485anderson at eml.cc wrote:
>
> >On Fri, 28 Sep 2007 15:02:53 -0700, mark485anderson at eml.cc said:
> >>
> >> On Thu, 27 Sep 2007 21:20:42 -0500 (CDT), "Scott Bennett"
> >> <bennett at cs.niu.edu> said:
> >> > On Thu, 27 Sep 2007 19:05:27 -0700 mark485anderson at eml.cc wrote:
> >> >
> >> > >On Thu, 27 Sep 2007 19:52:30 -0500 (CDT), "Scott Bennett"
> >> > ><bennett at cs.niu.edu> said:
> >> > >> On Thu, 27 Sep 2007 20:35:58 -0400 Watson Ladd
> >> > >> <watsonbladd at gmail.com>
> >> > >> wrote:
> >> > >> >mark485anderson at eml.cc wrote:
> >> > >> >> Then after agreeing to the TOS, you are able to connect to tor servers,=
> >> > >> >
> >> > >> >> but all dns requests go through a library computer IP, such that they
> >> > >> >> can see and record where you are going. I am not sure if they can see
> >> > >> >> the TCP content, but the UDP (which I assume is the dns lookups are all=
>
> What does your firewall software or other tool at your disposal have
> to
> say about the TCP packets from your browser? Do they go to privoxy? And
> where does it say that packets from privoxy go? To your tor client?
> Somewhere
> else?
>
> >> > >> >> being monitored and probably logged by the library server through which=
> >> > >> >
> >> > >> >> you are connected. Firewall logs clearly show the outgoing and incoming=
> >> > >> >
> >> > >> >> DNS packets to the library IP. Rest of connections to Tor servers in th=
> >> > >> >e
> >> > >> >> firewall log appear normal.
>
> Just to confirm: your firewall log shows that the UDP packets in
> question are destined to some IP address and port 53?
>
> >> > >> >Make sure to run DNS queries over tor if anonymity is important.
> >> > >>
> >> > >> Absolutely. Check your privoxy configuration file to make sure its
> >> > >> first line is
> >> > >>
> >> > >> forward-socks4a / localhost:9050 .
> >> > >
> >> > >already is
> >> > >
> >> > Okay. Good.
> >> > >>
> >> > >> If you're using some other port than 9050, change that accordingly.
> >> > >> Other
> >> > >> programs, e.g. PuTTY, will need to be configured, too, if you use them.
> >> > >> In the case of PuTTY, each remote login site that you configure to be
> >> > >> proxied through tor will need to be set to use socks5 and to do DNS name
> >> > >> lookups at the proxy end (see "Proxy" under "Connection").
> >> > >>
> >> > >> >>=20
> >> > >> >> I have not run a sniffer yet on this, because my laptop is old and it
> >> > >> >> might not be able to handle it. But tor anonymity is obviously shot whe=
>
> Your laptop, old though it may be, apparently has no trouble
> handling
> wireless IP traffic, so I would bet that a sniffer storing, say, only UDP
> packets to port 53 wouldn't overtax it.
> >> > >> >n
> >> > >> >> connecting to their wifi nodes. I believe I tried to block the DNS
> >> > >> >> lookups to the Library IP with privoxy generic block rules and then I\
>
> Because I don't know how that works in privoxy, I'll ask, does your
> firewall allow you to block outbound UDP packets to port 53? If so, what
> happens if you block them that way instead of via privoxy?
>
> >> > >> >Using socks-4a should fix this.
> >> > >
> >> > >already set to sock 4a
> >> > >
> >> > >>
> >> > >> Right. Or socks5, though privoxy doesn't yet appear to support
> >> > >> that.
> >> > >
> >> > >did you just start using tor?
> >> > >
> >> > About 2.5 years so far.
> >> > >>
> >> > >> >> could not load any web pages, indicating again that the dns requests ar=
> >> > >> >e
> >> > >> >> first being routed to the library machine, where they are, of course,
> >> > >> >> logged (and maybe sent off to the FBI, if your reading muslim materials=
> >> > >> >,
> >> > >> >> haha).
> >> > >> >Now are these DNS requests for sites you are browsing? It sounds like
> >> >
> >> > I think the question posed here may reveal the answer.
> >>
> >> Already answered that I think, the dns requests APPEAR to be made each
> >> time a new url is looked up and not in looking up tor servers, but I
> >> will only know for certain when I run the sniffer, if that is possible
> >> on my laptop.
> >>
> As long as your wireless interface (and its driver) can run in
> promiscuous mode, a sniffer ought to work okay. Some systems may well be
> able to trap outbound packets without an actual sniffer. On most/all
> UNIX
> systems, you will need root privileges, too, to run tools like
> tcpdump(1).
> >>
> >> >
> >> > >> >that is the case, but I just want to make sure.
> >> > >>
> >> > >> Most public wireless locations use no encryption at all. In these
> >> > >> situations, things like tor and SSH are about the only significant
> >> > >> privacy
> >> > >> protection most users have.
> >> > >
> >> > >no problem with tor and other wifi connections, dns goes to tor, hence
> >> > >my OP title LIBRARY DEFEATS TOR
> >> > >Tentative Conclusion: Tor cannot be used with any confidence on
> >> > >publically maintained machines, but there is no reference to this on the
> >> > >tor website; nor any real illumination from this group, so far. I
> >> > >suppose now someone is going to tell me to disable javascript and
>
> Actually, that's probably worth a shot, given recent postings by the
> author of Torbutton. It's also trivial to do if you have the Quick Java
> and/or NoScript plugins installed in firefox.
>
> >> > >cookies, ;-) The encryption is SUPPOSED to occur at the client before it
>
> Cookies are just data. They do not execute and therefore do not
> query
> name servers, so I wouldn't think that would be worth bothering with.
>
> >> > >even gets to any outside server, but obviously this is not happening as
> >> > >the dns requests are being subverted. Perhaps the traffic is being
> >> > >shuttled from the kernel OS to a library server. IOW tor should provide
> >> > >the encryption necessary and no wifi encryption should be needed. I will
> >> > >see if I can run a sniffer to find out exactly what's happening.
> >> > >
> >> > Yes, and I think that may be why Watson asked the question I noted
> >> > above. Tor does its own name server queries for two purposes: 1) to
> >> > provide exit service when running in server mode, 2) to look up addresses
> >> > of other tor servers, regardless of mode. These are normal operations
> >> > and reveal only those activities. When you are using it in a public
> >> > location, I assume that it is running only as a client. So that returns
> >> > us to the question of exactly what kinds of addresses is tor looking up?
> >>
> >> the laptop appears to be getting web site dns translations from a
> >> library node rather than from tor, which allows tracking and profiling.
> >> each time a new url is introduced I get a firewall dns request in the
> >> log.
> >>
> >> > Are they only the addresses of other tor servers? Or do they also
> >> > include the addresses of the web sites you're trying to reach?
> >> > Would you also please double check your browser configuration to
> >> > make sure it is forwarding everything through privoxy? If you're using
> >> > a firefox plug-in module like Torbutton, switchproxy, or foxyproxy, have
> >> > you accidentally disabled the proxy?
> >>
> >> nope, don't use those, the browser is always set to go through privoxy.
> >> will do some further testing and try to report back, but suprised not
> >> more answers to this post. certainly others should have experienced this
> >> problem.
> >>
> I guess that's the point: we haven't experienced it, which is why
> we've been asking questions to try to debug the problem. Here are more.
>
> 1) Are you using a Microslop operating system? If so, which?
> And if not, then which operating system and version are you using?
>
> 2) What is the firewall software that you have referred to several
> times?
>
> 3) Which version of tor are you running?
>
> 4) Which browser and version are you using?
>
> 5) Under the assumption for the moment that your connection to the
> wireless attach point gets configured by DHCP, which IP address(es)
> got assigned to your system for its own address, for an IP gateway,
> and for name server(s) to be used?
>
> I keep having the feeling that what you think is happening differs
> from
> what is actually happening and/or something misconfigured somehow is
> being
> overlooked. Please be patient with us. We're trying to help figure out
> what's going on, and you're the only one who can provide the
> observational
> data that might lead to a solution. If it seems like we are just
> grabbing
> at straws so far, rest assured that we aren't there yet and can't get
> there
> until we first have at least the basic facts of the case established.
> ;-)
> Anyone else with pertinent questions, please join in!
>
>
> Scott Bennett, Comm. ASMELG, CFIAG
> **********************************************************************
> * Internet: bennett at cs.niu.edu *
> *--------------------------------------------------------------------*
> * "A well regulated and disciplined militia, is at all times a good *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army." *
> * -- Gov. John Hancock, New York Journal, 28 January 1790 *
> **********************************************************************
--
mark485anderson at eml.cc
--
http://www.fastmail.fm - Does exactly what it says on the tin
More information about the tor-talk
mailing list