Re: tor removed from ubuntu jaunty
On Apr 19, 2009, at 5:28 PM, Roger Dingledine wrote: Ubuntu hardy and intrepid are still shipping known-remote-vulnerable versions of Tor. The version they have in Intrepid is even known-remote-root-vulnerable. And they still haven't gotten around to fixing it. Ubuntu has this strange way of maintaining the packages in hardy and intrepid. It seems like you have to request a backport if you want a new version of package foo. You then have to build this package on the distro you wish to backport it to, test it and then include the results in the bug report. Loop this for every new release of package foo. No one had requested a backport to hardy and intrepid _with_ the documentation necessary. I know that it was pointed out that the tor project does have packages ready for both hardy and intrepid, but it seemed like the developers wanted someone to officially build, install and test the packages, as well as test for regressions etc. Also, Martin Pitt said that he would sponsor the packages for hardy and intrepid soon, and care about the rest. It seems like things are moving forward, slowly. Those interested can follow the bug report in Launchpad: https://bugs.launchpad.net/ubuntu/+source/tor/+bug/328442 - Runa
Information at exit node.
Hiya Still kinda new to Tor, so my questions is, what information can exactly be gathered by an exit node? If someone can help me understand, if would be appreciated. Kind Regards Brent Clark
Re: Information at exit node.
On Tue, 21 Apr 2009 09:30:08 +0200 Brent Clark brentgclarkl...@gmail.com wrote: Still kinda new to Tor, so my questions is, what information can exactly be gathered by an exit node? If someone can help me understand, if would be appreciated. For starters, the exit node has to have the IP address and port number to which the stream wants a connection. After that, the exit node sees all data passing in either direction as part of the stream. If those data happen to be unencrypted, then anything embedded in the data can be collected. This latter is why the various recommended tor-related plug-ins for browsers have been made available. Each one performs many tasks, including attempts to disable anything embedded in HTML, JavaScript, Java, etc. from being able to report originating IP address information or other identifying inforemation anywhere. Please see, for example, the following warning. https://www.torproject.org/download.html.en#Warning See also the tor FAQ article, especially section 6, at https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army. * *-- Gov. John Hancock, New York Journal, 28 January 1790 * **
Re: Information at exit node.
Information available on exit node: * Somebody is trying to communicate to some IP address * Exit node knows identity of previous relay * Exit node knows amount of transfered data * In case of unsecured protocol (HTTP, FTP, Telnet) have exits full access to transfered data and bad exits are able to modify this content. Interesting paper on this topic: http://www.fortconsult.net/images/pdf/Practical_Onion_Hacking.pdf Marek 2009/4/21 Brent Clark brentgclarkl...@gmail.com: Hiya Still kinda new to Tor, so my questions is, what information can exactly be gathered by an exit node? If someone can help me understand, if would be appreciated. Kind Regards Brent Clark
Re: Google Summer of Code 2009
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 04/21/2009 12:42 AM, Stephen Tyree wrote: I want to start by saying thank you. It is an honor to be selected for Google Summer of Code on the Tor Project. Glad to have you with us! :) And thank you for starting the introductions on this list. It would be neat if the other GSoC students did the same. A paragraph or two about you and your projects would be nice. Just go ahead, it's the community bonding period [0]. Community meet $student, $student meet community! Thanks! - --Karsten [0] http://googlesummerofcode.blogspot.com/2007/04/so-what-is-this-community-bonding-all.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAknts0wACgkQ0M+WPffBEmXGlACfeyq2+h1+c7iW6QChbBYeG5WK fAkAoNsKbyyhfLvOz89O2U5W12dyNFkv =35Jj -END PGP SIGNATURE-
Re: Information at exit node.
Hi Brent, At the very least the src ip (although this would be another tor server), src port, dst ip, dst port, protocol (tcp), timestamp. If the traffic is unencrypted (i.e. you browse to www.google.com) then you can also add application protocol (i.e. HTTP) and payload (i.e. GET / HTTP/1.1 Host: www.google.com) HTH, Harry Brent Clark wrote: Hiya Still kinda new to Tor, so my questions is, what information can exactly be gathered by an exit node? If someone can help me understand, if would be appreciated. Kind Regards Brent Clark
PurpleOnion: HS Address Generator (+ Managed Router Impl?)
Hello all, I wanted to let the Tor community know about a little side project of mine, a .onion address generator. Basically, all that it does is generate RSA key-pairs, determine the associated onion address (as for a hidden service) and attempts to match it to a provided regular expression. If there is a match, the program exports the key to a directory in a ready-made format for use as a hidden service directory. If there is not a match, the entropy doesn't have to be wasted; the generated keys can be logged to a file (933 bytes per onion). This file can then be read back in by the program to test against other regular expressions. The program is also setup to take advantage of multi-core machines for the creation of RSA keys, though a there is a synchronous bottleneck that I'm looking at removing in the near future to get a much better speedup. Also, as I'll note later, this implementation is on top of Mono. Thus, implementations with managed crypto stacks are slower than those with native crypto stacks (.NET on Windows). There are no shortcuts taken here in the address generation; if there were any, then the security of hidden services in general would be suspect. Only pure brute-force is used. Hence its utility is limited, but if you wanted a hidden service that had, say wiki in the onion address, this would help you get there (eventually). It does have another application; if your entropy sink is just too darn random, the onion generator will help you burn that excess digital entropy into heat energy. The onion generator is one part (and currently the only part) of a greater project I'm calling PurpleOnion, short for Purple Onion Router, mainly as I'm partial to the color. I started off by writing the onion generator and found that I'd written a couple of reusable components that, with some work, could be used in a greater exercise to write another implementation of the Tor Onion Router. PurpleOnion is written on the Mono framework in C# using MonoDevelop, requires Mono 2.0 to compile, and is licensed under the MIT/X11 license. I've also tested the compiled binary copied into a Windows environment (with Mono.Security available). The program runs great on Windows, and I added some exception handling to allow the compiled binary to JIT properly even without OS Posix support. The project is being hosted on github at: http://github.com/neoeinstein/purpleonion The repository is still a little bit dirty as I work on figuring out namespacing, so the Makefile is out of service. You can compile using MonoDevelop, but if you have gmcs, the following command in the repository root should get you a properly built generator: # gmcs -t:exe -o:build/Por.OnionGenerator.exe \ -r:System -r:System.Core -r:Mono.Security \ -r:Mono.Posix src/Por.OnionGenerator/*.cs # mono Por.OnionGenerator.exe --help I'd love to hear comments, both on the .onion address generator in specific and the possibility of a compliant onion router on a managed runtime, -- Marcus Griep —— Ακακια את.ψο´, 3° (Excuse the double post if it occurred; I first sent this from an un-subscribed address)
