General question about exit policies...

2009-06-30 Thread Michael


   Hi all,

   One thing I do not see is support for an exit policy such as:

   accept *.yahoo.com:80
   accept *.google.com:80

   Is this type of statement supported but undocumented, and what would 
people think of having that ability?


   From my standpoint, it would certainly make running an exit easier 
for me to handle from an abuse management standpoint. In this way server 
admins who might have servers in unfriendly environments could perhaps 
allow exits to hard to abuse locations that are high traffic sites. Thus 
increasing bandwidth overall.


   And while I know I can dig up the addresses myself with some degree 
of accuracy and provide exit in that manner, it would allow admins to 
ensure that the port that was opened, was actually being used for the 
protocol for which it was intended, by only allowing exit to an intended 
target.


   This isn't a judgment about the people using Tor, but rather a tool 
that admins can use to provide bandwidth in a less risky manner.


   Thoughts or comments?

   Michael


Re: FYI: router BillyGoat is offline

2009-06-30 Thread Kyle Williams
On Tue, Jun 30, 2009 at 6:37 PM, Michael  wrote:

> Kyle Williams wrote:
>
>> reject 0.0.0.0/8:* 
>> reject 169.254.0.0/16:* 
>> reject 127.0.0.0/8:* 
>> reject 192.168.0.0/16:* 
>> reject 10.0.0.0/8:* 
>> reject 172.16.0.0/12:* 
>> reject 66.109.20.52:*
>> accept *:80
>> accept *:443
>> accept *:43
>> reject *:*
>>
>
>   Kyle,
>
>   One more question if you would indulge my curiosity. What service was the
> course of the "spam"?
>
>   Michael
>

Here's the whole thing.  Don't follow the links in this e-mail, it's not
worth your time.


--
*From:* WebMaster AFBNetwork [mailto:webmas...@afbnetwork.com]
*Sent:* Tuesday, June 30, 2009 10:24 AM
*To:* ab...@frienster.com; h...@friendster.com; eve...@friendster.com
*Cc:* ab...@1and1.fr; ab...@gmail.com; ab...@galaxyvisions.com
*Subject:* Complaint about spammers
*Importance:* High

*From :* webmas...@afbnetwork.com
*To :* ab...@friendster.com & h...@friendster.com & eve...@friendster.com
*Copy To :* ab...@1an1.fr & ab...@gmail.com & ab...@galaxyvisions.com

*Dear Madam, Dear Sir,*

I am the webmaster of www.afbnetwork.com. My name is Alain Bippus and I also
own the said site hosted by 1and1.fr
Due to harassment and spam from some of your members, I would like you to
register your following members as "intensive spammers",
both by e-mail and by registering news in our web site:

http://profiles.friendster.com/109627291 - NAKED CELEBRITIES
http://profiles.friendster.com/109628091 - CELEBRITY SEX
http://profiles.friendster.com/109629116 - CELEBRITY SEX TAPES
http://profiles.friendster.com/109629302 - CELEBRITY FAKE FREE GALLERY
http://profiles.friendster.com/109629590 - CELEBRITIES EXPOSED

These members of yours are spamming mainly through email address
triarm...@gmail.com
with "erydranient" as Pseudo. (most probably forger email address).
Their spam actually originate from *IP address : 66.109.20.52*
This IP address is owned by Galaxyvisions Inc - Domain Name : efnet.net -
Registrar : Godaddy.com Inc.
All this spamming is of pornographic type, which is not accepted by us as it
is clearly written in the public rules of our site.

*COPY OF LOGS :*

*1)- Last Access to web site :*

*66.109.20.52 - - [30/Jun/2009:12:48:03 +0200]* "GET /poster.php HTTP/1.0"
200 15290 afbnetwork.fr "http://afbnetwork.fr/poster.php"; "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC" "-"
*66.109.20.52 - - [30/Jun/2009:12:48:12 +0200]* "POST /poster.php HTTP/1.0"
200 15481 afbnetwork.fr "http://afbnetwork.fr/poster.php"; "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC" "-"
*2)- Last Spamming mail :*

*2009-06-30 12:48:12* u39437102 4AgGp3-1MLasm18N1-0001py |< *
REMOTE=66.109.20.52* SCRIPT=/afbnetworkcom/poster.php -- /usr/sbin/sendmail
-t -i
*2009-06-30 12:48:12* u39437102 4AgGp3-1MLasm18N1-0001py <=
s=cgi-mailer-bounces-148125...@kundenserver.de SZ=2108 D=0 SID=148125414
*2009-06-30 12:48:12* u39437102 4AgGp3-1MLasm18N1-0001py =>
webmas...@afbnetwork.com msmtp.kundenserver.de[172.19.35.7] 250 Message
0MKv1o-1MLasm1cJb-000cNe accepted bymreu1.kundenserver.de

Please note that the .php page of our news service is protected by program
against news messages containing the word "frienster" in insensitive case,
but despite this, those news messages still succeed to reach in our base. It
means that the spammers must be using some robot or program in order to
short-circuit the web site control.

So, we would like you to investigate the matter and take appropriate action.

Thanks in advance.
I am at your disposal at Phone: 0033 (4) 67.23.83.70
Yours faithfully,
Alain Bippus,
webmas...@afbnetwork.com
--

That's all they had to say.  I have not heard back in regards to my reply.

- Kyle


Re: Firefox video tag

2009-06-30 Thread Gregory Maxwell
On Tue, Jun 30, 2009 at 6:02 PM, Erilenz wrote:
> Hi,
>
> Firefox 3.5 was released today. Has anyone investigated the new video tag that
> it supports with regards to whether or not it can cause leaks with Tor?

 and  should have exactly the same attack surface as  has.

That's one of the benefits that firefox's approach of building the
codecs internally rather than invoking an external media framework
(like safari does) should have.

I've been hoping very much that tor would not ultimately need to filter these…


Re: FYI: router BillyGoat is offline

2009-06-30 Thread Kyle Williams
On Tue, Jun 30, 2009 at 6:47 PM, Michael  wrote:

> Michael wrote:
>
>> Kyle Williams wrote:
>>
>>> reject 0.0.0.0/8:* 
>>> reject 169.254.0.0/16:* 
>>> reject 127.0.0.0/8:* 
>>> reject 192.168.0.0/16:* 
>>> reject 10.0.0.0/8:* 
>>> reject 172.16.0.0/12:* 
>>> reject 66.109.20.52:*
>>> accept *:80
>>> accept *:443
>>> accept *:43
>>> reject *:*
>>>
>>
>>   Kyle,
>>
>>   One more question if you would indulge my curiosity. What service was
>> the course of the "spam"?
>>
>>   Michael
>>
>
>   I'm replying to my own post because my comment makes me look like a
> moron.
>
>   I was wondering if the complaint was about abuse of whois servers or web
> based services.
>
>   Michael
>


Web based services.
I see you caught what I was looking into.  From what I was able to tell, the
large amount of requests to whois servers were just that, lookups on a whois
server.  Yet, they take up a very small portion of the overall network
traffic that moved through my node.

I would have to say that blocking whois servers through Tor wouldn't help
the speed of the overall network.  I'll have more stats on this later.


- Kyle


Re: FYI: router BillyGoat is offline

2009-06-30 Thread Michael

Michael wrote:

> Kyle Williams wrote:
>
>> reject 0.0.0.0/8:*
>> reject 169.254.0.0/16:*
>> reject 127.0.0.0/8:*
>> reject 192.168.0.0/16:*
>> reject 10.0.0.0/8:*
>> reject 172.16.0.0/12:*
>> reject 66.109.20.52:*
>> accept *:80
>> accept *:443
>> accept *:43
>> reject *:*
>
>   Kyle,
>
>   One more question if you would indulge my curiosity. What service
> was the course of the "spam"?
>
>   Michael


   I'm replying to my own post because my comment makes me look like a 
moron.


   I was wondering if the complaint was about abuse of whois servers or 
web based services.


   Michael


Re: FYI: router BillyGoat is offline

2009-06-30 Thread Michael

Kyle Williams wrote:

> reject 0.0.0.0/8:*
> reject 169.254.0.0/16:*
> reject 127.0.0.0/8:*
> reject 192.168.0.0/16:*
> reject 10.0.0.0/8:*
> reject 172.16.0.0/12:*
> reject 66.109.20.52:*
> accept *:80
> accept *:443
> accept *:43
> reject *:*


   Kyle,

   One more question if you would indulge my curiosity. What service 
was the course of the "spam"?


   Michael


Re: FYI: router BillyGoat is offline

2009-06-30 Thread Kyle Williams
On Tue, Jun 30, 2009 at 6:21 PM, Michael  wrote:

> Kyle Williams wrote:
>
>> So some ass thought it would be great to spam from my node, because today
>> I got a complaint about abuse.
>>
>>
>> The node "BillyGoat" (FP: 12b9b187422b2a7752f861aa0b86e4d99fa88dc0) has
>> been taken offline because of this.  I'm not going to argue with my hosting
>> company as they support my websites, and I like having them.  I gave them
>> the informational lecture about Tor and how it helps people, but they only
>> care about the abuse.  Further more, the people on the other end of the
>> phone don't seem like the sharpest tool in the shed.  This is the second
>> time this has happened within a week of firing up a Tor server, and now I
>> remember why I do not like running a exit node.
>>
>> Consider this just a FYI, router BillyGoat is down and will not be back
>> online.
>>
>>
>> Best regards,
>>
>> Kyle
>>
>
>   Kyle,
>
>   Just from an informational standpoint, what were your exit policies?
>
>   Michael
>

reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 66.109.20.52:*
accept *:80
accept *:443
accept *:43
reject *:*
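
Added example, not part of Kyle's message and not Tor's own code: a minimal IPv4-only evaluator for the policy above, assuming Tor's first-match-wins rule ordering. The function names are this example's own, and the probe addresses in 203.0.113.0/24 are constructed documentation addresses.

```python
import ipaddress

# Exit policy copied from the message above; rules are tried top to bottom.
BILLYGOAT_POLICY = """\
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 66.109.20.52:*
accept *:80
accept *:443
accept *:43
reject *:*
"""

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line):
    """Parse 'accept|reject ADDR[/MASK]:PORT' into (action, network, (lo, hi)).

    Raises ValueError for anything that is not an IPv4 address pattern,
    which includes hostname patterns such as '*.yahoo.com:80'.
    """
    action, pattern = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action: {action!r}")
    addr, sep, port = pattern.rpartition(":")
    if not sep:
        raise ValueError(f"missing ':PORT' in {pattern!r}")
    net = ANY_V4 if addr == "*" else ipaddress.IPv4Network(addr)
    if port == "*":
        ports = (1, 65535)
    else:
        lo, _, hi = port.partition("-")  # single port or LO-HI range
        ports = (int(lo), int(hi or lo))
    return action, net, ports


def is_valid_rule(line):
    """True if the line parses as an address-based rule."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def load_policy(text):
    """Return [(original line, parsed rule), ...] in file order."""
    return [(l.strip(), parse_rule(l)) for l in text.splitlines() if l.strip()]


def decide(rules, ip, port):
    """Return (action, matching line) for the first rule that matches."""
    target = ipaddress.IPv4Address(ip)
    for line, (action, net, (lo, hi)) in rules:
        if target in net and lo <= port <= hi:
            return action, line
    # No rule matched: this example rejects (an assumption of the example;
    # the policy above always ends in 'reject *:*', so this is not reached).
    return "reject", None


if __name__ == "__main__":
    rules = load_policy(BILLYGOAT_POLICY)
    probes = [
        ("203.0.113.10", 80),    # constructed public web server
        ("203.0.113.10", 25),    # SMTP to the same host
        ("192.168.1.1", 80),     # RFC 1918 address
        ("172.31.255.255", 443), # last address inside 172.16.0.0/12
        ("172.32.0.1", 443),     # first /16 outside 172.16.0.0/12
        ("66.109.20.52", 80),    # the single address the policy rejects
    ]
    for ip, port in probes:
        action, line = decide(rules, ip, port)
        print(f"{ip}:{port:<5} {action:<6} via '{line}'")

    # Order matters: the same rules with 'accept *:80' moved to the top
    # let port 80 through to the private ranges the policy meant to block.
    misordered = load_policy("accept *:80\n" + BILLYGOAT_POLICY)
    print("misordered:", decide(misordered, "192.168.1.1", 80))

    # Patterns are addresses, not names, so this rule does not parse.
    print("hostname rule valid:", is_valid_rule("accept *.yahoo.com:80"))
```

Apart from the rejected ranges, the policy accepts every destination on ports 80, 443 and 43, so web-form traffic like the POST in the forwarded complaint is traffic it allows.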


Re: FYI: router BillyGoat is offline

2009-06-30 Thread Michael

Kyle Williams wrote:

> So some ass thought it would be great to spam from my node, because
> today I got a complaint about abuse.
>
> The node "BillyGoat" (FP: 12b9b187422b2a7752f861aa0b86e4d99fa88dc0)
> has been taken offline because of this.  I'm not going to argue with
> my hosting company as they support my websites, and I like having
> them.  I gave them the informational lecture about Tor and how it
> helps people, but they only care about the abuse.  Further more, the
> people on the other end of the phone don't seem like the sharpest tool
> in the shed.  This is the second time this has happened within a week
> of firing up a Tor server, and now I remember why I do not like
> running a exit node.
>
> Consider this just a FYI, router BillyGoat is down and will not be
> back online.
>
> Best regards,
>
> Kyle


   Kyle,

   Just from an informational standpoint, what were your exit policies?

   Michael


Re: FYI: router BillyGoat is offline

2009-06-30 Thread John Brooks
Unfortunately some ISPs just aren't willing to deal with the issues;
that's how it works. You could always run a non-exit relay if you wish
to, since they'll pretty much never have abuse complaints
(theoretically, you could receive complaints related to an end user
connecting to you, but that's quite unlikely). It's basically
impossible to run an exit node with an ISP that doesn't understand tor
or isn't willing to stand up for you in the instance of abuse
complaints; i've got an informal relationship with mine where all
abuse complaints are forwarded (as per their policy) and I reply to
them and the original sender with a template letter about Tor. I've
never had anything go beyond the first mailing, and never a complaint
from the ISP.

Anyway, rambling aside, if you wish to keep contributing, consider a
non-exit node (ExitPolicy reject *:*); other than the bandwidth, your
ISP would have no reason to complain about that.

  - John Brooks

On Tue, Jun 30, 2009 at 7:09 PM, Kyle Williams wrote:
> So some ass thought it would be great to spam from my node, because today I
> got a complaint about abuse.
>
> The node "BillyGoat" (FP: 12b9b187422b2a7752f861aa0b86e4d99fa88dc0) has been
> taken offline because of this.  I'm not going to argue with my hosting
> company as they support my websites, and I like having them.  I gave them
> the informational lecture about Tor and how it helps people, but they only
> care about the abuse.  Further more, the people on the other end of the
> phone don't seem like the sharpest tool in the shed.  This is the second
> time this has happened within a week of firing up a Tor server, and now I
> remember why I do not like running a exit node.
> Consider this just a FYI, router BillyGoat is down and will not be back
> online.
>
> Best regards,
> Kyle


FYI: router BillyGoat is offline

2009-06-30 Thread Kyle Williams
So some ass thought it would be great to spam from my node, because today I
got a complaint about abuse.


The node "BillyGoat" (FP: 12b9b187422b2a7752f861aa0b86e4d99fa88dc0) has been
taken offline because of this.  I'm not going to argue with my hosting
company as they support my websites, and I like having them.  I gave them
the informational lecture about Tor and how it helps people, but they only
care about the abuse.  Further more, the people on the other end of the
phone don't seem like the sharpest tool in the shed.  This is the second
time this has happened within a week of firing up a Tor server, and now I
remember why I do not like running a exit node.

Consider this just a FYI, router BillyGoat is down and will not be back
online.


Best regards,

Kyle


Re: Obfuscated URLs?

2009-06-30 Thread Freemor
On Tue, 30 Jun 2009 13:34:45 -0700 (PDT)
Martin Fick  wrote:


> In my scenario, the point of hard coding the path is to 
> obfuscate the final URL, how could this be done 
> differently?  In this scenario, it requires all 3 nodes 
> to decrypt the final URL, one node by itself cannot, 
> this should provide the same protection that you get
> today by surfing with tor, should it not?

It should. But hidden services provide this functionality already. I do
understand the potential difficulties in setting up a hidden service.
But I think it would be easier to automate this aspect of Tor than to
write a new protocol. (some more thoughts on this below)


 
> I don't see why this is more open to abuse than the
> general tor network, could you explain your reasoning?

Agreed.. I'm a security minded IT guy and since drive-by-downloads are
the top vector for computer infection any time I hear "obfuscated URL"
and "Untraceable" in the same paragraph there is a knee jerk reaction to
see the security implications.

> 
> As for use cases, I envision that as a simple whistle 
> blower or reporter, I would post my content on various 
[snip]

OK I now have a clearer idea of what you are wanting to do:
 
1). Simple anonymous publishing
2). Remove the single point of failure that a hidden service may
represent
3). Plausible deniability by not having the information hosting tied
to you.

I think that this could be solved in a couple of different ways.

1). Someone sets up a hidden service that automatically re-directs to
the content hosted on non-Hidden sites the URL would probably end up
looking like:

http://blahblahblah.onion?3gYzX2(url_part)&egrtyebefrs(hashed password
part)

one could argue that there is still a single point of failure but if
it was popular enough I'm sure it could be hidden mirrored.

2.) GnuNet may be much better suited to what you are looking to do. It
already has a lot of these features (see http://gnunet.org ) Once you
inserted the information into GnuNet you could share the hash for it in
as many open sites as you wanted. As for making the content password
protected GnuPG would work wonders for this (prior to insertion of
course) 

Regards,
Freemor
  

-- 
free...@gmail.com
free...@yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )




Re: Obfuscated URLs?

2009-06-30 Thread Edward Langenback

Max wrote:
> already in here:
> http://offsystem.sf.net 

I've had a look at OFF system and I think I'd rather stick with Freenet
for such purposes.


> On Tue, Jun 30, 2009 at 8:47 PM, Martin Fick  > wrote:
> 
> 
> Obfuscated URL Paths?
> 
> Would it be possible to create a URL or some longer string that
> describes a hidden path through the tor network to a specific
> hidden URL and to implement a routing mechanism to access
> documents (files) using this "Obfuscated URL"?
> 
> I am fully aware of hidden services, and I am suggesting something
> that I think is quite different.  I am suggesting a way to point
> someone to a file on the normal non-hidden internet without
> telling them where I am pointing to!
> 
> I envision an onion encrypted URL along with the exact path through
> tor (the three hops) also onion encrypted.  This would be similar
> to the way a client normally wraps requests through tor, but the
> wrapping would happen up front and then the wrapper would become
> the "Obfuscated URL" which could be handed off to someone else
> obfuscating both the path through tor and the final destination to
> the person receiving the "Obfuscated URL".
> 
> Obviously, this would not allow a user to chose their own route
> through tor to maintain anonymity according to their standards,
> so allowing them to route through 3 original nodes before using
> the obfuscated URL inside the tor network might be necessary.
> This I believe should be similar to the way accessing hidden
> services works (3 hops in, 3 hops out).
> 
> The hard part is that it seems like it would also be necessary
> to layer a document fetching mechanism ontop of tor instead of
> simply wrapping TCP to make this effective though?  If not,
> obfuscating the URL from the fetcher is likely to be useless since
> end point servers are likely to divulge their locations via most
> protocols (headers...).  Would there be an easier way, to avoid
> this disclosure than creating a new fetching protocol?  Perhaps,
> by adding a built-in simple obfuscating proxying mechanism such
> as polipo on the exit side?
> 
> The intent of the Obfuscated URL would not necessarily be to
> maintain long term obfuscation of the URL (could it?), but at
> least to be the basis of a mechanism that would allow users to
> publish hard to censor anonymous content without a hidden service.
> Perhaps the user changes the hidden location every now and then
> in case the real URL is eventually disclosed, but it the
> obfuscation mechanism works for a long enough time, in some case,
> this might be a lot easier and safer than using a hidden service
> (easier to change the location, ability to use free web space
> anonymously...).  Of course, I neglected to mention how the
> user would publish their obfuscated URLs in the first place,
> but that problem exists with onion URLs also?
> 
> Any thoughts?  Crazy, useless, impossible...
> 
> Cheers,
> 
> -Martin
> 
> 
> 
> 
> 


- --
The best way to get past my spam filter is to sign or encrypt
your email to me.
My PGP KeyId: 0x84D46604
http://blogdoofus.com
http://tinfoilchef.com
http://www.domaincarryout.com
Un-official Freenet 0.5 alternative download
http://peculiarplace.com/freenet/
Mixminion Message Sender, Windows GUI Frontend for Mixminion
http://peculiarplace.com/mixminion-message-sender/


Re: Suggested IT Text... Edit or destroy as fitting.

2009-06-30 Thread Michael

Bill Weiss wrote:

Michael(co...@cozziconsulting.com)@Fri, Jun 26, 2009 at 11:44:03AM -0400:
  


Similar to all of these:

 * To troubleshoot connectivity problems from the outside of their network
   (i.e. to see what parts of the internet can or can't see their site).
  


   Hi Bill,

   I like it.

   By using "ExitNodes" and "StrictExitNodes" you could specify which 
exit relay you would use for testing.


   Excellent- I hadn't thought of that.

   Michael


Firefox video tag

2009-06-30 Thread Erilenz
Hi,

Firefox 3.5 was released today. Has anyone investigated the new video tag that
it supports with regards to whether or not it can cause leaks with Tor?

-- 
Erilenz


Tor Installation fails on Mac

2009-06-30 Thread Beirne Konarski
It has been a while since I have run Tor and wanted to get current and  
configure a server.  I pulled down the installation bundles, both
2.0.35-0.1.14-universal and 2.1.16-rc-0.1.14-universal.  I'm trying to
do the installation on my Intel Mac running OS X 10.5.7 and Firefox
3.5.  When I run the installation bundle it gets partway through and  
then I get the failure message: "Install Failed.  The following  
install step failed: run postflight script for Tor."  If I look at the  
console I see this:


6/30/09 4:05:20 PM runner[44595] postflight[44638]: /Applications/Firefox.app/Contents/MacOS/firefox-bin: /Applications/Firefox.app/Contents/MacOS/firefox-bin: cannot execute [Exec format error]
6/30/09 4:05:20 PM runner[44595] postflight[44638]:
6/30/09 4:05:20 PM Installer[44592] Install failed: The following install step failed: run postflight script for Tor. Contact the software manufacturer for assistance.
6/30/09 4:05:20 PM Installer[44592] IFDInstallController 8619D0 state = 7
6/30/09 4:05:20 PM Installer[44592] Displaying 'Install Failed' UI.
6/30/09 4:05:20 PM Installer[44592] 'Install Failed' UI displayed message:'The following install step failed: run postflight script for Tor. Contact the software manufacturer for assistance.'.


I can run firefox-bin from the command line copying and pasting the  
path.  I made sure Firefox wasn't already running.  I also tried a  
custom install with the Torbutton turned off but still got the error.   
Any ideas?





Re: Obfuscated URLs?

2009-06-30 Thread Martin Fick

--- On Tue, 6/30/09, Max  wrote:

> already in here:
> http://offsystem.sf.net


I don't think that system is like what I am suggesting.  
I will have to read more (it does sound cool), but it 
sounds a lot more like freenet.  

I am not just talking about a system to create 
distributed storage (although it would be nice to be 
able to do so with what I am suggesting), but a
mechanism to hide stuff on the normal internet.  

Maybe I just want to send you a URL to an article
but don't want you to know where that article is
hosted so as to not bias you towards its content!


Lastly, just because some other projects achieve 
similar objectives to what tor achieves does not 
mean that tor is useless.  I suspect many of 
these systems will eventually achieve similar 
results coming from different angles.  I see that 
as a good thing, not a bad thing, especially 
since it is hard to know what is the best 
implementation beforehand.  I hardly think that
anyone would complain if tor could magically
replace all those other systems without
compromising its stated objectives, do you?
Surely, it would be nice to not have to install 
another system to deal with one slightly 
different use case.


> On Tue, Jun 30, 2009 at 8:47 PM,
> Martin Fick  wrote:
> 
> Obfuscated URL Paths?
> 
> Would it be possible to create a URL or some longer string
> that describes a hidden path through the tor network to a
> specific hidden URL and to implement a routing mechanism 
> to access documents (files) using this "Obfuscated URL"?
...
> -Martin



  


Re: Obfuscated URLs?

2009-06-30 Thread Max
already in here:
http://offsystem.sf.net



On Tue, Jun 30, 2009 at 8:47 PM, Martin Fick  wrote:

>
> Obfuscated URL Paths?
>
> Would it be possible to create a URL or some longer string that
> describes a hidden path through the tor network to a specific
> hidden URL and to implement a routing mechanism to access
> documents (files) using this "Obfuscated URL"?
>
> I am fully aware of hidden services, and I am suggesting something
> that I think is quite different.  I am suggesting a way to point
> someone to a file on the normal non-hidden internet without
> telling them where I am pointing to!
>
> I envision an onion encrypted URL along with the exact path through
> tor (the three hops) also onion encrypted.  This would be similar
> to the way a client normally wraps requests through tor, but the
> wrapping would happen up front and then the wrapper would become
> the "Obfuscated URL" which could be handed off to someone else
> obfuscating both the path through tor and the final destination to
> the person receiving the "Obfuscated URL".
>
> Obviously, this would not allow a user to chose their own route
> through tor to maintain anonymity according to their standards,
> so allowing them to route through 3 original nodes before using
> the obfuscated URL inside the tor network might be necessary.
> This I believe should be similar to the way accessing hidden
> services works (3 hops in, 3 hops out).
>
> The hard part is that it seems like it would also be necessary
> to layer a document fetching mechanism ontop of tor instead of
> simply wrapping TCP to make this effective though?  If not,
> obfuscating the URL from the fetcher is likely to be useless since
> end point servers are likely to divulge their locations via most
> protocols (headers...).  Would there be an easier way, to avoid
> this disclosure than creating a new fetching protocol?  Perhaps,
> by adding a built-in simple obfuscating proxying mechanism such
> as polipo on the exit side?
>
> The intent of the Obfuscated URL would not necessarily be to
> maintain long term obfuscation of the URL (could it?), but at
> least to be the basis of a mechanism that would allow users to
> publish hard to censor anonymous content without a hidden service.
> Perhaps the user changes the hidden location every now and then
> in case the real URL is eventually disclosed, but it the
> obfuscation mechanism works for a long enough time, in some case,
> this might be a lot easier and safer than using a hidden service
> (easier to change the location, ability to use free web space
> anonymously...).  Of course, I neglected to mention how the
> user would publish their obfuscated URLs in the first place,
> but that problem exists with onion URLs also?
>
> Any thoughts?  Crazy, useless, impossible...
>
> Cheers,
>
> -Martin
>
>
>
>
>


Re: Obfuscated URLs?

2009-06-30 Thread Martin Fick

--- On Tue, 6/30/09, Freemor  wrote:
> > I envision an onion encrypted URL along with the exact
> > path through tor (the three hops) also onion encrypted.  This
> > would be similar  to the way a client normally wraps requests through
> > tor, but the  wrapping would happen up front and then the wrapper
> > would become the "Obfuscated URL" which could be handed off to
> > someone else  obfuscating both the path through tor and the final
> > destination to the person receiving the "Obfuscated URL".  
> > 
> >
> 
> An interesting idea. I see two possible problems with it.
> Firstly I'm not sure storing the route is useful. Due to the nature
> of Tor some relays may not be up all the time so having them hard
> coded in the URL could be a path to failure. Also I am not sure
> there would be any security advantage (other than possibly specifying
> the exit node to keep it in a friendly jurisdiction or something ..
> but this too has its potential problems (see next point).

Yes, I attempt to address the weak link idea in my reply 
to the previous poster, however a suggestion to eliminate 
this weak link is obviously desired.  

In my scenario, the point of hard coding the path is to 
obfuscate the final URL, how could this be done 
differently?  In this scenario, it requires all 3 nodes 
to decrypt the final URL, one node by itself cannot, 
this should provide the same protection that you get
today by surfing with tor, should it not?


> Secondly this idea seems more suited to malicious uses
> (obfuscated URL to exploit site/etc) than to the more
> dissident need for anonymity. (I could be wrong. I 
> welcome some examples to get me thinking in the right
> lines.). 

I don't see why this is more open to abuse than the
general tor network, could you explain your reasoning?

As for use cases, I envision that as a simple whistle 
blower or reporter, I would post my content on various 
free forums in an encrypted file and publish an 
obfuscated URL and password to the content.  This would 
be a lot simpler publishing mechanism, especially with 
helper programs potentially designed for this, or by 
adding the encryption directly to tor (and the 
password to the obfuscated URL) thus eliminating the 
need for the extra password, than setting up and 
maintaining a hidden service, and perhaps safer with 
respects to protecting my own anonymity.


> One of the reasons I say this is that if the
> information is not running on a hidden server 
> then it will most likely be found and shutdown. 
> Since anyone that could use these URLs would need
> to have TOR installed and running I'm having a 
> hard time seeing the advantage to this over a .onion 
> URL. (Again I welcome examples)

Again, as I mentioned to the previous poster, I
could make several URLs to the same content posted
in different places, this completely eliminates
the single point of failure which a hidden service
does not.  Of course, I could setup several hidden
services, but I think that you can see how that
would be much more complex than what I am 
proposing.

Add the extra encryption layer mentioned in my 
previous paragraph and I think that the content 
could be as well, or better protected than 
with a hidden service.


> Just my thoughts

Thanks for the feedback, :)


-Martin






Re: Obfuscated URLs?

2009-06-30 Thread mogulguy

--- On Tue, 6/30/09, Karsten Loesing  wrote:
> 
> On 06/30/2009 08:47 PM, Martin Fick wrote:
> > Would it be possible to create a URL or some longer
> > string that describes a hidden path through the tor 
> > network to a specific hidden URL and to implement a 
> > routing mechanism to access documents (files) using 
> > this "Obfuscated URL"?
> 
> Two thoughts:


Thanks, for the feedback...

> - - What you describe as obfuscated URLs sounds a lot like
> precursor designs of hidden services. For example, encoding 
> a path into the locator works only as long all nodes in 
> that path are functional. Hidden services (and other 
> designs) have directory services to overcome that
> problem. Why make a step backwards?

Yes, it probably is a path that one would take while
designing hidden services.  However, I think that it
is a different fork of the main thought process that
leads to a different (not better, but better for 
some things) use case.

Agreed, a single path encoding is a weak point, but this
may be acceptable in some cases.  Also, other mechanisms
could eventually be built on top of this mechanism to 
replicate a document to several places and provide 
several obfuscated URLs to the same content.  This 
suddenly makes this content much less vulnerable to 
single points of failure than a hidden service, 
hopefully. :)


 
> - - Tor is made for interactive communication, not for
> exchanging single files. 

I agree that it is optimized for this, but I hardly
think that you could make the claim that static content
has no place in tor, could you?  Anti censorship is not
just about dynamic content, visit onion land for plenty
of static content examples.

...not to mention that dynamic systems could potentially
be layered on top of this static mechanism, again 
hopefully. :)


> Even if you don't intend to exchange bulk files, others 
> will do so. Unfortunately, the Tor network does not have 
> the necessary capacity.

Relevance?  How does this enable bulk files transfers
any more than what tor provides today?  I fail to see
the connection, but perhaps I am missing something.


-Martin







Re: Obfuscated URLs?

2009-06-30 Thread Freemor
On Tue, 30 Jun 2009 11:47:33 -0700 (PDT)
Martin Fick  wrote:


> 
> I envision an onion encrypted URL along with the exact path through 
> tor (the three hops) also onion encrypted.  This would be similar 
> to the way a client normally wraps requests through tor, but the 
> wrapping would happen up front and then the wrapper would become 
> the "Obfuscated URL" which could be handed off to someone else 
> obfuscating both the path through tor and the final destination to 
> the person receiving the "Obfuscated URL".  
> 
>

An interesting idea. I see two possible problems with it. Firstly
I'm not sure storing the route is useful. Due to the nature of Tor
some relays may not be up all the time so having them hard coded in
the URL could be a path to failure. Also I am not sure there would
be any security advantage (other than possibly specifying the exit
node to keep it in a friendly jurisdiction or something .. but this
too has its potential problems (see next point)).

Secondly this idea seems more suited to malicious uses (obfuscated URL
to exploit site/etc) than to the more dissident need for anonymity.
(I could be wrong. I welcome some examples to get me thinking in the right
lines.). One of the reasons I say this is that if the information is
not running on a hidden server then it will most likely be found and
shut down. Since anyone that could use these URLs would need to have
TOR installed and running I'm having a hard time seeing the
advantage to this over a .onion URL. (Again I welcome examples)

Just my thoughts
Freemor
   


-- 
free...@gmail.com
free...@yahoo.ca

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )




Re: @Scott Bennett

2009-06-30 Thread Ansgar Wiechers
On 2009-06-30 Scott Bennett wrote:
>>>> On 2009-06-30 Scott Bennett wrote:
>>>>> On Tue, 30 Jun 2009 03:14:29 -0600 Jim McClanahan wrote:
>>>>>> Ah, I see.  It is the duplicate messages from you that were
>>>>>> confusing me.
>>>>>> 
>>>>>> Why duplicate messages?  As somebody else has pointed out recently,
>>>>>> the fact that I can post on or-talk means I am subscribed to
>>>>>> or-talk.
>>>>> 
>>>>> Just standard netiquette for followups to messages posted on mailing
>>>>>> ^^^
> What about it?

Had you taken an actual look at RFC 1855 you wouldn't have to ask.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html


Re: Obfuscated URLs?

2009-06-30 Thread Karsten Loesing

On 06/30/2009 08:47 PM, Martin Fick wrote:
> Would it be possible to create a URL or some longer string that 
> describes a hidden path through the tor network to a specific 
> hidden URL and to implement a routing mechanism to access 
> documents (files) using this "Obfuscated URL"?

Two thoughts:

- What you describe as obfuscated URLs sounds a lot like precursor
designs of hidden services. For example, encoding a path into the
locator works only as long all nodes in that path are functional. Hidden
services (and other designs) have directory services to overcome that
problem. Why make a step backwards?

- Tor is made for interactive communication, not for exchanging single
files. Even if you don't intend to exchange bulk files, others will do
so. Unfortunately, the Tor network does not have the necessary capacity.

Best,
--Karsten



Obfuscated URLs?

2009-06-30 Thread Martin Fick

Obfuscated URL Paths?

Would it be possible to create a URL or some longer string that 
describes a hidden path through the tor network to a specific 
hidden URL and to implement a routing mechanism to access 
documents (files) using this "Obfuscated URL"?

I am fully aware of hidden services, and I am suggesting something 
that I think is quite different.  I am suggesting a way to point 
someone to a file on the normal non-hidden internet without 
telling them where I am pointing to!  

I envision an onion encrypted URL along with the exact path through 
tor (the three hops) also onion encrypted.  This would be similar 
to the way a client normally wraps requests through tor, but the 
wrapping would happen up front and then the wrapper would become 
the "Obfuscated URL" which could be handed off to someone else 
obfuscating both the path through tor and the final destination to 
the person receiving the "Obfuscated URL".  

Obviously, this would not allow a user to choose their own route 
through tor to maintain anonymity according to their standards,
so allowing them to route through 3 original nodes before using 
the obfuscated URL inside the tor network might be necessary.
This I believe should be similar to the way accessing hidden
services works (3 hops in, 3 hops out).

The hard part is that it seems like it would also be necessary
to layer a document fetching mechanism on top of tor instead of 
simply wrapping TCP to make this effective though?  If not,
obfuscating the URL from the fetcher is likely to be useless since 
end point servers are likely to divulge their locations via most 
protocols (headers...).  Would there be an easier way, to avoid 
this disclosure than creating a new fetching protocol?  Perhaps, 
by adding a built-in simple obfuscating proxying mechanism such 
as polipo on the exit side?

The intent of the Obfuscated URL would not necessarily be to 
maintain long term obfuscation of the URL (could it?), but at 
least to be the basis of a mechanism that would allow users to 
publish hard to censor anonymous content without a hidden service.  
Perhaps the user changes the hidden location every now and then 
in case the real URL is eventually disclosed, but if the 
obfuscation mechanism works for a long enough time, in some cases, 
this might be a lot easier and safer than using a hidden service 
(easier to change the location, ability to use free web space 
anonymously...).  Of course, I neglected to mention how the 
user would publish their obfuscated URLs in the first place, 
but that problem exists with onion URLs also?

Any thoughts?  Crazy, useless, impossible...

Cheers,

-Martin
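
A small model of the pre-wrapped locator proposed in this message, added here as an illustration and not code from the thread or from Tor. The relay names, the per-relay symmetric keys and the toy cipher are assumptions (a real design would encrypt each layer to a relay's public key); the point is what each hop learns, and that the locator stops resolving when one baked-in relay is down.

```python
import base64
import hashlib
import hmac
import json
import os

# Toy authenticated cipher (SHA-256 counter keystream + HMAC tag), standing in
# for the per-hop encryption a real design would do with relay onion keys.
def _stream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def unseal(key, blob):
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not sealed for this relay, or was altered")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def build_obfuscated_url(url, path, keys):
    """Wrap url once per relay in path (entry first, exit last), innermost first."""
    blob = seal(keys[path[-1]], json.dumps({"fetch": url}).encode())
    for relay, next_hop in zip(reversed(path[:-1]), reversed(path[1:])):
        layer = {"next": next_hop, "blob": base64.b64encode(blob).decode()}
        blob = seal(keys[relay], json.dumps(layer).encode())
    # Only the first hop is visible to whoever receives the locator.
    return path[0] + ":" + base64.urlsafe_b64encode(blob).decode()

def resolve(obfuscated, live_keys):
    """Peel layers hop by hop; live_keys holds only relays that are up right now.
    Returns (url, learned) where learned[relay] is the one value that relay saw."""
    relay, _, encoded = obfuscated.partition(":")
    blob = base64.urlsafe_b64decode(encoded)
    learned = {}
    while True:
        if relay not in live_keys:
            raise LookupError("relay %s from the baked-in path is not running" % relay)
        layer = json.loads(unseal(live_keys[relay], blob))
        if "fetch" in layer:
            # The exit necessarily sees the real URL in order to fetch it.
            learned[relay] = layer["fetch"]
            return layer["fetch"], learned
        learned[relay] = layer["next"]
        relay, blob = layer["next"], base64.b64decode(layer["blob"])

# Constructed relay names, keys and URL for the demonstration.
PATH = ["entry1", "middle1", "exit1"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}
URL = "http://example.com/pamphlet.txt"

if __name__ == "__main__":
    token = build_obfuscated_url(URL, PATH, KEYS)
    print(token[:60] + "...")
    print(resolve(token, KEYS))
```
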



  


Re: @Scott Bennett

2009-06-30 Thread Scott Bennett
 On Tue, 30 Jun 2009 19:33:38 +0200 Ansgar Wiechers 
wrote:
>On 2009-06-30 Scott Bennett wrote:
>> On Tue, 30 Jun 2009 13:18:50 +0200 Ansgar Wiechers 
>>> On 2009-06-30 Scott Bennett wrote:
>>>> On Tue, 30 Jun 2009 03:14:29 -0600 Jim McClanahan wrote:
>>>>> Ah, I see.  It is the duplicate messages from you that were
>>>>> confusing me.
>>>>> 
>>>>> Why duplicate messages?  As somebody else has pointed out recently,
>>>>> the fact that I can post on or-talk means I am subscribed to
>>>>> or-talk.
>>>> 
>>>> Just standard netiquette for followups to messages posted on mailing
>>>>> ^^^

 What about it?

>>>> lists.
>>> 
>>> RFC 1855 does not say any such thing, and it's usually frowned upon
>>> on virtually every mailing list that I frequent. YMMV.
>> 
>> Did someone claim that RFC 1855 said something on this issue?
>
>You did.
>
 That is false.  I've just searched through all of my postings to
OR-TALK since last August.  My followup to *your* claim is the only one
until right now that contained the string "1855".  You must be thinking
of someone else.
 I've already offered not to send you direct copies of my followups
to your messages.  Drop it.


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**


Re: 25 tbreg relays in directory

2009-06-30 Thread Alexander Cherepanov
Hello!

[Please reply to list only. Thanks.]

Scott Bennett wrote to or-t...@seul.org, punkle.jo...@gmail.com on Tue, 30 Jun 
2009 02:15:32 -0500 (CDT):

> I haven't lately looked at the distribution of relays over version strings,

Just quick stat from

  perl -e '
while (<>) {
  $tor{$1}++ if /^platform (.*?) on /;
}

for (sort keys %tor) {
  printf "%8d %s\n", $tor{$_}, $_;
}
  ' cached-descriptors

and some manual reordering:

   1 Tor 0.1.1.19-rc
   4 Tor 0.1.1.23
   2 Tor 0.1.1.25
   3 Tor 0.1.1.26
   1 Tor 0.1.2.9-rc
   1 Tor 0.1.2.13
   5 Tor 0.1.2.14
   1 Tor 0.1.2.15
   5 Tor 0.1.2.16
  26 Tor 0.1.2.17
  18 Tor 0.1.2.18
  87 Tor 0.1.2.19
   1 Tor 0.2.0.2-alpha (r10455)
   1 Tor 0.2.0.4-alpha
   2 Tor 0.2.0.6-alpha (r11277)
   1 Tor 0.2.0.7-alpha (r11572)
   1 Tor 0.2.0.28-rc (r15188)
   6 Tor 0.2.0.30 (r15956)
  30 Tor 0.2.0.31 (r16744)
  28 Tor 0.2.0.32 (r17346)
  60 Tor 0.2.0.33 (r18212)
1410 Tor 0.2.0.34 (r18423)
 411 Tor 0.2.0.35
   1 Tor 0.2.1.1-alpha (r15195)
  19 Tor 0.2.1.2-alpha (r15383)
   2 Tor 0.2.1.7-alpha (r17216)
   1 Tor 0.2.1.8-alpha (r17523)
   1 Tor 0.2.1.9-alpha (r1)
   2 Tor 0.2.1.10-alpha (r17969)
   8 Tor 0.2.1.11-alpha (r18192)
  15 Tor 0.2.1.12-alpha (r18423)
  14 Tor 0.2.1.13-alpha (r18828)
   2 Tor 0.2.1.13-alpha-dev
   1 Tor 0.2.1.13-alpha-dev (r19091)
   2 Tor 0.2.1.13-alpha-dev (r19200)
   1 Tor 0.2.1.13-alpha-dev (r19220)
   1 Tor 0.2.1.14-rc
  43 Tor 0.2.1.14-rc (r19307)
   1 Tor 0.2.1.14-rc (r19364)
   1 Tor 0.2.1.14-rc (r19712)
   1 Tor 0.2.1.14-rc (r19715)
  56 Tor 0.2.1.15-rc
 118 Tor 0.2.1.16-rc
  18 Tor 0.2.2.0-alpha-dev

Alexander Cherepanov
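
The same tally with a version-aware sort, so that the manual reordering step is not needed, plus a per-series summary. This is an added Python example, not the script from the message; the sample descriptors, the sort key and the floor version used in the demo are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of a cached-descriptors file; only the
# "platform" line of each descriptor is used. Addresses are documentation IPs.
SAMPLE_DESCRIPTORS = """\
router relayA 192.0.2.1 9001 0 0
platform Tor 0.2.0.34 (r18423) on Linux x86_64
router relayB 192.0.2.2 9001 0 0
platform Tor 0.1.2.9-rc on Windows XP Service Pack 2
router relayC 192.0.2.3 443 0 0
platform Tor 0.1.2.13 on FreeBSD i386
router relayD 192.0.2.4 9001 0 0
platform Tor 0.2.1.2-alpha (r15383) on Windows XP Service Pack 3
router relayE 192.0.2.5 9001 0 0
platform Tor 0.2.0.34 (r18423) on Linux i686
router relayF 192.0.2.6 9001 0 0
platform Tor 0.2.1.16-rc on Linux x86_64
"""

# Same capture as the Perl one-liner: everything between "platform " and " on ".
PLATFORM_RE = re.compile(r"^platform (.*?) on ", re.MULTILINE)
# Dotted numbers, optional status tag such as -rc or -alpha-dev, optional (rNNNN).
VERSION_RE = re.compile(r"^Tor (\d+(?:\.\d+)*)(-[\w.-]+)?(?: \(r(\d+)\))?$")


def count_platforms(text):
    """Count relays per version string, like the %tor hash in the Perl script."""
    return Counter(PLATFORM_RE.findall(text))


def version_key(label):
    """Sort key chosen for this example: numeric fields, then tag, then revision.

    Comparing the dotted part as integers is what puts 0.1.2.9-rc before
    0.1.2.13; a plain string sort gets that pair the wrong way round.
    """
    m = VERSION_RE.match(label)
    if m is None:
        return ((), label, -1)  # unparseable strings sort first
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return (numbers, m.group(2) or "", int(m.group(3) or -1))


def sorted_counts(counts):
    """Return (count, version string) pairs in version order."""
    return [(counts[label], label) for label in sorted(counts, key=version_key)]


def by_series(counts):
    """Collapse the tally to release series (first three numbers, e.g. 0.2.0)."""
    series = Counter()
    for label, n in counts.items():
        numbers = version_key(label)[0]
        series[".".join(map(str, numbers[:3])) or "unknown"] += n
    return dict(series)


def relays_below(counts, floor):
    """Number of relays whose numeric version is lower than the floor tuple.

    Unparseable version strings have an empty tuple and count as below.
    """
    return sum(n for label, n in counts.items() if version_key(label)[0] < floor)


if __name__ == "__main__":
    tally = count_platforms(SAMPLE_DESCRIPTORS)
    for n, label in sorted_counts(tally):
        print("%8d %s" % (n, label))
    print(by_series(tally))
    # Hypothetical floor for the demo, not a threshold stated in the thread.
    print(relays_below(tally, (0, 2, 0, 34)))
```
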



Re: Suggested IT Text... Edit or destroy as fitting.

2009-06-30 Thread Bill Weiss
Michael(co...@cozziconsulting.com)@Fri, Jun 26, 2009 at 11:44:03AM -0400:
>
>Not to jump in with both feet, but here's some possible starting text 
> ideas for the "IT People Use Tor" section...
>
>Ahem...
>
>"IT Professionals use Tor:
>
>* To verify IP based firewall rules: A firewall may have some policies 
> that only allow certain IP addresses or ranges. Tor can be used to verify 
> those configurations by using an IP number outside of the company's allotted 
> IP block.
>
>* To bypass their own security systems for sensitive professional 
> activities: For instance, a company may have a strict policy regarding the 
> material employees can view on the internet. A log review reveals a 
> possible violation. Tor can be used to verify the information without an 
> exception being put into corporate security systems.
>
>* To connect back to deployed services: A network engineer can use Tor 
> to remotely connect back to services, without the need for an external 
> machine and user account, as part of operational testing.
>
>* To access internet resources: Acceptable use policy for IT Staff and 
> normal employees is usually different. Tor can allow unfettered access to 
> the internet while leaving standard security policies in place.
>
>* To work around ISP network outages: Sometimes when an ISP is having 
> routing or DNS problems, Tor can make internet resources available, when 
> the actual ISP is malfunctioning. This can be invaluable in crisis 
> situations.

Similar to all of these:

 * To troubleshoot connectivity problems from the outside of their network
   (i.e. to see what parts of the internet can or can't see their site).

?

-- 
Bill Weiss


Re: @Scott Bennett

2009-06-30 Thread Ansgar Wiechers
On 2009-06-30 Scott Bennett wrote:
> On Tue, 30 Jun 2009 13:18:50 +0200 Ansgar Wiechers 
>> On 2009-06-30 Scott Bennett wrote:
>>> On Tue, 30 Jun 2009 03:14:29 -0600 Jim McClanahan wrote:
>>>> Ah, I see.  It is the duplicate messages from you that were
>>>> confusing me.
>>>> 
>>>> Why duplicate messages?  As somebody else has pointed out recently,
>>>> the fact that I can post on or-talk means I am subscribed to
>>>> or-talk.
>>> 
>>> Just standard netiquette for followups to messages posted on mailing
>>>> ^^^
>>> lists.
>> 
>> RFC 1855 does not say any such thing, and it's usually frowned upon
>> on virtually every mailing list that I frequent. YMMV.
> 
> Did someone claim that RFC 1855 said something on this issue?

You did.

Regards
Ansgar Wiechers


Re: many new relays

2009-06-30 Thread Karsten Loesing

On 06/28/2009 09:05 AM, grarpamp wrote:
> I'd give it a 15 minute mile high eyeball if I
> had the 'before the jump' cache files or
> a 'getinfo desc/all-recent' from back then.
> I just don't have that dataset.

I have uploaded a tarball of the 00:00 UTC consensuses from June 1 to
30, 2009 here (3.3 M):

http://freehaven.net/~karsten/volatile/consensuses-2009-06.tar.gz

If someone needs the consensuses in between (709 M including votes) or
the server descriptors (760 M uncompressed), please let me know via
private email. (We're still in the process of finding a better way to
make these files public, but then there are always tasks with higher
priority..)

--Karsten



Re: @Scott Bennett

2009-06-30 Thread Scott Bennett
 On Tue, 30 Jun 2009 13:18:50 +0200 Ansgar Wiechers 
>On 2009-06-30 Scott Bennett wrote:
>> On Tue, 30 Jun 2009 03:14:29 -0600 Jim McClanahan wrote:
>>> Ah, I see.  It is the duplicate messages from you that were confusing
>>> me.
>>> 
>>> Why duplicate messages?  As somebody else has pointed out recently, the
>>> fact that I can post on or-talk means I am subscribed to or-talk.
>> 
>> Just standard netiquette for followups to messages posted on mailing
>> lists.
>
>RFC 1855 does not say any such thing, and it's usually frowned upon on
>virtually every mailing list that I frequent. YMMV.
>
 Did someone claim that RFC 1855 said something on this issue?
 On every list I've been on in more than two decades with the sole
exception of OR-TALK, sending a followup directly to the author of the
message being followed up in addition to a copy to the list has been
the norm.  Individuals have not always followed that practice consistently,
but it has been the expected practice for as long as I've participated on
mailing lists.
 I do not know how/why the practice got started, but I can offer some
speculations.  Many mailing lists are also available as digests.  Without
knowing whether the author of an item to which one is following up might
be subscribed to the digest rather than the list, there is a clear advantage
to sending an immediate copy of one's followup to that other author, so
that that other author need not wait till the next issuance of a digest to
see the followup.  Another situation is that many lists allow posting from
people who are not subscribed to those lists.  In such cases, the direct
followups are crucial lest the author of the item being followed up never
see the followup item.
 By the tone of your followup, I infer that you do not want direct
copies of followups, so I am only sending this one to the list.


  Scott Bennett, Comm. ASMELG, CFIAG


Re: @Scott Bennett

2009-06-30 Thread Ansgar Wiechers
On 2009-06-30 Scott Bennett wrote:
> On Tue, 30 Jun 2009 03:14:29 -0600 Jim McClanahan wrote:
>> Ah, I see.  It is the duplicate messages from you that were confusing
>> me.
>> 
>> Why duplicate messages?  As somebody else has pointed out recently, the
>> fact that I can post on or-talk means I am subscribed to or-talk.
> 
> Just standard netiquette for followups to messages posted on mailing
> lists.

RFC 1855 does not say any such thing, and it's usually frowned upon on
virtually every mailing list that I frequent. YMMV.

Regards
Ansgar Wiechers


Re: @Scott Bennett

2009-06-30 Thread Scott Bennett
 On Tue, 30 Jun 2009 03:14:29 -0600 Jim McClanahan 
wrote:
>Ah, I see.  It is the duplicate messages from you that were confusing
>me.
>
>Why duplicate messages?  As somebody else has pointed out recently, the
>fact that I can post on or-talk means I am subscribed to or-talk.
>
 Just standard netiquette for followups to messages posted on mailing
lists.  If you'd rather not get the direct messages, I'll try to remember
not to send them to you in the future.  (I'm only sending this followup
to the list this time, just in case that's what you prefer.)


  Scott Bennett, Comm. ASMELG, CFIAG


@Scott Bennett

2009-06-30 Thread Jim McClanahan
Ah, I see.  It is the duplicate messages from you that were confusing
me.

Why duplicate messages?  As somebody else has pointed out recently, the
fact that I can post on or-talk means I am subscribed to or-talk.


@Scott Bennett

2009-06-30 Thread Jim McClanahan
I was trying to email you and it bounced:

Final-Recipient: rfc822; benn...@cs.niu.edu
Original-Recipient:
rfc822;benn...@cs.niu.edu
Action: failed
Status: 5.7.1
Remote-MTA: dns; mp.cs.niu.edu
Diagnostic-Code: smtp; 550 5.7.1
... Access denied


Re: 25 tbreg relays in directory

2009-06-30 Thread Scott Bennett
 On Tue, 30 Jun 2009 01:13:13 -0500 punkle jones 
wrote:
>On Mon, Jun 29, 2009 at 2:59 PM, Scott Bennett  wrote:
>
>> On Mon, 29 Jun 2009 09:19:21 -0500 punkle jones <
>> punkle.jo...@gmail.com>
>> wrote:
>> >Unlurking for the first time, I think.
>>
>>  Welcome to the fray! ;)
>> >
>> >Why not join forces with a popular freeware/shareware product like Aim or
>> >Winamp, with an "uncheck to opt out" option and a description of tor.
>>  Such
>> >a bundle could be preset to relay, and there's got to be a magic bandwidth
>> >that most western users could tolerate.  Is it ethically wrong to insert
>> TOR
>> >into the userspace of the less-informed by associating it with a popular
>> >(hopefully not unsavory) download?  Does this concept fly in the face of
>> >free will?  Is it just too sneaky?  It's not like you'd be putting five
>> new
>> >toolbars into their browser.
>> >
>> Take a look at some reasons, beginning at
>>
>> https://www.torproject.org/download.html.en#Warning
>>
>> Then let us know whether you still see a way for such an "uncheck to opt
>> out"
>> arrangement to be a good idea.  Keep in mind that, in general, people do
>> not
>> currently read EULAs displayed by software installer packages, so you're
>> not
>> likely to get them to read and understand a bunch of pages from the tor
>> project's web site in the middle of installing a different package that
>> also
>> includes tor.
>>
>> Well, my thinking was along the lines of causing more TOR installations,
>with the motivation provided up front and not during an installation..  Just

 Well, we have recently and suddenly gotten about 40% more relays, very
few of which seem to be tbreg relays, so it certainly looks like someone or
something has achieved that result.

>because it's installed doesn't mean it has to be used.  I imagined a
>good-faith service that someone runs because they feel it benefits everyone
>without necessarily needing it themselves.  The sketchy part is getting
>folks to run another thing on their computer to help other folks out.
>Unless a ton of new tor installations would be a burden instead of a boon.
>
 If they are legitimate, it would be very much a boon.  I haven't lately
looked at the distribution of relays over version strings, so I don't have
a good benchmark to use for comparison if I decided to look at the current
distribution.  Does anyone else happen to have any records that could be
used for this purpose?
 If, OTOH, they are new relays using insecure, out-of-date versions like
the 0.2.1.2-alpha that was reported as being the version used by the tbreg
relays, then "burden" would still not be a good description of the situation.
8-|


  Scott Bennett, Comm. ASMELG, CFIAG


Re: 25 tbreg relays in directory

2009-06-30 Thread Scott Bennett
 On Mon, 29 Jun 2009 07:13:42 -0600 Jim McClanahan 
wrote:
>Scott, when I did a "reply" on your email, it (tried to) send it to your
>personal email account rather than the list.

 You probably were replying to the message sent directly to you, so that
is quite likely. :-)
>
>--
>
>Scott Bennett wrote:
>> 
>>  On Mon, 29 Jun 2009 05:14:25 -0600 Jim McClanahan 
>> wrote:
>> >Scott Bennett wrote:
>> >
>> >>  Ouch.  This provides another example in support of having a way
>> >> for the directory authorities to render insecure versions ...
>> >> and only usable as clients to connect to the tor project's web site to
>> >> download a current version of tor.
>> >
>> >This kind of thinking baffles me.  It seems diametrically opposed to the
>> >notion of free software.  I could understand if the outdated client was
>> 
>>  How so?  It's still free of charge, freely available, and freely
>> modifiable and redistributable.  (GPL3-licensed software doesn't
>> qualify, IMO.)
>
>I did not mean it was not technically free software.  The license
>takes care of that.  My meaning is that the goal is to restrict people
>rather than to grant freedom.  It is an issue of perspective rather than
>license technicalities.  I probably could have phrased it better.

 Oh, okay.  Thanks for clarifying.
 The intent of my suggestions has been to restrict abuse harmful either
to an uninformed and unsuspecting user or to the tor network overall, not to
restrict "people".
>
>(I happen to like, to the extent I understand it, GPLv3.  But I don't
>see how it is relevant to this discussion and I don't know why it was
>injected into it.)
>
 That was just a side comment.  The viral license is, as I understand it,
the primary motivating reason for the recent decision by the FreeBSD project
to write its own gcc-compatible C compiler in order to keep GPL3 contamination
from getting the upper hand over FreeBSD.  Replacement of other GNU tools in
FreeBSD has been underway for some time already.  The BSD license does not
suffer from the pernicious interference of GPL3, and the FreeBSD project would
like to keep it *Free*BSD.
 There is a history to this way of thinking.  Remember that all of the
modern *BSDs are descended from 4.4BSD-lite, which was released in response
to all the difficulties caused by the AT&T UNIX license that had culminated
in a lawsuit against the University of California Board of Regents (or
Trustees--I don't now recall what they were called at the time).  The AT&T
license problems are also the reason Linus Torvalds decided so long ago that
he'd dump UNIX and write his own.  Likewise for MINIX.  I don't know what
Torvalds will do this time around w.r.t. GPL3, nor what the other *BSD projects
will do.
>> 
>> >endangering the Tor network (which was discussed in the portion of the
>> >comment I skipped over with the ellipsis).  And I would have no problem
>> 
>>  Insecure relays endanger the network
>
>That is why I inserted the ellipsis and made the parenthetical comment
>about it.  I am not arguing against neutralizing insecure relays.  The
>danger to the network is perfect justification IMO.

 Note that the version of tor that Pei Hanru reported here had been part
of the tbreg distribution is *not* secure.
>
>> Insecure clients installed
>> virally onto systems without notice to the users endanger those users.
>
>It's not like the clients ended up there on their own w/o the consent of
>the user or owner.  Trying to enforce a policy on people when those

 Pei Hanru suggested otherwise.

>people are not harming others reeks (IMO) of unsavory things like police
>states and nanny states.  I am opposed.  It is personal perspective, not

 I would argue that those unsuspecting, involuntary tor operators were
indeed harmed and further that they were placed at significant risk of far
greater harms at the hands of that State.

>technical argument.  Obviously, it is technically possible to do what
>you describe.  And because of the free license, it is technically
>possible and legally permissible for people to undo those changes on
>their copies of the software.  It is also possible for the software to
>lie to the network about what it is.  But as I stated, this attitude of
>trying to coerce other people baffles me.  I am not saying nobody does
>it.  The world is full of tyrants.

 Clearly, the above comments are inapplicable to this situation and
to what I was suggesting as a way to deal with similar situations in the
future.  No one suggested that anyone be prevented from deliberately
installing and, at their option, configuring tor to suit their taste.
What was suggested was a way to disable bad software to prevent it from
harming the unsuspecting.  tor is still open source software.  If you
have a bad version, but really do want to run a bad version, you are free
to change it to make it think it is valid even when it isn't.  Of course,
if a large enough fraction of tor users w