
SIM Card Forces All of Your Mobile Data Through Tor - walterbell
https://motherboard.vice.com/en_us/article/d3qqj7/sim-card-forces-data-through-tor-brass-horn-communications
======
dogma1138
Nonsense they are an MVNO they don’t really control their network they and
their provider still track you (even if only for signaling purposes) and the
SIM card can’t really block anything they just route all your data through TOR
which is actually a pretty poor thing to do from an OpSec perspective.

Also with mobile phones data only or not all mobile phones must be able to
call emergency services and provide their location data if you are so paranoid
that you elect to use TOR for everything you might considering never touching
a mobile phone again.

~~~
logicallee
>they just route all your data through TOR which is actually a pretty poor
thing to do from an OpSec perspective.

Could you elaborate? (On the second half, i.e. why you say so.)

~~~
dogma1138
Because TOR provides anonymity not privacy, privacy and anonymity are in
principle opposites the more private something is the less anonymous it is and
vise versa.

Privacy is the agency you have over controlling your interactions and
information, anonymity is the level of distance you have between a certain
interaction and your identity.

A private conversation cannot be anonymous because you need to be able to
establish and verify the identity of the parties involved and have trust in
them not to dessiminate that information further.

TOR focuses on anonymity which means that if you use it to access things in
private such as your gmail or bank account that anonymity goes out the window
as you now can be tied to an identity.

Pushing everything through TOR can also include services that are not
anonymous by definition which can expose your identity.

~~~
logicallee
I think this is an interesting perspective but I need more clarification.
Let's take these cases:

1\. I am the only user of my logicallee front-end on a server somewhere.
Nobody knows who I am. I'm also a shitty admin and don't have ssl enabled
properly, everyone between me and the server can see everything between us.

2\. Same thing but now I'm a good admin and the conversation with the server
is private and nobody can break.

3\. Same as 1 except this time instead of being the only user, 1.2 billion
other users use it too. Google is a shitty web admin and anyone can decrypt my
gmail session.

4\. Same thing as 3 except this time Google is a great sys admin and so people
can't decrypt session info.

Can you talk about the privacy and anonymity levels of these 4 scenarios? What
about a scenario 5 where Google is the world's perfect possible admin and
their servers are coded to be so secure, nobody at Google can access anyone's
inbox or what mail they're sending in practice. Obviously they can in theory,
but assume their practice is perfect and doesn't do that.

Really interested in your answers.

~~~
rsync
"Can you talk about the privacy and anonymity levels of these 4 scenarios?"

Your thinking is going in the right direction here, but you should consider
some deeper analysis of your behavior ...

In your example, 1.2B people access gmail - so far, so good.

But how many people access gmail and HN ? How about gmail and HN and MeFi ?
All during US timezone waking hours ? You can see where I am going with this.

Now let's look at a different angle - you _only_ visit gmail, so you're safely
back in the 1.2B herd, right ? But how many people visit gmail with OSX ? With
OSX vX.Y ? With your screen resolution, your enabled fonts, and your patch
level? You might be very surprised at how unique your web hit really is.[1]

The point being made here is that if you funnel all of your usage (traffic ?)
everywhere, you create a usage "fingerprint" that can then be noticed or
logged or tracked or correlated anywhere else you go.

It's not hopeless - you _could_ spin up a throwaway VM that you would _only
use for gmail_ and nothing else, but again - there are opsec considerations
there that can sink the whole operation, just like above, if you aren't _very,
very careful_.

[1] [https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
logicallee
Are you specifically saying that if someone wants to post to "get you
killed.com", the web site for "Exposés that'll probably get you killed. Have
an exposé you want to post that'll probably get you killed? Post them here
now! We're on tor, too" then out of these two versions:

1\. Only log in to tor to visit "get you killed.com" once you're ready to post
the stuff that'll get you killed. No other tor usage.

2\. Do all your usage through tor, including making your "get you killed.com"
post but everything else too.

Then out of these two versions, the person who is doing (1) is safer than the
person doing (2)?

------
Rjevski
Nice publicity stunt but completely useless from an anonymity perspective.

On their website, they mention the following:

> Simply, your mobile device can't connect to the Internet, it can only
> communicate with a Tor Bridge within our closed network.

> Configure the Tor daemon on your device to use the bridge at
> 10.11.12.13:9000 and wait for the network to bootstrap.

This means they are hosting the Tor bridge themselves, but the device's
traffic is still going through the carrier's network in plaintext (it's weakly
encrypted over the radio link to the tower but unencrypted after that).

Technically the Tor daemon is still running on your device, but is forced to
use _their_ bridge with no other options. I'm not too familiar with Tor but
surely this can't be good for security right? I can imagine an attacker on the
other side of their bridge spinning up a fake Tor network pretending to be the
real one (a "sybil attack" with tons of fake nodes).

Basically they're giving you the worst of both worlds. The inconvenience of
using Tor with none of the security & anonymity benefits.

I am involved in the mobile industry and this kind of bullshit really makes me
sad. They're eroding customer's trust not just in them but in the industry as
a whole, making it more difficult for anyone that actually provides a good
service.

~~~
aunty_helen
>This means they are hosting the Tor bridge themselves, but the device's
traffic is still going through the carrier's network in plaintext

The traffic is encrypted using the onion layering scheme on the device. The
bridge node is the entry point for this traffic to the tor network.

>an attacker on the other side of their bridge spinning up a fake Tor network

The client creates the 'circuit', all the bridge node knows is who is
connecting to it, it then unwraps its onion layer, finds an encrypted packet
and a forwarding address and then sends it on.

~~~
jarfil
How does the client know which nodes are available to establish a circuit?
Couldn't they create a fake Tor network and supply a list of its nodes to the
client to choose from?

~~~
ikeboy
There's a list of directory authorities hard coded in

------
m-p-3
Yet, you still need to remember that even though your data is going through
Tor you still need to ensure that the data still doesn't contain personally
identifiable info, and a carrier can still track your position by
triangulation of cell sites.

Tor isn't the holy grail of anonymization the media makes it to be, it's just
a tool that you still need to use correctly to protect yourself.

------
hadrien01
Could we change the url from the AMP one to
[https://motherboard.vice.com/en_us/article/d3qqj7/sim-
card-f...](https://motherboard.vice.com/en_us/article/d3qqj7/sim-card-forces-
data-through-tor-brass-horn-communications) ? The normal one loads much
faster.

~~~
lettergram
That is ironic if true...

~~~
Wowfunhappy
AMP _always_ seems to be slower for me. I don't understand what Google is
doing.

~~~
richjdsmith
I'm the same. The only exception to that rule is the Google 'quick launch`
chrome browser. Otherwise, AMP is always slower.

It actually got to the point where I installed a plugin in Firefox Mobile that
autoredirects all AMP pages to their HTML counterpart. Life is better this
way.

[https://addons.mozilla.org/en-
US/firefox/addon/amp2html/](https://addons.mozilla.org/en-
US/firefox/addon/amp2html/)

