GoFuckYourself.com - Adult Webmaster Forum

Mastercard and Visa Start Banning VPN Providers (https://gfy.com/showthread.php?t=1114405)

PhoneSexKing 07-05-2013 06:36 PM

Quote:

Originally Posted by AdultKing (Post 19704553)
The Australian Federal Police have successfully identified people using Tor to access Silk Road and prosecutions leading to conviction have arisen from such identifications.

Yes, and it was poor tradecraft or bad system security. All the crypto in the world won't save you if you run an OS riddled with 0days.

Quote:

Originally Posted by AdultKing (Post 19704553)
Do you really think that the various police agencies don't have access to dozens of law enforcement run nodes ?

Of course they do. I also run a dozen high speed nodes myself.

As long as the entire list of nodes isn't the police/government/spies then you are ok.

Quote:

Originally Posted by AdultKing (Post 19704553)
Furthermore, you still have the transport layer. You still connect to the Tor network using the transport layer provided by your ISP. So it's an easy thing to determine if you are connecting to known Tor nodes or not. Once such a determination is made then a more substantive effort can be made to track what you are doing through other means.

Also correct. However, there are transport plugins for Tor bridges that can make it look like Skype, regular HTTPS traffic, or even email transmission now.

Also, you can layer it inside of a VPN so all your ISP sees is VPN traffic etc.

If you are targeted by your ISP or government because they see a lot of Tor traffic leaving your home or office they will try to exploit you from remote.

If remote exploitation doesn't work they'll black bag your house and install a hardware bug such as a keylogger, slow drill listening system on the outside of your building, etc.

If you reach this level you are probably already fucked by other means anyway. But for the average joe Tor is probably the best option.

adultmobile 07-05-2013 06:48 PM

Quote:

Originally Posted by PhoneSexKing (Post 19704646)
Of course they do. I also run a dozen high speed nodes myself.

As long as the entire list of nodes isn't the police/government/spies then you are ok.

Well, most exit nodes are run either by governments or by private people who are sniffing passwords and whatever else is useful to hack those users. For those who do not know, the exit node (the last one, which gives you the IP) can see everything in the clear (even if it does not know your real IP), so better to use VPN/SSL over Tor if one is really paranoid. Otherwise you use Tor, then write your real address or other details there, and it is read.

By the way, the best way to go on Tor on Windows is Whonix:

http://sourceforge.net/projects/whonix/

Since the "Tor Browser Bundle" for Windows lets your IP go direct with Flash, and you also can't use Skype, FTP, etc. over Tor, I mean you need a whole machine on Tor or it's a joke.


rowan 07-05-2013 06:50 PM

Quote:

Originally Posted by AdultKing (Post 19704553)
The Australian Federal Police have successfully identified people using Tor to access Silk Road and prosecutions leading to conviction have arisen from such identifications.

Do you really think that the various police agencies don't have access to dozens of law enforcement run nodes ?

Did they identify someone accessing Silk Road via TOR, or detect drugs in a physical parcel that was mailed to the recipient? I doubt it was the former.

BTW, hidden darknet/.onion sites like Silk Road never have a "cleartext" exit - encryption is end to end, from the client all the way to the hidden server - so you would have to break the multiple encryption layers of TOR in order to be able to see the content that someone is accessing.

rowan 07-05-2013 07:00 PM

Quote:

Originally Posted by adultmobile (Post 19704662)
on Tor on Windows is Whonix:

http://sourceforge.net/projects/whonix/

Trouble is, much of the net is still plain old cleartext HTTP. It then becomes a choice between letting your ISP, intermediate nodes, and any govt taps see your data (no TOR)... or letting random hack0rs running TOR exit nodes see your data. The former are probably more interested in what you're viewing or doing, the latter in your passwords...

PhoneSexKing 07-05-2013 07:06 PM

Quote:

Originally Posted by adultmobile (Post 19704662)
Well, most exit nodes are run either by governments or by private people who are sniffing passwords and whatever else is useful to hack those users.

That happens on public WiFi, VPN exit points, and regular ISPs too. Also, did you forget about PRISM already? What do you think that actually does? :1orglaugh

Tor doesn't magically fix the Internet, but it does enhance privacy a ton.

Also, I'm sure some exits are run by bad people but there are exits run by good people as well. I should know. I run some of the high speed exits and I don't monitor shit. Hell, I cripple the kernels so the bpf device doesn't work in the unlikely event that one of my nodes is compromised.

Quote:

Originally Posted by adultmobile (Post 19704662)
so better to use VPN/SSL over Tor if one is really paranoid.

Use SSL with *certificate pinning*. I can't stress this enough. Especially when banking over any ISP/service/vpn/tor/whatever.

Remember that the DHS and Chinese gov have CAs and can sign whatever SSL keys they want. They can easily MITM (Man in the middle) any SSL connection and have been able to do this since 2004. Proof of this was released online back then. There was some commercial product being sold to law enforcement agencies back then.

Quote:

Originally Posted by adultmobile (Post 19704662)
By the way, the best way to go on Tor on Windows is Whonix:

The best way to use Tor is with a physical router. Set up a Linux/*BSD router and force all traffic to flow from the LAN to the WAN via Tor. You can stop leaks this way.

This will properly hammer all traffic over Tor and prevent any leaky applications.

Also, if you value privacy and security don't use Windows or OSX. I know I'll get some flak for mentioning OSX, but it is closed source and I'm sure that a future Snowden leak will reveal that the NSA has code signing keys for it like they do with Windows. :2 cents:
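
Added example, not part of any post in this thread: a minimal Python sketch of the certificate pinning recommended above, where a certificate that chains to a trusted CA is still rejected unless its SHA-256 fingerprint matches a value stored in advance. The function names, the `PinMismatch` exception and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """The server's certificate is CA-valid but is not the one we pinned."""


def fingerprint(der_cert):
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins):
    """True if the certificate's fingerprint equals any pinned value.

    Pins may be written 'AA:BB:..' or 'aabb..'; both are normalised.
    """
    got = fingerprint(der_cert)
    wanted = (p.replace(":", "").strip().lower() for p in pins)
    return any(hmac.compare_digest(got, w) for w in wanted)


def connect_pinned(host, pins, port=443, timeout=10.0):
    """Open a TLS connection that must pass CA validation AND the pin check."""
    ctx = ssl.create_default_context()       # CA chain + hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)  # leaf certificate as DER bytes
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise PinMismatch(f"{host}: certificate does not match any pin")
    return tls


# Constructed stand-ins for DER bytes (not real certificates): the pin check
# only hashes bytes, so any two distinct byte strings show the behaviour.
GENUINE_DER = b"constructed: the site's real certificate"
IMPOSTOR_DER = b"constructed: same hostname, signed by another trusted CA"
PINS = {fingerprint(GENUINE_DER)}
```

Pinning the whole certificate means the pin must be updated when the certificate is renewed, so keep a second pin for the replacement certificate alongside the current one.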

klinton 07-05-2013 07:10 PM

Quote:

Originally Posted by PhoneSexKing (Post 19704629)
That would work out ok.

If you are using Tor inside of the VPN tunnel the benefit would be that you could hide that you were using Tor from your local ISP (or any other local spies.)

If you chained a VPN (assuming OpenVPN/TCP etc) at the end of your Tor connection you would benefit by having the remote website not be able to tell that you were using Tor. Of course, they would see that you were using a VPN if it is a publicly known one.

It all depends on your threat model I suppose.

and you will have internet speed like on 56 kbps modem :1orglaugh:1orglaugh........

PhoneSexKing 07-05-2013 07:13 PM

Quote:

Originally Posted by klinton (Post 19704684)
and you will have internet speed like on 56 kbps modem :1orglaugh:1orglaugh........

Tor's speed has improved a lot over the years. I force all of my traffic here over it.

Sure, it is a tad slower but that's what you pay for privacy. Not a bad trade off in my opinion.

rowan 07-06-2013 01:03 AM

Quote:

Originally Posted by PhoneSexKing (Post 19704680)
The best way to use Tor is with a physical router. Set up a Linux/*BSD router and force all traffic to flow from the LAN to the WAN via Tor. You can stop leaks this way.

This will properly hammer all traffic over Tor and prevent any leaky applications.

This will stop direct connect attempts from escaping your network, but it won't prevent applications revealing your IP as part of their protocol... for example, non passive FTP sends your IP to the server and invites an inbound connect when you want to fetch a file.

adultmobile 07-06-2013 06:22 AM

Quote:

Originally Posted by rowan (Post 19704943)
This will stop direct connect attempts from escaping your network, but it won't prevent applications revealing your IP as part of their protocol... for example, non passive FTP sends your IP to the server and invites an inbound connect when you want to fetch a file.

In fact, Whonix is cool because it runs 2 Linux (Debian) machines in VirtualBox, one the gateway with Tor, and another the workstation, which connects to the gateway, and the workstation VM has no idea what its own IP or even Ethernet MAC address is (remember every Ethernet interface has a unique ID - if they get it and then come to your home, they can verify it was your hardware being used to carry the traffic).

PhoneSexKing 07-06-2013 02:19 PM

Quote:

Originally Posted by rowan (Post 19704943)
This will stop direct connect attempts from escaping your network, but it won't prevent applications revealing your IP as part of their protocol... for example, non passive FTP sends your IP to the server and invites an inbound connect when you want to fetch a file.

Yes, it will leak your IP but can you guess which IP it leaks?

The LAN IP of your computer behind the router which is utterly useless. :winkwink:

PhoneSexKing 07-06-2013 02:24 PM

Quote:

Originally Posted by adultmobile (Post 19705119)
In fact, Whonix is cool because it runs 2 Linux (Debian) machines in VirtualBox, one the gateway with Tor, and another the workstation, which connects to the gateway, and the workstation VM has no idea what its own IP or even Ethernet MAC address is (remember every Ethernet interface has a unique ID - if they get it and then come to your home, they can verify it was your hardware being used to carry the traffic).

This only works until there is an 0day for that vm and an attacker gains ring0 privs. It is hard to do, but I've seen successful vm exploits.

To quote Theo de Raadt: "You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

A separate computer (to do your routing/Torification) with its own memory/MMU/CPU is always more secure. :thumbsup

rowan 07-06-2013 07:33 PM

Quote:

Originally Posted by PhoneSexKing (Post 19705745)
Yes, it will leak your IP but can you guess which IP it leaks?

The LAN IP of your computer behind the router which is utterly useless. :winkwink:

Ah yeah, didn't think of that. I'm still set up the old school way, my workstation and other computers on my network have their own global IPs.

192.168.0.1 FTW.
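
Added example, not part of any post in this thread: a small Python check for the active-mode FTP leak discussed above. It parses the address a client announces in a `PORT` (or, going slightly beyond the thread, `EPRT`) command and reports whether it is an RFC 1918 LAN address or a routable one. The function names and sample commands are constructed for illustration; `203.0.113.5` is a documentation address standing in for a workstation with its own global IP.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$",
                     re.IGNORECASE)


def advertised_endpoint(command):
    """Return (ip_address, port) a client announces in PORT/EPRT, else None."""
    command = command.strip()
    m = PORT_RE.match(command)
    try:
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            if p1 > 255 or p2 > 255:
                return None
            # PORT encodes the TCP port as two bytes: high, low.
            return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2
        if command.upper().startswith("EPRT ") and len(command) > 6:
            delim = command[5]               # RFC 2428: first char is the delimiter
            _, _proto, addr, port, _ = command[5:].split(delim)
            return ipaddress.ip_address(addr), int(port)
    except ValueError:                       # bad octet, bad port, wrong field count
        return None
    return None


def classify(command):
    """Say what kind of address, if any, the command reveals to the server."""
    endpoint = advertised_endpoint(command)
    if endpoint is None:
        return "no address in command"
    ip, _port = endpoint
    if any(ip in net for net in RFC1918):
        return "private LAN address"
    return "routable address"


# Constructed sample commands as a client would send them on the control channel.
BEHIND_NAT = "PORT 192,168,0,10,195,80"      # workstation behind the Tor router
GLOBAL_IP = "PORT 203,0,113,5,195,80"        # workstation with its own global IP
```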

d-null 07-06-2013 09:42 PM

a little off topic but interesting:

http://www.theverge.com/2013/6/26/44...ntis-silk-road

adultmobile 07-07-2013 12:49 AM

Quote:

Originally Posted by PhoneSexKing (Post 19705750)
This only works until there is an 0day for that vm and an attacker gains ring0 privs. It is hard to do, but I've seen successful vm exploits.

Have you ever browsed the Linux (or BSDs') source code? It is full of /* FIXME: */ and /* TODO */ comments, quite scary. Lots of .c files are dated 1993 and untouched since. There's surely room for bugs and exploits, that's daily. I was just saying, the "average guy" can easily use the Whonix system for a decent result. And the Tor Browser Bundle is even more for the masses. Also, to return to the VPN payment topic, it makes VPNs less worth buying.

PhoneSexKing 07-07-2013 11:28 AM

Quote:

Originally Posted by adultmobile (Post 19706139)
Have you ever browsed the Linux (or BSDs') source code? It is full of /* FIXME: */ and /* TODO */ comments, quite scary. Lots of .c files are dated 1993 and untouched since. There's surely room for bugs and exploits, that's daily. I was just saying, the "average guy" can easily use the Whonix system for a decent result. And the Tor Browser Bundle is even more for the masses. Also, to return to the VPN payment topic, it makes VPNs less worth buying.

Just because code is old doesn't mean it has more security holes.

I trust open source software far more than some closed source blob like Windows or OSX.

(Yes, I know that *some parts* of OSX are open. It's the closed parts that scare me.)

I remember reading parts of the Linux kernel in 1998 and seeing a lot of todo/fixme/"should this even be here" type comments. That's why I went over to the BSDs. The source was far more mature.

Look at the security track record of OpenBSD for example. It blows most other OSes out of the water. Sure, it has very limited features but it's awesome for a router/torified router.

The Tor bundle and the one you mention lower the technical skills required to browse anonymously, but at the expense of a little bit of security.

The biggest problem with VPN is that people buy them for the wrong reasons. They don't fully understand how they work and are sold on an illusion of privacy. That was more or less what I was getting at originally. :2 cents:


All times are GMT -7. The time now is 09:06 AM.
