Thursday, January 28, 2010

TOR cracked to catch child pornographers

Tuesday I wrote about TOR, The Onion Router. Wednesday in ZDNets "Zero Day" blog I read about a TOR server patch written for the purpose of catching child pornographers. Not just to the geographic location they are operating from, but to the computer they are working at. A worthy endeavor. But since the author, HD Moore of Metasploit fame, is releasing the source code, modified versions of the patch can be created to track anyone using TOR. This means TOR as a standalone item has become useless for protecting people who need protecting, i.e. human rights activists in oppressive countries, journalists and police under cover, and anyone with a legitimate need to keep their location hidden.

Moore (arguably) had good reason to do this. In Germany, at least, TOR is being heavily used, or is suspected of being heavily used, to traffic in child pornography, and the German authorities have been cracking down on TOR servers. But is the possible benefit in one admittedly important area worth the cost in several other important areas?

But there is an alternative the the TOR package by itself. It is also cross platform, and free. It will run on Intel Macs, Windows, and Linux. It is called JanusVM and runs in a virtual machine. It plugs the holes used by Moore's patch, and keeps your location obscured. From the Janus website:
JanusVM is powered by VMware, built on the Linux 2.6.14 kernel, and brings together openVPN, Squid, Privoxy, and Tor, to give you a transparent layer of security and privacy that is compatible with all your TCP based applications. DNS request are also passed through Tor so even your ISP doesn't know what web site you are looking at.

JanusVM is free, cross platform, and can take a little more setup than the basic TOR package, depending on how your network is setup. But if you need anonymity online, it's the best thing going now.