Re: Reducing java leakage in windows
James Muir wrote: > Arrakis wrote: >> It appears that Java attacks for causing external IP data to be leaked >> can be mitigated to some good degree. The upshot is that you can now run >> Java applets that even when attempting to phone home directly (revealing >> your IP), they are routed through the socks port and thus Tor or any >> other socks speaking application. What we are doing is changing the >> proxy settings of the Java Control Panel in windows. > > Some time ago, I conducted several tests that demonstrated that Java > Applets have the ability to disregard proxy settings in the Java Control > and open direct non-proxied connections. I do not think what you have > described will work. > I remember these tests. I can't seem to find a copy of the applets you used. Are you willing to publish them? Or point me in the right direction should I want to try implementing them? Regards, Jacob
Broken DNS
I followed a link here with the title Earthlink's "broken DNS affecting Tor nodes". Maybe someone here could answer these questions about broken DNS. If you check the two IPs 216.154.211.104 and 65.74.151.220 http://ip-lookup.net/neighborhood.popup.php?ip=216.154.211.104 http://ip-lookup.net/neighborhood.popup.php?ip=65.74.151.220 they show broken DNS. If you check at Robtex http://www.robtex.com/ip/216.154.211.104.html http://www.robtex.com/ip/65.74.151.220.html you find errors on both IPs. The reverse of the host name static-65-74-151-220.ey01.engineyard.com was found one time now 220.151.74.65.static.ey01.engineyard.com as the host name. I can use www.agoracom.co agoracom.com and 220.175.74.65.static.ey01.engineyard.com to sign in. Before I could sign in at static-65-74-151-220.ey01.engineyard.com . The DNS looks like it is still broken. What problems could this cause for a client using this site ? Have the DNS records been compromised because the servers have been hacked into ? regards, _
Re: storage privacy (was: Nice quiet, private, anonymous life??)
privacy back-up storage concept: http://sourceforge.net/tracker/index.php?func=detail&aid=1833093&group_id=178712&atid=886242 http://forums.truecrypt.org/viewtopic.php?t=8000 2007/12/3, F. Fox <[EMAIL PROTECTED]>: > > -BEGIN PGP SIGNED MESSAGE- > >
Re: Reducing java leakage in windows
James, Do you have a copy of these tests? I'm definitely interested in seeing it. However, I am NOT posing this as a solution to java issues, just another defense layer. This effectively keeps non-malicious applets from surreptitious leakage. I highly doubt a determined application would be cornered in, but most seem to be. Regarding DNS, well that is again another issue to be looked at, unfortunately. Steve James Muir wrote: > Arrakis wrote: >> It appears that Java attacks for causing external IP data to be leaked >> can be mitigated to some good degree. The upshot is that you can now run >> Java applets that even when attempting to phone home directly (revealing >> your IP), they are routed through the socks port and thus Tor or any >> other socks speaking application. What we are doing is changing the >> proxy settings of the Java Control Panel in windows. > > Some time ago, I conducted several tests that demonstrated that Java > Applets have the ability to disregard proxy settings in the Java Control > and open direct non-proxied connections. I do not think what you have > described will work. > > -James >
Re: Reducing java leakage in windows
Arrakis wrote: It appears that Java attacks for causing external IP data to be leaked can be mitigated to some good degree. The upshot is that you can now run Java applets that even when attempting to phone home directly (revealing your IP), they are routed through the socks port and thus Tor or any other socks speaking application. What we are doing is changing the proxy settings of the Java Control Panel in windows. Some time ago, I conducted several tests that demonstrated that Java Applets have the ability to disregard proxy settings in the Java Control and open direct non-proxied connections. I do not think what you have described will work. -James
Re: Question: How to set where you emerge from the Tor Cloud?
Ringo, thanks. that I think does the trick. Tetsu On Dec 2, 2007 3:33 PM, Ringo Kamens <[EMAIL PROTECTED]> wrote: > See "4.9. Can I control what nodes I use for entry/exit?" at > http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ > Comrade Ringo Kamens > > On Dec 2, 2007 5:39 PM, David Hill <[EMAIL PROTECTED]> wrote: > > That's fine... for this exercise I don't really care about the > > anonymity. Can you literally describe how to do that? the UI has me > > a bit confused on how to do this? > > > > thanks > > > > Tetsu > > > > > > > > > > On Dec 2, 2007 2:27 PM, Ringo Kamens <[EMAIL PROTECTED]> wrote: > > > You can specify which exit node to use, but this makes you less anonymous > > > because tor can't randomize your circuits. The best way (AFAIK) is to > > > block > > > all nodes except those in the particular country you want to use. > > > Comrade Ring Kamens > > > > > > > > > > > > On Dec 2, 2007 5:22 PM, David Hill <[EMAIL PROTECTED]> wrote: > > > > Hey Folks, > > > > > > > > New to Tor, but love the idea and the functionality. Privacy is my > > > > business right now, so I find this a great effort. > > > > > > > > I've installed Tor and all on Firefox, and it works great. Problem is > > > > I can't quite figure out how to control the country from which I > > > > emerge from the Tor Cloud. I need this to be able to check how a > > > > particular website treats me based on my in-country IP address. e.g., > > > > I want to go to Facebook through Tor and emerge with a UK IP address > > > > to assess whether Facebook sees me as coming from a UK IP addy. > > > > > > > > Any help would be appreciated. > > > > > > > > thanks, > > > > David > > > > > > > > >
Re: storage privacy
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 > I don't think much of the aforementioned physical "destruction" methods; > I also agree in that full disk encryption is the best way to go, if at > all possible. (snip) While I don't think much of physical destruction either, the "encrypted storage" method might be problematic for legal reasons, at least in the UK. If the police were to ask you to provide encryption keys (which they are now allowed to do), and you have "lost" the keys, they can put you away, even if the data on the drive would not have incriminated you. Thoughts? Anyone from the UK? - --- Eugene -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iFcDBQFHU2g4b9W6r3tKSVIRCE5MAQDXT/eaibgtyT1ds8qw8VMCIqE659JMmERA G1uxtlK+TQD/dj51Atik/PxQ+CHwjtYnaWVbLpREx7TTdPc12wNfFFA= =KvAx -END PGP SIGNATURE-
Re: storage privacy (was: Nice quiet, private, anonymous life??)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 coderman wrote: > apologies in advance for veering this far off topic... > > On Dec 2, 2007 2:25 PM, F. Fox <[EMAIL PROTECTED]> wrote: >> [ strange, dangerous, and likely to fail methods for destroying drives ] > > use full disk encryption, even the latest ubuntu supports this. > > destroy the disk keys and you've got platters full of entropy. > > anything else is just a bad idea. > (snip) I don't think much of the aforementioned physical "destruction" methods; I also agree in that full disk encryption is the best way to go, if at all possible. However, given that a system has already been deployed without such encryption, wouldn't secure overwriting be a reasonable way of destroying such data? It'd be slow, and maybe not effective against the most determined (and well-funded) attackers - but at least it wouldn't be dangerous, weird, and violent... =:oD - -- F. Fox CompTIA A+, Net+, Security+ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHU2HfbgkxCAzYBCMRAj0dAJ92NHfJqZVVcK/u99gbWTo0jsSnFACeOSJW EmV8OG+cGBSMlWBGXfqvh1M= =hc2d -END PGP SIGNATURE-
Re: Question: How to set where you emerge from the Tor Cloud?
See "4.9. Can I control what nodes I use for entry/exit?" at http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ Comrade Ringo Kamens On Dec 2, 2007 5:39 PM, David Hill <[EMAIL PROTECTED]> wrote: > That's fine... for this exercise I don't really care about the > anonymity. Can you literally describe how to do that? the UI has me > a bit confused on how to do this? > > thanks > > Tetsu > > > > > On Dec 2, 2007 2:27 PM, Ringo Kamens <[EMAIL PROTECTED]> wrote: > > You can specify which exit node to use, but this makes you less anonymous > > because tor can't randomize your circuits. The best way (AFAIK) is to block > > all nodes except those in the particular country you want to use. > > Comrade Ring Kamens > > > > > > > > On Dec 2, 2007 5:22 PM, David Hill <[EMAIL PROTECTED]> wrote: > > > Hey Folks, > > > > > > New to Tor, but love the idea and the functionality. Privacy is my > > > business right now, so I find this a great effort. > > > > > > I've installed Tor and all on Firefox, and it works great. Problem is > > > I can't quite figure out how to control the country from which I > > > emerge from the Tor Cloud. I need this to be able to check how a > > > particular website treats me based on my in-country IP address. e.g., > > > I want to go to Facebook through Tor and emerge with a UK IP address > > > to assess whether Facebook sees me as coming from a UK IP addy. > > > > > > Any help would be appreciated. > > > > > > thanks, > > > David > > > > > >
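The FAQ entry referenced above is the right place to look; as an added example (not from the thread or the FAQ), here is the torrc fragment that does what the question asks, pinning the exit to one country. The country-code selector in braces assumes a Tor build with GeoIP support (the 0.2.0.x series or later); older releases only accept relay nicknames or fingerprints, so the commented-out lines show that form with constructed nicknames.

```text
## torrc fragment: leave the Tor network only through exits in one country.
## Country codes need a GeoIP-aware Tor; the nicknames below are made up.

# Use only exits that Tor believes are in the United Kingdom ...
ExitNodes {gb}
# ... and fail the connection rather than silently fall back to another
# exit when none of them is usable (renamed StrictNodes in later versions).
StrictExitNodes 1

# Same thing on a Tor without GeoIP: name the exits explicitly.
# ExitNodes SomeUkExit,AnotherUkExit
# StrictExitNodes 1

# The inverse, keeping a country's relays out of every circuit position:
# ExcludeNodes {de}
```

Reload Tor (SIGHUP, or restart it from Vidalia) after editing, then confirm with any what-is-my-address page that the visible address changes as circuits rotate but stays in the chosen country. The trade-off the earlier reply mentions stands: restricting the exit set makes your traffic easier to single out, so use this for testing like the geolocation check described, not for anonymity.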
Re: javaprogram using tor
On Nov 1, 2007 2:02 PM, Frozen Flame <[EMAIL PROTECTED]> wrote: > You can use a java socks api or use an external app, such as tsocks > (Linux) to socksify your app without it even knowing about it. my understanding is that doing DNS resolution via tsocks is spotty at best since it forces the resolver library to use TCP which may not be reliable. it is better to have the application use socks 4a, socks 5 with names, or perhaps a transparent Tor proxy. best regards,
Re: storage privacy (was: Nice quiet, private, anonymous life??)
On Dec 2, 2007 2:25 PM, F. Fox <[EMAIL PROTECTED]> wrote: [ strange, dangerous, and likely to fail methods for destroying drives ] use full disk encryption, even the latest ubuntu supports this. Last time I tried this with the Ubuntu 7.10 Alternate CD it didn't work. The installer crashes over and over.. With the latest debian testing netinstall cd no problems..
Re: javaprogram using tor
On Oct 28, 2007 12:36 PM, Juliusz Chroboczek <[EMAIL PROTECTED]> wrote: > [ configuring SOCKS in java ] you can also use the system and/or user level deployment properties file to set the SOCKS proxy settings: http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/properties.html > Note however that Java most probably implements SOCKS with IP > addresses, and unless you take special precautions, you will suffer > from DNS leaks. Which may or may not be a problem for your application. this is correct. the only way to do this securely is via transparent Tor proxy. (it may be possible to implement your own lookups through Tor via JNDI naming service hooks, but this would require a significant effort and still leave you vulnerable to third party jars and such...) best regards,
Re: Win32 / netsh
On Nov 20, 2007 8:06 AM, chris misztur <[EMAIL PROTECTED]> wrote: > ... I'm thinking that the 'v4tov4' port proxy is only for > inbound connections... hi chris, this works the opposite way you'd need it to for the behavior you seek. it is indeed for inbound connection relay only. note that even if this could redirect outbound connections, you'd still need to proxy DNS requests to avoid compromising your anonymity through name resolution. best regards,
Re: storage privacy (was: Nice quiet, private, anonymous life??)
apologies in advance for veering this far off topic... On Dec 2, 2007 2:25 PM, F. Fox <[EMAIL PROTECTED]> wrote: > [ strange, dangerous, and likely to fail methods for destroying drives ] use full disk encryption, even the latest ubuntu supports this. destroy the disk keys and you've got platters full of entropy. anything else is just a bad idea. see the Tor Operational Security wiki page for more not bad ideas: http://wiki.noreply.org/noreply/TheOnionRouter/OperationalSecurity best regards,
Re: Question: How to set where you emerge from the Tor Cloud?
That's fine... for this exercise I don't really care about the anonymity. Can you literally describe how to do that? the UI has me a bit confused on how to do this? thanks Tetsu On Dec 2, 2007 2:27 PM, Ringo Kamens <[EMAIL PROTECTED]> wrote: > You can specify which exit node to use, but this makes you less anonymous > because tor can't randomize your circuits. The best way (AFAIK) is to block > all nodes except those in the particular country you want to use. > Comrade Ring Kamens > > > > On Dec 2, 2007 5:22 PM, David Hill <[EMAIL PROTECTED]> wrote: > > Hey Folks, > > > > New to Tor, but love the idea and the functionality. Privacy is my > > business right now, so I find this a great effort. > > > > I've installed Tor and all on Firefox, and it works great. Problem is > > I can't quite figure out how to control the country from which I > > emerge from the Tor Cloud. I need this to be able to check how a > > particular website treats me based on my in-country IP address. e.g., > > I want to go to Facebook through Tor and emerge with a UK IP address > > to assess whether Facebook sees me as coming from a UK IP addy. > > > > Any help would be appreciated. > > > > thanks, > > David > > > >
Re: Question: How to set where you emerge from the Tor Cloud?
You can specify which exit node to use, but this makes you less anonymous because tor can't randomize your circuits. The best way (AFAIK) is to block all nodes except those in the particular country you want to use. Comrade Ring Kamens On Dec 2, 2007 5:22 PM, David Hill <[EMAIL PROTECTED]> wrote: > Hey Folks, > > New to Tor, but love the idea and the functionality. Privacy is my > business right now, so I find this a great effort. > > I've installed Tor and all on Firefox, and it works great. Problem is > I can't quite figure out how to control the country from which I > emerge from the Tor Cloud. I need this to be able to check how a > particular website treats me based on my in-country IP address. e.g., > I want to go to Facebook through Tor and emerge with a UK IP address > to assess whether Facebook sees me as coming from a UK IP addy. > > Any help would be appreciated. > > thanks, > David >
Re: Nice quiet, private, anonymous life??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alexander W. Janssen wrote: > [EMAIL PROTECTED] wrote: >> If I was in your position I might consider putting some bulk >> demagnetizers near my hard drives with a panic switch, with backups to a >> secure unknown location. > > Now this is definitively a bizarre idea... :-) > > That reminds me of the "nuke gateway"-function in the game Uplink[1]. (snip) Although bizarre, this thread is not the first where I've heard of non-electronic panic-button-triggered data destruction mechanisms. Some I've heard of, at least purportedly: * Magnetism; * Incindieries (I can't spell that word worth crap); * Microwaves (the "Firedrive"); * Explosives (the plastique idea from earlier - I don't recommend it). I still think the best idea is a few scrubs of pseudorandom data, and then a sledgehammer to disable the physical mechanism (if you want extra security, and have no intentions of reusing the drive); of course, for the ultra-paranoid, this method will require a while for the PR streams to finish. =:oD - -- F. Fox CompTIA A+, Net+, Security+ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHUzDObgkxCAzYBCMRAo/7AJ9j17R/zzQdzmO+GY1g/Yg7b48fxgCeKdGx 1Q+Asn6zHyb/Z2ujAz5zwVU= =hAMe -END PGP SIGNATURE-
Re: Question: How to set where you emerge from the Tor Cloud?
Hey Folks, New to Tor, but love the idea and the functionality. Privacy is my business right now, so I find this a great effort. I've installed Tor and all on Firefox, and it works great. Problem is I can't quite figure out how to control the country from which I emerge from the Tor Cloud. I need this to be able to check how a particular website treats me based on my in-country IP address. e.g., I want to go to Facebook through Tor and emerge with a UK IP address to assess whether Facebook sees me as coming from a UK IP addy. Any help would be appreciated. thanks, David
Re: Nice quiet, private, anonymous life??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED] wrote: > If I was in your position I might consider putting some bulk > demagnetizers near my hard drives with a panic switch, with backups to a > secure unknown location. Now this is definitively a bizarre idea... :-) That reminds me of the "nuke gateway"-function in the game Uplink[1]. Alex. [1] http://www.uplink.co.uk/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) iQCVAwUBR1MpERYlVVSQ3uFxAQLmXAP9FKqkC/3tqzYVgWK7DwqUlme+nOsMyVXw kPjRjl/vbZAHC1MuRlMsakMP6caKladDpX0JH8nMcNfjmIcDbm7B5qDjmrw6UuVv y+u9f8oNWth1Nv0w7Qty84cTABkrrs/68zwJnLwvUoZwNgBObIftUZcjDKHraazi yHKZyQ51N34= =yQ5u -END PGP SIGNATURE-
Re: Nice quiet, private, anonymous life??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Eugen Leitl wrote: > On Sat, Dec 01, 2007 at 02:06:22PM -0700, [EMAIL PROTECTED] wrote: > >> If I was in your position I might consider putting some bulk >> demagnetizers near my hard drives with a panic switch, with backups to a > > Doesn't work, you'd need too many Teslas. Plastique or thermite would work. > Cryptographic filesystem would work, since you only would have to lose > power for a couple seconds. > It might be a bit late for buying and placing explosives or incendiaries. =:oD In any case, I'm not about to give advice on explosives, etc. - I'm not anonymized from here, forgetting the fact that it's a moot idea. A cryptographic filesystem is a day late and a dollar short... however, he might be able to start overwriting with something like Darik's Boot & Nuke: http://dban.sourceforge.net To finish would take forever, but IIRC, the Gutmann-style wipe starts with a pseudorandom stream - and if even a single one of those were to complete before they got the drive, they'd need to stick the thing in a cleanroom to get anything (again, IIRC). They don't always do that... software usually comes first. I guess it depends on the value of the data. If something really, really nasty got relayed through your node - like an [alleged] "terrorist threat" or similar hogwash - they might use such a method. But, DBAN's a free, practical, and non-violent idea. - -- F. Fox CompTIA A+, Net+, Security+ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHUyhabgkxCAzYBCMRAsRVAJ9qTRxiTe8iCT2ntp/4WQ6HST6hpgCfYFMD 3GFNNSinPPreEFdMUKfS2qQ= =Z6VG -END PGP SIGNATURE-
Re: [Political/Legal] Passing ideas on German Tor nodes
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 F. Fox wrote: > However, let's suppose that we're in a time when German Tor nodes are > now actively keeping logs of all connections. What would be the best way to: As I already said in an earlier posting, German Tor nodes won't be starting logging before 1/1/2009 - if they'll log at all - there's still a pending lawsuit against the data retention law in the supreme court. And I bet that there will be a lot of civil disobedience when it comes to logging. > [... idea ...] > So, what if a maximum of one German Tor node were allowed in a circuit? > Would that achieve both numbered goals? If that's the idea, then it should only be the middleman node. Entry-node might be possible too, but only if you make sure that this node is the only German node in the circuit. > Given the logging, it might be wise to not allow the German node to be > the exit node; I'm not sure about the entry guard. Considering the pressure which piled up in the last couple of months in Germany, running an exit-node in Germany is not encouraged anyway. > I would think that a German middleman node would be safe, though, right? If it's the only German node in the circuit: Possibly. Alex. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) iQCVAwUBR1Mn5BYlVVSQ3uFxAQK/fQQAqe496ityWEiTZovIazse0XpBusyV0G+8 Zn5mVkZpREl9J0PZ4uKFRB6ydwBZ1TJNFsMIbgHZhhGsJqstGBQBfR8U5gAI2FtS kAEv62vTm8EPBOAUWx7UZKwuekmo2veQD0c5b/t77jaXUph067Qbdnh/7PnqQ7vn ESTZOMavZis= =i84f -END PGP SIGNATURE-
[Political/Legal] Passing ideas on German Tor nodes
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Just a couple ideas I had, regarding the issue of German Tor nodes and the upcoming data retention policies; keep in mind that my own knowledge regarding the Tor network isn't all that deep, so these may be flawed. However, let's suppose that we're in a time when German Tor nodes are now actively keeping logs of all connections. What would be the best way to: 1.) Protect the anonymity of Tor users as much as possible, while 2.) Attempting to allow some way for German Tor nodes to contribute to the overall capacity of the network. If I read things right, there are two things - barring client misconfigurations or other SNAFUs - that are likely to reveal the identity of a client: * An adversary owning all three Tor nodes in a circuit, in which case the client is *definitely* screwed; * An adversary owning the entry guard and exit node in a circuit, which may allow an end-to-end attack. So, what if a maximum of one German Tor node were allowed in a circuit? Would that achieve both numbered goals? Given the logging, it might be wise to not allow the German node to be the exit node; I'm not sure about the entry guard. I would think that a German middleman node would be safe, though, right? - -- F. Fox CompTIA A+, Net+, Security+ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHUyYtbgkxCAzYBCMRAq+hAJ4rDJLsXT+L6EYDK+jms+skZhotrwCdExnx 3zO/PlzAaT+4+uJu4GWAWks= =wJKO -END PGP SIGNATURE-
German Privacy Foundation
Hi, I am the chairman of the German Privacy Foundation (www.privacyfoundation.de). We run two tor-servers in Germany. If you have any questions about the GPF, ask me. (also: [EMAIL PROTECTED]) Greetz from Berlin Burks -- GnuPG-Key: www.burks.de/burks.asc | ID: 92B46AB6 | Fingerprint: 5609 942A F50F 8FA9 F9C3 F355 CF9C 634A 92B4 6AB6
Re: Help me understand tor with SSL?
>> Firefox should in principle not use the DNS if >> >> network.proxy.socks_remote_dns >> >> is set to true (in about:config). > Hm, I'm not sure - I thought this option only works if you're using a > SOCKS-proxy, e.g. connecting directly to the Tor-socks interface? > > Is that also true for http-style proxies? You're correct, this is only true for direct connections to tor. Juliusz
Re: Nice quiet, private, anonymous life??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED] wrote: > Not a professional techie, since running an exit node this fall I am > being habitually banned from Google, Charter has asked me to stop > spamming, and now today the police are at my door looking for Tobias. (snip) > > Hope this post goes to list, can't find list post commands. > It made it to the list. =:o) In any case, I set my node up as "middleman" from the beginning. Given that I'm just running from my home, I wouldn't have a whole lot of backing to defend from legal or police troubles; running as a middleman allows me to provide capacity to the network, while avoiding most of the liability (potentially) carried by exit nodes. As others have suggested, I strongly recommend trying "going middleman" before leaving the network completely. Taking an occasional peek at my Tor service via TCPView (shouldn't be a problem, since I'm only connected to other nodes), you'd be surprised how much utilization I get even as a middleman! =:oD Every little bit of bandwidth helps. - -- F. Fox CompTIA A+, Net+, Security+ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHUxmLbgkxCAzYBCMRAkmKAKCOIqmLACMxAckS5UusOLF7fGgNHACgkVaK doirLmxSDOzuFRlpId0nVSI= =+7/B -END PGP SIGNATURE-
[Politics/Legal] Re: German Tor Legal Fund
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Onion wrote: > Alexander W. Janssen wrote: (snip) > > (ignore at will) > > First of all, I'm not fond of political discussions in tech groups, > but in this specific case of an aid, that was developed not least for > sociopolitical reasons, motivating statements can't be misplaced. (snip) Here's an idea: Perhaps we could voluntarily tag the subject lines of sociopolitical/legal-type messages, so people who want to ignore or filter them can. My proposition is in the subject of this email. - -- F. Fox CompTIA A+, Net+, Security+ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHUxcEbgkxCAzYBCMRAjjKAJ4/53vwclaanVlyXEkiOanctv2IewCfcOBz v4waOhebilkXY/Y5SeOVkIU= =83n4 -END PGP SIGNATURE-
Re: Reducing java leakage in windows
On Dec 2, 2007 11:02 AM, Arrakis <[EMAIL PROTECTED]> wrote: > It appears that Java attacks for causing external IP data to be leaked > can be mitigated to some good degree. The upshot is that you can now run > Java applets that even when attempting to phone home directly (revealing > your IP), they are routed through the socks port > ... [ discussion of deployment.properties for socks setup ] the last time i looked into this (over a year ago) the socks proxy settings, either 4 or 5, still did name lookup external to the proxy (not 4a nor 5 with names). this means the same DNS resolution tricks to leak your IP will work, even if the simpler "open a TCP sock to eve" does not. i think HD Moore's revealer used this as one of the tricks, so it might be worth checking against that with an updated deployment.properties to confirm. if you really want to use java you should use it behind a transparent Tor proxy. best regards,
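The distinction drawn in this reply, and in the two "javaprogram using tor" replies earlier on this page, is a wire-format one: SOCKS4 has room only for an IPv4 address, so whoever speaks it must resolve the name first, while SOCKS4a and SOCKS5 with a domain-name address hand the name to the proxy. The following is an added example, not code from any poster, Tor or the JRE, that builds the three CONNECT requests and classifies captured ones; the resolver is injected so the leaking step is observable without touching the network, and the resolver and address in the demo are constructed.

```python
"""SOCKS CONNECT requests as Tor sees them, and where the DNS lookup happens."""
import socket
import struct


def socks4_connect(host, port, resolve=socket.gethostbyname):
    """SOCKS4 CONNECT. The request carries only a 4-byte IPv4 address, so the
    client must turn `host` into an address before it can talk to the proxy.
    That lookup goes to the local resolver, outside Tor: this is the leak."""
    ip = socket.inet_aton(resolve(host))                 # <-- the leaking step
    # VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, empty USERID terminated by NUL
    return struct.pack("!BBH", 0x04, 0x01, port) + ip + b"\x00"


def socks4a_connect(host, port):
    """SOCKS4a CONNECT: DSTIP is 0.0.0.x (x != 0) and the hostname follows the
    empty USERID, so the proxy performs the lookup. Tor accepts this."""
    return (struct.pack("!BBH", 0x04, 0x01, port)
            + b"\x00\x00\x00\x01"                        # "invalid" address: name follows
            + b"\x00"                                    # empty USERID
            + host.encode("idna") + b"\x00")


def socks5_connect(host, port):
    """SOCKS5 CONNECT with ATYP 0x03 (domain name); sent after the method
    handshake (05 01 00 / 05 00) in a real session. A client that resolves
    first and sends ATYP 0x01 leaks exactly like SOCKS4 does."""
    name = host.encode("idna")
    return (struct.pack("!BBBB", 0x05, 0x01, 0x00, 0x03)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def resolved_at_proxy(request):
    """Classify a CONNECT request as (variant, proxy_resolves_name).
    Useful for checking what an application really emits on its SOCKS port."""
    if request[0] == 0x04:
        dstip = request[4:8]
        userid_end = request.index(b"\x00", 8)
        if (dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0
                and len(request) > userid_end + 1):
            return "socks4a", True
        return "socks4", False
    if request[0] == 0x05:
        return "socks5", request[3] == 0x03
    raise ValueError("not a SOCKS CONNECT request")


if __name__ == "__main__":
    seen = []

    def fake_resolve(name):            # constructed stand-in for gethostbyname
        seen.append(name)
        return "93.184.216.34"         # constructed answer, never looked up

    for req in (socks4_connect("example.com", 80, fake_resolve),
                socks4a_connect("example.com", 80),
                socks5_connect("example.com", 443)):
        print(resolved_at_proxy(req), req.hex())
    print("names resolved locally:", seen)   # only the SOCKS4 case
```

Pointing the classifier at a packet capture of the Java or tsocks SOCKS port is the quickest way to settle the question raised here for a given JRE: a SOCKS4 request with a real address, or a SOCKS5 request with ATYP 0x01, means the name was already resolved locally before the proxy saw it.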
Re: Help me understand tor with SSL?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Juliusz Chroboczek wrote: > Firefox should in principle not use the DNS if > > network.proxy.socks_remote_dns > > is set to true (in about:config). Hm, I'm not sure - I thought this option only works if you're using a SOCKS-proxy, e.g. connecting directly to the Tor-socks interface? Is that also true for http-style proxies? > Juliusz Alex. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) iQCVAwUBR1MJExYlVVSQ3uFxAQKkpgQAoaO14Cdw+U9XcUKylFkUaT4c6PEoNlWr G8DBZ8BwLtLw31I4mbNI5CwsGiqETG29c1zG0ydfXJHeHoPmCj9b8x7q3/sQpxQn TgDWWlM2pNtx4EkczCQaprkbFjctu66dDk/pI2UYeosEvL26L0rRRqWt2NoAX6gg sP+nszQAyxQ= =gM35 -END PGP SIGNATURE-
Re: Insecurities in Privoxy Configurations - Details
> 1) Those of us who use polipo should pay attention too, and make sure > to put > disableLocalInterface=true > in our polipo config file. Otherwise a remote attacker can reconfigure > our polipo out from underneath us, examine our cache to see where we've > been browsing, etc. FWIW, both the cache index and the list of recently accessed servers are disabled by default. Reconfiguring Polipo is enabled by default, and I agree that it is a good idea to disable it, as suggested by Roger above. I'm trying to put together all hints about running Polipo with Tor on http://www.pps.jussieu.fr/~jch/software/polipo/tor.html Please send your additions to the [EMAIL PROTECTED] mailing list. Thanks, Juliusz
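As an added example (not from the message above or from the Polipo page it links to), a Polipo configuration for use in front of Tor with the local interface shut off, shown against the default it replaces. The port numbers are assumptions: 8118 is where the browser's HTTP proxy setting points, 9050 is Tor's default SocksPort.

```text
# Polipo config, Tor in front of it; listen on loopback only.
proxyAddress = "127.0.0.1"
proxyPort = 8118
allowedClients = 127.0.0.1

# Forward everything to Tor over SOCKS5, so hostnames are resolved by Tor.
socksParentProxy = "127.0.0.1:9050"
socksProxyType = socks5

# Default: the local web interface (http://localhost:8118/polipo/) stays
# reachable from the browser, which is what lets it be reconfigured
# out from under you.
# disableLocalInterface = false

# Hardened: no local interface, so nothing can reconfigure Polipo, and the
# cache index and server list (already off by default) are off explicitly.
disableLocalInterface = true
disableConfiguration = true
disableIndexing = true
disableServersList = true
```

After restarting Polipo, a request for http://localhost:8118/polipo/ from the browser should no longer return the status and configuration pages; if it does, the config file being read is not the one you edited.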
Re: Help me understand tor with SSL?
> Using privoxy is necessary because > browsers leak your DNS requests when > they use a SOCKS proxy directly, > which is bad for your anonymity. Firefox should in principle not use the DNS if network.proxy.socks_remote_dns is set to true (in about:config). > Privoxy also removes certain > dangerous headers from your web > requests, and blocks obnoxious ad > sites like Doubleclick. This is better done in the browser, for quite a few reasons, including the fact that there is no way a proxy can do that for SSL connections. Juliusz
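For the Firefox case, here is the pref set that the reply above is about, as an added example rather than text from either message. It assumes Tor listening on 127.0.0.1:9050 and shows the leaking default next to the setting that sends hostnames to Tor; the keys are the same in about:config.

```text
// user.js -- leaky form (commented out): SOCKS proxy configured, but the
// browser resolves each hostname itself before connecting to the proxy,
// so every site you visit is seen by your normal resolver.
// user_pref("network.proxy.type", 1);
// user_pref("network.proxy.socks", "127.0.0.1");
// user_pref("network.proxy.socks_port", 9050);
// user_pref("network.proxy.socks_version", 5);
// user_pref("network.proxy.socks_remote_dns", false);   // the default

// Fixed form: same SOCKS settings, names handed to Tor for resolution.
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);

// Leave the HTTP/SSL proxy fields empty so nothing bypasses the SOCKS path;
// with an HTTP proxy (Privoxy, Polipo) configured instead, the proxy does
// the name lookup and socks_remote_dns has no effect on those requests.
user_pref("network.proxy.http", "");
user_pref("network.proxy.ssl", "");
user_pref("network.proxy.no_proxies_on", "");
```

A quick check after restarting the browser: a packet capture on the local interface should show no UDP port 53 traffic from Firefox while browsing, only the loopback connection to 9050.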
Reducing java leakage in windows
It appears that Java attacks for causing external IP data to be leaked can be mitigated to some good degree. The upshot is that you can now run Java applets that even when attempting to phone home directly (revealing your IP), they are routed through the socks port and thus Tor or any other socks speaking application. What we are doing is changing the proxy settings of the Java Control Panel in windows.

The following will shortly be applied to xB Browser after testing, and I highly suggest it for other proxy programs. Needs lots of testing of course, and I would also like to know if Java applets can acquire the authority to modify that file as well. May require administrative access, but I imagine Vista will popup a priv escalation window. There are probably variations in the directories and syntax if you are running JRE <1.4. A good indicator of old versioning is to see if your shoes employ the use of velcro, you have a pair of 'jams' in your closet, or you've found yourself to be too legitimate to quit.

Regards,
Steve Topletz

-

1. Look for $APPDATA\Sun\Java\Deployment\deployment.properties
   If there is no deployment.properties file there, try all administrative usernames we can enumerate until we find the file. This is not a certainty.
2. Back up deployment.properties to a new file name.
3. Open it up
4. Read and store all lines beginning with "deployment.version"
5. Read and store all lines beginning with "deployment.javapi"
6. Close the file
7. Create a new file deployment.properties where the old one was.
8. Open the file
9. Insert the following lines

      #deployment.properties
      deployment.system.tray.icon=false
      deployment.browser.vm.iexplorer=false
      deployment.proxy.socks.host=localhost
      deployment.proxy.type=1
      deployment.proxy.same=true
      deployment.browser.vm.mozilla=false
      deployment.capture.mime.types=true
      deployment.proxy.socks.port=8080

   (where port 8080 is your socks port. in Tor, use 9050 by default)
10. Write all previously stored lines from old opened file.
11. Close the new deployment.properties

Continue starting your proxy program

On program exit...

12. Delete the deployment.properties file we created.
13. Restore the deployment.properties file we backed up.
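The procedure above as a script, added here as an example and not xB Browser's own code. It covers the single-user case only (the "try other administrative usernames" fallback in step 1 is left out), assumes the Java 1.5/6 file location, '=' as the key/value separator and ISO-8859-1 encoding (what the JRE writes), and the sample properties file in the demo is constructed. As the replies in this thread point out, this only redirects applets that honour the control-panel proxy settings; it does nothing about an applet that opens its own socket or resolves names locally.

```python
"""Replace the JRE's deployment.properties with a SOCKS-only version and restore it."""
import os
import shutil

KEEP_PREFIXES = ("deployment.version", "deployment.javapi")   # steps 4 and 5


def socks_settings(host="localhost", port=9050):
    """The lines from step 9; 9050 is Tor's default SocksPort."""
    return {
        "deployment.system.tray.icon": "false",
        "deployment.browser.vm.iexplorer": "false",
        "deployment.browser.vm.mozilla": "false",
        "deployment.capture.mime.types": "true",
        "deployment.proxy.type": "1",          # 1 = manual proxy configuration
        "deployment.proxy.same": "true",
        "deployment.proxy.socks.host": host,
        "deployment.proxy.socks.port": str(port),
    }


def rewrite(original, host="localhost", port=9050):
    """Steps 4-10 on the file's text: keep only the version/javapi lines the
    installer wrote and prepend the proxy settings. Everything else from the
    old file, including any 'use browser proxy' setting, is dropped."""
    kept = [ln for ln in original.splitlines() if ln.startswith(KEEP_PREFIXES)]
    body = ["#deployment.properties"]
    body += [f"{k}={v}" for k, v in socks_settings(host, port).items()]
    return "\n".join(body + kept) + "\n"


def parse(text):
    """Minimal java.util.Properties reader ('=' separator, '#'/'!' comments)."""
    props = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if ln and not ln.startswith(("#", "!")):
            key, _, val = ln.partition("=")
            props[key.strip()] = val.strip()
    return props


def default_path():
    """%APPDATA%\\Sun\\Java\\Deployment\\deployment.properties (step 1)."""
    base = os.environ.get("APPDATA") or os.path.expanduser("~")
    return os.path.join(base, "Sun", "Java", "Deployment", "deployment.properties")


def install(path, host="localhost", port=9050):
    """Steps 1-11: back up the file if it exists and write the replacement."""
    backup = path + ".bak"
    original = ""
    if os.path.exists(path):
        shutil.copy2(path, backup)
        with open(path, encoding="latin-1") as f:
            original = f.read()
    with open(path, "w", encoding="latin-1") as f:
        f.write(rewrite(original, host, port))
    return backup


def restore(path):
    """Steps 12-13: drop our file and put the backup back, if there was one."""
    backup = path + ".bak"
    if os.path.exists(backup):
        shutil.move(backup, path)
    elif os.path.exists(path):
        os.remove(path)


if __name__ == "__main__":
    import tempfile
    # Constructed sample of what a JRE installer leaves behind; the real file
    # lives at default_path() on a Windows box.
    sample = ("#Sun Java Deployment Properties\n"
              "deployment.version=1.5\n"
              "deployment.javapi.jre.1.6.0_03.path=C\\:\\\\Program Files\\\\Java"
              "\\\\jre1.6.0_03\\\\bin\\\\java.exe\n"
              "deployment.proxy.type=3\n")
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "deployment.properties")
    with open(path, "w", encoding="latin-1") as f:
        f.write(sample)
    install(path, port=8080)                     # on proxy start
    with open(path, encoding="latin-1") as f:
        print(f.read())
    restore(path)                                # on proxy exit
    with open(path, encoding="latin-1") as f:
        assert f.read() == sample
    shutil.rmtree(workdir)
```

Run install() when the proxy program starts and restore() in its exit path; a crash between the two leaves the SOCKS-only file in place, which fails closed for applets (they cannot reach the network unless the SOCKS port is up) rather than falling back to a direct connection.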