
How NOT to use I2P and TOR

Reading time: 5 min
Views: 74K

Or, a tale about unexpected ways of revealing users of distributed anonymizer networks.

Users of anonymous networks and browsers most likely use them to visit blocked or otherwise restricted sites. At the same time, not all of them expect the fact of such a visit to remain anonymous. If anonymity does not concern you, the rest of this article will probably not interest you.

For everyone else, please read on below the cut, where you can acquaint yourselves with the abstract reasoning of a novice paranoid about how users of anonymous browsers can be exposed.

Disclaimer

The author bears no responsibility for any attacks of paranoia you may experience while reading this publication. Nor for the accuracy of the information it contains.

Attack vectors

In this discussion we will not go into the details of how the listed networks function, nor try to break them. As is well known, even in the most advanced protection systems the weakest link is the human. So we will talk about methods that bypass the distributed protocols and exploit typical mistakes of users, of settings, or of the software itself.

By de-anonymization we will mean disclosing the user’s real IP address.

Fingerprinting

If a user surfs both the regular and the “anonymous” network with the same browser, they can easily be identified by their fingerprint. The fingerprint is captured during an “anonymous” browser session and then looked up in fingerprint databases that hold billions of entries and are kept by Google, Facebook and other organizations, including government agencies in various countries.

There are many ways to take a fingerprint, and they are all well known, so I will not list them here. Use a separate browser for surfing the “closed” Internet. And even there, it is advisable to erase the history after each use.

Ability to access a regular network

Suppose you do use a separate browser to surf a “closed” network. But if this browser retains the fundamental ability to reach the regular Internet, bypassing the “secure network”, then a site in the onion/i2p domain can use that ability to de-anonymize you by making you send a request wherever it needs. This can be done via HTTP, DNS, WebRTC, etc.

To avoid this, at a minimum use your firewall to block this browser from all incoming and outgoing connections to every IP except localhost, and on localhost to every port except the one your anonymizing proxy listens on.

You will not be able to do this if your anonymizer is built into the browser and works with it in the same process.

In addition, you must somehow make sure that under no circumstances will your browser use the operating system API to resolve DNS names, and so on.

You can check the latter by issuing a request from the address bar while watching the traffic with Wireshark or tcpdump: any DNS query or direct connection you see leaving the host is a leak.

Non-standard protocols

Besides http:// and https://, there are other protocols, and they may have their own holes. For example file:// and smb://, with which an attacker can try to force your browser or OS to send a request to an address of their choosing.

All protocols except http:// and https:// must be permanently disabled in the browser.

GPS coordinates/microphone/camera in browser

Obvious, but a very simple and stupid way to get burned.

Holes in the browser

This is a fairly obvious point, but browsers are a sieve. They need to be updated regularly. Even that won’t really save you: sooner or later a new hole will appear.

Browser plugins

Yes. Be careful with browser plugins. They may have vulnerabilities of their own. They can see everything you do and, in some cases, send data out.

Antiviruses

Your antivirus can de-anonymize you. How?

A site in the onion/i2p domain simply lets you download a unique page or file. The browser saves it to disk. Your antivirus, before scanning the file against the “billion” known viruses, may first look up the hash of this file in the antivirus vendor’s database, or in a distributed network connecting all users. And so you are de-anonymized.

OS telemetry

Yes. Your OS may well have a built-in antivirus or telemetry tools that are likewise not above collecting hashes of your files and sending them to “the clouds”.

What to do

I recommend using a virtual machine isolated from the network, which is automatically stopped as soon as unexpected traffic (anything other than tor|i2p) is detected from its IP address.

The control must be external: another VM or, better still, another physical host.

I recommend an approach based on three types of traffic from a virtual machine:

  1. Green - only access to the I2P/TOR proxy running on ANOTHER virtual machine. The VM itself must fundamentally be unable to reach the open Internet or learn the user’s external IP.

  2. Yellow - third-party traffic that was analyzed earlier and found acceptable. It must be blocked completely. Its “tolerance” only means that we do not stop the VM when it is detected, we just block it. Examples are Windows attempts to reach Windows Update or send telemetry.

    (Just in case, I’ll clarify that mentioning Windows as the guest OS here is more of a joke than a recommendation.)

  3. Red - everything else. Blocked completely. In addition, as soon as it is detected the VM is stopped immediately, and the traffic recording (kept continuously by the monitoring tools) and the state of the VM are analyzed. Based on the results, the traffic is either reclassified as “yellow” or its source/the hole in the system is identified. In the latter case, if the traffic cannot be recognized as “yellow” with certainty, I recommend rolling the VM back to “factory settings”. In general, I recommend reverting to factory settings after each use.

This VM should not be used for anything other than surfing secure networks. And be careful with the software license keys, MAC addresses and hardware serial numbers that the OS of this VM sees, because all of these can be leaked through the secure network itself without triggering the VM’s automatic shutdown mechanisms. For this reason I strongly recommend not doing any of this on real hardware.
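The three-colour policy above, as an added example that is not part of the original article: a small monitor that classifies flow records from the guest VM into green, yellow and red and stops the VM at the first red flow. The guest and proxy addresses, the proxy ports, the “yellow” network and the flow records are all assumptions constructed for the example; in a real setup the records would come from a capture on the host or on the proxy VM, never from inside the guest.

```python
"""Traffic-colour monitor for an isolated browsing VM (added example).

Green  : TCP from the guest to the Tor/I2P proxy ports on the proxy VM -> allow.
Yellow : destinations analysed earlier and judged harmless noise -> block silently.
Red    : anything else, including any DNS query that bypasses the proxy ->
         block and stop the VM so the capture and VM state can be examined.
All addresses, ports and flow records below are assumptions constructed for
the example; a real deployment feeds this from a capture on the host or proxy VM.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

GUEST_IP = ip_address("10.10.0.2")     # assumed address of the isolated guest
PROXY_VM_IP = ip_address("10.10.0.1")  # assumed address of the VM running Tor/I2P
# Default Tor SOCKS port and I2P HTTP/SOCKS proxy ports; adjust to your setup.
GREEN_PORTS = {9050, 4444, 4447}
# "Yellow" destinations vetted from earlier captures. A documentation range is
# used as a placeholder; a real list comes from your own analysis.
YELLOW_NETS = [ip_network("192.0.2.0/24")]

ACTION = {"green": "allow", "yellow": "block", "red": "block and stop VM"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed form 'TCP 10.10.0.2:51234 -> 10.10.0.1:9050'."""
    proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.upper(), ip_address(src_ip), int(src_port),
                ip_address(dst_ip), int(dst_port))


def classify(flow: Flow) -> str:
    """Assign a colour to one flow originating from the guest."""
    if (flow.proto == "TCP" and flow.dst == PROXY_VM_IP
            and flow.dport in GREEN_PORTS):
        return "green"
    # Name resolution must happen inside Tor/I2P; a DNS packet from the guest
    # means the browser or OS resolved a name itself, which is a leak.
    if flow.dport == 53:
        return "red"
    if any(flow.dst in net for net in YELLOW_NETS):
        return "yellow"
    return "red"


def run_monitor(lines: List[str]) -> Tuple[List[str], bool, Optional[Flow]]:
    """Process records in order; stop the VM at the first red flow.

    Returns the colours assigned so far, whether the VM was stopped, and the
    flow that triggered the stop (None if the VM kept running).
    """
    verdicts: List[str] = []
    for line in lines:
        flow = parse_flow(line)
        if flow.src != GUEST_IP:
            continue  # only flows originating from the guest are policed here
        colour = classify(flow)
        verdicts.append(colour)
        if colour == "red":
            return verdicts, True, flow
    return verdicts, False, None


# Constructed sample capture: two proxy connections, one vetted "yellow"
# destination, one reply packet from the proxy VM, then a stray DNS query.
SAMPLE_FLOWS = [
    "TCP 10.10.0.2:51234 -> 10.10.0.1:9050",
    "TCP 10.10.0.2:51235 -> 10.10.0.1:4444",
    "TCP 10.10.0.2:51236 -> 192.0.2.10:443",
    "TCP 10.10.0.1:9050 -> 10.10.0.2:51234",
    "UDP 10.10.0.2:53011 -> 10.10.0.1:53",
    "TCP 10.10.0.2:51237 -> 198.51.100.7:80",
]

if __name__ == "__main__":
    colours, stopped, trigger = run_monitor(SAMPLE_FLOWS)
    for colour in colours:
        print(f"{colour:6} -> {ACTION[colour]}")
    if stopped:
        print(f"VM stopped by {trigger.proto} {trigger.src}:{trigger.sport} -> "
              f"{trigger.dst}:{trigger.dport}; analyse the capture before restarting")
```

The DNS rule sits before the yellow rule on purpose: a name lookup is red even when it goes to the proxy VM, because the guest must never resolve names itself. Stopping at the first red flow mirrors the policy in the list above; the remaining records are left for the post-mortem of the saved capture.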

Cameras/microphones within reach

Cameras are a fairly obvious matter; I hope no one would think of browsing closed sites on camera. Microphones in other devices are less obvious, but still.

When you type a message on a “secure” site, this site (or a script embedded in it) can measure the intervals between your keystrokes.

Interestingly, this information can be extracted even from a protected/encrypted TCP/HTTPS user session by measuring the intervals between IP packets.

A microphone within reach (for example, in your cell phone) can do the same. On this basis one can build a special index which, by analogy with the service that identifies a piece of music playing in the background, can determine that it is you who is typing the message.

Disabling JS partially helps, but the mouse clicks made when navigating between pages do not disappear, so keep microphones away from your workplace.

P.S. Happy paranoia, comrades!

Total votes 93: ↑82 and ↓11, +71

Comments 155

Well, somehow very weak. There is the Tor browser, which makes most of this article irrelevant. And connecting a regular browser to Tor is even more difficult (for an ordinary user) than downloading a Tor browser. In general, I don’t know who this article is intended for - the average user will just go and download the Tor browser, and advanced users are already aware of fingerprints and everything else

I think that the article is intended mainly for ordinary users who download TorBrowser in order to slightly dispel the illusion of security that it creates.
Because TorBrowser does not protect against “antiviruses”, “telemetry”, etc. current from the first 2-3 points.
Do you have facts confirming the danger of “antivirus” and “telemetry”? It’s just that these two points already look like paranoia. And in general, the article describes not just “anonymous” access to the Internet, but rather, ways to hide from the intelligence services, as retold for AiF readers.
All these exercises with VM will not save you if they are already following you, and you will quickly get tired of playing Neo every time you want to go to a library site on the darknet.
Well, it seems you correctly understood the message of the article. Tor and I2P will not save you from the intelligence services. You need a huge pile of everything except... And, yes. Get bored quickly.
There are indirect signs about antiviruses. Namely, the facts of the discovery and arrest of virus authors who were tracked “through signatures”, “the details are not disclosed”.
There is no reliable information about telemetry and “clouds”. This is an extrapolation based on the fact that everything necessary to do “similarly” is there.
If you are already being watched/discovered, nothing will save you. This is an axiom.
I focused on a method that increases the chances of not being detected. Determine the directional attention to your person in time and, perhaps, clean your tails/lay low in time. And then, without a guarantee.
No one will ever give you guarantees in this matter. Most likely, I guarantee that, sooner or later, you will get caught.
And, yes. The title of the article clearly states that these are just notes from a novice paranoid.
Tor and I2P will not save you from the intelligence services.

How can they be saved? If you are not Navalny, then the special services are not faced with the task of imprisoning you. They just need to show the appearance of work - to imprison at least someone. And since they don’t know how to work and don’t like to work, they will take the path of least resistance.


If you have Tor, I2P and you encrypt traffic via VPN, then they will not arrest you, but your lazy neighbor.

Good luck with your confidence!

It looks like an improved version of the Elusive Joe principle. “You don’t have to run faster than the bear, the main thing is to run faster than the slowest one.”

Perhaps you will be arrested after all, and not your neighbor. According to the principle “an honest man has nothing to hide.” After all, you have encrypted traffic, a VPN tunnel to a foreign server, and then it turns out that TOR with I2P is definitely a terrorist. This is also the path of least resistance - arrest the most suspicious person and extract the necessary confessions from him.
Absolutely not.
It’s much easier to register a proxy for certain domains (my option), and for those who don’t understand networks, install a free browser extension.
This is also the path of least resistance - arrest the most suspicious person and extract the necessary confessions from him.

How will this bring the employee closer to his goal? It’s faster and without any problems to push the case to court and finally do normal men’s things - ride around the city in a Helicopter or do some cashing?


They choose those who are simpler, so that there is less fuss.

shadowsocks or softether ssl vpn will help you

Sorm 3 at the end of your provider perfectly grazes the use of both vpn and tor, etc. And then everything depends on the plan... Or the cops will come to you with rubber batons and you will be aware not only that porn was downloaded through VPN, but also in all the unsolved IT cases. Or the door will be taken out by heavy FSB special forces, and it’s good if you and those who live with you don’t have a heart attack... And most likely, a couple of operatives will just hang around you and find and find everything from drugs to child molestation....

You can't live in fear!


Yes, all this can happen. But if you lead the lifestyle of an obedient sheep and don’t do anything that could potentially upset the nearest predator, you will still be gobbled up, because that’s what they need obedient sheep for—to eat without problems and stress. “It’s your fault that I want to eat” - remember? Nothing has changed since then, it's still relevant.


Using a VPN does not yet violate any laws, and if such laws are passed, there will be other ways to circumvent them. So you have every right to hide your traffic from nosy neighbors, your provider and SORM - and it’s stupid not to do this for fear that someone might not like it.

Well, if you consider yourself a sheep and are trying to hide behind a fig leaf, I feel sorry for you…
What does this have to do with workarounds? By going through Sorm 3 you uniquely identify yourself... It’s stupid to hide your traffic out of fear of your neighbors, etc..
It’s easier for me to overwhelm the regulatory authorities with a huge volume of traffic and sleep peacefully, knowing full well that it will be difficult to sort through so much crap under any conditions…
“And since they don’t know how to work and don’t like to work” - some, not all.
I have come across all four options: those who know how to work and love, those who love but don’t know how, those who know how to work but don’t love, and those who don’t know how and don’t love. Which person will investigate your case is unpredictable.
If you do not trust Windows and antiviruses, then there is no point in taking risks with the VM. If you have already done something that allows you to be identified by the pauses between keystrokes, then the VM will not stop them. We buy a Raspberry Pi, break Wi-Fi there (so that the SSID is not visible), download processors only through it. A nice bonus is that when there is a knock on the door, the SD card can be chewed and swallowed.
Where is the guarantee that there will be no bookmarks in Linux, the browser, the Raspberry Pi or the keyboard? You never know…

Here they say that Linux Mint accepts the letter e instead of a password and unlocks the desktop.

I wouldn't say it's paranoia. Read about domestic sorm 3 and what it collects.
There was an article about keystrokes and microphones a couple of years ago. Israeli students seem to have made a product that allows you to restore text by sound from any keyboard.
Almost everything described was presented at various conferences in the form of finished products... Of course, no one used everything together at once, but I, for example, am not very sure that this was not done.

Read about domestic sorm 3 and what it collects.

They can collect anything. As already written above, the very fact of using IPSec, SSL, TOR or I2P is not illegal and does not lead to any “consequences”. My friend, for example, uses TOR to download stupid sitcoms with Russian translations from blocked sites. A toad is stopping him from buying a VPN, so he plays hacker. Those. TOR is not a sign of something completely illegal, but a fairly common phenomenon, especially in Russia.

There was an article about keystrokes and microphones a couple of years ago. Israeli students seem to have made a product that allows you to restore text by sound from any keyboard.


All deanonymization methods presented in this article can be divided into three types:
1. Obvious ones. You can read about them in the tips of the same Tor browser. There, for example, they do not recommend expanding the browser window to full screen so that the attacker does not recognize the resolution of your monitor.
2. Esoteric. For example, this one is about a microphone and keyboard. In most cases, such attacks only work well when the attacked computer is in the attacker's laboratory. A device that translates the sound of keystrokes into text must somehow be placed in the suspect’s room. And if there is a special services microphone in your room, then it’s too late to play Neo.
3. Paranoid. About antivirus (for some reason in quotes), telemetry and other urban legends, like “the phone’s microphone is always on, through which Google listens to you”.

To counteract this, the author suggests becoming an expert in several disciplines. Instead of the completely logical purchase of a left-handed laptop for “hacking” and other reasonable advice, the author suggests accurately setting up a VM, a firewall, writing a couple of scripts that will monitor the approach of people in black, etc. Personally, I got the impression that the author simply does not understand what he is writing about.
Apparently you haven't heard of Whonix. I just wanted to hint that even that might not be enough. Well, about the fact that if you are not an expert in some areas, you should not count on anonymity simply because you use the Tor browser.
About advice…
1. Obvious ones. You can read about them in the tips of the same Tor browser. There, for example, they do not recommend expanding the browser window to full screen so that the attacker does not recognize the resolution of your monitor.

And we get a unique ID based on the resolution; if there are millions of monitors like 1024x768, then 1047x668 is only a few. Or, every time you start, you FIRST need to change the resolution to some random one. But again, no one will make a 1600x1500 window when the monitor is 1024x768, quite an analysis.

They have been writing about the leaking of information from microphones and contextual advertising based on keywords, which was simply discussed, for many years. And yes, the microphones of all Alices are constantly on, and it even happened that Yandex wrote this stream to disk (with an attempt to excuse it as a bug and a debugging mode that ended up in production)

And generally speaking. If you are not paranoid, this does not mean that you are not being watched. At least those for whom you are a source of monetization. Corporations have long been better at surveillance than intelligence agencies, because here EVERY client means money. A customer is a product that needs to be sold.
And we get a unique ID based on the resolution; if there are millions of monitors like 1024x768, then 1047x668 is only a few. Or, every time you start, you FIRST need to change the resolution to some random one. But again, no one will make a 1600x1500 window when the monitor is 1024x768, quite an analysis.
Tor Browser opens in a window of approximately 1000x600 at startup, and you just don’t need to touch its size, and you won’t be different from all other users of this browser.

It also rounds the dimensions to 200x100 to reduce entropy: support.torproject.org/tbb/maximized-torbrowser-window
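A small calculation of what that rounding buys, as an added example that is not part of the thread. The viewport population is constructed (one common default size plus a few others, including the rare 1047x668 mentioned above); rounding down to multiples of 200x100 is assumed as a model of the letterboxing described in the linked note. It shows both the drop in entropy across the population and how much less an observer learns from a single rare size.

```python
"""Entropy of window-size fingerprints before and after 200x100 rounding (added example)."""
from collections import Counter
from math import log2
from typing import Dict, List, Tuple

Size = Tuple[int, int]

# Constructed population of content-viewport sizes (width, height). The counts
# are invented for the example, not measured.
SAMPLE_VIEWPORTS: List[Size] = (
    [(1000, 600)] * 40      # default-sized windows
    + [(1024, 668)] * 20
    + [(1047, 668)] * 1     # a rare size: a user who resized the window
    + [(1280, 720)] * 15
    + [(1366, 651)] * 12
    + [(1920, 969)] * 10
    + [(1537, 811)] * 2
)


def round_viewport(width: int, height: int, step_w: int = 200, step_h: int = 100) -> Size:
    """Round down to multiples of step_w x step_h, modelling letterboxing."""
    return (width // step_w * step_w, height // step_h * step_h)


def entropy_bits(values: List[Size]) -> float:
    """Shannon entropy of the size distribution: bits an observer gains on average."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def surprisal_bits(value: Size, values: List[Size]) -> float:
    """Bits learned from seeing one particular size; rarer sizes reveal more."""
    return -log2(values.count(value) / len(values))


def compare(viewports: List[Size] = SAMPLE_VIEWPORTS) -> Dict[str, float]:
    """Compare raw and rounded sizes: distinct classes, entropy, and the rare user."""
    rounded = [round_viewport(w, h) for w, h in viewports]
    return {
        "raw_classes": len(set(viewports)),
        "rounded_classes": len(set(rounded)),
        "raw_entropy": entropy_bits(viewports),
        "rounded_entropy": entropy_bits(rounded),
        # what the single 1047x668 user gives away, before and after rounding
        "rare_raw_bits": surprisal_bits((1047, 668), viewports),
        "rare_rounded_bits": surprisal_bits(round_viewport(1047, 668), rounded),
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key:18} {val:.2f}")
```

The interesting number is the last pair: the lone 1047x668 user is unique in the raw data (about 6.6 bits, enough to single them out of a hundred), but after rounding they fall into the same 1000x600 bucket as the majority and give away well under one bit.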
They have been writing about the leaking of information from microphones and contextual advertising based on keywords, which was simply discussed, for many years.

They have also been writing about aliens for many years, so what? There is NO evidence for these rumors. Dull journalistic “experiments” like “we talked about cats all day and in the evening we saw an advertisement for cat food” are not proof.

And yes, the microphones of all Alices are constantly on, and it even happened that Yandex wrote this stream to disk (with an attempt to excuse it as a bug and a debugging mode that ended up in production)

I don’t know about Alice, but I read that on Android it doesn’t write anything, but waits for “Ok, Google” and only after that it starts recording and sending the recording for analysis.

At least those for whom you are a source of monetization.

There is a difference between maintaining a profile and deanonymization. Google can know which brand of toilet paper a user #654918967 prefers, but why does it need to know his name? Moreover, collecting such information is illegal.
but why does he need to know his name?
Then, when he logs in on another device under his Google account, or Facebook account, or logs into his account on Habré, continue his story, and not start from scratch. To do this, Google needs to know that abcd123 is on Habré, and sergrey.ivanov@gmail.com and Ivanov1234@mail.ru are the same person.
Yes, de-anonymization is just a side effect here. In general, I looked at my profile that Google created for me... it turned out quite accurately.
In general, I was looking at my profile that Google created for me


Tell me, how can I watch it??

Thank you! I read my work profile - it turns out I’m 15..20 years older, I love movies and TV series (I hate it), I’m interested in beaches and islands (I haven’t been), SEO (never), railway transportation (from where ?), dance and electronic music (suddenly), and then - about IT (this is for work). This is probably due to the fact that at work I am logged into a “service” account, which is constantly used by 2-3 people, but with age it’s completely gone - we don’t have pensioners working for us.

I think that I will not be much mistaken if I say that due to the fact that several people use the account, there is a certain diversity of interests, which is typical for older people who have more free time.
Recently, on Habré there was a translation of an article by one of the journalists of a human rights publication. The author of the original text requested a dossier on his identifier from the US NSA and found out that he had been qualitatively de-anonymized in violation of several norms of the criminal law of several states. “WTF” requests addressed to the culprits received unsubscribes or ignored.
You apparently didn’t manage to read what sorm 3 is. It doesn’t separate legal from illegal, and doesn’t check what software you have…
The main task is to obtain a fingerprint. And I very much doubt that all your hardware goes only through a random VPN…
The main task is to obtain a fingerprint.

But how? They cannot open encrypted traffic. Behind my router are six computers, several phones, a TV and a couple of consoles. And from three to five users. Fingerpint of what they'll get?

And I very much doubt that all your hardware goes only through a random VPN…

Why "random"? I bought a commercial VPN with servers all over the world, but I most often use three countries. In them, as far as I remember, servers are selected based on load level.
Well, this already looks like naivety
Does TorBrowser write the contents of pages to disk??

If it’s not easy to go through the torus to the root tracker, then it is logical to have a separate laptop + router, the torus rises on the router and no matter what the laptop does, it does not get into the network directly. The laptop should only write to the ramdisk, if suddenly a mask show - click the battery and thank you all.

An attack through a mobile phone and its microphone is too targeted.
Example. Google receives 63,000 queries per second. Total users 4 billion.
Let the error in determining a click on the phone be 1 second (this is not important, just a little more or less clicks will be needed).
One click - 63,000 users are highlighted.
Based on the correlation of two clicks, the circle narrows to about a thousand users.
By correlation of three clicks, you can be identified among 4 billion Google users.
Still think that the attack is specific, and believe that no one is using it yet?

Let me warn you right away that these calculations are a spherical horse in a vacuum. It only works if you know a priori that the user clicks on Google. In reality, you need to highlight the user among all traffic on the network, not just Google, and this will require about 10 clicks.

The option that the microphone on the phone is blocked via XPrivacy is not considered?


In general, if you allow spying microphones to be used near you, you will get burned much earlier than you do something “anonymously” on the Internet - even at the stage of thinking through and discussing plans to do it. :)

The first is the issue of trust in XPrivacy, etc. It automatically implies trust in the Android OS, which does not exist.

Secondly, you are right. I indicated this here solely so that users remember this and do not allow)
There is trust in Android, the kernel is built from source, there is nothing suspicious in framework.jar, because it decompiles well and modders have hacked it up and down.

Unfortunately, there is no trust in the firmware and processor of the modem. It has its own closed axis, which has full access to the hardware, and there is no way to look into it at all - no logs, no debug access. It is only known that it weighs a hundred or two megabytes, this can be seen from the firmware modules.

But here the attack turns out to be too specific. One user has Samsung, another has Honor. If there are backdoors in the firmware, no one has a complete database of all backdoors.
The core is simply excellent. Try working with the bare Linux kernel sometime in your spare time... Without modules, without a repository, and mind you, without a network and other nonsense... In Android too.
Most device modules are proprietary, and many even have closed documentation. Google software is also not particularly open (naked Android is not a particularly edible animal).
HTC uploads the sources, everything from them is assembled normally with modules. There is some kind of 'magic' there, because of which the kernel you assembled will not be able to work with other people's modules, so you are forced to post the source code of the modules too.
Htc publishes the sources of their add-ons and the open part of the android. But all drivers, for example for qualcomm, are proprietary. Like everything related to the graphics system, modems, etc. similar for most manufacturers. The same AMD and Nvidia do not have open source…
I looked at the source tree and the firmware file tree.
Large closed modules are WiFi and exFAT from tuxera.
There are also some small Qualcom *.ko, but literally 20-30KB.

Working with the modem is /system/vendor/lib/libril-qc-*.so, a closed component, but in userspace.
To be honest, I don’t understand the algorithm for such an attack at all..

Like, for some reason I go through the torus to Google and type in the search bar “you can’t catch me”.

At this time, my phone is nearby, listening to all the noises with a microphone and sending them to Google so that Google can recognize “ok Google” (it doesn’t do this, I know, but theoretically it can).

Google somehow correlates this search query (even if it’s 10 queries) and the clicking of the keyboard (unknown to it) and links this query to a Google account, so?

How can such an attack, even IF it is possible, connect me with the Russian hacker who hacked the Pentagon??
A user makes on average about 500 mouse clicks per day. That's about 0.005 clicks per second from one user.
Correlating one click with an accuracy of up to a second gives you approximately 7 bits of information necessary to identify the user.

Let's say a hacker made 32 requests more than a second apart during a hacking attempt. Let's assume that 10 of them were initiated by a mouse click.

Let’s assume that all users’ phones are lying on the table, in addition to OK Google, they also passively collect information about mouse clicks. Let's assume that only a report with click timestamps for the day is sent to Google in the form of telemetry. Let’s assume that this may not be done by Google itself, but by a messenger/other application installed on the phone..

From the global flow of information about clicks, sections corresponding in time to all 32 requests that were part of the attack are identified.

Find the device that occurs the maximum number of times in these ranges.

If the number of clicks found is 5 or more, we have a suspect. If it is 10, then this is almost a guarantee that the phone was near the attacker at the time of the attack. This is a trace that needs to be further developed using other methods..

All this, of course, must also be normalized to the total number of events from a specific device. In case, suddenly, the unfortunate owner of the found phone played Diablo II as a paladin during hacking.
You are proceeding from the premise that the attacker at the computer next to the phone is only engaged in hacking and, having completed it, stops activity on the computer. There is no reason for this. Now, if we have many facts of activity on different days, then we can try to compare. But you need to be absolutely sure that all this activity is caused by one person. And it’s hard for me to estimate how many activity facts are needed.

Further, there is not an infinite number of applications. And if the conditional Alice works for the FSB, then this database will eventually be used by everyone (see punching services). If some unknown flashlight “knocks”, then the problem arises of reaching the audience with this application. For this reason, I am extremely suspicious of services in which you can watch/download only through a specific video player or application carefully laid out.
There are no prerequisites that you mentioned. Only the number of correlations needed for identification depends on the user behavior scenario. Of course, the more scattered events are in time, the more bits of information we can get from each. The more events come from the device, the less. But some information, 1-3 bits per event, can be obtained even in bad cases.

If you simply forget about possible bookmarks in the OS or Firmware, which is really not worth doing, and focus only on applications, then you need to look towards frameworks for integrating advertising or in-app purchases into applications for third-party developers.
I wrote above that the problem of restoring text from the sound of keyboard keys was solved and presented as a finished product at one of the conferences in the form of a working software product, not a prototype.
Do you need to train the algorithm for a specific keyboard and a specific environment (desk, room), or will it work right away under any conditions? If you need to train, how much data is needed for training and where will the attacker get it from??
No need to train... It’s based on something built on identifying bigrams and trigrams
I mean, the program listens not to the sound characteristics of specific buttons, but to the manner in which certain words are typed by a certain person? Then it should be trained not according to hardware, but according to man.
Yes, everything is simple there, install the Tor browser, install Vidalia, register the paths, install the proxy extension in the browser, add 127.0.0.1:9050 and sites that should go through Tor to this extension, and everything works
If I'm not mistaken, the nuance is that all Tor browsers leave the same fingerprint.
A couple of years ago, under this same whonix, my multi-account was burned on one forum. Maybe, modern tor is more advanced.
What kind of forum is this? They could have burned based on some more obvious signs, like speech patterns and the like..

4yeah ;)
Maybe. I just forgot the password for the first account, and the mail was one-time, and they burned it on the second message. Either there is a great psychologist there as moderators, or something was still leaking.

You may be the only user who has accessed the forum via TOR in the last month. Then it’s clear - if the new account came through TOR again, it means it’s you again.
How can you be sure of this??
I came across on sites, who analyzed my browser and told me how unique it was. You can look for them. But here you will have to trust the creators of these sites. What if they are THEY and their task is to create an illusion of safety for you?
Are there ways to make this very fingerprint less unique??
It would be nice if such sites gave advice based on statistics.

For example, your user-agent: Firefox/83.0 occurs in 2% of users, it is recommended to upgrade to Firefox 85 to increase this number to 7%.
You can see, for example, here: coveryourtracks.eff.org
About two dozen parameters that are used for fingerprinting are shown. It’s hardly enough to be sure, but you can get some idea.
connecting a regular browser to the torus is even more difficult

This is what I do: Proxy SwitchyOmega and Tor in a console.

Console, that is, the window is always visible? If so, it is better to run it as a daemon/service.

The Tor browser has telemetry enabled, which sends it to Mozilla. You can check it yourself. Why security specialists don't write about this in top reviews is unclear.
Here is an example of articles about telemetry in FF
spy-soft.net/firefox-anonymity
optimakomp.ru/kak-otklyuchit-vsyu-telemetriyu-v-browzere-mozilla-firefox
I even specifically downloaded the current Tor browser and checked whether telemetry was enabled there. So, it's turned off and you can't even turn it on: the option is locked to false.

Just type "telemetry": there are about 20 more items enabled.
I got it with some recent update
devtools.onboarding.telemetry.logged - was enabled
What exactly does this setting do? As the name suggests, developer tools telemetry. And you use the debugger in Tor?
And by the way, the enabled options don't mean anything by themselves..
The feature and functionality have been removed, but the options have not been removed from settings, in order to minimize the patch applied on top of the main branch when preparing Tor Browser.
Do you want anonymity? Then use specialized OS. There is no anonymity on Windows and there never will be.
Are you sure that Linux has it?
Are you sure that there are no other Linux distributions besides Ubuntu, including ones tailored to the problems in the article (Subgraph OS, Tails, etc.)?
Linux is much more manageable; if you need to find who is sending what where and disable it, this is not too big a problem.
I had some experience in this regard. Not long ago I happened to spend the winter in the far south, where for 20 people the Internet was 64 kilobits through two proxy servers, accessible from six computers: the station manager's, the radio operator's, the system administrator's (mine) and three "public" ones.
Several people asked me to connect to Sberbank Online from my phone once a month to make sure payments were on time, for this I raised the access point on my Linux laptop.
The situation with a regular phone - a person connects, traffic starts - Google, Amazon, Yandex, etc., the Sberbank application just hangs, after 3-4 minutes packets appear on the Sberbank server and the application begins to respond to input.
On my phone - Lineageos + firewall - GoogleServices - after connecting to wifi there is silence on the interface. On the laptop - the same picture.
A similar situation happened in the port after a month in the open ocean without the Internet. People buy local SIM cards with an Internet package of 100-200-500G and do not have time to send a letter because everything is consumed by the phone/Windows on the laptop.
On a laptop with debian - silence on the interface.
This is also possible in Windows, in 7 at least. A firewall with the ability to block application access is enough... And on regular Android you can use AdGuard.
On Windows, telemetry is not at the application level. Look at the outgoing traffic with a configured firewall (not even built-in, but from a third-party manufacturer).
Adguard without root is also of little use.
On Windows, telemetry is not at the application level. View outgoing traffic with a configured firewall

Those. does telemetry bypass the firewall? Where can I read about this? I couldn’t find anything on this issue; on the contrary, I found manuals on how to block telemetry using a Windows firewall.

and a third party manufacturer

Many "third-party" firewalls are simply a pretty interface over the Windows one. What programs are we talking about exactly? What third-party firewall is it that cannot block telemetry?
A more or less convenient add-on over the built-in Windows firewall is . I know that the third-party Comodo does not block telemetry (we looked at the traffic on the perimeter). A firewall on the perimeter will definitely save you, but you need to be careful, because the functionality of things like Skype may be limited.
Comodo does not block it because, by default, it considers everything signed with a Microsoft certificate trusted. But this can be changed in the settings.
It's a bit strange and stupid to use Windows for such purposes. It's even stranger to use a Windows virtual machine for such purposes.
I think that from the transparent hints about telemetry and built-in antiviruses, it is clear that the use of Windows on a VM is shown purely as an example of running “untrusted software in a sandbox” which, however, will not lead to dire consequences. Well, a little banter and subtle humor.
Obviously, it is better not to use Windows, MacOS, Android and iOS for such purposes at all.
The author subtly hinted about Windows; read the word "joke" carefully.
Here I should note that I added the remark about the "joke" to the article after that comment about Windows, because it became clear that the humor turned out to be "too subtle".

There are Linux builds for a virtual machine, for the server and for the client from which you surf. For VirtualBox. I wonder if this solves the problem? It works on Windows.

On Linux with X there is also an option to build an image for Docker.
Tails in a virtual machine will probably be a little more reliable than Tor Browser.
Fingerprinting
I wonder how? Most people use the tor browser, which has javascript disabled by default. And those who installed Tor manually and independently configured the browser to work with it - there are not many such people and they themselves must be aware of what they are doing.

This can be done via HTTP, DNS, WebRTC, etc.
Well, how exactly?
HTTP: only if the author of the onion site is a fool and has built Google Analytics into the HTML (or did not remove it from the off-the-shelf engine).
DNS: the SOCKS5 protocol has the option of resolving names through the proxy itself, which is enabled by default in the Tor browser.
WebRTC - doesn't work without js.

I can describe for each point where the author is wrong. It feels like the article was written by a person who doesn't know how Tor works, how websites are customarily made in Tor, and who generally doesn't know how a regular (non-anonymous) browser ensures security.

The only two normal arguments are "Holes in the browser" and "Browser plugins". This is really the problem.

In general, in recent years I have noticed a large amount of conspiracy theories around Tor growing out of people's ignorance. Many times I have come across the opinion that "Tor is a trap for criminals", "Tor is all burned", "Tor is full of holes". And every time I ask a person about specific vulnerabilities of Tor and ask them to describe their technical problems, it turns out that the person does not understand Tor at all and his opinion is formed by some rumors on the Internet.

The reason for deanonymizations in Tor is not that it is "leaky" but the human factor. The article is bad and is, at best, a pick-me-up. The hub requires technical details of each vulnerability. And the context in which the problem is considered is important: using the default Tor browser in a bare Linux virtual machine, or using Yandex Browser under Windows with Kaspersky.

Six months ago, every fourth Tor exit node was malicious.


Redirection from https to http was enabled on the servers they controlled. Now the probability of hitting a malicious node is about 10%.


You can read about it here https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac

Most people use the tor browser, which has javascript disabled by default.


And most sites don't work without javascript.
And most sites don't work without javascript.

And they require a phone number for authorization :)
Here everything depends on the context: why is anonymity needed in the particular case?
But in general, even with js enabled, you can configure the browser so that as little information as possible is leaked. Using noscript, you can allow content and JavaScript to be loaded only from the domain you are visiting. And all sorts of Google Analytics and other trackers will be cut off.

In general, visiting sites on the open Internet through Tor is not advisable. The Tor browser is more designed for visiting onion sites, but they work fine without js.
Using noscript you can allow loading of content and JavaScript only from the visited domain.

on half of the sites, JS libraries like Bootstrap, jQuery and other things are loaded from CDN to speed up page display

In general, visiting sites on the open Internet through Tor is not advisable. The Tor browser is more designed for visiting onion sites, but they work fine without js.

Who said? Tor is mostly used for ordinary sites and it works well with them, but i2p is more tailored for hidden resources
HTTP: only if the author of the onion site is a fool and has built Google Analytics into the HTML (or did not remove it from the off-the-shelf engine)
Don’t forget that the FBI hacks tor sites and infects them with Trojans to de-anonymize visitors. Therefore, the tor site cannot be trusted.

And the fingerprint works not by the contents, but by your actions... Track the sequence of which sites you visit and what the pauses between them are…

js scripts (for example, the most popular fingerprintjs) that form a fingerprint do not have access to the history of pages, much less the timing of their visits.
Don't some of the paranoid cut out Google Analytics at all levels? (/etc/hosts, uBlock, uMatrix)
A unique approach, and what next? When you close the browser, the cookies are erased.
That is, to carry out an attack, it is necessary for the user to go to two different underground sites in one session, Google Analytics should be installed on both sites, after which the administrators of these sites will be able to link this user into one?
In the latest version, cookies, by the way, are not saved by default. At all. Even within one session. You need to manually add sites to the white list…
Yes, I was surprised myself. I went to habr.com, ya.ru, google.com, then about:preferences → Privacy → Manage Data, and there was nothing there…

There is also a message there: In permanent private browsing mode, cookies and site data will always be cleared when Tor Browser is closed.
No, I do not suggest installing uMatrix in tor browser.
I say that I cut out domains like
www.google-analytics.com
www.googletagservices.com
pagead2.googlesyndication.com
an.yandex.ru
mc.yandex.ru
counter.yadro.ru
...

in all possible ways, from /etc/hosts to extensions. Specifically in the Tor browser they can be killed with a proxy.pac file.
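As an added example for the proxy.pac approach mentioned above (example code, not from the original page or the commenter): a PAC file that routes everything through Tor's local SOCKS port and black-holes the tracker domains from the comment, generalized to their parent domains so that subdomains like pagead2.googlesyndication.com are caught too. The black-hole address 127.0.0.1:1 and the suffix-matching rule are assumptions.

```javascript
// Added example, not from the original page: a proxy.pac for a Tor-only
// browser profile. Everything goes to the local Tor SOCKS port; requests to
// the listed tracker domains are sent to a black-hole address instead.
// The black-hole address and the suffix rule are assumptions for illustration.

var TOR_SOCKS = "SOCKS5 127.0.0.1:9050"; // Tor's default SocksPort
var BLACKHOLE = "PROXY 127.0.0.1:1";     // nothing listens here, so the request fails fast

// Parent domains of the hosts listed in the comment above; subdomains are blocked too.
var BLOCKED_SUFFIXES = [
  "google-analytics.com",
  "googletagservices.com",
  "googlesyndication.com",
  "an.yandex.ru",
  "mc.yandex.ru",
  "counter.yadro.ru"
];

// True when host equals the suffix or ends with "." + suffix.
// A plain "ends with" test would also match "notgoogle-analytics.com".
function hostMatches(host, suffix) {
  host = host.toLowerCase();
  if (host === suffix) return true;
  var tail = "." + suffix;
  return host.length > tail.length && host.slice(-tail.length) === tail;
}

// Entry point the browser calls for every request.
// Never return "DIRECT" here: a DIRECT fallback is exactly the "ability to
// access a regular network" leak the article warns about.
// Never call dnsResolve()/isResolvable(): they make the browser do a plain
// DNS lookup outside Tor.
function FindProxyForURL(url, host) {
  for (var i = 0; i < BLOCKED_SUFFIXES.length; i++) {
    if (hostMatches(host, BLOCKED_SUFFIXES[i])) return BLACKHOLE;
  }
  return TOR_SOCKS;
}
```

Two checks worth making on any PAC used with Tor: it must never return DIRECT, and it must never resolve names itself. Whether Firefox sends DNS through the SOCKS proxy at all is separately controlled by network.proxy.socks_remote_dns, which Tor Browser sets to true; a PAC does not change that setting.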
by installing an extension not included in the package
By the way, how can a site find out the list of installed extensions?
This is where, as they say, you burned yourself
Killed analytics domains = burned? Or did 1 bit of entropy appear in exchange for the loss of the 10 bits that the analytics scripts would collect?
So you don’t mind using your own domain, let it collect repeat logins.
It is important not to be associated with logins on other domains, and this can only be done by global systems like Google and Yandex analytics.
run “new identity” between transitions to different sites and nothing will link
1. A fingerprint is not an attack.
2. What's on your side in terms of technology doesn't affect anything at all.
3. It is a fingerprint because it is a unique property of the subject, and not of his computer and browser…
4. Absolutely all people have completely different ways of constructing figures of speech, different associative actions, and, from the point of view of the Internet, they visit different sites in a certain sequence; this is an imprint. You can only get rid of it by completely restructuring your brain and becoming a different person…
1. A fingerprint is not an attack, but taking a fingerprint is an attack that you can defend against (successfully or not is another question, but it is possible). For example, placing a pebble in a shoe to change the “imprint” of the gait.

2, 3, 4. We are not talking about the "fingerprint" of a person, but about the fingerprint of the browser/OS. Why are you replying in this thread if you want to talk about another topic?
The author forgot to mention correlation attacks on Tor and the like.

Are there any examples of using Yarovaya for such purposes? Not “they saw one IP -> looked to see who else connected to it,” but correlations.
Theoretically, with the help of additional servers, this problem can be solved by creating a communication channel that consumes a fixed amount of traffic. Let's say a megabit there and a megabit back. Constantly. Then, before exiting this channel, extract useful information by discarding noise. Has anyone come across such a ready-made solution? Such a channel in itself will be suspicious, but if you create it in advance, it will be difficult to guess what events it is connected with.

A ready-made solution is a torrent client. Consistently eats 100 megabits in both directions, allowing you to browse and watch videos in the background. If the traffic is wrapped in a VPN that is not connected to Yarovaya, I will see a stable 100 Mbit in both directions, but it is impossible to understand how the traffic disperses further.

Can't you tell by the size of the packets? For example, typing in a terminal is a group of short packets. A torrent can push packets that are mostly filled to the maximum. However, you need to check whether the VPN merges packets.
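As an added example for the two comments above, on a fixed-rate cover channel and on telling typing from bulk transfer by packet size (example code, not from the original page or the commenters): constructed traces, a naive size/timing classifier, fixed-size cells, and a constant-rate scheduler that emits a cell in every slot whether or not there is data. Trace contents, the 512-byte cell and the 100 ms slot are assumptions for illustration.

```javascript
// Added example, not from the original page. A trace is a list of
// [timestampMs, payloadBytes] pairs as a passive observer would see them.
// Both traces are constructed for the example.

// Interactive terminal session: one keystroke per packet, human pauses.
const TERMINAL = [[0, 1], [180, 1], [420, 1], [650, 3], [1300, 1], [1510, 1]];
// Bulk download: MTU-sized packets back to back.
const BULK = [[0, 1400], [1, 1400], [2, 1400], [3, 1400], [4, 1400], [5, 1400]];

const CELL = 512; // fixed cell size (assumption; Tor's own cells are also 512 bytes)

function meanSize(trace) {
  return trace.reduce((sum, [, bytes]) => sum + bytes, 0) / trace.length;
}

function meanGap(trace) {
  let gaps = 0;
  for (let i = 1; i < trace.length; i++) gaps += trace[i][0] - trace[i - 1][0];
  return gaps / (trace.length - 1);
}

// Two deliberately naive classifiers an observer could run on the tunnel.
function guessBySize(trace) {
  return meanSize(trace) < 256 ? "interactive" : "bulk";
}
function guessByTiming(trace) {
  return meanGap(trace) > 50 ? "interactive" : "bulk";
}

// Split every payload into whole fixed-size cells, padding the last one.
// Timestamps are preserved, so this hides sizes but not timing.
function toCells(trace, cell = CELL) {
  const cells = [];
  for (const [t, bytes] of trace) {
    const n = Math.ceil(bytes / cell);
    for (let i = 0; i < n; i++) cells.push([t, cell]);
  }
  return cells;
}

// Constant-rate channel: exactly one cell per slot. A real cell goes out if
// one is waiting, otherwise a dummy cell of the same size. Only the endpoint
// knows the "data"/"dummy" label; the wire shows time and size alone.
function constantRate(trace, { cell = CELL, intervalMs = 100, durationMs = 2000 } = {}) {
  const queue = toCells(trace, cell);
  const out = [];
  for (let t = 0; t < durationMs; t += intervalMs) {
    if (queue.length && queue[0][0] <= t) {
      queue.shift();
      out.push([t, cell, "data"]);
    } else {
      out.push([t, cell, "dummy"]);
    }
  }
  return out;
}

// What the passive observer gets: timestamps and sizes, nothing else.
function observerView(shaped) {
  return shaped.map(([t, size]) => [t, size]);
}
```

Run as written, the size classifier separates the two traces, padding to cells defeats it but the timing classifier still does, and only the constant-rate channel makes the observer's view of the terminal session and the download identical. The price is visible in the numbers: throughput is capped at one cell per slot (about 5 KB/s here), and the channel itself is still visible, which is the point the comment above makes about creating it in advance.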

obfsproxy, for example.
I2P fullfeed
I use the following scheme:
The Tor browser on the host additionally listens to the port on the IP of the virtual adapter from the VM. In the VM, the Tor launcher is disabled in the Tor browser (it turns out a Tor browser without Tor), and the IP of the virtual adapter is specified as a proxy. Windows in the VM does not have any access to the network, except for the above proxy.
I would like to know the disadvantages/vulnerabilities of this scheme.
This is a very good scheme. Much better than just using the Tor browser.
However, there is a risk of using a browser hole. In this case, due to the fact that you may not detect in time that this happened and fail to stop the VM, the attacker will have time to analyze the environment and download an exploit for your hypervisor. External traffic control with VM stopping is needed precisely to prevent this scenario. But even he does not give a guarantee. Just increases the chances.
Well, just in case, remember that your mouse clicks may end up in the telemetry of not only the guest OS, but also the host.
I understand correctly that someone can match the host's clicks with the guest's and thus link them?
But on the guest OS nothing was configured for the proxy, except for the Tor browser. If only the telemetry is so smart that it can detect the proxy itself and start transmitting through it…
It is possible to correlate host clicks with requests to a hacked onion site. It will not matter what you have configured on the guest OS.
Therefore, the host should use an OS without telemetry? By and large, I don't care what OS it is, as long as it brings up the proxy to Tor. What about Linux-based OSes?

And I understand that we are being extremely paranoid here, but should this someone have access to both telemetry (in this case, carte blanche from Microsoft) and the site? It must be someone very powerful, for him I am Elusive Joe.
I believe that the host OS should not have network access. And this OS must be rolled back to its initial state after each use. Ideally, boot from a read-only device.
Tor must be run on a neighboring physical machine or in a VM running there.
This scheme not only prevents leakage of host telemetry, but also provides additional protection against exploits of the VM hypervisor.

This, by the way, is the recommended scheme for using Whonix.
How exactly do you recommend implementing this external traffic control?

To bypass blocking, it makes sense to set up a Tor server and use SwitchyOmega to redirect the necessary domains to Tor through a regular browser.
To ensure anonymity, install Whonix and do anonymous things there. There is little risk due to speculative execution vulnerabilities, holes in virtual machines, and potential bugs from the Whonix authors. But, as far as I understand, this option covers everything described in the article..

Whonix, this is a very good option if it works in conjunction with two computers. You described the risk absolutely correctly. If the VM insulation breaks, the equipment ID may leak. What it lacks is a mechanism for rapid response to intrusion/parasitic traffic.
Well, you can still track clicks if your phone is nearby. Built-in randomization of keyboard/mouse event timing makes this very difficult, but does not prevent this. Simply, it will take longer to collect data.
It's good that there are laptops with touch screens and on-screen keyboards.
I'm sorry if my publication offended or upset you in any way. I honestly tried not to offend anyone anywhere, and not to offend anyone. I would be glad to see the same in response from commentators.
As for the prosecutor’s office... I would actually be glad if the “prosecutor’s office” carried out an inspection and confirmed/refuted assumptions about antiviruses, telemetry, and de-anonymization via telephone. After all, this way you can track users not only in anonymous networks, but everywhere in general, and if this is true, this is a big security problem.
You need a router with a normal firewall (MikroTik), a local virtual machine and a foreign virtual machine with a Tor bridge installed, wrapped in obfs4
We create a new bridge on the router, attach a separate network to it and block everything with a firewall except the IP address of the foreign virtual machine
We connect to the created bridge, launch a local virtual machine, install Tor and connect to the Tor bridge on a foreign virtual machine

In this scheme, no included antiviruses, telemetry, plugins or vulnerabilities are dangerous.
You will simply be burned by the MAC address of your MikroTik.
In MikroTik it is very easy to change the MAC address on any interface. Done with one command in the console.
Like many other things that will have to be hidden/changed in this scheme for it to work.
The idea is clear, but in fact it's simply similar to the scheme with two virtual machines, a controller/host like Whonix, only for some reason you stuck an extra part in the middle in the form of a MikroTik, thereby creating a new attack vector, and bought the wrong hosting from some shady company, which also lacks trust, thereby creating a threat.
You can simply buy hosting from WhoNix for cryptocurrency and use it as a personal VPN server, connecting only through a VPN over TOR. At the same time, there should be zero trust in the hosting.
My scheme with MikroTik and a foreign virtual machine makes it possible to use any convenient operating system, not just WhoNix, and at the same time not reveal your real IP address
MikroTik performs only one function - it drops all packages, except those that flow to a foreign virtual machine. No new attack vector has been created here.
In your scheme with WhoNix, your Internet provider is already aware that you are using Tor. With my scheme, no one except the hoster of the foreign virtual machine knows.
Which is better: when your Internet provider knows about it or when a foreign hoster knows about it? :)
Also, I don’t see anything wrong with buying a foreign virtual machine through Clearnet on your own behalf, because the country from which you access Tor does not know that you are accessing Tor.
except for the hoster of the foreign virtual machine

In this case, the foreign hoster not only knows that you are using Tor, but can also de-anonymize you. This is orders of magnitude worse.
The foreign hoster knows my real IP address and that I use Tor through its virtual machine.
The Internet provider knows the same thing, but also much more: MAC address, passport data (specified when concluding the contract), physical address and sees all traffic in general.

The likelihood that a foreign hoster will start writing to a Russian "comrade major" is much smaller than the likelihood that an Internet provider will do so.
You also need to take into account SORM, which mirrors all the traffic of subscribers of the Russian Internet provider, which, perhaps, stores all the information about those who use “bad” programs.
Apparently, you don’t travel much if you think that you can do things through foreign hosting, leave a mark there, and nothing will happen to you for it.
As soon as you find yourself in the jurisdiction of this hosting, you will immediately understand where the error is..

So, what about Tails, which is simply installed on a flash drive and launched only from it? Paired with Tor.

You know, often the defendants give themselves away. For example, go to your Facebook page through a secure connection, while at the same time “walking” somewhere else.
But I’m not an expert, I’m speaking purely from the point of view of the layman.. :)))

It is worth using a separate browser to surf the “closed” Internet

In the case of fingerprinting, using a "regular" (that is, without additional protection) browser will not help you in any way. And even using a virtual machine will not help, because at least part of fingerprinting (canvas, for example) happens at the hardware level. You can test it somewhere here.
The solution is to use something that can prevent fingerprinting (Tor Browser, extensions that intercept and replace IDs via js, antidetects, etc.).

This can be done via HTTP, DNS, WebRTC, etc..

Therefore, it is better to disable WebRTC and other things that are not particularly necessary, completely.

In general, everything has long been invented, there is Whonix, there are other tools in which most of the vectors described in the article are provided.
In the case of fingerprinting, using a "regular" (that is, without additional protection) browser will not help you in any way. And even using a virtual machine will not help, because at least part of fingerprinting (canvas, for example) happens at the hardware level. You can test it somewhere here.
Didn't understand. I opened this page from 3 browsers (ff, edge, chrome) without any protection and got completely different things in the hashes section! I opened the tor browser, and not a single hash matched these three. Is it that for dark things it’s enough to use another browser, like Opera, and that’s it, no fingerprinting works?

I conclude that all these hashes are non-working horror stories.
Look not at the hashes (which are ubercooks and so on, this is like the total value of everything together), but at the value of canvas, audio and fonts. The first two metrics are hardware metrics, the third is the fonts installed on the system. More accurate data can be obtained by running an advanced test.
Perhaps you have some kind of protection that replaces canvas and so on; then during a full test it will detect the substitution and write "fake canvas detected".

The only place where this fingerprinting does not seem to work is on Macs. For some reason there are different values everywhere from different browsers, including the hardware metrics.

Tor Browser does have protection against tracking via canvas and so on. But there are other fingerprints that are not represented in the test; I don't know if Tor has protection against them.
It’s strange, at least my canvas matches, if you don’t replace it separately.
Look not at hashes (which are ubercooks and so on, this is like the total value of everything together), but at the value of canvas, audio and fonts
What should I see there? On Canvas, some picture is drawn, and at the bottom there is the inscription “hash”, which does not match in all browsers. Audio has only 2 values, hash and summary, which are also not the same in different browsers.
And fonts are generally funny. Firefox shows: Fonts(182), Chrome: Fonts(328). And what conclusion can be drawn?
Perhaps you have some kind of protection that replaces canvas and so on
No, standard browsers. I'm not interested in extensions, only uBlock/uMatrix. On Edge and Chrome I don’t even have that - I only use these browsers to see how the page works in them.
It’s strange that it doesn’t work for you, my hashes are the same, at least fonts between chromium browsers and canvas, which even matches between the host and the virtual machine (though I haven’t checked between Chrome and FF). Audio matches between chromium browsers (e.g. Vivaldi and Chrome), but doesn't really match with FF.