Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Anonymous Anonymity - Request For Comments
Date: Tue, 19 Jul 2005 15:59:35 -0500

Why not encapsulate the data portion by encrypting it inside a jpeg file, 
or something like that? Trying to hide it inside HTML tags wouldn't be all 
that hard to detect by using a specialized proxy or firewall. Proxies 
already can filter out invalid html headers and line sizes, amongst other 
things. Not to mention the overhead you'd be creating with all the HTML 
tags in an effort to make it look like a standard web page. Considering 
the data itself could be used to determine the originator, (names, phone 
numbers, etc) you'll want to make sure that not only the transaction is 
anonymous, but the content is as well.

Overall, quite an interesting concept.

Stefan Dorn

gandalf () digital net wrote on 07-19-2005 12:57:24 PM:

Greetings and Salutations:

From: Craig Skelton <cskelton () gmail com>
Take a look at Tor.
One of the biggest problems with Tor is bandwidth disparity.

Many people have suggested that I take a look at TOR, and I have. 
In fact I was able to talk to some of the authors of that system (I 
need to add a reference to TOR in my paper).  Extremely 
knowledgeable I must say.

I have installed TOR on a network that I have pretty well locked 
down.  My router filled up the syslog file with packets to "strange"
ports when I started TOR up.  If I wanted to block TOR it would be 
fairly easy.

The other issue (I think I understand TOR correctly) is that if one 
of the "routers" is not a "trusted" machine (specifically the first 
one) then a rogue "router" can "act" like it is the other "routers" 
and will know the entire transaction.  There is also a centralized 
server to hold the addresses of servers (which could be 
compromised).  I don't want to have anything centralized.  I propose
that all nodes are servers.  I am trying to get away from trusting 
anybody yet spreading the information around so much so that nobody 
can piece together the information.

One other issue with TOR and FreeNet is searching.  They do not have
searches integrated into the design.  Someone has to produce a web 
page that does the searching.  The system I propose has searching as
an integral part.

I am looking for something that is almost invisible (i.e. port 80, 
81, 443, 21, 22, 23, 8080 etc.) to any monitoring system.  The 
alternative is to do like AOLIM and just start trying ports until 
something works.  The other issue is making the traffic "look" like 
standard HTML to bypass application level firewalls.

I like the idea of TOR, tho', and it is interesting and the people I
spoke to gave me tons of pointers on other issues with Anonymous 
Systems.  I will add / update to the file at:

Ken Hollis

Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gand... () digital net - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html
Woodworking For Geeks - http://digital.net/~gandalf/woodmain.htm

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]