[nikcub]

Tor being pitched as a one-stop privacy solution like this is going to backfire bad at some point in the future. It is good that they have the warning about cookies, but there are a hell of a lot of other ways you can be identified.

You simply shouldn't be using the same machine you use with your real identity with an identity that needs to be anonymous. Even simply things like ntp time sync request can give you away, let alone features like Windows Update (which will definitely give you away since they send a machine ID), browser fingerprinting, evercookies, etc.

Nobody can think of all the different things a machine can send that need to be blocked or reset, which is why you just use a fresh new machine. It is the only way to use Tor safely.

Any device that makes it easier to use Tor with your existing computer is bad for privacy. Especially something being pitched as an 'on/off' switch for instant privacy.

edit: A good setup is the following: install virtualbox, install a light-weight linux distro as a tor router, setup a private and isolated network behind it and then install your 'client' operating system on that private and isolated network in a second virtual machine. Never use the same client machine for long and use the virtual machines snapshot feature to blow away your data every x hours/days (and never use the suspend feature of virtual machine software, it saves your memory (with passwords, keys, etc.) onto disk).

[grugq]

There is some more indepth info on problems with trusting Tor (or any off the shelf "anonymity" solution) here: http://grugq.github.io/blog/2013/06/14/you-cant-get-there-fr...

Also there's a more secure version of the RaspberryPi Tor router here: https://github.com/grugq/PORTALofPi

It was submitted by someone last night under a terrible title, so it died a sad death in the "new" page.

[dfc]

Even simply things like ntp time sync request can give you away

I'd really like to hear more about this one.

Murdoch's hot-or-not required a lot more than an ntp sync request and was concerned with identifying hidden services.

[nikcub]

The theory is that the frequency of requests, timezone, server being used and time skew (see also[1]) provide enough bits of information to identify a client.

The exit node or ISP could also forge a response and set the clock a unique amount of time out of sync which can later be identified over a non-anon network.

Whonix, the privacy oriented Linux distribution which uses two virtual machines (an isolating proxy and then a client on a private network) disable NTP by default and require the user to sync time out-of-band because of these concerns. There is a section in their docs about NTP[2]

[1] http://www.reddit.com/r/onions/comments/10usgv/clock_skewing...

[2] http://sourceforge.net/p/whonix/wiki/Advanced%20Security%20G...

[dfc]

At first glance the first two paragraphs are hand wavy enough that it is pretty clear that you exaggerated when you said "simply ntp synch requests" and things get a lot worse after paying any attention to the details in your post.

Timezones and NTP? NTP does not use time zones so I am not sure what that has to do with anything.

Exit nodes forging ntp responses? That is going to be pretty tough. Last time I checked tor has a tcp fetish and ntp is squarely in the udp camp.

I checked the reddit link. Lets skip over the fact that you said "identify a client" and the reddit link is about hidden services. In order to work it requires that the hidden service serves http, serves http over plain ipv4, and is running on a computer that is also a relay. So that is not "simple" but most importantly it has very little to do with ntp requests.

I'm not going to lie, I stopped reading the whonix documentation after the first three paragraphs and i have pasted them below:

  Don't wonder... To prevent against time zone leaks, the system clock
  inside Whonix was set to UTC. This means it may be a few hours before
  or ahead of your host system clock. Do not change!

  On the host. If you were a user of TorBOX 0.2.1 or below and removed
  NTP, restore it now.

    sudo apt-get install ntpd

Can you see why I stopped reading when I did? It seems like you may have disremembered the details of the "simple ntp synch requests" can give a way a users identity attack.

[gus_massa]

For example, you can test the browser fingerprint with the Panopticlick service of the EFF: https://panopticlick.eff.org/ My report:

Browser Characteristic: bits of identifying information User Agent: 9.43 HTTP_ACCEPT Headers: 19.19 Browser Plugin Details: 21.51+ Time Zone: 7.13 Screen Size and Color Depth: 5.38 System Fonts: 20.51 Are Cookies Enabled?: 0.43 Limited supercookie test: 4.41

I'm a unique snowflake!

Total (assuming independence): 87.99 Word population (log_2): 32.73