MetaFilter posts tagged with privacy and anonymity

"Leaving no trace [of our daily lives] is nearly impossible."

amyms — Sat, 16 Feb 2008 00:14:48 -0800

The Anonymity Experiment. Is it possible to hide in plain sight? Privacy-minded people have long warned of a world in which an individual’s every action leaves a trace, in which corporations and governments can peer at will into your life with a few keystrokes on a computer. Now one of the people in charge of information-gathering for the U.S. government says, essentially, that such a world has arrived.

Amazing discoveries in plain-text Tor exit traffic.

Anything — Tue, 04 Dec 2007 18:04:45 -0800

This is an ironic tale of the consequences of inept application of cryptographic tools. Or is it? Dan Egerstad, a Swedish hacker, gained access to hundreds of computer network accounts around the world, belonging to various embassies, corporations and other organizations. How did he do it? Very easily: by sniffing exit traffic on his Tor nodes. Egerstad ran exit nodes on the Tor anonymity network, used as links from the network to the rest of the world. He looked at the traffic going through his nodes and found that many users were logging in to sensitive accounts without using end-to-end encryption. From the Sydney Morning Herald article:

After a couple of months sniffing and capturing information, Egerstad was faced with a moral dilemma: what to do with all the intercepted passwords and emails. If he turned his findings over to the Swedish authorities, his experiment might be used by his country's intelligence services to continue monitoring the compromised accounts. That was a little too close to espionage for his liking. So Egerstad set about notifying the affected governments. He approached a few, but the only one to respond was Iran. "They wanted to know everything I knew," he says. "That's the only response I got, except a couple of calls from the Swedish security police, but that was pretty much all the response I got from any authority." Frustrated by the lack of a response, Egerstad's next step caused high anxiety for government staffers - and perhaps intelligence services - across the globe. He posted 100 email log-ins and passwords on his blog, DEranged Security. "I just ended up (saying) 'Screw it, I'm just going to put it online and see what happens'."

He later removed the information from his blog, says the hard drives are "long gone"; also, there don't appear to be any public mirrors of the data. Nonetheless, the incident got him arrested and his hardware confiscated. One curious angle in this story is the question of which of the plain-text logins sniffed by Egerstad were made by unauthorized third party attackers instead of unwitting legitimate users.

However, Egerstad now believes the victims of his experiment may not have been using Tor. It's quite possible he stumbled on an underground intelligence gathering exercise, carried out by parties unknown. "The whole point of the story that has been forgotten, and I haven't said much about it, (is that) many of these accounts had been compromised," he says. "The logins I caught were not legit users but actual hackers who'd been reading these accounts."

Here's Bruce Schneier's commentary on the case. Here's the Tor FAQ, which tells you what it's good for and how to use it properly.

yesster — Tue, 12 Feb 2002 13:20:37 -0800

SafeWeb not so safe? It was pitched as a "web anonymizer." It was supposedly even "CIA proof." Now some holes have been found.

tranquileye — Tue, 20 Nov 2001 08:45:38 -0800

Safeweb has turned off their free privacy service. Company spokeswoman Sandra Song said "Consumer privacy is more of an idealistic vision..." Is anonymous use of the Internet dying?

Markb — Fri, 23 Mar 2001 04:43:38 -0800

Be careful what you say online. At least if you're in the UK, where an anonymous poster to 2 message boards now faces charges of defamation after the courts ordered the disclosure of their identity. ISP Totalise used existing law to force Motley Fool to disclose the details of an anonymous poster to their message boards alleged to have made defamatory comments. Landmark case or storm in a teacup?

aflakete — Mon, 12 Feb 2001 13:37:22 -0800

We'll forget it for you wholesale. Privacy portal company Safe Web sells powerful anonymizing software to the CIA. Which can then use it to spy on ? As well as for protecting their agents, of course . . . ;]