Full Version: Spying On The Tor Network
Scribb|e
The long-standing suspicion that the anonymizing network TOR is abused to catch sensitive data by Chinese, Russian and American government agencies as well as hacking groups gets new support. Members of the Teamfurry community found TOR exit-nodes which only forward unencrypted versions of certain protocols.

These peculiar configurations invite speculation as to why they are set up in this way. Another TOR exit node has been caught doing MITM (Man-in-the-Middle) attacks using fake SSL certificates.

roger
Trouble is anyone can set up an exit node.

My bet is they can trace a tor user, if it is worth the effort.
A host running tor shows up like a Xmas tree on a monitored network.

Rock & hard place eh?

www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf
felix_dzerjinski
Depends what you use TOR for. I wouldn't recommend doing your online banking with it but if you are using it to surf UK420 from work without logging all those canna urls in the Websense device then it works just fine.

As I don't log out from UK420 ever, the admin cookie reauthenticates me each time and Uncle Sam/Ivan/Mao can't see my user login or password or anything else useful, but then neither can my employer see that I'm slacking and browsing UK420 when I should be working. They can sniff my traffic all day long but won't ever find anything useful. Still, it's a good waste of taxpayers' money I guess, and it is a bit easier to set up than two machines and an ssh tunnel between them, which would then splash my home IP all over the place.
roger
If you were handy you could set up your own proxy, via say lonestar.org, to evade work.
parka_-boy
I never thought of that but I'm an ubernoob at such things.
Scribb|e
Yeah - the difficulty here is definitely that lots of people who have heard about TOR mistakenly assume that it's a privacy tool, whereas it's most definitely not - it's a tool to aid with maintaining anonymity, which are two completely different things.

It's not too hard to set up an encrypted VNC with SSH to your home machine - you could even put a proxy in the chain if you wanted to, so as to mask your home IP address.

It's kind of a buzz to set these things up and get them working, anyway, I find.
Dr Benways Assistant
Hasn't Tor always had a backdoor for the authorities so they can catch paedos and whatnot? Think they went to court in Germany to get the door closed but it's always been there waiting to be opened.

Or am I thinking of JAP? Or is JAP the safer one? I'm confused.
Scribb|e
QUOTE(Dr Benways Assistant @ Nov 22 2007, 10:56 AM)
Hasn't Tor always had a backdoor for the authorities so they can catch paedos and whatnot? Think they went to court in Germany to get the door closed but it's always been there waiting to be opened. Or am I thinking of JAP? Or is JAP the safer one? I'm confused.

TOR is open-source, so I don't think that there are any overt back-doors in it as such, but it is important to remember that it is purely a tool to help with anonymisation, and is not to be relied upon for security. I.e. you'd be stupid to do your online banking, password/logins on sites through TOR, as anyone running an exit node could sniff the details out when they're unencrypted at the final stage. (OK, if the sites were SSL, then that would give you a layer of protection, but still...)

As for whether TOR or JAP offer better anonymity - that seems open to debate - they're both open source, which is good, and they both achieve anonymous connections through different methods.

The German case I think you may be referring to is this case from last year:

QUOTE
Prosecutors in Germany have seized 10 servers which hosted the anonymising service TOR.

The action has raised fears of a wider clampdown against the service, which provides a way for people to browse the internet anonymously. The seized machines are assumed to be TOR exit nodes.

But according to at least one blogger, the police seized the machines as part of a child porn investigation.

It seems the IP numbers of the machines were found during an investigation into a chatroom where images were being traded.



QUOTE(niceone @ Nov 22 2007, 10:57 AM)
How do noobs on computers do such things Scribble? And is it necessary?

Google, as always, is your friend. (As is Linux, but it can also be done on Win machines, it's just a bit more hassle, and not half as configurable/powerful - you'd use Win tools like PuTTY and Cygwin.)

It's probably not necessary, certainly for most people in average circumstances, but it is satisfying and fun (if you're into that kind of thing), and it is certainly wise if you're browsing from work, libraries, internet cafes and public wireless hotspots.

octafish
QUOTE(roger @ Nov 21 2007, 07:28 PM)
If you were handy you could set up your own proxy, via say lonestar.org, to evade work.

Cheers, will have to give it a go; avoiding work is my all-consuming passion.
roger
sdf.lonestar.org?

Are you sure?

hidemyass.com is OK too if it ain't already blocked.

Watch out: if they have an HTTP proxy running on your network they can track everything you do via your username.
Even SSL won't help if the net admin is savvy.