Re: Ports 443 & 80

2008-05-18 Thread Kasimir Gabert
On Sun, May 18, 2008 at 2:38 PM, Scott Bennett <[EMAIL PROTECTED]> wrote:
> On Sat, 17 May 2008 18:53:35 -0500 Nathaniel Dube <[EMAIL PROTECTED]>
> wrote:
[snipped]
>>DirPort 80
>>DirListenAddress 0.0.0.0:9091
>
> No, no, no.  You've misunderstood the documentation pretty thoroughly.
> First, the firewall referred to is not your "software firewall" for Windows.
> The final image file you list above shows that your router is allowing packets
> through with address redirection but not port redirection.  Use the following
> in torrc:
>
> Address  [whatever your router's external IP address is]
> ORPort 443
> ORListenAddress 0.0.0.0:443
> DirPort 80
> DirListenAddress 0.0.0.0:80
>
> Undo all the stuff you did in your Windows firewall that is displayed in the
> other image files you mention above.  Now make sure that your Windows firewall
> allows tor to receive packets on ports 443 and 80 and to transmit packets on
> any port.
> That's all you need to do for the way you have your router configured.
>>
>>Also, here's the log when I run tor in Konsole as root.  I know, don't run Tor
>>as root.  I'm just doing that to test it to make sure it's working before I
>>set it to start on boot under the "tor" user.
>
> Why would you run something as root *before* you test it?  In any case,
> if you're running Windows, "root" is sort of meaningless.
>
>
>  Scott Bennett, Comm. ASMELG, CFIAG
> **
> * Internet:   bennett at cs.niu.edu  *
> **
> * "A well regulated and disciplined militia, is at all times a good  *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army."   *
> *-- Gov. John Hancock, New York Journal, 28 January 1790 *
> **
>

I'm not too sure where you are getting the Windows argument from.  All
of the pictures I can find appear to be on a Linux distribution, and
it is mentioned above that this set is on OpenSUSE.

Kasimir


-- 
Kasimir Gabert


Re: lots of DMCA request's... (1/day)

2008-05-18 Thread Geoffrey Goodell
On Sun, May 18, 2008 at 04:58:08PM -0400, Brian Puccio wrote:
> On May 15, 2008, at 6:56 PM, [EMAIL PROTECTED] wrote:
>
>> Hi everyone, I run an exit node (nickname: swopusa), and now I'm  
>> averaging 1 DMCA request per day for TV shows, movies and the like,  
>> from paramount, NBC universal, etc.
>>
>> I do BW limiting @ 100k/sec -- 2GB/day.  Otherwise it's the default  
>> configuration.
>>
>> I'm really not all that smart about tor, I've never even used it as a 
>> client. I don't mind occasional DMCA requests but 1 a day is starting 
>> to piss off my ISP (linode.com) and frustrate me.
>
> For what it is worth, here is Linode's position on running an exit node:
>
> http://www.linode.com/forums/viewtopic.php?t=3082

The comment from caker is important:

http://www.linode.com/forums/viewtopic.php?p=14063&sid=d0c8a8f83495edf787592499f4fdb5f5#14063

"Eventually, we'd run tired of handling these and ask you to knock it
off."

Linode staff are exercising discretion in determining which
circumstances warrant threatening their customers with disconnection.
There is no refinable, repeatable way for a customer to know whether her
deployment of a Tor exit node is acceptable to Linode or not -- that
decision rests squarely with Linode on a case-by-case basis.

Unchecked discretion offers an opportunity for discrimination.  Who is to
say that some customers running Tor nodes will not cause Linode admins to
"run tired" sooner than others for reasons entirely unrelated to the
activity of their exit nodes?

What is not clear is why Linode staffers want to take on such
responsibility -- do they really want to be in a position of judging
what constitutes acceptable behavior and what does not, any more than is
necessary to satisfy legal requirements and fairness issues with respect
to network performance?



Re: ContactInfo?

2008-05-18 Thread Karsten Loesing


Hey Nathaniel,

| In the torrc file is the ContactInfo option.  Here's an example.
|
| #ContactInfo 1234D/ Random Person 
|
| My question is, what format should I put my GPG key?

That doesn't matter so much. The intention of the contact line is not to
parse it automatically (previous attempts were not very successful), but
for it to be read by humans. In fact, it might be better to obfuscate that
line a bit in order to prevent the bots from collecting your address -- or
make their "lives" a bit harder. Further, in most cases your GPG key won't be
used to encrypt notice messages to you or verify your mails to us anyway.

By the way, thank you for running a relay!

--Karsten


Re: USAF wants to violate federal criminal law

2008-05-18 Thread Wilfred L. Guerin
if that was the case, kids, then how does the client read it? Your DHS
airport x-ray machines are a third type of "accepts interference", not
to mention whatever is in your belly.

Try wrapping 1 bit encryption keys in infinite wrappers, and see if
hushmail.ai makes any difference.

Welcome to New Haven-Co.

Traffic on a single wire is only a wire. Especially when the entire
system is a false ploy to begin with.

hilariously, DieBold!


On 5/18/08, Ben Wilhelm <[EMAIL PROTECTED]> wrote:
> Wilfred L. Guerin wrote:
>> Even worse, you read FCC Part 15 rules and ask "why would I WANT it to
>> ACCEPT INTERFERENCE??"
>
> You may want to read
> http://www.proz.com/kudoz/english/electronics_elect_eng/1105076-device_must_accept_any_interference_received.html
> for information on what "accept interference" means. Basically, it means
> that it must not explode or melt down - not that it must take orders
> from arbitrary other people and send them your credit card numbers.
>
>  > This httpS message sends the wire negotiated encryption key over the
>  > wire WITH the "encrypted" data. Do you frequently write the lock
>  > combination on the safe or tape the key to the lock when it is left in
>  > hostile environments?
>
> I think you really, really need to go learn more about cryptography and
> the https protocol, as there's no point where what you described
> actually happens. The closest is when the client sends a chunk of random
> data to the server, which they both use to generate the encryption keys
> . . . and this only happens once it's already encrypted by the server's
> public key, meaning nobody besides the server can read it.
>
> As a side note, HTTPS is basically HTTP wrapped in an SSL/TLS session .
> . . and guess what Tor uses? If it's as insecure as you claim, Tor is
> pretty hilariously broken.
>
> -Ben
>


Re: lots of DMCA request's... (1/day)

2008-05-18 Thread Brian Puccio

On May 15, 2008, at 6:56 PM, [EMAIL PROTECTED] wrote:

> Hi everyone, I run an exit node (nickname: swopusa), and now I'm
> averaging 1 DMCA request per day for TV shows, movies and the like,
> from paramount, NBC universal, etc.
>
> I do BW limiting @ 100k/sec -- 2GB/day.  Otherwise it's the default
> configuration.
>
> I'm really not all that smart about tor, I've never even used it as
> a client. I don't mind occasional DMCA requests but 1 a day is
> starting to piss off my ISP (linode.com) and frustrate me.


For what it is worth, here is Linode's position on running an exit node:

http://www.linode.com/forums/viewtopic.php?t=3082


Re: USAF wants to violate federal criminal law

2008-05-18 Thread Scott Bennett
 On Sun, 18 May 2008 13:10:01 -0700 Ben Wilhelm <[EMAIL PROTECTED]>
wrote:
>Scott Bennett wrote:
>> It's
>> worth noting that the BSD users and even LINUX users don't have Windows
>> users' problem of always having to watch where they step to avoid falling
>> through security holes.
>
>Yes, the great strength of Linux is that there are never massive 
>pervasive security holes, and even if there were, they would certainly 
>be fixed within days.
>
>Oh wait, http://www.theregister.co.uk/2008/05/16/debian_openssl_flaw/ - 
>whoops! Linux has serious long-term security breaches also!
>
>Well, at least there aren't any constantly-exploited packages with a 
>history of insecurity that are still commonly used, oh wait ha ha 
>http://www.phpbb.com/ yes there are.
>
>Is Linux *more secure*? Absolutely. Does Linux let you walk along in 
>cheerful oblivion, knowing that the Grandmaster of Linux won't let any 
>security holes onto your computer? Not in the least. If you don't watch 
>where you go, you won't fall through as *many* security holes - but 
>you'll still fall through a few.
>
>Claiming that isn't the case, especially with such a horrible 
>counterexample mere days ago, isn't really inclined to make people 
>believe you.
>
 I really don't know how you got that from what I wrote.  I have never
claimed that any operating system was completely free of security problems.
I simply wrote that Windows has orders of magnitude more security problems
than LINUX or the BSDs, which is clearly the case.
 Please do try to read more carefully before you get your blood pressure
up.




Re: Ports 443 & 80

2008-05-18 Thread Ben Wilhelm


As I understand it, there's still a problem here - Tor thinks it's 
listening on port 9001, so it'll advertise to the directories that it's 
waiting on port 9001. Which obviously won't work all that well if they 
have to connect to port 80.


Here's what the relevant section of my torrc looks like:

## Required: what port to advertise for Tor connections.
ORPort 80
## If you want to listen on a port other than the one advertised
## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
## line below too. You'll need to do ipchains or other port forwarding
## yourself to make this work.
ORListenAddress 0.0.0.0:8080

There's a chunk below it for directory ports also, although I have that 
disabled due to low bandwidth.


-Ben

Nathaniel Dube wrote:

> I just tried something else and I managed to get it working. :-)  The problem
> was I was overthinking the solution.  I set the ports in torrc back to their
> defaults ORPort 9001 & DirPort 9030.
>
> Instead, what I did was have the port forwarding on the router level...
> 443 --> 9001 & 80 --> 9030.  Then I had the router forward ports 9001 & 9030
> to my private IP on the network.  So now I only need open ports 9001 & 9030
> on my local software firewall.
>
> This solution is the easiest and most efficient way I can see doing it.  I
> hope this helps out everyone else.  Here's my entire torrc so everyone
> knows what settings I used to get it working.
>
> SocksPort 9050
> SocksListenAddress 127.0.0.1
> DataDirectory /home/tor/.tor
> ControlPort 9051
> Nickname [Left Out]
> ContactInfo [Left Out]
> ORPort 9001
> DirPort 9030
>
> It's with this torrc and hardware router settings I managed to get everything
> working.  Thanks everyone for all the help.




Re: Ports 443 & 80

2008-05-18 Thread Nathaniel Dube
On Sunday 18 May 2008 12:50:27 pm morphium wrote:
> why don't you set ORListenAddress to 0.0.0.0:443 and don't do anything
> with your firewall?
I'm running Linux.  You can only open certain lower ports (such as 80 & 443) 
in root.  And it's bad to run tor as root.


Re: Ports 443 & 80

2008-05-18 Thread Nathaniel Dube
I just tried something else and I managed to get it working. :-)  The problem 
was I was overthinking the solution.  I set the ports in torrc back to their 
defaults ORPort 9001 & DirPort 9030.

Instead, what I did was have the port forwarding on the router level...  
443 --> 9001 & 80 --> 9030.  Then I had the router forward ports 9001 & 9030 
to my private IP on the network.  So now I only need open ports 9001 & 9030 
on my local software firewall.

This solution is the easiest and most efficient way I can see doing it.  I 
hope this helps out everyone else.  Here's my entire torrc so everyone 
knows what settings I used to get it working.

SocksPort 9050
SocksListenAddress 127.0.0.1
DataDirectory /home/tor/.tor
ControlPort 9051
Nickname [Left Out]
ContactInfo [Left Out]
ORPort 9001
DirPort 9030

It's with this torrc and hardware router settings I managed to get everything 
working.  Thanks everyone for all the help.


Re: USAF wants to violate federal criminal law

2008-05-18 Thread Ben Wilhelm

Wilfred L. Guerin wrote:

> Even worse, you read FCC Part 15 rules and ask "why would I WANT it to
> ACCEPT INTERFERENCE??"


You may want to read 
http://www.proz.com/kudoz/english/electronics_elect_eng/1105076-device_must_accept_any_interference_received.html 
for information on what "accept interference" means. Basically, it means 
that it must not explode or melt down - not that it must take orders 
from arbitrary other people and send them your credit card numbers.


> This httpS message sends the wire negotiated encryption key over the
> wire WITH the "encrypted" data. Do you frequently write the lock
> combination on the safe or tape the key to the lock when it is left in
> hostile environments?

I think you really, really need to go learn more about cryptography and 
the https protocol, as there's no point where what you described 
actually happens. The closest is when the client sends a chunk of random 
data to the server, which they both use to generate the encryption keys 
. . . and this only happens once it's already encrypted by the server's 
public key, meaning nobody besides the server can read it.


As a side note, HTTPS is basically HTTP wrapped in an SSL/TLS session . 
. . and guess what Tor uses? If it's as insecure as you claim, Tor is 
pretty hilariously broken.


-Ben


Re: USAF wants to violate federal criminal law

2008-05-18 Thread Ben Wilhelm


Scott Bennett wrote:

> It's
> worth noting that the BSD users and even LINUX users don't have Windows
> users' problem of always having to watch where they step to avoid falling
> through security holes.


Yes, the great strength of Linux is that there are never massive 
pervasive security holes, and even if there were, they would certainly 
be fixed within days.


Oh wait, http://www.theregister.co.uk/2008/05/16/debian_openssl_flaw/ - 
whoops! Linux has serious long-term security breaches also!


Well, at least there aren't any constantly-exploited packages with a 
history of insecurity that are still commonly used, oh wait ha ha 
http://www.phpbb.com/ yes there are.


Is Linux *more secure*? Absolutely. Does Linux let you walk along in 
cheerful oblivion, knowing that the Grandmaster of Linux won't let any 
security holes onto your computer? Not in the least. If you don't watch 
where you go, you won't fall through as *many* security holes - but 
you'll still fall through a few.


Claiming that isn't the case, especially with such a horrible 
counterexample mere days ago, isn't really inclined to make people 
believe you.


-Ben


Re: USAF wants to violate federal criminal law

2008-05-18 Thread Wilfred L. Guerin
"some secret deal..."

This is what DMCA was designed to contradict. It is illegal to have an
awareness of deadly threats against you, no less exploits embedded in
disinformation systems.

Simply knowing about interference between signals, ripples interacting
in a pool of water, or patterns in the sand gets you on the terrorist
watch list.

God forbid you realize you can manually audit your chip or device with
a hammer and microscope by eye.

Even worse, you read FCC Part 15 rules and ask "why would I WANT it to
ACCEPT INTERFERENCE??"

And beyond, that "Stealth" on missiles and funny shaped airplanes has
nothing to do with insulative coatings on common materials and more to
do with very large observation and jamming systems emanating from
nowhere near the vehicle or the targeted "fcc compliant" sensor
devices.

Welcome to the modern era, children.

This httpS message sends the wire negotiated encryption key over the
wire WITH the "encrypted" data. Do you frequently write the lock
combination on the safe or tape the key to the lock when it is left in
hostile environments?

DieBold!


On 5/18/08, Scott Bennett <[EMAIL PROTECTED]> wrote:
>  On Sun, 18 May 2008 16:25:58 +0200 Andrew <[EMAIL PROTECTED]> wrote:
>>Scott Bennett wrote:
>>>  For those who are interested in seeing how little difference in
>>> principle
>>> there is between the U.S. government of today and that of Stalin's
>>> U.S.S.R. of
>>> yesterday, check out the article at
>>>
>>> http://blog.wired.com/defense/2008/05/air-force-mater.html
>>>
>>> which discusses the Air Force's desire to be able to take over any and
>>> every
>>> computer on the net, regardless of where those computers may be.  They
>>> want
>>> not only to be able to take control of those computers, but also to be
>>> able
>>> to install undetectable spyware.
>>>
>>Sure, I want to take over every computer on the net too...
>>And by the way, so does the German Federal Police (BKA). Doesn't mean
>>they can.
>>Luckily there's always an antivirus-company outside of these countries'
>>jurisdiction so any "Federal Spyware" would still be detected as exactly
>>that: Spyware. No German, or U.S., law will stop Kaspersky from treating
>>that thing as what it is. On the contrary, it's a good sales argument
>>for Kaspersky ;)
>
>  Yes, yes, of course.  Although there does seem to be a fairly steady
> flow of things that go undetected by all the major security packages for
> Windows for quite some time before they get noticed and dealt with.  It's
> worth noting that the BSD users and even LINUX users don't have Windows
> users' problem of always having to watch where they step to avoid falling
> through security holes.  In fact, pretty much any other operating system
> seems to be orders of magnitude safer than Windows, so that isn't what
> worries me.
>>
>>I don't really think this is a threat to the average user or even
>>criminal. If they were really going to use a Federal Virus of some sort,
>>it would have to be custom-developed for each and every target so it
>>won't be detected easily. And no government can afford to employ
>>something that expensive on a larger scale.
>>At least I hope so.
>>
>  Do we know for certain that the feds haven't worked some deal with
> the chip manufacturers?  (I think it's only reasonable to operate on the
> assumption that Microslop may well have made a deal with them.  What I
> want to know is whether uglier approaches will be used to violate federal
> statute that might affect better operating systems.)  What can they have
> built into things like keyboards, motherboard chip sets, even DIMMs and
> other memory cards, that might escape notice indefinitely?  Are there
> other potential methods?


Re: USAF wants to violate federal criminal law

2008-05-18 Thread Curious Kid
Scott Bennett <[EMAIL PROTECTED]> wrote:

> Do we know for certain that the feds haven't worked some deal with
> the chip manufacturers?  (I think it's only reasonable to operate on the
> assumption that Microslop may well have made a deal with them.  What I
> want to know is whether uglier approaches will be used to violate federal
> statute that might affect better operating systems.)  What can they have
> built into things like keyboards, motherboard chip sets, even DIMMs and
> other memory cards, that might escape notice indefinitely?  Are there
> other potential methods?

They can build networked computing devices into wires. Imagine Ethernet, USB
and keyboard cables all capable of phoning home. They could sell them at Best
Buy.

   

Re: USAF wants to violate federal criminal law

2008-05-18 Thread Wilfred L. Guerin
Part 15 of the FCC Rules.

Ever wonder what those excessively long exposed wires between chips in
your computer are designed to do when they are intrinsically not
necessary?

Why there (per policy) must be conventional electrical communication
between physical chips where that implementation is fundamentally
invalid and should always be one single chip?

diebold.



On 5/18/08, Scott Bennett <[EMAIL PROTECTED]> wrote:
>  For those who are interested in seeing how little difference in
> principle
> there is between the U.S. government of today and that of Stalin's U.S.S.R.
> of
> yesterday, check out the article at
>
>   http://blog.wired.com/defense/2008/05/air-force-mater.html
>
> which discusses the Air Force's desire to be able to take over any and every
> computer on the net, regardless of where those computers may be.  They want
> not only to be able to take control of those computers, but also to be able
> to install undetectable spyware.


Re: lots of DMCA request's... (1/day)

2008-05-18 Thread Anonymous via Panta Rhei
[EMAIL PROTECTED] wrote:

> I'm really not all that smart about tor, I've never even used it as a
> client. I don't mind occasional DMCA requests but 1 a day is starting to
> piss off my ISP (linode.com) and frustrate me.
>
> Any one have thoughts, besides NOT running an exit node?

Don't know about the DMCA bots, but some people don't try to shoot the
messenger. It probably won't solve your problem, but you could try to
make it more obvious that you are running Tor, like some of the other
exit nodes do.

You could change the hostname that will show up in server logs from
plm.swopusa.org to the more descriptive tor-anon-proxy.swopusa.org.

The website at plm.swopusa.org only says "It works!" You could change
this to the don't blame me template.

https://tor-svn.freehaven.net/svn/tor/trunk/contrib/tor-exit-notice.html

This is what it says to DMCA complainers:

"If you are a representative of a company who feels that this router is
being used to violate the DMCA, please be aware that this machine does
not host or contain any illegal content. Also be aware that network
infrastructure maintainers are not liable for the type of content that
passes over their equipment, in accordance with DMCA "safe harbor"
provisions. In other words, you will have just as much luck sending a
takedown notice to the Internet backbone providers. Please consult EFF's
prepared response for more information on this matter."




Re: Traffic on a node

2008-05-18 Thread BarkerJr
I'd just use the throughput graph in Vidalia.  If there are unexpected
spikes, then people are using it.  It'll take a few hours before your
node gets popular enough to attract much traffic.

Look for your node here: https://torstatus.blutmagie.de

On Sat, May 17, 2008 at 2:59 PM,  <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have setup a middle node on my PC (Win XP). The Vidalia log says all is ok, 
> but the node is not listed yet in the list on Vidalia.
>
> Moreover, how can I see which traffic there is on my node? Or at least IF 
> there is any traffic?!
>
> Thank you


Re: Ports 443 & 80

2008-05-18 Thread morphium
why don't you set ORListenAddress to 0.0.0.0:443 and don't do anything
with your firewall?


2008/5/18, Nathaniel Dube <[EMAIL PROTECTED]>:
> I read somewhere that you can use ports 443 and 80 to help out people stuck
>  behind really restrictive firewalls.  I've been trying to manually configure
>  Tor to do just that.  I've configured the router for port forwarding.  I'm
>  pretty sure I did the same for my Linux firewall.  I told the firewall to
>  listen on ports 443/80 and redirect to 9090/9091.  So the way I understand it
>  is, Tor servers/clients should be trying to connect to ports 443/80 --> my
>  router listens on 443/80 and bounces to my firewall --> my firewall listens
>  to 443/80 and bounces to 9090/9091 which the tor server is really listening
>  in on.  I'm running openSUSE 10.3.  I used yast to set the firewall.  If I
>  understand what I'm doing I use the "Masquerading" section to do firewall
>  port forwarding.  Which I'm pretty sure I did correctly but for some reason
>  servers/clients are still unable to connect to my tor server.
>
>  I could really use some help getting this working.  I can get the normal 
> ports
>  working no problem and have my server join the tor network.  It's when I try
>  doing the port 443/80 trick that things get hairy.
>
>  Here are screenshots of my configuration screens I did for the port
>  forwarding.
>
>  http://img246.imageshack.us/img246/303/443zb6.png
>  http://img265.imageshack.us/img265/1403/80xv7.png
>  http://img253.imageshack.us/img253/483/yastmasqsm4.png
>  http://img253.imageshack.us/img253/2820/yastrulesyl0.png
>  http://img338.imageshack.us/img338/5127/routerpn3.png
>
>  Here's portions of tor's config file.  I Xed out stuff that might be
>  considered a security risk on my part.
>
>  SocksPort 9050
>  SocksListenAddress 127.0.0.1
>  DataDirectory /home/tor/.tor
>  ControlPort 9051
>
>  ORPort 443
>  ORListenAddress 0.0.0.0:9090
>  DirPort 80
>  DirListenAddress 0.0.0.0:9091
>
>  Also, here's the log when I run tor in Konsole as root.  I know, don't run 
> Tor
>  as root.  I'm just doing that to test it to make sure it's working before I
>  set it to start on boot under the "tor" user.
>
>  May 16 23:09:16.449 [notice] Tor v0.1.2.19. This is experimental software. Do
>  not rely on it for strong anonymity.
>  May 16 23:09:16.450 [notice] Initialized libevent version 1.3b using method
>  epoll. Good.
>  May 16 23:09:16.450 [notice] Opening OR listener on 0.0.0.0:9090
>  May 16 23:09:16.450 [notice] Opening Directory listener on 0.0.0.0:9091
>  May 16 23:09:16.450 [notice] Opening Socks listener on 127.0.0.1:9050
>  May 16 23:09:16.450 [notice] Opening Control listener on 127.0.0.1:9051
>  May 16 23:09:16.451 [warn] You are running Tor as root. You don't need to, 
> and
>  you probably shouldn't.
>  May 16 23:09:16.642 [notice] Your Tor server's identity key fingerprint
>  is 'XXX'
>  May 16 23:09:18.240 [notice] We now have enough directory information to 
> build
>  circuits.
>  May 16 23:09:18.438 [notice] Guessed our IP address as X.
>  May 16 23:09:21.856 [notice] Tor has successfully opened a circuit. Looks 
> like
>  client functionality is working.
>  May 16 23:09:21.856 [notice] Now checking whether ORPort XXX:443 and
>  DirPort :80 are reachable... (this may take up to 20 minutes --
>  look for log messages indicating success)
>  May 16 23:29:18.900 [warn] Your server (XXX:443) has not managed to
>  confirm that its ORPort is reachable. Please check your firewalls, ports,
>  address, /etc/hosts file, etc.
>  May 16 23:29:18.900 [warn] Your server (XX:80) has not managed to
>  confirm that its DirPort is reachable. Please check your firewalls, ports,
>  address, /etc/hosts file, etc.
>


Re: Ports 443 & 80

2008-05-18 Thread Robert W Capps II

Oops, the DirPort section of the sample should have read:

  ## Optional: what port to advertise for TOR directory connections.
  DirPort 80
  DirListenAddress 2.2.2.2:9091




On May 18, 2008, at 10:38 AM, Robert W Capps II wrote:

> I've not tried to setup a TOR node with your config, but I'll tell
> you how I got mine to work:
>
> Assumptions for the following configuration:
>
>  1.1.1.1 - Public IP address of Firewall (assumes you are using NAT
>  internally)
>
>  2.2.2.2 - Private IP address in use on the TOR server
>  :9090 - Private OR Port
>  :443   - Public OR Port
>  :9091 - Private DIR Port
>  :80 - Public DIR Port
>
> First I set my firewall up to accept the following external ports,
> and forward them to the TOR server - basically port forwarding with
> NAT:
>
>  1.1.1.1:443 -NAT and port forward to-> 2.2.2.2:9090
>  1.1.1.1:80   -NAT and port forward to-> 2.2.2.2:9091
>
> The TOR server was then configured to listen locally for TOR traffic
> on 2.2.2.2:9090 and 2.2.2.2:9091, so you'll need to set the
> following items in your torrc file:
>
>  ## The IP or FQDN for your server. Leave commented out and Tor will guess.
>  Address 1.1.1.1
>
>  ## Required: what port to advertise for Tor connections.
>  ORPort 443
>  ORListenAddress 2.2.2.2:9090
>
>  ## Optional: what port to advertise for TOR directory connections.
>  ## Uncomment this to mirror the directory for others.
>  DirPort 80
>  DirListenAddress 192.168.3.20:9091
>
> So, without validating your firewall setup, I would think you need
> to modify your 'ORListenAddress' and 'DIRListenAddress' to reflect
> the ACTUAL IP address (not 0.0.0.0) of your TOR server, and set your
> 'Address' value to the actual public IP address of your firewall
> (note, no port required on the 'Address' value).
>
> Hope this helps!
>
> Robert



> On May 17, 2008, at 4:53 PM, Nathaniel Dube wrote:
>
>> [snipped]

Re: Ports 443 & 80

2008-05-18 Thread Robert W Capps II
I've not tried to set up a TOR node with your config, but I'll tell you how I got mine to work:


Assumptions for the following configuration:

  1.1.1.1 - Public IP address of Firewall (assumes you are using NAT internally)

  2.2.2.2 - Private IP address in use on the TOR server
  :9090 - Private OR Port
  :443   - Public OR Port
  :9091 - Private DIR Port
  :80 - Public DIR Port

First I set my firewall up to accept the following external ports, and forward them to the TOR server - basically port forwarding with NAT:


  1.1.1.1:443 -NAT and port forward to-> 2.2.2.2:9090
  1.1.1.1:80   -NAT and port forward to-> 2.2.2.2:9091

The TOR server was then configured to listen locally for TOR traffic on 2.2.2.2:9090 and 2.2.2.2:9091, so you'll need to set the following items in your torrc file:


  ## The IP or FQDN for your server. Leave commented out and Tor will guess.
  Address 1.1.1.1

  ## Required: what port to advertise for Tor connections.
  ORPort 443
  ORListenAddress 2.2.2.2:9090

  ## Optional: what port to advertise for TOR directory connections. Uncomment this to mirror the directory for others.
  DirPort 80
  DirListenAddress 2.2.2.2:9091


So, without validating your firewall setup, I would think you need to modify your 'ORListenAddress' and 'DirListenAddress' to reflect the ACTUAL IP address (not 0.0.0.0) of your TOR server, and set your 'Address' value to the actual public IP address of your firewall (note, no port required on the 'Address' value).


Hope this helps!

Robert



On May 17, 2008, at 4:53 PM, Nathaniel Dube wrote:

I read somewhere that you can use ports 443 and 80 to help out people stuck behind really restrictive firewalls.  I've been trying to manually configure Tor to do just that.  I've configured the router for port forwarding.  I'm pretty sure I did the same for my Linux firewall.  I told the firewall to listen on ports 443/80 and redirect to 9090/9091.  So the way I understand it is, Tor servers/clients should be trying to connect to ports 443/80 --> my router listens on 443/80 and bounces to my firewall --> my firewall listens on 443/80 and bounces to 9090/9091, which the tor server is really listening on.  I'm running openSUSE 10.3.  I used yast to set the firewall.  If I understand what I'm doing, I use the "Masquerading" section to do firewall port forwarding.  I'm pretty sure I did that correctly, but for some reason servers/clients are still unable to connect to my tor server.

I could really use some help getting this working.  I can get the normal ports working no problem and have my server join the tor network.  It's when I try doing the port 443/80 trick that things get hairy.

Here are screenshots of my configuration screens I did for the port
forwarding.

http://img246.imageshack.us/img246/303/443zb6.png
http://img265.imageshack.us/img265/1403/80xv7.png
http://img253.imageshack.us/img253/483/yastmasqsm4.png
http://img253.imageshack.us/img253/2820/yastrulesyl0.png
http://img338.imageshack.us/img338/5127/routerpn3.png

Here's portions of tor's config file.  I Xed out stuff that might be
considered a security risk on my part.

SocksPort 9050
SocksListenAddress 127.0.0.1
DataDirectory /home/tor/.tor
ControlPort 9051

ORPort 443
ORListenAddress 0.0.0.0:9090
DirPort 80
DirListenAddress 0.0.0.0:9091

Also, here's the log when I run tor in Konsole as root.  I know, don't run Tor as root.  I'm just doing that to test it to make sure it's working before I set it to start on boot under the "tor" user.

May 16 23:09:16.449 [notice] Tor v0.1.2.19. This is experimental software. Do not rely on it for strong anonymity.
May 16 23:09:16.450 [notice] Initialized libevent version 1.3b using method epoll. Good.
May 16 23:09:16.450 [notice] Opening OR listener on 0.0.0.0:9090
May 16 23:09:16.450 [notice] Opening Directory listener on 0.0.0.0:9091
May 16 23:09:16.450 [notice] Opening Socks listener on 127.0.0.1:9050
May 16 23:09:16.450 [notice] Opening Control listener on 127.0.0.1:9051
May 16 23:09:16.451 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
May 16 23:09:16.642 [notice] Your Tor server's identity key fingerprint is 'XXX'
May 16 23:09:18.240 [notice] We now have enough directory information to build circuits.
May 16 23:09:18.438 [notice] Guessed our IP address as X.
May 16 23:09:21.856 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
May 16 23:09:21.856 [notice] Now checking whether ORPort XXX:443 and DirPort :80 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
May 16 23:29:18.900 [warn] Your server (XXX:443) has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
May 16 23:29:18.900 [warn] Your server (XX:80) has not manage
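
As an added example (not code from the thread or from Tor), the following Python script checks the three views of each relay port that this thread is about: the port Tor advertises (ORPort/DirPort), the port it actually binds (the *ListenAddress options), and the NAT rule the firewall applies. The NAT_RULES table and SAMPLE_TORRC are constructed from the 1.1.1.1/2.2.2.2 placeholders above.

```python
def parse_torrc(text):
    """Return {option: value} for the uncommented, non-empty torrc lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts


def check_relay(torrc, nat_rules, public_ip):
    """nat_rules: {(public_ip, public_port): (private_ip, private_port)}.
    Returns a list of findings; an empty list means advertised, forwarded
    and bound ports agree for both the OR and the directory listener."""
    opts = parse_torrc(torrc)
    findings = []
    if opts.get("Address", public_ip) != public_ip:
        findings.append(f"Address {opts['Address']} is not the public IP {public_ip}")
    for adv, listen in (("ORPort", "ORListenAddress"),
                        ("DirPort", "DirListenAddress")):
        if adv not in opts:
            continue
        adv_port = int(opts[adv])
        # Without a *ListenAddress, Tor binds the advertised port on all interfaces.
        host, _, port = opts.get(listen, f"0.0.0.0:{adv_port}").rpartition(":")
        target = nat_rules.get((public_ip, adv_port))
        if target is None:
            findings.append(f"{adv} {adv_port}: no NAT rule forwards {public_ip}:{adv_port}")
            continue
        target_ip, target_port = target
        if int(port) != target_port:
            findings.append(f"{listen}: bound to port {port}, NAT delivers to port {target_port}")
        # 0.0.0.0 binds every local interface, so it covers the private IP as well.
        if host not in ("0.0.0.0", target_ip):
            findings.append(f"{listen}: bound to {host}, NAT delivers to {target_ip}")
    return findings


# Constructed sample matching the thread's placeholders (1.1.1.1 public,
# 2.2.2.2 private): public 443/80 forwarded to private 9090/9091.
NAT_RULES = {("1.1.1.1", 443): ("2.2.2.2", 9090),
             ("1.1.1.1", 80): ("2.2.2.2", 9091)}
SAMPLE_TORRC = """Address 1.1.1.1
ORPort 443
ORListenAddress 2.2.2.2:9090
DirPort 80
DirListenAddress 2.2.2.2:9091
"""
```

Running `check_relay(SAMPLE_TORRC, NAT_RULES, "1.1.1.1")` returns an empty list; a DirListenAddress on an IP the NAT rule does not deliver to, or a missing rule for port 80, shows up as a finding.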

Tor browsing setups and practices [Was: Re: Quick question about TOR and use of SSL]

2008-05-18 Thread F. Fox

Chris Burge wrote:
> All of that said, what kind of
> setup do you use and how does it provide you extra anonymity/security
> versus others?  On most sites, you just can't get by without some sort
> of use of cookies.  Of course, this too limits your ability towards
> privacy so I'm trying to create a best practice scenario for myself on a
> site-by-site basis.
(much snippage)

My setup is Firefox 2.x, with the development-branch Torbutton (which
provides a LOT of extra control), NoScript (I pretty much cleared the
whitelist it comes with, and enabled every possible block), and CookieSafe.

I find CookieSafe to be handy, because you can block all cookies by
default, and allow them on a site-by-site basis. It also can be set to
make all cookies last only for one session - which, of course, I do.

(To not do so opens you to a slip-up where you connect without Tor with
a "dirty" cookie, or a type of intersection attack involving persistent
cookies which I've only heard rumors about.)

Generally, there are three rules I follow, if I want to log into a site
using Tor:

1.) The account was made on Tor, for anonymous usage, and will only ever
be handled through Tor. You never want to log into a site with
identifying info with Tor (as it opens you up to a stream correlation
attack at the exit) - plus, it just kind of defeats the point. =;o)

2.) Any account I use through Tor is considered expendable, since on
sites without SSL, it's definitely possible for an exit to sniff the
login and take it over (this also stresses the importance of the first
rule).

3.) If a site or service offers it, I use the SSL version, since it
greatly increases resistance to things like stream correlation and the
lifting of credentials.

--
F. Fox
AAS, CompTIA A+/Network+/Security+
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com


Re: USAF wants to violate federal criminal law

2008-05-18 Thread Scott Bennett
 On Sun, 18 May 2008 16:25:58 +0200 Andrew <[EMAIL PROTECTED]> wrote:
>Scott Bennett wrote:
>>  For those who are interested in seeing how little difference in principle
>> there is between the U.S. government of today and that of Stalin's U.S.S.R. of
>> yesterday, check out the article at
>>
>>  http://blog.wired.com/defense/2008/05/air-force-mater.html
>>
>> which discusses the Air Force's desire to be able to take over any and every
>> computer on the net, regardless of where those computers may be.  They want
>> not only to be able to take control of those computers, but also to be able
>> to install undetectable spyware.
>>   
>Sure, I want to take over every computer on the net too...
>And by the way, so does the German Federal Police (BKA). Doesn't mean 
>they can.
>Luckily there's always an antivirus-company outside of these countries' 
>jurisdiction so any "Federal Spyware" would still be detected as exactly 
>that: Spyware. No German, or U.S., law will stop Kaspersky from treating 
>that thing as what it is. On the contrary, it's a good sales argument 
>for Kaspersky ;)

 Yes, yes, of course.  Although there does seem to be a fairly steady
flow of things that go undetected by all the major security packages for
Windows for quite some time before they get noticed and dealt with.  It's
worth noting that the BSD users and even LINUX users don't have Windows
users' problem of always having to watch where they step to avoid falling
through security holes.  In fact, pretty much any other operating system
seems to be orders of magnitude safer than Windows, so that isn't what
worries me.
>
>I don't really think this is a threat to the average user or even 
>criminal. If they were really going to use a Federal Virus of some sort, 
>it would have to be custom-developed for each and every target so it 
>won't be detected easily. And no government can afford to employ 
>something that expensive on a larger scale.
>At least I hope so.
>
 Do we know for certain that the feds haven't worked some deal with
the chip manufacturers?  (I think it's only reasonable to operate on the
assumption that Microslop may well have made a deal with them.  What I
want to know is whether uglier approaches will be used to violate federal
statute that might affect better operating systems.)  What can they have
built into things like keyboards, motherboard chip sets, even DIMMs and
other memory cards, that might escape notice indefinitely?  Are there
other potential methods?


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**


Re: Traffic on a node

2008-05-18 Thread Jonathan Addington
The easiest way to check for Tor traffic is to see if there are connections
on ports 9001 (default entry port), 9030 (default directory port) or
whatever other ports you have chosen besides the defaults. Running "netstat"
from the command prompt (start->run->cmd ; at the prompt netstat) will show
all open connections.

There are other options if you need/want more specific information.
Personally, I configured my router for QoS scheduling but it also reports
outgoing bandwidth and number of connections by the class of traffic (e.g.,
Tor, ssh, www, and whatever else I have configured).

-madjon

On Sat, May 17, 2008 at 1:59 PM, <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I have setup a middle node on my PC (Win XP). The Vidalia log says all is
> ok, but the node is not listed yet in the list on Vidalia.
>
> Moreover, how can I see which traffic there is on my node? Or at least IF
> there is any traffic?!
>
> Thank you
>



-- 
[EMAIL PROTECTED]


Re: USAF wants to violate federal criminal law

2008-05-18 Thread Andrew

Scott Bennett wrote:

 For those who are interested in seeing how little difference in principle
there is between the U.S. government of today and that of Stalin's U.S.S.R. of
yesterday, check out the article at

http://blog.wired.com/defense/2008/05/air-force-mater.html

which discusses the Air Force's desire to be able to take over any and every
computer on the net, regardless of where those computers may be.  They want
not only to be able to take control of those computers, but also to be able
to install undetectable spyware.
  

Sure, I want to take over every computer on the net too...
And by the way, so does the German Federal Police (BKA). Doesn't mean 
they can.
Luckily there's always an antivirus-company outside of these countries' 
jurisdiction so any "Federal Spyware" would still be detected as exactly 
that: Spyware. No German, or U.S., law will stop Kaspersky from treating 
that thing as what it is. On the contrary, it's a good sales argument 
for Kaspersky ;)


I don't really think this is a threat to the average user or even 
criminal. If they were really going to use a Federal Virus of some sort, 
it would have to be custom-developed for each and every target so it 
won't be detected easily. And no government can afford to employ 
something that expensive on a larger scale.

At least I hope so.

Andrew


USAF wants to violate federal criminal law

2008-05-18 Thread Scott Bennett
 For those who are interested in seeing how little difference in principle
there is between the U.S. government of today and that of Stalin's U.S.S.R. of
yesterday, check out the article at

http://blog.wired.com/defense/2008/05/air-force-mater.html

which discusses the Air Force's desire to be able to take over any and every
computer on the net, regardless of where those computers may be.  They want
not only to be able to take control of those computers, but also to be able
to install undetectable spyware.

  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**