[hackerspaces] SpaceFED

Ward De Ridder 42 at warddr.eu
Tue May 29 12:40:45 CEST 2012



On 28-05-12 22:15, Moritz Bartl wrote:
> Also, we should be the ones educating people about this as well.
> Most of us are used to not trusting their upstream, and instead
> tunnel using VPN or even Tor.

Just a side note, but Tor doesn't add security, it even takes security
away.
Tor is designed to bypass government firewalls and things like that;
this doesn’t have anything to do with security, but everything to do with
browsing the web anonymously. Those are two completely different things.

The traffic from Tor to Tor relay is secured, so no problem there, but
unencrypted data leaves the Tor endpoint. As everyone is allowed to
host a Tor endpoint, this is not secure. I'm quite sure that if I'd
start a Tor endpoint and let it run for a couple of hours, and log all
messages containing a POST value with the name password or passwd or
pass, I'd have hundreds of passwords of hundreds of different HTTP
websites.

I should actually do this once (not to store and abuse the passwords,
but just to generate some statistics and show everyone that Tor isn't
a solution to your security issues).
I'd rather send my password using a public hotspot at McDonald's than
send it using Tor (if HTTP is used; with HTTPS I feel quite safe doing
it either way). To get passwords at McDonald's you'd have to leave your
house and go there, but in order to harvest passwords from Tor you
don't even have to leave your comfortable couch at home.

This being said, I don't accuse anyone of actually doing this, and I
know there are a lot of hackerspaces with Tor endpoints. I don't
believe they do things like this, but if you make a connection using
Tor you get a random endpoint (that changes every couple of minutes),
and that can be anyone who installed Tor and uncommented some lines
in the config that tell Tor it can be used as an endpoint.

Ward

