Security Basics mailing list archives

Re: anonymous proxy or tor onion routing for privacy


From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Wed, 8 Nov 2006 20:55:37 -0500

urandom character special device  eloquently indited:

> hi list
>
> for privacy reasons I am searching for solution to browse the web
> (also other protocols than HTTP) anonymously. I tried several FOSS and
> free offers like EFF Tor (onion routing), JAP and web interfaces.
>
> Everything I tried has the same disadvantage... it is very slow. By
> googling I saw a lot of pay services for anonymity.

If you're paying someone, how can you be anonymous? You have to give
them your name, credit card number, etc. That means by definition
you're no longer an unidentifiable entity. Your proxy or service
provider at the very least knows who you are, and they can be persuaded
to reveal that information in any number of ways. Depending on what
respective jurisdictions you and their service are in, this persuasion
might be as trivial as a letter from an attorney, or even a bribe equal
to the price of a hot meal. Less than that if you factor in
"disgruntled employee syndrome".

Even if you do manage to fake or forge your personal information using
things like prepaid debit cards or snail mail payments and disposable
email addresses, the nanosecond you connect to one of their servers so
you can actually use the service you're nailed by at the very least
your IP address. Again depending on where you live or connect to this
could be a matter of what boils down to public record.

The bottom line is that no subscription service can ever guarantee your
anonymity. They're one-hop proxies, and one-hop proxies can never be
anonymous proxies. If you raise the ire of any sort of moderately
competent adversary your "anonymity" is worth exactly nothing.

Those facts aside, you may be looking for privacy, not anonymity.
They're two different things that overlap in some ways. Privacy is only
allowing authorized access to your personal information. Anonymity is
disallowing all access to it. If you're just looking to keep your
identity obscured from the net-kooks and spammers, then there's no real
reason to be anonymous in the first place.

If you are looking for a privacy provider rather than a way to be
anonymous, I suggest you consider the above and examine what a given
provider says. In essence you're really paying them for their honesty
and integrity, because that is all that stands between you and the bad
guys. If they *are* the bad guys, you're buggered. 

If they feed you lines like "totally anonymous" and "can't be traced"
they're lying to you up front. Buyer beware applies. If they refuse to
identify themselves they have no accountability. And there are several
"anonymity services" operated by "anonymous owners". Most of them also
colo their servers, which means they have no real control over anything
to begin with.

If a service claims they don't log any traffic then ask yourself how
they deal with abuse. Do they terminate accounts simply because
someone complains even if they have no evidence the complaint is valid?
Or do they ignore abuse and enable activity that garners the sort of
attention that puts all their customers at risk? Operating any sort of
service provider without logs is pure insanity, or a flat out lie.

If a service preaches "off shore" and "Big Brother" dogma, take a look
at where their servers are located. Start researching the laws of those
jurisdictions and you may find that you'd be safer using servers within
your own borders, even from people inside those borders themselves. A
considerable number of MLAT agreements are set up in such a way that
it's actually easier for people or officials in country 'A' to get
records and logs from country 'B' than it is from their own country 'A'
providers.

> Can you recommend
> and review me a product or service for Windows? Optimal would be
> support for Linux and Solaris too.

If you want anonymity your choices are slim. Tor is the "standard" at
the moment, and probably the only valid answer to that question. As you
say, it's slow. But it *is* truly anonymous, at least as anonymous as
any real time traffic stream allows it to be. And it's essentially a
SOCKS proxy so it's useful for protocols other than basic web browsing.

If you want privacy, any reputable service offering SSH or VPN tunneling
should do the trick. You'll be able to do 99% of everything you do now
via that tunnel, and performance won't degrade nearly as badly as it
does over an all volunteer, bandwidth-limited, distributed network like
Tor. But of course if you grab the attention of some anti-kiddieporn,
music-police, insert-your-cause-of-the-day-here task force you may as
well just save your money and surf naked. 

> What are you using to browse the web anonymously? How is the speed?
> Anyone use this in corporate environments?

If your entire reason for being "anonymous" revolves around
outsmarting your employer, then the answer is real simple. Don't do it.
You won't be anonymous at all to begin with because they already
know you. Besides, they're paying you for your time so give them what
they're paying for. It's only fair. :) And if your IT department is
half as bright as an oxygen starved monkey fetus they'll eventually spot
your proxy traffic, and address it. If you're lucky they'll just
filter it. If you're not so lucky it might get you fired.

So... if you're still with me after all the ranting, I do have a couple
specific suggestions. First is that if you really do need to be
anonymous then put up with the performance hit and use Tor. It's
military grade anonymity. Best money can buy, and it's free. 

If you just want to sneak around a company firewall then consider
setting something up on a machine at home and using that as your proxy.
A Linux box running SSH tunneling, listening on port 80, looks enough
like an HTTPS connection you just might get away with it for a while.
And if you do get caught you always have a bit of plausible
deniability. Tell them you were accessing some sort of business related
info on your home machine. Unless your company has a policy against
using personal machines for work, it might fly.

Finally, if you need an all-purpose, pay-for service that's quick and
reliable, and honest to a fault, then consider looking at Cotse.

http://www.cotse.net/home.html

-- 
Hand crafted on 8 November, 2006 at 19:56:53 EST using
only the finest domestic and imported ASCII.

Do not meddle in the affairs of dragons, for you 
are crunchy and good with ketchup.
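
The post's remark that an IT department will eventually spot proxy traffic comes down to a protocol check like the one below, an added example that is not part of the original message: it classifies the first client bytes of each flow on ports 80 and 443 and flags flows whose protocol does not match the port. The flow tuples, addresses, banner strings and function names are constructed for illustration.

```python
# Added example: flag flows on web ports whose first client bytes are not the expected protocol.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")
EXPECTED = {80: "http", 443: "tls"}  # assumed site policy: what each port should carry


def classify_first_bytes(payload: bytes) -> str:
    """Name the protocol suggested by the first client-to-server bytes."""
    # RFC 4253: an SSH client opens with the identification string "SSH-<proto>-<software>".
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03, then at
    # offset 5 the handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def find_mismatches(flows):
    """Return (src, dst, port, observed) for flows that break EXPECTED."""
    hits = []
    for src, dst, port, payload in flows:
        expected = EXPECTED.get(port)
        if expected is None:
            continue  # port not covered by this policy
        observed = classify_first_bytes(payload)
        if observed != expected:
            hits.append((src, dst, port, observed))
    return hits


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    ("10.0.0.21", "198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.21", "203.0.113.9", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4])),
    ("10.0.0.34", "203.0.113.50", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.34", "203.0.113.50", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.40", "203.0.113.77", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_FLOWS):
        print("protocol/port mismatch:", hit)
```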
