801
|
Other / Off-topic / Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
|
on: August 05, 2013, 12:46:46 PM
|
In any case, wouldn't it be possible to build it right into the browser? I mean, everything in the browser, all plug-ins, etc... would either not work, or would have to go through tor. That'd be much more convenient than having to completely re-boot into an entirely different OS just to use tor.
You don't need to reboot anything. It's working with 2 virtual machines on top of your actual OS.
|
|
|
802
|
Other / Off-topic / Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
|
on: August 05, 2013, 03:10:29 AM
|
What? Then what's the entire point of tor? Wtf?

I still don't see how JS is getting my IP, though. I'm using TOR, the browser is the TOR browser. I assume (I'm not an expert) that all connections through that browser have to hop through tor, right? So how is the JS opening the connection outside of TOR, in order to get the IP?

It's a script so it can do quite a number of things. One thing it can do is launch different protocol handlers, i.e. Flash, which when launched won't know to connect through the Tor client and will connect through your regular connection - because that's what it does by default. So you'd load the site on Tor and some component thereof on your regular connection, which needless to say, compromises your identity.

Wow, I thought tor protected you from this kind of hack in some way. Isn't there some way of stopping all non-tor connections automatically? I mean, like doing some way of catching all traffic that isn't through tor, and blocking it all. Clearly it would get in the way sometimes, but going without JS sorta makes the majority of websites useless. I was under the impression there was some 0-day firefox exploit that allowed the hacker to download some .exe (or equiv) file to the client computer and execute it, and get the IP in that way. In a perfect world, there would be an https-style warning "this site is attempting to display some content to you outside of the tor network, do you want to allow" or the like.

Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network[5], Debian GNU/Linux[6] and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP. Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.
https://whonix.org/wiki/Main_Page
|
|
|
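A detection-side illustration of the question raised in the post above (spotting connections that do not go through Tor), added here as an example and not part of the original thread. The sample lines are constructed in the layout of `ss -tnp` output, and the process name `tor` and the function names are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed sample in the layout of `ss -tnp` output: state, queues,
# local address, peer address, owning process. Addresses are documentation ranges.
SAMPLE = """\
ESTAB 0 0 127.0.0.1:51234 127.0.0.1:9050 users:(("firefox",pid=2101,fd=44))
ESTAB 0 0 192.168.1.20:40112 198.51.100.7:9001 users:(("tor",pid=901,fd=12))
ESTAB 0 0 192.168.1.20:40990 203.0.113.45:80 users:(("plugin-container",pid=2188,fd=9))
ESTAB 0 0 [::1]:51300 [::1]:9050 users:(("curl",pid=2300,fd=5))
ESTAB 0 0 192.168.1.20:41555 203.0.113.9:443
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def split_host_port(endpoint):
    """Split '1.2.3.4:80' or '[::1]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def find_leaks(ss_output, tor_process="tor"):
    """Return (process, peer) pairs for connections that bypass Tor.

    A connection is acceptable if it stays on loopback (for example a
    browser talking to the local SOCKS port) or is owned by the Tor
    daemon itself. Anything else reaches the network directly.
    """
    leaks = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        peer_ip, _ = split_host_port(fields[4])
        match = PROC_RE.search(line)
        # No process column means the owner is not visible; report it anyway.
        process = match.group(1) if match else "unknown"
        if peer_ip.is_loopback or process == tor_process:
            continue
        leaks.append((process, fields[4]))
    return leaks

if __name__ == "__main__":
    for process, peer in find_leaks(SAMPLE):
        print(f"direct connection outside Tor: {process} -> {peer}")
```

A check like this only reports leaks after the fact; the gateway/workstation split described in the post prevents them at the network level.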
803
|
Other / Off-topic / Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
|
on: August 05, 2013, 02:27:11 AM
|
I am still a bit confused, are the users that were injected/infected the ones affected, or all users of the Tormail, i.e. the database and all data within it? I really can't derive this from the story. Both are important, but one is a lot more potent!

According to a Sunday blog post by the Tor Project's Executive Director, Andrew Lewman, the servers of Freedom Hosting were breached before the service went offline. "From what is known so far, the breach was used to configure the server in a way that it injects some sort of JavaScript exploit in the Web pages delivered to users," Lewman wrote. "This exploit is used to load a malware payload to infect user's computers."

They most likely dumped all databases if they could but didn't physically seize the servers since they don't know the exact location.

The servers themselves are likely run on a "bulletproof" hosting service in Romania or Russia; Irish law enforcement authorities told the court Friday that Marques had transferred large sums of money to accounts in Romania and had been investigating obtaining a visa to enter Russia.
http://arstechnica.com/tech-policy/2013/08/alleged-tor-hidden-service-operator-busted-for-child-porn-distribution
|
|
|
807
|
Other / Off-topic / Re: Half of all Tor sites compromised, Freedom Hosting founder arrested.
|
on: August 05, 2013, 12:15:37 AM
|
Hmm, to be honest I haven't realized the magnitude. What happened exactly?

Was this strictly a client side exploit or was something used to reveal the real IP of the server? The way it seems, people should probably stop using SR for a while, at least until there is more information on the exploit that was used.

So yes, in contrast to my previous assessment this might really spark some panic regarding SR's future and so the price of Bitcoins.

Somehow they got the IP of the server and put the 0 day exploit up to track the users who were going on the site. That's IF the account of the story is real. My guess is the guy fucked up and got compromised somehow. Nobody knows at this point, even the TOR people are waiting to hear. All users would have been safe if they would have disabled javascript. God damn noobs.

That's why Whonix seems pretty safe. It uses one virtual machine as a proxy to Tor and a second one for browsing and doing stuff. The second virtual machine only has connectivity to the first virtual machine so the IP address can't leak even when compromised.
|
|
|
810
|
Other / Beginners & Help / Re: Is there any way the NSA could associate my public key with my IP address?
|
on: August 04, 2013, 11:09:56 PM
|
If you just receive then no, but if you send and don't have any anonymizer (VPN, Tor, proxies) etc., then the IP is logged.

Only the IP of the first relaying nodes so it's far from reliable. Still a good idea to set up bitcoin-qt to use Tor (it's built into the options) as a proxy if you're paranoid about staying anonymous. Install Tor and tick that box and you're ready to go.
|
|
|
819
|
Local / General discussion and use of Bitcoin / Re: How much power to crack a private key?
|
on: August 04, 2013, 04:18:42 PM
|
We'll have to wait for quantum computers ^^

I read that if the address isn't reused, even a quantum computer can't crack the private key. [...]

Quantum Computer capable of implementing Shor's algorithm against 256 bit keys (ECC protecting bitcoin addresses) is far beyond capabilities of current systems (we are talking about tens of thousands of qubits). It also requires the public key to be known. A Bitcoin address is a hash of the public key, and the actual public key remains unknown until an address is used to send funds. This is one reason why addresses shouldn't be reused. While not bulletproof it would provide resistance to attack by QC during a transition to a stronger address type. Bitcoin could be extended to support post-quantum cryptography. As for QC being used to mine Bitcoins, generally speaking Shor's algorithm can't be used against hashing functions and symmetric encryption algorithms. Lastly there is no known QC algorithm to solve the somewhat unique problem of Bitcoin mining. Grover's algorithm can be used to reverse a single hash however it only produces a modest speed improvement and in mining Bitcoin one isn't looking for a single valid hash but rather a set which consists of quadrillions of valid hashes. It is not a given that QC will EVER provide a superior/faster/cheaper method of solving blocks.

Old wallets are not a problem. You wouldn't even need to keep the wallet in any particular form. The private keys for the address(es) holding the funds are all that is needed. Bitcoins never expire, and private keys don't go stale. It may help to think of the Bitcoins not in your wallet but being on every copy of the blockchain spread across tens of thousands of nodes. Your wallet doesn't contain Bitcoins it contains the keys which allow you (or your heirs) to spend those Bitcoins. As long as the key remains uncompromised coins can be spent as long as the network exists. I would recommend generating a set of keypairs offline (there are utilities to accomplish this) and then storing the private keys and corresponding addresses on more than one medium in more than one location (i.e. a MDIC in a home safe, and paper printout in a safety deposit box).
[...] https://bitcointalk.org/index.php?topic=266543.msg2850852#msg2850852
|
|
|
|