So this is something you should only be using tor applications through? The benefit of a tor box is that it's much more immune to exploitation from the local machine leaking data - if done right.
It'd be nice if you could simply point tails at this but afaik it's bad to do tor over tor.
arsome 1082 days ago [-]
Not necessarily only Tor applications, also works well for VMs/physical machines created specifically to be used directly in a Tor only environment, where none of your data is otherwise associated with them.
I use this for malware reverse engineering for example.
EveYoung 1082 days ago [-]
You could use Whonix instead and run the Whonix-Gateway on a different machine (e.g., Rasperry Pi).
hnjst 1081 days ago [-]
I couldn't agree more.
The proposed setup also makes devices properly configured to leverage tor "anonymity" features vulnerable to misconfigurations of other devices using the network that is routed over tor (through the same circuit) in various ways.
GoblinSlayer 1082 days ago [-]
>Also, this pattern can create false sense of security.
Tor provides obscurity, not security, even for applications designed to use tor. And even then obscurity isn't lower, in clearnet you have zero obscurity.
vmception 1082 days ago [-]
Correct, I think the best use case for this is if it functioned as a dedicated Tor Exit Node, but I don't get the impression that it does that
traspler 1082 days ago [-]
It's commendable that the project states "anonymity is hard to get – solely using Tor doesn’t guarantee it" and "it is strongly advised not to use TorBox if your well-being depends on your anonymity". Other such solutions like to gloss over the fact that "using tor !== anonymity" and even the Tor Browser does a lot more to help with anonymity than just route your traffic through tor.
I'm still not sure where such a solution would be a good choice though. Getting access to the broader, uncensored internet is also not as easy as it seems in countries where this applies, e.g. China, as even getting an entry node that works is not easy so this is not a plug'n'play option anymore for that.
BelenusMordred 1082 days ago [-]
> uncensored internet is also not as easy as it seems in countries where this applies, e.g. China
The Chinese mostly use shadowsocks. Tor usage from a mainland ip entry point is incredibly low.
superkuh 1082 days ago [-]
I use shadowsocks-libev for everything these days. It's UDP so unlike TCP it isn't quite as vulnerable to, say, central government or ISP mediated forged TCP reset packets. It's way faster than a ssh socks proxy too since it isn't limited to one connection. And it's tiny and requires very little CPU resources and only about 2 MB of ram.
It's getting less and less funny that I have to use the same methods as chinese citizens living under a dictator for life just to avoid my ISP attacking my HTTP connections.
zo1 1082 days ago [-]
What would you say is a good place to find Shadowsocks? Looks like the main repo is empty: https://github.com/shadowsocks/shadowsocks with the readme stating "Removed according to regulations."
> Shadowsocks is a free and open-source encryption protocol project, widely used in China to circumvent Internet censorship. It was created in 2012 by a Chinese programmer named "clowwindy", and multiple implementations of the protocol have been made available since.
Shadowsocks and similar tools are mainly about obfuscating your traffic flow so it‘s harder to classify and block by the GFW, right?
The Tor Project has the „obfsproxy“ project for that I think, or is that aimed at something else? I always wondered why that did not overtake shadowsocks.
captainmuon 1082 days ago [-]
There are different kinds of anonymity. If you just want to hide you IP address from a specific website's operator, then you don't care much about being trackable or not. You just use Tor as a fancy IP spoofing technique. They know that you are you, but might find it harder to ban you or call the police on you. (Of course, they can just ban all of Tor. And of course this scenario is mostly useful for trolls... but I can imagine some cases where this you have a legitimate need to spoof you IP like this.)
1082 days ago [-]
traspler 1082 days ago [-]
But any of the VPN services out there do that for you without the incredible stigmata of having an IP of a Tor Exit Node and the reduced performance of the Tor Network.
gruez 1082 days ago [-]
On the other hand we definitely do want people to use tor for relatively innocuous reasons, so there's plausible deniability for all the people using it for legitimate reasons (eg. journalists, whistleblowers, etc.)
butt_hugger 1082 days ago [-]
Most of the stigma just comes from people on HN. Start by fixing that.
gradschool 1082 days ago [-]
Ironically, the project's web page greets Tor users with that ubiquitous Cloudflare captcha.
After a short moment of outrage I saw the important and required notice not too deep in the project description:
> [...] it is strongly advised not to use TorBox if your well-being depends on your anonymity. In such a situation, it is advisable to use Tails [...]
My advice for anyone considering this kind of setup (tunneling blindly a set of clients through tor) would be to 1) make sure they understand the limitations of the approach, especially when clients behave "normally" (a.k.a. actively leaking identifying information) while sharing a circuit and 2) have a look at the considerations that projects like the tor browser or tails are focusing on in order to measure how fragile tor "anonymity" features are.
I feel it's useful to insist on it: DON'T RELY ON THIS KIND OF SETUP FOR CRITICAL OPS.
Besides these warnings, I have a hard time figuring a sensible use case for this (I may lack imagination though). One useful (but unrelated, from what I got from my quick glance on TFA) feature of tor that I enjoy and that is orthogonal to its "anonymity" features is the ease of exposing an onion service (reverse tunnel like) from inside a firewall'd/NAT'd network.
vmception 1082 days ago [-]
Can I just order one of these? I never even glued the raspberri pi and fan and case together to even get to the point of loading this, and this package is supposed to be the convenience
I just want the tiny computer router out the box loading this
anybody have that?
osobo 1082 days ago [-]
Four your consideration: I think the continued updating of the package and the Pi to keep it from turning into a security hazard by itself will prove to be more work than just whacking together a Pi.
yosito 1082 days ago [-]
Ordering one of these is a bad idea because the physical device could easily be intercepted and have a backdoor or spyware installed.
nuker 1082 days ago [-]
> I never even glued the raspberri pi and fan and case together
Me neither... but I heard that hot glue works, on everything!
908087 1082 days ago [-]
If setting up a raspberry pi with this image is too much for you, you probably shouldn't be running it anyway... and that's even before getting into all the potential issues with buying one of these "ready to go" from someone else.
nuker 1082 days ago [-]
Can you switch to OpenBSD? It is the best for such things.
anthk 1082 days ago [-]
Security is not the same as anonymity.
Altough you have torsocks, tor, tor-browser and i2pd in ports in order to try.
I didnt try i2pd yet, tho.
Rendered at 09:06:18 GMT+0000 (Coordinated Universal Time) with Vercel.
Sorry for the uppercase, but transparent proxies are dangerous, *especially* if users are not aware of them.
Applications that are not explicitly designed to use Tor can often leak data or be vulnerable to malicious exit nodes.
Also, this pattern can create false sense of security.
See warnings:
https://gitlab.torproject.org/legacy/trac/-/wikis/doc/Transp...
It'd be nice if you could simply point tails at this but afaik it's bad to do tor over tor.
I use this for malware reverse engineering for example.
The proposed setup also makes devices properly configured to leverage tor "anonymity" features vulnerable to misconfigurations of other devices using the network that is routed over tor (through the same circuit) in various ways.
Tor provides obscurity, not security, even for applications designed to use tor. And even then obscurity isn't lower, in clearnet you have zero obscurity.
I'm still not sure where such a solution would be a good choice though. Getting access to the broader, uncensored internet is also not as easy as it seems in countries where this applies, e.g. China, as even getting an entry node that works is not easy so this is not a plug'n'play option anymore for that.
The Chinese mostly use shadowsocks. Tor usage from a mainland ip entry point is incredibly low.
It's getting less and less funny that I have to use the same methods as chinese citizens living under a dictator for life just to avoid my ISP attacking my HTTP connections.
https://en.wikipedia.org/wiki/Shadowsocks
> [...] it is strongly advised not to use TorBox if your well-being depends on your anonymity. In such a situation, it is advisable to use Tails [...]
My advice for anyone considering this kind of setup (tunneling blindly a set of clients through tor) would be to 1) make sure they understand the limitations of the approach, especially when clients behave "normally" (a.k.a. actively leaking identifying information) while sharing a circuit and 2) have a look at the considerations that projects like the tor browser or tails are focusing on in order to measure how fragile tor "anonymity" features are.
I feel it's useful to insist on it: DON'T RELY ON THIS KIND OF SETUP FOR CRITICAL OPS.
Besides these warnings, I have a hard time figuring a sensible use case for this (I may lack imagination though). One useful (but unrelated, from what I got from my quick glance on TFA) feature of tor that I enjoy and that is orthogonal to its "anonymity" features is the ease of exposing an onion service (reverse tunnel like) from inside a firewall'd/NAT'd network.
I just want the tiny computer router out the box loading this
anybody have that?
Me neither... but I heard that hot glue works, on everything!
Altough you have torsocks, tor, tor-browser and i2pd in ports in order to try.
I didnt try i2pd yet, tho.