Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#2870 closed enhancement (invalid)

Security breach? Windows version always goes through same 'suspected' USA servers

Reported by: Al
Owned by: chiiph
Priority: Medium
Milestone:
Component: Archived/Vidalia
Version: Tor: unspecified
Severity:
Keywords: tbb windows
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Since less than 2 weeks in Mexico, I suddenly could not connect anymore with Tor to torproject.org, all of my email accounts, google.com, news.google.com, ixquick.com. But yes; indymedia.org, bing.com and most others.

I noticed I suddenly had new USA servers I hadn't had before, like BADASSx, Blackbox x, FordmodelA/x.

I tried to click them away, but it was like a virus and same or similar names returned at the same speed.

I used Tor for a few months before on a daily basis and had never seen this type of errors.

I reinstalled from the torproject.org website (the USB one with Pidgin), but always the same sites come back with the same connection problems. Also there is some file about settings, but it just looks ok and doesn't have the names of these servers mentioned as favorite.

Accidentally I installed Linux as second OS a week ago on my notebook and was very surprised that Tor just worked as before and having every time other servers (only yesterday I saw one of these servers showing up and clicked it away to be sure, which went ok without problem).

So I don't understand how it is possible:

  • With Windows Tor doesn't work for me anymore and goes through these obliged strange servers;
  • With Linux there -still- is no problem with the Tor install and I don't get these servers from the same location in Mexico.

Then everyone can start a Tor server + it's known that some scrupulous countries do, next to possible USA gov involvement in some. Then for Mexico the USA has a recent even stronger strategy and cooperation for security control, while we were at that time in a personal extreme delicate situation with USA-officials for political work.

Child Tickets

Attachments (1)

Start Tor Browser.exe (30.5 KB) - added by Al 8 years ago.
Start Tor browser.exe (is this Videlia?)

Change History (11)

Changed 8 years ago by Al

Attachment: Start Tor Browser.exe added

Start Tor browser.exe (is this Videlia?)

comment:1 Changed 8 years ago by Al

To be clear:

  • in the weeks before IN Mexico at the SAME location, the Windows Tor just worked fine without these servers;
  • it's a brand new HP notebook (skipped down a bit) and almost no occasion someone could have had access to it before these events happened. Also the newest Kaspersky PURE installed with all settings at maximum. Gives a report about pdm.keylogger in a BIOS update (while there doesn't exist a file), but this seems a common 'false-positive', as a specialist on the Kaspersky site points out (I'm not sure as USA gov wants producers to build in spy features).

comment:2 Changed 8 years ago by arma

What makes the relays 'suspected'?

I don't understand your bug report at all. What do you mean by "but yes" in the bug report?

Are you saying there's some conspiracy somewhere?

The set of relays that Tor uses changes over time, depending on who is volunteering fast relays at the time. That's how Tor works.

comment:3 Changed 8 years ago by Al

I gave all the info; extract about "what makes the relays 'suspected'":

  • suddenly could not connect anymore with Tor to torproject.org, all of my email accounts, google.com, news.google.com, ixquick.com.
  • I noticed I suddenly had new USA servers I hadn't had before, like BADASSx, Blackbox x, FordmodelA/x.
  • I tried to click them away, but it was like a virus and same or similar names returned at the same speed.
  • I used Tor for a few months before on a daily base and had never seen this type of errors.

"But yes":
I can connect to the mentioned sites through Tor

Conspiracy:
That is the definition about what humans do when they are together and not all exactly the same: There are a lot of servers from a lot of different individuals, groups and also gov related in one way or the other. I can understand that maybe a lot suddenly have blocked some services to free load for China and Africa, but it also blocks my anonymity using my email and looking for specific news. Maybe it is on ISP level in (parts of) Mexico. Maybe it's another program in my compu that suddenly does this, maybe without conspiracy. I don't know.

Follow-up:

After I changed to the USB Tor browser bundle *without* IM, the obliged servers BADASSx, Fordmodelx, Blackbox x, are gone. Well not always, but if one of them shows up, I finally *can* click them away (terminate) and another server shows up.

Still the problem remains with some important sites I can't reach through Tor *on Windows*; now I can change many servers with the different browser bundle, that second problem might not be server related. So I suspect something in Windows is triggering that second part. In Linux I can mostly reach the websites that seem to be blocked in Windows (only blocked when using Tor). I will re-try one of these days in my Linux install on the same compu, to see if the situation has changed.

comment:4 Changed 8 years ago by Al

Follow-up:

Tor now works as before (since 3 days)!

I can't be sure what causes it to work as before, as there are a lot of different possibilities in what I have no insight. Have there been server changes? Has my ISP or some secret service made something different? Etcetera?

But what I do know, is that the change coincided with removing Kaspersky PURE. The program made unasked-for connections (not-permitted Cloud file analyses) to their servers in China to Washington, Britain to Russia, etcetera. Trying to block it with PeerBlock was impossible, it just started to make 10 different connections a second, until it found one of their IPs that was not blocked. Sandboxing the avp.exe with Comodo worked, but then Kaspersky started sabotaging the internet connections of my other programs.

After removing Kaspersky (again: could be accidental and coinciding with some other change), I can connect again with Tor to my email accounts, to the torproject.org page itself, to news.google, etcetera.

Before, I had another positive change after removing the Tor browser+IM download and changing it for the Tor download without IM: Then I didn't have anymore the obliged USA servers BADASSx, Blackbockx, FordmodelA/x that I always got and could not click away even when clicking away 2 a second. Thereafter this part of the problem was resolved, but the other part (emails and some other connections blocked) continued until I removed Kaspersky.

OK; now I'd like to have some feedback here: Have there been major changes to the Tor servers (in USA/Mexico) that accidentally coincided with one of the two positive events I mention?

If not; can you investigate if it's possible that a security issue in Tor+IM could have been used to give me always those obliged USA servers?

Same for Kaspersky; could that have blocked some specific Tor made connections, while I at the same time could reach those IPs without using Tor?

For your information: we have an official government document that we are listed (although on intelligence falsifications for higher power politics and to protect their crimes of corruption), so it would be strange to think that we would not be monitored; that is just what they have to do.

comment:5 Changed 8 years ago by Al

Type: defect → enhancement
Version: Tor: unspecified

(have the browser bundle 1.3.24 since a week)

I haven't got the obliged servers back, until today:

My irc disconnects while I have the server dieseltorrelay (83.233.38.94)

It mostly seems to be connected to Brama2 and openBRAMA, which don't cause problems, but seem to call dieseltorrelay in a later stage (if not already there in the first place).

And when I want to click dieseltorrelay away, it comes back at the same speed, or openBRAMA or Brama2 seems to call it again.

The days before none of these problems. However; sometimes a server breaks my irc, so I just click that one away and it doesn't return as I have now again with dieseltorrelay (&Brama2 / openBRAMA).

So I just can't chat anymore, as dieseltorrelay breaks my chat and I can't get rid of that server, or the ones that seem to call this one.

=>

a)
Maybe a new feature in Vidalia with the Tor Network Map, so that one can specify what servers one doesn't want to connect to?

b)
Settings about what features one as user needs, so that servers that provide all the users features, get a higher priority in making the connections?

comment:6 Changed 8 years ago by Al

I could get rid of the problem by installing Tor again. It seems that Torbrowser stores all kind of connection data (privacy?) in sub-dirs. This data caused the error & was resolved after reinstalling. Only had to copy my plugin dir from the old install with all my plugins and user settings, but I know now where to find this.

comment:7 Changed 8 years ago by erinn

The Tor Browser Bundle stores the same kind of information that Tor installed in other ways stores. All of the Tor information you found was written by Tor itself. The difference is that it is kept in a localized directory structure so that you can remove it all, use it from a USB stick, etc.

comment:8 Changed 8 years ago by arma

It's entirely possible that Kaspersky was preventing you from browsing to certain websites directly. Antivirus programs pretty much uniformly suck.

As for the "my tor client picks a small set of relays to use as its first hop", that's a security feature:
https://torproject.org/docs/faq#EntryGuards
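As an added illustration of arma's point above (example code written for this page, not code from the ticket or from the Tor project): a small Python model comparing a client that picks a fresh random first hop for every circuit against one that sticks to a few entry guards. The network (2000 relays, 5% of them run by a single adversary) and the number of circuits are constructed assumptions, not figures from the thread.

```python
import random


def circuits_with_hostile_first_hop(total_relays, hostile_relays, circuits,
                                    guards=None, seed=0):
    """Count how many of `circuits` circuits start at a hostile relay.

    Constructed model (assumption, not from the ticket): relays are numbered
    0..total_relays-1 and the lowest `hostile_relays` of them belong to one
    adversary. guards=None picks a new random first hop for every circuit;
    guards=k picks k guard relays once and only ever uses those as first hops.
    """
    rng = random.Random(seed)
    hostile = set(range(hostile_relays))
    if guards is None:
        candidates = range(total_relays)
    else:
        candidates = rng.sample(range(total_relays), guards)  # fixed guard set
    return sum(1 for _ in range(circuits) if rng.choice(candidates) in hostile)


def exposure_rate(trials, **model):
    """Fraction of simulated clients whose first hop was hostile at least once."""
    exposed = sum(1 for s in range(trials)
                  if circuits_with_hostile_first_hop(seed=s, **model) > 0)
    return exposed / trials


def analytic_exposure(total_relays, hostile_relays, circuits, guards=None):
    """Closed-form approximation: each independent first-hop choice is hostile
    with probability f. Without guards there are `circuits` such choices and the
    exposure tends to 1 as the client builds more circuits; with guards there are
    only `guards` choices, so the exposure is capped no matter how many circuits
    are built (sampling without replacement is ignored here)."""
    f = hostile_relays / total_relays
    draws = circuits if guards is None else guards
    return 1 - (1 - f) ** draws


if __name__ == "__main__":
    model = dict(total_relays=2000, hostile_relays=100, circuits=1000)
    print("random first hop every circuit:", exposure_rate(200, **model))
    print("three fixed entry guards:      ", exposure_rate(200, guards=3, **model))
    print("analytic, random / guards:", analytic_exposure(**model),
          analytic_exposure(guards=3, **model))
```

The simulated guard rate stays close to the analytic 14% while the random-first-hop rate reaches 100%, which is the trade-off the linked FAQ describes: a fixed guard set makes the client unlucky with a small probability once instead of eventually certain.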

comment:9 Changed 8 years ago by rransom

Resolution: invalid
Status: new → closed

comment:10 Changed 8 years ago by karsten

Keywords: tbb windows added
Milestone: Tor Browser Bundle for Windows