Re: Rogue exit nodes - checking?

2010-06-20 Thread Anders Andersson
> Unfortunately I
> cannot publish source codes because attackers can adapt own techniques
> (though it would be very difficult).

Yummy. Security through obscurity. Let's hope the bad guys don't
find out. Or do they already know?
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talkin the body. http://archives.seul.org/or/talk/


Re: Rogue exit nodes - checking?

2010-06-20 Thread John M. Schanck
On Sat, Jun 19, 2010 at 10:20:19PM +0100, Matthew wrote:
> I am curious to know if there is a way of identifying bad exit
> nodes?  Do people who are more technical than me (not hard!) somehow
> search for exit nodes with interesting configurations?  Or, unless
> you use StrictExitNodes and are confident of the honesty of the
> operator, are you simply hoping the exit node owner is benign?

In addition to Marek's scanner (which I'd be very interested in hearing
more about ;)) there's also the SoaT Exit Scanner which Mike Perry wrote.
It compares the results of queries made across Tor to those made over a
direct connection to look for things like SSL certificate tampering and
HTTP header or content modification. It also checks for suspicious exit
policies such as allowing insecure protocols like POP and IMAP, but not
allowing the corresponding secure protocol (POPS/IMAPS). There's a nice
overview of its capabilities in Mike's Tor Network Analysis paper [0].

The scanner occasionally finds interesting things, but it's not seeing a
lot of use at the moment as it's a bit of a chore to wade through the
false positives. I'm working on improving it as part of Google Summer of
Code, so if you're really interested, I post occasional updates on my
progress with it at [1], and hopefully by the end of the summer things
will have progressed enough for the scanner to see more active use.

[0] http://fscked.org/talks/TorFlow-HotPETS-final.pdf
[1] http://anomos.info/~john/gsoc
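The exit-policy check John describes (a plaintext mail port exited while its TLS-protected counterpart is rejected) is easy to automate. The following is an added example, not SoaT's own code: it parses the ordered `accept`/`reject` rules of a Tor exit policy, evaluates them first-match-wins for a generic destination, and reports the POP/IMAP pairs where only the insecure side is allowed. The two sample policies are constructed for the example.

```python
"""Exit-policy sanity check for a Tor relay (added example, not SoaT code).

A Tor exit policy is an ordered list of rules "<accept|reject> <addr>:<port>",
where <port> may be a single port, a range "low-high" or "*", and the first
rule matching the destination decides. This check asks about an arbitrary
destination, so only wildcard-address rules are consulted.
"""
import re

RULE_RE = re.compile(r"^(accept|reject)\s+(\S+):(\*|\d+(?:-\d+)?)$")

# Plaintext mail port -> its TLS-wrapped counterpart (POP3/POP3S, IMAP/IMAPS).
INSECURE_TO_SECURE = {110: 995, 143: 993}

# Constructed sample policies (not real relay descriptors).
SUSPICIOUS_POLICY = [
    "accept *:80",
    "accept *:110",   # POP3 allowed ...
    "accept *:143",   # IMAP allowed ...
    "reject *:995",   # ... but POP3S rejected
    "reject *:993",   # ... and IMAPS rejected
    "reject *:*",
]
NORMAL_POLICY = ["accept *:80", "accept *:443", "accept *:993-995", "reject *:*"]


def parse_policy(lines):
    """Turn policy text into (action, address, low_port, high_port) tuples."""
    rules = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable policy line: {line!r}")
        action, addr, ports = m.groups()
        if ports == "*":
            low, high = 1, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-"))
        else:
            low = high = int(ports)
        rules.append((action, addr, low, high))
    return rules


def policy_allows(rules, port):
    """First matching rule wins; a policy with no match rejects by default."""
    for action, addr, low, high in rules:
        # Simplification: only wildcard-address rules are considered, because
        # we are asking about an arbitrary destination rather than one host.
        if addr not in ("*", "0.0.0.0/0"):
            continue
        if low <= port <= high:
            return action == "accept"
    return False


def suspicious_mail_ports(policy_lines):
    """Return (insecure, secure) pairs where only the plaintext side may exit."""
    rules = parse_policy(policy_lines)
    return [(ins, sec) for ins, sec in INSECURE_TO_SECURE.items()
            if policy_allows(rules, ins) and not policy_allows(rules, sec)]


if __name__ == "__main__":
    for name, pol in (("suspicious", SUSPICIOUS_POLICY), ("normal", NORMAL_POLICY)):
        print(name, "->", suspicious_mail_ports(pol))
```

Such a policy is not proof of a malicious operator (a relay may simply predate the secure ports in its operator's template), which is why SoaT treats it as a signal to be combined with the content and certificate comparisons rather than a verdict.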


Re: Rogue exit nodes - checking?

2010-06-20 Thread slush
I don't think you are right.

There are two extremes when checking if two files are the same:

* Both files are exact byte copies - we are happy, because everything is clear
* Both files are absolutely different - we are also happy, because we
know that something is bad

But a scanner which considers just these two extremes will throw many
false positives, because the world isn't ideal. Just download two copies
of some page a few minutes apart and you will see. Different
banner? Different language (because you changed IP)? New information
here? All of these you have to consider, and you have to report only
important things.

Because it is more heuristic than exact measurement, an attacker can
adapt his code to be less harmful and slip under the notification
threshold of the scanner.

There are two ways how to fight attackers:
a) Open-source the scanner and beat them by spending months on scanner improvements.
b) Leave the scanner closed and piss them up (my way)

I think your irony isn't outright. Trust me, I didn't spend almost a year
of my life on bullshit.

John: I know SoaT quite well; I originally considered improving it. But
my attitude is quite different. SoaT checks everything other than
content (as you wrote: SSL, policy etc.) - and throws many false
positives once content differs a bit. I'm interested just in content.

Marek

On Sun, Jun 20, 2010 at 11:05 PM, Anders Andersson pipat...@gmail.com wrote:
> > Unfortunately I
> > cannot publish source codes because attackers can adapt own techniques
> > (though it would be very difficult).
>
> Yummy. Security through obscurity. Let's hope the bad guys don't
> find out. Or do they already know?
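Marek's point is that the interesting cases lie between "byte-identical" and "completely different", so a content-only scanner needs a tolerance for ordinary page churn. The following is an added example, not Marek's scanner and not SoaT: it normalises the volatile parts of two fetches of the same page (one direct, one through an exit), measures how much of the remaining document changed with `difflib`, and reports only when the change is large or when an active element (script, iframe or form target) appears in the exit copy that the direct copy lacks. The HTML samples, the `.invalid` hostname and the 0.85 threshold are all constructed for the example.

```python
"""Content-only comparison of a direct fetch and a via-exit fetch, tolerant
of normal page churn (added example, not Marek's scanner and not SoaT).
"""
import difflib
import re

# Things we expect to differ between any two fetches of the same page.
VOLATILE = [
    (re.compile(r"<!--.*?-->", re.S), ""),                 # comments: cache/debug stamps
    (re.compile(r"\b\d{1,2}:\d{2}(?::\d{2})?\b"), "<TIME>"),  # clock times
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "<DATE>"),       # ISO dates
    (re.compile(r"\s+"), " "),                             # whitespace runs
]
# External targets of active elements: what an injecting exit has to add.
TAG_SRC_RE = re.compile(
    r"<(script|iframe|form)\b[^>]*?(?:src|action)=[\"']([^\"']+)", re.I)

# Constructed sample documents (not captured from a real exit).
DIRECT = (
    "<html><head><title>News</title>"
    "<script src=\"/js/app.js\"></script></head>\n"
    "<body><!-- rendered 2010-06-20 22:11:03 by web03 -->\n"
    "<div id=\"ad\">Banner A</div>\n"
    "<p>Top story of the day.</p></body></html>\n"
)
# Same page a few minutes later: different render stamp, rotated banner.
VIA_EXIT_CHURN = (DIRECT.replace("22:11:03 by web03", "22:14:40 by web07")
                        .replace("Banner A", "Banner B"))
# Same page with an extra script reference that the origin never served.
VIA_EXIT_TAMPERED = DIRECT.replace(
    "</body>",
    "<script src=\"http://exit-injected.invalid/track.js\"></script></body>")


def normalise(html):
    """Strip the parts that legitimately change between fetches."""
    for rx, repl in VOLATILE:
        html = rx.sub(repl, html)
    return html.strip().lower()


def active_refs(html):
    """Sorted, lower-cased targets of script/iframe/form elements."""
    return sorted({m.group(2).lower() for m in TAG_SRC_RE.finditer(html)})


def compare_fetches(direct_html, exit_html, threshold=0.85):
    """Classify the exit copy as identical, ordinary churn, or changed."""
    a, b = normalise(direct_html), normalise(exit_html)
    # autojunk=False: the heuristic that discards frequent characters would
    # distort ratios on long documents.
    ratio = difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()
    added = sorted(set(active_refs(exit_html)) - set(active_refs(direct_html)))
    if a == b:
        verdict = "identical"
    elif added or ratio < threshold:
        verdict = "changed"      # worth a human look
    else:
        verdict = "churn"        # below the reporting threshold
    return {"ratio": round(ratio, 3), "added_refs": added, "verdict": verdict}


if __name__ == "__main__":
    for label, page in (("same", DIRECT), ("churn", VIA_EXIT_CHURN),
                        ("tampered", VIA_EXIT_TAMPERED)):
        print(label, compare_fetches(DIRECT, page))
```

The similarity threshold is exactly the knob Marek warns about: an attacker who keeps a modification small stays under it, which is why the example also reports structural additions regardless of the ratio. Language-by-IP differences (the other false positive he mentions) are best handled upstream by sending a fixed `Accept-Language` on both fetches rather than by normalisation.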


Re: Rogue exit nodes - checking?

2010-06-20 Thread John M. Schanck
On Sun, Jun 20, 2010 at 11:58:45PM +0200, slush wrote:
[snip]
> There are two ways how to fight attackers:
> a) Opensource scanner and beat them by spending months on scanner
> improvements.
> b) Leave scanner closed and piss them up (my way)

I think you and Anders are both oversimplifying the situation. An attacker may
be able to determine the profile for a normal Tor user, and they may determine
the profile for an exit scanner - but our job in designing any scanner (open or
closed source) is to make the task of delineating between the two as difficult
as possible. As I'm sure you're aware, we can actually quantify how difficult
such a task is using information theoretic techniques, and so we may develop an
objective measure for comparing scanners which is entirely independent of their
being open or closed source.

That said, SoaT also has a closed source component, specifically the
configuration file we actually use when running it. Withholding this
information makes an attacker's job somewhat harder, so there is
something to be said for not revealing your hand too soon.

> I think your irony isn't outright. Trust me I didn't spend almost year
> of my life on bullshit.
>
> John: I know SoaT quite well, I originally consider to improve it. But
> my attitude is quite different. SoaT checks everything else than
> content (as you wrote: SSL, policy etc) - and throws many false
> positives once content differs a bit. I'm interested just in content.
>
> Marek

Marek: I for one highly doubt that you spent a year of your life on
bullshit and would be very interested in reading your thesis and
discussing this topic further - is it available online? SoaT does
somewhat more subtle content scans than you make it out to, but I'll
agree they're far from perfect, and that's why I'm spending several
months of my life working to improve them :).

Cheers,
John

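John's suggestion that scanner detectability can be measured rather than argued about can be made concrete. The following is an added example, not SoaT code: it models one feature an exit can observe about a connection (here, the kind of resource requested) as a probability distribution for normal users, `USER`, and for a scanner, and computes the total variation distance between them. That distance is exactly the advantage of the best possible single-observation test, so it is an objective measure that does not depend on whether the scanner's source is published; KL divergence then tells how fast evidence accumulates over repeated observations. All three distributions are constructed for the example.

```python
"""Quantifying how distinguishable a scanner's traffic profile is from a
normal user's (added example illustrating an information-theoretic
measure; not SoaT code). Distributions are constructed, not measured.
"""
import math

# Constructed feature distributions over "what kind of resource is fetched".
USER = {"html": 0.55, "image": 0.35, "script": 0.10}
SCANNER_V1 = {"html": 0.95, "image": 0.0, "script": 0.05}   # pages only, never images
SCANNER_V2 = {"html": 0.60, "image": 0.30, "script": 0.10}  # mimics the user profile


def check_distribution(d):
    """Raise if d is not a probability distribution."""
    if any(v < 0 for v in d.values()) or abs(sum(d.values()) - 1.0) > 1e-9:
        raise ValueError("not a probability distribution")


def total_variation(p, q):
    """TV(P, Q) = 1/2 * sum |P(x) - Q(x)|, in [0, 1]."""
    check_distribution(p)
    check_distribution(q)
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def best_single_sample_test(p, q):
    """The optimal one-observation distinguisher answers 'scanner' exactly on
    the features where Q puts more mass than P. Its advantage over guessing,
    Q(S) - P(S), equals TV(P, Q); no single-sample test can do better."""
    flag = sorted(k for k in set(p) | set(q) if q.get(k, 0.0) > p.get(k, 0.0))
    advantage = sum(q.get(k, 0.0) for k in flag) - sum(p.get(k, 0.0) for k in flag)
    return flag, advantage


def kl_divergence(p, q):
    """D(P || Q) in bits: expected log-likelihood evidence per observation
    when the observations really come from P. Infinite if P has support
    where Q has none (one such observation settles the question)."""
    total = 0.0
    for k, pk in p.items():
        if pk == 0:
            continue
        qk = q.get(k, 0.0)
        if qk == 0:
            return math.inf
        total += pk * math.log2(pk / qk)
    return total


def observations_for_evidence(scanner, user, target_bits=10.0):
    """Rough number of scanner requests an exit must see before the expected
    log-likelihood ratio reaches target_bits (odds of about 2**target_bits)."""
    rate = kl_divergence(scanner, user)
    return 1 if rate == math.inf else math.ceil(target_bits / rate)


if __name__ == "__main__":
    for name, scanner in (("v1", SCANNER_V1), ("v2", SCANNER_V2)):
        print(name, "TV =", round(total_variation(USER, scanner), 3),
              "best test:", best_single_sample_test(USER, scanner),
              "requests to 10 bits:", observations_for_evidence(scanner, USER))
```

Lowering the total variation (the second scanner profile) is what "making delineation difficult" means in measurable terms; the same computation applied to other observable features (request timing, header order, which links are followed) gives a per-feature budget a scanner designer can track, open source or not.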


Tor logo in SVG

2010-06-20 Thread Erik de Castro Lopo
Hi all,

I'm looking for a version of the Tor logo in SVG. Anyone have one?
Standard searches have failed to turn one up.

Cheers,
Erik
-- 
--
Erik de Castro Lopo
http://www.mega-nerd.com/


Re: Tor logo in SVG

2010-06-20 Thread andrew
On Mon, Jun 21, 2010 at 09:43:44AM +1000, mle+to...@mega-nerd.com wrote 0.5K bytes in 14 lines about:
: I'm looking for a version of the Tor logo in SVG. Anyone have one?
: Standard searches have failed to turn one up.

There isn't one that I know of.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
Skype:  lewmanator


Re: Tor logo in SVG

2010-06-20 Thread Erik de Castro Lopo
and...@torproject.org wrote:

> On Mon, Jun 21, 2010 at 09:43:44AM +1000, mle+to...@mega-nerd.com wrote 0.5K bytes in 14 lines about:
> : I'm looking for a version of the Tor logo in SVG. Anyone have one?
> : Standard searches have failed to turn one up.
>
> There isn't one that I know of.

Ok, the biggest raster image I can find is 400x134. Anyone have one
bigger?

Cheers,
Erik
-- 
--
Erik de Castro Lopo
http://www.mega-nerd.com/


Re: Tor logo in SVG

2010-06-20 Thread andrew
On Mon, Jun 21, 2010 at 12:09:43PM +1000, mle+to...@mega-nerd.com wrote 0.7K bytes in 20 lines about:
: Ok, the biggest raster image I can find is 400x134. Anyone have one
: bigger?

Unclear why you want it so bad, but have you checked our website?

https://www.torproject.org/images/medium-res-sticker-logo.png

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
Skype:  lewmanator


question on thunderbird and tor

2010-06-20 Thread M

I have read some of the previous posts but fail to understand.

I have configured my portable Thunderbird to use Tor. In the proxy
settings, I have entered port 8118 for HTTP and SSL, and 9050 for SOCKS 5.

I have added 3 accounts: Gmail, Yahoo, and Hotmail. I can access Yahoo and
Hotmail through an add-on called Webmail. Also, Hotmail allows POP3 if you
change the type to Hotmail Asia.

When I connect, I can see that the connections are made through Tor from
the network map.

I am unsure of the following:

1) DNS leak, as there is no SOCKS4a

2) Several posts said that your outgoing mail will have my real IP. Is
this true? And why, when I am connected through Tor?

Also, if these things are true, then how can I go about doing it
properly? Any help would be much appreciated.
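The second worry in the question (whether sent mail carries the sender's real IP) can be checked directly rather than taken on faith: send a message to yourself and read the `Received:` chain the servers added, since each hop records the peer address it actually talked to. The following is an added example, not from the thread: it parses a raw message, extracts the bracketed IPv4 addresses from every `Received:` header, drops private and loopback ranges (which only describe a LAN or local proxy), and reports whether a given "own" public address appears. The sample message, its hostnames and all addresses are constructed; the documentation ranges stand in for public addresses.

```python
"""Inspect the Received: chain of a message you sent to yourself to see
which peer address each server recorded (added example, not from the thread).
"""
import email
import ipaddress
import re

# Bracketed IPv4 literals as MTAs write them in Received: headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Address ranges that say nothing about the public peer (LAN, localhost).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: a message submitted from a client (recorded by the
# submission server as 198.51.100.77) and relayed to the inbox server.
SAMPLE_MESSAGE = """Received: from mx.example.invalid (mx.example.invalid [192.0.2.10])
\tby inbox.example.invalid with ESMTP; Sun, 20 Jun 2010 23:58:45 +0200
Received: from [10.0.0.5] (unknown [198.51.100.77])
\tby mx.example.invalid with ESMTPSA; Sun, 20 Jun 2010 23:58:40 +0200
From: m@example.invalid
To: m@example.invalid
Subject: tor test

test body
"""


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def received_ips(raw_message):
    """Per hop (outermost first), the non-local IPs the server recorded."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        ips = [ipaddress.ip_address(s) for s in IP_RE.findall(header)]
        hops.append([str(ip) for ip in ips if not is_local(ip)])
    return hops


def exposes_address(raw_message, own_public_ip):
    """True if any hop recorded own_public_ip as its peer."""
    own = str(ipaddress.ip_address(own_public_ip))
    return any(own in hop for hop in received_ips(raw_message))


if __name__ == "__main__":
    print(received_ips(SAMPLE_MESSAGE))
    # If the submission really went through Tor, the innermost hop shows an
    # exit relay, not the client's own public address.
    print("exposed:", exposes_address(SAMPLE_MESSAGE, "198.51.100.77"))
```

The innermost `Received:` line is the one that matters: it is written by the submission server and names whatever address the SMTP session came from. A client that really submitted through the SOCKS proxy shows an exit relay there; a client that fell back to a direct connection shows the home address, which is the leak the earlier posts refer to.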