Anonymous Browsing On Android Phones Using Tor

← Back to Stories (view on slashdot.org)

Anonymous Browsing On Android Phones Using Tor

Posted by Soulskill on Sunday October 25, 2009 @02:43AM from the privacy-on-the-move dept.

ruphus13 writes "Privacy is becoming a scarce commodity, especially with geo-aware phones. Now, Android phone users can browse anonymously using Tor — a capability, until now, limited to the desktop. From the post: 'We have successfully ported the native C Tor app to Android and built an Android application bundle that installs, runs and provides the glue needed to make it useful to end users. Secure, anonymous access to the web via Tor on Android is now a reality,' writes Guardian Project team member Nathan Freitas. The Tor 0.2.2.6-alpha release uses toolchain wrapper scripts to run Tor without requiring root access."

109 comments

Min score:

Reason:

Sort:

!secure by sopssa · 2009-10-25 02:43 · Score: 4, Informative

Secure, anonymous access to the web via Tor on Android is now a reality
People should really stop using the word secure with Tor. Anonymous, sure, but you actually forfeit some of your security and privacy when using Tor. Anyone can snoop your outgoing connections from Exit node, or if you're using https or other secure connection, change the certificates. On top of that there's a change the exit node changes your http pages in addition to stealing or just snooping for information. Implying "secure" in news likes this gives lots of false sense of security to users, like has been seen many times before.

Eavesdropping by exit nodes
In September 2007, Dan Egerstad, a Swedish security consultant, revealed that by operating and monitoring Tor exit nodes he had intercepted usernames and passwords for a large number of email accounts.[15] As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption, e.g. SSL. While this does not inherently violate the anonymity of the source, it affords added opportunities for data interception by self-selected third parties, greatly increasing the risk of exposure of sensitive data by users who are careless or who mistake Tor's anonymity for security.[16]

Another thing is that you are still usually leaking DNS queries to your ISP, which may even return false results if you're being censored in China or something and they still see what sites you're visiting.
The summary also quickly mentions geo-aware phones. If you happen to be using that bad exit node, now your geo-location updates will be transmitted via it too. And goverments should be able to set up a lot different exit nodes all around the world easily.
So no, it's not secure. It's maybe anonymous, if you use it correctly and don't login to your banking, slashdot account or whatever with it.
1. Re:!secure by CharlyFoxtrot · 2009-10-25 02:47 · Score: 2, Insightful
  
  TL;DR : only use Tor if you know what the hell you are doing.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
2. Re:!secure by Anonymous Coward · 2009-10-25 02:59 · Score: 0
  
  TL;DR : only use Tor if you know what the hell you are doing.
  
  Wrong! The point is that if you know what the hell you're doing, you'd understand that Tor isn't necessarily secure.
3. Re:!secure by SlothDead · 2009-10-25 03:00 · Score: 1
  
  I'm not sure I understand this. How is monitoring an exit node different from monitoring any node on the internet? Can't I just intercept usernames and passwords at any node? Or are you saying that TOR exit nodes are just a more popular target, because they route more? I'm puzzled by what you are saying. :-/
4. Re:!secure by sopssa · 2009-10-25 03:12 · Score: 1
  
  In Tor network the traffic is routed encrypted like you->middle node->middle node->exit node. But since protocols like http, ftp, irc and many im networks dont support encryption, the exit node will always be able to monitor traffic. And those exit node's can be set up by anyone.
5. Re:!secure by buchner.johannes · 2009-10-25 03:17 · Score: 1
  
  TL;DR : use Tor for what it was ment to do.
  40 4
  
  --
  NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
6. Re:!secure by Anonymous Coward · 2009-10-25 03:21 · Score: 0
  
  All he is saying is TOR exit nodes may be run by black-hats/phishers and you would never know what the exit node will do with your information. The exit node still cannot pin point your IP address, but is really free to store your unencrypted passwords, insert malicious java scripts into pages you browse.
  
  In contrast I (sorta) trust my ISP/any_node_trusted_by_my_ISP to not insert objects into pages I browse.
7. Re:!secure by tolan-b · 2009-10-25 03:35 · Score: 2, Informative
  
  > or if you're using https or other secure
  > connection, change the certificates.
  Am I missing something here? I know about Tor MITM attacks from exit nodes, but how are they supposed to fake a cert? Seeing as proper certificates 'guarantee' identity as well as encryption.
  Assuming they're not using that null in the name string attack. But let's assume they're using a secure browser to begin with :)
8. Re:!secure by sopssa · 2009-10-25 03:40 · Score: 1
  
  Just create self-signed certificate in the middle. It probably wouldn't work for people who always checks the certificate and it's validity, but I can bet there's enough stupid people who just click "OK, continue anyway".
9. Re:!secure by Anonymous Coward · 2009-10-25 03:44 · Score: 2, Informative
  
  THANK YOU!
  Tor is only secure for doing anonymous things.
  The instant you login to anything, you are really risking giving up that information and breaking the point of the system in the first place.
  The creator really needs to put this in as a warning in big red letters.
10. Re:!secure by Arancaytar · 2009-10-25 03:45 · Score: 1
  
  Another thing is that you are still usually leaking DNS queries to your ISP, which may even return false results if you're being censored in China or something and they still see what sites you're visiting.
  
  any traffic passing through it which does not use end-to-end encryption, e.g. SSL.
  Well, like any other security/anonymity tool it only works for users who know their stuff and use it carefully. Don't access sensitive information without end-to-end encryption, and for heaven's sake make sure DNS queries are routed through tor as well (this is possible).
11. Re:!secure by BrokenHalo · 2009-10-25 03:46 · Score: 1
  
  TL;DR : only use Tor if you know what the hell you are doing.
  
  I don't have a problem with multi-sentence posts. But Tor, while a laudable and useful idea, has its limitations with mobile devices...
  
  ...the main one being that someone can whack you over the head in the street, taking your phone, and your security is gone with last year's business management theories.
12. Re:!secure by Arancaytar · 2009-10-25 03:53 · Score: 1
  
  I run an exit node, as can anyone. If I were sufficiently nosy, I could use Wireshark et al to listen in.
  It would be impossible to target or identify a specific person due to the randomized infrastructure, but phishing for non-SSL access to random online accounts is very possible.
  That's why you don't want to use Tor to log in anywhere that doesn't use SSL.
13. Re:!secure by Arancaytar · 2009-10-25 04:10 · Score: 2, Informative
  
  Right in principle, but it's fortunately not as bad as you think.
  SSL is a transparent layer on top of TCP, which means any protocol can be tunneled through it, including HTTP and IRC. (Though for FTP, you'd tunnel through SSH instead.) Admittedly, few IRC networks support SSL at present, but that will hopefully change. Freenode says they're working on it. Either way, IRC traffic is generally semi-public and the most sensitive stuff is your NickServ password (enabling exit nodes to impersonate random people on IRC).
  As for the proprietary IM networks, firstly you really should use Jabber if you care about security. Secondly though, at least the sign-in apparently goes through SSL for AIM, ICQ and Yahoo - and end-to-end encryption is available via Off-The-Record Messaging (the brightest invention since PGP, imho).
14. Re:!secure by _Sprocket_ · 2009-10-25 04:21 · Score: 1
  
  It's an issue of opportunity. If you want to sniff traffic, you have to put yourself in to a position to do so. Either you work for a large enough network that gives you access to the appropriate devices, convince those network owners that they should provide you with information, insert your own devices in someone else's network, or you build your own network large enough for sufficient targets. Setting up an exit node allows you to slip in your own device in a large network with very little cost.
15. Re:!secure by _Sprocket_ · 2009-10-25 04:23 · Score: 0, Redundant
  
  TL;DR : only use Tor if you know what the hell you are doing.
  The Devil's in the details here and the OP provided sufficient details. Your summery doesn't. And furthermore, the "TL;DNR" meme is yet another example of willful ignorance in snarky packaging.
16. Re:!secure by CharlyFoxtrot · 2009-10-25 04:34 · Score: 1
  
  The Devil's in the details here and the OP provided sufficient details. Your summery doesn't. And furthermore, the "TL;DNR" meme is yet another example of willful ignorance in snarky packaging.
  Relax guy. I was only trying to humourously point out that if you wan't to use programs like Tor you have to know about the details (like the OP) otherwise you're actually making things worse. Which excludes most of the population, who will probably understand more of my summary than of the OP's post. You can remove the rod from your backside now.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
17. Re:!secure by schon · 2009-10-25 04:35 · Score: 1
  
  So in other words, it's no more or less secure, and you were just blowing smoke?
18. Re:!secure by CharlyFoxtrot · 2009-10-25 04:41 · Score: 0
  
  That's why you don't want to use Tor to log in anywhere that doesn't use SSL.
  Don't do that. If you go out through a malicious exit node you're leaving yourself wide open to man in the middle attacks.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
19. Re:!secure by CarpetShark · 2009-10-25 05:07 · Score: 0
  
  TL;DR : only use Tor if you know what the hell you are doing.
  I think his point was that people who know what the hell they're doing DON'T use Tor. Tor is a solution for the rest of the users who don't get freenet, or don't care enough to wait on freenet. In those roles, I think it's pretty good.
20. Re:!secure by joaobranco · 2009-10-25 05:27 · Score: 1
  
  Another thing is that you are still usually leaking DNS queries to your ISP, which may even return false results if you're being censored in China or something and they still see what sites you're visiting.
  I believe you don't leak DNS queries if you use tor like a SOCKS proxy (therefore proxying the DNS queries). Although the exit note could mess with your DNS queries if you do so (a hard security trade-off, to be sure).
21. Re:!secure by Anonymous Coward · 2009-10-25 05:56 · Score: 0
  
  Anything you send plain-text over the internet can be intercepted by third parties. Tor just makes it easier for people to do that to you. In other words, Tor just makes an existing flaw in your understanding of security that much more noticeable. You should already be using SSL for all logins and you should be validating those certificates every time. You're just used to security through obscurity which is why you think Tor is so insecure. It's not. You're just stupid and lazy. That being said, I still wouldn't run my banking through Tor because my bank already knows who I am. So not only is your understanding extremely limited, your examples are pointless. We don't want to bank through Tor but thanks Captain Obvious, for telling us not to.
22. Re:!secure by Anonymous Coward · 2009-10-25 06:09 · Score: 0
  
  Only if the exit node has a forged, CA-signed certificate targeting the site you are accessing, or if you're stupid enough to ignore the security warning on the forged, non-CA-signed certificate.
  Granted, forging certs is becoming far too easy these days, so I do agree that using it for sensitive information is unwise, but it is still not as easy as you're suggesting. About on par with using a public WiFi hotspot, I'd guess, since using Tor gets the attacker about the same thing you can get with ARP spoofing. :)
23. Re:!secure by _Sprocket_ · 2009-10-25 06:25 · Score: 1
  
  I understand the attempt at humor. However, your "summary" doesn't point out that you need to know the details. Someone may think they "know what they hell [the're] doing" simply because they know how to use TOR or even the basics of how TOR works. But without understanding the ramifications that the OP pointed out, they fall in to the same danger.
  Yes - your "summary" is nice and easy to digest and I'm sure there's a lot of people who understand it (or at least, THINK they understand it) better than the OP. But ignorance for the sake of brevity is not helpful.
  Sorry if this came across as a personal attack. I'm more interested in the meme than the poster; the meme must die. If that sounds like I'm overly critical, then you'll have to forgive me for (occasionally) expecting more out of this community than, say, a forum on CNN.
24. Re:!secure by TheRaven64 · 2009-10-25 06:27 · Score: 1
  
  It's about opportunity. Any attack that your ISP can perform on a normal connection, a random Tor exit node operator can perform over Tor. It's up to you to decide whether you can trust your ISP more or less than a Tor exit node operator. If you live, for example, in Iran then you possibly can't, but if you live in most of the western world then you probably can.
  
  --
  I am TheRaven on Soylent News
25. Re:!secure by 56 · 2009-10-25 06:49 · Score: 2, Informative
  
  The problem for me is that the actual android phone itself is logged into google! Doesn't that make it insecure by their very nature?
  I have an HTC Magic/G2, and I've often been concerned about this when connecting to an open wifi ap. I only use wifi, so the fact that my cell phone company can see my usage over 3g is a non-issue (canceled my data plan when the free trial ran out). But it seems to me that my google password is probably not well protected from whoever owns the ap I'm connecting to.
  I just downloaded the tor android client and the shadow browser (which tells me that it can't use https, unfortunately), and it seems to work. I just checked my IP and it comes up as somewhere in Vancouver, which is not where I am so that's nice. But I still don't see how one can get past the fact that the phone itself is logged into google at all times.
26. Re:!secure by skeeto · 2009-10-25 07:33 · Score: 0
  
  and don't login to your banking
  Online banking uses https, so it's safe to do over Tor (though pointless anyway). Just don't ignore any self-signed certificate warnings.
27. Re:!secure by Anonymous Coward · 2009-10-25 07:49 · Score: 2, Informative
  
  The count attacks got it wrong. Tor works in combination with privoxy and that routes DNS requests over Tor to avoid letting your ISP know what sites you are surfing. Stop spreading this FUD. Certainly users need to be educated about these issues- and not all will understand the implications. The problem is people here don't seem to understand Tor either and make false or missleading statments about it.
28. Re:!secure by Anonymous Coward · 2009-10-25 09:17 · Score: 0
  
  fuck man i just divided by zero
  OH SHI---
29. Re:!secure by Anonymous Coward · 2009-10-25 10:05 · Score: 0
  
  There are definite security tradeoffs between Freenet and Tor.
  Plus you can't access the web at large with Freenet and freesites aren't as interactive as hidden services.
  Though I must say, I don't particularly trust the anonymity afforded by hidden services or opennet Freenet.
30. Re:!secure by AHuxley · 2009-10-25 10:56 · Score: 1
  
  You could just port filter it for IM, sit back and read, how many use encrypted settings?
  Less risk and something new everyday.
  
  --
  Domestic spying is now "Benign Information Gathering"
31. Re:!secure by Toonol · 2009-10-25 11:06 · Score: 0, Offtopic
  
  And furthermore, the "TL;DNR" meme is yet another example of willful ignorance in snarky packaging.
  
  Agreed. It's aggressive idiocy, like the rephrased quoting with "FIXED IT FOR YOU" meme.
32. Re:!secure by Arancaytar · 2009-10-25 12:18 · Score: 1
  
  SSL has certification authorities. Needless to say, initiating an encrypted connection via tor with a site that is not certified is at least as careless as not using SSL at all.
33. Re:!secure by CharlyFoxtrot · 2009-10-25 17:54 · Score: 1
  
  SSL has certification authorities. Needless to say, initiating an encrypted connection via tor with a site that is not certified is at least as careless as not using SSL at all.
  Because CA signing has never been compromised ?
  IE, Chrome, Safari duped by bogus PayPal SSL cert
  MD5 Weakness Allows Fake SSL Certificates To Be Created
  Or because no one ever gets suckered by a proxy just stripping out the SSL altogether ?
  Man-in-the-middle attack sidesteps SSL
  And no one has ever been tricked into clicking "OK" when a MITM attack passes on its own cert ?
  TOR exit-node doing MITM attacks
  Now I know you (and the guy who modded me "overrated") probably take all possible precautions but they only need to catch you or some less careful type off guard once. I don't know why anyone would route a secure connection through an untrusted node on purpose. Sounds like asking for trouble to me.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
34. Re:!secure by _Sprocket_ · 2009-10-25 18:43 · Score: 1
  
  I'm not sure why you're responding to me. Nothing that I said, nor the OP for that matter, made any mention of DNS - proxied or otherwise. The OP's link talks about a malicious exit node sniffing and analyzing traffic it handles. Hiding your DNS lookups from your ISP doesn't enter in to it. And large-scale count-correlation attacks tend to be a bit more involved than matching DNS lookups to traffic (which is the only thing I could imagine being remotely relevant).
  As a side note - congratulations on getting a +1 informative for that, though. Witness the "TL;DNR" meme in full effect.
35. Re:!secure by cbhacking · 2009-10-25 19:22 · Score: 1
  
  I'd like to quickly expand on the Off-The-Record reference; OTR is a feature that uses end-to-end encryption of instant messenger conversations. It's available as a plug-in for Pidgin (on Windows or *nix) and is built into Adium (on Mac). If you're even slightly concerned about your conversations getting snooped on, you should use it. I believe it uses asymmetric crypto to exchange a shared key that is unique to each conversation. Validating the public key of your friends will provide authentication and protection against MitM attacks as well.
  
  --
  There's no place I could be, since I've found Serenity...
36. Re:!secure by tolan-b · 2009-10-25 21:58 · Score: 1
  
  Latest FF and IE at least make a *huge* fuss about self-signed certs, you have to do something like 3 clicks, including waits, plastered with big warnings.
37. Re:!secure by muckracer · 2009-10-25 23:01 · Score: 1
  
  http://www.cypherpuns.ca/otr
  # apt-get install pidgin-otr
  etc.
38. Re:!secure by muckracer · 2009-10-25 23:03 · Score: 1
  
  correct link:
  http://www.cypherpunks.ca/otr
  Sorry...typo.
39. Re:!secure by Proteus+Child · 2009-10-26 01:51 · Score: 1
  
  TL;DR : Read the manual before using Tor. It explains all of this.
  
  --
  Proteus' Child
  Doko ni datte; hito wa, tsunagette iru.
40. Re:!secure by cbiltcliffe · 2009-10-26 03:12 · Score: 1
  
  People should really stop using the word secure with Tor. Anonymous, sure, but you actually forfeit some of your security and privacy when using Tor. Anyone can snoop your outgoing connections from Exit node, or if you're using https or other secure connection, change the certificates. On top of that there's a change the exit node changes your http pages in addition to stealing or just snooping for information. Implying "secure" in news likes this gives lots of false sense of security to users, like has been seen many times before.
  And this is different from regular web browsing....how, exactly? You're not forteiting any of your security or privacy. You're just not necessarily gaining any more in certain areas. But, this only applies if the exit node you happen to be using for that connection is a malicious node. Yes, governments can set up an awful lot of nodes, but the size of the network itself is going to dwarf anything a government can do. The vast majority of exit nodes are legitimate.
  You can also specify not to use certain exit nodes. If you're in China, and you don't want to risk government interference, then configure your node to not use any Chinese exit nodes.
  
  Eavesdropping by exit nodes
  In September 2007, Dan Egerstad, a Swedish security consultant, revealed that by operating and monitoring Tor exit nodes he had intercepted usernames and passwords for a large number of email accounts.[15] As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption, e.g. SSL. While this does not inherently violate the anonymity of the source, it affords added opportunities for data interception by self-selected third parties, greatly increasing the risk of exposure of sensitive data by users who are careless or who mistake Tor's anonymity for security.[16]
  So, jerks can break your security. Big news. Film at 11. Maybe the fact that this can be done anywhere at all, unless you're using an unbreakable encryption/authentication method, means you shouldn't be worrying about Tor specifically.
  
  Another thing is that you are still usually leaking DNS queries to your ISP, which may even return false results if you're being censored in China or something and they still see what sites you're visiting.
  The summary also quickly mentions geo-aware phones. If you happen to be using that bad exit node, now your geo-location updates will be transmitted via it too. And goverments should be able to set up a lot different exit nodes all around the world easily.
  So no, it's not secure. It's maybe anonymous, if you use it correctly and don't login to your banking, slashdot account or whatever with it.
  This is patently incorrect. All DNS queries from a Tor-surfing browser are routed over the Tor network. There are specific instructions for the setup of a Tor exit node that state basically "If your ISP blocks access to certain sites, make sure your Tor node knows about them, otherwise Tor users will get NORECORD results from DNS queries, and think the site is down/missing. If your node knows about them, the Tor network will not use your node to attempt access to those sites."
  I've stumbled across a misconfigured Tor exit node before that did this. Trying to access a site over Tor resulted in an error page, but the same site over the Internet worked fine. Waited for 10 minutes for the Tor connection to cycle to a different route, and all of a sudden I could access it over Tor, too.
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
41. Re:!secure by Impy+the+Impiuos+Imp · 2009-10-26 06:15 · Score: 1
  
  This is true.
  Scammers and thieves aside, do you think the CIA, FBI, and whoever, don't have servers deliberately placed on the input and output routes to Tor and similar and then match them up? Even if you-to-Tor is 100% encrypted and unbreakable, they can still build up a statistical chronal and rough size relationship between you and the Tor-to-destination side.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
42. Re:!secure by Anonymous Coward · 2009-10-27 06:39 · Score: 0
  
  STFU. If you used it you would understand how it works (ie,You can not even do a simple google search via tor-for one. Browsing is the key word idiot.
Privacy is the next killer ap by Presto+Vivace · 2009-10-25 02:45 · Score: 2, Interesting

The company who figures out how to protect our privacy while using all the cool gadgets and online tools is going to make a boat load of money.
1. Re:Privacy is the next killer ap by CharlyFoxtrot · 2009-10-25 02:50 · Score: 3, Insightful
  
  The company who figures out how to protect our privacy while using all the cool gadgets and online tools is going to make a boat load of money.
  Because you know these days we need companies to do what the governments should be doing.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
2. Re:Privacy is the next killer ap by sopssa · 2009-10-25 02:52 · Score: 0, Troll
  
  So goverment should disallow "all the cool gadgets and online tools" so stupid people who dont know how to use them can maintain their privacy?
3. Re:Privacy is the next killer ap by CharlyFoxtrot · 2009-10-25 03:09 · Score: 1
  
  So goverment should disallow "all the cool gadgets and online tools" so stupid people who dont know how to use them can maintain their privacy?
  No, they should regulate the companies based in their countries to respect people's privacy. Mind blowing concept, huh ? The EU actually has made some progress towards this but not enough.
  The whole reason we have this representative government thing is to make sure the rights of the many aren't violated for the good of a few. It'd be nice if governments grew a pair and started doing their job.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
4. Re:Privacy is the next killer ap by Anonymous Coward · 2009-10-25 03:15 · Score: 0
  
  The whole reason we have this representative government thing is to make sure the rights of the many aren't violated for the good of a few. It'd be nice if governments grew a pair and started doing their job.
  in other words, mob rule.
  fucking idiot.
5. Re:Privacy is the next killer ap by TheLink · 2009-10-25 03:53 · Score: 1
  
  > It'd be nice if governments grew a pair and started doing their job.
  
  It'd be nice if voters grew some brains and started doing their jobs too.
  
  Hopefully the US people get lucky with Obama...
  --
  
  Too many replies beneath your current threshold
6. Re:Privacy is the next killer ap by Arancaytar · 2009-10-25 04:16 · Score: 1
  
  In most of the "cool gadgets" cases, the problem is a security/convenience trade-off. You wouldn't be using them for entertainment if they were inconvenient enough to guarantee privacy.
  However, in other respects you have a point - political dissenters are still using Facebook and Twitter to organize (eg. in Iran), and these users have to be provided either with a secure if inconvenient way to use them, or with a better (if inconvenient) alternative.
7. Re:Privacy is the next killer ap by timestride · 2009-10-25 06:10 · Score: 1
  
  Are you kidding me? Perhaps for the /. crowd, but what about the average Facebook wielding user? Almost every "application" on the site states that you are forsaking your own privacy and that of your "friends." Those requirements don't stop many from agreeing to the terms of use. The average user doesn't even think of privacy.
8. Re:Privacy is the next killer ap by dontmakemethink · 2009-10-25 06:18 · Score: 1
  
  Companies are already making too much money abusing our lack of privacy. Why stop now?
  
  --
  
  War as we knew it was obsolete
  Nothing could beat complete denial
  - Emily Haines
9. Re:Privacy is the next killer ap by Presto+Vivace · 2009-10-25 07:29 · Score: 2, Funny
  
  the more companies that make money by abusing our privacy, the more demand there is for privacy tools. The company which solves this problem will make a boat load of money.
10. Re:Privacy is the next killer ap by Presto+Vivace · 2009-10-25 07:55 · Score: 1
  
  but what if you could make it convenient to protect your privacy? People might even pay money for that.
11. Re:Privacy is the next killer ap by muckracer · 2009-10-25 23:10 · Score: 1
  
  > the more companies that make money by abusing our privacy, the more demand
  > there is for privacy tools.
  Oh you mean like the business model of the anti-virus industry? :-)
12. Re:Privacy is the next killer ap by Arancaytar · 2009-10-30 03:45 · Score: 1
  
  That would be wonderful.
  I'm skeptical that it can be done, though. As Bruce Schneier says, security is a state of mind. Cryptographic technology and security protocols are now so advanced that the most significant vulnerability is the user.
  For example, SSL's CA implementations may have had (and still have) a few nasty technical holes, but the easiest way to stage a MITM attack is probably to simply self-sign your fake certificate and trust that the user will scroll past the "WARNING WARNING DO NOT IGNORE THIS" text, check the "ABSOLUTELY DO NOT CHECK THIS WITHOUT KNOWING WHAT YOU'RE DOING" option and then click "Add exception" to get rid of the annoying warning.
  Making these warnings more insistent costs convenience, and making them less obtrusive costs security.
Tor-bots and Tor-jans..... by Bob_Who · 2009-10-25 02:52 · Score: 1

....respect your anonymity while making you feel so much more secure... just like car alarms, free buffets in Vegas, and condoms.
1. Re:Tor-bots and Tor-jans..... by Anonymous Coward · 2009-10-25 02:58 · Score: 0
  
  Cmon now, free buffets in vegas actually work...
2. Re:Tor-bots and Tor-jans..... by Anonymous Coward · 2009-10-25 03:28 · Score: 0
  
  Cmon now, free buffets in vegas actually work...
  
  They sure do. They keep you inside the casino so you'll continue gambling after you finish eating.
Except you must still trust Tor by Gothmolly · 2009-10-25 03:02 · Score: 2, Interesting

You must still assume that the Tor nodes you are using are not hacked NSA or Chinese intelligence agency nodes, with a nice 'log traffic to disk' function added. If you really care, you need something like Opportunistic Encryption.

--
I want to delete my account but Slashdot doesn't allow it.
1. Re:Except you must still trust Tor by poofmeisterp · 2009-10-25 03:19 · Score: 2, Funny
  
  You must still assume that the Tor nodes you are using are not hacked NSA or Chinese intelligence agency nodes, with a nice 'log traffic to disk' function added. If you really care, you need something like Opportunistic Encryption.
  So you shouldn't use it if you don't want to be a Tor-get of investigation? :>
2. Re:Except you must still trust Tor by dagamer34 · 2009-10-25 03:20 · Score: 1
  
  If you have data that's so important that you don't want the Chinese or NSA looking at it, send it by snail mail on a disk!
3. Re:Except you must still trust Tor by BrokenHalo · 2009-10-25 03:58 · Score: 1
  
  If you have data that's so important that you don't want the Chinese or NSA looking at it, send it by snail mail on a disk!
  
  Too easily intercepted. The only way to keep it secure is to whisper it in someone's ear on a lonely beach. Time was when crowded streets and shopping malls might have been good, but there seem to be cameras everywhere these days...
  
  When I was a kid, Mr Blair's "1984" seemed a little improbable. Now it's just old hat.
4. Re:Except you must still trust Tor by sopssa · 2009-10-25 04:10 · Score: 1
  
  Too easily intercepted. The only way to keep it secure is to whisper it in someone's ear on a lonely beach.
  Until you realize that there's a guy listening to your conversation under you in the sand.
5. Re:Except you must still trust Tor by interkin3tic · 2009-10-25 06:23 · Score: 1
  
  So you shouldn't use it if you don't want to be a Tor-get of investigation? :>
  
  That was torrible.
6. Re:Except you must still trust Tor by TheRaven64 · 2009-10-25 06:29 · Score: 1
  
  No, use end-to-end encryption with either pre-shared keys or keys signed by a mutually trusted party in addition to Tor. Don't just use Tor by itself and expect it all to be happy and magic.
  
  --
  I am TheRaven on Soylent News
7. Re:Except you must still trust Tor by Thinboy00 · 2009-10-25 07:19 · Score: 1
  
  If you have data that's so important that you don't want the Chinese or NSA looking at it, send it by snail mail on a disk!
  Too easily intercepted. The only way to keep it secure is to whisper it in someone's ear on a lonely beach. Time was when crowded streets and shopping malls might have been good, but there seem to be cameras everywhere these days...
  When I was a kid, Mr Blair's "1984" seemed a little improbable. Now it's just old hat.
  Why not just encrypt the disk? Are you worried about the two generals problem?
  
  --
  $ make available
8. Re:Except you must still trust Tor by arevos · 2009-10-25 08:59 · Score: 3, Insightful
  
  You must still assume that the Tor nodes you are using are not hacked NSA or Chinese intelligence agency nodes, with a nice 'log traffic to disk' function added.
  Tor is a service for browsing anonymously, not securely. Security is handled by SSL.
9. Re:Except you must still trust Tor by AHuxley · 2009-10-25 11:03 · Score: 2, Interesting
  
  not hacked NSA?
  The NSA could set up front companies ie telcos or cut out political rights groups, students, uni profs boxes and just connect the dots in the USA.
  As the NSA is every telco, ips in the USA, getting a entry IP and tracing back to the exit ect. is not hard with their budget.
  As the NSA now faces inward, TOR in the USA is now another fun computer project at best.
  Sneaker net people or meet and greet with an understanding of one-time pads :)
  
  --
  Domestic spying is now "Benign Information Gathering"
10. Re:Except you must still trust Tor by muckracer · 2009-10-25 23:15 · Score: 1
  
  > Sneaker net people or meet and greet with an understanding of one-time pads :)
  I am still hoping for some bright person to come up with public key encryption that does not involve a computer and its math power, but can be done with pencil and paper...
11. Re:Except you must still trust Tor by HTH+NE1 · 2009-10-26 09:18 · Score: 1
  
  Anonymity and security are generally incompatible concepts. I.e. to be anonymous you have to be anybody, but to be secure you have to be someone in particular.
  And if you OK with being identified, then the only thing you have that remains secret in Tor is your locality. So logging in somewhere with something that is geo-aware and thus can leak your location over Tor is especially foolish (like logging into your pedophile-ring's server and uploading live the geo-tagged video you're making with your cellphone's camera -- Tor won't protect you from outing yourself).
  Tor could use its own paranoid version of Clippy that says, "It looks like you're about to disclose your identity and/or location over an anonymizing network. Would you like me to inform the authorities directly instead?"
  
  --
  Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
12. Re:Except you must still trust Tor by arevos · 2009-11-04 12:07 · Score: 1
  
  Anonymity and security are generally incompatible concepts. I.e. to be anonymous you have to be anybody, but to be secure you have to be someone in particular.
  No you don't. You're confusing security with authentication.
security is a many splendored thing by Anonymous Coward · 2009-10-25 03:07 · Score: 0

It isn't that TOR is insecure. It is that TOR provides limited protection against adversaries. End users need to understand those limits and work within them.
cell co.s will be thrilled by quickOnTheUptake · 2009-10-25 03:21 · Score: 1, Insightful

I'm sure cell companies will be thrilled to hear this, with Tor and other onion routing systems using several times the bandwidth of a typical direct connection.

--
Mod points: Guaranteed to remove your sense of humor.
Side effects may include gullibility and temporary retardation
1. Re:cell co.s will be thrilled by sopssa · 2009-10-25 03:28 · Score: 1
  
  I'm pretty sure they dont really care, this isn't going to be in that widespread use anyway.
2. Re:cell co.s will be thrilled by Anonymous Coward · 2009-10-25 04:08 · Score: 0
  
  I'm pretty sure it doesn't use several times the bandwidth of a typical direct connection. It just connects to another peer.
3. Re:cell co.s will be thrilled by quickOnTheUptake · 2009-10-25 07:14 · Score: 0
  
  let me clarify: since a given tor node is not just handling its own demands, but is also relaying other nodes' traffic, other people are routing through you (that's a down and up for each request you relay), such that on average Tor is going to multiply the total bandwidth used.
  Take an example, if you relay an average of 1 request for each one that you make (assuming that on average all requests are of equal size) you will be using about 3x the bandwidth you would need if you weren't a Tor node (the down for your request, the fetch for the relayed request, and resending the relayed request).
  For Tor to remain sustainable I assume that the network needs each node to relay about 2 or 3 x as many requests as it makes, so this means that the single relay would need to be a 2 or 3 (unless you are leaching) so the factor goes up to something like 5 or 7.
  
  --
  Mod points: Guaranteed to remove your sense of humor.
  Side effects may include gullibility and temporary retardation
4. Re:cell co.s will be thrilled by skeeto · 2009-10-25 07:55 · Score: 3, Insightful
  
  The phone won't be acting as a node, though. Cell towers wouldn't carry any extra traffic than normal.
5. Re:cell co.s will be thrilled by Smurf · 2009-10-25 13:26 · Score: 2, Informative
  
  let me clarify: since a given tor node is not just handling its own demands, but is also relaying other nodes' traffic, (...)
  That's where you're wrong. A Tor client isn't required to be a node, i.e., he is not required to relay traffic for others. It is basic etiquette to become a node if you use the client, but no one is forcing you. Why do you think Tor is so slow? Leechers!
  So, if relaying traffic is turned of on the cell phone client (and it IS turned off by default on the desktop clients), the total bandwidth consumed is going to be the one of the direct connection plus the overheads of all the layers of encryption, which is not too much.
6. Re:cell co.s will be thrilled by quickOnTheUptake · 2009-10-25 14:16 · Score: 1
  
  Thanks for the correction. I assumed (I know, I know) it was considered impolite not to run as a relay.
  
  --
  Mod points: Guaranteed to remove your sense of humor.
  Side effects may include gullibility and temporary retardation
7. Re:cell co.s will be thrilled by cbhacking · 2009-10-25 19:25 · Score: 1
  
  Well, there's a little extra information (the routing data that the Tor node uses to direct your packet to its destination, or inform you of an incoming packet's origin). It's pretty minor, though.
  
  --
  There's no place I could be, since I've found Serenity...
Use it for .onion only by zoloto · 2009-10-25 03:43 · Score: 4, Interesting

I use TOR mostly for browsing .onion sites, inaccessible without it. Also, if you set up your connection/system properly, you *can* browse anonymously. The idea is that your ISP and external website (and exit node) can't identify who you are. This is a VERY good thing. I would, however, not log into any service that could identify me as "me" online through tor. Ever.

As a personal opinion, many of the .onion services (forums etc) are more interesting than what's on the rest of the public internet anyways. It's amusing and interesting to see what people have to say on forums when they are really able to be anonymous (trolling aside).
1. Re:Use it for .onion only by muckracer · 2009-10-25 23:18 · Score: 1
  
  > It's amusing and interesting to see what people have to say on forums when
  > they are really able to be anonymous (trolling aside).
  I CAN HAZ CHEEZBURGER?!
brb fbi by Anonymous Coward · 2009-10-25 03:58 · Score: 0

Of course, as soon as you connect to Tor your device will become a conduit for people accessing contraband. Have fun explaining that to the authorities, your boss, your family...
1. Re:brb fbi by Anonymous Coward · 2009-10-26 01:56 · Score: 0
  
  Only if you run an exit node instead of a middleman node.
not secure by bananaquackmoo · 2009-10-25 04:23 · Score: 1

Um, I'm actually quite sure that the cellphone companies can still track your surfing based on your phone number, chip, and hardware. If you mean anonymous browsing via wifi, that might be a different story.
While parent is an obvious troll... by Anonymous Coward · 2009-10-25 04:24 · Score: 0

I am not answering specifically to parent, but to the "Democracy == mob rule" argument in general, which I know some people to take very seriously.
First we got to determine the meaning of mob rule. Usually I would take it to mean lynch mobs ("My sheep died... And that woman looks like a witch! Let's kill her!" without proper investigation) but it is rather obvious that democracy has nothing to do with this, to either direction. (Unless direct democracy is used in trials, which doesn't happen anywhere in the world)
So, I guess that by mob rule the makers of that claim mean "The many oppress the few" but it just doesn't work like that. The judicial process in democracy is slow (it must be so that people could state their opinions on upcoming laws, etc.). As a result of this... Yes, some small group's rights may be taken away if that is the will of the majority. However, in that case the oppressed group can move to a country that doesn't oppress their rights if they want to.
No group is ever really oppressed if they still have the right to leave if they want to. Unless the overwhelming majority in every country in the world is against them. At that point... Well, they are screwed, no matter what happens.
Of course you might think "What? So if gays for example felt that they were oppressed, they should leave the country? That's hardly fair..." and it's true, the system isn't perfect. But the marjority of people who have to live in a society get to make the rules and those who don't like them can choose to take their business (or their lives, in this case) elsewhere if the amount of oppression more than makes up for the good parts of the society.
I find it funny how libertarians have the greatest opposition to these ideas. They think that businesses have the right to do what they wish but people also have the right to vote with their feet. But when the exactly same concept (majority of the people make the rules but if you aren't happy, vote with your feet) is applied to any other aspect of the society, that's horrible.
One can't even say "But governments have the unfair advantage if they can tell you what to do and you *have* to comply...". No, you don't. Alternatives exist (going to jail, for example). Somehow this is much worse than the alternative of starving to death if the local food monopoly has unfair business practices.
1. Re:While parent is an obvious troll... by Truekaiser · 2009-10-25 04:54 · Score: 1
  
  the problem is justice it's self is the will of the majority, because of this what is viewed as justice constantly changes.
  200 years ago blacks had no rights, less then 100 years ago they were considered secondary citizens, now were taking away rights from middle eastern looking people.
Android is spyware by Anonymous Coward · 2009-10-25 04:31 · Score: 0

Why would anyone interested in protecting their privacy even use an Android phone?
With Android being made by Google, the company that wants everything about you to live in the benevolent Google cloud, Android is one huge violation of privacy.
1. Re:Android is spyware by Moridin42 · 2009-10-25 06:18 · Score: 1
  
  You.. are clueless.
  Don't want your Android phone's data in the cloud? No problem. The gmail account that ties to your phone need not have any personal information in it. Don't want your phone's contacts to sync to the Google account? Turn off contact syncing. Its that simple.
  Don't want Google Latitude to function with your phone? It'll ask when Google wants to know your location. Tell it to fuck off forever more. It does.
  I know.. what an invasion of privacy. Those bastards. If this is the sort of behavior that you believe is an invasion, then you'll definitely want to not pick up any cellular phone of any make, from any provider.
  
  --
  I don't expect morality, equality, consistency, or justice from the law. I expect only legality.
2. Re:Android is spyware by Anonymous Coward · 2009-10-25 09:47 · Score: 0
  
  At least with phones from Apple and MS you can use Google without being indelibly on their radar the entire time. You can cloak yourself by deleting Google's cookies in Mobile Safari and Pocket IE, but not in the Android browser. Shows you what Google's priority is with developing Android (and Chrome), which is pervasive and unavoidable user tracking.
  I'll stick with Apple and MS. As crazy as it sounds, compared to Google, at least they protect my privacy.
  Google has grown into a scary data warehousing behemoth which is keeping secret files on everyone with little to no proper explanation of why they're doing so.
3. Re:Android is spyware by AHuxley · 2009-10-25 11:15 · Score: 1
  
  If a state task force or the feds have a roving warrant, unless you remove the battery, you are fair game.
  As mentioned, talk in the ocean, change phones every week, never use your home computer for anything but games and sport ect.
  
  --
  Domestic spying is now "Benign Information Gathering"
Just in case 3G isn't slow enough already... by Shag · 2009-10-25 04:34 · Score: 1

Wonderful, now we can route our already-pokey 3G connections through a whole bunch of nodes to make them feel like old 2G connections.
Is retro back in style?

--
Village idiot in some extremely smart villages.
1. Re:Just in case 3G isn't slow enough already... by Tumbleweed · 2009-10-25 06:21 · Score: 1
  
  Wonderful, now we can route our already-pokey 3G connections through a whole bunch of nodes to make them feel like old 2G connections.
  Is retro back in style?
  I just spoke with kibo; he says yes.
2. Re:Just in case 3G isn't slow enough already... by interkin3tic · 2009-10-25 06:29 · Score: 1
  
  Not to mention the localization issues. The one time I used tor, loading up google gave me a brief scare when it appeared in Cyrillic. For a split second I though I had somehow accessed some secret KGB google.
  Subsequent split seconds were spent laughing at that first though.
Why not use VPN to maintain the speed? by lisany · 2009-10-25 05:12 · Score: 1

As an iPhone user I prefer just using the built-in L2TP over IPSec. Surely the android phones can do the same thing.
1. Re:Why not use VPN to maintain the speed? by TheRaven64 · 2009-10-25 06:35 · Score: 1
  
  That doesn't do the same thing. It actually does something more useful; preventing the owner of the random WiFi hotspot you're using from snooping on your traffic. Tor, on the other hand, prevents the remote site identifying you. If you connect to Slashdot, for example, through Tor then you will connect to a Tor peer and it may then relay your connection via other Tor peers, and eventually it will be bounced out and Slashdot will think your connection comes from a random Tor exit node. In theory, the Tor node that you connect to can not tell if packets from you originate with you or are simply being forwarded by you. In practice, there are several attacks where someone with sufficient resources to do basic traffic analysis (i.e. most ISPs or governments) can detect this, and can also poison the Tor network by seeding it with a number of evil nodes that log everything and do arbitrary rewriting things on any unencrypted traffic.
  Also, I don't know why I'm following the headline's capitalisation and saying Tor, when it's an acronym for The Onion Router (not affiliated with The Onion).
  
  --
  I am TheRaven on Soylent News
2. Re:Why not use VPN to maintain the speed? by fustar · 2009-10-25 06:42 · Score: 1
  
  Both LT2P and IPSEC (preshared and certificate) are supported by the OS
Tor is useless by harmonise · 2009-10-25 07:57 · Score: 1

Tor is useless. It's a neat idea but doesn't work in practice due to bandwidth problems. Every time I have tried it, connections almost always time out without receiving data. The few times I do receive data it can take minutes for a web page to appear, say nothing of the images which would still need to load.

--
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
1. Re:Tor is useless by Proteus+Child · 2009-10-26 01:59 · Score: 1
  
  So help the project. Write some code that speeds it up a little. Fix bugs in the source tree. Run a middleman (or better yet, exit) node with a decent allocation of bandwidth. Rent a VM someplace and run a Tor node. Advocate for the project to get more people to run middleman and exit nodes.
  
  --
  Proteus' Child
  Doko ni datte; hito wa, tsunagette iru.
Speed by YourExperiment · 2009-10-25 07:58 · Score: 3, Funny

Tor is a wonderful piece of software, but browsing with it can be somewhat slow at times. Mobile internet is also a great invention, but can be frustratingly slow. Thank heavens that no-one is proposing using these two technologies in combination!
Not even anonymous in some situations! by renoX · 2009-10-25 10:09 · Score: 1

>>Secure, anonymous access to the web via Tor on Android is now a reality
>
>People should really stop using the word secure with Tor. Anonymous, sure
Not even anonymous in some situations!
Let's think about China: they control the network so they can easily know *who* is using Tor (by monitor Tor's access gateways) and even though they don't know what you're doing with Tor, they know that you're trying to bypass the filtering..
Now it depends on the number of Tor users, if they are numerous, you're safe, otherwise using Tor, you risk to draw government's attention to you: it's not a very good kind of anonymity..
Out of web paper ? by dbcad7 · 2009-10-25 13:58 · Score: 1

What the heck happend here ? .. there was a story on Tor, and then a story about AT&T and somehow the Tor replies are in here ?

--
waiting for ad.doubleclick.net
1. Re:Out of web paper ? by Soulskill · 2009-10-25 14:07 · Score: 1
  
  There was a disturbance in the force. This is not the post you're looking for.
2. Re:Out of web paper ? by ethan0 · 2009-10-25 14:15 · Score: 1
  
  good question. as far as I can tell:
  - story about tor on android goes up at http://yro.slashdot.org/story/09/10/26/0130200/Anonymous-Browsing-On-Android-Phones-Using-Tor
  - story about tor disappears - that url gives "The item you're trying to view either does not exist, or is not viewable to you."
  - story about at&t congestion shows up at http://mobile.slashdot.org/story/09/10/25/1316233/A-Possible-Cause-of-ATampTs-Wireless-Clog-mdash-Configuration-Errors
  - comments from tor story are on at&t story
  - a few minutes later, the tor story reappears at the url of the at&t story, but now in the mobile section instead of yro. at&t content disappears from that url.
  - at&t story appears as a new story at http://mobile.slashdot.org/story/09/10/26/0152214/A-Possible-Cause-of-ATampTs-Wireless-Clog-mdash-Configuration-Errors
  weird.
Tor for iPhone by dUN82 · 2009-10-25 16:48 · Score: 1

May we have an iphone version of it plz...
Time for go to bed! by Tetsujin · 2009-10-26 03:06 · Score: 1

And furthermore, the "TL;DNR" meme is yet another example of willful ignorance in snarky packaging.
Agreed. It's aggressive idiocy, like the rephrased quoting with "FIXED IT FOR YOU" meme.
There, I fixed that for you.

--
Bow-ties are cool.