
Comments
Wasn't it revealed a number of years ago US law enforcement was able to bust some activity conducted via Tor?
Yes, and it does that to this day. The FBI has a very substantial amount of relay and exit nodes in the Tor network.
@xHosts this is the reason why we don't want to do KYC
Never trust any VPN. If I was a government trying to catch people I didn't like, the first order of business would be to build or purchase a privacy-oriented VPN brand. All the marketing about how their RAM-only VPN servers can't log your data is nonsense. RAM-only doesn't prevent sending log data over the network to some other server.
Which providers claim that neither they nor their upstreams sell netflow data?
Cogent famously is one of the few (possibly only?) T1 carriers that does not sell flows.
Thank you. Never thought I’d be looking for a Cogent only hosting company.
From what I see, it is only a claim.
The article is also from 2021 so it's very possible they changed their mind.
Recently saw this article; I was skeptical at first, but I don't love these connections to government from Tor... https://bible.beginnerprivacy.com/opsec/torhoneypot/
Links between Tor and Cymru as well. Sigh.
Actually, the majority of nodes are run by people who are well-known in the community. The way Tor is attacked usually involves guard discovery attacks which do not require running nodes. Tor is not perfect, but there is no evidence that feds are running even a small fraction of the network. The most effective attacks don't require running nodes anyway.
With that said, the latest attack against Tor took years, an entire major German ISP assisting for a prolonged amount of time, and international cooperation to catch a few people, one of whom was only caught because they were using an outdated version of Tor running a hidden service themselves (a bad idea given guard discovery attacks are easier against HSes) that lacked the vanguards mitigation, along with some minor opsec mistakes.
If you're interested in learning about some of the real vulnerabilities (which are more involved than a mere sybil attack), it's documented pretty well on prop344: https://spec.torproject.org/proposals/344-protocol-info-leaks.html
Yeah, Team Cymru was kicked out of Tor a few years ago because of the huge conflict of interest.
Interestingly, the most effective attack against Tor is disinfo to scare people off of it and onto less secure platforms.
Hey thanks for this, was hoping you would respond because I wasn't sure about that info. Glad to hear Cymru isn't involved anymore.
When they first joined the project, they were only a generic security company that was interested in networking and helped provide infrastructure. They later evolved into the data broker they are now, and when that was uncovered, they got removed.
People love to jump into conspiracies wrt Tor and its limitations, but the actual dangers are not feds donating to Tor to influence them, or infiltration of the organization, or running the majority of the network (all oft-repeated, easy to remember and repeat, but unfalsifiable claims). The real dangers, with varying levels of feasibility, are:
But those are less catchy and harder to repeat and explain than "Tor is a honeypot because feds".
Nor simply logging in and checking existing connections in real time when investigating abuse, which is what these companies typically do. That way they can still pass third-party audits without lying about not keeping logs, simply because they don't need to in order to deanonymize someone.
You often see netflow data used by security companies like Recorded Future. They're able to map multi-tiered/proxied threat actor infrastructure and identify which IPs have prolonged SSH connections to the backend, for example.

Doesn't seem far off that this could deanonymize multi-hop VPNs, Tor or I2P. At least in targeted cases.
Yep, that's why it's so important to fight against the centralization of Tor in the Netherlands and Germany, as it makes traffic information recorded by just a few exchanges more valuable. Tor does have some features that make NetFlow-type information less valuable, but it's not invincible.
Can you explain further why the centralization is bad? Because they could be linked to the same netflow data broker? I always assumed it was due to the favorable Tor laws in those countries.
It's bad because the circuits have a higher potential to go through the same few ASes. At the moment, there's a non-negligible chance that any given Tor circuit will have all three hops in OVH or Hetzner. The reason so many people run relays there is because bandwidth is very cheap.
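The AS-concentration point above can be made concrete by computing, for a small made-up relay list, how often bandwidth-weighted path selection puts all three hops in the same operator. The block below is an added example and not Tor's code: the relay names, weights, AS labels and /16 prefixes are constructed, selection is simplified to "pick guard, then middle, then exit, weighted by bandwidth, never reusing a relay or a /16" (Tor's real selection also applies per-position flags and weights), and `avoid_same_as` is a hypothetical extra policy included only to show how an AS-diversity rule changes the numbers.

```python
from fractions import Fraction

# Constructed relay list for illustration: (name, AS, bandwidth weight, /16 prefix).
# The numbers are made up and do not describe the real Tor consensus.
CONCENTRATED = [
    ("ovh-a", "OVH", 4, "10.1"),
    ("ovh-b", "OVH", 4, "10.2"),
    ("ovh-c", "OVH", 2, "10.3"),
    ("hetzner-a", "Hetzner", 3, "10.4"),
    ("other-a", "Other", 1, "10.5"),
]

# Same total weight (14) spread across five operators with one relay each.
DIVERSE = [
    ("r1", "AS-1", 4, "10.1"),
    ("r2", "AS-2", 4, "10.2"),
    ("r3", "AS-3", 2, "10.3"),
    ("r4", "AS-4", 3, "10.4"),
    ("r5", "AS-5", 1, "10.5"),
]


def eligible(relay, chosen, avoid_same_as):
    """Simplified Tor rule: a circuit never reuses a relay or a /16.
    avoid_same_as is a hypothetical extra rule (not Tor's behaviour) that also
    refuses any AS already present in the circuit."""
    if relay in chosen:
        return False
    if any(relay[3] == c[3] for c in chosen):
        return False
    if avoid_same_as and any(relay[1] == c[1] for c in chosen):
        return False
    return True


def circuit_distribution(relays, avoid_same_as=False):
    """Exact probability of every (guard, middle, exit) path under hop-by-hop
    bandwidth-weighted selection. Returns {(g, m, e): Fraction}."""
    dist = {}

    def extend(chosen, prob):
        if len(chosen) == 3:
            dist[tuple(r[0] for r in chosen)] = prob
            return
        cands = [r for r in relays if eligible(r, chosen, avoid_same_as)]
        total = sum(r[2] for r in cands)
        for r in cands:
            extend(chosen + [r], prob * Fraction(r[2], total))

    extend([], Fraction(1))
    return dist


def probability(relays, predicate, avoid_same_as=False):
    """Total probability of circuits for which predicate(guard, middle, exit) holds."""
    by_name = {r[0]: r for r in relays}
    dist = circuit_distribution(relays, avoid_same_as)
    return sum(
        (p for path, p in dist.items() if predicate(*(by_name[n] for n in path))),
        Fraction(0),
    )


def all_same_as(g, m, e):
    return g[1] == m[1] == e[1]


def guard_exit_same_as(g, m, e):
    # The case the thread worries about: one operator sees both ends of the circuit.
    return g[1] == e[1]


if __name__ == "__main__":
    for label, relays in (("concentrated", CONCENTRATED), ("diverse", DIVERSE)):
        p_all = probability(relays, all_same_as)
        p_ge = probability(relays, guard_exit_same_as)
        print(f"{label}: P(all three hops in one AS) = {p_all} ~ {float(p_all):.3f}, "
              f"P(guard and exit in one AS) = {p_ge} ~ {float(p_ge):.3f}")
    p_policy = probability(CONCENTRATED, all_same_as, avoid_same_as=True)
    print(f"concentrated with hypothetical AS-diversity rule: {p_policy}")
```

With the constructed weights, roughly 18% of circuits land entirely inside the one dominant operator, and the share of circuits whose guard and exit sit in that operator is higher still; spreading the same bandwidth over five operators drives the first number to zero without changing total capacity.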
Nice that Tor has features that try to mitigate this, gonna look into that.
I wonder if they could deanonymize traffic even if they don't have insight into every hop. Even in a paranoid ISP->VPN*...->Tor->(Optional proxy)->Internet setup, your exit node netflow is still somewhat correlated to your ISP input netflow, and together with AI traffic analysis that should allow them to narrow down a small list of suspects, at the very least.
That being said, I've never seen something like that mentioned in any court documents. It's common to see "Suspect communicated with (VPN IP) at similar times when (VPN IP) communicated with (Victim IP)", but never with something like Tor. Could still be used to narrow down suspects to then collect more clear evidence on though.
Yep, that's generally possible, although not trivial unless you have a specific person you want to monitor. That's called an end-to-end correlation attack. The passive version is the least reliable. More reliable are active versions that tamper with the stream in order to send a covert signal to the other end (a so-called "tagging attack" where the exit uses a covert channel to encode, for example, the URL that was just visited). One of the most severe variants of this, called the crypto tagging attack, was recently prevented by overhauling Tor's cryptography.
The purpose of the middle node is not to make end-to-end correlation attacks harder, but to decouple the guard (which knows who you are but not what you are visiting) from the exit (which knows what you are visiting but not who you are).
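To make the "guard knows who, exit knows what, middle knows neither" split concrete, the block below walks one layered cell through a three-hop circuit and records what each relay can read. It is an added example, not Tor's protocol or code: the layer cipher is a toy SHA-256 keystream XOR standing in for Tor's real AES-CTR layers, the per-hop keys are constructed rather than negotiated by a handshake, and the hop names, client address and destination are made up.

```python
import hashlib
import json


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream XOR), for illustration only.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(route, dest, payload, keys):
    """Wrap dest+payload in one layer per hop, innermost for the exit.
    Each layer names only the next hop; the rest stays opaque to that hop."""
    inner = json.dumps({"dest": dest, "payload": payload}).encode()
    for i in range(len(route) - 1, -1, -1):
        next_hop = route[i + 1] if i + 1 < len(route) else None
        layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
        inner = xor_stream(keys[route[i]], layer)
    return inner


def relay_cell(hop, prev_hop, cell, keys):
    """Strip one layer and report what this relay learns: who handed it the
    cell, where to forward it, and (exit only) the destination."""
    layer = json.loads(xor_stream(keys[hop], cell))
    inner = bytes.fromhex(layer["inner"])
    view = {"prev": prev_hop, "next": layer["next"]}
    if layer["next"] is None:
        view["dest"] = json.loads(inner)["dest"]
    return view, inner


def run_circuit(client_ip, route, dest, payload, keys):
    """Forward the cell hop by hop; return each hop's view of the circuit."""
    cell = build_onion(route, dest, payload, keys)
    views, prev = {}, client_ip
    for hop in route:
        views[hop], cell = relay_cell(hop, prev, cell, keys)
        prev = hop
    return views


def single_hop_links_both_ends(views, client_ip):
    """True only if some one relay sees the client address and the destination."""
    return any(v["prev"] == client_ip and "dest" in v for v in views.values())


if __name__ == "__main__":
    # Constructed sample: fake client address, fake destination, fixed toy keys.
    keys = {"guard": b"guard-key", "middle": b"middle-key", "exit": b"exit-key"}
    views = run_circuit("198.51.100.7", ["guard", "middle", "exit"],
                        "example.org", "GET /", keys)
    for hop, view in views.items():
        print(hop, view)
    print("single hop links both ends:", single_hop_links_both_ends(views, "198.51.100.7"))
```

The guard's view contains the client address and "middle", the exit's view contains "middle" and the destination, and the middle sees only its two neighbours. Nothing here stops a party that observes both the guard's inbound and the exit's outbound traffic from correlating them by timing, which is exactly the end-to-end attack described above; what the layering buys is that no single relay holds both ends.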
The tweet says:
Any idea which Tzulo location is still using Sharktech?
I have a GreenCloud VPS in Phoenix that uses Tzulo.
Possibly related; when I hear Sharktech, this is what I think about.
They bought these IPs but this was actually from fdcservers. I asked them if I could get a VM with that IP for the funny and they said no