[BBLISA] Re: Looking for Internet anonymizer

seph seph at directionless.org
Sat Jul 18 01:40:39 EDT 2009


I've seen a couple rounds of tor fud recently. 

> "Tor hack reports downplayed by developers" -
> http://arstechnica.com/old/content/2007/03/8964.ars

The official response to that is
http://blogs.law.harvard.edu/anonymous/2007/02/26/the-rumors-of-our-demise/
It covers a couple things. Briefly skimming the introduction to that
paper, it sounds to me like it's poking at how many nodes you'd need to
compromise before you can make reasonable guesses about the
traffic. (and some ways to increase the compromised node's
attractiveness). This is certainly an idea that has always been part of tor.

> Security expert used Tor to collect government e-mail passwords -
> http://arstechnica.com/security/news/2007/09/security-expert-used-tor-to-collect-government-e-mail-passwords.ars
> (someone was operating a fake Tor node and sniffing the traffic going though it)

I think it's highly questionable to associate this with tor. If you use
plaintext auth, then yes, your network transport will see your
password. No matter how anonymous your speech is, if you start it with
an introduction, you've gone and killed it.

Which, leads back to the original question... When you say no trace in
the logs, is the mere existence of the query enough to expose the
searcher?

seph




More information about the bblisa mailing list