Slashdot Mirror
Why Tor Users Should Be Cautious About P2P Privacy
An anonymous reader writes "I went across your post a few days ago saying that a machine connected to the Internet was all one needed to spy on most BitTorrent users of the Internet. I followed the link to find out that those researchers from INRIA claimed their attacks also worked for BitTorrent users on Tor. I didn't believe it at first, but then today I found this link on the Tor Project. It seems their attacks don't only link your real IP to your BitTorrent files on Tor but also to the web pages that you're browsing! Tell me it's a joke." No joke, but according to Jacob Appelbaum (a Tor developer), the security flaw is more nuanced — and the fault of software outside of Tor. Read on for his explanation of how the privacy benefits of Tor can be easily lost.
Appelbaum writes "This isn't a failing of Tor, it's a failing of BitTorrent application designers and a privacy failure of their users too. The BitTorrent clients don't appear to double check the information that's ripe for tampering. When combined with common BitTorrent applications that aren't designed for privacy, it's possible to cause a BitTorrent client to leak information about their actual source IP. The BitTorrent protocol is difficult to anonymize with a simple proxy.
Ironically, one of the best points of the paper is that those BitTorrent clients also harm the anonymity of the users' web browsing. The user's browsing will often leave the same Tor Exit Node as their BitTorrent traffic; the user is using the same circuit for browsing as they are for BitTorrent. If the user isn't practicing safe browsing techniques, they're probably going to reveal some more of their traffic to the authors of the paper. This is just like the normal internet too. If you browse unsafely, people can observe you or tamper with the data in transit. So in conclusion, this paper isn't about busting anonymity networks as much as it is about busting BitTorrent client privacy."
Additionally, he says, "Tor can't keep you anonymous if you don't actually use Tor for your connections. ... The real key is that if they had done transparent proxying (that failed closed) and they had a privacy-aware BT client, the user would probably be fine. Please don't use BitTorrent and Tor together."
Pardon my ignorance, but using Tor for P2P stuff is at best abusive, at worst highly destructive. Tor wasn't designed for high bandwidth applications. It was designed for Web browsing and ensuring that packets from an exit node would be very hard to trace back to the sender as the first priority.
Of course, even with the best anonymization methods, if someone has cookies, Flash shared objects, or shared objects stored by add-ons that positively identifies their Web browser, their browsing history can be linked together, and some sort of profile be built.
Tor is half the battle. The second half is making sure your Web browser is anonymous. I prefer running it in a VM which rolls itself back, and has as little customization as possible, so it fits in with the millions of other people running IE with standard XP installs.
I2P is much better suited to anonymous file sharing: http://www.geti2p.org/
There is also http://www.stealthnet.de , but it only does file sharing, while I2P supports a broad range of anonymous communication.
What about i2p? As it uses modified p2p programs (including BitTorrent), is it vulnerable to this flaw or not?
just use peerblock
http://www.peerblock.com/
There's really only one way to do it - run it on a freshly-installed (probably virtual) machine (so there's no personal data on the system) with a non-public IP address, and then firewall it off so it cannot make any non-Tor network connections. Then apps can leak all the data they want, but they have no useful info to leak.
What else could I say?
just join a good private tracker
Surrender and go Amish!
That's the real name of the game, people what to download whatever they want but that nobody recognized them. Just like thieves wear black mask so that they are not recognized when stealing.
Such protocols will be frowned upon by bigger players than RIAA and MPAA, for example international police don't want child predators to be able to share illegal material with such privacy.
Anomos' Key Features:
--------------------
1)UNLIKE BITTORRENT, NO PEERS DIRECTLY UPLOAD/DOWNLOAD TO OTHER PEERS.
Every peer relays to other peers just like Tor. This makes it more difficult for the prying eyes.
2)The more peers connecting to the same tracker, the stronger the anonymity for everyone.
3)runs on windows, mac os x, and linux
4)Based on the original python-based bittorrent sources
5)Tweaked to be tor-friendly
For more information:
http://anomos.info/
Anomos torrent sites are on their way. Seek and you shall find.
It would have the following aspects:
1.Freenet style "you dont know what you are sharing" plausible deniability so when the RIAA come after you for file sharing, you can prove in court that you had no clue that you were sharing that content.
2.A full set of options so you can limit its resource usage (and so it wont just use up all available bandwidth the way some p2p protocols and clients do)
3.Good encryption designed so that you cant tell what someone is downloading unless you are sharing the data yourself (AND have a modified client to record this info). For the encryption, use Diffie-Helman to negotiate an AES key or something with AES then being used for the actual data transfer.
4.The protocol and client would be 100% open source so its impossible to target the developers in the way Napster and others were targeted
and 5.It would have a good in-built search feature (no more torrent tracker sites for the RIAA or MPAA to sue or go after)
US government agencies have been forcing friendly nations into installing "Lawful Interception" (LI) devices in their ISPs for years. These devices mean that those US agencies can remotely trace a packet across the globe no matter how many bounces it takes. If your country wants to trade with the US then installing these LI devices usually becomes part of conditions for trade agreements. Such capabilities may be necessary for tracking down drugs, organised crime child porn/abuse and terrorism. However, how often does such tracking it stop there? Furthermore, whatever protections there are in US law for US citizens doesn't apply to these agencies when looking at foreign traffic (same loophole that Guantanamo solves/exploits, depending on your point of view). Since Tor relies on anonymizing by bouncing packets around but Lawful Interception can see the packets no matter where they end up. Only rational conclusions from this are: Tor is broken, don't use it; don't break the law; and, don't oppose your government (no matter how corrupt or bad they might be) - since Tor can't help you. Encryption is the best solution. But since encryption can be broken if resources are applied to it this only works if everyone uses encryption (just as everyone uses envelopes for physical correspondence rather than postcards.)
Wow, you realize at some point it becomes easier to just buy the content you're trying to hide transfering than what you're doing right?
By the time your transfer is complete, the copyright will have expired, even at lifetime + 75 years.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Highly suprised? Not at all.
a) The same story was about a year ago about embassies using tor and being sniffed on
b) All anonymizing techniques rely on a sufficiently high ration of suitable "good" to "bad" nodes. Nowadays, injecting 1000 bad nodes is not costly. I suppose many secret services have 1000s of machines (or virtual machines) in the Tor network
c) If your endpoint needs to keep a stateful connection for your machine, he will be able to sniff the total connection. At least he will be able to extract metadata, and unless you use encryption, also get the whole content of the stream
d) P2P is inherently not-encrypted, at least no the content level. In the contrary, it is indexed by content, which reduces the effort to analyse what somebody wants to download (which is why P2P works).
e) Your ISP is subject to a contract with you and privacy laws. An arbitrary guy being a tor node is not
f) If you dont trust you ISP, then use a VPN you pay for with a clearly defined policy on when to hand over you records (the one i use specifically states only when forced by a judge). You anyway should have one of these for going online abroad.
Gnunet and Freenet are designed for privacy from the very beginning. It's usually very very bad choise to trying to use systems that aren't designed for privacy. And then trying to fix all the problems that are hidden with these overly complex protocols and plugins.
Easiest way to secure any system is get rid of way too complex systems. Just like web browsers, web servers, extensions like php, python, sql, email clinents and protocols like BitTorrent. Keep it simple, very simple, is the key when dealing with private data.
Same method apply with real world privacy too. Don't use cell phones, don't use credit card. Keep it simple. All modern nice and complex things include many issues that you might not be aware about.
Or you could just pay the $5 a month to superchargemytorrent.com and not have to worry about downloading any new applications, since everything originates from their proxy IP anyway.
You don't sound like you have much grasp of the problem honestly. I doubt the plausible deniability will hold up all that well, plus search gets very difficult. Onion routing definitely could make obtaining evidence harder.
I'd favor instead restricting file transfers to people's social networks and instant messaging connections. I'm aware that some IMs like Yahoo have file sharing functionality, but you might get more traction with a multi-protocol plug-in for the various libpurple based IM clients like Adium and Pidgin.
An even better option would be merely using hashes based upon various online identities. You give the p2p application your login information for social networks, instant massagers, hotmail, gmail, etc. It'll then compute a rough extremely non-injective hash for your identities and your contacts identities. Your own identities hashes are sent through the p2p network along with temporary public keys. Any client recognizing some hash sends an encrypted response with a better more injective hash. If both clients agree they are friends, then direct connections are established, file lists are shared, etc. All clients cache the file lists from other clients, meaning users may peruse their friend's shares while their friends are offline, or even negotiate offline transfers via portable hard-disk. Nobody ever shares with strangers.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
Comment removed based on user account deletion
Actually you'd be surprised by the speed.
In case anyone is thinking that this is somehow a 'security flaw' in BitTorrent, we should be clear that privacy is not a design goal of BitTorrent; BitTorrent was designed to provide extremely reliable, efficient file delivery. So while BitTorrent has many strengths (efficiency, etc.) there is a tradeoff between its goals and the goals of a network such as Tor. Specifically, in order to maximize efficiency, BitTorrent distributes your IP address quite openly, has consistent and obvious torrent IDs, etc., which make it efficient and reliable, but pretty much the OPPOSITE of concealing what you are doing from your ISP and the rest of the p2p network. Anyone who was surprised that it's easy to monitor BitTorrent traffic hasn't read the protocol spec - it is EXTREMELY easy to monitor activity in BitTorrent networks, because BitTorrent intentionally distributes everyone's IP addresses, transfer activity, etc., in order to allow the protocol to operate efficiently. So if you want to monitor BitTorrent, you just find tracker addresses and torrent IDs (which are in the .torrent files) and ask the trackers and for the addresses of all of the peers in each torrent, and get back a nice list of peers.
There are other p2p networks that do attempt to conceal what you are doing in the network, but the cost of that is that they generally are inefficient (wasting tons of CPU and bandwidth) and thus perform badly, making them unpopular with people who want to rapidly download files.
And I will second the note that running BitTorrent through Tor is a terrible idea. You end up with the worst of both networks - terrible performance and not much security. Worse, doing so damages the rest of the Tor network, interfering with people who are using Tor for what it is designed for.
Enable 3D printed prosthetics!
... Offer the illusion of privacy.
FUCK everyone who is using Tor with BitTorrent. I hope you all DIE OF CANCER. And then get run over by a truck. And then exhumed and put on display in a freakshow of FUCKING IDIOTS.
This is just a short summary of the blog-post, errors may occur please say so if you find some.
1.) Threat UDP/TCP - Proxy ignore
a.)
The BT-client is at fault not telling the user when selecting to use a socks-proxy, that it will simply ignore your setting. It's because (most) BT-Tracker uses UDP and tor cannot relay UDP
b.)
WORSE: some BT-Clients put your real ip-address into the information they send out to the tracker.
Applies to tracker-data over tor
2.) Threat
Combined 1.a & 1.b
3.) Threat /. login over a non-https connection
in short the exit-nodes can try to identify you,
like when sending your
(you're identifiable, unless you use a totally anonymous account with anon-email etc..) and not telling on twitter that you are Willy Woe.
Your data-stream and all over streams from you going web/out over this exit-node are pointing to you.
Threats 1 2 3 - teach us a lesson
The problem is that devellopers don't build their software (tor)-safe or safe anyway, just ignoring the users wish without telling about the override, reminds me a bit of vista & 7 :)
ps.
even if you think an app like jdownloader is tor-safe, scrap it, it's not it will only use the web-proxy you specified but ignores the socks-proxy setting.
You can watch this behaviour using "an" applicationlevel software firewall on win32, also make sure that dns-requests are reported.
Tor, as a means of obtaining "privacy", is hopeless. If you use a web browser, the browser headers, cookies, single-pixel GIFs, and Java applets still tend to give out identity information. A sizable fraction of TOR exit points are exploits of one kind or another. Give it up.
Yes and when you're in China I am sure the local library will be quite happy to lend you that copy of the dvd on Tankman, just as long as you can show your ID ;)
Tor isn't some magic bullet. You aren't going to get privacy unless you know wtf you are doing with it. It also isn't necessarily really useful for that kind of stuff. It is more useful for those who actually have a need for privacy. People who aren't going to be surfing "safe" and "non-safe" sites or doing "safe" and "non-safe" stuff at the same time. You won't have these types of problems if the environments where Tor is really useful. Tor will protect you if you want to go into hiding. It won't protect you from the RIAA cause the RIAA isn't going to kill you. The RIAA won't drag you out of your house spit in you spit in your face, beat you, lock you up, rape, and torture you for the next 20 years. Then put you on a list and make you live in shitty conditions all so they can do it all over again to you. No. Tor is for people who are being persecuted. It isn't for you ass fucks who think ... ok. I hate the RIAA and i think people who are opposed to bittorrent on the Tor network are ass holes- but they aren't wrong about it degrading the network either. They have a point. I think though some of them take it too far with what they ban passing through their exit nodes. They don't get that some people actually have real needs to get video and other media out to the world. Bittorrent might not be critical to that end. Certainly though those using Tor need to be able to pass large files through it though and there are people blocking "file sharing" sites. Sites that are exactly of the type people who need to get video and other exploitations out to the world would need. Anyway. My two thoughts.
The BitTorrent clients don't appear to double check the information that's ripe for tampering. When combined with common BitTorrent applications that aren't designed for privacy, it's possible to cause a BitTorrent client to leak information about their actual source IP.Advanced Technology
Now, I understand why Tor is so slow.
Pirates: please, don't pollute the Tor network with your files.
Tor is only for web browsing or for low quality video streaming.
If you really want to download pirated stuff, there are tons of other ways than to kill Tor.
If you are able to use Tor (which is for the tech savvy), you should be able to discover the other ways.
Hints: NNTP, HTTP, IRC.
I disagree.
Tor must simply become robust to "bandwidth hogs". They have to come up with a way to anonymously enforce ethical behavior through "bandwidth sharing" (i.e. you can't consume much more bandwidth than you provide for long periods of time), through some form of hashcash or something.
Otherwise, this only means that if some powerful agent (think "China" or "NSA") wants to temporarily disable the whole Tor network worldwide, they only need to saturate it with traffic. This seems to be a flaw that needs to be fixed, if Tor wants to scale and be resilient.
don't you just need a big "erase all disks" key-combo?
or some PCI card that does a EMP pulse?
the weired thing is that if every bit-torrent users ...errr... getting stuff for free
vote would count towards
we'd probably have a majority.
Stop your spamming. The tracker sees your real ip, game over. It's disingenuous to name something "anomos" when it is anything but anonymous (not even pseudo-anonymous).
Yup, all they have to do is subpoena the tracker and everyone on that list is done. Plus, the tracker has a record of everything that was sent to everyone (it must, by nature of the protocol).
In other words, it looks a lot like anonymity, but all it really protects you from is someone in the middle of the cloud sniffing out your IP address. There are services that already find and block such hosts on the network, so you are not really gaining a lot in that respect. It will not protect you from litigation once they hit the tracker. You're only slightly better off than bittorrent, and it's probably a hell of a lot slower.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
I don't have enough time to screw with it, but I'll try the linux build. Thx
Only his tendency toward a dazed stupor prevented him from screaming aloud.
There's another anonymizer on the block, and it's called I2P (Invisible Internet Project). Offers end to end encryption, a hardened web-based bittorrent client, anonymous mail, anonymous webserving and a whole host of other services. More info at: http://i2p2.de/ or http://geti2p.net/
Tor is a known tool for collectors of CP. CP videos are not generally sold in stores.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
See my tagline about i2p, a low-latency onion type network made for anonymous general purpose use. It even has built-in bittorrent. It's been running for over 5 years now, and is reaching maturity (and success).
FWIW, most bittorrent access over tor is for tracker info only... not data transfer. Enabling the tor option in Vuze/Azeurus prefs will not unduly burden the tor network.
If you visit the i2p forums, they would explain to you that tor doesn't have the necessary design to handle anything bandwidth intensive (and the usage pattern of bt--tor is insecure). You need a different anonymizing network stack like i2p.
You can't use it for anything other than transferring files.