Anonymizers, do they really work?

 
Faith Freedom International Forum Index -> Website Features and Supports
norwegian
Joined: 30 Oct 2006
Posts: 291
Location: Bergen

Posted: Sat Dec 09, 2006 7:00 am    Post subject: Anonymizers, do they really work?

I have a few questions for the IT experts in FFI on anonymizers.

I am currently testing JAP and Torpark to access 'sensitive' sites like FFI. I'm seeking opinions on which one is better at protecting user identity. Performance wise, JAP is at least 10 times faster than Torpark for me. Torpark is frustratingly slow and for me, requires a restart every half hour or so because the connection quality decays rapidly. You can be whizzing along at broadband speed in the first 5 minutes and be crawling at 1.2kbps or even 400bps after that. But for some emotional reason I feel safer with Torpark.

For those not familiar, JAP is a freeware you can download. It constructs a pathway between your browser and the www through a middleman which is a set of anonymous servers in Europe. Torpark works similarly I think, except that you have to download a special browser (free) which sets up the connection for you. JAP works with any browser.

I've heard of Psiphon and am under the impression that it allows access to state-censored websites. Here I have to ask whether censorship circumvention is NOT the same as anonymous surfing as many people seem to think they are.

I'd like some comments on this scenario. If I work for an oppressive government who wants to catch people who post on FFI, can I do this? I start off with a set of "suspect" ISP accounts which I believe have been posting comments on FFI. I set up a sniffer program to identify all packets that contain the word "FFI" flowing back and forth these accounts. Even if the user uses anonymizers, there are two things present in the data packets. (1) the unencrypted data as free anonymizers do not use encryption, (2) a final destination address (FFI) to be acted upon by the middleman.

If my sniffer program goes on alert when it senses (2), I can instruct it to immediately make copies of all the data packets that flow from the suspect user's computer containing the string "FFI". I can reassemble the packets and prove without doubt who sent the post, EVEN with anonymizers switched on.

My question is, is this a real possibility and do ISPs do this sort of filtering, considering they have hundreds of millions of data packets and a million subscribers to handle every day. My other question is do anonymizers really work if the above is possible? If not, is it false advertising then?

I fully understand the merits of SSH tunneling service although I do not think it is anonymous. You can always be traced to a verifiable ID that you used to pay for the subscription. The tracing can be done with or without the knowledge of your service provider, for example by matching your credit card or paypal records. They can even hack into your service provider's database to get your info. The only redeeming thought is that while you can be proven to be the account owner, message encryption saves your message from being exposed. In the end that may be the only form of security you get. Even then, they can get around by using keyloggers on you... sigh.

Anonymizers are just part of the answer because they can still identify you through many things: bad OS configuration, spyware, bad passwords, payment records, serial numbers, login data, hacking, usage patterns, etc etc. Can anyone suggest a good end to end solution?

doubting_thomas
Joined: 13 Jun 2005
Posts: 7379
Location: Western Hemisphere

Posted: Sat Dec 09, 2006 4:35 pm

Hi norwegian.

You've pretty much covered all of the important points. Free proxies may help you circumvent simple censorship by domain or IP. But, as long as there is someone "in the middle" (the ISP, in this case) then they will be able to monitor and record your traffic.

Sniffing packets is not a very reliable way of monitoring network traffic. If the monitoring server is not on the same subnet as either the sender or receiver, then there's no guarantee that the server will "see" all of the traffic. Governments would resort to packet sniffing only if they don't have the authority to monitor the ISPs directly. In most oppressive government countries, the ISPs would be forced to cooperate with the government so that all traffic into and out of their servers could be monitored.

Identifying a user who is visiting FFI wouldn't require analysis of the user's outbound traffic to the proxy. Every page on FFI has some static content which would uniquely identify the page as having come from the FFI server. For example, the banner at the top of every forum page has a link to the FFI main page. The ISP's server only needs to monitor inbound traffic to the user and match patterns which are known to be unique to web pages coming from the FFI server.

The only way to prevent this sort of monitoring is to use a proxy which supports encryption. If all inbound and outbound traffic between the user and ISP were encrypted, then the ISP couldn't look for these patterns. Of course, they would know that you are using a proxy server, and in an oppressive country this could certainly raise suspicions about the user. Any infiltration of the user's computer should be carefully guarded against. Keyloggers can be used to monitor some of the outgoing traffic, but an even greater risk is the theft of the user's private key, which would allow the ISP to unencrypt the traffic between the user and the proxy.

Most public proxies were not designed to protect you from being monitored by your ISP (who may be monitoring you on behalf of the government). They were designed to hide your IP from the sites you visit. A private proxy that uses encryption can do both, but they can't hide the fact that you are using a proxy from your ISP.

By the way, I strongly recommend against using private "peer to peer" proxies like Psiphon. These allow private users in uncensored countries to set up "personal proxies" for private users in censored countries. While it would be more difficult for the ISP to identify that a proxy is being used (the "psiphonode" would probably not be on a known proxy list), the ISP would still know that the traffic was being encrypted, and therefore suspect. The worst part is that the person operating the "psiphonode" server would be able to monitor your unencrypted traffic, including your usernames and passwords. Would you really want to trust an individual with this kind of authority?

The bottom line - if you live in a country where the government could take action against you for visiting sites like FFI, then extreme caution is called for. Unencrypted public proxies do not provide enough protection to hide your traffic from the ISP, and thereby the government. Use a proxy which supports encryption (such as SSH tunneling). Don't use publicly accessible computers (libraries, universities, internet cafes, etc) where your traffic could be recorded locally. Avoid using your own personal ISP account. Instead, bring your own laptop to a wireless hotspot. Limit the amount of time you spend logged on. If you have the ability to change the MAC address of your wireless interface, then do so each time you log on.

Remember - there is no such thing as absolute security or privacy on the internet.
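
The distinction drawn in the post above, as an added illustration that is not part of the thread and not code from any of the tools named in it: a self-check that classifies the first bytes your own machine sends toward a proxy and reports whether an on-path observer such as the ISP could read the destination and content, or only that an encrypted tunnel is in use. The host name forum.example and all sample byte strings are constructed.

```python
"""Classify what an on-path observer learns from the first client bytes sent
to a proxy. All sample payloads are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Exposure:
    transport: str              # how the stream was recognised
    destination: Optional[str]  # site host name readable on the wire, if any
    content_readable: bool      # pages and form posts readable by the observer
    proxy_use_evident: bool     # observer can tell a proxy or tunnel is in use


def _host_header(lines):
    """Return the host from a Host: header, without any port suffix."""
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0] or None
    return None


def classify(first_bytes: bytes) -> Exposure:
    # SSH identification string (RFC 4253): the banner is readable, everything
    # after key exchange is not. Tunnel use itself is visible.
    if first_bytes.startswith(b"SSH-"):
        return Exposure("ssh", None, False, True)
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    # The handshake is not parsed here; the site behind the proxy is not in it.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return Exposure("tls", None, False, True)
    try:
        lines = first_bytes.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return Exposure("unknown", None, False, False)
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return Exposure("unknown", None, False, False)
    method, target, _ = parts
    if method == "CONNECT":
        # Destination host is sent in clear; content_readable=False assumes
        # the tunnelled payload is TLS.
        return Exposure("connect-tunnel", target.rsplit(":", 1)[0], False, True)
    if "://" in target:
        # Absolute-form target: what a browser sends to an unencrypted proxy.
        return Exposure("plaintext-http-proxy", urlsplit(target).hostname, True, True)
    # Origin-form target: direct plain HTTP, destination is in the Host header.
    return Exposure("plaintext-http", _host_header(lines), True, False)


SAMPLES = {  # constructed payloads
    "plain_proxy": b"GET http://forum.example/viewtopic.php?t=1 HTTP/1.1\r\n"
                   b"Host: forum.example\r\n\r\n",
    "connect": b"CONNECT forum.example:443 HTTP/1.1\r\nHost: forum.example:443\r\n\r\n",
    "ssh": b"SSH-2.0-OpenSSH_4.3\r\n",
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0x2F]) + b"\x01" * 8,
}


def report(samples):
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, exposure in report(SAMPLES).items():
        print(f"{name:12} {exposure}")
```

Only the two encrypted cases hide both destination and content, and in both the use of a tunnel remains visible, which is the residual exposure the post describes.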

briann
Joined: 08 Dec 2006
Posts: 75

Posted: Sat Dec 09, 2006 4:45 pm

JAP has a code installed allowing the possibility for German government to snoop on you. That may not be a huge issue for you, if you do not believe that your activities might warrant a snoop from a western government.

Tor does not have this weakness, but yes, it is very slow. You can also pay for an SSH tunneling service, such as COTSE, if you want reliability and speed.

Brian
_________________
Extremism is our only hope.

www.LoyalistParty.com
A Third Party Against Islamic Hate

norwegian
Joined: 30 Oct 2006
Posts: 291
Location: Bergen

Posted: Sun Dec 10, 2006 7:13 am

DT, thanks for confirming my suspicions about the real nature of anonymizers. It's like giving a robber a paper bag to wear over his head, isn't it? He thinks he is safe from being recognized but he completely forgets that his fingerprints, voiceprints and vehicle registration number are there for all to see.

I think serious security is a habit. For the truly paranoid, it means disinfecting one's PC of trojans/spyware at every use, not using secure and unsecure identities on the same IP connection, not using the same PC for secure surfing and normal surfing, and storing sensitive application and data on removable media in addition to the SSH stuff.

On top of that, there's the question of how secure are the operations of your SSH tunneling provider. Notice that most of these providers do not provide any form of assurance against backdoor attacks against their own servers. That is where your account, access and billing information resides.

While it seems daunting, privacy is an end-to-end issue. Your garden variety anonymizer is only one piece of the jigsaw. I think a majority of FFI forumers have a false sense of security.

Briann, yes I am aware of the backdoor issue of JAP. It first came up a few years ago. But because it is used by law enforcement of a western country, I am not too worried. I checked out COTSE and it looks like a reasonable deal.

doubting_thomas
Joined: 13 Jun 2005
Posts: 7379
Location: Western Hemisphere

Posted: Sun Dec 10, 2006 8:08 am

norwegian wrote:
DT, thanks for confirming my suspicions about the real nature of anonymizers. It's like giving a robber a paper bag to wear over his head, isn't it? He thinks he is safe from being recognized but he completely forgets that his fingerprints, voiceprints and vehicle registration number are there for all to see.


That's an interesting analogy. Most of us probably wouldn't really compare a visitor to FFI with a robber, since we don't really see visiting FFI to be a criminal act. However, in an Islamic country visiting FFI could very well violate a number of religious laws.

norwegian wrote:

I think serious security is a habit. For the truly paranoid, it means disinfecting one's PC of trojans/spyware at every use, not using secure and unsecure identities on the same IP connection, not using the same PC for secure surfing and normal surfing, and storing sensitive application and data on removable media in addition to the SSH stuff.


If you're comfortable with Linux, you could also boot your computer from a LiveCD Linux distribution. This will load the entire operating system and GUI shell entirely from the CD. You should still have a hard drive partition for temporary data and virtual memory, but this can be wiped clean each time you boot. Using this scenario, there's no chance of a persistent infection by a virus, spyware, keylogger, or other security compromise. Of course, you could still acquire an "in memory" infection while you're surfing, but this will be eliminated when you reboot. You can also configure your LiveCD with anti-virus and anti-spyware software to help prevent even a transient infection.

norwegian wrote:

On top of that, there's the question of how secure are the operations of your SSH tunneling provider. Notice that most of these providers do not provide any form of assurance against backdoor attacks against their own servers. That is where your account, access and billing information resides.


This is true. However, a security breach is serious bad news for any commercial operation that depends on selling security services. If their "bread and butter" is the sale of secure internet access, then they are more likely to be extra vigilant about the security of their own servers.

It may seem somewhat harsh to say, but I trust a business relationship more than a personal relationship, since a business has much more to lose by betraying my trust.

norwegian wrote:

While it seems daunting, privacy is an end-to-end issue. Your garden variety anonymizer is only one piece of the jigsaw. I think a majority of FFI forumers have a false sense of security.


This is probably true, but I think the majority of FFI forumers have little to fear from having their security compromised. The ones who are at the greatest risk are the apostates who speak out against Islam. Muslim fundamentalists view this as equivalent to treason. They are at double the risk if they are in an Islamic country.

We do take measures to protect the security of our members, but there is a limit to what can be done at the server end. Your ISP stands between your computer and our server, and they are probably the weakest link in the security chain.

Some people put too much emphasis on things which really aren't that useful to someone trying to determine your identity. For instance, your IP address can be used to determine your internet service provider. If the IP allocation scheme of your provider is known (as it is for many broadband providers) then your general geographical location can even be determined from your IP address. However, only your ISP can determine who you are personally using your IP address. If you live in a western country then it's unlikely that your ISP will give up this information without a valid order from a government agency or court. Your average cyber-jihadi couldn't determine anything more than the city you live in.

Of course, things are different in an Islamic country, where the ISP is probably working with the government already.

norwegian
Joined: 30 Oct 2006
Posts: 291
Location: Bergen

Posted: Sun Dec 10, 2006 10:14 am

doubting_thomas wrote:

That's an interesting analogy. Most of us probably wouldn't really compare a visitor to FFI with a robber, since we don't really see visiting FFI to be a criminal act. However, in an Islamic country visiting FFI could very well violate a number of religious laws.


Unfortunately I am living in an Islamic state and all the ISPs here are government controlled.

doubting_thomas
Joined: 13 Jun 2005
Posts: 7379
Location: Western Hemisphere

Posted: Sun Dec 10, 2006 5:55 pm

norwegian wrote:
doubting_thomas wrote:

That's an interesting analogy. Most of us probably wouldn't really compare a visitor to FFI with a robber, since we don't really see visiting FFI to be a criminal act. However, in an Islamic country visiting FFI could very well violate a number of religious laws.


Unfortunately I am living in an Islamic state and all the ISPs here are government controlled.


If you were never a Muslim then you're probably in less danger. Perhaps all they would do is close your account. In any case, it's probably not worth the risk.

Everything I said in my first post applies. Find yourself a commercial secure proxy service in a western country. I've heard good things about "Total Net Shield" from anonymizer.com. A one year subscription will cost you $100 US. Anonymizer is a private company in San Diego, California.

norwegian
Joined: 30 Oct 2006
Posts: 291
Location: Bergen

Posted: Mon Dec 11, 2006 10:58 am

DT, I was born a Muslim but technically I don't think I meet the criteria of a Muslim. So I guess that makes me a non-Muslim although I'm sure the authorities would rather have my head than allow me that freedom.

I dug around the net and found that data theft is not all that uncommon. Couple of examples:

Most UK companies failing on data theft - survey
http://www.computerweekly.com/Articles/2006/11/24/220180/most-uk-companies-failing-on-data-theft-survey.htm

8,500 victims in international data theft
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004405

I don't want to be an alarmist but the trends are getting rather disturbing. Spyware is growing as fast as IM growth. Oppressive regimes are known to import cyber security consultants from France, UK and other places to build their own Echelon systems. I know of at least one Islamic country who already have a department dedicated to building dossiers of internet activity of their unsuspecting citizens.

I find that not only are most users ignorant about internet security, organizations (even western ones) can be just as ignorant. Here's a simple test: find out how many companies you know might pass the ISO 17799 test. This is one standard for end-to-end information security. You can apply this test to the company that hosts FFI itself.

I agree with you, business relationships are generally more secure because a breach can kill the business. However I also know that many business proprietors are too busy to be concerned about technical operations. These are left to the boys in the 'back room'. Most breaches happen because of one thing - the complacency of humans inside that organization. That can be anything from lax audit of security patches, an act of sabotage by a disgruntled employee, an inside sympathizer to rogue employees selling data for money. The business owner himself can be a victim.

I bring all this up because FFI users from non-western countries should be properly educated on the issues. Online security means a lot more than just installing firewalls and anonymizers on a PC. Even the selection of secure service providers should be made with care and not just on price and advertised features. Lives may depend on it. Perhaps someone with the skill can write a primer on security for FFI? I am no expert and am only talking from what I read in magazines.

By the way thanks for your tip on LiveCD. I am giving it a try.

doubting_thomas
Joined: 13 Jun 2005
Posts: 7379
Location: Western Hemisphere

Posted: Tue Dec 12, 2006 9:39 am

norwegian wrote:
DT, I was born a Muslim but technically I don't think I meet the criteria of a Muslim. So I guess that makes me a non-Muslim although I'm sure the authorities would rather have my head than allow me that freedom.


In that case, it's a good thing you are taking an active interest in your security.

norwegian wrote:

I dug around the net and found that data theft is not all that uncommon. Couple of examples:

Most UK companies failing on data theft - survey
http://www.computerweekly.com/Articles/2006/11/24/220180/most-uk-companies-failing-on-data-theft-survey.htm

8,500 victims in international data theft
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004405

I don't want to be an alarmist but the trends are getting rather disturbing. Spyware is growing as fast as IM growth. Oppressive regimes are known to import cyber security consultants from France, UK and other places to build their own Echelon systems. I know of at least one Islamic country who already have a department dedicated to building dossiers of internet activity of their unsuspecting citizens.


Islamic countries are not the only ones doing this. Communist countries (notably China) are pursuing this sort of a data collection with great zeal.

norwegian wrote:

I find that not only are most users ignorant about internet security, organizations (even western ones) can be just as ignorant. Here's a simple test: find out how many companies you know might pass the ISO 17799 test. This is one standard for end-to-end information security. You can apply this test to the company that hosts FFI itself.


Well, I can't discuss specific details of our security measures, for obvious reasons. I will tell you that FFI is on a dedicated server which we share with a few other like-minded web sites. The server is in a secure datacenter in the US. We have taken reasonable measures to control and monitor access to the server, and detect and prevent intrusions. Short of authoring our own operating system and application software, we are doing just about all that can be done.

norwegian wrote:

I agree with you, business relationships are generally more secure because a breach can kill the business. However I also know that many business proprietors are too busy to be concerned about technical operations. These are left to the boys in the 'back room'. Most breaches happen because of one thing - the complacency of humans inside that organization. That can be anything from lax audit of security patches, an act of sabotage by a disgruntled employee, an inside sympathizer to rogue employees selling data for money. The business owner himself can be a victim.


Agreed.

The best way for a visitor or member to ensure that no personally identifying information is recorded by this server is to ensure that they don't send any such information to it. Use a proxy to shield your IP address from this server, and register with an anonymous email address.

norwegian wrote:

I bring all this up because FFI users from non-western countries should be properly educated on the issues. Online security means a lot more than just installing firewalls and anonymizers on a PC. Even the selection of secure service providers should be made with care and not just on price and advertised features. Lives may depend on it. Perhaps someone with the skill can write a primer on security for FFI? I am no expert and am only talking from what I read in magazines.


We have a thread on this subject here. Feel free to contribute to it.

norwegian wrote:

By the way thanks for your tip on LiveCD. I am giving it a try.


You're welcome!

H5N1
Joined: 29 Oct 2005
Posts: 286
Location: In Hell with a perly HELLBOY

Posted: Mon May 28, 2007 6:33 am

Some of you obviously want to be anonymous so here is a non-technical way.

Let's take an example

You want to email your top politician and threaten him. If you do something that stupid expect a knock on your door within 15 minutes or less. On the other hand if you want to do the same thing but have a 99.999% chance of getting away with it then

1. write the contents of the email and put it on a floppy
2. remove your hard drive and drop it into an acid bath (hey recover that!)
3. Put on a tent, pretend you are a muslim female (wear gloves too)
4. go to an internet café (not your regular one), pay $3 for half an hour.
5. Cut + paste message from floppy to email and send.
6. Take floppy and put it under tent and leave the café IMMEDIATELY.
7. drop floppy in acid and dispose with hard drive (all should be a gooey solution by now)
8. Dispose and burn tent.
9. Go shopping for a new hard drive.
10. you now have a 0.001% chance of getting caught if you have gotten that far.

In short nothing is 100% but this is as good as it gets.

Good luck

One other thing you wore gloves so there should be no fingerprints around but hopefully you did not leave hair samples, fibers etc near the computer. (Watch CSI on TV for more info)
_________________
Hanging out at
where the REAL posters are.
FFI pussies stay here

America Yesterday: "Land of the Brave, Home of the Free "

America Today: " Most of them are still brave .........."

nomad
Joined: 01 Apr 2004
Posts: 6320
Location: Allahpalooza

Posted: Mon May 28, 2007 11:08 am

doubting_thomas wrote:
Well, I can't discuss specific details of our security measures, for obvious reasons. I will tell you that FFI is on a dedicated server which we share with a few other like-minded web sites. The server is in a secure datacenter in the US. We have taken reasonable measures to control and monitor access to the server, and detect and prevent intrusions. Short of authoring our own operating system and application software, we are doing just about all that can be done.

The FFI server is located here...


_________________
"We do not differentiate between those dressed in military uniforms and civilians; they are all targets in this fatwah," Osama bin Laden 1998

"I consider every American my enemy." Zacarias Moussaoui 2006