Re: The best way to run a hidden service: one or two computers?

2010-11-10 Thread hikki
Well--I'm still convinced that running two physical computers is the best
way to run a critical hidden service (instead of one computer optionally
with a VM).

Like this: Linux Web Server - Linux Tor Gateway - DSL Router -
No wireless equipment, just LAN cables between them.

The so far arguments against this setup, for rather using a VM on one
single computer, are these (might be more, and I'm willing to learn!):

#1 An attacker with root access gained can read off hardware serial
numbers on the Linux Web Server, like using tools as dmidecode. With that
knowledge, those serial numbers can be linked to a certain purchase of
those components, like having used a VISA card on a web shop. That also
goes for the MAC address of the NIC.

#2 Direct attack on the NIC on the Linux Tor Gateway box. As Robert
Ransom wrote:

 Yes.  I read a report years ago that at least one model of Ethernet
 card had a remote “firmware upgrade” “feature” built in, with
 absolutely no authentication of the new firmware blob.  The card
 firmware had access to the host's DMA hardware, which can be used to
 root the host.



So here are my arguments against those:

#1 I've been able to find a brand new motherboard that doesn't leak any
serial numbers of any components attached to it. I had to buy a few to
find that one, but they do exist and it was worth it! When I run tools
like dmidecode on that motherboard, the serial number lines for all the
components are either blank, have just 'OEM' written or '123456789'.
No serial numbers are shown. Nor any MAC addresses when running
dmidecode. Though MACs are easily read off by running 'ifconfig', even
as an unprivileged user.

But it does show the model of the motherboard, and the models of some of
its components, so having a brand new one might narrow down the buyers
some. But still it would be hard to find ONE buyer world wide without one
single serial number.

By using some older components from here and there--the secondhand market
is drowning in decent computer parts for give-away prices--that
additionally don't leak serial numbers during DMI decoding, it should be
very very very safe IMO.

The MAC address can be temporarily spoofed, and it's very easy to do on a
Linux system. Just one simple command in the Terminal, and
'sudo ifconfig -a' shows your spoofed MAC until you reboot, not the real
one. You'll just have to remember to change it after a reboot!

#2 Regarding attacks on LAN devices, you can just buy a really simple
one, without any firmware upgrade features at all, just a cheap and
simple LAN card with a ROM chip, that just works. Nothing spicy or fancy.
The simpler, the better, right? :)

And I think it will generally be harder to crack hardware than to crack
software, if we compare with VMs.



My point is that a VM is a software guest computer inside a host OS.
Firewalling the VM with apparmor or selinux might help a lot. But breaking
out of a hard box seems way more difficult, as does cracking a hardware LAN
interface just by sending packets to it. And the server box will be
totally isolated from the Internet anyway--it will only listen on the
webserver ports, and only allow outgoing traffic that matches the
incoming webserver requests.



But all this is only relevant if the attacker gains root access on the
server. So I guess running a hardened simple Linux OS on the server,
without a GUI, like OpenBSD or something, would make it extremely hard to
contact and gain root on the gateway box--while I think it's a lot easier
gaining root on a host machine that runs a guest OS inside a VM, because
they're both on the same box.

I'm just thinking out loud here, I'm not pretending to be a wise guy nor
a specialist. I'd appreciate being proven wrong and learning something new! :)

-Hikki
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
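The check hikki describes (running dmidecode and looking for serial-number fields that hold anything other than a blank or a placeholder) can be automated. The script below is an added example written for this archive page, not code from any poster; it parses dmidecode-style output and flags populated Serial Number, Asset Tag and UUID fields. The sample text is constructed, not captured from any real board, and the placeholder list is an assumption extended from the values the post mentions ('OEM', '123456789', blank) with the usual vendor "to be filled" strings.

```python
import re

# Constructed sample of dmidecode-style output (not from any real board).
SAMPLE_DMIDECODE = """\
Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: ExampleCorp
\tProduct Name: ExampleBoard X1
\tVersion: 1.0
\tSerial Number: 123456789
\tUUID: 00000000-0000-0000-0000-000000000000

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
\tManufacturer: ExampleCorp
\tProduct Name: X1-MB
\tVersion: Rev A
\tSerial Number: OEM
\tAsset Tag: To be filled by O.E.M.

Handle 0x0003, DMI type 3, 21 bytes
Chassis Information
\tManufacturer: ExampleCorp
\tType: Desktop
\tSerial Number: CHS-7F3A92B1
\tAsset Tag: Not Specified
"""

# Values that carry no identifying information (assumed list: the placeholders
# the post mentions plus common vendor filler strings).
PLACEHOLDERS = {"", "oem", "123456789", "not specified", "to be filled by o.e.m.",
                "none", "default string", "system serial number"}
# Fields that may link a board to a purchase record if populated.
IDENTIFYING_FIELDS = ("Serial Number", "Asset Tag", "UUID")


def parse_dmi(text):
    """Split dmidecode-style output into a list of (section title, {field: value})."""
    sections = []
    title, fields = None, {}
    for line in text.splitlines():
        if line.startswith("Handle "):
            if title is not None:
                sections.append((title, fields))
            title, fields = None, {}
        elif line.startswith("\t") and ":" in line:
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip()
        elif line.strip() and title is None:
            title = line.strip()
    if title is not None:
        sections.append((title, fields))
    return sections


def is_placeholder(value):
    """True for blank, vendor-filler, or all-zero values."""
    v = value.strip().lower()
    if v in PLACEHOLDERS:
        return True
    return bool(re.fullmatch(r"[0\-]+", v))


def find_leaks(text):
    """Return [(section, field, value)] for every identifying field that is populated."""
    leaks = []
    for title, fields in parse_dmi(text):
        for name in IDENTIFYING_FIELDS:
            if name in fields and not is_placeholder(fields[name]):
                leaks.append((title, name, fields[name]))
    return leaks


if __name__ == "__main__":
    # Real use: `sudo dmidecode | python3 dmi_audit.py`; with no piped input the sample runs.
    import sys
    data = SAMPLE_DMIDECODE if sys.stdin.isatty() else sys.stdin.read()
    for section, field, value in find_leaks(data):
        print(f"{section}: {field} = {value!r}")
```

On the constructed sample only the chassis serial is reported; a board that "doesn't leak" in the sense of the post produces an empty list. Model names are deliberately not flagged, since, as the post notes, they only narrow the set of buyers rather than identify one.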


Re: The best way to run a hidden service: one or two computers?

2010-11-10 Thread Martin Fick
--- On Wed, 11/10/10, hi...@safe-mail.net hi...@safe-mail.net wrote:
 Like this: Linux Web Server - Linux Tor Gateway -
 DSL Router -
 No wireless equipment, just LAN cables between them.

I have a question related to the tor client
and hidden service protocol designs which
may be relevant?  Can a tor client/hidden
service sitting behind a NATting router
query its router's internet facing public IP
from other tor nodes?  If so, could the
protocol be changed to prevent this somehow?

It seems like ideally we would want tor
clients and hidden services to be able to be
forced into the dark from a tor network
perspective about their own identifying info.
If a tor client/hidden service host is set up
with a private internal IP (say 192.168.1.2)
and appropriately firewalled from the internet
via a NATting router (likely with a spoofed
MAC) so that it can only speak with other
tor nodes (or bridges) on the appropriate
ports, could this node if compromised, still
gain identifying info about itself from its
network connections (ignoring internal
hardware info leaks)?  Does the tor project
have preventing this type of info leaking,
from this internal attack vector, as an
objective?  Should it, could it?

Thanks,

-Martin



  


Re: The best way to run a hidden service: one or two computers?

2010-11-10 Thread Robert Ransom
On Wed, 10 Nov 2010 10:39:34 -0800 (PST)
Martin Fick mogul...@yahoo.com wrote:

 I have a question related to the tor client
 and hidden service protocol designs which
 may be relevant?  Can a tor client/hidden
 service sitting behind a NATting router
 query its router's internet facing public IP
 from other tor nodes?

Yes.  Current Tor relays send the IP address of the other node in a
NETINFO cell at the beginning of each TLS connection.

 If so, could the
 protocol be changed to prevent this somehow?

No.  This would break both bridges and relays operated behind a NAT,
even with the ORPort forwarded to the internal IP address on which the
bridge or relay is listening.


Robert Ransom


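To make concrete what Robert describes, the added example below (written for this page, not Tor's own code) builds and parses a NETINFO cell payload following the layout given in tor-spec: a 4-byte timestamp, the address the sender observed for the other side, then a count and list of the sender's own addresses, each address encoded as type, length, value (type 0x04 with length 4 for IPv4, 0x06 with length 16 for IPv6). The cell command number 8 and the 509-byte fixed payload are also from tor-spec; the addresses and timestamp are constructed. observed_public_ip() shows the point of Martin's question: a host on a private address such as 192.168.1.2 reads its NAT's public address straight out of the cell.

```python
import ipaddress
import struct

# Constants from tor-spec (cell command, fixed payload size, address type codes).
CELL_NETINFO = 8
CELL_PAYLOAD_LEN = 509
ADDR_IPV4 = 0x04
ADDR_IPV6 = 0x06


def encode_address(addr):
    """Encode one address as TYPE (1 byte), LENGTH (1 byte), VALUE."""
    ip = ipaddress.ip_address(addr)
    atype = ADDR_IPV4 if ip.version == 4 else ADDR_IPV6
    return bytes([atype, len(ip.packed)]) + ip.packed


def decode_address(buf, offset):
    """Decode one TLV address at offset; return (address or None, next offset)."""
    atype, alen = buf[offset], buf[offset + 1]
    value = buf[offset + 2:offset + 2 + alen]
    if atype == ADDR_IPV4 and alen == 4:
        return str(ipaddress.IPv4Address(value)), offset + 2 + alen
    if atype == ADDR_IPV6 and alen == 16:
        return str(ipaddress.IPv6Address(value)), offset + 2 + alen
    return None, offset + 2 + alen   # unknown type: skipped, but still consumed


def build_netinfo(timestamp, other_addr, my_addrs):
    """Payload: TIME, OTHERADDR (peer as the sender sees it), N_MY_ADDRS, MY_ADDRS; zero padded."""
    body = struct.pack("!I", timestamp) + encode_address(other_addr)
    body += bytes([len(my_addrs)]) + b"".join(encode_address(a) for a in my_addrs)
    if len(body) > CELL_PAYLOAD_LEN:
        raise ValueError("too many addresses for one cell")
    return body.ljust(CELL_PAYLOAD_LEN, b"\x00")


def parse_netinfo(payload):
    """Inverse of build_netinfo; returns the three fields as a dict."""
    timestamp, = struct.unpack("!I", payload[:4])
    other, off = decode_address(payload, 4)
    count = payload[off]
    off += 1
    mine = []
    for _ in range(count):
        addr, off = decode_address(payload, off)
        if addr is not None:
            mine.append(addr)
    return {"time": timestamp, "other_addr": other, "my_addrs": mine}


def build_cell(circ_id, command, payload):
    """Fixed-size cell for link protocols 1-3: 2-byte CircID, 1-byte command, 509-byte payload."""
    return struct.pack("!HB", circ_id, command) + payload


def parse_cell(cell):
    circ_id, command = struct.unpack("!HB", cell[:3])
    return circ_id, command, cell[3:]


def observed_public_ip(payload, local_ip):
    """Address the peer reported for us, if it differs from our own interface
    address (what a NATed host learns from the cell); None when they match."""
    other = parse_netinfo(payload)["other_addr"]
    if other is not None and ipaddress.ip_address(other) != ipaddress.ip_address(local_ip):
        return other
    return None


if __name__ == "__main__":
    # Constructed scenario: relay 203.0.113.5 opens a link to a hidden-service host
    # whose LAN address is 192.168.1.2, behind a NAT whose public side is 198.51.100.7.
    payload = build_netinfo(1289400000, "198.51.100.7", ["203.0.113.5"])
    cell = build_cell(0, CELL_NETINFO, payload)
    _, cmd, body = parse_cell(cell)
    print(parse_netinfo(body))
    print("public address learned:", observed_public_ip(body, "192.168.1.2"))
```

Because the other-address field is what relays and bridges behind a NAT rely on to learn their own reachable address, a hidden service that connects to the network directly receives exactly the same information; the only way to keep it from the box is to not give the box that connection at all (a separate Tor gateway, as in hikki's layout).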


Re: The best way to run a hidden service: one or two computers?

2010-11-10 Thread Martin Fick
--- On Wed, 11/10/10, Robert Ransom rransom.8...@gmail.com wrote:

 Martin Fick mogul...@yahoo.com
 wrote:
 
  I have a question related to the tor client
  and hidden service protocol designs which
  may be relevant?  Can a tor client/hidden
  service sitting behind a NATting router
  query its router's internet facing public IP
  from other tor nodes?
 
 Yes.  Current Tor relays send the IP address of the
 other node in a
 NETINFO cell at the beginning of each TLS connection.
 
                
         If so, could the
  protocol be changed to prevent this somehow?
 
 No.  This would break both bridges and relays operated
 behind a NAT,
 even with the ORPort forwarded to the internal IP address
 on which the
 bridge or relay is listening.

I suspected so.  Do you agree that it would
be valuable if the change were possible?  It
seems like changing the protocol to use
another port (to easily be able to firewall it)
to get sensitive info for bridges and relays
might make clients and hidden services much
more easily securable.  I realise that this is
likely a major change, but if it could make
all tor users much more secure... (would
it?)

Thanks,

-Martin






Re: The best way to run a hidden service: one or two computers?

2010-09-27 Thread grarpamp
 Use the macchanger utility.  Make sure you write down your original
 MAC first, in case you need to switch back to it later.

Original is commonly available in Unixlike boot dmesg output.
I'm as yet unaware of an available changer that
will burn the hardware itself, as opposed to simply
programming the running MAC register till next reboot.

 sudo ifconfig eth1 hw ether 00:00:00:00:00:00 # make this something believable

Beware setting the layer2 multicast frame bit. Note also its
tricky position and endianness.

 See some preliminary design thoughts [1] we've been having for T(A)ILS
 to try and find an approach that makes your network interface appear
 different from the one it really is, and at the same time prevents it
 to appear real weird (a bit like the default User-Agent used by
 Torbutton).

Set to current Intel vendor prefix, randomize suffix, ban original MAC,
0x0, 0xf, other obviousness, etc. Full random might look like
a flaky nic to various hats, mostly old ones.

 you'll likely need to have the interface down before changing mac:

Some will bounce interface, all should gratuitous arp unless forbidden.
Be careful with ipv6 emissions on ifup.

 however, if an attacker has access to read this locally they've
 already compromised

Unknown here if original MAC can be read, or reset the nic for reading,
via the same original boot-time routines at any given later runtime.
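The rules grarpamp lists (vendor prefix, random suffix, ban the original and the obvious values, and watch the multicast bit and its position) are easy to get subtly wrong by hand, so here is an added example that encodes them; it is written for this page, not a tool from any poster, and it only generates and checks addresses. The vendor prefixes in it are assumed placeholders for "a common NIC vendor" and should be verified against the IEEE OUI registry before use; the original address is constructed. The down / set / up sequence it prints is the one from coderman's and Jake's messages later in the thread.

```python
import re
import secrets

# Assumed illustrative OUIs (vendor prefixes); placeholders to verify against
# the IEEE registry, chosen so the address does not look locally administered.
VENDOR_PREFIXES = ("00:1b:21", "00:15:17")

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.lower().split(":"))


def bytes_to_mac(octets):
    return ":".join(f"{b:02x}" for b in octets)


def mac_problems(mac, banned=()):
    """List the reasons a candidate address would look wrong or still identify the host."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return ["malformed"]
    octets = mac_to_bytes(mac)
    problems = []
    # Ethernet transmits each octet least-significant bit first, so the I/G
    # (multicast) flag is bit 0 and the U/L (locally administered) flag is
    # bit 1 of the FIRST octet, regardless of how the address is printed.
    if octets[0] & 0x01:
        problems.append("multicast (I/G) bit set")
    if octets[0] & 0x02:
        problems.append("locally-administered (U/L) bit set, looks spoofed")
    if octets == bytes(6):
        problems.append("all zeros")
    if octets == b"\xff" * 6:
        problems.append("all ones (broadcast)")
    if len(set(octets)) == 1:
        problems.append("repeated octet")
    if mac in {b.lower() for b in banned}:
        problems.append("banned (original) address")
    return problems


def believable_mac(original, rand_bytes=secrets.token_bytes):
    """Vendor prefix plus random suffix, retried until it passes mac_problems()."""
    for _ in range(64):
        prefix = VENDOR_PREFIXES[rand_bytes(1)[0] % len(VENDOR_PREFIXES)]
        candidate = prefix + ":" + bytes_to_mac(rand_bytes(3))
        if not mac_problems(candidate, banned=(original,)):
            return candidate
    raise RuntimeError("could not generate an acceptable address")


def ifconfig_commands(iface, mac):
    """The down / set / up sequence from the thread, as lines to run by hand."""
    return [
        f"sudo ifconfig {iface} down",
        f"sudo ifconfig {iface} hw ether {mac}",
        f"sudo ifconfig {iface} up",
    ]


if __name__ == "__main__":
    # Constructed original; in practice read the real one from boot dmesg first,
    # as grarpamp notes, so you can recognise and ban it.
    original = "00:11:22:33:44:55"
    new_mac = believable_mac(original)
    print("\n".join(ifconfig_commands("eth1", new_mac)))
```

The setting does not survive a reboot, as Michael notes above, so whatever runs these lines has to run before the interface comes up on every boot; and as coderman says, none of this helps once an attacker can already read the interface, it only keeps the real address out of what they read.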


Re: The best way to run a hidden service: one or two computers?

2010-09-27 Thread Eugen Leitl
On Sun, Sep 26, 2010 at 09:16:12PM -0700, coderman wrote:

 Chrome only has a prayer as live browser instance (which it does well
 by the way!).

This means you discourage use of Chrome for Tor-related issues, did
I get that correct?

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: The best way to run a hidden service: one or two computers?

2010-09-27 Thread The Doctor
On 09/27/2010 05:46 AM, grarpamp wrote:

 Original is commonly available in Unixlike boot dmesg output.
 I'm as yet unaware of an available changer that
 will burn the hardware itself, as opposed to simply
 programming the running MAC register till next reboot.

This used to be possible on some Sun machines, usually in the context of
resetting the NVRAM for some reason (like replacing the chip).  There
was a how-to floating around that you could use at the OpenBoot prompt
and change the MAC addresses of the network interfaces.

searches

http://www.squirrel.com/sun-nvram-hostid.faq.html
http://www.obsolyte.com/sunFAQ/faq_nvram.html (older version)

This is, however, probably not helpful to the previous poster.

I don't know if this is possible if the machine in question runs EFI
(but I'm curious to find out).

-- 

The Doctor [412/724/301/703]

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: http://drwho.virtadpt.net/

File not found: A)bort, R)etry, M)assive heart attack?



Re: The best way to run a hidden service: one or two computers?

2010-09-26 Thread coderman
On Sat, Sep 25, 2010 at 5:04 PM, Mike Perry mikepe...@fscked.org wrote:
 ...
 however, if an attacker has access to read this locally they've
 already compromised you to a degree that random mac affords no
 protection...

 Is this really true?

yup.  for the very few situations it is not true, you've designed a
virtual network and client environment with this class of information
leakage covered (read: you know what you're doing and what you're
defending against :)


 One of the things I've wondered about here is
 plugins, but since Torbutton disables them for other reasons I haven't
 really looked into it.

yes. this is one reason why Torbutton is great regardless of other
protections. the list of plug-ins exposing dangerous interfaces /
attack surface is about as long as the list of plug-ins for FFox,

Chrome only has a prayer as live browser instance (which it does well
by the way!).

IE, Opera, Safari, most are hopeless.



 For instance, I know Java can create a socket,
 and query the interface properties of that socket to get the interface
 IP. Why not mac address?

yup, and/or upstream router details sufficient to geo locate you,
expose public IP endpoint, etc. (like the how i met your girlfriend
attacks, many others...)


 And if not java, can one of flash,
 silverlight, pdf-javascript, or others do this?

yes.


 Already we have
 location features built in to the browser based on nearby Wifi MACs...

yes. :)


 The Java trick to get the interface IP does not require special privs,
 so a randomized MAC would in fact help this scenario, if it were
 somehow possible.

yes. :P


Re: The best way to run a hidden service: one or two computers?

2010-09-25 Thread Michael Gomboc
*Use the macchanger utility.  Make sure you write down your original MAC
first, in case you need to switch back to it later.*


There is need to remember the mac address because it will be reset on
start up!
So if you don't put that in a start up script, after the next boot you will
have again the real mac address.


Regards,
Michael




2010/9/24 Robert Ransom rransom.8...@gmail.com

 On Fri, 24 Sep 2010 17:34:05 -0400
 hi...@safe-mail.net wrote:

  Robert Ransom:
 
   Also, if you haven't bothered to change your MAC address, an attacker
   with any UID can read it using ifconfig; your hardware manufacturers
   may have kept records of where the device(s) with that MAC address were
   shipped.
 
  I have heard of these attacks, like an attacker reading off your MAC
  address and even hardware serial numbers. I should be safe regarding
  serial numbers, but I am some concerned about the MAC address.
 
  It would be very nice to know how to change the MAC address so it says
  something different when you run the ifconfig utility. Could you, or
 anyone,
  please help me with that? I'm using Linux.

 Use the macchanger utility.  Make sure you write down your original MAC
 first, in case you need to switch back to it later.


 Robert Ransom




-- 
Michael Gomboc
www.viajando.at
pgp-id: 0x5D41FDF8


Re: The best way to run a hidden service: one or two computers?

2010-09-25 Thread Mike Perry
Thus spake coderman (coder...@gmail.com):

 however, if an attacker has access to read this locally they've
 already compromised you to a degree that random mac affords no
 protection...

Is this really true? One of the things I've wondered about here is
plugins, but since Torbutton disables them for other reasons I haven't
really looked into it. For instance, I know Java can create a socket,
and query the interface properties of that socket to get the interface
IP. Why not mac address? And if not java, can one of flash,
silverlight, pdf-javascript, or others do this? Already we have
location features built in to the browser based on nearby Wifi MACs...

The Java trick to get the interface IP does not require special privs,
so a randomized MAC would in fact help this scenario, if it were
somehow possible.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: The best way to run a hidden service: one or two computers?

2010-09-25 Thread Robert Ransom
On Sat, 25 Sep 2010 17:04:14 -0700
Mike Perry mikepe...@fscked.org wrote:

 Thus spake coderman (coder...@gmail.com):
 
  however, if an attacker has access to read this locally they've
  already compromised you to a degree that random mac affords no
  protection...
 
 Is this really true?

If you are running a hidden service, on a computer with no network
access except through Tor, no -- you might not be hosed just by an
attacker being able to run a shell command, but leaking an actual MAC
address from an actual NIC might get you tracked down.  (An attacker
with shell access can read your MAC address on Linux just by running
ifconfig, even as an ordinary user.)

  One of the things I've wondered about here is
 plugins, but since Torbutton disables them for other reasons I haven't
 really looked into it. For instance, I know Java can create a socket,
 and query the interface properties of that socket to get the interface
 IP. Why not mac address? And if not java, can one of flash,
 silverlight, pdf-javascript, or others do this? Already we have
 location features built in to the browser based on nearby Wifi MACs...
 
 The Java trick to get the interface IP does not require special privs,
 so a randomized MAC would in fact help this scenario, if it were
 somehow possible.

I don't know whether browser plugins can be used to read a MAC address,
but if *they* can run a shell command like ifconfig, yes, you are in
real trouble.


Robert Ransom




Re: The best way to run a hidden service: one or two computers?

2010-09-25 Thread Mike Perry
Thus spake Robert Ransom (rransom.8...@gmail.com):

 On Sat, 25 Sep 2010 17:04:14 -0700
 Mike Perry mikepe...@fscked.org wrote:
 
  Thus spake coderman (coder...@gmail.com):
  
   however, if an attacker has access to read this locally they've
   already compromised you to a degree that random mac affords no
   protection...
  
  Is this really true?
 
 If you are running a hidden service, on a computer with no network
 access except through Tor, no -- you might not be hosed just by an
 attacker being able to run a shell command, but leaking an actual MAC
 address from an actual NIC might get you tracked down.  (An attacker
 with shell access can read your MAC address on Linux just by running
 ifconfig, even as an ordinary user.)

Hah, yah, I forgot the context of this thread was hidden service
threats. This thought popped into my head a day after reading
coderman's original post and thinking about securing plugins in
Google Chrome.

But yes, your statement about command injection is absolutely true. In
fact, in some cases commands that run may even be restricted by an
AppArmor or SELinux policy (if you run Ubuntu 10 or Centos 5), but an
attacker still could run some socket syscalls and commands with these
limited privs.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs




Re: The best way to run a hidden service: one or two computers?

2010-09-24 Thread hikki
Robert Ransom:

 Also, if you haven't bothered to change your MAC address, an attacker
 with any UID can read it using ifconfig; your hardware manufacturers
 may have kept records of where the device(s) with that MAC address were
 shipped.

I have heard of these attacks, like an attacker reading off your MAC 
address and even hardware serial numbers. I should be safe regarding 
serial numbers, but I am some concerned about the MAC address.

It would be very nice to know how to change the MAC address so it says 
something different when you run the ifconfig utility. Could you, or anyone, 
please help me with that? I'm using Linux.


Re: The best way to run a hidden service: one or two computers?

2010-09-24 Thread Robert Ransom
On Fri, 24 Sep 2010 17:34:05 -0400
hi...@safe-mail.net wrote:

 Robert Ransom:
 
  Also, if you haven't bothered to change your MAC address, an attacker
  with any UID can read it using ifconfig; your hardware manufacturers
  may have kept records of where the device(s) with that MAC address were
  shipped.
 
 I have heard of these attacks, like an attacker reading off your MAC 
 address and even hardware serial numbers. I should be safe regarding 
 serial numbers, but I am some concerned about the MAC address.
 
 It would be very nice to know how to change the MAC address so it says 
 something different when you run the ifconfig utility. Could you, or anyone, 
 please help me with that? I'm using Linux.

Use the macchanger utility.  Make sure you write down your original MAC
first, in case you need to switch back to it later.


Robert Ransom




Re: The best way to run a hidden service: one or two computers?

2010-09-24 Thread Robert Ransom
On Mon, 20 Sep 2010 11:00:41 -0400
Gregory Maxwell gmaxw...@gmail.com wrote:

 On Fri, Sep 17, 2010 at 10:41 PM, Robert Ransom rransom.8...@gmail.com 
 wrote:
  If your hidden service really needs to be annoying to find, run it:
 
  * using only well-written, secure software,
  * in a VM with no access to physical network hardware,
  * on a (physical) computer with no non-hidden services of any kind
   running on it (so that an attacker can't use Dr. Murdoch's ‘Hot or
   Not’ clock-skew detection attack),
  * and over a fast enough Internet connection that the adversary cannot
   easily determine your connection's speed.
 
 I think you've missed some points.
 
 * The (Virtual) machine running the hidden service should probably
 also have no _outbound_ network connectivity except via tor.
 
 This is because it can be even easier to trick a software on a server
 into making a network connection than it is to remotely compromise the
 server. E.g. your GNU/Linux distribution may have installed some extra
 CGIs in your webserver that you are unaware of...

Yes.  I knew that, and forgot to mention it (at least in that list).

These defenses, and the attacks they are intended to block, need to be
written up in a (hidden?) wiki article, so people setting up sensitive
hidden services can read all of them in one place.

 And here is a potentially controversial suggestion, lets see what
 others say about it:
 
 * You should run your hidden service behind tor bridges rather than
 directly connecting to the tor network.
 
 The rationale for this suggestion is that it may make it more
 difficult for a network observer to enumerate a list of tor clients in
 order to apply things like the clock-skew attack or subject them to
 additional network surveillance.

No.  An attacker *will* find your entry guards (see
http://freehaven.net/anonbib/date.html#hs-attack06); you want them to
have as many clients as possible, so that you still have some chance of
getting lost in the crowd.


  The above precautions are probably enough, unless a three-letter agency
  (or four-letter association) knows about your hidden service and wants
  to find and ‘neutralize’ its operator.  In that case, you have to worry
  about the near-global passive adversary and other threats that Tor
  can't afford to defeat.
 
 I fear that you're overstating the security provided.
 
 For example, I think that if you managed to piss off the ISP community
 vigilantes that go after spammers and botnets that they would have a
 decent chance of tracking you down in spite of your efforts to stay
 hidden.

Probably.  The first time I read the Murdoch-Zieliński paper
http://freehaven.net/anonbib/date.html#murdoch-pet2007, I didn't
notice that someone was actually planning to use the sFlow data to
locate spammers.  


Robert Ransom




Re: The best way to run a hidden service: one or two computers?

2010-09-24 Thread Jacob Appelbaum
On 09/24/2010 03:10 PM, Robert Ransom wrote:
 On Fri, 24 Sep 2010 17:34:05 -0400
 hi...@safe-mail.net wrote:
 
 Robert Ransom:

 Also, if you haven't bothered to change your MAC address, an attacker
 with any UID can read it using ifconfig; your hardware manufacturers
 may have kept records of where the device(s) with that MAC address were
 shipped.

 I have heard of these attacks, like an attacker reading off your MAC 
 address and even hardware serial numbers. I should be safe regarding 
 serial numbers, but I am some concerned about the MAC address.

 It would be very nice to know how to change the MAC address so it says 
 something different when you run the ifconfig utility. Could you, or anyone, 
 please help me with that? I'm using Linux.
 
 Use the macchanger utility.  Make sure you write down your original MAC
 first, in case you need to switch back to it later.
 
 
 Robert Ransom

Try the following by hand:
sudo ifconfig eth1 hw ether 00:00:00:00:00:00 # make this something believable

All the best,
Jake


Re: The best way to run a hidden service: one or two computers?

2010-09-24 Thread intrigeri
Hi,

Jacob Appelbaum wrote (24 Sep 2010 23:01:22 GMT) :
 Try the following by hand:
 sudo ifconfig eth1 hw ether 00:00:00:00:00:00 # make this something believable

See some preliminary design thoughts [1] we've been having for T(A)ILS
to try and find an approach that makes your network interface appear
different from the one it really is, and at the same time prevents it
to appear real weird (a bit like the default User-Agent used by
Torbutton).

This has not been implemented yet in T(A)ILS yet, mainly due to
UI/integration issues that still need to be thought of and
discussed... as the rest of the linked page will show you.

  [1] https://amnesia.boum.org/todo/macchanger/#index4h1

Bye,
--
  intrigeri intrig...@boum.org
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ 
https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
  | Every now and then I get a little bit restless
  | and I dream of something wild.


Re: The best way to run a hidden service: one or two computers?

2010-09-24 Thread coderman
On Fri, Sep 24, 2010 at 4:01 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 ...
 Try the following by hand:
 sudo ifconfig eth1 hw ether 00:00:00:00:00:00 ...

you'll likely need to have the interface down before changing mac:
sudo ifconfig eth1 down
sudo ifconfig eth1 hw ether random mac
sudo ifconfig eth1 up / or dhclient / or pump / or ...

however, if an attacker has access to read this locally they've
already compromised you to a degree that random mac affords no
protection...

(remember mac only visible on link-local or host)


Re: The best way to run a hidden service: one or two computers?

2010-09-20 Thread Robert Ransom
On Sun, 19 Sep 2010 07:11:21 -0400
hi...@safe-mail.net wrote:

 Robert Ransom:
 
  The VM is optional *if* and *only if* an attacker cannot possibly get
  root on your hidden service.
 
 How do external attackers get root access on a Linux system, and how do they
 then communicate with the system as root, like listing directories and
 changing configuration files as you would have done in a shell, when they're
 basically limited to a hidden website with the browser's address bar and
 maybe a few input forms? It gets more sensible when we're talking about
 default and open websites with the server's true IP addresses and ports out
 in the public, and exploitation of SSH servers. I'm just curious about that.

If your web server and all of the interpreters and programs it runs are
competently written, there is no way for an attacker to get root
access, or even run a shell command.  Web applications and the
special-purpose interpreters they run on are often incompetently
written.

 BTW how do you reply to specific posts? All I'm doing here is replying to 
 my own original post. Thanks.

I select the message I want to reply to, and then I click the “Reply”
button in my mail client's toolbar.


Robert Ransom




Re: The best way to run a hidden service: one or two computers?

2010-09-20 Thread hikki
Robert Ransom:

 If your web server and all of the interpreters and programs it runs are
 competently written, there is no way for an attacker to get root
 access, or even run a shell command.  Web applications and the
 special-purpose interpreters they run on are often incompetently
 written.

I've noticed that on most Linux distributions, Apache 2 (just an example)
runs as a non-privileged user on the system. One Apache 2 process
does run as Root, but it spawns unprivileged child processes. So if there
were a flaw in Apache 2, or PHP, that an attacker knew about, would he
then be able to gain Root access if the software runs as a non-Root user?

 I select the message I want to reply to, and then I click the “Reply”
 button in my mail client's toolbar.

The same as I do. It must be my mail provider that sucks. :)

Thanks for all your help BTW!


Re: The best way to run a hidden service: one or two computers?

2010-09-20 Thread Gregory Maxwell
On Fri, Sep 17, 2010 at 10:41 PM, Robert Ransom rransom.8...@gmail.com wrote:
 If your hidden service really needs to be annoying to find, run it:

 * using only well-written, secure software,
 * in a VM with no access to physical network hardware,
 * on a (physical) computer with no non-hidden services of any kind
  running on it (so that an attacker can't use Dr. Murdoch's ‘Hot or
  Not’ clock-skew detection attack),
 * and over a fast enough Internet connection that the adversary cannot
  easily determine your connection's speed.

I think you've missed some points.

* The (Virtual) machine running the hidden service should probably
also have no _outbound_ network connectivity except via tor.

This is because it can be even easier to trick a software on a server
into making a network connection than it is to remotely compromise the
server. E.g. your GNU/Linux distribution may have installed some extra
CGIs in your webserver that you are unaware of...

And here is a potentially controversial suggestion, lets see what
others say about it:

* You should run your hidden service behind tor bridges rather than
directly connecting to the tor network.

The rationale for this suggestion is that it may make it more
difficult for a network observer to enumerate a list of tor clients in
order to apply things like the clock-skew attack or subject them to
additional network surveillance.

[snip]
 The above precautions are probably enough, unless a three-letter agency
 (or four-letter association) knows about your hidden service and wants
 to find and ‘neutralize’ its operator.  In that case, you have to worry
 about the near-global passive adversary and other threats that Tor
 can't afford to defeat.

I fear that you're overstating the security provided.

For example, I think that if you managed to piss off the ISP community
vigilantes that go after spammers and botnets that they would have a
decent chance of tracking you down in spite of your efforts to stay
hidden.


Re: The best way to run a hidden service: one or two computers?

2010-09-20 Thread Robert Ransom
On Mon, 20 Sep 2010 09:58:14 -0400
hi...@safe-mail.net wrote:

 Robert Ransom:
 
  If your web server and all of the interpreters and programs it runs are
  competently written, there is no way for an attacker to get root
  access, or even run a shell command.  Web applications and the
  special-purpose interpreters they run on are often incompetently
  written.
 
 I've noticed that on most Linux distributions, Apache 2 (just an example) 
 runs as a non-privileged user on the system. Though one Apache 2 process 
 does run as Root, but it spawns unprivileged process children. So if it 
 was to be a flaw in Apache 2, or PHP, that an attacker knew about, would he 
 then be able to gain Root access if the software runs as a non-Root user?

Maybe.  Most Linux distributions do not put much effort into protecting
a system against a malicious user with shell access.  Even if you have
no local privilege-escalation holes, there are usually scary
side-channel attacks (e.g. cache-related leakage of AES keys), and you
may have already given the compromised UID permission to send arbitrary
network packets (if it can run VirtualBox, for example, the attacker
can set up a VM with a bridged network device, log in as root in the
VM, and send evil packets at will).

Also, if you haven't bothered to change your MAC address, an attacker
with any UID can read it using ifconfig; your hardware manufacturers
may have kept records of where the device(s) with that MAC address were
shipped.

  I select the message I want to reply to, and then I click the ‘Reply’
  button in my mail client's toolbar.
 
 The same as I do. It must be my mail provider that sucks. :)

If you have a Linux system with persistent storage, try Claws Mail.  If
you have a Windows system, gpg4win includes Claws Mail for Windows.
(Unfortunately, it leaks its version number, your GTK version number,
and its build target (including processor architecture) in an X-Mailer
header.)


Robert Ransom


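As an added example (not from the thread), a small Python check for the MAC-address fingerprint Robert describes: it reads ifconfig-style output, flags interfaces whose MAC is vendor-assigned (so its OUI, and the manufacturer's shipping records, could be consulted), and generates a locally administered replacement. The sample ifconfig output and interface names are constructed.

```python
import re
import secrets

# Constructed sample of old-style `ifconfig` output; no real hardware behind it.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:1a:2b:3c:4d:5e
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 02:9f:17:c3:e0:41
          inet addr:10.0.0.2  Bcast:10.0.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

_HWADDR = re.compile(r"^(\S+)\s+Link encap:Ethernet\s+HWaddr\s+([0-9A-Fa-f:-]{17})", re.M)


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' and return the six raw octets."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC-48 address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (0x02 of the first octet) is set on locally administered addresses;
    clear means a vendor-assigned address whose OUI identifies the manufacturer."""
    return bool(parse_mac(mac)[0] & 0x02)


def oui(mac: str) -> str:
    """First three octets: the vendor prefix an investigator would look up."""
    return format_mac(parse_mac(mac)[:3])


def random_local_mac(rng=secrets.token_bytes) -> str:
    """Generate a unicast, locally administered replacement address.
    rng is injectable so the result can be checked deterministically."""
    raw = bytearray(rng(6))
    raw[0] = (raw[0] | 0x02) & 0xFE   # set U/L bit, clear the I/G (multicast) bit
    return format_mac(raw)


def burned_in_interfaces(ifconfig_text: str) -> list:
    """Names of interfaces still showing a vendor-assigned MAC in ifconfig output."""
    return [name for name, mac in _HWADDR.findall(ifconfig_text)
            if not is_locally_administered(mac)]


if __name__ == "__main__":
    for name in burned_in_interfaces(SAMPLE_IFCONFIG):
        print(f"{name}: vendor MAC, consider replacing with {random_local_mac()}")
```

Note that replacing the address only changes what software can read; the burned-in value still exists in the card's EEPROM.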


Re: The best way to run a hidden service: one or two computers?

2010-09-19 Thread hikki
Robert Ransom:

 The VM is optional *if* and *only if* an attacker cannot possibly get
 root on your hidden service.

How do external attackers get root access on a Linux system, and how do they 
then communicate with the system as root, like listing directories and 
changing configuration files as you would have done in a shell, when they're 
basically limited to a hidden website with the browser's address bar and 
maybe a few input forms? It gets more sensible when we're talking about 
default and open websites with the server's true IP addresses and ports out 
in the public, and exploitation of SSH servers. I'm just curious about that.

BTW how do you reply to specific posts? All I'm doing here is replying to 
my own original post. Thanks.


Re: The best way to run a hidden service: one or two computers?

2010-09-18 Thread katmagic
On Fri, 17 Sep 2010 16:36:16 -0400
hi...@safe-mail.net wrote:

 Robert Ransom:
 
  Only if you trust the hardware firewall/router. I wouldn't.
 
 Okay so there aren't that many safe options to run a hidden service
 really, if any at all?

The router issue is only relevant if you're exploited, and if you're
running a firewall, get exploited on the root level, too. I'd look into
privilege separation software if you're really serious about security,
specifically AppArmor and SELinux, or systrace if you're on *BSD.
(AppArmor is much simpler than SELinux, though SELinux is probably more
powerful. Personally, I like systrace the best.) Just make sure you
update frequently, and you'll probably be good. :-)

--
more than just a leitmotif
PGP Key ID: 33E22AB1




Re: The best way to run a hidden service: one or two computers?

2010-09-17 Thread hikki
Robert Ransom:

 Only if you trust the hardware firewall/router. I wouldn't.

Okay so there aren't that many safe options to run a hidden service really, 
if any at all?


Re: The best way to run a hidden service: one or two computers?

2010-09-17 Thread Robert Ransom
On Fri, 17 Sep 2010 16:36:16 -0400
hi...@safe-mail.net wrote:

 Robert Ransom:
 
  Only if you trust the hardware firewall/router. I wouldn't.
 
 Okay so there aren't that many safe options to run a hidden service really, 
 if any at all?

If your hidden service really needs to be annoying to find, run it:

* using only well-written, secure software,
* in a VM with no access to physical network hardware,
* on a (physical) computer with no non-hidden services of any kind
  running on it (so that an attacker can't use Dr. Murdoch's ‘Hot or
  Not’ clock-skew detection attack),
* and over a fast enough Internet connection that the adversary cannot
  easily determine your connection's speed.


The VM is optional *if* and *only if* an attacker cannot possibly get
root on your hidden service.  The physical computer with no non-hidden
services on it, and the fast Internet connection, are optional if you
do not need to keep your service hidden at all.

Using secure software to run your hidden service is absolutely
essential; if an attacker can get a list of files
in /bin, /usr/bin, /usr/local/bin, /sbin, /usr/sbin, /usr/local/sbin,
and /command, and a list of directories in /usr/local and /opt, he
probably knows enough to identify the service's owner, and more
importantly, he knows enough to recognize another service owned by the
same person.  Your preferred Unix distribution, your favorite editors,
your favorite command-line utilities, etc. are not especially easy to
hide.  (For example, if you find a hidden service running Plan 9 or
Inferno, or with 9base or plan9port installed on it, you're going to
look at me first -- I'm on both the Tor mailing lists and
Plan-9-related mailing lists, and I don't think anyone else is at the
moment.)


The above precautions are probably enough, unless a three-letter agency
(or four-letter association) knows about your hidden service and wants
to find and ‘neutralize’ its operator.  In that case, you have to worry
about the near-global passive adversary and other threats that Tor
can't afford to defeat.


Another, safer, option is to keep your hidden service below the radar
entirely -- it's a lot harder for your adversaries to find something if
they don't know it exists.  I assume that's the approach that the US
Navy uses.


Robert Ransom




Re: The best way to run a hidden service: one or two computers?

2010-09-16 Thread hikki
Do you say that Ethernet cards may have backdoors built in, or did I 
misunderstand that?

-

What if you put a hardware firewall router between the first computer and 
the second:

[Server box with web server] - [Hardware firewall router] - [Gateway box with 
Tor] - Internet/Tor entry node

And computer 1 and computer 2 operate on two different IP ranges, while 
the firewall router sets all the firewall directives between them.

Could this be safer?

-

Thanks for help!

(I'm not sure if this message came within the thread, since I'm not yet sure 
about how to reply like that.)


Re: The best way to run a hidden service: one or two computers?

2010-09-16 Thread Robert Ransom
On Thu, 16 Sep 2010 15:32:21 -0400
hi...@safe-mail.net wrote:

 Do you say that Ethernet cards may have backdoors built in,

Yes.  I read a report years ago that at least one model of Ethernet
card had a remote ‘firmware upgrade’ ‘feature’ built in, with
absolutely no authentication of the new firmware blob.  The card
firmware had access to the host's DMA hardware, which can be used to
root the host.

 or did I 
 misunderstand that?

No.


 What if you put a hardware firewall router between the first computer and 
 the second:
 
 [Server box with web server] - [Hardware firewall router] - [Gateway box 
 with Tor] - Internet/Tor entry node
 
 And computer 1 and computer 2 operate on two different IP ranges, while 
 the firewall router sets all the firewall directives between them.
 
 Could this be safer?

Only if you trust the hardware firewall/router.  I wouldn't.


 (I'm not sure if this message came within the thread, since I'm not yet sure 
 about how to reply like that.)

It did.


Robert Ransom




Re: The best way to run a hidden service: one or two computers?

2010-09-13 Thread Robert Ransom
On Mon, 13 Sep 2010 14:12:35 -0400
hi...@safe-mail.net wrote:

 When running a hidden service, obviously hidden so no one can find the 
 true source and IP of the web server because lives may depend on 
 that, I've heard that the best and safest way is to use a dedicated 
 server computer with two operating systems and the server being inside a 
 virtual machine. So if the web server should get cracked, the cracker 
 will be locked inside the virtual machine and cannot do side-channel 
 attacks or any other clever methods to reveal the true source.
 
 Then I read somewhere that there's even a more secure way, and that is by 
 using two dedicated computers. One computer with the web server running, 
 being connected with a LAN cable to the second computer which works as a 
 firewalled router with Tor running on it with the hidden service keys. 
 Again, if a cracker cracks the server machine, he will be physically 
 trapped inside the server and cannot access the second computer nor the 
 internet directly.

He *would* be able to access the Ethernet card in the
Internet-connected gateway box, and I have seen reports of at least one
Ethernet card with an unauthenticated remote-update backdoor which
could be used to take over the entire computer through DMA.  At the
very least, virtual network adapters are unlikely to have intentional
backdoors hidden in them.

 What are your opinions on this?
 What should be done and what should be avoided while setting up such 
 systems?

* First, operate the hidden service using software with no security
  holes, and on a (physical) computer that does not operate any
  Internet-visible services (especially not a Tor relay).  Putting your
  hidden service in a virtual machine won't protect you from the
  side-channel attack described in “Hot or Not”.

* Second, if you must use software with security holes to operate your
  hidden service, keep that software in a virtual machine, and do not
  let it communicate with a real network adapter.  (The ‘host-only
  network’ option in VirtualBox should be safe enough, for example.)  I
  don't see a big reason to run Tor in a VM, unless you need to set up
  transparent proxying and don't want to mess up your main OS
  installation.


Robert Ransom




Re: The best way to run a hidden service: one or two computers?

2010-09-13 Thread Jimmy Dioxin
There's a good guide for this which was written around a year ago
available at:

http://www.olyhackbloc.org/hidsec.pdf

The original post seems to be found here:
http://www.mail-archive.com/or-talk@freehaven.net/msg11575.html

As for virtual machines, if an adversary is able to break through a
fully virtualized machine, another level of protection won't do you much.

If you're worried about an attacker with those kind of skills, you're
better setting up a drop box which contains a hidden service server
that you can drop in any area that isn't connected to you. Be creative ; )

Jimmy Dioxin


On 09/13/2010 03:45 PM, Robert Ransom wrote:
 On Mon, 13 Sep 2010 14:12:35 -0400
 hi...@safe-mail.net wrote:
 
 When running a hidden service, obviously hidden so no one can find the 
 true source and IP of the web server because lives may depend on 
 that, I've heard that the best and safest way is to use a dedicated 
 server computer with two operating systems and the server being inside a 
 virtual machine. So if the web server should get cracked, the cracker 
 will be locked inside the virtual machine and cannot do side-channel 
 attacks or any other clever methods to reveal the true source.

 Then I read somewhere that there's even a more secure way, and that is by 
 using two dedicated computers. One computer with the web server running, 
 being connected with a LAN cable to the second computer which works as a 
 firewalled router with Tor running on it with the hidden service keys. 
 Again, if a cracker cracks the server machine, he will be physically 
 trapped inside the server and cannot access the second computer nor the 
 internet directly.
 
 He *would* be able to access the Ethernet card in the
 Internet-connected gateway box, and I have seen reports of at least one
 Ethernet card with an unauthenticated remote-update backdoor which
 could be used to take over the entire computer through DMA.  At the
 very least, virtual network adapters are unlikely to have intentional
 backdoors hidden in them.
 
 What are your opinions on this?
 What should be done and what should be avoided while setting up such 
 systems?
 
 * First, operate the hidden service using software with no security
   holes, and on a (physical) computer that does not operate any
   Internet-visible services (especially not a Tor relay).  Putting your
   hidden service in a virtual machine won't protect you from the
   side-channel attack described in “Hot or Not”.
 
 * Second, if you must use software with security holes to operate your
   hidden service, keep that software in a virtual machine, and do not
   let it communicate with a real network adapter.  (The ‘host-only
   network’ option in VirtualBox should be safe enough, for example.)  I
   don't see a big reason to run Tor in a VM, unless you need to set up
   transparent proxying and don't want to mess up your main OS
   installation.
 
 
 Robert Ransom


