Monitored tracker problem

Okay, so, I keep hearing people rant and rave about tor all the time, and how it's the cure all for privacy and whatnot. I'll come right out and say it, for 99% of you using it - tor is not the answer nor is any other darknet, and you're fools for thinking a darknet is the answer. Tor is actually *hurting* most of your privacy and security. I'll post this in debates because I'm sure there's going to be a debate afterwards.

I'll start with backround on how onion routing works. Every tor circut is 3 nodes long(or four if you're accessing a hidden service).

Application -> tor => node1 => node2 => node3(exit) -> WAN .
Encrypted links are colored green, with => as the path instead of ->. As you can see, node1 and node2 cannot see your traffic - but the exit node can. Node3 does not know where the traffic is coming from, but that doesn't mean that it can't identify you.

Consider these identifying attributes that can go over these forums alone, not including external images such as the image in my sig , which the exit node has complete access to:
1) Cookies, which include authenticated sessions
2) Your user name
3) The content you post, and view
4) Contact information listed in your profile such as AIM/MSN/email.
5) MTU(the maximum size of your packets, not all machines have their MTU at 1500, some are lower. If it is lower, then that stands out and I can determine who's who via the MTU.)
6) The DNS request tunneled over TOR

These four properties of traffic can allow a rogue exit node(of which their are *many*) to build a profile on you, tracking you through the sites you visit. Not only can exit nodes view your traffic, they can manipulate it. They can change out google ads with their own, include malware in your requests, insert their own tracking cookies, so on and so forth. And the cookies going over the line to log you into the forums? Yep, they've got those too, and can now log in as you if they'd like. #6 is important - if you're tunneling DNS over TOR, they can poison your DNS cache and redirect you to their website even after you turn off and stop using tor , because of DNS's TTL. Not all sites use hashing functions on passwords, if you've got the same password for multiple things, it only takes one slip to empty your bank account.


Browsing through tor is inheritedly insecure, because you cannot trust the exit node as anybody can run them. The tools to do this tracking already exist(dsniff, ettercap, wireshark, so on and so forth), and take about five minutes to setup. Recommending that everyone use tor is retarded, as using tor securely requires discipline and knowledge of what's actually going on behind the scenes. If you are really so worried about someone looking at your traffic, there's four things this former blackhat advises you to do:



1) Stop doing what you believe has people looking at your traffic, if it's honeslty that serious, you're going to get caught. There's always someone smarter than you, with more experience, more creativity, and a brain that works better at picking things to pieces. I got caught, so will you. Behaving is the only true option if you value your freedom.

2) If #1 doesn't work for you, RTFM. You probably hear that alot, it's great advice. If you don't understand how something that you use works in and out, you are incapable of assessing how it effects your privacy. Yes, it's work, but it's worth it. I'm only 20, self educated, and I can explain in extreme detail how the packet gets from my computer to this website, and can even craft the packets to do so by hand if needed. There is no excuse for ignorance, and the fact that you're willingly submitting yourself to monitoring via rogue nodes proves ignorance.

3) Form a seperate e-identity. Google pwns you, just start googling your nick/IM nick/email and see what I mean.

4) Consider getting a dedi/colocated server(they're cheap!) in an asian country, and using a layer 2/3 VPN. Dynamic SSH tunnels work too, but less so. Asian ISPs are a PITA to get to cooperate w/ abuse emails/legal threats unless they're coming from that countries law enforcement. Use a prepaid credit card purchased with cash to pay(and prepay) for the dedi. Don't use your real contact info. Learn a bit about securing a system - it really isn't that hard, it just requires that you think ahead.