Silk Road forums

Discussion => Security => Topic started by: hatedpatriot on May 13, 2012, 05:42 am

Title: Anonymity and Privacy, not the same thing
Post by: hatedpatriot on May 13, 2012, 05:42 am
I see the thread about VPNs died after I posted the snippet from and a link to the security basics article at HackBB's wiki. Guess you guys had your fill of talking VPNs by the time I showed up. Anyway, I wanted to repeat something from that article that I believe the majority of us are guilty of mixing up, anonymity and privacy. Most people's first reaction is they are the same or only marginally different, that was mine. But it really helps to know there is a difference when you are playing such a game as this one we are playing. The author of the security basics paper brought it to my attention that I had not fully respected the difference between anonymity and privacy. Tor is for anonymity, as you may have heard. Hiding the source and destination of data within Tor is what it does well. Hiding the data, or giving you good privacy, is not what it does well. VPNs are the opposite in that they provide excellent privacy, but not so good anonymity.

The reason I started a new thread for this is because I'm hoping some of the resident geeks will have something to say about this. I'd love to learn more about the different tools available to us for increasing both anonymity and privacy. Just by reading that one little part that made me aware of how different the two are, several things made more sense to me right away. For instance, I had been told to steer clear of using a VPN with Tor, unless I knew what I was doing and fully understood the implications of mixing the two tools. That didn't make much sense at the time, but now it makes plenty of sense. It was surprising to me how just failing to give those two words equal yet opposite weight would doom you from the start. Some of us don't feel like the chances we take are too hardcore, but some of us can't afford any fuck ups. That's the biggest reason why I started a new thread. I know there is someone who needs to hear this, but they missed it yesterday.

Anybody got anything to add? I seriously would love to hear it.
Title: Re: Anonymity and Privacy, not the same thing
Post by: kmfkewm on May 13, 2012, 12:15 pm
It is a little bit more complicated than that. VPNs are far worse than Tor for some sorts of privacy. The primary difference between Tor and a VPN is that with Tor far more people see your exit traffic. Some of those people log unencrypted exit traffic to spy on exit traffic for various reasons. With a VPN your exit traffic is concentrated often to a single point, and rarely more than a few. If this single point is not spied on then nobody is spying on any of the traffic. However, if someone is spying on that point then 100% of the unencrypted exit traffic is compromised by that attacker. Tor decreases the amount of information that any one attacker can intercept by increasing exposure to many nodes, although VPNs generally say they won't spy on exit traffic they are much more likely to be forced to by a court order and to comply with the court order. VPNs in most countries that don't deal with abuse traffic get shut down pretty quickly, and if it's serious enough abuse that the feds care they will spy on it at the VPN's data centers in many cases. Oftentimes it is the upstream hosting provider who doesn't tolerate abuse traffic even if the police don't get involved. So in theory a VPN can offer much better privacy than Tor can by restricting all traffic to a single point that they protect from being spied on, and in some places this might even work like in Russia or other countries with providers who can ignore or delay foreign complaints, but generally almost all VPN services offer stronger privacy than Tor does only to people who are not breaking any laws, and worse privacy by far (100% of exit traffic intercepted by your primary attacker) to anyone who is breaking the law.

VPNs also offer anonymity to various degrees, although most of them only to a very minimal extent. If you use a single VPN solution you automatically leak the small list of entry nodes you could be using, and you leak that you are someone who uses the VPN service. Different corporate structures seem to add strength to some VPN services' claims of anonymity, instead of getting a court order to force a single company to hand over records they can use a split corporate structure with each node run in a different jurisdiction its own. Some services manage to offer pretty good protection from law enforcement, there are specialized cyber crime server hosts in countries like Russia that resist abuse complaints very well. In the end Tor and VPN services are both defeated by the same primary attack, entry/exit traffic correlation, and in either case it is only a matter of time for a dedicated attacker to be able to deanonymize a target, especially if they target a lot of people. Tor does protect from a significant number of attacks that VPNs do not protect from though, and Tor is widely considered to be substantially superior to VPNs, but there are case studies where targets using VPNs proved untraceable to FBI (although there are many case studies where people using VPN services were traced), however there are no examples of Tor ever having a user deanonymized by LE. The person who uses Tor and gets a bad entry:exit on their first circuit to SR is going to be screwed faster than someone who gets a VPN that isn't currently being worked on by LE.

But don't take this to be an endorsement for VPNs, Tor is the clear winner. When it comes to more VPN type technology people seem to think JAP is the role model (and it has certainly received more technical scrutiny from the academic anonymity community than any other anonymity VPN service has), they have a nice arrangement where node operators sign legally binding contracts saying they will not spy on traffic content or store headers or content without a valid court order in their jurisdiction forcing them to do so, and then they chain these nodes together into two or three hop international cascades often in countries without data retention laws. And that is great for the amount of time it takes LE to produce valid court orders on the path back to you (or even leap frogging potentially). Tor is great until you rotate to a new entry node that is pwnt by someone who can watch traffic arrive at your destination.
Title: Re: Anonymity and Privacy, not the same thing
Post by: fillout on May 13, 2012, 12:36 pm
Correct me if I'm wrong. But from what I understood if you are using .onion sites no matter if the exit node is eavesdropping they still can't see your traffic because it's encrypted end-to-end?

So let's say the last node is run by LE and somebody is connecting to SR it would not matter because the traffic is encrypted.

With clearweb sites indeed they would be able to see your traffic.

Is this correct or am I thinking too easy here?
Title: Re: Anonymity and Privacy, not the same thing
Post by: kmfkewm on May 13, 2012, 12:45 pm
.onion is encrypted client to server so exit nodes cannot spy on plaintext.
Title: Re: Anonymity and Privacy, not the same thing
Post by: vlad1m1r on May 13, 2012, 12:55 pm
Correct.
Title: Re: Anonymity and Privacy, not the same thing
Post by: kmfkewm on May 13, 2012, 01:16 pm
nothing past your router will see the MAC
Title: Re: Anonymity and Privacy, not the same thing
Post by: hatedpatriot on May 14, 2012, 10:37 pm
Our government has a long history of lying as well as being the world leaders in the manufacture of propaganda. I think it's certainly within the realm of possibility that they lied about what they were able to do.

kmfkewm; your reply is exactly what I hope for when I make threads like this. Thanks for taking the time to teach us something!