Re: Is gatereloaded a Bad Exit?
On Fri, Feb 11, 2011 at 6:58 AM, John Case c...@sdf.lonestar.org wrote:
> No, there is no _technical_ reason to operate an exit in this fashion. There is no reason, from a myopic, borderline autistic view of the externalities involved, to run an exit in this fashion. However, I can think of many, many reasons to:
> - run a node with no contact information
> - run a node with an odd set of exits
> - run a node with plain (unencrypted) exits
> - run a node with odd (non standard port) exits

Can you please list some of the reasons for doing all of this at the same time? Since you reply here I assume you have read the posts in this very long thread, and Mike has already countered the given reasons, from a non-technical perspective. It would be nice if you could give an example that has not already been brought up, since you seem to know some.

*** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
Re: Best Hidden Service web server?
On Sun, Jan 9, 2011 at 7:37 AM, hi...@safe-mail.net wrote:
> Original Message
> From: Orionjur Tor-admin tor-ad...@orionjurinform.com
>> Is it a bad idea to use an apache for a hidden service?
> Not at all. I'm actually recommending it over any other because it's complex and has a lot of traps for you to fall into. That sounds ridiculous, right? No it isn't, because that will force you to learn it and secure it, instead of just relying on a simple and easy-to-use webserver without having any intention of learning anything about security. Security should be your main concern and main focus as a hidden service operator, not taking the easy route and then laying back and thinking that you're safe just because you installed a simple and lightweight webserver.

So you are actually recommending a piece of software with thousands of options with no real idea what the default will allow, 90% of which the average home-hoster will not need and will thus not test. And this over, say, some minimalistic 1000 LOC static-page server? And this for security?
Re: BDS VPNs hosting
On Fri, Dec 31, 2010 at 2:18 PM, Jordi Espasa Clofent jespa...@minibofh.org wrote:
> 2010-12-31 13:55, and...@torproject.org wrote:
>> Do you allow IRC, torrents?
> "We do not allow IRC servers, bittorrent, open proxies, or any other software that can degrade our network performance or allow for abuse."
> But after explaining to them that:
> * it's not an OPEN proxy because I only permit port 80 and 443 (http and https) and no more
> * I've limited the bandwidth (using BandwidthRate and AccountingMax directives) to assure the impossible degradation of the network performance
> ... they allow me to run a Tor proxy. So, good for me and the Tor network! For the moment I will stay with them.

To be honest, they can most probably use the "or allow for abuse" clause to ban an exit node. This covers a lot of things: running an improperly configured email server, an unpatched old web server, etc.
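The torrc settings Jordi describes, written out as an added example (not a configuration from the thread): an exit policy restricted to ports 80 and 443 plus the BandwidthRate and AccountingMax limits. The numeric values are placeholders to be sized for the host's plan, not values from the post.

```text
## torrc fragment (added example; the numbers are placeholders)

# Exit only to HTTP and HTTPS. Policy lines are matched first to last,
# so the final reject must stay last or it swallows the accepts.
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*

# Sustained rate and short-term burst, per direction.
BandwidthRate 1 MBytes
BandwidthBurst 2 MBytes

# Hard volume cap per accounting period: once AccountingMax is reached
# Tor hibernates (stops accepting connections) until the next period.
AccountingStart month 1 00:00
AccountingMax 500 GBytes
```

Restricting the policy to 80/443 removes the ports that IRC servers and BitTorrent normally use, which is what the provider's "IRC servers, bittorrent, open proxies" rule is aimed at; the accounting cap is what lets the provider size the traffic in advance.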
Re: tor-ramdisk 20101011 released for i686 only
On Mon, Oct 11, 2010 at 11:16 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
> On 10/11/2010 10:52 AM, Anthony G. Basile wrote:
>> Hi everyone
>> I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686, x86_64 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.
> Via FTP? It's probably not a good idea to export a private key without using encryption...
> All the best,
> Jake

My first thought as well. Pretty much every protocol invented is better than FTP, in this case and most other cases.

Another question regarding the logging: I hope you include enough to know if the node is working correctly or not. The logs that are generated could also be deleted after a couple of minutes or an hour as well, which might make it possible to log some more information if necessary to verify functionality.

Great project though, a lot of people request this.
Re: Rogue exit nodes - checking?
> Unfortunately I cannot publish source codes because attackers can adapt own techniques (though it would be very difficult).

Yummy. Security through obscurity. Let's hope the bad guys don't find out. Or do they already know?..
Re: webdav as hidden service?
Yes, people have tried, there are working webdav stores out in onionland. For linux you can use the davfs2 filesystem. It can be used through a proxy, and works with Tor. It was very slow when I tried it though, slower than usable because proxies, tunnels and sockets keep timing out, so the filesystem just locks up and you have no idea what happens because you don't get any feedback. You could use the filesystem way to upload, and then use for example wget for retrieving. I think I also tried fusedav. Can't remember why I didn't continue with that, might have been too unmaintained or broken.

// pipe

On Sat, Jun 12, 2010 at 10:38 PM, Kyle Williams kyle.kwilli...@gmail.com wrote:
> Yes, you can use WebDAV as a hidden service. FYI, Windows also has its Web Client, aka WebDAV, built into most newer Windows OSes.
> Security Note: If you're using Windows and a shitty browser like Internet Explorer, then it's possible for your Username, Domain/Workgroup, and various other little tidbits of information to be leaked out using WebDAV.
> Best regards,
> Kyle
>
> startx wrote:
>> hi. i was wondering if anybody has tried to set up a webdav directory as a hidden service? on the server side this should be relatively straightforward: webdav is technically nothing else than a http service and apache/mod_webdav would handle that probably the same way it would handle the vhost for a hidden service. however, is there any webdav client which could be used for that? firefox does afaik not support webdav (at least not on linux) and i would have no idea how to torify nautilus (gnome).
Re: Family specifications (was: Re: perfect-privacy.com, Family specifications, etc)
On Thu, May 20, 2010 at 1:31 PM, Moritz Bartl t...@wiredwings.com wrote:
> On 20.05.2010 13:28, Oguz wrote:
>> I too do not understand this. Already an evil entry node can list all nodes that it does _not_ control in its family option to try to force circuits through the nodes it controls, though it would obviously be a dead giveaway listing many unrelated nodes as within the family. Is there a check when a node declares itself to be in a family that the descriptors of the other family members are checked to confirm?
> From what I understand, yes, at the moment both partners have to list each other. That's what the fuss is all about, because this becomes hard to manage when you run a lot of nodes.

A two-line shell script run automatically with ssh?

1) sed -i 's/^MyFamily .*/MyFamily [new servers]/' /etc/tor/torrc
2) killall -HUP tor

Difficult? Come on, this can all be automated in 10 minutes if they keep a list of the servers they have access to. If you're already operating multiple servers, you will need to have methods like this anyway, when other things change.
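The automation step this post sketches with sed, as an added Python example that is not part of the thread or of Tor itself. It goes a little beyond the two-liner: each fingerprint is validated before it is written (a typo in the server list would otherwise produce a torrc Tor refuses to load), duplicate MyFamily lines are collapsed into one, the file is replaced atomically, and Tor is sent HUP via its pidfile. The torrc path, the pidfile location and the sample contents are assumptions for this example.

```python
"""Rewrite the MyFamily line of a torrc from a list of relay fingerprints.
Added example; not code from the or-talk thread or from Tor."""
import os
import re
import signal

# A relay fingerprint is 40 hex digits, written in torrc as $<fingerprint>.
FINGERPRINT_RE = re.compile(r"^\$?[0-9A-Fa-f]{40}$")
MYFAMILY_RE = re.compile(r"^\s*MyFamily\b")


def normalise_fingerprints(fingerprints):
    """Reject anything that is not a fingerprint so a typo in the server list
    cannot silently produce a torrc that Tor refuses to load, and return each
    one in canonical $UPPERCASE form."""
    out = []
    for fp in fingerprints:
        if not FINGERPRINT_RE.match(fp):
            raise ValueError(f"not a relay fingerprint: {fp!r}")
        out.append("$" + fp.lstrip("$").upper())
    if not out:
        raise ValueError("a family must list at least one fingerprint")
    return out


def set_my_family(torrc_text, fingerprints):
    """Return torrc_text with exactly one MyFamily line listing fingerprints.
    The first existing MyFamily line is replaced in place, any further ones
    are dropped, and if there is none the line is appended at the end."""
    new_line = "MyFamily " + ",".join(normalise_fingerprints(fingerprints))
    out, replaced = [], False
    for line in torrc_text.splitlines():
        if MYFAMILY_RE.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def update_torrc(path, fingerprints, pidfile=None):
    """Rewrite the torrc at `path` atomically and, if a pidfile is given, send
    SIGHUP so Tor reloads its configuration (the post's `killall -HUP tor`).
    `path` and `pidfile` are deployment-specific assumptions."""
    with open(path, encoding="utf-8") as f:
        new_text = set_my_family(f.read(), fingerprints)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        f.write(new_text)
    os.replace(tmp, path)  # atomic on POSIX: Tor never sees a half-written file
    if pidfile:
        with open(pidfile, encoding="utf-8") as f:
            os.kill(int(f.read().strip()), signal.SIGHUP)
    return new_text


if __name__ == "__main__":
    # Constructed sample torrc, run locally without touching a real relay.
    sample = "Nickname relayA\nMyFamily $" + "0" * 40 + "\nORPort 9001\n"
    print(set_my_family(sample, ["1" * 40, "$" + "2" * 40]), end="")
```

Running the same call with the same fingerprint list over ssh against every relay in the set leaves each torrc with an identical MyFamily line, which is the mutual listing Moritz describes; anything that is not a fingerprint is rejected before a single file is touched.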
Re: nameserver stats
Qualified guess: These might be so-called BitTorrent trackers. These tracker URLs are embedded in torrent files that you download. You can download these torrent files from various sources, not necessarily (even rarely) from the site itself. When you load these torrents into a BitTorrent client, the client tries to contact all the trackers embedded in the file, and will probably try every 5 minutes or so. Smarter clients would give up or use incremental/exponential back-off, but there are probably enough dumb clients out there to compensate.

The sad thing is that people try to use Tor for BitTorrent, though of course there might be a use for BitTorrent on Tor, so I hope it's not just for sharing the random average movies and music.

On Wed, May 19, 2010 at 5:48 AM, Dyno Tor dyno...@gmail.com wrote:
> Yup, BT=BitTorrent. I don't know the sites by personal experience, they just seemed to have BT-like names. Strange that there's such a correspondence, but it isn't particular to your server -- I replicated your results on a handful of tests, from both my exit and a local non-tor IP. Perhaps these are domains that have been shut down via court order or overzealous domain registrars? Still, I'd think people would stop trying to connect to them after a bit, but trackedbyet.info is the 6th most popular DNS name, and it doesn't resolve!
>
> On Tue, May 18, 2010 at 6:20 AM, Olaf Selke olaf.se...@blutmagie.de wrote:
>> Dyno Tor wrote:
>>> Interesting. Olaf, I notice BT destinations seem mapped to nxdomain or servfail. BT stands for BitTorrent, right? Do you do this purposely to reduce abuse reports, or is that done by your upstream provider?
>> neither, the nameserver running on this machine does caching only, knowing nothing but the root servers from its config. So there's no upstream provider's ns used. I can't explain the nxdomain and servfail mapping.
>> Olaf
Re: Reducing relays = reducing anonymity ? Tortunnel.
> Just wondering if anybody from the Tor Project has contacted the author to express the concerns with tortunnel. Particularly about it being detrimental to the Tor network.
> Jim

The author is a security researcher, the tool is ages old and abandoned, as far as I know it doesn't work right away unless you change some of the code, and it was written to check which tor exit nodes were running sslstrip or in other ways were messing with the traffic. I'm not really sure what this fuss is all about. I wonder how many people actually use it these days.

Also, *if* Tor can be used in this way, it will be. If no white-hat will write code to do it, the black-hats will, and the only difference is that you'll be unaware of the tool.
Re: [GSoC] Improving Snakes on a Tor
>> The way to do better at that one is to teach users and service providers about end-to-end authentication and encryption.
> From what I've seen I don't think there is any realistic hope for any significant number of web pages to be served with end-to-end encryption (not sure what your reference is to end-to-end authentication) in the foreseeable future.
> Jim

I take it that you don't consider HTTPS to be end-to-end encryption then? Because I don't see why it would be unlikely for at least sensitive websites to switch to HTTPS.

// pipe
Re: Tor Exit Node Sponsorship - looking for partners
On Wed, May 12, 2010 at 6:20 PM, Moritz Bartl t...@wiredwings.com wrote:
> I would also like theoretically to accept anonymous donations for a node (not for the VPN/webspace stuff of course), but the problem there is not so much accepting it (PSC, Ukash, Liberty Reserve etc), but making sure that the money comes in regularly to fund the node.

A thought: Currently there is a "Donate!" section on torproject.org that doesn't mention what the money is used for or how much money comes in. I think a lot more people would donate if they could see that the money went directly to fast tor relays. Why not do something similar: set up a pool that people can donate to, and put it up on torproject.org. (I can see the issues with advertising it on the website, but that's just a suggestion.)

// pipe
New GETINFO option, bytes
Hi.

I added a new option for GETINFO, that will return the total number of bytes that's gone through Tor since process startup. Just exporting the internal stats_n_bytes_read/written. This is very useful for retrieving statistics like bandwidth over time, for use with tools like arm, vidalia, munin, and other monitoring applications. The current method that uses events is difficult to use, since you have to listen all the time. With the new method you can for example poll every minute to see how many bytes were transferred in total since you last checked. I wrote a plugin for munin that uses this new feature, and it works great.

The patch is trivial, and you probably want to change the name of the command if you want to use it. There might also be reasons that you don't want to export and print uint64_t variables. I didn't take time to check any tor internals guidelines.

// pipe

From d557fc9bc2ec749d4743e3e918289e55c4b9e459 Mon Sep 17 00:00:00 2001 From: Anders Andersson pipat...@gmail.com Date: Tue, 23 Mar 2010 02:07:37 +0100 Subject: [PATCH] Added a new GETINFO item 'bytes' --- src/or/control.c |7 +++ src/or/main.c|4 ++-- src/or/or.h |2 ++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/or/control.c b/src/or/control.c index 771beae..d591065 100644 --- a/src/or/control.c +++ b/src/or/control.c @@ -1328,6 +1328,11 @@ getinfo_helper_misc(control_connection_t *conn, const char *question, *answer = tor_malloc(HEX_DIGEST_LEN+1); base16_encode(*answer, HEX_DIGEST_LEN+1, me-cache_info.identity_digest, DIGEST_LEN); + } else if (!strcmp(question, bytes)) { +*answer = tor_malloc(42); +tor_snprintf(*answer, 42, U64_FORMAT U64_FORMAT, + U64_PRINTF_ARG(stats_n_bytes_read), + U64_PRINTF_ARG(stats_n_bytes_written)); } return 0; }
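Review bot: the buffer size in `*answer = tor_malloc(42);` and `tor_snprintf(*answer, 42, U64_FORMAT U64_FORMAT, ...)` is a bare magic number that only fits because two maximal uint64 decimal strings (20 digits each) plus the separator and the terminating NUL come to exactly 42; give it a named constant with that derivation in a comment, or build the string with an allocating formatter, so the size cannot silently become too small if the format is ever changed. Packing both counters into one space-separated value also means every controller has to split and parse the string; two keys, one for bytes read and one for bytes written, would each return a single integer and avoid that.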
@@ -1810,6 +1815,8 @@ static const getinfo_item_t getinfo_items[] = { Time when the accounting period ends.), ITEM(accounting/interval-wake, accounting, Time to wake up in this accounting period.), + ITEM(bytes, misc, + Number of bytes read/written so far since Tor started.), ITEM(helper-nodes, entry_guards, NULL), /* deprecated */ ITEM(entry-guards, entry_guards, Which nodes are we using as entry guards?), diff --git a/src/or/main.c b/src/or/main.c index 74075b6..0e2b755 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -56,9 +56,9 @@ static int stats_prev_global_read_bucket; static int stats_prev_global_write_bucket; /* XXX we might want to keep stats about global_relayed_*_bucket too. Or not.*/ /** How many bytes have we read since we started the process? */ -static uint64_t stats_n_bytes_read = 0; +uint64_t stats_n_bytes_read = 0; /** How many bytes have we written since we started the process? */ -static uint64_t stats_n_bytes_written = 0; +uint64_t stats_n_bytes_written = 0; /** What time did this process start up? */ time_t time_of_process_start = 0; /** How many seconds have we been running? */ diff --git a/src/or/or.h b/src/or/or.h index 737c197..75c43f9 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -4192,6 +4192,8 @@ void accounting_set_bandwidth_usage_from_state(or_state_t *state); /* main.c ***/ extern int has_completed_circuit; +extern uint64_t stats_n_bytes_read; +extern uint64_t stats_n_bytes_written; int connection_add(connection_t *conn); int connection_remove(connection_t *conn); -- 1.5.6.5 From 94b4451ff20ac8951ba7fa43edba1d4faa053505 Mon Sep 17 00:00:00 2001 From: Anders Andersson pipat...@gmail.com Date: Tue, 23 Mar 2010 22:21:04 +0100 Subject: [PATCH] Documented the bytes option for GETINFO --- doc/spec/control-spec.txt |5 + 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/doc/spec/control-spec.txt b/doc/spec/control-spec.txt index b60baba..17c59f6 100644 --- a/doc/spec/control-spec.txt +++ b/doc/spec/control-spec.txt 
@@ -498,6 +498,11 @@ with a $. This is an implementation error. It would be nice to add the $ back in if we can do so without breaking compatibility.] +bytes + Total number of bytes passed through the Tor node since startup, in the + form: +read-bytes SP write-bytes CRLF + accounting/enabled accounting/hibernating accounting/bytes -- 1.5.6.5
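Review bot: in the getinfo_items hunk the new key `bytes` is a bare top-level name while its immediate neighbours (`accounting/interval-wake`, `accounting/bytes`) are namespaced, and the cover mail already calls the name provisional; settle on a namespaced name (or a read/written pair) before merging, because GETINFO keys are part of the control protocol and cannot be renamed afterwards without breaking controllers that depend on them. The help string 'Number of bytes read/written so far since Tor started.' should also say that the two values are space-separated and in that order.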
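Review bot: the main.c hunk drops `static` from `stats_n_bytes_read` and `stats_n_bytes_written`, turning two private counters into globals that any module can write to, purely so control.c can read them; the cover mail itself anticipates this objection. Keep both counters static in main.c and expose them through a pair of read-only accessor functions that control.c calls, which also makes the `extern` declarations added to or.h unnecessary.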
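Review bot: the control-spec.txt entry defines the reply shape (`read-bytes SP write-bytes CRLF`) but not what the counters cover; main.c's own comments describe them as bytes read/written "since we started the process", so the spec should state whether that is every byte on every connection the process handles or only relayed traffic, a distinction a controller computing relay bandwidth has to know. It should also say the values are unsigned 64-bit decimal integers that start from zero at process start, so a controller can treat a decrease between polls as a restart rather than a negative rate.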
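As an added example (not part of the patch and not Tor's own code), the consumer side of this GETINFO item: the kind of munin-style poller the cover mail mentions. It parses a reply of the shape the control-spec hunk defines, refuses error replies instead of reporting zeros, and turns two successive samples into a read/write rate, treating a counter that goes backwards as a Tor restart. The control port address, password authentication and the sample replies are assumptions for this example.

```python
"""Poll the proposed GETINFO "bytes" item and turn its running totals into a
read/write rate. Added example; not code from the thread or from Tor."""
import socket
import time

GETINFO_KEY = "bytes"  # the key name used in the patch; it may be renamed


def parse_bytes_reply(reply):
    """Parse a control-port reply to GETINFO bytes into (read, written).

    Expected shape (from the control-spec.txt hunk):
        250-bytes=<read-bytes> SP <write-bytes> CRLF
        250 OK CRLF
    Raises ValueError on an error reply (e.g. a 552 for an unknown key) or a
    malformed value line, so a monitoring plugin fails loudly rather than
    graphing zeros.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    if not lines[0].startswith("250"):
        raise ValueError("control port error: " + lines[0])
    prefix = "250-" + GETINFO_KEY + "="
    for ln in lines:
        if ln.startswith(prefix):
            fields = ln[len(prefix):].split(" ")
            if len(fields) != 2 or not all(f.isdigit() for f in fields):
                raise ValueError("malformed value line: " + ln)
            return int(fields[0]), int(fields[1])
    raise ValueError("reply carries no " + GETINFO_KEY + "= line")


def throughput(prev, cur):
    """prev and cur are (timestamp_seconds, read_total, written_total).
    Returns (read_bytes_per_second, written_bytes_per_second). The counters
    start at zero when the Tor process starts, so a value lower than the
    previous sample means Tor restarted; that interval cannot be rated and
    None is returned instead of a negative rate."""
    (t0, r0, w0), (t1, r1, w1) = prev, cur
    if t1 <= t0:
        raise ValueError("samples must be in increasing time order")
    if r1 < r0 or w1 < w0:
        return None
    dt = t1 - t0
    return (r1 - r0) / dt, (w1 - w0) / dt


def poll_control_port(host="127.0.0.1", port=9051, password=""):
    """Fetch one sample from a live Tor control port. Assumes password
    authentication (HashedControlPassword) and that the password contains no
    quote characters; host, port and password are assumptions for this
    example. Single recv() calls are enough for these short replies."""
    with socket.create_connection((host, port), timeout=5) as s:
        def cmd(line):
            s.sendall((line + "\r\n").encode("ascii"))
            return s.recv(4096).decode("ascii", "replace")
        auth = cmd('AUTHENTICATE "' + password + '"')
        if not auth.startswith("250"):
            raise RuntimeError("authentication failed: " + auth.strip())
        reply = cmd("GETINFO " + GETINFO_KEY)
        cmd("QUIT")
    read_total, written_total = parse_bytes_reply(reply)
    return time.time(), read_total, written_total


if __name__ == "__main__":
    # Two constructed replies one minute apart, instead of a live control port.
    first = (100.0,) + parse_bytes_reply("250-bytes=1000 2000\r\n250 OK\r\n")
    second = (160.0,) + parse_bytes_reply("250-bytes=7000 5000\r\n250 OK\r\n")
    print(throughput(first, second))
```

A plugin built on this stores the previous (timestamp, read, written) triple between runs and reports the rate from throughput(); the restart case is the one the cover mail's "poll every minute" scheme has to handle, since the totals are per process rather than persisted.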