Tor has pushed out a new version of its privacy-enhancing Tor Browser Bundle. We are up to 5.5 now and, according to the Tor Project, it is a full stable release. The update fixes a laundry list of bugs and also covers some usability issues that have been plaguing the software for some time. One interesting note is that they are finally working on blocking ways of fingerprinting users through different mechanisms (resolution, keyboard type, etc.).
Privacy is something that many people think they want and have on the internet. Of course, most of us actually know that privacy is not something that really exists in the broader internet. Unless you control all points in the traffic stream, someone can read your communication. Even proxy services like Tor are no guarantee of privacy or anonymity. Proxy services are vulnerable to a multitude of packet and flow monitoring methods that allow for some fairly easy unmasking techniques.
There is nothing worse than thinking you are protecting your internet travels when in reality you are participating in a giant botnet. That appears to be the case with VPN provider Hola. According to security researchers, the use of the service still leaves you at risk of being tracked regardless of what you do and leaves you at even greater risk than just tracking.
Gasp! There has been another published attack on the Tor Project. This time the attack and compromise technique comes from the gang at Princeton. The Princeton team claims that their new methods are around 95% successful and only require traffic in one direction. The information that they have presented is interesting and certainly could be used to grab information from users of the anonymous service, but it is not really new and not surprising to hear about.
Privacy on the internet is a hard thing to achieve. For starters, there are tons of companies that are very interested in what you do and where you go online so they can get you to buy things. On top of that, there are the spying eyes of the government watching to make sure you are not a bad guy and storing all of this data in massive warehouses. This mass data collection seems to exist in every single device we own, from laptops to phones to smart TVs. It is enough to make someone paranoid, or at least to look for some form of privacy when connected to the internet.
Edward Snowden is the gift that keeps on giving. After walking out on the NSA with a ton of secret documents detailing the extent to which the agency and its partners were digging into ordinary people’s lives, he started to release them. Even after the first and very damaging release of documents, Snowden promised that there was more and worse to come. We have seen some pretty bad things coming from the classified document stash, including a report that was recently published by Der Spiegel.
Just when you thought it was safe to get back on the internet privately. Although we have maintained that Tor has never been the end-all of anonymity, we are surprised to finally see public confirmation of techniques that have been around for years. In a report that discusses the use of flow records for detecting users on proxy networks, we find that the tools to track you through Tor and many other networks have been right there all along.
When you hear people talking about anonymity on the internet, most people will think privacy. When companies hear anonymity on the internet, they think piracy, crime, hacking and lost revenue. This is probably the biggest disconnect in the internet age: companies want to monetize your personal information. This is big money and (as we have said more than once) is a commodity that they have been trying to legalize for more than a decade.
The words anonymity, privacy and security go hand in hand… in hand. Although the term anonymity is often seen as a bad thing by law enforcement and policy makers, the truth is that it is a critical part of the security chain and is something that needs to be addressed in the way communications happen over the internet. Simply put, how can an attacker get to you if they do not know where you are coming from? Anonymity is a form of security that is in common use by the “red” team, so why not put this to use in protecting the green?
On Friday we wrote about a talk that was canceled at Black Hat 2014. This talk was to discuss a flaw in the Tor anonymizing network that would allow almost anyone to identify users on the network. This morning we find out that the Russian government is actually offering a reward (around $111,000) to anyone that can come up with a reliable method to do this very thing.