Installing Tor on OBSD3.8
Jens Ropers
ropers at ropersonline.com
Wed Aug 23 14:07:19 PDT 2006
On 23/08/06, openbsd-newbies-request at sfobug.org
<openbsd-newbies-request at sfobug.org> wrote:
> Subject: Re: Installing Tor on OBSD3.8
> > Marius and others have noted the drop-off in speed. That is really a
> > no-no. One of the pleasures of DSL is the speed. So, an alternative
> > approach: how does one go about anonymizing one's IP address in the way
> > described? The three computers behind the firewall at present still are
> > assigned to my DSL's fixed IP address. This means of course that the IP
> > address is not anonymized to the outside world. Is there a way to
> > anonymize that or would privoxy do the trick?
> >
> Anonymizer.com used to have a free service years ago that worked with
> most browsers/platforms, but I just looked at their site and it
> appears that now it's a Windows-only download.
>
> You might want to Google for "anonymous proxy" or "open proxy", and
> find a list of open proxy servers that you can bounce your traffic
> through. Of course then you have to trust the proxy to not monitor
> your traffic, and not be an NSA listening post. ;-)
>
> I've used some open proxies to test localisation features on a client
> site (detecting the location of the IP address), but I assumed that
> anything I entered was neither anonymous nor private.
>
> //mts
I was going to suggest one-hop proxies, but mts said it first.
(Anonymizer is one example of a one-hop proxy. proxify.com is another
I know of.) Most surviving one-hop proxies (that I know of) are not
however free, or their free service is limited. Most offer a very
*moderate* amount of anonymization for a fee. Proxify has a page up
that you can visit and it will tell you everything that just about any
webpage out there can trivially easily find out about you based on
your IP address and environmental variables. That page is
http://proxify.com/whoami/
If you surf through a proxy (including Proxify themselves) that page
should give different information about you -- this is good for seeing
if your proxy/TOR install works.
I am not sure whether proxify only allows web-based anonymization, or
whether you can directly send traffic from your OpenBSD box through
their service.
!!! Be very aware however of the __limitations__ of one-hop proxies
and consider carefully what your threat model is. !!!
One of the best ways to learn about this is by visiting the websites
of the various HOPE conferences. Go to 2600.com -- the HOPE pull-down
menu on the top right has links to the first five conference sites and
the link to the recent sixth HOPE is above. Except for the very first
HOPE, there are audio recordings online for most of the talks and you
can even buy DVD recordings for the more recent ones. I think on the
fifth HOPE there were several very good panels about anonymity -- go
look^Wlisten.
Basically it runs down to this:
Let's say you're Bob, your one-hop proxy is (run by) Isaac, the web
site you're visiting is (run by) Alice and Eve is an Eavesdropper out
there.
Going through Isaac's one-hop proxy can prevent Alice from collecting
your IP and environmental info IFF Alice is not sharing data with Eve.
For this you will have to trust Isaac absolutely. Isaac knows your
real IP and may keep logs (you can't check whether he does or
doesn't). If Isaac keeps logs then maybe Eve can subsequently get a
warrant or steal that log data from Isaac and bingo -- By teaming up
with Alice, Eve now knows everything you did.
And if Eve is already actively wiretapping in real time, and if Eve
has sniffers sitting on the network both between you and Isaac and
between Isaac and Alice, then your privacy and anonymity are also
toast.
Thus:
One-hop proxy:
Protection against minor dishonest web site operators casually collecting your info -- Yes.
Protection against major "first world" governments really intent on snooping on you -- No.
TOR is much better than a one-hop proxy, but its improvement in
security comes at a major speed penalty and because of the low latency
that web surfing requires, it's still FAR from perfect. Anonymous
email systems are MUCH more secure, because the higher latency of
email allows for that.
It really depends on what you want to do.
For secure communication I would recommend open source public key
cryptography (compiled on known good, non TPM** infested hardware)
coupled with steganography.
If your life and/or liberty depends on whether you're found out to
have looked at a webpage your government doesn't like, I would get a
REALLY trusted friend WELL outside of that government's reach to surf
to that "hot" page, encrypt the page's content with PGP, encapsulate
it with steganography, and email it to me via an anonymous remailer
(Mixmaster/Mixminion/Cypherpunk or similar), but not after first
sending me some fairly innocuous porn in the same fashion, so I'll
have both plausible deniability and a lesser "crime" to confess to if
questioned. Theoretically your friend could also steganographically
hide the PGP encoded content in porn pictures and spam them to a few
hundred thousands of addresses, including yours. He won't be making
any friends doing that though. None of this will do you any good,
though, if Eve is the government and can seize your PC and
forensically analyze it. Also, both hardware and software keyloggers
are not unheard of in the business. What you could do is use a Live-CD
system that runs entirely in RAM and never save the "hot" content
anywhere on your end. ESPECIALLY NOT on magneto-optical disks or mass
storage devices! And do a fair bit of "burn-in" RAM testing after
looking at the "hot" content.
If however you want a system that will allow live full-speed
websurfing and protect you from Eve finding out what you're looking
at, forget about it. That system doesn't exist, and moreover, if Eve
is the NSA, then she's already got your data -- it's just a question
of whether or not you're interesting enough to warrant anything above
and beyond aggregate data analysis.
Good luck, and whatever you do, don't ruin anyone's life in doing it!
Jens
PS: http://en.wikipedia.org/wiki/Steganography
http://en.wikipedia.org/wiki/OS_fingerprinting
http://en.wikipedia.org/wiki/GPG
http://en.wikipedia.org/wiki/Characters_in_cryptography
Also read Bruce Schneier and his Crypto-Gram newsletter (As of this
writing, Schneier.com is inexplicably offline, though.)
Glossary:
**TPM -- http://en.wikipedia.org/wiki/Trusted_Platform_Module
"A trusted computer is literally and exactly a computer you cannot
trust." -- Michael Sims
--
www.ropersonline.com