
Did Police Break Tor?

espe0n

I was looking at some articles, and I ended up watching a video of Mental Outlaw talking about Tor nodes, and I'm wondering how secure you think Tor can be and if you think Tor can become insecure (or more insecure) over time?

 
Every Tor circuit has 3 nodes.

We have no idea how many of them are malicious (read: controlled by some spec service). We just know that around 70% of all Tor nodes are hosted in 3 different countries (Germany, USA and Netherlands).

And we can assume that a not insignificant part is malicious.

Yes, every circuit has 3 nodes, and they're encrypted between themselves.
But if you have 2 malicious in the same circuit, your entire node is compromised.

And what is the chance of encountering 2 malicious nodes? Let's assume it is 5% (although I am pretty sure it is more). In that case, one of every 20 times you connect to Tor your entire circuit is visible.

All the conversation about using Tor with or without a VPN I don't think is even worth having, because it boils down to a simple question, and that is "who do you trust more, your ISP or your VPN?"

Answer is obvious.

To cut a long story short:
Tor can be a useful tool for anonymity, but in itself cannot be trusted.

Like some shady socks5 service, or some (or any) antidetect browser... You cannot rely on it to protect your anonymity. No way.

Yes, if used properly, with decent opsec measures, it can help you improve your anonymity.
 
TOR has a good design and an excellent community behind it, but it is not a magic button that will solve all your OpSec issues. In your place I would be more concerned not about the TOR network but about the other different ways for you to leave a fingerprint, starting from your own OS. I do not know why nobody talks more about Qubes OS, but together with Whonix it can really help you build something that will be very hard to investigate. Do not forget that at the moment I write these words, people have already started to use not only netflow but complex AI systems that were built to investigate netflow - to fuck him, her, me and you.

Take a look at:

Also, do not forget that your forum account here is your fingerprint. Your nickname is your fingerprint. All your jabbers, tox-ids are your fingerprints. The way you communicate is your fingerprint. Your personality is your fingerprint. Take every big cybercriminal case during the last decade and it was not about compromising a Tor node but about the most retarded OpSec fails and about people talking crazy shit here and there and on each other. Discipline, moderation and strong principles (at least of what NOT to do) will help your OpSec more than conspiracy videos about whom all Tor nodes belong to.
 
What is the chance of encountering 2 malicious nodes? Let's assume it is 5% (although I am pretty sure it is more).
Much more than that. I personally owned more than 5% of all Tor nodes having a very limited budget and possibilities, compared to those of the FBI or other 3-letter agencies.
So I am pretty sure that at least 50% of nodes are malicious and think that the real number could be more than 75%.
 
Also, do not forget that your forum account here is your fingerprint. Your nickname is your fingerprint. All your jabbers, tox-ids are your fingerprints. The way you communicate is your fingerprint. Your personality is your fingerprint. Take every big cybercriminal case during the last decade and it was not about compromising a Tor node but about the most retarded OpSec fails and about people talking crazy shit here and there and on each other. Discipline, moderation and strong principles (at least of what NOT to do) will help your OpSec more than conspiracy videos about whom all Tor nodes belong to.
You reminded me of that USDoD case; he was doxxed because of OSINT. After that case I was thinking, how can someone let these serious opsec flaws pass?
He literally used the same phrase in his personal Instagram bio on Twitter; that was too crazy for me (dumb to me).

About Qubes OS, it really is great, it was even recommended and praised by Edward Snowden, and yet I don't see many people not using it.
 
Much more than that. I personally owned more than 5% of all Tor nodes having a very limited budget and possibilities compared to those of the FBI or other 3-letter agencies.
So I am pretty sure that at least 50% of nodes are malicious and think that the real number could be more than 75%.
Wow, tell me what it was like to have at least that 5%?
Did you see a lot of traffic passing through?

Have you picked up anything interesting?
It must be nice to have at least 5% of Tor nodes.

And yes, looking at how much money many agencies have, they probably have much, much more than 5%.
 
what it was like to have at least that 5%?
nothing special :D the most difficult part was to convince all the hosting providers in the different countries that tens to hundreds of Tor nodes I'll run on their VDS's will not be malicious and there will be zero abuse reports.
Did you see a lot of traffic passing through?
I had up to 10% of all network bandwidth. it seems that many Tor nodes are (were) hosted on slow connections and my 5-10 Mbps per node was much above average.
 
You reminded me of that USDoD case; he was doxxed because of OSINT. After that case I was thinking, how can someone let these serious opsec flaws pass?
He literally used the same phrase in his personal Instagram bio on Twitter; that was too crazy for me (dumb to me).

About Qubes OS, it really is great, it was even recommended and praised by Edward Snowden, and yet I don't see many people not using it.
The reason why Qubes OS is not popular is because it's difficult to set up and use. Most of the time things don't work and it takes longer to fix them than to do the actual work. It's the most secure because it physically doesn't allow you to work (do crime).
 
Also, do not forget that your forum account here is your fingerprint. Your nickname is your fingerprint. All your jabbers, tox-ids are your fingerprints. The way you communicate is your fingerprint. Your personality is your fingerprint. Take every big cybercriminal case during the last decade and it was not about compromising a Tor node but about the most retarded OpSec fails and about people talking crazy shit here and there and on each other. Discipline, moderation and strong principles (at least of what NOT to do) will help your OpSec more than conspiracy videos about whom all Tor nodes belong to.
 
You also should always remember that Tor was designed by the U.S. Dept. of the Navy.
A better way to analyze this would be to split it into 3 parts:
1. Onion routing: the protocol is quite simple.
2. Tor software: Sure, the agencies might have a backdoor or two. Why not? But, everything's right here: https://gitlab.torproject.org/tpo/
3. Tor network: Of course. The 'majority' (IMO) of the relays are already owned.
 
You reminded me of that USDoD case; he was doxxed because of OSINT. After that case I was thinking, how can someone let these serious opsec flaws pass?
He literally used the same phrase in his personal Instagram bio on Twitter; that was too crazy for me (dumb to me).

About Qubes OS, it really is great, it was even recommended and praised by Edward Snowden, and yet I don't see many people not using it.
Qubes is probably the most secure OS, but it comes with a fairly steep learning curve that intimidates people. As bratva said, it rarely is your OS or TOR that gets you caught.

No matter the technology, there is no treatment for "stupid"!
 
There are so many incorrect, noobish, half knowledge, zero knowledge, irrational, embarrassingly (second hand) idiotic statements in this thread, specifically around crap like Qubes, Tails. If you are a journalist or a person of interest with no technical skills, you would have no choice than to go with such dog crap.
I will say one thing though: Noobs, stop jerking off to Tails, Qubes, Snowden, Mental Outlaw, YouTube channels and rather study something technical, pick a textbook, open the code editor. Come back to this thread a year later and laugh at the stupid ass crap you've written. You would know what I'm talking about then.

Qubes is probably the most secure OS
 
There are so many incorrect, noobish, half knowledge, zero knowledge, irrational, embarrassingly (second hand) idiotic statements in this thread, specifically around crap like Qubes, Tails. If you are a journalist or a person of interest with no technical skills, you would have no choice than to go with such dog crap.
I will say one thing though: Noobs, stop jerking off to Tails, Qubes, Snowden, Mental Outlaw, YouTube channels and rather study something technical, pick a textbook, open the code editor. Come back to this thread a year later and laugh at the stupid ass crap you've written. You would know what I'm talking about then.


Do you agree that Qubes and OpenBSD are two different things? At its core, Qubes is a VM management infrastructure based on the Xen hypervisor. You can make an OpenBSD Qube.

In the end, if your OpenBSD is compromised, they have everything. If your OpenBSD Qube is compromised, they own that Qube. As far as I understand, that is the idea behind their compartmentalization.
 
Do you agree that Qubes and OpenBSD are two different things? At its core, Qubes is a VM management infrastructure based on the Xen hypervisor. You can make an OpenBSD Qube.

In the end, if your OpenBSD is compromised, they have everything. If your OpenBSD Qube is compromised, they own that Qube. As far as I understand, that is the idea behind their compartmentalization.
Young padawan, you have much to learn.)
 
The reason why Qubes OS is not popular is because it's difficult to set up and use. Most of the time things don't work and it takes longer to fix them than to do the actual work. It's the most secure because it physically doesn't allow you to work (do crime).
It is not hard to use. It is more complicated than the average Linux distro, but if you already have experience using Debian and/or Fedora (depending on which template you want to use), and you have some knowledge of virtual machines, it is smoother.

And it takes less time and less effort to do certain things on Qubes, if you want to do a certain thing with the same level of security, than it would to do it at the same level on another Linux distro.
 
I was looking at some articles, and I ended up watching a video of Mental Outlaw talking about Tor nodes, and I'm wondering how secure you think Tor can be and if you think Tor can become insecure (or more insecure) over time?

Tor was/is funded by the US government and isn't secure

While the US government is one of the entities that helps fund the Tor Project, they don't do that to make Tor insecure. The US government has used Tor themselves in the past; it is not only helpful to civilians, but it is a valuable tool for government agents when they need anonymity. For instance, when they are in a hostile country and need to contact home. Tor relays are also not run by the Tor Project; they are run by completely separate entities such as individuals who voluntarily set up relays on their home internet and non-profit organizations.

Tor isn't encrypted

This myth is usually spread by VPN companies trying to convince you to use a VPN with Tor. Tor is encrypted; in fact, it uses 3 layers of encryption. When you connect to an onion site, the encryption is even more effective because the traffic stays encrypted using Tor all the way to its destination. However, most sites use HTTPS anyway, so this isn't even an issue. The point is, Tor is encrypted using strong and reliable algorithms that are properly implemented.

source http://jqibjqqagao3peozxfs53tr6aecoyvctumfsc2xqniu4xgcrksal2iqd.onion/myths.html
 
Your opsec shouldn't rely on one thing; using Tor can be pretty helpful as an extension of your opsec.
Make sure to tunnel your traffic through different protocols and different VPNs; also, don't use your host as a working space.
A VPN router and virtual machines in combination with the remote desktop protocol should also be the bare minimum to use.
Make sure to use a secure OS at least as the host and disable telemetry while using Windows (massgrave.dev ltsc .iso) as a VM; privacy.sexy and other privacy scripts can help you with that.
Also, opsec isn't just your setup, it's the way you think, the way you move and the way you talk. You leave prints everywhere on the internet; a mistake from years ago can cost you everything years later!
 





The mission of The U.S. Department of State is to protect and promote U.S. security
 

