4.1.10.2 TOR and compromised exit-nodes
One of the highest risks you take when navigating the TOR network is running
into a compromised exit node, the last node exiting to the Internet from TOR.
Without proper precautions, the inbound and outbound traffic passing through an
exit node may not be encrypted, meaning that an exit node owner (like a spy
service) may monitor the network traffic. The mere connection to the TOR
network, however, does not help identify the request sender, since the
intrinsic TOR structure prevents it (remember, TOR is built over multiple
computer connections, so the request source cannot be traced). What can be
identified is clear data shared in the network, like personal information,
emails, passwords, and so on. Exit nodes may also reroute users to fake
websites in order to steal personal data from them, and this is one of the main
reasons why you should always prefer HTTPS connections – in case of fake
websites, you will get an incorrect certificate notification.
4.1.10.3 TOR Browser and the issues with “pre-built” products
The Tor Browser Bundle is developed by The Tor Project together with EFF,
and is the first – and often the only – step to take if you wish to immediately
interact with the Tor network. Using Tor Browser raises a problem, namely the
nature of the bundle itself: because it’s an All-in-One package, and thus a
Starter Pack, users may feel an illusion of safety, neglecting the next pages
and thinking: “Hey! Why should I bother configuring everything from scratch?
The Bundle is out there for that!” Do you know how the guys behind Freedom
Hosting (the web service that hosted many darknet sites) got arrested? Because
of vulnerabilities inside the Tor Browser Bundle. Word to the wise...
4.1.10.4 TOR, Google & CO.
Over the years, Google has created a network across its services, capable of
anticipating users’ demands and needs. Keep in mind that Google services are
almost everywhere: Browser, Operating System (Android and Chrome OS),
Account, Add-ons, Products and more. Once again, it’s not impossible to stay
fully anonymous using Google, but it’s not recommended nevertheless: it would
be better to use search engines that won’t log any IP and search data, like
DuckDuckGo or StartPage.
4.1.10.5 TOR is not idiot-proof
I beg your pardon for this part, but it was somehow necessary... How can one
expect to be anonymous if they purchase a new exploit on the Dark Net while
staying connected to their Facebook account at the same time? No, that’s not
crazy at all, since it happens frequently: for example, some Tor users perform
the two-step authentication of their accounts (using their mobile number!),
some access their mail, some register using their personal information and so
on. Now I will tell you a story of TOR abuse against Harvard University.
On December 18, 2013, a 20-year-old man, Eldo Kim, was arrested. He was
accused of having triggered a bomb alarm at Harvard University, in order to skip
some final exams. For this purpose, Eldo used an anonymization software called
TOR and a junk-mail service, Guerrilla Mail, that lets you create and send
temporary emails with no user data. The TOR software worked successfully,
hiding his operations both from the ISP and from the mail service, but not from
his University. Righty-right, the good old Eldo made a mistake: he did all his
tricks using the University WiFi connection, which can be accessed only with the
username and password assigned to each freshman in order to prevent any abuse.
A cross-check of the WiFi access data and the protocols and servers in use led
to the identification of the guy, who later confirmed the charges. In that case,
he was betrayed by his naivety: he didn’t realize or mind that he had to enter a
username and password to access the network; as with any other hotspot, those
credentials are matched with a local IP address, whose activity is in turn
stored in the logs. The man was sentenced to five years of imprisonment, with a
250.000$ fine.
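
The cross-check described above can be sketched as follows. This is an added
example, not taken from the original text or from the investigation; every
username, address, timestamp and the relay list are constructed. It resolves
each flow to a TOR relay back to the account holding the local IP lease at
that moment.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

def ts(text):
    return datetime.strptime(text, FMT)

# All data below is constructed for illustration.
TOR_RELAYS = {"198.51.100.7", "203.0.113.44"}  # stand-in for a public relay list

# WiFi login records: (username, leased local IP, session start, session end)
WIFI_SESSIONS = [
    ("student_a", "10.20.0.15", ts("2024-01-10 07:50"), ts("2024-01-10 08:20")),
    ("student_b", "10.20.0.16", ts("2024-01-10 08:05"), ts("2024-01-10 10:00")),
    ("student_c", "10.20.0.15", ts("2024-01-10 08:25"), ts("2024-01-10 11:00")),
]

# Outbound flow records: (time, local source IP, destination IP)
FLOWS = [
    (ts("2024-01-10 08:00"), "10.20.0.15", "192.0.2.80"),    # ordinary web traffic
    (ts("2024-01-10 08:10"), "10.20.0.16", "192.0.2.80"),
    (ts("2024-01-10 08:28"), "10.20.0.15", "198.51.100.7"),  # relay; IP re-leased
    (ts("2024-01-10 10:30"), "10.20.0.15", "203.0.113.44"),  # relay; much later
]

def user_at(local_ip, when):
    """Resolve a local IP to the account holding the lease at that moment."""
    for user, ip, start, end in WIFI_SESSIONS:
        if ip == local_ip and start <= when <= end:
            return user
    return None  # no authenticated session covers this flow

def tor_users_near(event_time, window=timedelta(minutes=30)):
    """Accounts with a flow to a known relay within +/- window of event_time."""
    hits = {}
    for when, src, dst in FLOWS:
        if dst in TOR_RELAYS and abs(when - event_time) <= window:
            user = user_at(src, when)
            if user:
                hits.setdefault(user, []).append((when, dst))
    return hits

if __name__ == "__main__":
    for user, flows in tor_users_near(ts("2024-01-10 08:30")).items():
        print(user, [(t.strftime(FMT), d) for t, d in flows])
```

Because local addresses are reused, the lookup is done per timestamp: the same
IP belongs to student_a at 08:00 and to student_c at 08:28.
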
I think this story is enough to make clear the message I wish to convey: it is
not just about the “stupidity”, you have to think of the possible lack of
proportionality of the penalty to the offense. Just imagine the consequences of
illegally purchasing something on the Dark Net or publishing an inconvenient
message within a dictatorship where the death penalty is still applied. Remember
that TOR is no magic, it’s just a program connecting many users to the same
network. Whether you know the programming patterns or simply have a grasp of
how it works, it’s still a tool written by humans, and it can’t guarantee full
anonymity alone. Be thoughtful.
4.2 I2P
In the Internet world, you may often hear about I2P, the alternative network
to TOR. By default, I2P won’t allow you to navigate the clearnet, the “clean”
part of the Internet, being a project specifically developed to navigate within its own
darknet. For this reason, it cannot be properly compared to TOR. First things