Security Basics mailing list archives
Re: anonymous proxy or tor onion routing for privacy
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Wed, 8 Nov 2006 20:55:37 -0500
urandom character special device eloquently indited:
hi list for privacy reasons I am searching for solution to browse the web (also other protocols than HTTP) anonymously. I tried several FOSS and free offers like EFF Tor (onion routing), JAP and web interfaces. Everything I tried have the same disadvantage... it is very slow. By googling I saw a lot of pay services for anonymity.
If you're paying someone, how can you be anonymous? You have to give them your name, credit card number, etc. That means by definition you're no longer an unidentifiable entity. Your proxy or service provider at the very least knows who you are, and they can be persuaded to reveal that information in any number of ways. Depending on what respective jurisdictions you and their service are in, this persuasion might be as trivial as a letter from an attorney, or even a bribe equal to the price of a hot meal. Less than that if you factor in "disgruntled employee syndrome". Even if you do manage to fake or forge your personal information using things like prepaid debit cards or snail mail payments and disposable email addresses, the nanosecond you connect to one of their servers so you can actually use the service you're nailed by at the very least your IP address. Again depending on where you live or connect to this could be a matter of what boils down to public record. The bottom line is that no subscription service can ever guarantee your anonymity. They're one-hop proxies, and one-hop proxies can never be anonymous proxies. If you raise the ire of any sort of moderately competent adversary your "anonymity" is worth exactly nothing. Those facts aside, you may be looking for privacy, not anonymity. They're two different things that overlap in some ways. Privacy is only allowing authorized access to your personal information. Anonymity is disallowing all access to it. If you're just looking to keep your identity obscured from the net-kooks and spammers, then there's no real reason to be anonymous in the first place. If you are looking for a privacy provider rather than a way to be anonymous, I suggest you consider the above and examine what a given provider says. In essence you're really paying them for their honesty and integrity, because that is all that stands between you and the bad guys. If they *are* the bad guys, you're buggered. If they feed you lines like "totally anonymous" and "can't be traced" they're lying to you up front. Buyer beware applies. If they refuse to identify themselves they have no accountability. And there are several "anonymity services" operated by "anonymous owners". Most of them also colo their servers, which means they have no real control over anything to begin with. If a service claims they don't log any traffic then ask yourself how they deal with abuse. Do they terminate accounts simply because someone complains even if they have no evidence the complain is valid? Or do they ignore abuse and enable activity that garners the sort of attention that puts all their customers at risk? Operating any sort of service provider without logs is pure insanity, or a flat out lie. If a service preaches "off shore" and "Big Brother" dogma, take a look at where their servers are located. Start researching the laws of those jurisdictions and you may find that you'd be safer using servers within your own borders, even from people inside those borders themsleves. A considerable number of MLAT agreements are set up in such a way that it's actually easier for people or officials in country 'A' to get records and logs from country 'B' than it is from their own country 'A' providers.
Can you recommend and review me a product or service for Windows? Optimal would be support for Linux and Solaris too.
If you want anonymity your choices are slim. Tor is the "standard" at the moment, and probably the only valid answer to that question. As you say, it's slow. But it *is* truly anonymous, at least as anonymous as any real time traffic stream allows it to be. And it's essentially a SOCKS proxy so it's useful for protocols other than basic web browsing. If you want privacy, any reputable service offering SSH or VPN tunneling should do the trick. You'll be able to do 99% of everything you do now via that tunnel, and performance won't degrade nearly as badly as it does over an all volunteer, bandwidth-limited, distributed network like Tor. But of course if you grab the attention of some anti-kiddieporn, music-police, insert-your-cause-of-the-day-here task force you may as well just save your money and surf naked.
What are you using to browse the web anonymous? How is the speed? Anyone use this in corporate environments?
If your entire reason for being "anonymous" revolves around out smarting your employer, then the answer is real simple. Don't do it. You won't be anonymous at all to begin with because they already know you. Besides, they're paying you for your time so give them what they're paying for. It's only fair. :) And if your IT department is half as bright as an oxygen starved monkey fetus they'll eventually spot your proxy traffic, and address it. If you're lucky they'll just filter it. If you're not so lucky it might get you fired. So... if you're still with me after all the ranting, I do have a couple specific suggestions. First is that if you really do need to be anonymous then put up with the performance hit and use Tor. It's military grade anonymity. Best money can buy, and it's free. If you just want to sneak around a company firewall then consider setting something up on a machine at home and using that as your proxy. A Linux box running SSH tunneling, listening on port 80, looks enough like a HTTPS connection you just might get away with it for a while. And if you do get caught you always have a bit of plausible deniability. Tell them you were accessing some sort of business related info on your home machine. Unless your company has a policy against using personal machines for work, it might fly. Fianlly, if you need an all-purpose, pay-for service that's quick and reliable, and honest to a fault, then consider looking at Cotse. http://www.cotse.net/home.html -- Hand crafted on 8 November, 2006 at 19:56:53 EST using only the finest domestic and imported ASCII. Do not meddle in the affairs of dragons, for you are crunchy and good with ketchup.
Attachment:
signature.asc
Description:
Current thread:
- anonymous proxy or tor onion routing for privacy urandom character special device (Nov 08)
- Re: anonymous proxy or tor onion routing for privacy monica (Nov 09)
- Re: anonymous proxy or tor onion routing for privacy Steve (Nov 10)
- Re: anonymous proxy or tor onion routing for privacy Tsu (Nov 09)
- Re: anonymous proxy or tor onion routing for privacy Jeffrey F. Bloss (Nov 10)
- Re: anonymous proxy or tor onion routing for privacy Jeffrey F. Bloss (Nov 09)
- Re: anonymous proxy or tor onion routing for privacy R.E.Willet (Nov 09)
- Re: anonymous proxy or tor onion routing for privacy monica (Nov 09)