Ask Slashdot: Alternatives To Tor Browser Bundle For Windows?

SonnyJim writes "I frequently use Tor for my anonymous browsing needs, via the Tor Firefox bundle for Windows. I noticed that there are many other applications out there that use Tor as a proxy as well (Janus VM, ChrisPC, etc.) Are any of them more secure than the original Tor bundles, or am I just wasting my time trying these other applications? Is there anything more secure than Tor, as far as anonymous browsing goes?"

Tor

[x*yy*x]

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing. Especially to Google via Google Analytics.

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.

Re:Tor

[clang_jangle]

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing. Especially to Google via Google Analytics.

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.

You have some good points, though some of those concerns are easily addressed in your privoxy config. I use tor regularly BTW, and am impressed with its performance compared to a few years ago. I don't drink the kool-aid, but between privoxy and tor you can certainly avoid being tracked by all but the most devoted bad guys. However, if someone competent is targeting you specifically you're screwed no matter what you use, unless you're an uberhacker with access to some heavy hardware.

Re:Tor

[WrongSizeGlass]

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.

At least it will arrive securely and anonymously - and isn't that what it's really all about? ;-)

Re:Tor

I personally find it funny when people use Tor and then leave behind [...]same MAC address, don't change DNS servers [...]

Proof that you know less about this than you think you do. MAC addresses become irrelevant after the first network layer hop or an application layer gateway like TOR. Also TOR acts as a socks 5 proxy and will resolve names for you, again the the DNS settings are irrelevant.

Re:Tor

[cdp0]

Use TorButton then (the Windows bundle includes it IIRC). AFAIK it solves most of the problems you mentioned. If you are using Firefox 4 then you need the alpha version from here.

Add to that BetterPrivacy, and you should be much harder to track.

Re:Tor

[93+Escort+Wagon]

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing.

I solved this problem simply by finding out what your user-agent, LSO and Flash cookies, system configuration, screen size, fonts, plugins, MAC address, and default DNS servers were. Now whenever I'm on Tor I pretend to be x*yy*x - so I'm golden.

Re:Tor

[x*yy*x]

DNS resolving depends on settings. You're correct about MAC addresses, but it's good to remember them too since they are still somewhat relevant if you really want good anonymity.

Re:Tor

[Hazel+Bergeron]

Except, of course, if you're running wireless. Then MAC addresses are recorded by various data gatherers and used, among other things, for that Google location guesser thing.

Of course, it's OK if you never speak wireless in the clear and always use an encryption protocol which will never be found insecure in the future.

Re:Tor

[icebraining]

DNS resolving depends on settings.

TorButton - included in the bundle - configures Firefox to use Tor for DNS (using the SOCKS proxy).

Re:Tor

[ibsteve2u]

I don't drink the kool-aid, but between privoxy and tor you can certainly avoid being tracked by all but the most devoted bad guys. However, if someone competent is targeting you specifically you're screwed no matter what you use, unless you're an uberhacker with access to some heavy hardware.

Didn't you know? Is "the good guys" doing the most tracking these days.

lolll..and as a rule you're paying them to watch you.

Re:Tor

[clang_jangle]

Sounds like you're confused. There are no "good guys" trying to track me, only pragmatic reasons I might chose to allow some limited tracking for some limited time (like for street navigation). The "bad guys" are by definition whomever is trying to track you.

Re:Tor

[burni2]

But mostly you can identify tor-users which are not having all plugins switched off, by a java applet which acts as a beacon* , also if you have switched it off in your Firefox, it get's reactivated by every juscheded update ;)

But I also want to point the attention to the lately added
local web storage in the current generation of browsers, like Opera and doing a picture search in opera and just check the link of the thumb nail you will be interested So the question is how long will it take till it get's abused for traking

"data:image/jpg;base64,/.*CONTENT*."

*(udp connection, even through DNS/53 port some PSFs don't catch outgoing connection on this port and won't bring the fact to your attention)

Re:Tor

[lostthoughts54]

what he means is the old good guys are our new bad guys. and good guy doesn't exist anymore, only you vs. them.

Re:Tor

[ibsteve2u]

Sounds like you're confused.

Long as you're aware that someone competent that has uberhardware - much of which is not even available on the open market - is tracking you.

By the way: Did you observe how I did that without incorporating a juvenile insult?

Re:Tor

That's not true either. No matter what OS you are running there is a way to present an incorrect MAC address (ideally you should use a different one every time you log in - generated randomly). Since it is a gigabit+ address space and is only used locally, just use a random 48 bit number. The protocol stacks just want a locally unique 48 bit number. Chance of replicating a local address is approximately zero.

This is one reason wireless MAC filtering is weak protection. It is trivial to spoof a wireless MAC address and a wireless network traffic can be monitored (for legal MAC addresses).

Re:Tor

[vlm]

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing.

If someone is trying to block web browsing by installing a cruddy blocker or whatever, but are not smart enough to block tor connections (think, hotel, restaurant, etc) then tor is a massively overcomplicated proxying solution.

Re:Tor

https://www.torproject.org/about/torusers.html.en

Tor was created as a way for the US military to have secure communications while agents are abroad. It has been shown that tor exit points can capture any data coming out of the network. I'm not saying that tor is a way for the US government to get people to send encrypted traffic through military super computers for later monitoring or anything but x*yy*x might have a point.

Re:Tor

[Opportunist]

...for different definitions of "good"...

Re:Tor

[kwark]

By using TOR directly your browser may be giving away clues to your identify. By using privoxy some identity stuff may get filtered but instead you may be leaking information by DNS (especially if you are on an untrusted network). Torifying UDP is IMHO a PITA.

Re:Tor

VM the os, new browser, change always, random mac.. tor

Re:Tor

[ibsteve2u]

Might, perhaps, have been best to leave out the adjective "bad", which implies the existence of "good" and so leads those of us who are foolish enough to take someone literally into hypothesizing the existence of an anode in their cathode-only universe.

Re:Tor

[Weezul]

It's called the tor "browser bundle" for a reason. You never use your default browser under Tor.

Yeah, end node sniffing must be addressed through https-everywhere or a vpn of course.

Re:Tor

[jvillain]

Once some one has your mac address (assuming they have the real one) they know the manufacturer of your device. From there they can figure out where it was sold and they tie that to a credit card or bank card if you didn't pay cash. If they can tie your mac to some where that you signed up for an account you are also fingered. Every where you go on line no matter how you got there leaves a trail of things that quickly narrow the field of candidates. Your crazy if you think there is anonymity on line.

Re:Tor

Might, perhaps, be a tad more clear in one's communications. What are you, schizophrenic?

Re:Tor

[clang_jangle]

Please quote the "juvenile insult" you imply I made -- and it needs to be an exact quote, not some biased paraphrasing of what I really said.

Re:Tor

Easy to fix when you use user agent switcher, ghostery, better privacy, noscript, google sharing, cloned mac addresses and torbutton.

Check out http://www.decloak.net to see how anonymous you are.

It's hard to beat Tor for anonymous public web browsing, but i2p is already a better darknet.

Re:Tor

[flowwolf]

No. They're not relevant. Your mac address isn't part of the tcp/ip at all. Hell its not even part of the network layer. Its a layer 2 protocol. It will only ever show up to systems on the same subnet and shouldn't even be considered regarding wide internet anonymity. Also, did you know that about half of statistics are made up on the spot?

Re:Tor

[smellotron]

Once some one has your mac address (assuming they have the real one) they know the manufacturer of your device. From there they can figure out where it was sold and they tie that to a credit card or bank card if you didn't pay cash.

Are you telling me that if I tell you 00:50:ba:* you can identify where I bought my NIC? And you can tie it to my credit card? You must be a spook in full collusion with D-Link (for the credit card and inventory records), in which case the mac address reveal is probably the least of my worries. If you look in my windows while you're wardriving, you might even see me, too!

Re:Tor

[causality]

Might, perhaps, have been best to leave out the adjective "bad", which implies the existence of "good" and so leads those of us who are foolish enough to take someone literally into hypothesizing the existence of an anode in their cathode-only universe.

Why would you want to accommodate foolishness and make it more comfortable? It doesn't lead to fewer fools.

Re:Tor

[causality]

By using TOR directly your browser may be giving away clues to your identify. By using privoxy some identity stuff may get filtered but instead you may be leaking information by DNS (especially if you are on an untrusted network). Torifying UDP is IMHO a PITA.

The solution is to configure your browser to not provide such information in the first place, even when you're not using Tor. Those few cookies etc. you may need to use certain sites can be limited to a handful of specific sites and made quite temporary in nature.

I never saw any good reason why HTTP Referrers and user-agent headers were ever included in the HTTP spec in the first place. The first is extraneous information and the second is contrary to a Web based on open standards (and tends to help malicious sites know which exploits to use). Both of those are easily removed or faked as well. I like to use the RefControl add-on to always give a site its own main page as the referrer.

Re:Tor

a java applet which acts as a beacon* , also if you have switched it off in your Firefox, it get's reactivated by every juscheded update ;)

Perhaps in the Windows world a software update that actually goes into your user's application settings and overrides them is considered normal and acceptable but this doesn't happen to user applications under Linux. System updates are not going to touch the contents of your users' home directories which is where things like Firefox settings are stored. The difference of course is that Windows knows what's good for you, after all you might be a clueless idiot so it's "appropriate" to treat every user that way. Who cares if you already expressed your preference in the existing config, right? Naturally the nice centralized database known as the Registry makes that easy for them.

*(udp connection, even through DNS/53 port some PSFs don't catch outgoing connection on this port and won't bring the fact to your attention)

That would fail on my system. I run my own little caching DNS server and my firewall is default-deny. The traffic on UDP port 53 is limited to only the specific IP addresses of the root DNS servers.

If your PSF can't do that, you should ditch it and replace it with a real firewall.

Re:Tor

[ibsteve2u]

Rather than extend this thread and have more people wasting mod points modding down, let me just say that rather than "Sounds like you're confused.", you might have tried "I wasn't clear; although I said 'bad guys' and so implied the existence of 'good guys', that was not my intent." Seems a bit more efficient than assuming that the reader counts telepathy among their skills.

Over and out.

Re:Tor

Again, it's irrelevant. MAC addresses operate on a different network layer. Just accumulating such arguably identifyable technical characteristics into a scary lists doesn't change the fundamental principle that they are not used in TOR.

Re:Tor

[blincoln]

"I never saw any good reason why HTTP Referrers and user-agent headers were ever included in the HTTP spec in the first place. The first is extraneous information and the second is contrary to a Web based on open standards (and tends to help malicious sites know which exploits to use)."

The referrer is useful for a number of reasons. Beyond the obvious one (statistical information), this is helpful for setting up mechanisms to help prevent people hot-linking to images (or other content) on your site. For people who have transfer caps or surcharges, it's really frustrating to have a significant part of that taken up by people who hot-link to your images for use as forum icons or other heavily-used things which don't benefit your site in any way.

re: the user-agent header - just because the web is supposedly based on open standards doesn't mean users should all get the same content. Ideally they should all be able to *choose* to access the same content, but most people are going to be happier if a website detects that they're using a smartphone and sends them a version of the content optimized for display on a smaller screen.

Re:Tor

[clang_jangle]

Oh, well so sorry I triggered your neuroses and failed to fall in line with your belief system. Criminy Crumpets!

Re:Tor

[Jane+Q.+Public]

Which is exactly why, if you REALLY want to be "anonymous", you simply spoof your IP and MAC addresses (ridiculously easy to do in most cases) and use somebody's open wifi.

Re:Tor

[Jane+Q.+Public]

You're really, really reaching. I would guess that you could actually do this in maybe 1 case out of 10,000. MAC addresses are assigned to the network card manufacturer. They are (often) installed in your computer on a Pacific Island somewhere, and shipped to the United States, where they are then further distributed far and wide.

The odds that anything like your credit card number would be associated with your MAC address, in any place that it could, as a practical matter, be found, is vanishingly small.

Re:Tor

I thought that the MAC address only went to the next hop, or am I wrong?

Re:Tor

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing. Especially to Google via Google Analytics.

Did you read the title? It says "Tor Browser Bundle". Not Tor plus some browser that you also use for other stuff. "Tor Browser Bundle" is Tor plus a dedicated install of Firefox that is only used for Tor and completely separate from your everyday browser, and that is as secure and anonymized as possible.

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.

Off topic. The question wasn't what to use Tor for and what not, it's about how to set up your system to use Tor. It's common knowledge that all the good and bad guys listen in on the exit nodes. Tor was never meant to provide secure connections or protect the content you post, it's just an IP obfuscator and as such it works.

Re:Tor

[SonnyJim]

After all the arguing, debating and name calling, finally an actual answer to the question I asked. Thank you.

Re:Tor

[mywhitewolf]

That is, unless you register your network cards serial number for warranty, I'm sure manufacturer holds the serial number and mac address tied together on a database somewhere, and now they have your address too. getting your identity from your mac address through purchase history would be all but impossible.

Re:Tor

[mywhitewolf]

accessing webservices based in https would fix this surely? but if they don't encrypt the exit tor node -> web server then of course it could be caught by a man in the middle attack. even if they get this information however they would be unable to tell where the traffic is coming from up stream of the tor exit node unless there is identifying information in the sent data (like you've entered in your email or some such).

I'm not an expert though so don't take my word for gospel, but AFAIK that's how it works.

Re:Tor

[Mana+Mana]

Ghostery does LSO, oops! Flash cookies.

Re:Tor

[Lord+Byron+II]

Kids, play nice or you're both going to have a timeout.

Re:Tor

[Lord+Byron+II]

The referrer is the wrong way to fix hot-linking. You're attempting to maintain costs by using the user's browser. Instead, you should use your web server. Something like the JPG is only available if the HTML page it is on has been recently requested by the same IP. (I'm basically making a fox guarding the hen house argument.)

And the user-agent header is the wrong way to fix content issues. The best way would be to supply all of the content to the other browser and let the user decide what format they want to see your site. Or for the browser not to identify itself specifically, but have a more general description of capabilities (such as mobile, small screen, large type, etc). The problem with providing specific browser versions is that website owners tend to over-specialize their content. A few times I have been unable to use a site after I downloaded a new browser since the site didn't recognize the latest version.

Re:Tor

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers

Also, the same underwear, the same tin foil hat!

Re:Tor

[MrNaz]

Your referrer solution: This solution would overload web servers quickly, as every object request would require a log file parsing. It would also suffer from the problem that the image may be loaded from a different server than the HTML file. Thus, your solution is fraught with difficulty in both efficiency of hardware use as well as implementation. Also, its stupid.

Your user-agent solution: So you're saying that my smart phone, which is on a slower network connection, with a lower usage quota should receive both the mobile page AND the multimedia heavy regular page, and then choose which to render? That's massively inefficient and will clog low-power, bandwidth restricted devices. Also, it's stupid.

Re:Tor

It got my IP nothing else.

Re:Tor

[Vegemeister]

Bloom filter.

Re:Tor

[lostfayth]

You're correct.

Re:Tor

noscript
requestpolicy

Re:Tor

[Miaomiao]

As someone who's worked for years as a web developer: Knowing what browser people are using is 100% needed.

Mostly, you use it as a priority list as far as what browser bugs you're fixing, it's not as serious now, but I know there's many web developers waiting for IE6 usage to drop below .1% so they can safely ignore it.

Now, using content headers to "guess" which version of a page to serve up is wrong (you can easily use mobile stylesheets for that) but we're nowhere near that kind of real world application.

Re:Tor

[MstrFool]

To be honest, I have never really understood that mindset. It only comes into play when you wish to flood the page with all sorts of, glamor. And I mean that word in the sense of distracting effects, sounds and movement. It's only needed for making a big show of it, and IMHO, rather few sites benefit from such things. If your business is selling programs for inserting all kinds of special effects, then your page would likely benefit from using such. But if your site is for disseminating information, then all the bells and whistles rather get in the way. Sites that hide and ap that starts playing audio as soon as you load the page? Come on, your taste in music is not that impressive to the random person stopping in, or loud adds that you can't find to shut them up that interrupt what you are listening to while surfing... It's at best rude. I can only speak for my self, but I closed such pages the instant they started, till I got no-scripts and prevented it that way. I've since found my elf back on some of those sites I remembered dumping before. More then once found that exactly the item I was looking for at a better price then I ended up paying on the site that didn't try to scream in my ear. But if I have to fight the site to get through to what I ant, why should I? If you are more interested in showing off your l33t flash skills then you are in trying to sell your product or service, then I'm likely better off going with a company that feels their product or service information matters more then a flash tag or animation, or vulnerable flash plug in. And before any one takes offense, I am using 'you' in a general term, and not meaning any one personally. Or to sum up my feelings on the subject. I am interested in the contents, not how showy the box looks. And honestly, outside of the catalog or ordering system, how many web sites really need flash or scripts? Many here have typed out full web pages with out tools and fancy plug ins that look every bit as good as the web pages with 30 scripts, 6 java applets and a few flash objects. Don't use a tool simply because you have it, use it only when it's needed and most of those compatibility issues would vanish.

Re:Tor

No, you just need collusion with a few employees at D-Link or a distributor which can get access to that information. Also, there is a chance that educated guesses can be made about the distributor based on your locality or other information.

Re:Tor

[mabinogi]

Your user-agent solution: So you're saying that my smart phone, which is on a slower network connection, with a lower usage quota should receive both the mobile page AND the multimedia heavy regular page, and then choose which to render? That's massively inefficient and will clog low-power, bandwidth restricted devices. Also, it's stupid.

That would be why he suggested the other option - a capabilities field.
It amazes me that there still is no capabilities header, despite similar existing for mimetypes and languages....

Re:Tor

[MoeDumb]

Good grief. Time to bail on this thread.

Re:Tor

[gravis777]

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.

http://www.ipredator.se/

Problem solved. Also a heck of a lot faster. You just have to pay for it, which I think is a four-letter word on Slashdot

Re:Tor

After all the arguing, debating and name calling, finally an actual answer to the question I asked. Thank you.

He made a blanket statemnet that X was better than Y with nothing backing it up.

Personally, I feel SuperPrivate has them all beat!

Re:Tor

[phatphoton]

yes.

Re:Tor

[mhelander]

In a Time of Universal Confusion, telling things clearly is a Revolutionary Act

Re:Tor

[ibsteve2u]

In a Time of Universal Confusion, telling things clearly is a Revolutionary Act

lollll...unless, of course, you're a politician - in which case telling things clearly would be a betrayal of your species.

Re:Tor

by causality (777677)

Damn! Almost hit the Jackpot!

Re:Tor

[syockit]

If he didn't take that nickname, surely the number could've been jackpot.

Re:Tor

The solution to this: periodically changing your MAC address.

Re:Tor

Whoa! It must be weird to be so paranoid and not realize you are so "out there!". my MAC addy is going to finger where I bought the device/NIC?? Seriously? And I should care about that? Like what, "He bought it at Best Buy -- let's get him!!"

Re:Tor

Google and others were recording the location of wi-fi AP MAC addresses, they really don't give a damn about you laptops MAC because it is no use for location-based services since it can (and is likely to) move around, also your MAC doesn't go past your router so even if they did record it they wouldn't be able to tie it to your online activities.

Re:Tor

[cbiltcliffe]

It's a NIC. Do you really think someone who's so concerned about privacy is going to give a crap about the $12/$35 it'll cost to replace an under warranty wired/wireless NIC _if_ it dies?

Besides the fact that MAC addresses are not globally unique, regardless that they should be in theory, and the only thing that can track them is the subnet you actually connect to, which isn't discoverable to the TOR exit node......

This conversation is stupid. MAC addresses are not a privacy issue, unless you're connected to a subnet that you're not supposed to be, and doing something stupid.

OperaTOR

[webmistressrachel]

The best TOR bundle, includes portability, non-root / admin user required, and no cookies etc. between sessions.

All settings are defaulted safe for Tor.

Re:OperaTOR

Does it have functionality similar to Firefox with TorButton ? Otherwise I assume it offers weaker privacy.

Btw, according to this link OperaTor is not maintained anymore, and it was replaced by YAPO which does not support Tor.

Re:OperaTOR

[webmistressrachel]

Damn... on your first point, no it's stronger because it includes Polipo and Privoxy, which route DNS requests over Tor...

However, despite me using it religiously for years now, you are correct that it's now been deprecated? Why? I don't have to skills to maintain it, and it's something I am sure lots of people have used as their first step to anonymity... it should be maintained. :-(

VPN?

[fysdt]

What about a free/paid VPN connection?

Re:VPN?

[icebraining]

VPN is only one hop between you and any server, so they know both who you are (especially if it's paid), what IPs you connect to and any unencrypted traffic.

If you trust them more than your ISP, sure, but I think it's far from anonymous, even when compared to Tor.

Re:VPN?

[x*yy*x]

Well, you can use several VPN's between. That way the traffic that goes encrypted between you and first VPN won't leave unencrypted there. But yeah, you always have to trust the person or company that keeps it.

Re:VPN?

[fysdt]

By default the MS PPTP client supports VPN chaining. The last VPN hop would send unencrypted data (comparable to a Tor exit node) which is afaik unavoidable.

Re:VPN?

[kwark]

It is simpeler to run TOR on both ends and use VPN between the client and the hidden service (OpenVPN in TCP mode should work). That way the traffic should never leave the tor network.

they're not here

Anyone who's remaining completely anonymous online wouldn't risk a visit to a clearnet site like slashdot and comment.

Re:they're not here

[Runaway1956]

virtual machine, dude. My virtual machine doesn't come to slashdot . . .

Logic Fail

I frequently use Tor for my anonymous browsing needs, via the Tor Firefox bundle for Windows . .. is there anything more secure than Tor, as far as anonymous browsing goes?

So, you want to use a compromised OS and somehow tack privacy on top? Doesn't work that way, sorry.

I don't get Tor

[Hazel+Bergeron]

Can someone explain to me why someone who is monitoring sufficient backbones and running sufficient Tor nodes himself can't just watch a packet stream being bounced between Tor nodes?

Then there are people using Tor really dumbly such that you don't even need a three-letter acronym to work out who it is.

Re:I don't get Tor

[betterunixthanunix]

Can someone explain to me why someone who is monitoring sufficient backbones and running sufficient Tor nodes himself can't just watch a packet stream being bounced between Tor nodes?

This is one of many known attacks on Tor, and is the reason why as many people as possible should be running Tor relays, entry nodes, and exit nodes. This is also why Tor circuits are periodically changed by the client. In general, though, it is possible for someone who can monitor a large enough fraction of the Tor network to break the anonymity of the system, even if they cannot control the nodes themselves.

Re:I don't get Tor

[Nimey]

I'd thought about running a Tor entry/exit node, but I really don't want to get dinged for someone else looking at kiddie porn and using me as an exit point. The authorities won't know the difference, and might not even care.

Re:I don't get Tor

[westlake]

Can someone explain to me why someone who is monitoring sufficient backbones and running sufficient Tor nodes himself can't just watch a packet stream being bounced between Tor nodes?

I've asked the same question about Freenet.

The network depends on users volunteering to route and store high-risk traffic. The files may be in fragments and encrypted. But if your client application, node or supernode is exposed, the consequences may be - unpleasant.

That is not a problem for the three-letter agency, foreign or domestic that can build depth by running tens of thosands of nodes and supernodes, if it chooses.

Re:I don't get Tor

To date, not a single case has been bought against anyone running a tor exit node.

Re:I don't get Tor

That might be the case, but I don't think he wants to risk being the first one. All it takes is an overzealous prosecutor.

Re:I don't get Tor

[Hazel+Bergeron]

I recall a raid in Germany. Depending on police behaviour and accessibility of records, in some countries that can be as harmful as a conviction (e.g. if you're working in a job with vulnerable people).

Re:I don't get Tor

Yea- even not so vulnerable people or no people at all.

Re:I don't get Tor

Better not own a house, then. All it takes is one overzealous lawyer and a clumsy doorbell ringer. Oh, and don't rent, either. One overzealous landlord. Walking down the street? One zealous gang-banger. Driving? 5000 zealous drivers.
And what do you do when you breathe in a patented organism and it breeds in your lungs? One zealous corporate attorney...

Re:I don't get Tor

[betterunixthanunix]

To date, not a single case has been bought against anyone running a tor exit node.

...and yet your life can be ruined just because you were arrested for "downloading child pornography."

Re:I don't get Tor

[Larryish]

From your link:

... In this paper, we show that linkability allows us to trace 193% of additional streams...

193 percent?

Really?

Re:I don't get Tor

There are websites that block access from suspected Tor nodes.

Re:I don't get Tor

[Nimey]

You just went full retard. Never go full retard.

Re:I don't get Tor

[Jane+Q.+Public]

"The network depends on users volunteering to route and store high-risk traffic. The files may be in fragments and encrypted. But if your client application, node or supernode is exposed, the consequences may be - unpleasant."

If you are in the U.S., these assumptions are quite incorrect, in at least a couple of ways.

You are volunteering to take on anonymous traffic, not "high-risk" traffic. There is a very big difference. In effect, you are serving as a "common carrier", and you enjoy the same legal protections as any ISP. In other words, you are only carrying traffic, you are not looking at it in any way, or even accessing it, much less altering it, yourself. You are only a relay. You have nothing to do with the actual content, so you cannot be held liable for that content.

Legally, even if illegal traffic passed through your node, law enforcement has no reason to even look at you twice. Their beef, if any, is only with the source and destination of that traffic. You are further protected by the very nature of Freenet itself: all traffic is encrypted, and it is highly unlikely you would be able to decipher any of that content, even if you wanted to.

Also, the volume of your traffic has absolutely nothing to do with the legality of your actions. You have the same legal protections as Time Warner, or AOL, or Comcast.

Re:I don't get Tor

[DamnStupidElf]

I've always thought it would be nice if the russians or nigerians or chinese would just run Tor on their botnets. I know they probably don't really care for freedom of speech or privacy (in fact, they would like to reduce most people's privacy in terms of financial credentials...) but that is the level of distribution necessary to thwart network analysis. Store-and-forward of all anonymized traffic with random delays and random traffic bursts generated to mask legitimate traffic is essentially the only way to go. Even better if your local gateway just "happens" to be infected with such a botnet client, generating its own stream of random anonymized traffic for plausible deniability.

Alas, it's probably up to some grey-hat hackers to care enough to put something like this together and implement it and keep it running.

Re:I don't get Tor

It's funny. I was going to add 'Ridiculous? Yes. But all these are actual court cases (except the breathing bit). Thinking you'll be the first Tor prosecution in it's 9 year history is simply paranoid delusion.' But I figured only the brain damaged wouldn't realize that. Silly me.

Re:I don't get Tor

[mywhitewolf]

it may not get you convicted, but do you want the extra attention? I'd consider it if my country wasn't balls deep in thought crime persecution, last thing i want to do is gain unwarranted attention.

Re:I don't get Tor

[ColdWetDog]

You are volunteering to take on anonymous traffic, not "high-risk" traffic. There is a very big difference. In effect, you are serving as a "common carrier", and you enjoy the same legal protections as any ISP. In other words, you are only carrying traffic, you are not looking at it in any way, or even accessing it, much less altering it, yourself. You are only a relay. You have nothing to do with the actual content, so you cannot be held liable for that content.

That statement is very much open to debate. I would further argue that westlake's legal budget is significantly lower than TIme Warner, AOL or Comcast's.

Re:I don't get Tor

[lostfayth]

This is a feature:
https://www.torproject.org/docs/faq-abuse.html.en#Bans

Re:I don't get Tor

[Jane+Q.+Public]

WTF??? Your link leads (at least currently) to an article about Repetitive Stress Injury in Australia. I am really not sure at all what you were trying to link to, but I doubt that is it. Just so there is no misunderstanding, I stated quite clearly that I was referring to the U.S.

But to the best of my knowledge, it is not open to debate. And I would argue further that I was talking about the law, not the distorted way the law has sometimes been enforced. Regardless of your budget, if the law is applied unequally to you vs. a person or corporation with more money, then there is something wrong with the enforcement of the law... not the law itself. "Equal protection under the law" is supposed to be the guiding principle of all law in this country. If it is not, in practice, then there is a problem with enforcement. Q.E.D. Don't blame the law.

Re:I don't get Tor

[Jane+Q.+Public]

By the way: EFF, EPIC, and other organizations all back up my point. Please look it up.

Re:I don't get Tor

[EdgeCreeper]

Consider that Tor exit nodes are toxic.

Unfortunately, TOR exit nodes are toxic. I ran a fully open tor exit node for 24 hours and got 4 C&D's for my trouble. You need a full time lawyer, or a lot of time spent tuning which traffic you relay. :-/

Re:I don't get Tor

[jc79]

You can still help by running a relay-only node. No exit traffic necessary.

A better alternative..

[spaceplanesfan]

Just stop trolling :-)

Re:A better alternative..

No, the troll here is the people acting like Firefox is the best browser out there for Windows, OSS or no. I was so glad to get rid of FF on all but one of my systems and I keep it on the one just so I'm not talking out of my ass about it unlike the fanbois who haven't tried IE since 5.5 but still claim they "know" that it sucks.

Hands down Chrome is the best browser for Windows today. Even IE has made modest but noted gains on the once mighty FF.

Firefox is a husk of what it use to be and a disgrace compared to what it could be today.

Re:A better alternative..

[spaceplanesfan]

No, I was going for Funny moderation.
I suggested to stop using Tor, cause you know, its probably was used for trolling.
Its of course just a joke, no offence.

AOR

Advanced Onion Router is a portable (can run off a key drive) and easy to use program that will force a program to work entirely through it. This can get programs without proxy settings to work with the TOR network, and speed up the process of setting up a proxy in other programs. There are some pretty advanced settings inside the program that the average user will probably ignore, but its nice to have them there if you need.

secure net

Haven't uused it in a while, but maybe you people should look into the i1p project. Doesn't have the bandwidth of tor, but is more secure/anonymous

Re:secure net

[Runaway1956]

Did you mean I2P??? http://www.i2p2.de/

It too can be compromised by MIM. Otherwise, yes, I think it is superior to TOR. Downside is, not enough people use it to make it worthwhile.

Coffee Shop

Live boot a Linux distro and surf your kiddie porn at a local coffee shop.

Re:Coffee Shop

[mywhitewolf]

then you got to worry about those other privacy concern... like people being able to view whats on your screen and see you fap. IIRC someone in Australia was caught doing more or less exactly this.

Freenet

Just use freenet :P

MAC Address location

Well, yes and no. MAC addresses are used for the fake GPS found in lots of products, but it's not accurate and the collection works via specialized applications, not browsers. (Plugins excepted)

MAC GPS is essentially done by multiple gathering systems that contain GPS technology to provide 'GPS like reporting' to devices that do not have GPS. However, all it takes is one house to randomize MAC addresses, or clone one in use on the other side of the country, to degrade the locators.

Have you tried tunnelr?

http://www.tunnelr.com/ I think this stuff lets you browse anonymously

Re:Have you tried tunnelr?

[Runaway1956]

It's just another VPN proxy setup. THEY know who you are.

Tor is illegal

...or it soon will be.

After all, it facilitates illegal activity. Never mind that it has legitimate uses.

Sound familiar?

LiveCDs - TAILS v0.7.1, Liberté Linux

[integral-fellow]

First, don't bet your life on this technology or OpenSSH or other tech.

Second, rather than run TOR on an everyday personal or work computer (Windows or Mac or Linux) with sensitive data and identifiable traits, I'd recommend booting a LiveCD: TAILS (v0.7.1 is the latest) and Liberté Linux:

http://tails.boum.org/
http://dee.su/liberte

or get Knoppix and harden it:
http://knoppix.com/

Change your MAC and connect at a coffee shop (if paranoid-- on the other side of town, and wear sunglasses in case of surveillance), not from home. Or connect to someone else's open WiFi, or get the key with Backtrack. Less secure is running a LiveCD in a VM (virtualbox or vmware). Another less secure option is running a hardened Linux, or at least running the Bastille script.

What am I missing? The main trouble with the LiveCD/DVDs is the NIC driver/module, but Knoppix is good for that.

integral-fellow

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

[Jane+Q.+Public]

The solution to that is to use your Live CD to make a bootable USB drive. Then you can change/improve/upgrade your drivers.

Then encrypt your bootable drive (it is possible to make bootable encrypted drives).

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

[Jane+Q.+Public]

I should add that in the United States, you cannot be legally forced to give up your encryption passwords, unless law enforcement can already show that your encrypted data contains illegal content. In other words, because of the 5th amendment, the standard is a lot tougher than even probably cause.

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

[Jane+Q.+Public]

"... probable cause." Damn typos.

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

Sunglasses are not good enough protection to modern surveillance cameras: http://www.geekologie.com/images/2006/05/kaya.jpg

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

Please detail the process to make a bootable encrypted drive. Is it LUKS or truecrypt or another.

Thanks!

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

The solution to that is to use your Live CD to make a bootable USB drive. Then you can change/improve/upgrade your drivers.

Then encrypt your bootable drive (it is possible to make bootable encrypted drives).

Please describe your method. I'd like to do the same.

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

[Jane+Q.+Public]

This depends on the particular live CD you are trying to port to your drive. For a good example, try googling "Backtrack 4".

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

[Jane+Q.+Public]

I will reply with the same thing I told the other person who asked: google "Backtrack 4" and go from there. There are instructions, but they may need to be modified depending on what version of Linux you are installing.

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

[Jane+Q.+Public]

To whoever has been modding down questions about this:

The United States Constitution guarantees us the right to be secure in our persons, property, and papers. These days, of course, "papers" includes digital files.

Censorship on Slashdot is most unbecoming. I am being very polite. If I were not so polite, I would use other words.

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

[Jane+Q.+Public]

I will also add: the methods of making your bootable drive encrypted is actually quite ordinary; there are many means of encrypting bootable drives. The trick is making a USB drive bootable in the first place. From there, you can use the well-known, commonplace methods of encrypting the drives.

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

It is possible to DIY (do it for yourself) when creating Live CDs or Live USBs. That way you can use whatever Linux distribution you prefer, or are most comfortable with. As you note, some skills are required, but the tricks are fairly well known. The fine points of Linux startup is somewhat distribution dependent. For my own purposes, I created a rescue environment based on Slackware Linux that boots on a wide variety of hardware "out of the box." I have written a couple of blog posts about it here and here.

One thing that helps a lot is that the Linux device stack is layered appropriately with logical devices before reaching the physical layer of devices. The logical device layers are provided by the device mapper facility. Device mapper provides the toolset that works with a myriad of possibilities (non-encrypted simple snapshots, encrypted snapshots, encrypted physical devices, etc.). These modes can be mixed and matched, and the possibility of using loopback devices further complicates possible designs. In fact, there are so many "correct solutions," that it can be tricky to select which solution most directly meets the users needs. The basic technique is described here.

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

hey sounds like you really know what you're talking about, I work with a company techchange.org that is in the middle of trying to develop an activist hacker kit that would fit on a thumbdrive and be preconfigured with the best options for security. I'd love to get any thoughts you have.

Re:LiveCDs - TAILS v0.7.1, Liberté Linux

[Jane+Q.+Public]

I have to wonder who is anonymously modding these posts down... and their motivation for doing so. This seems like a perfectly reasonable discussion of how to make bootable diagnostic utilities for your computer.

DHS:

I'm watching you...yeah YOU.

What is the actual purpose of using TOR?

[Warma]

I understand that what I'm going to ask is almost a logical fallacy in Slashdot, but I'm going to ask anyway.

Why exactly are you making things complicated for yourself and using Tor in the first place? A person as paranoid as you would use only properly secured banking connections and reputable services anyway, so the chance of any identity theft whatsoever is minuscule. I really can't think of any credible motivation for completely endorsing anonymity except the fear of being caught surfing something explicitly illegal. However, the amount of replies in this thread and their tone suggest, that you can't all be 3rd world revolutionists or Chinese students circumventing the Great Firewall.

Is this just a matter of principle, or do you actually have something to hide? If it's the principle, what are you hoping to accomplish and why? If you're into snuff or whatever, I really don't care, but at least one anonymous reply confirming this would be amusing.

This is not a troll. I'm genuinely interested. Technical answers about repercussions I may have not understood, are not only accepted, but appreciated.

Re:What is the actual purpose of using TOR?

[Larryish]

From what I gather (remember this info is all secondhand) some people in former first-world countries (USA anyone?) use TOR, Privoxy, livecds, etc. to research the sort of things that might throw up a flag.

Re:What is the actual purpose of using TOR?

I like to buy certain hard-to-find illegal chemical compounds through Tor. Also I hear you can find CP on there, but I'm not a pedo so I wouldn't really know.
Posting anonymously (and through Tor!) for obvious reasons.

Re:What is the actual purpose of using TOR?

Funny that you mention snuff porn because you can't always predict what motivates other people (including why they would want your information in the first place).

Logically speaking, just because it's improbable that someone would want to track you, doesn't mean that it's impossible.

Re:What is the actual purpose of using TOR?

Before I could afford internet access at home, I used Tor to download porn from sites like youporn.com. That certainly isn't a legal activity, but using my university's internet system to access porn was grounds for being expelled. This even included kids in dorms.

Yes, watching porn in public is a horrible idea and would certainly cause others discomfort. But there is nothing wrong with accessing or viewing it in private.

TL;DR in my country, religious zealots and enforced morality codes forbid University students from accessing pornographic and other controversial materials even in their own dorm rooms. Can you guess which modernized first nation I live in?

Re:What is the actual purpose of using TOR?

I for one don't trust the network at my dorm and don't want the other students to watch my every step on the 'net. No, I'm not talking about porn.

Good enough of a reason?

Re:What is the actual purpose of using TOR?

You have a right to privacy. You don't need a reason to use it. You have the right to a job and a religion, and to privacy. Some people want to use that right, though in this web 2.0 era of social networks is not common.

Re:What is the actual purpose of using TOR?

Besides the "Nothing to hide" argument being fallacious, why can't privacy just be privacy without someone's silly assumptions about your motivations getting in the way?

Re:What is the actual purpose of using TOR?

[Jane+Q.+Public]

"I really can't think of any credible motivation for completely endorsing anonymity except the fear of being caught surfing something explicitly illegal. "

History has clearly shown that the right to free and anonymous speech is essential to maintaining a free society. That fact alone is sufficient motivation to do it. If you don't practice and enforce your rights, you are likely to lose them. Your attitude is exactly why this is true.

Re:What is the actual purpose of using TOR?

[Jane+Q.+Public]

Pardon the multiple posts. That wasn't intended as an insult. What I meant was: the whole concept of "If you aren't doing anything wrong, you have nothing to fear" is the culprit. It is simply wrong. That idea has been disproven by history, many times over.

Re:What is the actual purpose of using TOR?

I use it to download malware which I subsequently reverse then further use Tor to explore their command/control techniques and return traffic.

Re:What is the actual purpose of using TOR?

[metrometro]

> Is this just a matter of principle, or do you actually have something to hide?

Yeah, this: http://en.wikipedia.org/wiki/2011_Chinese_protests

In many parts of the world, basic civil freedoms are not possible without anonymous communications. Given events in North Africa, surveillance combined with brutal repression (see Bahrain, Syria, Yemen, Ivory Coast) is now an expected outcome of trying to organize political discourse in many places.

Re:What is the actual purpose of using TOR?

[SonnyJim]

For me, it is just a matter of principle. It has nothing to do with having anything to accomplish, illegal activities, or having anything to hide. I have the right, as an American citizen, to use the Internet without being tracked or spied on, period. And as I am new to the whole "anonymity online" prospect, I needed some good advice. What you're basically saying is "Why close your curtains? Do you have something to hide, or are you doing something illegal in there?"

Re:What is the actual purpose of using TOR?

[mywhitewolf]

I think he wanted to find out what the motives actually were, not weather you had a right to that privacy in the first place.

Re:What is the actual purpose of using TOR?

[mywhitewolf]

I use it to research anything questionable. I don't trust my ISP & espeically my government to not flag certain informative websites like erowid as "questionable behaviour", which may end up with me being further inconvenienced in the future, (roadside drug searches etc.). I'm not particularly concerned about being convicted based on my browsing habits, but i don't want to risk the extra attention with corruption being rampant in most police forces.

Re:What is the actual purpose of using TOR?

[Altanar]

Anonymous free speech is a by-product of public free speech and is useless if the society doesn't allow public free speech from a known individual. The uncited source is useless if the government doesn't allow the brave individual to include their reference in a public, non-anonymous article. Without someone, anyone standing up to vouch for a story, publicly, anonymous free speech is easily dismissed, easily forgotten, easily covered up.

What good would the Deep Throat informant have done if Bob Woodward and Carl Bernstein didn't publicly vouch for his information?

What are the Federalist Papers without people like Patrick Henry publicly stating "Give me Liberty or give me death?"

Which affected Iran and the world more? Reading @persiankiwi's tweets or seeing Neda Agha-Soltan, dying on a street with the entire world watching?

Re:What is the actual purpose of using TOR?

The common answer that I hear is what ever a ISP/Company or local network (like a student network) might be interested in knowing. Could be porn, could be pages on Wikipedia, could be anything the person would be embarrassed about.

A less common answer is "just for the principle of".

Re:What is the actual purpose of using TOR?

Bypassing corporate restrictions on the network to surf sites that one shouldn't at work

Re:What is the actual purpose of using TOR?

[giltwist]

I use TOR to get around restrictive firewalls at coffee shops and such. For example, the local Panera uses OpenDNS, which seemed to think googlecode.com as a whole was infected with the Conficker worm. TOR let me access it no problem.

Re:What is the actual purpose of using TOR?

FWIW, I was wondering the same thing.

It seems like it's a combination of extreme paranoia, and/or not trusting their ISP and/or simply violating their university's web-browsing policies and/or simply because they can.

I firmly believe in the right to privacy too, but I think it's a little extreme for most purposes.

I could install bullet-proof windows in my home, but I think that's a bit extreme and I have had a bullet come flying through my window and others hit the wall while I was in that room before (although I don't live there anymore).

Personally, I'd be even more paranoid about using Tor than not just because I think it would put me closer to lowlifes who do use it for nefarious purposes and I'd never really be sure I wasn't vulnerable to some new exploit or just because I failed to secure it properly. In fact, that's part of the subject of this entire threat - someone asking about more secure Tor.

I do try to practice reasonable security, but reasonable varies from person to person..

Re:What is the actual purpose of using TOR?

Anonymous speech will do nothing to ensure a free society - you need to be prepared to stand up and be counted and not hide behind a fuzzy layer of anonymity...

I agree with the OP... Why would you want to be anonymous?

Re:What is the actual purpose of using TOR?

[whimmel]

I know of at least one group that teaches techniques like these to spouses in domestic violence situations. It helps the victims get information and resources (legal or otherwise) together before they make their move.

Re:What is the actual purpose of using TOR?

[ColdWetDog]

TL;DR in my country, religious zealots and enforced morality codes forbid University students from accessing pornographic and other controversial materials even in their own dorm rooms. Can you guess which modernized first nation I live in?

Vatican City?

Re:What is the actual purpose of using TOR?

Nothing illegal, I just don't want my girlfriend who works at the FBI to find out how often I really look at lolcats.

Re:What is the actual purpose of using TOR?

To counter your anecdote, I used to lurk 12chan ("-1, troll" if you know what this site was, AC has an image to maintain) from my dorm, without proxies or any other devices of Anonymous Cowards and no one gave a fuck. The connection wasn't even monitored or filtered (though if you were sending "excessive" SMTP traffic, the port might be disabled while they told you to clean your shit up). The only restriction on porn was don't do it in on University owned computers.

I am sure that I live in that same country as you, and the administrative subdivision\sovereign sub-entity (depending on your perspective), are currently fighting tooth and nail to keep science out of children's minds. It sounds like it was your school that was backwards, not the country.

Re:What is the actual purpose of using TOR?

I use Tor to allow access to my mail and docs hosted on google. The company I work for has a WebSense policy in place that prevents access to google apps for more than 20 minutes per day and the Tor network allows me to sidestep this restriction when I need to.

Re:What is the actual purpose of using TOR?

[Jane+Q.+Public]

"Anonymous free speech is a by-product of public free speech and is useless if the society doesn't allow public free speech from a known individual."

I am quite sure that the authors of the "Federalist Papers" and "Antifederalist Papers" would very strongly disagree with you, Patrick Henry notwithstanding. Thomas Paine is probably a better example, and he was not exactly a friend of the existing government. But here is the most telling point: the very people who were writing the Federalist Papers were our Founding Fathers... they just did not dare do it publicly under their own names. To do so would have called unwanted and perhaps disastrous attention to themselves and their families, at a vulnerable time. THAT is the value of anonymous speech. The government doesn't have shit to do with it.

"The uncited source is useless if the government doesn't allow the brave individual to include their reference in a public, non-anonymous article."

You make my point for me! Without government sanction, only anonymous speech can truly be free.

"What good would the Deep Throat informant have done if Bob Woodward and Carl Bernstein didn't publicly vouch for his information? "

It might have actually been believed SOONER if it had come out in Rolling Stone rather than the Washington Post. Seriously, you are making my point for me. You are trying to say that only government-sanctioned sources are reliable, which is precisely the point behind what I originally stated. Woodward and Bernstein had no authority to "publicly vouch" for the information. All they could vouch for was a supposedly "reliable source". Once again, proof of what I say. Deep Throat was an anonymous source. But that source could have used many outlets. Remember, he chose Woodward & Bernstein, not the other way around.

"Which affected Iran and the world more? Reading @persiankiwi's tweets or seeing Neda Agha-Soltan, dying on a street with the entire world watching?"

That is a straw-man argument. It has nothing to do with the issue at hand, which is: is anonymous speech necessary? Regardless of which is more dramatic, anonymous speech has probably had a much larger impact on history.

Re:What is the actual purpose of using TOR?

[Warma]

No problem, I wasn't insulted in any way. I stated the comment as a logical fallacy precisely because I knew, that this was going to be said, and that I also consider it the "correct" answer.

What my actual point tried to be, and what some people here already responded to, was that most of the people here using tor don't really have anything to hide and don't seem to have any use for Tor, yet they worry about these things and make their life more complicated for no apparent reason. I see that as paranoia getting in the way of your daily activities or even gnawing at your quality of life. For example, what would these people do if they didn't have tor at some specific machine? Would they just stop using the internet?

A secondary purpose was to get a random sample of reasons people actually have for using Tor. I'll post it here for your enjoyement too:

Illegal activities - 1
Malware countermeasures - 1
Network restriction circumvention (ie. porn) - 4
Paranoia - 4
Principle - 5

I counted the "ohnoes my ISP will flag me and my roommates totally sniff my packets all the time" as paranoia. I didn't count non-firsthand usage statements as anything and didn't flag any answers as trolls. The ratio of people who needed Tor versus those who just use it seems to be 5:9 in this sample. Interesting stuff.

Re:What is the actual purpose of using TOR?

What about a Woody Allen kind of guy whose therapist suggested to give free expression to his own paranoia?
Seriously, you don't know someone who wouldn't like his daddy and ex-wife to know details about his (legal) lifestyle?
Businesses who wouldn't like their competition to find out where their next investments will be?
Do you know for sure all these info can't be found on the black market? 'Cause I really don't.

It doesn't take Tom Clancy to list a ton of legitimate reasons internet privacy. The first of which being you need relevant motives to violate it, not the other way around. This is how we kept the Great USA Firewall from being built. Or did we?

And, to play your "guess who you are" game, are you somewhat involved in an agency which doesn't like people's right to privacy?
If yes, felicitations for the Osama thing, but please keep focusing on serious targets and leave my phone line alone. I have a mistress.

P.S. I'm writing here AND I'm not a Tor user.

Re:What is the actual purpose of using TOR?

[gl4ss]

well, one thing is for searching stuff that might be illegal to even look information about in your country. because if someone gets to know that, they can try to blackmail you, you have to bribe them or officials or just end up in a chinese jail. and it's useful if you're in a sect and looking for a way out.

another reason is that it makes it harder to track who you are, say if you're looking to download something from a site you know to have an admin who looks at the logs about who's ip it is. this is partially why I keep my images I want to keep public on flickr, were it my own server where I could log the http accesses I could be tempted to guess who's looking periodically at them. but since I'd just get hits and some referrer information from flickrs logs, there's less risk of that for people who view them.

also - and this is important - many university housings etc provide you with an ip address that's trackable to right where you are, so it helps a bit if you have a stalker problem or such. or it might generate you a stalker problem.

but most are just people who are scared of the warez police, scared of the drug police or scared of the porno police. you know, people who wouldn't visit a doctor to get pills, who wouldn't go to booze store to buy booze, who wouldn't have gone to gas station to buy porno. and usually scared of someone stealing their ideas - ideas other people have too already because they're so simple but they don't understand because they don't speak to other people.

Re:What is the actual purpose of using TOR?

[Jane+Q.+Public]

I see. The results are interesting. I would count myself among the "principle" group. I have used Tor, but have also found it to be slow, which rather weakened my resolve to use it for principle alone. However, I still support it because something that may be inconvenient today may turn out to be the only possible avenue tomorrow. One never knows. You can call that paranoia if you like, but I prefer the term "preparedness".

And the assertions by some that "half" of the Tor exit nodes are monitored is ridiculous. There are far too many. I could set up one tomorrow, take it offline the next day, turn it on again 3 days later, etc. While such sporadic availability is discouraged, still it is possible.

Re:What is the actual purpose of using TOR?

[Jane+Q.+Public]

"Anonymous speech will do nothing to ensure a free society - you need to be prepared to stand up and be counted and not hide behind a fuzzy layer of anonymity... I agree with the OP... Why would you want to be anonymous?"

That's GP, not OP, but regardless:

I refuse to go over the last 300-400 years of history to illustrate why this is important. There are so many reasons... but rather than just blow you off (which am half-tempted to do), I will instead point you at the following article: https://www.eff.org/issues/anonymity

If you aren't satisfied with that, just google "anonymity 'supreme court'" and read what you find.

Re:What is the actual purpose of using TOR?

[Jane+Q.+Public]

And by the way: if you don't think our founding fathers (who used anonymity to their benefit) were willing to stand up when it counted, then you don't know your history.

When, at the signing of the Declaration of Independence, John Hancock said that the revolutionaries must be unanimous and that "We must all hang together on this," Benjamin Franklin replied "We must indeed all hang together, or most assuredly, we shall all hang separately."

I think it is pretty clear that he was right on that point. And yet: they wrote anonymously when they felt it necessary to protect themselves and their families from retaliation by the existing government.

That is the difference between bravery and stupidity.

Re:What is the actual purpose of using TOR?

[bradley13]

Various thoughts here:

You may be looking for non-illegal content, but worried that you may come across something illegal in the course of the search.

• It may be that you simply want to ensure that your private activities cannot be easily combined with your public activities.
• Some people view proxy services as an additional defense against malware sites
• There are people with a real need for anonymity, because they are engaging in political speech frowned upon in their country, This is not just China. Example: in most of Europe, it is illegal to express any doubt at all as to the historical truth of the Holocaust. I don't mean denial, but even questioning the number of victims, or how they were selected can get you sent to jail. Before the Americans start touting their "freedom of speech", how about the guy who was arrested for having printed a text-file describing an underage sexual encounter, or the chemistry teacher arrested for discussing (purely theoretically) the processes used to produce meth?
• Finally, many of us use anonymouse services to provide a larger group of anonymouse data - thus allowing people with a real need for anonymity to better hide their activities.

Those are just quick ideas - I am sure that other posters will have other ideas as well...

Re:What is the actual purpose of using TOR?

[WegianWarrior]

While I can't speak for the other users of Tor, I have found it extremely useful and even vital for computer security in the location I am now: Sudan.

Let me explain: I'm working for the UN, and have brought my own laptop. I'm buying "wireless broadband" from a local ISP, who is anything but broad... but thats a different matter. Since I like keeping my computer safe, I need to download the latest patches for Flash and Java and so on and so forth... which is where the problem arises. You see... the US is currently boycotting Sudan, which means that if I go to Adobe's website with a Sudanese IP I can't download the patch I need...

Using Tor I can bypass this problem, for the small price of an even slower connection. I can also access other sites that block traffic from Sudan (which is a few) or which the Sudanese Government sensors (which is more than a few). Naturally I surf without Tor when I don't have to use it - my connection is slow enough as it is...

So at least for me - and many other in my situation - Tor is used to actually access things we couldn't otherwise reach.

Re:What is the actual purpose of using TOR?

[tehcyder]

Example: in most of Europe, it is illegal to express any doubt at all as to the historical truth of the Holocaust. I don't mean denial, but even questioning the number of victims, or how they were selected can get you sent to jail.

Sorry, but that is total and utter fucking bullshit.

Re:What is the actual purpose of using TOR?

I'm attracted to children. I can't expect you to understand or approve, but it's who I am and after a long struggle struggle I came to terms with it.

I don't do anything illegal. I'd never hurt a child and am honestly disgusted at those who do. I take the exploitation of children very seriously, and do not view any pornography.

I do connect to sites which allow me to understand there are others like me, get moral support, and read fiction. Despite not doing anything wrong, I value my privacy in those environments, so that's where Tor comes in.

Re:What is the actual purpose of using TOR?

You have more to lose by having Java and Flash active in your browser than you ever would by not using TOR.

Re:What is the actual purpose of using TOR?

By adding innocuous traffic volume, you raise the noise floor which makes individual signals (people) harder to sort out.

Re:What is the actual purpose of using TOR?

Warma... I'm not sure what nation you live in. But it appears to me that you have something many people don't. Faith.

In their government. In the willingness and ability of its agents to abide by law. To respect uncommon but lawful behavior. To permit people to organize, act, and discuss or study amongst themselves.

Keep in mind that even in first world nations there are a great deal of activities that fall into shades of grey and prosecutorial discretion. If you look at any form of porn at all, you may be breaking the law depending upon local obscenity law and "community deceny" which ...varies.

Even if you're not, even if the first amendment applies, they can still charge you, and you can be raked through the mud at the taxpayer expense, and lose everything you ever worked for trying to defend yourself.

That's assuming you aren't fired from your job for having to show up in court and running out of PTO...

It should be obvious to someone of reasonable intelligence--you probably break several laws a day, any of which can be used to target you. Sure, they probably aren't felonies or anything serious, but enough for harassment purposes. To give you a ticket and force you to show up in court...miss a day of work.

Even if you don't fear criminal activity, you may fear legal ... problems. Not as in lawsuits, but things people can legally do.

By way of example, my housing contract contains terms that are blatantly unlawful in this state. It also has a severability clause. The lawyer who wrote it hopes that the law will change, and those terms will then become valid. The landlord tries to use them against people that don't know their rights, but that's...a different issue.

Can you imagine the reasonable (from their chair) desire for an insurer in the beginning of the aids epidemic to find out if someone was a homosexual? For my insurer to find out if I've googled scuba diving? What if I have a propensity to click on fast food advertisements?

It goes deeper though. What if you research things of "questionable" utility? What if you once had a three letter agency make a note in their file on you that there is no such thing as legitimate computer security research done independently and suggested external review and you found out about this years later due to somebody botching some paperwork? What if somebody somewhere had once labeled you dangerous because you had published some vulnerabilities in common form handling routines? This is the type of bullshit the American government employee in a security position is very capable and willing to do. Repeatedly.

What if you knew you had been surveiled because you had gone on a single date with a really cute girl in greenpeace?

I value my privacy and will take any reasonable means necessary to protect it, because the adversary has already shown they have no respect for it and will use anything they find against the law abiding citizen that gets in their way.

Really, it's a simple matter of trust. I trust the government to label anyone opposed to the two party system as a radical. I trust them to label radicals as a dangerous threat to the state. I trust them to object to any form of communication they cannot monitor, intercept, spoof, and control. I trust them to fear people who understand how to prevent this, and to act on that fear using surveillance, intimidation, and potentially lethal force.

Re:What is the actual purpose of using TOR?

I used Tor once to check job ads and clients of a company with which I had a thorny relationship.

They were small enough that they could have (as I often do) sifted through their web server logs to see who is visiting.

If they got my IP address from there they could have linked to other times I had exposed my home IP to them and knew I was snooping on them after our relationship ended

So I used Tor.

Re:What is the actual purpose of using TOR?

Many colleges are now recommending students not read or report on Wikileaks in case it may effect your future employment, possibly with the government. I use Tor to browse Wikileaks, while protecting my identity for these purposes. Frankly, since such measures are now needed, Wikileaks is proving to be needed more than ever.
Also, Tor has some seedier areas, but it also has a great selection of free thinkers, and atypical people. I find them fascinating. While I am not the OP, this might help to shed some light on the subject for you.

Re:What is the actual purpose of using TOR?

Just because something is legal doesn't mean you don't want people knowing you did it.

Let's say I like porn. Maybe it's gay porn, or bondage porn, or just plain porn. And let's say I'm in a delicate situation either in a PR sensitive position or with a non-understanding boss. For example, say I'm in a southern-conservative town, in a feminist organization or just a random politician.

Anyone finding out about my porn habits would mean the end of my life as I know it. Hell, even something as dumb as trolling 4chan might get me in trouble.

In those cases it would make sense for me to use Tor, not because I'm looking for something illegal or that I'm trying to overthrow some dictatorship, but just because I need my privacy and I should be able to do whatever the hell I want from the privacy of my home computer.

Err... That's hypothetically speaking .. I don't like porn, you know .... better post this one as AC ...

Re:What is the actual purpose of using TOR?

Yeah, it's all about the kiddie porn.
Happy now?

XeroBank Browser?

[antdude]

How about https://xerobank.com/download/index.html ? However, its Firefox is outdated. Supposedly, they are making a new one?

Re:XeroBank Browser?

they also use tor and ff 2.0. I wonder if they are just a tor ripof?

You're doing it wrong.

[atari2600a]

Tor isn't 'a proxy', it's a router. Privoxy / Polipo is the proxy. Either way you offer too little parameters for 'secure'. Do you mean like cache retention or some magical network breach or what?

Simple

[Patrick+May]

Is there anything more secure than Tor, as far as anonymous browsing goes?

Yeah, don't fucking use Windows.

Re:Simple

[SonnyJim]

If that were an option, I wouldn't have asked the question.

i2p

[bjs555]

I was trying out iMule and saw that it uses a network layer called i2p that supports any application that can run using a proxy. You might want to give it a try.
i2p is available at http://www.i2p2.de/
Here's a description of i2p from the introduction:
-----
"I2P is a scalable, self organizing, resilient packet switched anonymous network layer, upon which any number of different anonymity or security conscious applications can operate. Each of these applications may make their own anonymity, latency, and throughput tradeoffs without worrying about the proper implementation of a free route mixnet, allowing them to blend their activity with the larger anonymity set of users already running on top of I2P.

Applications available already provide the full range of typical Internet activities - anonymous web browsing, web hosting, chat, file sharing, e-mail, blogging and content syndication, newsgroups, as well as several other applications under development.

Web browsing: using any existing browser that supports using a proxy.
Chat: IRC, Jabber, I2P-Messenger.
File sharing: I2PSnark, Robert, I2Phex, PyBit, I2P-bt and others.
E-mail: susimail and I2P-Bote.
Newsgroups: using any newsgroup reader that supports using a proxy."

All other programs subject to attack or profiling

They use either Java or centralized servers.

Java should not be used because more Java-based botnets are being developed due to the popularity of Android. Java virtual machines have always been full of vulnerabilities and sluggish performance.

Ostensibly a program using centralized servers would not ask users to donate bandwidth and IP addresses for "exit nodes." The servers, then, would be easy to profile based on IP address. A central authority with control of the entire network could be a weak link.

more truth than you know

As a webmaster for a moderately visited site, I can say I've had nothing but headaches with people using tor for trolling. My solution was to block everything tor. There are plenty of blacklists for tor simply because of the troll abuse. What you end up with is a scenario where, as tor becomes more useful, more trolls will use it, then more services will block it, thus making tor less useful. The equilibrium point will be somewhere close to where it is now, a system that's sufficiently small enough that it makes it rather easy to cause issues with tor, according to comments by others posed above.

I2P

Because it's encrypted end-to-end, no bullshit like Tor. It's got torrent, anonymous websites and any tunnelling capability you might need anonymously and encrypted for any application.

privoxy cant HTTPS

Privoxy is practically useless on https. Only way to filter https is at the browser.

(Someone should really fix Firefox, so that we at least have one private browser)

My Cocktail Mix for Delusional Conspiracism

[znigelz]

Firefox in privacy mode with NoScript, HTTPS Everywhere, Better Privacy, Tor Button extension for Tor and Privoxy, an ip filter (linux: ipblock, windows: peerblock), FlagFox extension to always have a visual cue where the server is located, and a system firewall rejecting everything but the specific ports that you use (22, 80, 443, other program specific ports, etc). If I really was worried about privacy, I would also connect across free online VPN (from your own first world country preferably). It may be possible to daisy chain a few vpns (and also a few proxy servers for that matter), but I'm not really that interested in security. Plus an intrusion detection and prevention system like Snort using a log viewer.

Better than Tor...

[mr_lizard13]

I wear a balaclava and plastic gloves when browsing.

Don't use Torbutton on your everyday Firefox

Torbutton as an addon is a step backwards from Tor Browser Bundle. It was discontinued for a reason. You're not smarter about Torbutton than the developer of Torbutton, and here's what he says:

I realized at that same instant that in hindsight, this decision [to use one browser instance/profile for Tor and vanilla browsing] was monumentally stupid, and that I had been working harder, not smarter. However, I thought then that since we had the toggle model built, we might as well keep it: it allowed people to use their standard issue Firefoxes easily and painlessly with Tor.

I now no longer believe even this much. I think we should completely do away with the toggle model, as well as the entire idea of Torbutton as a separate piece of user-facing software, and rely solely on the Tor Browser Bundles, except perhaps with the addition of standalone Tor+Vidalia binaries for use by experts and relay operators.

The Tor Browser Bundles will include Torbutton, but we will no longer recommend that people use Torbutton without Tor Browser. Torbutton will be removed from addons.mozilla.org, and the Torbutton download page will clearly state that it is for experts only. If serious unfixed security issues begin to accumulate against the toggle model, we will stop providing Torbutton xpis at all.

Makes sense to me.

Re:Don't use Torbutton on your everyday Firefox

You're not smarter about Torbutton than the developer of Torbutton

You are comparing a user with a developer. For the user TorButton is very useful, even if the developer now thinks his approach is not the best, because it requires extra work (compared to a different approach). In fact, even if you provide a second browser you would still benefit from functionality offered by TorButton, no matter if it is built-in the browser or offered as an add-on.

Also, TorButton doesn't seem to be discontinued, yet. At least there is nothing on the home page, plus the latest release is from 1 May 2011.

Re:Tor - You have Java.?.

You run java on an internet machine? Really?

Don't use Torbutton, use Tor Browser Bundle

It's strange that the news hasn't made it to the Torbutton page yet: Torbutton is dead. Read this post by Mike Perry, developer of Torbutton (tldr: it's too hard for users to use it safely, it's too hard to maintain, and standard-issue Firefox is too buggy) and install the Browser Bundle.

2600 code/article about Tor hacking

http://www.2600.com/code/253/
There are ways to hack tor easily found on 2600. Check it out... Or not.

Re:http://www.happyshopping100.com

[ColdWetDog]

$10 Bikini (Ed hardy,polo)

I know you're not very bright, even for a bot - but I think you're barking up the wrong tree. You might want to go back to the Viagra stuff. Or maybe Rhogaine.

Firefox plugin: Cocoon

[coherence]

Disclosure: I know the guys behind it. Try Cocoon (getcocoon.com). It's a Firefox plugin that is exactly what you're looking for - an alternative to Tor. Win, Mac, Linux (ahem most of the time anyway). It does more than protect you browsing; for example, I registered for this /. account using Cocoon. The evil overlords at Geeknet don't have my real email address/identity.

OperaTor

[andcal]

I can't believe no one has said anything about OperaTor yet. Mostly because it's the only one I was aware of before this article
Is it because OperaTor doesn't appear to be in development anymore (as in dead).

XeroBank Safehouse: Virtualized Browser + Apps

Greetings, I am Steve from XeroBank, and developer of xB Browser. We will be releasing Safehouse, a new tiny cross-platform virtualized browser very soon. GPL btw. :)

Re:XeroBank Safehouse: Virtualized Browser + Apps

[boing3r]

I just went to xerobank.com, and then went to your 'anonymity checker': https://xerobank.com/tools/anonymity-checker/ which told me this scary stuff:

Network Legal Risk: High (fix)
Warning: ISP Spying Risk (fix)
Critical Threat: Data Interception Detected (fix)

Funny thing is, it told me exactly the same thing whether I was coming through my secure proxy or straight through my ISP. Fess up - it's just canned, and always shows the same 'warning's, right?

Browser ID and the short attention web

[RobertB-DC]

Your point is well-constructed... but it also shows that you have a bias towards content over presentation.

The fact that it's all one long paragraph, is missing occasional letters, and may have small grammatical errors is absolutely irrelevant to the point that you are making. You used concrete examples and came to a logical conclusion.

But the rest of the world is biased toward presentation over content. It's sad, sure... but it's been that way since the Eternal September, and it's not going to change. In fact, the short-attention-span web is hurtling forward 140 characters at a time, thanks to look-a-birdy sites like Twitter and Facebook.

And in that web, you have to know what browser your visitor is using, so that you can give them the brain candy they want before they lose interest and look, a birdy.