scarp: > Joe Btfsplk: >> On 2/18/2013 9:01 PM, Mysterious Flyer wrote: >>> Ummmmm. I am the REAL [email protected]. I guess it's >>> super-duper easy for a person's user names and passwords to get >>> hacked when accessing e-mail over Tor. I also noticed that >>> someone has been reading my gmails (since they were marked as >>> read), so I changed my password over there and will never access >>> gmail through Tor again. Someone ALSO made a copy of my debit >>> card and tried to use it in another state, but that may be >>> coincidence. Does anyone have any knowledge as to HOW a hacker >>> may get this information? Is it through an exit server? I >>> certainly never made any online purchases through Tor. >>> >>> >>> >>> On 2/11/2013 9:51 PM, Griffin Boyce wrote: >>>> There are some good ones out there, but if you're using Tor to >>>> create the account and login, you should know that many have >>>> started blocking Tor users (or deactivating their accounts in >>>> the case of Yahoo). Size could also be an issue, but if you're >>>> deleting them off the server on download, then that problem >>>> goes away. >>>> >>>> ~Griffin >>>> >>>> On Mon, Feb 11, 2013 at 10:10 PM, Mysterious Flyer < >>>> [email protected]> wrote: >>>> >>>> >> Will the real Mysteriousflyer please stand up? Maybe the list >> admins can trace the 1st mysteriousflyer & your emails, back to the >> origin & gain some knowledge. I don't know about the dual use / >> acct hacking, but if you send unencrypted data through a Tor exit, >> a malicious relay operator could capture it. This is & has been >> well documented for ages. "DON'T send any critical data, if not >> using secure connection (or encrypted file) through Tor." Treat it >> like you would dealing w/ your bank - you wouldn't do business on a >> non secure connection (with the destination site). > >> Do you use gmail's https connection - both w/ Tor & w/out? You >> should. If you don't, they could have gotten your PW, if using a >> regular browser or Tor Browser. > >> If you use gmail's (or any) https connection, it's no easier for an >> exit relay to steal your PW than anyone else, AFAIK. It's still an >> encrypted connection. > >> But, as news stories point out, there are many ways for hackers / >> con men to get your PW other than running a Tor relay. If your PW >> wasn't that strong, they could easily hack it using software. I >> assume they didn't have your PW reset, but that's another way >> hackers do it - if they can guess security question answers, or >> they know you or something about you (or can look it up). > >> How would they make a copy of a debit card through Tor or your >> Gmail acct? Do you keep a picture or all data of the card, >> unencrypted in your email acct? Also, using a credit card is >> generally safer than debit cards. You're better protected by the >> contract of most CC companies. >> _______________________________________________ > > When I read this I was thinking "hmm, if he was using https" then it's > unlikely that this could occur. I'm pretty sure that's the default > nowadays anyway, especially for authentication. > > You can further tighten security by using two-factor authentication. > > My guess would be they got the password some other way other than > posing as a malicious tor exit node.
Or he just ignored the SSL warning like so many people do. _______________________________________________ tor-talk mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
