Tor, Sockscap and being a naughty boy.

[Irongeek]

if someone uses Tor[0] and Sockscap[1] to have almost complete anonymity while port scanning or trying exploits on a remote box? If a hack attempt is traced back to one of the end point nodes what legal ramifications would the operator face? There is a bit of information in the FAQs[2] but I would like your opinions. Is there a way I could trace down an attacker using the Tor network?

[0] http://tor.eff.org/
[1] http://www.socks.permeo.com/Download...load/index.asp
[2] http://tor.eff.org/faq.html

Yes, I stole Sec_Ware’s way of linking because it made a lot of sense.

[phishphreek]

Each request would be sent through another node.

If someone scans using that, then it would be a distributed scan?

If you go to www.whatismyip.com and refresh over and over, it will show a new IP address. That proves that each request is sent through another node.

You can script it and use wget to download the page over and over.
Or, use it to scan a remote box that you can see the firewall logs.
(I'll give you my ip if you want... PM me).

If someone misuses a service you are providing or participating in I don't think you can be get in trouble for it. For all you know, you were just participating on the network to help people stay annonymous while SURFING the web. Seeing that its being pushed by the eff... I'm sure their lawyers would help you out if you were being charged for anything.

If someone installs a Wireless Access Point and doesn't secure it... then some attacker comes along (spammer? script kiddie, etc) Can they charge you with a crime you didn't commit? The hardware was yours, but you didn't actually do anything.

If someone were to break into your house and then steal your gun and use it in a crime, can you be charged for that crime? You didn't commit it, but the gun was yours...

If a gun range rents out a gun for shooting at targets and then a customer shoots someone else at the gun range... can the gun range be charged for providing the gun to someone who misused it? It was supposed to be used to shoot at targets, not someone else...

You are using tor to provide a service for annonymous web access. If someone uses it for something else... is that your fault?

Or something that is tech. related. If a hotel or coffee house offers internet access and someone misuses the service... can the hotel or coffee house be liable for the crime of a customer?

I don't think so... But who knows.. I'm not a lawyer...

[Irongeek]

I see what your saying Phish, and respect the logic of it, but logic and law do not always go hand in hand. I imagine if someone wanted to sue a Tor node or a Wi-Fi hotspot perhaps they could do it on the grounds that the owner should have taken more precautions. As for the gun analogy, if I leave a gun laying around my house and a kid wanders in and shoots himself or a friend I think I might still get in trouble. (I’m an NRA member if your wondering, and a big proponent of gun safety over knee jerk laws)

Using http (which is more or less a stateless protocol) the IP (exit node) changes frequently, but not if you are using a state-full protocol like SSH (I tested that a little).

[Negative]

I tend to agree with Phish, but I have some reservations:
to continue with your gun-analogy, you can (and will!) be held responsible if you have knowledge about someone stealing your gun and using it in a crime. That may sound obvious, but there's a fine line: what if you have a gun safe, and you "forget to lock it" one night, your gun gets stolen that exact night and someone is murdered with your gun. Who's going to decide if/whether you're an accomplice or not? The link between not locking your safe, gun getting stolen, and murder being committed is quickly drawn...

What if they (jury/judge) draw the same conclusion on wireless networks? Let's say someone uses phish's wireless network to send 1 million spam emails. If I would be the prosecution, I would guide the jury to Antionline and show them that Phish knows how to secure his wireless network... but he didn't... why didn't he? Because he's perfectly aware of the misuse of his network... that conclusion will sound pretty logical to most jury members...

The same goes for Tor, afaik: if you know how to get that stuff working (I remember messing around with Sockscap a couple of years ago), you're "supposed" to know that it could be misused as well. And then it's just a small step for a lawyer: you know it can be misused, and you allowed it to being misused ("What? You didn't know? You figured out how to get it working... we all assume that you know exactly what it's capable of - we all assume that you know it can be used maliciously")... what's your defense, phishy?

[phishphreek]

I never tested out a state-full protocol such as ssh. Just stuff like http. Of couse the session is going to use one node... but each session will be different. If you open up multiple ssh sessions, they should all have a seperate IP.

I just installed the socks program you linked to.
Looks pretty cool so far. I never messed with it.

I see what you're saying about the gun laying around your house... but if someone breaks in and steals it (hidden in the shoe box in your closet) or even at the gun range... I don't see how that would be your fault.

I know that logic and laws don't go hand in hand.. but I think they would have a very hard time convicting you of a crime that you didn't commit. They may charge you, but good luck getting the charge to stick into a conviction.

I think any jury would dismiss the charge. You didn't commit the crime. Someone else did.
I know if I was on the jury, I would not hold the defendant guilty.

Neg. The tor site has step by step instruction on how to setup Tor and Privoxy. They make no mention of sockscap, AFAIK. Tor is advertised for annonymous web surfing. Not for everything else. Setting it up is rather easy. They have pics and all. Anyone who can read can set it up. Sockscap was brought into this equation by Irongeek. Maybe irongeek knows how to make it all work... but anyone who follows the instructions on the tor site won't. They have to have a more indepth knowedge.

What if someone respect their right to privacy and they come across Tor. They think... Cool! Fight big brother! Thats all they think that they are doing. They didn't know that Irongeek knows how to make thing work in ways it wasn't intended/advertised to.

http://tor.eff.org/cvs/tor/doc/tor-doc-win32.html

[rowdy_yates]

Hi. I like the direction of this thread. I like the gun analogy. It works well to get a point accross. But I would like to add.

If someone attacked a top goverment /military system, it turned out it was a serious attack/crime, and your IP was the last thing logged from that attack. Tor or no Tor, you are in for a heap of trouble and you probably will not get out of it unless you have lots of money and friends in high places. I personally do not have complete faith in the amount of fairness lawyers, judges and jury can muster.

[Negative]

They think... Cool! Fight big brother!

And that's the entire thing that's going to be used against you...
It's the 4-year old finding a gun in the house and shooting his 3-year old brother with it... if you have it "hidden" in a shoe box in your closet, do you think the jury is going to care? I wouldn't...

And that's the entire discussion: is the jury going to care that you "didn't know it could be used for malicious goals"? Compare it to (the old, not the new one) Napster: it *could* be used for legal practices (that was his defence), but it got misused (just like Tor does)... is the jury going to care that it can be used for "anonymous surfing", or are they going to care that it "can be used by terrorists who can surf anonymously"?

[phishphreek]

Neg. You have some good points. Just like with practically every technology... it can be used and misused.

What if I want to use Tor to just protect my identity from the websites I'm visiting?
You use Tor for multiple reasons. Not just protection from Big Brother. Protect yourself if someone doesn't like your views that you may post on a website? Protect your free speech and my identity. Last I checked... protecting my privacy is not illegal. If that was the case... then paper shreders should be illegal. I shred my spam snail mail and bank statments.

I don't see anything wrong with fighting "Big Brother". There is no reason a .gov or big corp needs to know what I'm doing all the time. If I'm doing something illegal, bug my phone, car, computer, follow me in a black helicoptor. I don't care. But if I'm following the law, then don't invade my privacy.

I see what you're saying about the kids finding a gun. I don't have childeren, so I didn't think of that example. I was thinking more along the lines of someone broke into my house and stole my gun and used it in a crime. If I don't have kids, and I live alone... why should I lock my gun in a safe? I know I'm the only one who should have access to it. I may even keep it in my nightstand for protection. If someone breaks into my home in the middle of the night, I'm not going to have time to run into the basement to unlock my gun safe...

You can use the same example with a knife in your kitchen. Yes, I know it can be used to stab someone and possibly kill them. But, I normally use it to prepare my meals. Sometimes I'll use it as a makeshift tool (screwdriver). If someone comes in and steals knife out of my kitchen drawer and uses it in a crime... now I would be liable or an accomplice for a crime they commited just because I knew that a knife could be misused?

If I had to lock up everything that could be misused, my whole house would have to be a safe.
You can use a toothbrush as a weapon... melted and then sharpened on concrete...

Just because a technology exists that can be misused... does that mean that it should not exist or be used? It should be illegal?

Terrorists use computers... they should not exist? They use cell phone and pagers... they should not exist? They use email... it should not exist? They use GPS... but so do air line pilots and boaters and campers... etc. etc. etc.

[phishphreek]

Originally posted here by Negative
It's the 4-year old finding a gun in the house and shooting his 3-year old brother with it... if you have it "hidden" in a shoe box in your closet, do you think the jury is going to care? I wouldn't...

HOUSTON - A 2-year-old remained in critical condition Sunday after being shot by his 4-year-old brother, who may not have known the difference between a real and toy gun, police said.

http://www.kansascity.com/mld/kansas...n/11132502.htm

Did you read that last night? Or is this just a coincidence?

[Negative]

I heard about it, yes... the mother is probably facing criminal charges.

Phish > It's not about someone breaking into your house and stealing your gun to commit a crime (and you're right... if you live by yourself, you can keep your gun in the middle of the living room floor as far as I care ) - the analogy would be you putting your gun in the middle of the room, opening your front door, and going out to a club for the night... if you return in the morning, your gun has been stolen and murder has been committed with it, don't you think you'll be held partly responsible?

It happened with Napster, so why not with this? The judge reasoned that it can be used for criminal activities, and shut them down... the analogy you made with the kitchen knife shows how absurd it is: it would be like a judge making knifes illegal because they can be used to commit murder... absurd, but Napster got shut down because of reasoning like that...