
Posted

If for whatever reason you need to cover your tracks or spoof your true identity in cyberspace, what can you do? Oh no I'm not advocating that you all visit http://www.singaporepools.com or other objectionable sites in the office. Neither am I suggesting how you can post anti-(fill in the blank) comments in online forums without being tracked down (not so easily anyway). This is just to provide some advisory how you can protect yourself. Yes, you read me right. How to protect yourself.

 

How by? Packet sniffers and network analyzers are not difficult to lay hands on these days. What used to be power tools for the developers and administrators have now become tools used for invasion of privacy and identity thefts. Imagine someone is trying to "hack" into one of your accounts. What if the account bearing site does not implement security protocols for communication? Nothing much, just that your password may be compromised.

 

An adversary can capture your password and use it for his own log in later and create mischief in your name. How about if you used that same password for your other online accounts say, internet banking? The adversary need just to try the password he captured from say SBF to your POSB internet banking account and you'd just have made his day. Or what if the adversary had been monitoring your webmsn chat sessions and finds out where you live, etc.? All these create a basis for social engineering attacks.

 

Or how about that your company network administrator knows of your surfing pattern. The site you visit, the amount of time you spend each day in SBF, etc. Or how about some sites that you desperately need to go to are blocked by your company policy? The very last thing you probably want your boss to know is that you just sent in your job application to the rival company.

 

Or how about that the fact that your IP address is blocked by some sites due to mischief caused by others on the same network?

 

Previously, people like to connect to what is known as anonymous proxies. No doubt by going through an anonymous proxy websites are not able to get your true IP as easily. No doubt by going through anonymous proxies you work your way around blocked sites. But that's probably all about it. Is it really that useful? Does it really work like it should?

 

What am I trying to say here? Well, firstly, in a locked down environment (read: office), you probably are required to connect to the company's proxy server before you can reach the Internet. So how then do you connect to a third party anonymous proxy server? It's not so bad if your company uses transparent proxy but that is usually not the case. If you configure your browser to proxy out through the company proxy server you can't connect to other anonymous proxy servers. Not forgetting, even if you connect to anonymous proxy servers this only solves your limitation of blocked sites and blocked IPs.

 

So what can you do? Or rather, what should you do? ipconfig /release, wait for lease expiry then ipconfig /renew to get a new IP address? Ok, this will probably solve your blocked IP issue. but what if your IP is static and not dynamic? What next? Run a search on "onion router" and "torpark" on your favourite search engine and see what it churns out.

 

Read and digest the information and decide for yourself how you should conduct your online activities.

 

Torpark is a variant of Firefox that is heavily modified for security conscious people. Torpark is self executable, meaning you do not need to install it. Perfect for some office environments where you are not allowed to install any software. This also means you can have it on USB thumb drives and carry with you on the go wherever you go. You can use it in cybercafes, etc. You carry around with you your security profile and surfing lifestyle.

 

So what does Torpark do for you? Torpark protects your online identity and preserves your privacy. No one will know what sites you're visiting and no one can sniff your information. No one can stop you from going to sites you want to go.

 

Essentially, your connection to torpark is totally secured. Torpark tunnels through "The Onion Router" (hence the "TOR" in the name) transparently. You no longer connect to websites directly. You rather, connect to the onion router and the onion router connects to the website on your behalf. Your internet traffic from the torpark browser to the onion router is encrypted. The onion router then decrypts your encrypted data and passes the decrypted data over to the website in the clear. This means that if someone is sniffing your traffic, and what used to be your HTTP-REQUEST for "http://www.singaporebikes.com" becomes some unintelligent message. No one knows that you're connecting to SBF. This also means that your password is not available to others in the clear. This gives you enhanced privacy and confidentiality.

 

So is that all torpark has to offer? In fact, that is just the tip of the iceberg. The onion router works in a much more sophisticated way. The onion router is anonymous proxy brought to a new level. What was described earlier is simply the connection from your browser to the onion router. What about leaving the onion router? The data leaves the onion router in the clear. So this makes no difference to the websites on the other end. This is a transparent process. But you achieved your need to defeat sniffers on your end. You have privacy and confidentiality.

 

Since torpark connects to the website on your behalf, the IP address that the website sees is the IP address of the onion router, just like if you connect through proxy servers, the website will see the proxy servers' IP address instead of your own. However, there's a marked difference between the two. Website may be able to get your real IP address since proxy servers do what is known as HTTP-FORWARDING. Your IP address is merely encapsulated a layer deeper. So this means that website might still be able to get your real IP if they dig deeper.

 

The onion router works in a different way. The onion router does what resembles "scrambling". It connects to websites through a pool of IP addresses. Say if you're connecting to a particular website using IP A out of the onion router, the website will see you as IP A. But things do not end here. The IP address is "scrambled" (as in shuffled) every now and then. So if SBF sees me as IP A now, few moments later, I'm IP B. Next moment I'm IP C. I'm still the same me but SBF doesn't know that. SBF is not able to track me down. So what does this mean again? This means that SBF for example, is not able to know who I am that easily even if they wanted to.

 

Maybe you don't see the value here as I'm using SBF as the example but imagine I'm visiting say my ex-company's website and leave an angry comment. Now that's where things become fun. I'm venting my frustrations by saying bad yet truthful things about my ex-boss and they can't trace it back to me! Or how about... Hmm... I shan't touch on the things that can be done by left. Just imagine what you can do... You'll probably benefit if you're like the majority... Movies, music, etc. :x
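Added example, not part of the original post: the post above says an ordinary proxy can still reveal the client address through forwarding headers. This Python sketch shows what a web server can read from a request that arrived through such a proxy. The function names and the sample requests are constructed for illustration; the header names (`X-Forwarded-For`, `Forwarded`, `Via`) are the standard ones.

```python
import ipaddress
import re

# Matches the for= parameter of an RFC 7239 Forwarded header, quoted or not.
FOR_PARAM = re.compile(r'for=("?)([^";,\s]+)\1', re.IGNORECASE)


def clean_ip(value):
    """Return a normalised IP string, or None for 'unknown', obfuscated or junk values."""
    v = value.strip().strip('"')
    if v.startswith("["):            # bracketed IPv6, optionally followed by :port
        v = v[1:v.find("]")]
    elif v.count(":") == 1:          # IPv4 followed by :port
        v = v.split(":")[0]
    try:
        return str(ipaddress.ip_address(v))
    except ValueError:
        return None


def inspect_request(peer_ip, headers):
    """Report which client addresses a request discloses beyond the TCP peer.

    peer_ip is the address the socket was accepted from (the proxy, if any).
    The header values are supplied by the sender, so they are useful for
    logging and investigation but must not be trusted for access decisions.
    """
    h = {k.lower(): v for k, v in headers.items()}
    disclosed = []
    for part in h.get("x-forwarded-for", "").split(","):
        ip = clean_ip(part)
        if ip and ip not in disclosed:
            disclosed.append(ip)
    for match in FOR_PARAM.finditer(h.get("forwarded", "")):
        ip = clean_ip(match.group(2))
        if ip and ip not in disclosed:
            disclosed.append(ip)

    if disclosed:
        kind = "forwarding"          # proxy passed the client address along
    elif "via" in h:
        kind = "anonymizing"         # proxy announces itself, hides the client
    else:
        kind = "direct-or-stripped"  # no proxy, or one that removes all traces
    return {"peer": peer_ip, "kind": kind, "disclosed": disclosed}


# Constructed sample requests (documentation address ranges only).
SAMPLES = [
    ("203.0.113.5", {"X-Forwarded-For": "192.0.2.44, 10.0.0.3",
                     "Via": "1.1 proxy.example"}),
    ("203.0.113.6", {"Via": "1.1 cache.example"}),
    ("203.0.113.7", {"Forwarded": 'for="[2001:db8:cafe::17]:4711";proto=http, for=unknown'}),
    ("198.51.100.9", {}),
]


def run_samples():
    return [inspect_request(peer, hdrs) for peer, hdrs in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```
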


Posted

so do you mean if my real ip will not be known to any website? so sbf banned me by ip also no use?

http://www.ahajokes.com/cartoon/hotdog.jpg
Posted

If your concern is to work around banned IPs, there're numerous ways.

 

1) Do an IP renewal by issuing ipconfig /release, then ipconfig /renew until you get a new IP address. Usually you have to wait for a few minutes or off/on your modem so that your lease with the ISP expires.

 

2) Connect to an anonymous proxy server. Just do a search for "anonymous proxy" and you'll get one whole list. As they are very dynamic and volatile by nature, just keep trying until one works and change to a new one if the one you're using no longer works.

 

3) Download and use torpark.

 

I don't see the point of banning by IP address. It doesn't serve much real purpose. Maybe it does to scare the ill-informed but for those in the know, it's plain silly. As most of us are domestic subscribers, we are given dynamic IP address by the ISPs so that they can reuse the IP address for others when you're not online and effectively have a larger customer pool to their allocated IP range.

 

What is your IP today may be my IP tomorrow and vice versa. So if a website bans your IP today, what if your IP today gets allocated to me as my IP tomorrow? Then I cannot access the website? Plain stupid. Self denial of users. Not to mention that it is unfair for me to suffer the consequence of the mischief of others. So whoever still does banning by IP should wake up their idea. It's not all powerful anyway. There are so many ways to work around banning by IP.

Posted
Originally posted by E.V.ilyn@Oct 16 2006, 12:43 AM

So if SBF sees me as IP A now, few moments later, I'm IP B. Next moment I'm IP C. I'm still the same me but SBF doesn't know that. SBF is not able to track me down. So what does this mean again? This means that SBF for example, is not able to know who I am that easily even if they wanted to.

If you have a randomly changing IP address, how are you going to remain logged on if SBF requires one user to stay with the same IP address for login tracking purposes?

Co-Moderator for IT -inerary forum

Biker nerd • Windows • Apple Mac • Android user

 

"Kick up your sidestand bro, let's ride..."

Posted

To further illustrate my original post, see this:

http://www.ethereal.com/mm/image/tcpstream-20010427.gif

 

This is a sample screen capture of a network sniffer. See the Source and Destination fields? They are what are contained in a network packet (TCP/IP, UDP, etc.). Without going into too much detail, this shows the kind of information that an adversary or your network administrator can see. The Info field will show the details of the packet, maybe your MSN message or password even.

 

As this packet moves from host to host or through the OSI layers, more headers may be added or removed as it gets routed. At the application layer, they will see the "originating" IP address and not the intermediate routes. So if there's a need to reply say an acknowledgement packet, the application will know how to address the destination.

 

Imagine that you're using torpark tunnelling out of the onion router. The onion router sees your real IP in the Source field, and the onion router's own IP in the Destination field. The Info field is encrypted. So in between your PC to the onion router, no one can make any sense of what is sent from you to the onion router.

 

When your packet reaches the onion router, the onion router creates a new IP packet using an IP address from the pool of IP addresses that the onion router has in the Source field, and the IP address of the website that you want to visit in the Destination field. The encrypted Info payload is then decrypted and placed in the new IP packet.

 

So to the website, it thinks that the IP that the onion router gives is the original sender. When the website replies to the onion router, the onion router looks up the internal table and then forwards the website reply to you using your real IP address. Of course the payload once again is encrypted. This serves 2 folds.

 

1) Your network administrator will only see you communicating to the onion router. But he cannot know what is being sent and received. Only "rubbish".

 

2) The website will not see your real IP. It will only see the IP given by the onion router which changes so frequently every now and then. So the website cannot block you, cannot trace you.

Posted
Originally posted by redbeacon@Oct 16 2006, 01:27 AM

If you have a randomly changing IP address, how are you going to remain logged on if SBF requires one user to stay with the same IP address for login tracking purposes?

That's not how the forum software works. The notion of "logged in" is based on time and this thingy called the cookie.

 

You have to understand that the Internet is largely a packet switching network. It is not circuit switching like your phone. This means there is no dedicated connection from your machine to wherever you're connecting to (let's just leave session connections and downloads aside for now). The forum will not give you a dedicated port for connection for prolonged periods. After all you do not need to talk to the server continuously. Each time you're reading a page you're inactive. So after a certain period, you're timed out and the server closes the connection to you.

 

The next time you send a request or something to the server, it gives you another connection. Noticed how you are surfing SBF but next time you click another link you're lagging, get error page, etc. If you're on a dedicated connection to the server this won't happen. This happens due to resource request.

 

Going back, when you log in, the server registers your login time into the database. If the next time you visit the forum, and the time is within the timeout period, you remain as "logged in". If you have exceeded the timeout period, the server will present you with a login screen asking you to login. Then this brings us to the topic of cookies. A cookie is a token stored in your browser containing session information with certain websites. SBF uses cookies and if you enabled cookies (by default) in your browser, your cookie will tell the website that you're logged in and hence you do not have to login yourself.

 

Nowhere in the process does the IP come into play.
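Added example, not part of the original post or the forum software's own code: a minimal Python sketch of the login model described above, where "logged in" is a random cookie token plus an idle timeout. The class and field names are hypothetical; the optional `bind_ip` switch shows what would happen under the IP-pinned scheme asked about in the quoted question.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    login_ip: str      # recorded for the log, only enforced when bind_ip is set
    last_seen: float   # seconds, updated on every accepted request


class SessionStore:
    """Server-side sessions keyed by the value of the login cookie."""

    def __init__(self, idle_timeout=900.0, bind_ip=False):
        self.idle_timeout = idle_timeout
        self.bind_ip = bind_ip
        self._sessions = {}

    def login(self, user, ip, now):
        # The cookie value is an unguessable random token, not anything
        # derived from the client's address.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, ip, now)
        return token

    def validate(self, token, ip, now):
        """Return the user name for a live session, else None (show login page)."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[token]      # timed out: must log in again
            return None
        if self.bind_ip and ip != session.login_ip:
            return None                    # IP-pinned variant rejects the request
        session.last_seen = now
        return session.user


def demo():
    """Constructed walk-through using documentation IP ranges."""
    results = []
    cookie_only = SessionStore(idle_timeout=900)
    token = cookie_only.login("rider", "192.0.2.10", now=0)
    # Same cookie, different source address each time, inside the timeout.
    results.append(cookie_only.validate(token, "198.51.100.7", now=300))
    results.append(cookie_only.validate(token, "203.0.113.99", now=600))
    # Original address, but idle for longer than the timeout.
    results.append(cookie_only.validate(token, "192.0.2.10", now=1501))

    pinned = SessionStore(idle_timeout=900, bind_ip=True)
    token2 = pinned.login("rider", "192.0.2.10", now=0)
    results.append(pinned.validate(token2, "198.51.100.7", now=60))
    results.append(pinned.validate(token2, "192.0.2.10", now=120))
    return results


if __name__ == "__main__":
    print(demo())
```
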

Posted

A hash file block on Torpark or similar product in the company will render the user disappointed.

 

Putting a block on these anonymous proxies IP makes the user more disappointed.

 

So to surf safe internet, do it at home. :)

 

BTW anonymous proxies are slow and painful to use.

http://home.pacific.net.sg/~none/sign7.jpghttp://home.pacific.net.sg/~none/sign8.jpg
Posted
Originally posted by none@Oct 16 2006, 07:55 AM

A hash file block on Torpark or similar product in the company will render the user disappointed.

 

Putting a block on these anonymous proxies IP makes the user more disappointed.

 

So to surf safe internet, do it at home. :)

 

BTW anonymous proxies are slow and painful to use.

If the company goes to that sort of extent, then they might as well block port 80 outright. Do not forget that Torpark is opensource. All I need to do is to add a silly line of dummy code i.e. sleep(1);, recompile and voila! There's only so much you can do. The problem with security is always a function of usability...

Posted

Oh BTW, maybe I should reiterate that free anonymous proxy servers services in the Internet are dynamic and volatile. They come up and down faster than a lady changes her mood. The administrator has my deepest sympathy if he is given instruction to block access to them. On the lighter side of things, that will probably mean he'll always remain gainfully employed since he'll always be kept busy...

 

And you know what, if you do silly things in the office, you are leveraging off the company's network infrastructure. I'm behind a 3-tiered architecture with at least 2 hardware firewalls, proxy servers, subnets, NAT, etc. All prevent others from trying to hunt me or take me down. I'm more or less assured that malicious content can't get to me that easily... If I do not make use of such infrastructure, I'll be kinda dolt...

Posted
Originally posted by E.V.ilyn@Oct 16 2006, 01:18 AM

If your concern is to work around banned IPs, there're numerous ways.

 

1) Do an IP renewal by issuing ipconfig /release, then ipconfig /renew until you get a new IP address. ...

 

2) Connect to an anonymous proxy server....

 

So whoever still does banning by IP should wake up their idea. It's not all powerful anyway. There are so many ways to work around banning by IP.

Hey, I've read your interesting article and have not used Torpark before (only tried anonymous proxies). I'll follow up on its praises before I try it out.

 

Anyways, maintaining (heheh) the "devil's advocate" mentality, I feel that it's okay for forums to implement the single-IP-address blacklist scheme. At least let them. Even if it's just a small lock on the door -- we do know that it can be cut using a heavy duty lock cutter, at least they themselves feel that (false) sense of security.

 

There are some who go to the extent of banning an address block, shutting out all users from an ISP -- just to deny access to one malevolent individual. *That*, IMO, is unreasonable.

Co-Moderator for IT -inerary forum

Biker nerd • Windows • Apple Mac • Android user

 

"Kick up your sidestand bro, let's ride..."

Posted

Anonymous proxies may or may not work. You only have to try.

 

You can always go to http://www.whatismyip.com to find out.

 

Remember that Torpark is a Firefox variant. Remember that you're doing circuit randomizing and channel encryption. It is surely SLOW... It's not really suitable intended for casual surfing. Torpark can dynamically turn on/off the onion router connection by clicking on the status bar at the bottom of the browser. Try for yourself how slow it can get... :giddy:

 

For those who are skeptical just download Torpark and try connecting to whatismyip. No installation required so it won't screw up your system. Try again with your normal browser or with the tor connection disabled. This will be quite a shocker for people who think that banning by IP is omnipotent...

Posted

Banning by IP has never been a good way to restrict access. This is especially true with the old IPv4 system that is still the de facto standard since there's simply too few IP addresses available.

 

As mentioned, ISPs do not issue static IPs unless you pay an additional monthly fee coz people who need static IPs are usually operating servers etc, but that can also be circumvented by using a service to update the DNS servers every time your IP address changes.

 

SBF and practically every other forum "remembers" your login via cookies and not IP. Otherwise when your old IP is issued to another person who happens to be from SBF as well, havoc can ensue.

 

But let's put it this way, there is no true anonymity on the Internet no matter whether you go through proxies or any other masking methods. There are always traces and logs that can be obtained with legal methods.

Just call me Eno.

 

8 Sep 2004 - ??? : Honda Phantom TA200

4 Oct 2005 - Feb 2006 : Honda FireBlade CBR400RR

 

Drivers and bikers look at the world from different angles. Don't believe? Just compare them in a corner...

 

Speed has never killed anyone, suddenly becoming stationary... that's what gets you. - Jeremy Clarkson (Top Gear)

Posted

why so troublesome, just connect to your neighbour's wireless network and post whatever comments u want can liao.

 

another way i can think of off hand now is to bring your lappie to wireless zones , eg. macdonalds, starbucks etc and do your surfing

 

 

either way, it wont be traced back to you

 

 

edit.

contrary to what entosol said abt tracing back ,

im pretty sure if u pay $2 per hour at a LAN shop to do your stuffs, dun think it can ever trace back to you

Posted
Originally posted by josean@Oct 18 2006, 08:35 AM

why so troublesome, just connect to your neighbour's wireless network and post whatever comments u want can liao.

 

another way i can think of off hand now is to bring your lappie to wireless zones , eg. macdonalds, starbucks etc and do your surfing

 

 

either way, it wont be traced back to you

 

 

edit.

contrary to what entosol said abt tracing back ,

im pretty sure if u pay $2 per hour at a LAN shop to do your stuffs, dun think it can ever trace back to you

Well yes that slipped my mind.

Just call me Eno.

 

8 Sep 2004 - ??? : Honda Phantom TA200

4 Oct 2005 - Feb 2006 : Honda FireBlade CBR400RR

 

Drivers and bikers look at the world from different angles. Don't believe? Just compare them in a corner...

 

Speed has never killed anyone, suddenly becoming stationary... that's what gets you. - Jeremy Clarkson (Top Gear)

Posted
Originally posted by Enotsol@Oct 18 2006, 02:06 AM

Banning by IP has never been a good way to restrict access. This is especially true with the old IPv4 system that is still the de facto standard since there's simply too few IP addresses available.

 

As mentioned, ISPs do not issue static IPs unless you pay an additional monthly fee coz people who need static IPs are usually operating servers etc, but that can also be circumvented by using a service to update the DNS servers every time your IP address changes.

 

SBF and practically every other forum "remembers" your login via cookies and not IP. Otherwise when your old IP is issued to another person who happens to be from SBF as well, havoc can ensue.

 

But let's put it this way, there is no true anonymity on the Internet no matter whether you go through proxies or any other masking methods. There are always traces and logs that can be obtained with legal methods.

Anonymous servers and the onion router are not commercial entities. They are not bound by audit requirements, etc. They go up and down at the wink of the eye. Traces and logs? Good luck. And logs are probably kept for 6 months or so generally speaking. BTW, it is always debatable that logs can be made up unless the logs are created with non-repudiation which to my knowledge, is not a practice. In fact, there are no mainstream products to serve this purpose.

 

And if anyone is thinking along the line of MAC addresses, they can be spoofed as well. :cheeky:

Posted

Interesting debate being put up here, I must say.

 

I think we should be thankful that SGBikes aren't as infested as other forums when it comes to a group of people who would stoop so low to flame others...

Co-Moderator for IT -inerary forum

Biker nerd • Windows • Apple Mac • Android user

 

"Kick up your sidestand bro, let's ride..."

Posted

The few of us posting here probably all work in the IT industry and we know there are always ways to work around the system, take for example the numerous attempts to prevent piracy etc.. they were all broken in record time after the companies spent fortunes to find a way to safeguard their intellectual property. But for the average home user who is less savvy in such aspects, they could be misled into thinking that they are safe behind their faceless identities on the Internet.

Just call me Eno.

 

8 Sep 2004 - ??? : Honda Phantom TA200

4 Oct 2005 - Feb 2006 : Honda FireBlade CBR400RR

 

Drivers and bikers look at the world from different angles. Don't believe? Just compare them in a corner...

 

Speed has never killed anyone, suddenly becoming stationary... that's what gets you. - Jeremy Clarkson (Top Gear)

Posted
Originally posted by moccajava@Oct 20 2006, 11:59 AM

"Security is a myth". Famous quote.

I would not refute that. It is my belief that if something can be made, it can be broken - it's only a matter of the amount of effort and the degree of difficulty in doing so.

 

I would justify the statement if you're talking about absolute security as in it cannot be defeated. Security is a relative descriptive. Something is deemed secure with reference to a baseline or benchmark.

 

Back in the days of Julius Caesar, a simple transposition algorithm is considered secure enough for the transport of top secret military messages. Some 30 years back, DES cipher is thought to be secure. Not many years later, DES is thought no longer secure and 3DES is the buzzword. These days people are phasing out 3DES and talking AES.

 

What I am trying to put across is that security is a notion of relativity. There is no security to speak of if there is nothing to compare against. The fundamental of designing or implementing a security solution is to provide a deterrent to adversaries such that the cost of breaking the security exceeds the value that the security measures were intended to protect.

 

Suppose you have a safe that you use to stash your life savings of $200K. If all it takes for the burglar to break open the safe to retrieve the money is a $100 drill (or any other tools), then the safe cannot be considered secure for the application. However, if the safe requires that the burglar purchase specialised equipment amounting to $200K or more to break open, then the safe is considered secure as breaking the safe no longer holds any value for the burglar since he would not be "making" any money out of the episode. This is what security is all about.

Posted

I'm getting the gist of it... If i'm not wrong, the metaphorical $200k is actually representing time: If you implement a strong security solution that is proven for a hacker to, say, take 100 years to crack it, then for any aspiring hacker, this would "provide no value" since he'd be in his grave by then.

 

** Taken from a comic advert by a security company in the Straits Times (last year, forgot what article)

 

Tell me about security in the workplace; i'm a neophyte to this, still uninitiated and am depending on firewalls to do the job :sweat:

Co-Moderator for IT -inerary forum

Biker nerd • Windows • Apple Mac • Android user

 

"Kick up your sidestand bro, let's ride..."
