AnonTechie writes "The Tor Foundation is moving forward with a plan to provide its own instant messaging service called the Tor Instant Messaging Bundle. The tool will allow people to communicate in real time while preserving anonymity by using chat servers concealed within Tor's hidden network. In planning since last July, as news of the National Security Agency's broad surveillance of instant messaging traffic emerged, the Tor Instant Messaging Bundle (TIMB) should be available in experimental builds by the end of March, based on a roadmap published in conjunction with the Tor Project's Winter Dev meeting in Iceland.
TIMB will connect to instant messaging servers configured as Tor "hidden services" as well as to commercial IM services on the open Internet."
(Score: 5, Interesting) by epitaxial on Sunday March 02 2014, @04:12PM
I don't trust TOR because firstly it was funded by the US government. Secondly a version with a vulnerable version of Firefox was released to bust that kiddie porn ring. Was that build of Firefox bundled intentionally by someone?
(Score: 2, Informative) by e on Sunday March 02 2014, @05:07PM
What? No. Nothing about "Secondly a version with a vulnerable version of Firefox was released to bust that kiddie porn ring. Was that build of Firefox bundled intentionally by someone?" makes any sense. There was at one point a version of the Tor Browser Bundle that people downloaded. Then it was updated, because a vulnerability was found in Firefox. Some people didn't upgrade their browser bundle (even though it warns every time you use it, when it's out of date), and those non-upgraded versions were exploited some time (over a month) after the update became available.
(Score: 1) by epitaxial on Sunday March 02 2014, @09:29PM
Wasn't the build of Firefox included in the Tor bundle already old when it was released?
(Score: 2) by Angry Jesus on Sunday March 02 2014, @10:36PM
It was an extended support release [mozilla.org] as would be appropriate for an embedded application like the Tor bundle.
(Score: 1) by GmanTerry on Sunday March 02 2014, @04:12PM
This is good. Anything that can be done to slow down our overlords is good.
Since when is "public safety" the root password to the Constitution?
(Score: 4, Insightful) by DarkMorph on Sunday March 02 2014, @04:13PM
This reminds me of the idea, "How do you reveal a secret without telling the wrong person? Tell everyone at once." Between the two it's probably better to have the message in the clear but the author remains unknown.
(Score: 1) by e on Sunday March 02 2014, @05:19PM
Huh? It's both anonymous and private, since it uses both Tor and OTR.
(Score: 3, Interesting) by frojack on Sunday March 02 2014, @10:41PM
Slightly dated article on this explains the degree to which the NSA has managed to penetrate TOR.
http://www.informationweek.com/traffic-management/nsa-battles-tor-9-facts/d/d-id/1111857 [informationweek.com]?
A FAQ is here: http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/everything-you-need-to-know-about-the-nsa-and-tor-in-one-faq/ [washingtonpost.com]
Synopsis: NSA has de-anonymized a very few tor users, but left unsaid is how much traffic they can decrypt even if they don't know who the user is. Bruce Schneier thinks they haven't broken the encryption yet.
No, you are mistaken. I've always had this sig.
(Score: 5, Funny) by martyb on Sunday March 02 2014, @05:58PM
I hear this is the alpha version of the release, or as they'd put it an "experimental release". So that makes it: Tor Instant Messaging Bundle - Experimental Release. (aka TIMBER!)
It's only for lumberjacks. ;^)
Wit is intellect, dancing.
(Score: 2, Insightful) by Anonymous Coward on Sunday March 02 2014, @08:28PM
why in god's name does everything have to go through a 3rd party? ... well tor provides so called onion domains. .. again.
email? you need gmail, hotmail, ymail?
file storage? you need dropbox?
IM? you need to connect to a server first.
need a unique name (domain)? get ready to be fleeced?
BUT!
you have internet.
your friend has internet.
connect directly already.
as for "resource location"
problem solved.
anything using tor and NOT going direct is again somebody who is trying
to get in the way
(Score: 2) by maxwell demon on Sunday March 02 2014, @10:35PM
Most people don't have their computer running 24/7. But if you're sending mail, then the receiving computer must be running in the next few days, or the mail delivery fails. Therefore there are mail servers: Computers which are running 24/7, and where the sender can send the mail whenever he wants, and the receiver can download it whenever he wants.
Dropbox is not about file storage, but about file distribution. It basically serves the same purpose as a mail server: As a sort of buffer between the sending and the receiving computer. Of course you could also use mail for the same purpose; dropbox just makes it easier.
Anyway, if you are using Tor, it also goes through a third party. Several of them, indeed.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Insightful) by maxwell demon on Sunday March 02 2014, @10:41PM
A slight correction: The "in the next few days" only applies if you use the relay functionality of SMTP, which also needs third-party servers. If you want to really pass the mail directly to the recipient, the recipient's computer must be running at the exact time when the mail is sent.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by monster on Monday March 03 2014, @09:02AM
A slight correction over the correction: Non-instant delivery of SMTP doesn't require third party servers, it just requires both computers to be online at the same time when a retry occurs, not when the mail is sent.
(Score: 1) by NovelUserName on Sunday March 02 2014, @11:18PM
My understanding is that the middleman problem is to deal with the non-static IP problem. If every user has a static IP, then great, you can connect directly, otherwise you will need some method of identifying the current IP of the person you want to talk to. The traditional solution is to have both parties connect to a server, which then assigns connections based on their login credentials. I suppose you could have the server just pass the correct IP to each party, thus facilitating a direct connection, however, a record of the communication still exists. I suppose you could have each party periodically download a full list of the current IP addresses known to the server, thus obscuring the specific connection made to everyone except the ISP. This, however, seems data intensive, and since most people care more about their bandwidth cap than privacy, you and I aren't going to get a solution like that.
(Score: 1) by monster on Monday March 03 2014, @09:06AM
That is precisely what DNS is for. Too bad so many PCs on dynamic IP connections are infected with SPAM-sending trojans that most big email providers require also inverse DNS to accept email from those IPs, which is a lot harder to get (you need to convince your ISP to set it for you, and update it whenever your IP changes).
(Score: 0) by Anonymous Coward on Monday March 03 2014, @02:34AM
One word: IPv6. The limitations in the 32-bit address space of IPv4 ensure that the Internet continues to be divided into those who have a publicly routable static IP address, and those who can only be clients because their IP keeps changing, or worse yet, live behind one or more NATs. All of this goes away with IPv6, and it really is the only way to go forward.
(Score: 0) by Anonymous Coward on Sunday March 02 2014, @10:02PM
Servers can be compromised. In this case, without OTR initially the cleartext of your messages will be sent to unknown servers. Not a good design!
The community needs a design that keeps both the data (your messages) and metadata (your identity) a secret.
(Score: 1) by _NSAKEY on Tuesday March 04 2014, @02:48AM
They're bundling OTR with it, and anyone who is talking about anything worth hiding from prying eyes is going to assume that the servers are compromised anyway. If the origin of the messages from both parties is anonymized (This includes not recycling the same username), and the messages themselves are encrypted, then it can be argued that it doesn't matter as long as the OTR keys are properly verified.
Unless there's a backdoor in OTR...