I've heard people say that TOR is no longer safe. How true is this? I know that letter agencies do everything they can to control nodes etc. and that Mozilla runs a ton of relays, so idk. It scares me because I don't know of an alternative.
Is TOR still a viable way to stay anonymous?
>staying completely anonymous on the internet.
No way to do it OP
>>52033067
>I know that letter agencies do everything they can to control nodes etc.
the US millitary own like half the nodes, that does not automatically mean they have full access, but researchers at Carnegie Mellon found a way to find people through Tor. they were about to present their findings on DEF CON a couple of years ago, but canceled the day before or something and would not say why. so we don't know if they really did, but we do know that if NSA individually pick you up, then they might find out about you. I do not think you will get be part of the mass surveilance that the rest are. there are alternatives to 'Tor like i2p and freenet wich no known weaknesses.
>>52033090
I understand it as a perpetual cat and mouse game. Obviously nothing is foolproof
>>52033325
Yes but think of it as more of a Godzilla and mouse game. Most hardware companies are installing back-doors on their devices. The NSA has been proven able to decrypt almost all forms of communication and as >>52033199 said the government owns about half of the Tor nodes. It's pretty much hopeless to be honest family.
>>52033199
>but researchers at Carnegie Mellon found a way to find people through Tor
They did not.
They cancelled because it was a false alarm.
Tor is as secure as it ever was. Nothing has changed.
Tor itself is still secure. The hardware you use and the software you use might not be though.
>>52033199
If you're doing low level stuff you'll probably just be lost in the noise right? I doubt they have the budget/manpower to track an individual simply for using TOR without prior suspicions
>>52033493
A lot to risk for likely little gain.
Dont listen to this idiot >>52033399
The government doesn't run half the nodes. The government requires third parties like Carnegie Mellon to find vulnerabilities, why would it need to use them if they have so much control?
In any case, you can look at who owns which servers here: https://atlas.torproject.org/
https://www.torproject.org/docs/faq.html.en
>>52033493
This. Buying some drug occasionally is different from preparing a mass-killing with explosives.
>>52033524
https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-tors-exit-nodes/
Besides, even if all nodes can be considered trusted, your hardware can't be.
>>52033540
Terrorists don't use tor anyway so government agencies don't really bother with it.
>>52033540
Tails and Tor protected Snowden, I have no doubt that there is no way to make yourself a bigger target than Snowden did. If it can protect him, then you're safe too. That said, you should take other measures in concert with Tor to remain safe. Search for "Jolly Roger Guide"
Even if the government did own half the nodes you'd still be fine. The way tor works, someone needs to own at least 80% of the nodes before it becomes dangerous to use.
Nobody controls enough of the nodes to matter. There's never been an exploit against it demonstrated. Just a lot of baseless FUD. For all we know, the Carnegie Mellon researchers discovered an error in their data or procedure that changed their conclusion. More likely what they had was a timing attack that requires you to be able to listen to a huge percentage of Internet traffic, which is an exploit that's been known to be theoretically possible for quite a while. It doesn't work if you run a relay, though.
>>52033578
I use libreboot with Tails. Its as safe as you can get. As long as you haven't been previously targeted, Tor will protect you.
Exit nodes can look at http data, everything else is safe. HTTPS Everywhere is installed by default on the Tor Bundle Browser.
>>52033643
The CM research was subpoenaed by the FBI and used to arrest a few dark market vendors. It's since been fixed. There was also an attack against a Firefox bug that had been fixed at the time, so it only effected out of date Tor Browser Bundles.
>>52033608
That likely brought it to the limelight though. Even though most terrorists are simply using SMS on burner phones, you know the NSA is fishing for vulnerabilities 24/7, and probably would not bust anyone until they got the maximum amount of people
>>52033784
It's a cat and mouse game. The Tor project has been alive for 15 years. As of 2013 we know that they cant penetrate the network on a large, or even targeted, scale. There have been vulnerabilities that leaked some data, but they could never pick and choose whose data they were intercepting.
You must also be aware that intelligence agencies often use shadow games to make people think they're omnipotent.
>>52033067
There is the alternative russian malware makers use: socks proxies from cibercrime sites, for 0.3$ a day you get a proxy
>>52033067
>TOR
https://www.torproject.org/docs/faq.html.en#WhyCalledTor
>Safe to use?
https://www.torproject.org/docs/faq.html.en#Backdoor
>Alternative?
https://prism-break.org/en/categories/gnu-linux/
See Anonymising networks
>>52033849
What do you mean by shadow game?
Pay attention to when china breaks tor. They're actually trying.
>>52033965
He means yugioh m8
>>52033965
They use disinformation, outright lies, and posturing to hide what their capabilities are. The only information that should be trusted is the information they shared amongst themselves when they thought nobody was listening: the Snowden leaks.
>>52033656
Yeah if you've already been targeted there's not much you can do.
its also slow as fuck. the only point to have Tor is getting around ip bans and anonymous surfing. they got to scrap firefox and build from scratch.
>>52034002
I play my /g/tard in defense position
Your move weevil
>>52033436
>They cancelled because it was a false alarm.
Then they would have said it, now wouldn't they. why be secretive about why they canceled and just cancel at the last minute?
>>52033524
>The government requires third parties like Carnegie Mellon to find vulnerabilities
I believe that was found without government involvement, which is why they were forced to close the talk, if it was secret from the beginning they would not publish preliminary papers and set up a talk.
>>52033849
This post got me thinking. What if the Snowden leaks were an elaborate ploy by the US government? Think of what it may have accomplished.
>Scared into submission many would be terrorists and cyber criminals
>Planted an agent into a competing foreign power
>Leaked false sensitive data that many foreign powers believe to be real.
Highly unlikely but just imagine.
>>52033608
>If it can protect him, then you're safe too.
They know who he is and where he is.
>>52034071
not unlikely.
what he did wasnt that big of deal.
we all know the government spies on its people.
theyve been doing it since the late 1800s
>>52034023
Dumb question: could Mozilla potentially fuck TOR over by releasing a Firefox update with TOR-specific vulnerabilities? Or would develpors see that?
>>52034124
Ah ha, you've activated my trap card, Butthurt Loneliness on Xmas Eve. Your monsters now go into defense position. Your move, Rex.
>>52034160
>tfw that's actually true
Just fuck my shit up pham
>>52034151
I would assume developers would do a byte to byte comparison to confirm the only changes are the listed ones each update
>>52034009
I agree.
>>52034081
They didn't know during the leaks. He was communicating with Poitras and Greenwald for months prior to actually meeting them.
>>52034151
They could. It's unlikely though because they review changes prior to bundling it. There's been alot of talks about moving away from Firefox lately.
A few years ago there was a patched vulnerability in Firefox that the FBI used to attack people with out of date Tor Bundle Browsers. ALWAYS UPDATE YOUR TBB. It only takes a second.
>>52034071
It's an interesting theory. The idea that you shouldn't take anything at face value is critically important and it is being taught less and less in schools, for obvious reasons.
There are numerous DEFCON talks on the subject. Watch them if you actually care.
TL;DR version
- Yes, Tor is safe if used correctly
- No, Tor is not totally invincible. There are known flaws, but they require time and effort to exploit. You would need to be specifically targeted by a large agency before you'd need to worry about them.
- Every Tor user who has been caught got caught because they fucked up somewhere. Either by enabling Java, giving away personal info, or just doing other dumb shit that gave them away
Here's a DEFCON talk about avoiding getting caught while doing shady shit.
https://www.youtube.com/watch?v=J1q4Ir2J8P8
>>52034349
This. In order to get hit with an NSA exploit, they have to be very sure you're a big fish. They won't waste their zero days on some nobody browsing for drugs.
That being said, your bigger threat is the FBI and local law enforcement, basically the idiots who can't do more than rely on your stupidity to catch you. Almost all Tor busts have been due to user error.
>>52034545
>Almost all Tor busts have been due to user error.
By the way, to clarify this I meant to say that I don't know of any instance where Tor was the culprit. You could count the outdated Tor browser being exploited, but that was a firefox exploit rather than a Tor one. If anyone knows a story where Tor has been hacked and someone got caught because of this, let me know.
Nothing is bulletproof
>>52034545
>>52034623
I think all of the drug busts I've read about regarding tor had to do with something on the physical side of things rather than the internet side. Most of the cops in those situations didn't know that tor/internet drugs were even a thing, they just thought they caught someone doing business with a bigger fish, or that the person they caught was the big fish themselves. pretty much the busts were by chance, had to do with a honeypotted vendor or by someone ratting them out.
so basically cops won't have any knowledge of using tor/what it even is for that matter. they'll just think its some yahoo sending drugs through the mail.
I did hear a bunch of tor servers got busted and never really replaced
>>52035082
What?
>>52035065
I doubt there's cops that haven't at least heard that you can purchase stuff online. They likely don't understand it but they've at least heard that it's possible
>>52033578
Computer hardware? Or like routers/modems?
>>52035275
Most of it.
https://en.wikipedia.org/wiki/NSA_ANT_catalog
>>52034545
How would that "waste" zero days? Because they're time sensitive?
>>52033493
>>52033540
What if I want to do my banking through tor? This thinking only perpetuates the deception that privacy is only pertinent when doing something unlawful. There is nothing wrong with using Tor and using it does not make you a criminal*.
>*yet
>>52035784
Banking through TOR? The exit nodes can see everything right? Or will https protect that? Idk but sounds sketchy
>>52033199
So, why do most people prefer TOR over I2P or freenet?
>>52035921
i don't know if that's the case.
if it is it's probably just because tor is more well known.
>>52035921
can i2p or freenet access onion sites?
>>52035972
No.
>>52033199
>there are alternatives to 'Tor like i2p and freenet wich (have) no known weaknesses
come on anon you can't be that naive
>>52034296
>A few years ago there was a patched vulnerability in Firefox that the FBI used to attack people with out of date Tor Bundle Browsers. ALWAYS UPDATE YOUR TBB. It only takes a second.
hahaha I remember that
newfags were all yelling that Tor is fucking backdoored
so much rage in tech support channels
>>52035909
>>52035921
>TOR
FFS
https://www.torproject.org/docs/faq.html.en#WhyCalledTor
>>52036213
That's how my phone autocorrects it
>>52036206
Tor backdoors? No. Hardware backdoors? Yes. Correlation attacks? Yes. Zero day exploits? Probably. I always wonder if letter agencies have secret zero days and are gathering information until they can bust as many people as possible. Like data mining for a year and then catching thousands of people
>>52035732
Because when the public learn they exist, they get patched.
How beneficial is using tails over windows or OS X? Or a common Linux distro?
>>52038021
Much better. At least regarding windows it is completely useless to use Tor. that is like putting on a mask inside a bank after talking to the people who work there. if you are doing something illegal they know who you are, what you do and so on. there is no privacy on windows at all. if you can see it then microsoft can see it as well. including the files on your computer.
>>52038122
Is what you do on Tor still private though? Or they just see that you have Tor and using it?
>>52038749
not safe. I'm sure there's a way to view your content there if they can browse your files
>>52038749
On windows they say the can see what you type, what programs you run, and look at files. They may be able to see much more
>>52038021
By over do you mean in a vm? That would be safer, but not by much on Windows and OS X. Linux it would be ok, but booting to tails would always be preferred
>>52039942
Not that anon, but I think the only instance where tor on windows is less safe is if your advesary is a nation-state and you are a high value target.
>>52040019
Windows is also one of the least secure operating systems. It doesn't take more than a script kiddy to hack
I heard that you can be traced somehow but whomever is doing the tracking must have all encompassing info to be able to connect dots.
>>52040059
Without disk encryption, yes, windows is the absolute easiest to break into
I hear Tails is pretty safe, but Tor was definitely compromised by the FBI and NSA a couple years back.
>>52040713
That is partly correct. Tor has been compromised in a select few cases. Its never been completely compromised and the government has never been able to selectively deanonimize users. Its a cat and mouse game. As soon as an exploit is used or or found, it's corrected. The NSA has had very, very marginal success against Tor, as evidenced by the thriving markets on Tor.
>>52033090
Obviously. Nothing is ever 100%
But there are steps you can take that will mitigate the ability to de-anonymize
>>52040817
would using tor under a vpn be pretty much the works? not a stateside one either, i forget the name but it starts with an m or w based in sweden and accepts btc
or is that only wishful thinking? would just tails be good enough?
>>52041423
Tails would be enough. If you use Tor with a VPN, make sure that you use Tor to connect to the VPN and not the other way around. The location of the proxy doesn't really matter because alot of foreign proxies simply rent space on US servers to save costs.
>>52041582
Connect von first l* flush dns then connect tor. You would want to.hide the fact that you are on tor. Of course you must have a trust worthy vpn
Bump for info
>>52042866
What more info do you want?
I want to buy drugs on the dark net spoon feed me what I need to know or link me /g/
>>52043337
Google: Jolly Roger Guide. It's hosted on deepdotweb.com It walks you through everything.
>>52043337
Nice try DEA.
>>52043337
3/10 bait
>>52043263
Nothing specific. I was just bumping to draw in more replies. I want more general info on things I might not have known/not though to ask for
>>52044016
Well here is some knowledge I can give on the subject that hasn't been covered much yet. If you can use public Wi-Fi, it is a pretty good way to increase anonymity. Also I would recommend a less used, and arguably more secure Linux distro: Tin Hat. Libre boot is also a nice addition if you can manage the install.
>>52033090
Go to Starbucks and changs your hostname to "Mikes-iPhone"
>>52033493
The NSA is the one doing the spying. They only care about terrorism and shit. Basically don't try to buy terrorist stuff and they will leave you alone.
>>52043337
go on reddit
find a subreddit for your drugs
wait for a druggie whore
get her PGP
talk to her
suck her toes
Then buy the drugs with bitcoin
When you buy, make sure you say, "You're under arrest for selling illegal substances to a federal officer. We are on our way"
>>52044165
Using public Wi-Fi is just to keep your ISP from seeing your Tor usage, correct? Are there other benefits?
>>52044245
No not really. It keeps your ip from being on exit node logs and keeps you out of suspicion.
>>52044277
>keeps your ip from being on exit node logs
That sounds like a huge problem from the get go, if your actual ip is stored on a actual exit node.
>>52044320
No Tor decrypts IP traffic. Using other networks is unnecessary.
>>52044354
Sorry encrypts*
>>52040675
They also have a bad track record when it comes to closing venerabilities.
There was the exploit that let you turn there computer into an FTP server, that was left open for a while.
Window may also have key loggers, and record encryption passwords, but that would only be a problem if the government wanted in.
>>52041884
You could a pluggable transport for that, one makes Tor look like skype traffic
>>52041884
What VPN would you recommend?
bump, whoole.
>>52045555
checked
was literally about to do the same.
I would like to post on le Reddit and Twitter some questions about the viability of some projects I have been working on [sadly 4 chan is no longer a viable place to do so due to changes in the majority of its userbase] and I don't really want to have their database log my IP address - most all places where I live require some kind of traceable action for their free wifi - what would be the best solution?
>>52045811
Tor should be fine for that, or hack someones wifi.
aircrack-ng and rever are good tools
>>52046036
I have no idea about hacking, never had control of a Gibson, it's nothing sinister, file sharing related, guess I'll give Tor a try then, thanks anon
>>52046036
Whats the success rate of of those?
>>52046254
Aircrack is great with wep, and I it can be used for wpa theoretically.
Reaver is supposed to be better for wpa, but I've never used it
>>52046298
Kali linux?
>>52033607
>Terrorists don't use tor anyway so government agencies don't really bother with it.
nigga, what? I'd like to think that people who are plotting on murdering hundreds would actually be smart about it. Maybe that's just something I tell myself so I don't lose sleep at night, so I don't have to face the fact that there's a possibility that terrorists are actually just tech illiterate and still aren't being disappeared/arrested/whatever before they commit any sort of attack.
Don't ruin my night for me, anon.
also
>cybercrime
>>52046419
IIRC Parisian attackers communicated over plain SMS without any encryption or anything.
Yes, they are THAT stupid.
Sleep tight.
>>52046419
Terrorists use Twitter and Gmail to communicate. Tor is useless to them.
>>52033399
NSA is good at cracking improperly configured hardware and software (which is an awfully high number of setups), but the communication protocols and recommended standards themselves remain fundamentally secure. Don't be a retard who uses mis-configured setups or outdated protocols and the NSA won't be able to break your security (the leaked documents courtesy of Snowden admitted this much). I'm speaking of security in general, not just Tor.
>>52046435
Intelligence agencies are too busy spying on people who use encryption than people using fucking plaintext SMS.
>>52033067
It's FUD created by the government to keep people from anonymizing themselves in the first place. Why break encryption when you can stop encryption from ever being used?
>>52046400
I think Kali has both and more. Or you can download and install them on your OS
>>52046419
The people who shot up paris used facebook.
Governments are all like 'encryption is evil' and terrorists don't even bother using it.
>>52046604
Makes sense, once you think of it. Say you're cyber security operative for a letter agency. What'd you prefer - play cat-and-mouse with fellow nerds using latest cool tools like Tor/I2P/Tails and whatnot, or dig through tons of some dirty goatfucker's plaintext SMSes (most of which aren't even about terrorism, and more about football, that bitch he fucked yesterday, etc)?
>>52046677
I would have expected terrorism related messages to be easy to find automatically with scraping software and that would be easier than attacking encryption. I guess obscurity is better than security.
>>52046644
They're lost in the noise. Hiding in plain sight. There simply isn't enough manpower to monitor 7 billion people, and that's why it's bad to indiscriminately collect data. It adds more hay to the stack you're trying to find the needle in
>>52048956
Good afternoon, Mr. Snowden.
>>52048956
Xkeyscore is really good at finding that needle actually. But it takes time to take action.
>US government donating money to TOR
sounds safe to me
>>52045811
Your IP address is encrypted along with browsing data.
>>52049971
>being so uniformed that you don't know that various governments (including the American government) use Tor so other governments will have difficulty snooping on their communications
>>52050010
What? No. Your IP address is only seem by the first tor node, which connects to a second, which connects to a third, which connects to the Internet. The traffic is encrypted, your IP is only seen by the first node.
>>52050068
Doesn't really matter. Any competent user will be using a secure VPN.
>>52050170
A VPN is next to pointless, unless your country/ISP blocks tor, or you want to hid the fact you're using it. All a VPN may log IPs even if they say they don't, you shouldn't trust them for security.
>>52050321
You can make your own vpn from an old computer.
>>52050321
It adds another layer of obscurity and it does not have to be a commercial VPN.
>>52050396
That's what i intend on doing during the holiday break from work.
I have a gentoo box that's just been doing F@H for like a year that I'm going to use.
>>52033067
>TOR is no longer safe
who said it was safe in the first place?
I just want to buy one acid how do I do it with your?
>>52050933
*tor
>>52050933
>>52050940
- Get buttcoin
- Make an account on nucleus or dream market
- Make a PGP key pair (obviously use a false name and bullshit email. It's just there as contact info.)
- Ensure Tor is set up correctly
- Transfer buttcoin to your account (tumbling coins is optional.)
- Select a dealer with a good rep in your country and buy your acid
- Use their PGP public key to encrypt a message and send them your address/name that way when the site prompts you to send the info. They suggest using your real name but that's up to you.
- Await a generic looking piece of mail, possibly disguised as junk mail
It will be scary and confusing, but it's actually safer than buying in the street.
>>52051530
>- Get buttcoin
>- Transfer buttcoin to your account
You do realize that everyone can see this? Even if you tumble it, people can still just look at where the fucking coins end up after that too. You'd have to get bitcoins without using any identifying information, and pretty much the only way to do that is to mine it yourself or find an ad on craigslist that's selling some for cash.
>>52041582
how the fuck do you post here without a vpn or something? all tor nodes are banned on sites like 4chan. how to post here? im not getting a vpn.. fuck paying for shit im poor
>>52052769
Do you even know what coin tumbling is?
>>52033199
>like i2p and freenet wich no known weaknesses.
https://www.deepdotweb.com/2015/11/27/police-log-ips-making-arrest-by-planting-own-nodes-in-freenet/
>>52052999
>see coins going to a bunch of addresses
>see coins from those addresses going to a different address
Wow like fucking magic.
Do people ever use public wifi networks to smuggle drugs with Tor and such?
>>52053086
>make a service, it will accept coins from everyone and will pay back the same amount to addresses you tell it to, when you tell it to by parts.
>since the service will use the same wallet for all transactions it will help to anonymize them.
>tell the service to send the coins to several separate addresses.
>done/better than nothing
>>52050396
What's the point if it still uses your home IP?
>>52052962
A 4chan pass will get around IP blocks. I post from Tor with the pass. 20 dollars a year is worth it. You can lurk from Tor for free.
You should be using Qubes regardless. There isn't any reason to use anything else. It allows you to create a separate VM for each set of activities: one for banking, one for reading news, one for checking email, etc. This way if one VM gets compromised through downloading a malicious PDF for instance, you are still safe. You can also configure a windows 7 VM or a Whonix VM. I have a "vault" VM that doesn't have access to any network, where I store PGP keys and passwords.
>>52053166
>MMXV
>not smuggling drugs over wifi
On a serious note, alot of vendors use Qubes+Whonix over a public WiFi connection or a neighbor's WiFi. You can find out all about it on leddit's. DarkNetMarkets page.
>>52053065
This is relevant. If freenet has been compromised then its bad news.
>>52033436
>>52034046
https://en.m.wikipedia.org/wiki/Operation_Onymous
this is why they didnt give the talk. they sold it or were convinced to hand it over.
>>52053086
You do realize that that kind of analysis is very difficult, right? A tumbling service is serving thousands of people and splitting coins through many addresses. You'd have to examine hundreds of thousands of transactions to figure out what is going where.
Obviously it is not as easy as you seem to think, or the feds would be nailing people every day with info from the blockchain.
>>52054774
>You'd have to examine hundreds of thousands of transactions
You make it sound like that's hard for a fucking computer to do. They have literally ALL the fucking data they need to do it directly in the blockchain, and the feds/whoever the fuck wants to dig through that has more computing power than 50 little girls.
>>52054831
I suppose you should ring up all the federal agencies and call them a bunch of retards for their failures then. Go on, tell them how they're doing their jobs wrong. Show everyone how easy it is to hunt down drug buyers through the blockchain.
>>52054831
Thats not enough. You clearly dont understand how tumbling works.
The feds need to compromise entire tumbling service/company to be able to figure out where money came from and where it went, whose money it is, etc and even then its not enough.
>>52053065
Any more info on this story? Any idea how they done it?
>>52033493
>>52034151
>>52033607
>>52033638
>>52033996
>>52035065
>>52035082
>>52035784
>>52040019
>>52041423
>>52041884
>>52049971
>>52050068
>>52050321
>>52050446
>>52050940
>>52052962
>tor
>TOR
https://www.torproject.org/docs/faq.html.en#WhyCalledTor
>>52055038
GNU/ToR?
>>52053910
It's been patched and the researchers scolded for actually using the exploit on the live network and for selling the exploit to the FBI.
>>52055034
>Any idea how they done it?
only rumors
this assumes they targeted him specifically - presumably they deployed several nodes that were close to him in terms of Freenet network location (which is just a number between 0 to 1, randomly chosen by the node on startup)
this meant that requests from his node were routed through FBI-controlled nodes and they were able to use traffic correlation attacks to confirm he was downloading CP
>>52055090
You're killing me here.
>>52055132
I thought the same thing, given how both police and the downloader were based in the same area thats the likely reason, also using high speed university network and downloading gigabytes of traffic over long periods of time might have made his node "stand out"
However all files/chunks on freenet are encrypted so how police knew what he was downloading is a mystery. Could they have planted the files themselves, run several nodes close to each other just waiting for someone fall in their trap?
tails is the best way to go for privacy
>>52055396
Yes, the contents of the chunks are encrypted, but when you download a file's master block (that's not what it's called, but you get what I mean) it tells you which chunks comprise that file and what the decryption key is.
You could say they simply served him CP that they had downloaded before.
(this is still just a theory, of course)
>>52055396
>>52055690
Could also just be an "educated guess". If he was doing other stuff like torrenting films, games, music, whatever outside of tor, then why would he be transferring huge amounts of data over tor?
>>52055450
Easiest, not best. It's sufficient for pretty much everyone though yeah. Very simple to use as well
>>52055450
No, that's Qubes-Whonix.
>>52056703
Is there a good tutorial on this?
>>52056703
OpenBSD with jails, properly configured
>>52056888
https://www.whonix.org/wiki/Qubes
>>52056953
Sure, that's basically the same thing. Requires a bit more manual tweaking though.
>>52057028
Learning how to do it yourself helps you understand security better. BSD patches vulnerability quicker.
>>52056703
In this case it's Tin Hat
http://opensource.dyc.edu/tinhat
