Re: What can see a server of a Bittorent when I contact with it through Tor?
On 02/23/2010 05:04 PM, Marco Bonetti wrote:
> Bill Weiss wrote:
>> They can all see your real IP. That's how other nodes know how to get
>> packets to you.
> only peers of the swarm you connect to will have your real ip. the
> tracker will probably just see your exit node one and announce it to
> other peers as well.
> there was a similar thread in this very mailing list last year, we also
> end digging up a proposed BitTorrent RFC too :)
>

I run a 500kb/sec~ exit node and all my logs (IMAP, SSH, HTTP, etc) are completely flooded with bittorrent connection attempts when Tor is running...

***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
Re: Create a SAFE TOR Hidden Service in a VM (Re: Please Help Me Test my Hidden Service Pt. 2)
One update that should be noted is that this doesn't protect against "bad nanny" attacks. With full disk encryption, the boot partition isn't encrypted (as you have to load it so it can ask for your passphrase and decrypt the rest of the drive). If the machine isn't physically secured, it's vulnerable to this type of attack.

Solidarity,
Ringo

7v5w7go9ub0o wrote:
> Good job!
>
> IMHO this is a very nice paper; well written!
>
> (Adjusted the title of this post a bit, in case the readers weren't
> aware your goal )
>
> (FWIW, some might want to read the paper - to gain a lot of insight and
> background - and then download/test a copy of your (sanitized) .img
> file. First running of the VM would be -with- saving of any changes to
> the VM so as to create and save a unique, permanent service name;
> subsequent runs discard changes!?)
TorChat is a security hazard
Hello.

I'm in no way a security expert. I never ran "TorChat" but I did read the source code. Read on why I haven't run it.

"TorChat" is an unofficial chat client for the Tor network. I like the idea behind "TorChat": easy to use, usb-stick portable and runs on Windows 98.

These are the problems I see with "TorChat":

1. No authentication. There is no way you can know for sure that the person you are chatting with is the person you chatted with yesterday. Tor's hidden services don't make any such guarantees about incoming connections. The clients stay anonymous.
2. To make things even worse, the only information needed to impersonate a buddy is their .onion address.
3. Buddies have control over your buddylist. It is just a matter of identifying as a buddy and telling the software to remove this said buddy.

I don't think these are the only problems, but the first one alone is enough to conclude that "TorChat" cannot give adequate security. It's too easy to impersonate people. "TorChat" lives off the name of the Tor Project, but unfortunately doesn't deliver.

It is possible to run Off-the-Record Messaging over Tor. Off-the-Record Messaging has all kinds of features: encryption, perfect forward secrecy and deniable authentication. And it doesn't have the problems of "TorChat".

Best regards,
Paul
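The three problems listed in the message above, as an added example that is not part of the original post and is not TorChat's code: a simplified model in which a peer is accepted on its claimed .onion address alone, next to one that demands proof of a pinned key. The class names, the `remove_me` command and the HMAC challenge-response over a key shared out of band are assumptions made for illustration (a stand-in for real authentication, not OTR), and the address is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

ADDR = "constructedbuddy.onion"  # constructed placeholder, not a real service


class NaiveBuddyList:
    """The weakness described: a peer is whoever it claims to be."""
    def __init__(self, buddies):
        self.buddies = set(buddies)

    def handle(self, claimed_addr, command):
        if claimed_addr not in self.buddies:
            return "rejected"
        if command == "remove_me":
            self.buddies.discard(claimed_addr)
        return "accepted"


def prove(key, nonce, command):
    """Bind the proof to a fresh nonce and to the command being sent."""
    return hmac.new(key, nonce + command.encode(), hashlib.sha256).digest()


class PinnedKeyBuddyList:
    """Assumed fix: a per-buddy key pinned out of band, proven on every command."""
    def __init__(self, pinned):
        self.pinned = dict(pinned)   # address -> shared key
        self.pending = {}            # address -> outstanding single-use nonce

    def challenge(self, claimed_addr):
        self.pending[claimed_addr] = secrets.token_bytes(32)
        return self.pending[claimed_addr]

    def handle(self, claimed_addr, command, proof):
        key = self.pinned.get(claimed_addr)
        nonce = self.pending.pop(claimed_addr, None)  # consumed even on failure
        if key is None or nonce is None:
            return "rejected"
        if not hmac.compare_digest(prove(key, nonce, command), proof):
            return "rejected"
        if command == "remove_me":
            del self.pinned[claimed_addr]
        return "accepted"
```

Because each nonce is single-use and the proof covers the command, a captured proof cannot be replayed or reused to authorise a different request.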
Create a SAFE TOR Hidden Service in a VM (Re: Please Help Me Test my Hidden Service Pt. 2)
Good job!

IMHO this is a very nice paper; well written!

(Adjusted the title of this post a bit, in case the readers weren't aware your goal )

(FWIW, some might want to read the paper - to gain a lot of insight and background - and then download/test a copy of your (sanitized) .img file. First running of the VM would be -with- saving of any changes to the VM so as to create and save a unique, permanent service name; subsequent runs discard changes!?)
Re: What can see a server of a Bittorent when I contact with it through Tor?
Bill Weiss wrote:
> They can all see your real IP. That's how other nodes know how to get
> packets to you.

only peers of the swarm you connect to will have your real ip. the tracker will probably just see your exit node one and announce it to other peers as well.
there was a similar thread in this very mailing list last year, we also end digging up a proposed BitTorrent RFC too :)

--
Marco Bonetti
Tor research and other stuff: http://sid77.slackware.it/
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My GnuPG key id: 0x0B60BC5F
Re: What can see a server of a Bittorent when I contact with it through Tor?
On Feb 23, 2010, at 07:36 AM, Bill Weiss wrote:
> James Brown(jbrownfi...@gmail.com)@Sun, Feb 21, 2010 at 04:05:33PM +:
>> I set my BitTorrent client for contacting with tracker through Tor.
>> What can see a server of a BitTorrent when I contact with it through Tor?
>> As I understand there are ip-addresses of exit-nodes in the headers of
>> ip-packets. But I want to know are there my real ip-addresses in the all
>> content of such ip-packets? How the Bittorrent server give other users
>> about me - through ip or by another way?
>> I want to be anonymous at least for the tracker, its ISP and state
>> powers control the territory when its server are based.
>
> They can all see your real IP. That's how other nodes know how to get
> packets to you.
>
> You could configure it to do everything through BitTorrent, but:
> 1) Don't do that. The speed will be horrible. Like, slower than getting
> a second job at minimum wage and making enough to buy whatever you're
> downloading. Even free stuff, which you could pay someone to burn to
> disk and mail you.
>
> 2) Don't do that. DMCA notices to exit nodes by people who don't realize
> the above suck, and will cost us exits in the long run.

This is why specialized anonymity services for filesharing exist, like MUTE, Gnunet, and Freenet. Perhaps Tor FAQ's on bittorrent should include them as alternatives.

>
> --
> Bill Weiss
>
> you know me, I like to remove as much personal freedom as I can
> when programming
> which we can call API Developer's Jock Itch --- Watson Ladd
Re: What can see a server of a Bittorent when I contact with it through Tor?
James Brown(jbrownfi...@gmail.com)@Sun, Feb 21, 2010 at 04:05:33PM +:
> I set my BitTorrent client for contacting with tracker through Tor.
> What can see a server of a BitTorrent when I contact with it through Tor?
> As I understand there are ip-addresses of exit-nodes in the headers of
> ip-packets. But I want to know are there my real ip-addresses in the all
> content of such ip-packets? How the Bittorrent server give other users
> about me - through ip or by another way?
> I want to be anonymous at least for the tracker, its ISP and state
> powers control the territory when its server are based.

They can all see your real IP. That's how other nodes know how to get packets to you.

You could configure it to do everything through BitTorrent, but:

1) Don't do that. The speed will be horrible. Like, slower than getting a second job at minimum wage and making enough to buy whatever you're downloading. Even free stuff, which you could pay someone to burn to disk and mail you.

2) Don't do that. DMCA notices to exit nodes by people who don't realize the above suck, and will cost us exits in the long run.

--
Bill Weiss

you know me, I like to remove as much personal freedom as I can
when programming
which we can call API Developer's Jock Itch