Re: Practical onion hacking: finding the real address of Tor clients
George Shaffer [EMAIL PROTECTED] wrote: On Wed, 2006-10-18 at 12:47, Fabian Keil wrote: . . . They aren't attacking Tor, but misconfigured applications behind the Tor client. Which they said quite clearly in different words: Clearly Tor's designers have done a pretty good job: I couldn't find any weaknesses in Tor itself . . . So instead, I attacked the data which Tor carries the most of: web traffic. Please don't quote out of context. I wrote: I also think the title of the paper is intentionally misleading. ^ For a user new to Tor, the documentation is often confusing or ambiguous, important information is missing, and sometimes minor details over emphasized (especially in Tor FAQ). Tor is a young product and hopefully these problems will be remedied as it grows. In the meantime though, some users are depending on it for anonymity. You can be sure that someone in Red China, searching for information his or her government does not want them to see, is not likely to have mis configured or misused Tor for want of trying to get it right. I assume you mean the opposite of the last sentence? Anyway, there will always be some people who don't understand the documentation, or don't even bother to read it. That's the case for every product and not a Tor specific problem. The risks of JavaScript, Flash and friends are mentioned several times in the docs. It's also a good idea not to trust any exit nodes, except the ones you run yourself. If this is true, then the Tor network serves no useful purpose for the large majority of users who don't run Tor servers, let alone exit nodes. Why? Just because you can't trust a exit node, doesn't mean you can't use it. You just have to be aware that unencrypted traffic might have been altered. Even if in the future, some auditing process is set up for exit nodes, anyone using Tor, implicitly trusts whoever does the auditing, and he or she is likely to be self selected. Besides technical knowledge and connection limitations, there is at least one other valid reason for not running a Tor server. Comcast, the largest ISP in the U.S., has Terms of Use that very clearly prohibit any and all servers, including p2p, on any residential connection. I suspect some other ISPs have similar provisions. That's a rather lame excuse. Even if your local ISP doesn't allow you to run a Tor server, you can always get your own rootserver and run your exit node from there. Maybe I'm missing something, but except for a large company with many valid public IP addresses, what anonymity can you hope to gain by using your own exit node, except hiding from a network sniffer in the clutter of the other traffic which leaves the node. Whoever you connect to will still have the exit node's IP, which can presumably traced back to you. That's right, but I'm not saying you should only use your own exit nodes. Fabian -- http://www.fabiankeil.de/ signature.asc Description: PGP signature
Weird behavior of google and yahoo...
Hi folks, Just tried to use google, it told me 403 forbidden, my network is DOS google servers and i should check my system for virus or spyware. The same with yahoo, I think someone using tor is doing something evil there. ExitNode was 82.103.132.227 (freetux4ever). Regards, Ricky. -- Ich bin Jack's vergeudetes Leben. -Fight Club- PGP-Fingerprint: 475A 89EC 8E4D AD64 FCCE BEB7 A699 13D9 84A8 A349 Jabber-ID: [EMAIL PROTECTED] www.life-lover.de.vu signature.asc Description: Dies ist ein digital signierter Nachrichtenteil
Re: Weird behavior of google and yahoo...
On Oct 20, 2006, at 10:37:58, Ricky Fitz wrote: Just tried to use google, it told me 403 forbidden, my network is DOS google servers and i should check my system for virus or spyware. The same with yahoo, I think someone using tor is doing something evil there. ExitNode was 82.103.132.227 (freetux4ever). http://wiki.noreply.org/noreply/TheOnionRouter/ TorFAQ#head-24b240c0329b118e4947357fb584b5579804b2ef /jgt -- http://tamboli.cx/ PGP Key ID: 0x7F2AC862B511029F PGP.sig Description: This is a digitally signed message part
Building from svn source on Mac OS X
Hi, I have installed libevent via darwinports, but ./autogen.sh seems unable to find it. I have tried setting the directory to point at where the dylib is and where the header is, but neither has worked. Any ideas? Thanks, Watson Ladd -- They who would give up essential Liberty to purchase a little temporary Safety, deserve neither Liberty or Safety --Benjamin Franklin signature.asc Description: OpenPGP digital signature
Re: Practical onion hacking: finding the real address of Tor clients
On Friday 20 October 2006 14:53, Fabian Keil wrote: For a user new to Tor, the documentation is often confusing or ambiguous, important information is missing, and sometimes minor details over emphasized (especially in Tor FAQ). Tor is a young product and hopefully these problems will be remedied as it grows. In the meantime though, some users are depending on it for anonymity. You can be sure that someone in Red China, searching for information his or her government does not want them to see, is not likely to have mis configured or misused Tor for want of trying to get it right. I assume you mean the opposite of the last sentence? I can't speak for the OP but I think he meant what he said. If someone is using Tor, they are *trying* to be anonymous. Whether they are successful or not depends on how well they've digested the FAQ - and I think it is a fair point that some things (such as javascript/flash and the perils of unencypted traffic) require more emphasis than others (e.g. why is tor so slow, how often does tor change its paths). Anyway, there will always be some people who don't understand the documentation, or don't even bother to read it. That's the case for every product and not a Tor specific problem. I think there are subtleties to the safe use of Tor that require some technical understanding. And that is a Tor specific problem which shouldn't be overlooked. -- KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net TorK - A Tor Controller For KDE - http://tork.sf.net
Re: Practical onion hacking: finding the real address of Tor clients
These hacks are very ancient news. We first wrote about them in I think 1998, and many of them especially concerning Java, Javascript, and ActiveX were not original to us even then. We were also all aware of GUIDs being imbedded in Office Docs, Windows Media Players, Real players, etc. Mike Reed wrote a snoop server that we used to have posted on the onion routing site back then. A nice one that was new at the time was to embed into the HTML a call to use the RTSP protocol to load shells of movies into Quicktime, and other media players specifically to identify the IP address of the sender. There were other snoop servers and similar demo pages available from Anonymizer, Digicrime, JAP, and others. I don't know first who put up a demo of the obvious point that using an anonymous pipe does not imply an anonymous data stream nor the prevention of opening up a nonanonymous pipe if one doesn't shut down all other pipes or calls too them through the anonymous pipe. So what? 1. It's pretty annoying that every few years someone announces a big discovery in which they re-invent a wheel that we and others had invented, implemented and announced many times. Then some press report jumps all over it like it's a new discovery that surprised the anonymous communications people unawares or something like that. 2. If the appalling lack of scholarship is annoying, the concerns are real. It's simultaneously true that it's unfair to yell at someone still trying to get a core TLS implementation done right for not having solved all the phishing attacks that might occur over applications that use it and true that people will get hurt by a browser that simply offers an OK crypto interface but doesn't cope with all the exploits that come from not understanding what it protects and what it doesn't (that's a metaphor, don't take it literally as about current Tor issues). What we don't need is anyone else telling us that there's a problem as if we didn't know that. People have to reinvent wheels a bit as they learn about something. That's fine, and they should be encouraged and coaxed not ridiculed. But they shouldn't be tolerated if they put themselves forth as experts showing something new to the world while refusing to read any of the documentation, the specs, the code, or the scientific literature. What we do need are answers. 3. This is forever an arms race, and, once you get beyond the early adopters or systems for specialized use, telling people to RTFM is always nonanswer. What exactly is an answer? I don't know. Many people who are on this list have hints of ideas that will help somewhat and they have been raising them, implementing them, analyzing them in papers, etc. I make one suggesting here so that I'm not just grousing, even constructively. It might be good to have a testing page that is part of the setup wizards in some way as well as being fairly prominent on the homepage. Apologies if someone has already suggested that and I forgot (and especially apologies if that someone was me). There's lots of issues implicit in this suggestion, but nunc scripsi totam pro publio, da mihi potum. aloha, Paul -- Paul Syverson () ascii ribbon campaign Contact info at http://www.syverson.org/ /\ against html e-mail
end-to-end encryption
Hi, this is not directly connected to Tor, but I think it is important issue because we need good support programs for Tor. By support programs I mean Firefox, etc. which USE Tor. The problem is people are extensively using webmail. They can use mobile Tor (TorPark), but the problem is the content of the webmail is not encrypted. So they can get anonymity, but not end-to-end encryption (so anonymity is also downgraded). I was reading this blog: http://www.links.org/?p=130 and comments, and got an idea how to enable better security for users using web mail. My idea is to build GPG into Firefox or at least integrate it more deeply. GPG keyring (user's private and public key) should be an object similar to certificate. User will be able to create/import keyring into Firefox, export it or delete it. Keyring could be secured with password (with FireFox security device), and additionaly with passphrase. Public keys could be easily retrieved from public key servers wia Firefox. How decryption will work? If FireFox will detect PGP/GPG code (in a form), it will enable decryption. This need more thinking in detaila, but in general when decrypted, it will be grabbed, decrypted and shown in plaintext. Similar to Enigmail extension for Thunderbird. So user could be able to use strong end-to-end encryption + anonymisationn from his/her USB drive. My observation is, that more and more services are moving into the iternet - and mostly into web. So web browser is a central technology for browsing, reading email, writing teksts (Writely), publishing things, configuring software, watching movies... even runnig OS (see YuOS for example) And web browser is becoming independent from other systems. In a future local operating system could be only web browser with connection to the internet. That is why we need end-to-end encryption built into it. If you find this idea reasonable and interesting, please promote this feature request: https://bugzilla.mozilla.org/show_bug.cgi?id=357310 bye, Matej
Re: Practical onion hacking: finding the real address of Tor clients
On 10/20/06, Paul Syverson [EMAIL PROTECTED] wrote: ... What exactly is an answer? I don't know. Many people who are on this list have hints of ideas that will help somewhat and they have been raising them, implementing them, analyzing them in papers, etc. i'm fond of the transparent proxy router approach we've used to try and fail safe for most protocols (at least with respect to the DNS leaks and covert TCP connections via Java/Flash/etc).[1] this doesn't do much for identifiers in the data stream (although privoxy/squid do scrub the transparent HTTP which is visible), and probably won't until significant effort is employed for protocol/application specific content filtering proxies. until then, user beware... It might be good to have a testing page that is part of the setup wizards in some way as well as being fairly prominent on the homepage. it would be nice to have a detailed proxy checker available that looks at these Java/Flash/RealPlayer/etc holes. right now there are a handful of common http proxy checkers but these look for headers and IP at best. does such a thing exist? i would be willing to host (although i suspect others would have done so already were a tool available). 1. http://janusvm.peertech.org/ uses a pptp vpn connection to force a default route through the virtual machine providing transparent TCP and DNS proxy through Tor. this defeats all of the covert TCP connection attacks designed to circumvent browser/application level SOCKS/HTTP proxy settings, but does not address identifying data within the TCP streams. [people have been asking about non-Win support, and this will be forthcoming in the next few months via openvpn for *bsd/linux/solaris/mac]
Re: Practical onion hacking: finding the real address of Tor clients
On Fri, Oct 20, 2006 at 03:31:22PM -0700, coderman wrote: i'm fond of the transparent proxy router approach we've used to try and fail safe for most protocols (at least with respect to the DNS leaks and covert TCP connections via Java/Flash/etc).[1] [snip] it would be nice to have a detailed proxy checker available that looks at these Java/Flash/RealPlayer/etc holes. right now there are a handful of common http proxy checkers but these look for headers and IP at best. Right, this would be great. There are a few checkers out there that hand a java program to the user that fetches his IP address. We (Tor) get mail every so often from people who say hey, I went to this site and it knows who I am! Tor's broken! One of these days I'll get around to writing the single clear paragraph that will explain everything to everybody. That's still in the works though; feel free to beat me to it. It would go between http://tor.eff.org/docs/tor-doc-win32#verify and http://tor.eff.org/docs/tor-doc-win32#server as a new section. 1. http://janusvm.peertech.org/ uses a pptp vpn connection to force a default route through the virtual machine providing transparent TCP and DNS proxy through Tor. this defeats all of the covert TCP connection attacks designed to circumvent browser/application level SOCKS/HTTP proxy settings, but does not address identifying data within the TCP streams. Right. Yay JanusVM. I think the eventual solution for packaging Tor correctly will be to run a VM or something similar that handles all network traffic correctly, so people don't have to worry so much about configuring things. It still won't be perfect though, because your Firefox's Java program can still run whatever it likes, and because cookies and other application-level issues need to be solved too. See also http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#TransportIPnotTCP [people have been asking about non-Win support, and this will be forthcoming in the next few months via openvpn for *bsd/linux/solaris/mac] See also http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy for Linux, BSD, and probably OS X. --Roger
Re: Practical onion hacking: finding the real address of Tor clients
On Fri, Oct 20, 2006 at 06:49:45PM -0400, Roger Dingledine wrote: On Fri, Oct 20, 2006 at 03:31:22PM -0700, coderman wrote: i'm fond of the transparent proxy router approach we've used to try and fail safe for most protocols (at least with respect to the DNS leaks and covert TCP connections via Java/Flash/etc).[1] [snip] it would be nice to have a detailed proxy checker available that looks at these Java/Flash/RealPlayer/etc holes. right now there are a handful of common http proxy checkers but these look for headers and IP at best. Expanding what I was suggesting in my previous message, which I know is just one little piece of the pie, is that when you run the installer wizard for your favorite OS. Part of it is to run a configuration check. This causes you to connect to a snoop server that identifies you every which way it can think of both within and by bypassing the anonymized circuit, maybe compares to info from an unanonymized connection from you. There should then be warnings/suggestions/links/more-wizard-dialogues/etc for things to do if you come up found. I think there are already servers out there that do a moderate job at this, and there are at least a few people I can think of to suggest other things to do (who no doubt have plenty of time to do this ;). There can also be a link from the Tor home page for general use, and/or for periodic rechecking, etc. Gotta go, Paul -- Paul Syverson () ascii ribbon campaign Contact info at http://www.syverson.org/ /\ against html e-mail
Re: Building from svn source on Mac OS X
On 20/10/06, Watson Ladd [EMAIL PROTECTED] wrote: Hi, I have installed libevent via darwinports, but ./autogen.sh seems unable to find it. I have tried setting the directory to point at where the dylib is and where the header is, but neither has worked. Any ideas? Why aren't you installing Tor via MacPorts also? The port is up to date, AFAIK. -- Darren Bane
