On 04/30/2012 08:41 PM, Brian Conley wrote: > Hi all, > > So it's recently come to my attention that there may be a few issues with > Tor. I'm hoping someone more knowledgeable than me can explain why these > issues exist(our don't exist, inshallah), and what methods(if any) can be > used to mitigate them. I'm just going to cut and paste the commentary in > full, since it's not me but questions from an individual: >
Ok. > TOR can be used. But there are two problems: > 1. Skype routes around TOR I'm sure this is a tired thing to say but I'd highly encourage the use of Jitsi or something other than Skype. There are remotely exploitable flaws in Skype that are not patched and those bugs are used by various groups to compromise computers of activists. These bugs are probably not even known to the Skype team. Hacking Team and FinFisher are the two that I believe have these exploits ready to go - both are active in Syria, for example. It would be nice to catch these exploits in the wild but I'm not holding my breath. With that said - I understand that you work with people that don't care to stop using Skype. My suggestion is for them to download Tails and then to install Skype on Tails: https://tails.boum.org/ Why am I suggesting this? Because frankly, I can't think of another way to mitigate the absolutely stupid use of Skype. It's just a nightmare on so many levels - not the least of which is this latest disclosure: http://skype-ip-finder.tk/ If you're not anonymized, even with Skype, you're in deep trouble if the attacker merely knows your Skype login! At least with Tails, Skype traffic should not leave the machine unless you configure it to use Tor properly - likely by setting a proxy in the configuration screen for Skype. > 2. Using TOR will, if somebody at network central is monitoring, turnon > klaxons. VPN is to common to do that, the network central office becomes to > noisy so nobody can sleep on their desk. TORs biggest utility is for > anonymous surfing. It is not too usable with real time traffic which skype > generates....back to square 1 for live reporting > klaxons? What? Alarms? All the best, Jacob _______________________________________________ liberationtech mailing list [email protected] Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech
