Letter Re: Tor and the Illusion of Privacy

JWR;
I had noticed some mention of Tor and I believe there was some mention of alternatives to Tor as well, to better protect one’s privacy on the web. I really hate to say this, but anonymity on the net really only exists as fiction these days. Tor has had problems with its exit nodes for a very long time and there was a lot of talk in the “penetration testing” community about the FBI using Tor to set up stings last summer. One can use a VPN (virtual private network) that claims to keep its users’ secrets secret, but there is that incident where a member of “anonymous” had his activities reported to the FBI by the VPN provider he was using. (I believe it was the “Hide My Ass” VPN service.) Proxy servers, both public and private, but mostly the public ones, leak tons of information to other people using those networks. Sometimes, a simple program like Wireshark is all that is needed to gather the info required to identify and track users. Let’s also mention that the https encryption protocol has also been cracked as well. There is also the i2p network, which until recently was the best way to go for your proxy server needs (in my humble opinion), but even that has been cracked (look up “Practical attacks against the i2p network”). As a person who has dabbled in the field of “penetration testing” I can tell you with absolute certainty that if someone is properly motivated they will crack the programs and services people use to remain anonymous online, or those service providers will gladly turn over your info when pressed by law enforcement.

In summary I would like to say that in this digital age, the programs and services you use to protect your data and anonymity may be safe to use today, but probably won’t be safe to use tomorrow, or next week. – E.

JWR Replies: Your points are valid. Something that most Tor users don’t realize is the last exit node in a Tormail route is not hidden. As far back as 2007, we were warned:

“It should be noted that Tor does not do anything above the protocol level to anonymize traffic. Cookies, browser identification strings and other information can be used to identify who is using the connection to anyone with access to the traffic. Obviously, logging in makes that even easier. Another known threat to anonymity using Tor, even with end-to-end encryption, is timing analysis. If someone can monitor the timing of the packets at the client and those at the server, they can make a statistical correlation between the two.”

What cannot be hidden electronically can be exploited by HUMINT methods like Swallow/Raven honey traps, or good old-fashioned coercion–whether it is Luigi threatening to use a baseball bat on some SYS ADMIN’s kneecaps, or just mentioning that he could have his IRS buddies do six years of tax audits on the IT guy, or on his mother.