I had been meaning to run a Tor relay for a while. The EFF Tor Challenge [0] motivated me to get it done. It was incredibly easy. If you have a VPS with unused bandwidth, please consider taking a few minutes to set up a Tor relay.
Keep in mind though when setting this up to take a close look at your exit policy settings, to ensure you only route the traffic you want and where you want it.
I spun up a relay at home to play around with, but just skimmed over the exit policy settings and ended up running an exit node. Not a big deal really, as it was only advertised for about 14 hours before I noticed and disabled it. It was only after a few weeks when my girlfriend was complaining she kept getting messages from websites refusing to show her content on the basis that she was connecting over the Tor network (which she wasn't) that I realised my home IP was blacklisted, and it took a while for me to get a new lease and IP.
I'm not telling people to not run exit nodes, but people shouldn't just go and spin up a Tor relay with default settings, because it will by default run as an exit node, and depending on the hosting provider, this may or may not be an issue.
I have a very strong suspicion that Tor is completely compromised, and that's actually how they caught Ross Ulbricht (Silk Road). All the stuff about his previous posting, etc, is tenuous and circumstantial-- it seems totally feasible that it is parallel construction.
The "Tor Sucks" document is from 2012. It talks about the GCHQ running Tor nodes. What could have happened in the years since?
What many people don't realize is that Tor has only ~5000 exit nodes and ~3000 relays. If you control 50% of the nodes, Tor is essentially compromised. Half is ~4000 servers.
Seems like a lot for an individual person, right? Just a rough estimate, at $40/month for a cheap linode VPS, 4000 nodes would cost $160k/month.
But that's _nothing_ for a nation-state. $160k/month isn't even a rounding error. And that's all it costs to _completely_ compromise Tor.
These nation states don't want anyone to know they compromised Tor, so they won't waste it on little fish. They'll save it for real terrorists and major criminal actors like Ulbricht. But if they compromised Tor, they're certainly recording _all_ that activity somewhere. It's sitting in archived storage ready to be mined if necessary.
My suspicion is essentially the opposite: Tor is secure, but the two high profile arrests (Freedom Hosting and Silk Road) were given priority to make the general public a.) feel that the entire function of Tor is illegal and often repulsive activity b.) that Tor is not safe.
The latter part of that theory, that law enforcement agencies intentionally stepped up the resources for both the FH and SR cases in order to intentionally create disgust and distrust of Tor, is of course merely conjecture. Basically I find it an amazing coincidence that the two most notorious parts of the Tor hidden service world were busted very quickly after a huge amount of positive public attention was brought to Tor right after the Snowden leaks. Additionally if you actually look at the details of the FH exploit the FBI unleashed it is fairly useless, but very terrifying when you read just the headline. Legally there seems no useful reason to use such an easy to discover exploit that would have delivered no particularly interesting information. However from the standpoint of creating public fear it worked marvelously. If you talk to even technical people that don't understand security and Tor well they often assume that the feds "hacked Tor". Which, in my opinion, is exactly what state actors want people to think.
As for the former part of the claim, that Tor is secure, look at the Snowden leaks about the methods that the NSA was thinking about for attacking Tor. Egotistical Giraffe, the attack used on FH, as mentioned was not a particularly useful exploit, and attacks user behavior not the network. Other similar leaks also suggest that neither the NSA nor any other state agency has the ability to completely compromise Tor.
Finally, if you are a state agency and you have completely compromised Tor, you would actually want the general public to think it is safe. It is an amazing advantage to have your adversary think they are on a secure line when they absolutely are not. On the other hand if you haven't (and probably can't) compromised Tor you want the majority of people to think you have so that they disregard one of their best tools for defense.
Now of course there is plenty of evidence that federal agencies can perform targeted timing attacks against specific individuals. Tor does not and really cannot guard against this, and this has always been the case and fairly well known. If a state agency is targeting you specifically, I don't think there is anything you can do. However, given the information that is available to us, I do think it's reasonable to assume that Tor is secure from general, large scale, untargeted surveillance.
> All the stuff about his previous posting, etc, is tenuous and circumstantial-- it seems totally feasible that it is parallel construction.
I've done similar things in the past (trying to find a user's real identity, when that user has taken active steps to stop anyone finding out - before you ask, tracking scammers, not doxxing innocents) and to me it sounded totally plausible. He made exactly the same kind of mistakes many of the people I've tracked down did, and they found him the same way I would have gone about it.
- Accessing BBC Liveplayer as if I'm in England (using lots of normally discouraged add-ons and defined exit-nodes)
- Bypassing paywalls (possibly still criminal?)
- Bypassing censorship (which is what it really is) on organizational wifi networks (in Canadian hospitals). The funniest block was to ginger.io, a big data smartphone data analysis play (but blocked by an over-aggressive filter for obvious reasons).
Does anyone else have some unexpected/interesting use cases?
I use Tor hidden services to punch through NATs (mostly for SSH); it's also useful in that only you can access the service (since only you know its address), so a hidden service + random port is a cheap "port knocking" implementation.
I've also used Tor to debug firewalls. It's a good way of saying "put me in a random spot on the Internet."
Outside of that, I use Tor for whatever I can: downloading RSS feeds, instant messaging, downloading email, mostly. There's no reason not to have Tor on these things because they're all either batched or tolerant of bad latency, and it destroys a little bit of my personal information that would otherwise leak.
Commenting on a news site which shows the IP address, from work, after some incident where the IP got banned for a while for some comment. The problem is that a simple Google search with the IP and the site in question shows all the comments you wrote "anonymously" from work, and it may cause problems.
Also TOR is heavily used by shills on the same sites (namely Russian ones), so it's not too uncommon to stumble upon an IP that is already banned.
:( on the BBC one. There are plenty of free proxies that you could use that wouldn't waste the Tor network bandwidth for something that doesn't really need 100% anonymity.
I'm probably going to take some flak for this, but I don't trust Tor. When you access Tor, you're masking your origin IP to the remote address by trusting one of a couple hundred volunteer exit nodes who raised their hands and said "Trust me! You can route all of your internet traffic through me and I promise I won't monitor or inject anything..."
I think most Tor users don't have an adequate understanding of the threat model. It doesn't help that the Tor Project has at times upsold the anonymity provided to a ludicrous extent[1] (to be fair, they do address the risk in their FAQ[2]). Is it more likely that Comcast will MITM me, or some random exit node? I might expect Comcast to maybe inject an ad into an HTTP connection or do some DNS redirect to shoot me an advertisement, but I don't worry about them stealing my credit card or injecting a buffer overflow or something. In fact, they have a profit incentive to not do so. I don't have that guarantee with a random exit node. It might be a generous privacy advocate, or it might be someone who has more nefarious profit incentive in mind[3]. If you're only connecting through Tor just to avoid the NSA, then you have to assume that both a) the NSA is targeting you to begin with, and b) that exit node you're going through isn't controlled by the NSA (or GCHQ/FSB/PLA/etc).
sslstrip[4] undermines the prospect of protecting yourself by connecting solely over SSL through Tor. Even then, in my experience more than half of the sites I visit don't support SSL to begin with. The HTTPS Everywhere plugin that EFF provides and is included in the Tor Browser Bundle is implemented backwards - it connects over SSL only when the site matches a whitelist[5] (I use KB SSL Enforcer on Chrome myself).
Sorry if this came off as a rant - I just see too many articles like this that prop up Tor as a silver bullet without discussing the risks and establishing an adequate threat model that allows the user to make an informed decision regarding the risks/benefits of using Tor.
Let's address your concern by talking about security and probability for each of those issues.
Credit card thieves in Comcast vs in TOR. Given the number of employees who have remote access to customers' routers (i.e. support), sysadmins that have remote server access, and personnel who have physical access to switching equipment, what's the risk that one of those people has a criminal record? This will always be non-zero, and one can never actually test it.
In TOR, this risk can be tested[1]. An exit node can be probed by sending unique credit card numbers or other profitable personal information, and then observed by seeing what the node owner does. If they act on the information, the node then gets blocked. You can not do this with Comcast since your identity is known to the personnel of Comcast.
The NSA threat, as talked about, is reduced by using TOR. Doing statistical analysis is in theory possible but in practice very hard. Out of all the Snowden leaks, not a single one presents this as ongoing work. Non-tor traffic analysis is however presented as business-as-usual and should be assumed to happen at every point in the network.
Last, the HTTPS Everywhere you mention is a direct answer to the SSLstrip for the most commonly used websites. Claiming it is implemented backwards because it uses a blacklist is a bit unfair, since blacklist and whitelist each have their own tradeoff in security. HTTPS Everywhere has no false positives and protects against the common threat, but will be vulnerable against uncommon ones. If they had gone with a HTTPS-only approach, it would have caused an extreme amount of false-positives, and users would have turned it off. This trade-off (security vs false positives) is commonly the distinction between user products and server products.
KB SSL Enforcer does not protect against sslstrip and MITM[2] for new installations. If the Tor Browser Bundle included KB SSL Enforcer, it would worsen the security of the Bundle compared to HTTPS Everywhere, and would be counter to the design. Rather than leaving no records of the sites you go to, KB SSL Enforcer has to record and permanently store it.
I hope you realize you just described the entire Internet. Which is the ultimate irony of complaining about the security of tor: you're trusting someone else to forward your packets. Yes, yes they can modify the traffic to and from your host, and yes, yes they can monitor everything you're doing. The difference with the non-tor Internet is that it's far far easier to do that.
I think the key is that Tor should only be used with HTTPS connections. Anyone that's like "zomg, my HTTP connections are being recorded by Tor exit nodes don't use Tor!" is kinda being a bit silly. I know personally people that have designed hardware for major ISPs to specifically record HTTP traffic for non-benign purposes.
I don't trust Tor for a completely different reason: you become a threat. Just by sending Tor traffic from your home, you're flagged as a potential active monitoring target, and I don't really need the additional heat.
>you're masking your origin IP to the remote address by trusting one of a couple hundred volunteer exit nodes
No! When using Tor, you are not trusting any single node, and that's the whole point. The exit node does not know your IP or anything else about you, and the other nodes do not know what server you're communicating with. And you should never send any personal information over Tor, such as your credit card, because the end server would be able to identify you and steal that information (and why would you trust the end server? The idea is not to trust anyone when using Tor.)
The simple answer is most people that use an electronic device -- Tor or otherwise -- have no idea what they are doing. Because Tor is advertised as extremely safe, they think they are safe. Anyone wanting an interesting stream of data just has to operate as many exit nodes as their budget can handle.
a) The NSA collects first and targets later
b) The NSA may control the exit node your traffic is going through vs the NSA collects all network traffic from everywhere.
"It is also important to remember that if you log into services like Google and Facebook over Tor, you will be sacrificing your anonymity to those services."
It is important to note that both Google and FB can track you on 3rd party websites through things like "Like" button. Consider disabling 3rd party cookies completely or using plugins like Ghostery.
I've been browsing the internet for 15 years with 3rd-party cookies disabled.
I never had ANY problems with any website - no idea if there would have been more functionality with 3rd-party cookies enabled. But then again, how can functionality depend on THIRD parties?
Also activated the setting for my girlfriend years ago, no complaints so far.
This feature should really be the default for any browser and any user. Too bad Android Chrome doesn't have such a setting. Too bad for Google I'll use something else instead.
I have always wondered about that. What if I completely switch all my network traffic to Tor and continue using all the services as I currently do? What are the implications involved here?
It ate all my monthly bandwidth limit within an hour. By simple analysis I found out it's mostly BitTorrent traffic, but I didn't dig very deep so I might be wrong.
I would love to run a Tor relay, but I just do not have unlimited bandwidth to do that.
It would seem there is more demand than supply when it comes to Tor relays. If there were a safe, anonymous way to pay for using Tor relays (Torcoin?), then there would be a lot more incentives to have people run relays. That means the speed will be bumped up and at one point there will be an equilibrium between supply and demand. The system might also provide preferential treatment to users who are willing to pay more.
There is an option in the config to limit the amount of bandwidth used by the relay.
BandwidthRate N bytes|KBytes|MBytes|GBytes
In combination with accounting you can limit monthly or daily usage - has to be over 30kb/s to be usable by the network, so may not be feasible, but worth knowing.
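Added example, not part of the original comments: a small Python check for the two relay-setup points raised in this thread, an exit policy that was never stated explicitly and a relay with no bandwidth or accounting cap. The sample torrc texts are constructed; `ExitRelay`, `ExitPolicy`, `BandwidthRate`, `BandwidthBurst`, `AccountingStart` and `AccountingMax` are real torrc options, while the function names and finding codes are illustrative, and the policy check only recognises a catch-all `reject *:*`.

```python
"""Audit a torrc for the relay pitfalls discussed in this thread (added example)."""

# Constructed sample configs, not taken from any real relay.
SKIMMED_TORRC = """\
# relay set up in a hurry: exit policy and bandwidth never looked at
Nickname examplerelay
ORPort 9001
"""

REVIEWED_TORRC = """\
Nickname examplerelay
ORPort 9001
ExitRelay 0
ExitPolicy reject *:*        # relay traffic only, never exit
BandwidthRate 500 KBytes     # sustained rate cap
BandwidthBurst 1 MBytes
AccountingStart month 1 00:00
AccountingMax 200 GBytes     # hibernate once the period's quota is used
"""


def parse_torrc(text):
    """Return {lowercased option: [values...]}, keeping repeated options in order."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(parts[0].lower(), []).append(value)
    return options


def exit_status(options):
    """Classify the config as 'non-exit', 'exit' or 'implicit' (nothing stated)."""
    relay_flag = options.get("exitrelay", ["auto"])[-1].lower()
    if relay_flag == "0":
        return "non-exit"
    # Rules are evaluated first-match, so walk them in the order written.
    for value in options.get("exitpolicy", []):
        for rule in value.split(","):
            parts = rule.lower().split()
            if len(parts) != 2:
                continue
            action, target = parts
            if action.startswith("accept"):
                return "exit"
            if action == "reject" and target == "*:*":
                return "non-exit"
    return "exit" if relay_flag == "1" else "implicit"


def audit(text):
    """Return a list of (code, message) findings; empty means nothing to flag."""
    options = parse_torrc(text)
    orports = options.get("orport", [])
    if not orports or all(v.split()[0] == "0" for v in orports if v):
        return []  # no ORPort: client-only config, not a relay

    findings = []
    status = exit_status(options)
    if status == "exit":
        findings.append(("exit-enabled",
                         "Exit traffic is allowed; confirm the host and provider accept that."))
    elif status == "implicit":
        findings.append(("exit-policy-implicit",
                         "No ExitRelay/ExitPolicy line; exit behaviour is left to the "
                         "installed version's defaults. State it explicitly."))
    if "bandwidthrate" not in options and "relaybandwidthrate" not in options:
        findings.append(("no-bandwidth-rate",
                         "No BandwidthRate; the relay will use whatever the link offers."))
    if "accountingmax" not in options:
        findings.append(("no-accounting-max",
                         "No AccountingMax; nothing caps usage per accounting period."))
    return findings


if __name__ == "__main__":
    for name, text in (("skimmed", SKIMMED_TORRC), ("reviewed", REVIEWED_TORRC)):
        findings = audit(text)
        print(f"{name}: {'ok' if not findings else ''}")
        for code, message in findings:
            print(f"  [{code}] {message}")
```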
"4. No One in the US Has Been Prosecuted For Running a Tor Relay"
That's a bit of a misleading statement. I'll agree that there haven't been any people prosecuted because they ran a TOR relay directly but there has been at least one case where they prosecuted or at least harassed a guy on child pornography charges because he was running a TOR exit node and saw the activity coming from his IP. Perhaps that wasn't in the US but still.
I agree Tor isn't as slow as many think. It's just slightly slower. My biggest problem with Tor, though, is having to enable Javascript even for common tasks, like logging in to Reddit, which hopefully they aren't doing on purpose, considering Reddit is known for a site where you can use pseudonyms as much as you want.
One usually sees a list like this presented as debunking myths. The myths are given bold headings that state the opposite of what the author wants to say. This format is so much clearer because they state the position they are taking instead of the opposite of their position.
>A live CD would not have helped any FreedomHosting victim.
Yes it would have. That attack relied on both a Windows-specific vulnerability, and accessing the internet without Tor. Neither would have happened to a user of Tails.
established accounts are allowed to use tor on HN. If you make an account over tor, its posts will be killed for two weeks, then it will be a normal account.
I guess we should also include that with every Linux kernel release too. The US government has funded a lot of publicly available security technology that you may not even be aware of, even through the NSA (SELinux).
It is a good thing the US government supports these things.
The protocol and the code are open. It doesn't matter who funds it, but let it be also clear that the US government is one of the funders. Also, the government is not one coherent entity that all of its bodies want to spy on people.
>They have been able to compromise certain Tor users in specific situations. Historically this has been done by finding an exploit for the Tor Browser Bundle or by exploiting a user that has misconfigured Tor.
I'm not touching TOR until I figure out how they managed to capture Ross Ulbricht.
He exposed his email address containing his name as a contact email for silkroad business, so he pretty much gave himself in. With that kind of "attention to details", I wouldn't be surprised if he even had misconfigured TOR.
This isn't accurate. It doesn't mention that the U.S. government can in very high likelihood de-anonymize users, sometimes even without cooperation from foreign governments, and sometimes even ISPs can do that.
[+] [-] cottonseed|11 years ago|reply
[0] https://www.eff.org/torchallenge/
[+] [-] iamtew|11 years ago|reply
[+] [-] hendersoon|11 years ago|reply
https://metrics.torproject.org/network.html
[+] [-] Homunculiheaded|11 years ago|reply
[+] [-] ZoFreX|11 years ago|reply
[+] [-] Scoundreller|11 years ago|reply
[+] [-] tedks|11 years ago|reply
[+] [-] cLeEOGPw|11 years ago|reply
[+] [-] glomph|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] csandreasen|11 years ago|reply
[1] http://betaboston.com/news/2014/05/07/as-domestic-abuse-goes...
[2] https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRo...
[3] http://threatpost.com/small-number-of-malicious-tor-exit-rel...
[4] https://www.youtube.com/watch?v=ibF36Yyeehw
[5] https://www.eff.org/https-everywhere/faq
[+] [-] belorn|11 years ago|reply
[1] http://www.slideshare.net/FreeLeaks/exposing-malicious-tor-e...
[2] https://code.google.com/p/kbsslenforcer/wiki/FAQ
[+] [-] growupkids|11 years ago|reply
[+] [-] 3pt14159|11 years ago|reply
[+] [-] darsham|11 years ago|reply
[+] [-] AJ007|11 years ago|reply
[+] [-] totoroisalive|11 years ago|reply
When you use TOR you should be aware of the trade offs.
The golden rule is don't trust something you don't understand, even if you do, don't trust.
[+] [-] gipp|11 years ago|reply
[+] [-] bigbugbag|11 years ago|reply
Using Tor does add an additional anonymity layer.
[+] [-] lsh123|11 years ago|reply
[+] [-] thejdude|11 years ago|reply
[+] [-] spenvo|11 years ago|reply
Ghostery is great but lacking in some respects, check out the https://www.eff.org/privacybadger project
[+] [-] donniezazen|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] runn1ng|11 years ago|reply
[+] [-] maest|11 years ago|reply
Discuss.
[+] [-] deathcakes|11 years ago|reply
[+] [-] frozenport|11 years ago|reply
[+] [-] Istof|11 years ago|reply
[+] [-] nanoscopic|11 years ago|reply
The described attack on Tor may not be well known, but at the very least I told the FBI how to do it myself, so they certainly know about it.
[+] [-] maerF0x0|11 years ago|reply
[+] [-] pmorici|11 years ago|reply
[+] [-] hackerboos|11 years ago|reply
https://rdns.im/court-official-statement-part-1
[+] [-] higherpurpose|11 years ago|reply
[+] [-] SquareWheel|11 years ago|reply
[+] [-] zargon|11 years ago|reply
[+] [-] mschuster91|11 years ago|reply
The only way to do secure TOR is to use a distinct machine (NOT a VM!) as a gateway.
[+] [-] dublinben|11 years ago|reply
[+] [-] zoobear|11 years ago|reply
[+] [-] woniesong|11 years ago|reply
[+] [-] throwaway2048|11 years ago|reply
[+] [-] cowbell|11 years ago|reply
How did the feds take down silk road?
The "tor stinks" slide was over a year old when these events occurred. A lot can change in a year.
[+] [-] rsync|11 years ago|reply
Any list of things you should know about tor should include that.
[+] [-] jonnybgood|11 years ago|reply
[+] [-] growupkids|11 years ago|reply
https://www.torproject.org/about/sponsors.html.en
[+] [-] pekk|11 years ago|reply
[+] [-] middleclick|11 years ago|reply
[+] [-] sirdogealot|11 years ago|reply
I highly doubt that he had his TOR misconfigured.
[+] [-] cLeEOGPw|11 years ago|reply
[+] [-] paletoy|11 years ago|reply