Another reason Tor isn’t just for criminals
Tor (The Onion Router) is an incredibly useful large-scale automatic proxy network that is mainly used for anonymous web browsing. Tor has taken a lot of heat from critics alleging that it facilitates criminal activities and that no one who isn’t doing anything illegal has any valid need for it (boy, does that argument sound curiously familiar). Well, here’s a good reason to reconsider. A U.S. District Judge has ruled that merely clicking on a hyperlink set up as part of a sting operation is probable cause for the FBI to bust down your door and confiscate all of your computer-related equipment.
That’s right, merely being unfortunate enough to click on the wrong hyperlink can now merit an FBI raid. Heaven help you if one of your online enemies has knowledge of such a link and tricks you into clicking it, kind of like a Rickrolling except with a SWAT team in place of a fresh-faced, carrot-topped, trenchcoated British crooner. Using Tor could protect you from the FBI intruding into your home when you’re doing absolutely nothing wrong. Still think there are no legitimate uses for it?
March 21st, 2008 at 04:41
Using Tor is a good step towards maintaining increased anonymity and security online, but by itself it is not a guarantee. To use Tor effectively, one needs to change his or her habits, among other things. I know that this is expounded elsewhere online (Google searches reveal lots of info), but since your blog has somewhat-high visibility, I thought I’d leave at least one bit of info for others.
I recall one blog post about using Firefox and Tor, where Firefox with default settings would make a direct request - as in not via Tor - for the web page’s specified favicon. (I can’t find the post right now.) I don’t know if this has been fixed, but a keen enemy - such as the FBI - might be able to exploit this. When I was using Tor (I don’t currently use it), I switched off all favicons, and I see I still haven’t switched them back on.
Other things are of concern, but I don’t have much info I can think of at the moment, such as cookies and headers.
Using Tor for casual browsing when going into the seedier sections of the Internet (*chan image boards, wikis in general where someone could try to trick you into clicking a link, IRC), seems to me to be a reasonable reaction to this gross practise.
March 21st, 2008 at 09:29
Thanks for your good points. There are also some other caveats with Tor. There are ways to extract information from DNS leakages (DNS requests that don’t end up going through Tor). Additionally, there are ways to find information using Flash and JavaScript that can, among other things, leak information on your browsing history as well as your MAC address.
So if it absolutely, positively has to be anonymous, create a fresh virtual machine, back it up, and route 100% of its traffic through a Tor node running on the host computer. Then each time you’re done browsing, delete the virtual machine and recover from the backup. That way no information is carried across sessions, no DNS or favicon requests can be leaked, and no MAC address can be leaked because the virtual machine doesn’t have one that is traceable to any sort of physical hardware.
Needless to say, this is probably a bit too paranoid for the average user to bother with, but when it absolutely positively has to be anonymous, accept no substitutes.
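As an added example (not part of the original comment thread), here is one way to check that the "route 100% of its traffic through Tor" setup described above actually holds: a small auditor over flow summaries captured on the VM's network link. The addresses, the flow-line format and the use of Tor's SOCKS listener on the host as the only permitted destination are assumptions for illustration.

```python
import ipaddress
import re

# Assumptions for this sketch (not from the post): the VM sits on a host-only
# network and is allowed to talk only to Tor's SOCKS listener on the host.
VM_IP = "192.168.56.10"
TOR_HOST = "192.168.56.1"
TOR_SOCKS_PORT = 9050  # Tor's default SocksPort

FLOW_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample capture summary, one flow per line.
SAMPLE_FLOWS = """\
tcp 192.168.56.10:49152 -> 192.168.56.1:9050
udp 192.168.56.10:53211 -> 192.168.56.1:53
tcp 192.168.56.10:49153 -> 203.0.113.7:80
tcp 192.168.56.10:49154 -> 192.168.56.1:9050
udp 192.168.56.10:5353 -> 224.0.0.251:5353
tcp 192.168.56.1:9050 -> 192.168.56.10:49152
garbage line
"""

def classify(proto, dst, dport):
    """Return None for permitted Tor traffic, else a short leak label."""
    if proto == "tcp" and str(dst) == TOR_HOST and dport == TOR_SOCKS_PORT:
        return None
    if dport == 53:
        return "dns-leak"            # resolver query that bypasses Tor
    if dst.is_multicast:
        return "multicast-leak"      # e.g. mDNS announcing the machine
    return "direct-connection"       # e.g. a favicon fetched outside the proxy

def audit(text):
    """Return (line_number, label, line) for every flow that bypasses Tor."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FLOW_RE.match(line.strip())
        try:
            if m is None:
                raise ValueError(line)
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            findings.append((lineno, "unparsed", line))  # never skip silently
            continue
        if m["src"] != VM_IP:
            continue  # replies from the host are not VM egress
        label = classify(m["proto"], dst, int(m["dport"]))
        if label:
            findings.append((lineno, label, line))
    return findings
```

Any finding on a host-only link is an application that tried to bypass the proxy; the isolation is what stops the attempt from reaching the network.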
March 21st, 2008 at 15:18
Don’t forget the importance of securing your wi-fi. Anyone using your wi-fi to go to those links gives probable cause for them to take all your computer-related equipment.
March 21st, 2008 at 18:41
The problem I run into with securing Wi-Fi is this: how much is enough? Especially from a legal standpoint. If I have a WAP that’s “encrypted” with WEP, is that secure enough? I.e., did someone have to break in or did they merely take advantage of something that was pretty much in the open?
Thinking about it, couldn’t securing your wireless network be somewhat damning from a legal standpoint? I mean, if your network’s encrypted with WPA2 or something like SecureW2, it seems like it would be a much harder argument to say “No, it must have been someone that hacked into my network!”
March 23rd, 2008 at 17:20
This is completely bogus and yet another notch on the “America is really starting to suck ass” side. They already think 1 of every 300 American citizens is a terrorist, FFS. Fucking idiots. This government is going to ruin the country if they don’t chill the fuck out.
It’s kind of like that Doug Stanhope routine where he was questioning the apparent widespread and rampant issue of child porn. He said he’s spent tons of time looking at internet porn, randomly clicking links and going wherever that leads. 10 billion pop-ups and sites later and he’s never once seen child porn. Seriously, how rampant can it possibly be? Enough to warrant this bullshit tactic from the FBI? Fuck no.
I would advise against securing your wireless network too, so you at least have something to fall back on. I’d say the odds of your computer getting hacked by some random guy accessing your network are less than the party van showing up in your driveway.