Tor

It's easier to identify TOR users than they believe, according to research published by a group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL).

Their paper, Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries, is to be presented in November at November's Conference on Computer and Communications Security (CCS) in Berlin. While it's been published at the personal page of lead author Aaron Johnson of the NRL, it remained under the radar until someone posted a copy to Cryptome.

A Tor exploit pertaining to be one used by the FBI in a recent child pornography bust has been released on the Metasploit penetration tester forum.

The exploit was posted by Metasploit user sinn3r who claimed to have found it during a joint cyber forensics operation at the Defcon hacker conference mere hours after word of its use broke.

Links between a exploit targeting users of the Tor network and US spy and law enforcement agencies should now be consider tenuous, researchers say.

The attack involved a JavaScript exploit targeting an old version of Firefox then commonly used in the Tor Browser Bundle. It served to identify the IP addresses of vulnerable users and tie them to the Freedom Hosting Tor Hidden Services they were visiting.

The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network.

The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network.

On Friday, Eric Eoin Marques, a 28 year-old Dublin resident, was arrested on a warrant from the US on charges that he is, in the words of a FBI agent to an Irish court, "the largest facilitator of child porn on the planet." The arrest coincides with the disappearance of a vast number of "hidden services" hosted on Tor, the anonymizing encrypted network.

Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for US-based communications to be retained by the National Security Agency even when they're collected inadvertently, according to a secret government document published Thursday.

We all know that Prism is most likely just the tip of the snooping iceberg. While some of us may run Tor on our PC or Mac, there may be times when when we are working on a device that is not our own, or perhaps even a Chromebook, tablet or phone.

Enter the stalwart Raspberry Pi, which can be transformed into a portable Tor device for browsing on the go.

Authorities in Japan are so worried about their inability to tackle cybercrime that they are asking the country's ISPs to block the use of Tor.

According to The Mainichi, the National Police Agency (NPA, a bit like the Japanese FBI) is going to urge ISPs to block customers if they are found to have "abused" Tor online. Since Tor anonymizes traffic, that can be read as a presumption of guilt on anyone who anonymizes their Web activity.

Developers are brewing an anonymous general purpose computing platform, dubbed Whonix.

Whonix is designed to ensure that applications (such as Flash and Java etc) can only connect through Tor. The design goal, at least, is that direct connections (leaks) ought to be impossible. "This is the only way we know of that can reliably protect your anonymity from client application vulnerabilities and IP/DNS and protocol leaks," the developers explain.

There is no fragment in program code where you cannot make mistakes. You may actually make them in very simple fragments. While programmers have worked out the habit of testing algorithms, data exchange mechanisms and interfaces, it's much worse concerning security testing. It is often implemented on the leftover principle. A programmer is thinking: "I just write a couple of lines now, and everything will be ok. And I don't even need to test it. The code is too simple to make a mistake there!". That's not right.