CAT | Anonymity
Right after the Lizard Squad finished with a DDOS attack on the PSN and XBOX networks, they launched an attack against the Tor anonymity system. The attack was simple, set up enough Tor relays to be able to identify a significant fraction of Tor users and connect them with their activity. They got caught because they were bozos (perhaps intentionally). They did the attack hard and fast, which made it easy to identify the rogue relays, and they bragged about it (which told people to look for the attack). (more…)
It looks like people who care about Internet anonymity need to look outside Canada for their providers. It is not just a concern that the Canadian government would be able to subpoena the information, but it is also vulnerable to insider and external attack. If the data exists, it will eventually leak.
Starting today Canadian Internet providers are required to forward copyright infringement notices to their subscribers. This notification scheme provides a safe harbor for ISPs but is also expected to result in a surge in piracy settlement schemes. The new law further causes trouble for VPN providers, who are now required to log customers for at least six months.
I have long said that privacy services are all about trust. I this article demonstrating how to use a simple web proxy to compromise the users of that proxy. Of course, the operator of the proxy is being untrustworthy, but that is the whole point. If you don’t have a reason to specifically trust the operator of your privacy service, you need to assume that they are attempting to do you harm. Of course, the same argument applies to Tor. Literally anyone could be running that proxy for any purpose. (more…)
Two new attacks on Tor were recently announced.
Recently a colleague was reading a blog post by a Russian based VPN provider which talked about their privacy stance. He was incredulous. “Why would anyone trust a Russian VPN company?!?!”
It is a reasonable question about many locations. Russia, China, Iran, and many other companies are justifiably known for Internet monitoring and censorship. Of course, in the post Snowden era, a lot of attention has been focused on US surveillance as well.
I think that many people have the feeling that they should trust anyone but their own governments. After all, foreign intelligence services are unlikely to do anything about any intercepts unless they see some kind of global doomsday scenario. You might worry that your local intelligence agency could pass along information to local law enforcement, but that too seems generally unlikely. Exposing such intercepts would also expose sources and methods, which are some of the most highly protected secrets out there.
To me the question is what the VPN / Privacy provider is ALLOWED to keep private. It is clear that many governments put a huge amount of pressure, or actually pass laws, on companies to keep all kinds of user activity records. Interestingly that is not the case in the United States.
Anonymizer has no requirement to keep any records about what our users do through our service, or any way to identify associate any activity with a given user. Our systems are architected so that we don’t need to refuse to provide any of that information, we are simply incapable of doing so.
- The absurd alarmism over the new Facebook Messenger App’s privacy settings
- Brazil’s move to ban anonymity
- How the secrecy of the secret app has been compromised
- and finally how Tor users were put at risk by a fake website
In a brilliant campaign, IO9 and the EFF is having cosplayers pose with pro-anonymity, pro-privacy, and pro-pseudonymity signs. See the whole set here. The most popular seems to be “I have a right to a Secret Identity!”.
It turns out that people say nasty things under their real names, and people also say valuable things anonymously.
It is amazing how often I see respected academics and other thinkers get incredibly sloppy in their reasoning when it comes to anonymity. They frequently assume correlations for which they have no evidence, and propose solutions with no consideration of the consequences.
I appreciate the rational perspective in articles like this.
This article describes a clever attack against Secret, the “anonymous” secret sharing app.
Their technique allows the attacker to isolate just a single target, so any posts seen are known to be from them. The company is working on detecting and preventing this attack, but it is a hard problem.
In general, any anonymity system needs to blend the activity of a number of users so that any observed activity could have originated from any of them. For effective anonymity the number needs to be large. Just pulling from the friends in my address book who also use Secret is way too small a group.
A Brazilian court is enforcing a constitutional ban on anonymity by requiring Apple and Google to remove Secret, an anonymous social network chatting app from their app stores. Microsoft is being required to remove Cryptic, a similar windows phone app.
In addition to that, they have been ordered to remove the app from the phones of all users who have installed it. These kinds of retroactive orders to have companies intrusively modify the contents of all of their customer’s devices are concerning. At least these apps are free, if users had paid for them, that would introduce another complication.
One wonders how this will apply to tourists or business travelers visiting Brazil. Will their phones be impacted as well?
The law exists to allow victims of libel or slander to identify and confront their those speakers.
While this ruling only applies to Apple, Google, and Microsoft, and only with respect to the Secret and Cryptic apps, the underlying principle extends much further. There are still final rulings to come, so this is not the last word on this situation.
Anonymizer has had a great many Brazilian customers for many years. Anonymizer provides those users important protections which are well established in international human rights law. We certainly hope that they will continue to be allowed to use our services.