VPN Flaw Shows Users' IP Addresses
AHuxley writes "A VPN flaw announced at the Telecomix Cyphernetics Assembly in Sweden allows individual users to be identified. 'The flaw is caused by a combination of IPv6, which is a new Internet protocol due to replace the current IPv4, and PPTP (point-to-point tunneling protocol)-based VPN services, which are the most widely used. ... The flaw means that the IP address of a user hiding behind a VPN can still be found, thanks to the connection broadcasting information that can be used to identify it. It's also relatively easy to find a MAC address (which identifies a particular device) and a computer's name on the network that it's on.' The Swedish anti-piracy bureau could already be gathering data using the exploit."
It's also relatively easy to spoof an IP address or MAC address.
has not been using pptp for vpn for quite some time. IPSEC (AES) anyone? Just sayin.
You don't need PPTP if you're using IPSEC and IPv6. Even Microsoft clients don't need it any more.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I seriously doubt any reasonable level of donations will ever allow the Tor network to add the kind of capacity required to torrent. I think it has many more important needs than that anyway.
IPv6, which is a new internet protocol due to replace the current IPv4
My grand kids will probably be saying that to their grand kids.
Not only that, but Tor isn't nearly as secure as most people think it is
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Good point, anyone can host a Tor node, and I'm sure we can bet the bad guys are hosting just as many or more than the good guys. Web of trust for Tor, anyone?
In order to have a web of trust, don't you need to be able to establish the identity of the other people in your web to a reasonable degree of certainty? Wouldn't verifiable identities undermine the concept of anonymity that is the whole purpose of Tor?
The Tor nodes themselves are actually quite identified, as you can see by the hostnames/IPs of the nodes themselves. The clients are the ones who are anonymous, as is intended.
That only matters for exit traffic; onion site traffic can't be easily sniffed by nodes.
Now they have my IP address: 192.160.0.1
The only flaw is when people believe that VPN or any other network technology streaming on the public superhighway via telecoms and satellite networks is absolutely private and secure 100% of the time. Once you fix that defect, the rest won't matter anymore. Too bad our national security experts are having so much difficulty with that concept, since it's bad for business to accept reality or to tell the truth, in general.
And information that resides on the Tor network itself never needs an exit node at all.
On the Oregon Coast born and raised, on the beach is where I spent most of my days
What, then, is the best way to preserve anonymity when using, for instance, BitTorrent? I have looked at services like BTGuard & Predator, but there's always a little spidey-sense tingle of lack of trust...
Doesn't IPv6 drop some of the need for VPN?
But then the ISP needs to do their part and give you more than 1 IP.
The conference video apparently.
I think persistently sending a file over SSL over Tor to wikileaks might be somewhat suspicious to a malicious man in the middle listening for as much. Hiding who one is talking to is still as important as hiding what is said.
http://www.i2p2.de/
Considerably more secure than TOR, but not any faster.
And the donation most needed by any such community is the donation of BANDWIDTH. Exit nodes, or the lack of exit nodes, are the most limiting factors with any of the darkweb softwares.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
rather wish I had not.
Hey um... I was just kidding about the whole overthrow the government thing. And the kiddie pics were for a research project. Like Pete Townshend. Yeah, just like Pete Townshend. And I purchased all of those songs and movies and just needed backup copies.
- For the complete works of Shakespeare: cat
Somebody who listens to your tor traffic at your end has absolutely no way of telling who you are communicating with. So who you are talking to is just as hidden as what you say. All packets in the tor network are encrypted in such a way that the contents are only ever known by the exit node. There is little point in using SSL if sending a file to wikileaks via tor, since only wikileaks and the exit node would see the plaintext even over plain old http, and neither would be able to determine who or where the sender was. If wikileaks is going to publish what you sent anyway, so the exit node could see it upon publication, there is little reason to hide anything, unless there is identifying information in your submission that wikileaks has agreed not to republish. In that case using SSL over tor to talk to wikileaks makes good sense.
You would use SSL over Tor only if there was some reason why it would be undesirable for the exit node to hear what you are saying, and you also want to hide your identity or perhaps only your location from the server you are talking to.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
The exit node might know that there's an SSL connection going through his computer that terminates at wikileaks. If everything is configured properly he should be unable to determine where that SSL connection originated.
Give me Classic Slashdot or give me death!
The Swedish anti-piracy bureau could already be gathering data using the exploit."
Um, not sure about Swedish law, but isn't this similar to, like, breaking DVD encryption? Just because the encryption is weak or has a security flaw in it, I am pretty sure it is still illegal to break or exploit it. If that's the case, could IP addresses gathered using this exploit be permissible in a court of law?
Just wondering out loud
While what you say is true about bandwidth, unless you are a "bad guy" using your exit node to try to capture useful data, you would have to be bug fucking crazy to run Tor or i2p2 or any of those on your PC as a node. Why? Because guess whose door gets kicked, guess who gets dragged off to jail, guess who has their PC confiscated, when some perv looks at CP over your connection...hmmm?
As we have seen with the CP witch hunt, innocence doesn't mean shit as long as they grab somebody to parade in front of the press. Sure, you may get proven innocent months later, after having to deal with threats of 30+ year prison sentences and everyone looking at you like a monster, but will anyone care? After all, retractions get buried on the back page while arrests get front page headlines.
So as much as I support the idea behind these networks, as someone with a family I wouldn't touch one of them with a 50 foot pole. And unless you have 50k+ in the bank to fight back you shouldn't be running a node either. The risks are simply too high in this witch hunt atmosphere to risk it. And has anyone even tested the whole "plausible deniability" thing that these networks use? They pretty much ALL cache to speed up the network, yes? Now correct me if I'm wrong, but under most laws I've seen you have to possess or distribute CP, not that you yourself actually have to have access to it. If you are an exit node they can easily prove YOUR IP address went to a CP site, and as far as I have heard that is all the "proof" they need to fuck your life up royally. Yeah, no thanks.
ACs don't waste your time replying, your posts are never seen by me.
The article wasn't terribly well written. I would say it is not a big deal at all because the traffic between the tunnel end-points is encrypted anyway. I smell an attempt to spread FUD about IPv6 and I happen to like IPv6.
As far as I can see, the vulnerability he talks about in the video is basically "if you use a VPN, but you don't put IPv6 traffic over the VPN, IPv6 traffic won't go over the VPN".
It seems a bit unfair to blame IPv6 for this; after all, IPv4 suffers from the same vulnerability.
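The bypass described in the two comments above (IPv6 simply not being routed into the tunnel) is easy to check for on a host. The following is an added example, not code from the thread or from any VPN vendor: it parses text shaped like `ip -6 route show` output (the sample tables are constructed; the interface names `ppp0`, `tun0`, `eth0` are assumptions) and reports whether the IPv6 default route leaves on something other than the tunnel interface.

```python
"""Audit an IPv6 routing table for traffic that bypasses a VPN tunnel.

Added example for this thread, not from the original post. Input is text in
the shape of `ip -6 route show`; the sample tables below are constructed.
"""
from dataclasses import dataclass
from typing import List

# Route types that deliberately drop traffic (a common "no IPv6 leak" mitigation).
BLOCKING_TYPES = {"unreachable", "blackhole", "prohibit"}


@dataclass
class Route:
    prefix: str
    dev: str
    blocking: bool

    @property
    def is_default(self) -> bool:
        return self.prefix in ("default", "::/0")


def parse_ip6_routes(text: str) -> List[Route]:
    """Parse lines such as 'default via fe80::1 dev eth0 proto ra metric 1024'."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        blocking = parts[0] in BLOCKING_TYPES
        prefix = parts[1] if blocking else parts[0]
        # Blocking routes are shown on 'dev lo'; real routes name the egress device.
        dev = parts[parts.index("dev") + 1] if "dev" in parts else "lo"
        routes.append(Route(prefix, dev, blocking))
    return routes


def audit_ipv6_default(text: str, tunnel_dev: str) -> str:
    """Classify where global IPv6 traffic would go.

    TUNNELED : default route uses the tunnel interface
    BLOCKED  : default route is unreachable/blackhole (leak prevented)
    NO_V6    : no default IPv6 route at all (nothing leaves)
    LEAK     : default route uses a non-tunnel interface (the bug in the thread)
    """
    defaults = [r for r in parse_ip6_routes(text) if r.is_default]
    if not defaults:
        return "NO_V6"
    if all(r.blocking for r in defaults):
        return "BLOCKED"
    if any(not r.blocking and r.dev != tunnel_dev for r in defaults):
        return "LEAK"
    return "TUNNELED"


# Constructed sample tables (not captured from a real host).
LEAKY_TABLE = """\
2001:db8:1::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev ppp0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 1024
"""

TUNNELED_TABLE = """\
2001:db8:1::/64 dev eth0 proto kernel metric 256
fe80::/64 dev tun0 proto kernel metric 256
default dev tun0 metric 50
"""

BLOCKED_TABLE = """\
fe80::/64 dev eth0 proto kernel metric 256
unreachable default dev lo metric 4294967295
"""

if __name__ == "__main__":
    for name, table, dev in (("pptp host", LEAKY_TABLE, "ppp0"),
                             ("openvpn host", TUNNELED_TABLE, "tun0"),
                             ("v6-blocked host", BLOCKED_TABLE, "ppp0")):
        print(f"{name:16s} {audit_ipv6_default(table, dev)}")
```

The IPv4-only tunnel in the first table is exactly the situation the comment describes: the PPP link is up, but the IPv6 default route still points at the LAN interface, so anything with an AAAA record goes out in the clear. The third table shows the usual mitigation when a tunnel cannot carry IPv6 at all: install an unreachable default so the traffic fails closed instead of leaking.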
PPTP can rot as far as I care. I've been using OpenVPN for a while now. It is much easier to set up, much less intrusive and much more secure.
I noticed just today that Windows 7 was NOT using the standard EUI-64 (derived from MAC address) data in their auto-configured IPv6 addresses. Instead, the addresses seemed to be randomly generated. Maybe someone at Microsoft understood this issue ahead of time.
now we need to go OSS in diesel cars
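The EUI-64 point above is the part of the flaw that exposes a MAC address: when the interface identifier is derived from the hardware address, the MAC is recoverable from the IPv6 address by anyone who sees it, which is why randomized identifiers (as the comment observed on Windows 7) matter. The following is an added example, not code from the thread or from Microsoft: it audits a list of IPv6 addresses for EUI-64-derived identifiers so an operator can see which hosts are leaking hardware identity. The sample addresses are constructed.

```python
"""Detect EUI-64 (MAC-derived) interface identifiers in IPv6 addresses.

Added example for this thread, not from the original post. Sample addresses
below are constructed, not taken from a real network.
"""
import ipaddress
from typing import Dict, List, Optional

EUI64_MARKER = b"\xff\xfe"  # inserted between the two MAC halves by EUI-64


def eui64_mac(addr: str) -> Optional[str]:
    """Return the embedded MAC if the low 64 bits look like modified EUI-64.

    Modified EUI-64 takes MAC aa:bb:cc:dd:ee:ff, inserts ff:fe in the middle,
    and flips the universal/local bit (0x02) of the first octet.
    A random identifier can contain ff:fe there by chance (1 in 65536), so
    treat a hit as strong evidence rather than proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != EUI64_MARKER:
        return None
    first = iid[0] ^ 0x02  # undo the u/l bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit_addresses(addrs: List[str]) -> Dict[str, str]:
    """Map each address to 'eui64 <mac>' or 'opaque' (randomized or static)."""
    report = {}
    for a in addrs:
        mac = eui64_mac(a)
        report[a] = f"eui64 {mac}" if mac else "opaque"
    return report


# Constructed sample: one EUI-64 address, one randomized (RFC 4941 style),
# one manually assigned.
SAMPLE_ADDRESSES = [
    "2001:db8::211:22ff:fe33:4455",   # derived from MAC 00:11:22:33:44:55
    "2001:db8::a1b2:c3d4:e5f6:7a8b",  # random identifier
    "2001:db8::1",                    # static, hand-assigned
]

if __name__ == "__main__":
    for addr, verdict in audit_addresses(SAMPLE_ADDRESSES).items():
        print(f"{addr:32s} {verdict}")
```

Run against the addresses a VPN client actually has bound (for example from `ip -6 addr` or `ipconfig`), any `eui64` verdict means the host is advertising its hardware address in every IPv6 packet that escapes the tunnel. The fix is on the client side: enable privacy extensions or stable-but-opaque identifiers rather than EUI-64.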
But AFAIK nobody has actually tested that theory in court have they? Here let me give a scenario, which because I've had business dealings with state police in the past really isn't far fetched. Cop decides your network, I2P, Tor, whatever, is a kiddie fiddler paradise and decides to "do something about it". So he sets up a node, puts on some CP (which yes, they are allowed to do even though I would consider it entrapment) and then writes down the IP addresses of any that "access" this data.
Now since the way I understand it is these networks cache data, and make no difference or checks on data being added to the network, it really shouldn't be hard for the cop to add CP to the network then write down the IP address of anyone whose PC caches said data. Since ALL he is offering to the network IS CP, he could then stand up in court and say ANY PC that hooks to him was accessing CP. Now as far as the law is concerned all one has to do is access or distribute it, nowhere in the law does it say one has to be able to look at it themselves.
So until this whole "encrypted cache" thing actually has some court precedent I would still be leery. Nowhere in the laws does it state you have to LOOK at it, only possess or distribute. Splitting hairs yes, but I have seen people get their lives ruined over hair splitting in the past, and I haven't been able to find any cases where the encrypted cache bit has been tested in court with regards to CP, have you? Considering you will be looking at 30 years + in PMITA prison, that is a hell of a lot of risk to take on something that hasn't even been tested in court. Remember, it doesn't matter what your geek logic says, only what a prosecutor can convince 12 people too stupid to get out of jury duty to believe.
However, this can be done by any average user in Windows:
http://www.youtube.com/watch?v=SXmv8quf_xM
...LOL
10 FILL MUG WITH COFFEE
20 DRINK COFFEE
30 GOTO 10
Of course if the sender were really paranoid, that SSL connection's IP destination could be a SSL VPN to another anonymizing service, instead of Wikileaks.
And that anonymizing service could open yet another SSL connection through the tor network, through a different TOR client, terminating at Wikileaks.
Someone really paranoid will build a chain of encrypted anonymizers, and sign up for accounts on the additional anonymizer services while already anonymous, so a chain is built of services and nested levels of encryption that have to all be compromised, before the sender could ever be identified.