Re: Selecting an Exit Server By State?
On Sat, Aug 14, 2010 at 09:27:29AM +0100, pump...@cotse.net wrote 1.1K bytes in 34 lines about:
> Is there a way to select an exit server by state? For example, choosing
> a working exit server in California?

No, we don't ship with that level of resolution, just IP to country.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
+1-781-352-0568
Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
Skype: lewmanator

***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
Re: Tor Project 2008 Tax Return Now Online
On Sat, 14 Aug 2010 12:26:57 +0100 Anon Mus wrote:
> It looks like 90% of the funding is from the US, nearly all US
> government.
>
> Internews Europe - France $183,180 (35.6%)
> (http://www.sourcewatch.org/index.php?title=Internews)
> Stichting Nlnet - Netherlands $42,931
> International Broadcasting $260,000 (50.5%)
> (http://en.wikipedia.org/wiki/International_Broadcasting_Bureau)
> Google US $28,500 (5.5%)
>
> Total $514,611

Last I checked, France and the Netherlands aren't under US Government rule. Internews Europe is different from Internews, and funded completely differently.

--
Andrew Lewman
The Tor Project
Re: Tor Project 2008 Tax Return Now Online
On Sat, 14 Aug 2010 01:20:28 -0400 Jimmy Dioxin wrote:
> Cryptome has posted the Tor Project 2008 Tax Return available at:
> http://cryptome.org/0002/tor-2008.zip
>
> As many know, all US non-profit corporation returns are available upon
> request by the public.

In fact, these documents are already public. They are available through us on request, as required by US tax laws. Or, generally through GuideStar or Charity Navigator. There's nothing secret here, it's all public. Every 501c3 has to file these every year.

Tor develops in public, meets in public, and is generally approachable for questions, comments, or concerns. We specifically chose to be a 501c3 for the transparency factor. We could easily have been a for-profit entity with many willing investors to create black box software. We believe in the right to online anonymity and developing and improving it with Tor. The adversaries to online anonymity are vastly better funded to the tune of trillions of dollars, and in some cases, can tax their populace to better oppress them.

> Firstly, people need to look through these returns in the same way we
> audit code. Looking at funding sources and expenditures is important
> to insuring Tor is a useful anonymity tool for years to come.

There are two points in that statement. First, we've repeatedly stated that you should evaluate our designs, the code, and verify the binaries we produce.

Second, many organizations want anonymity online. These organizations need Tor and/or our advice to accomplish their goals. Our examples of Tor users give you an idea of who wants their anonymity online, https://www.torproject.org/torusers. We will accept funding from people who understand our mission, our goals, and generally our research and development model of progress. We don't take funding we don't feel comfortable handling.

We generally work along two paths at once:

1) Research, attack, and improve the Tor design. Low-latency anonymity and the general field of anonymous Internet communications are still relatively young. Research into these fields takes anywhere from 3 to 10 years to solidify designs, develop attacks, and then develop defenses to attacks;

2) Turn the research into code. Improving the codebase and the growing number of accessory programs for Tor is a growing challenge.

We have a live Tor network that is used by half a million people a day. We want to make sure that Tor works for those putting their life on the line. Therefore, we must make sure Tor is the strongest we can make it to provide anonymity online.

The US and European Governments are large entities. They feed people, protect citizens, save lives, make bombs, and get involved in wars. They do not speak with one voice and one mission. For all of the people who publicly state anonymity should disappear, there are just as many who want to see anonymity strengthened.

> Secondly, can the Tor project release these returns on the site for
> the above purpose? I don't think there needs to be some onerous
> accounting process for reporting to the public (ya'll have better
> things to do anyways), but these returns would be nice to have in the
> interest of transparency.

We are finishing up the 2009 audits and filings this month. We will announce our first ever annual report soon, and post the 2007 through 2009 IRS 990 forms, financial statements, and reviews. This is what you want to watch for progress on this front, https://trac.torproject.org/projects/tor/milestone/2009%20Financial%20%26%20Compliance%20Audit

The best way we know to combat conspiracy theories and cranks is for the organization to be as transparent as possible. We hope you'll join us in protecting, providing, and strengthening anonymity online.

--
Andrew Lewman
The Tor Project
Re: Tor Project 2008 Tax Return Now Online
On Sat, Aug 14, 2010 at 12:26:57PM +0100, Anon Mus wrote:
> It looks like 90% of the funding is from the US, nearly all US government.

If you know any funders outside the US who care about privacy, anonymity, or circumvention, we're all ears. :)

> Add to this the number of Tor nodes run from US institutions (many at US
> gov funded edu's) and you should be able to see who that "Global
> Adversary" is!
>
> US - GOV

Conspiracy theories aside, this is an important open research question that still needs more research attention: if you can watch a given amount of Internet backbone traffic, how much of the Tor network can you surveil?

Here are three papers to get you started if you want to learn more about this issue:
http://freehaven.net/anonbib/#feamster:wpes2004
http://freehaven.net/anonbib/#DBLP:conf/ccs/EdmanS09
http://freehaven.net/anonbib/#murdoch-pet2007

Designs like Tor have always accepted that they will be vulnerable to a global passive adversary:
https://svn.torproject.org/svn/projects/design-paper/tor-design.html#subsec:threat-model

The key point to realize here is that you shouldn't so much think about the locations of the Tor relays, but instead think about which networks the communication between Tor users and the Tor network traverses, and which networks the communication between the Tor network and the destination services (e.g. websites) traverses. The Internet itself has bottlenecks that make our task hard even if we could engineer a good diversity of relay locations.

We can certainly imagine that some pieces of the US government have the capability to tap large pieces of the Internet:
https://www.eff.org/nsa/faq

But what saves us here is that the US government, like all governments, is not one person. It's a lot of different groups, all with different goals and different capabilities. So a) that means some parts of the government actually want to support freedom of speech and/or need for themselves the security properties that Tor provides, and b) there's a huge amount of bureaucracy to slow down coordination between different pieces of the government -- so even if somebody at NSA can beat Tor, that doesn't mean somebody at FBI can call him up and ask for answers.

--Roger
Re: Tor Project 2008 Tax Return Now Online
The US Government also gets extensive use out of Tor. Law enforcement uses it for informants etc.

As explained on the Tor website, this is actually a good thing as it makes you more anonymous (are you a fed, a journalist, somebody looking for porn, etc)

Jimmy Dioxin

On 08/14/2010 07:26 AM, Anon Mus wrote:
> Jimmy Dioxin wrote:
>> Hey Folks,
>>
>> Cryptome has posted the Tor Project 2008 Tax Return available at:
>> http://cryptome.org/0002/tor-2008.zip
>>
>> As many know, all US non-profit corporation returns are available upon
>> request by the public.
>>
>> Firstly, people need to look through these returns in the same way we
>> audit code. Looking at funding sources and expenditures is important to
>> insuring Tor is a useful anonymity tool for years to come.
>
> Thanks for this.
>
> It looks like 90% of the funding is from the US, nearly all US government.
>
> Internews Europe - France $183,180 (35.6%)
> (http://www.sourcewatch.org/index.php?title=Internews)
> Stichting Nlnet - Netherlands $42,931
> International Broadcasting $260,000 (50.5%)
> (http://en.wikipedia.org/wiki/International_Broadcasting_Bureau)
> Google US $28,500 (5.5%)
>
> Total $514,611
>
> Add to this the number of Tor nodes run from US institutions (many at US
> gov funded edu's) and you should be able to see who that "Global
> Adversary" is!
>
> US - GOV
>
> So perhaps we should not expect Tor to protect us from the hand that
> feeds it (and anyone else who has access to their data)
>
>> Secondly, can the Tor project release these returns on the site for the
>> above purpose? I don't think there needs to be some onerous accounting
>> process for reporting to the public (ya'll have better things to do
>> anyways), but these returns would be nice to have in the interest of
>> transparency.
>>
>> Thanks,
>> Jimmy Dioxin
Re: DuckDuckGo now operates a Tor exit enclave
On Sat, Aug 14, 2010 at 12:19 PM, morphium wrote:
>> An "exit enclave" is when a service operates a Tor exit node with an
>> exit policy permitting exiting to that service. Tor will automagically
>> extend circuits built to that host from three hops to four, such that
>> your traffic will exit on localhost of the service you are intending to
>> use. This means that users will use DDG's node when building circuits
>> that terminate at duckduckgo.com or whatever.
>
> Oh cool, so I declare my Tor exit node as an enclave for
> emailProviderNotUsingHTTPS.com and can get a lot of passwords?
>
> That's easy!
>
> I hope enclaves in that sense don't exist! I hope that's a
> misunderstanding! Such a thing would be pretty bad!

Why don't you search the archives? The exit enclave functionality has been discussed many times.

It only happens when the service the user is connecting to and the exit have the same IP.

Moreover, the attack you're describing already exists— though I don't know if I should encourage people to shove beans up their noses by going into the details here.
Re: DuckDuckGo now operates a Tor exit enclave
On Sat, 14 Aug 2010 18:19 +0200, "morphium" wrote:
> > An "exit enclave" is when a service operates a Tor exit node with an
> > exit policy permitting exiting to that service. Tor will automagically
> > extend circuits built to that host from three hops to four, such that
> > your traffic will exit on localhost of the service you are intending to
> > use. This means that users will use DDG's node when building circuits
> > that terminate at duckduckgo.com or whatever.
>
> Oh cool, so I declare my Tor exit node as an enclave for
> emailProviderNotUsingHTTPS.com and can get a lot of passwords?
>
> That's easy!
>
> I hope enclaves in that sense don't exist! I hope that's a
> misunderstanding! Such a thing would be pretty bad!

Well, if the circuit can only be extended to localhost, your exit wouldn't be able to connect to emailProviderNotUsingHTTPS.com's server unless you owned emailProviderNotUsingHTTPS.com and it was on the same machine, by the sound of it. I'm not sure how you protect from modified versions of Tor though.

GD
Re: DuckDuckGo now operates a Tor exit enclave
> An "exit enclave" is when a service operates a Tor exit node with an
> exit policy permitting exiting to that service. Tor will automagically
> extend circuits built to that host from three hops to four, such that
> your traffic will exit on localhost of the service you are intending to
> use. This means that users will use DDG's node when building circuits
> that terminate at duckduckgo.com or whatever.

Oh cool, so I declare my Tor exit node as an enclave for emailProviderNotUsingHTTPS.com and can get a lot of passwords?

That's easy!

I hope enclaves in that sense don't exist! I hope that's a misunderstanding! Such a thing would be pretty bad!

morphium
Re: DuckDuckGo now operates a Tor exit enclave
On Sat, 14 Aug 2010 16:09:18 +0100 "Geoff Down" wrote:
> On Sat, 14 Aug 2010 09:20 -0400, "Ted Smith" wrote:
> > An "exit enclave" is when a service operates a Tor exit node with an
> > exit policy permitting exiting to that service. Tor will automagically
> > extend circuits built to that host from three hops to four, such that
> > your traffic will exit on localhost of the service you are intending to
> > use. This means that users will use DDG's node when building circuits
> > that terminate at duckduckgo.com or whatever.
> >
> Really? Duckduckgo.com is on AS19262 Verizon, but when I accessed it, it
> was via an exit node on AS30058 ACTIVO-SYSTEMS.

I don't remember where I read this, but at the moment, exit enclaving only works if your Tor client has already downloaded and cached the relay descriptor for the destination host.

Robert Ransom
Re: DuckDuckGo now operates a Tor exit enclave
On Sat, Aug 14, 2010 at 11:09 AM, Geoff Down wrote:
> On Sat, 14 Aug 2010 09:20 -0400, "Ted Smith" wrote:
>> An "exit enclave" is when a service operates a Tor exit node with an
>> exit policy permitting exiting to that service. Tor will automagically
>> extend circuits built to that host from three hops to four, such that
>> your traffic will exit on localhost of the service you are intending to
>> use. This means that users will use DDG's node when building circuits
>> that terminate at duckduckgo.com or whatever.
>>
> Really? Duckduckgo.com is on AS19262 Verizon, but when I accessed it, it
> was via an exit node on AS30058 ACTIVO-SYSTEMS.

Exit enclaves need a lot of work. E.g. your node can't tell if an exit enclave exists for your destination until after it's done the DNS resolution.

They also add an extra in-network hop.
Re: DuckDuckGo now operates a Tor exit enclave
On Sat, 14 Aug 2010 09:20 -0400, "Ted Smith" wrote:
> An "exit enclave" is when a service operates a Tor exit node with an
> exit policy permitting exiting to that service. Tor will automagically
> extend circuits built to that host from three hops to four, such that
> your traffic will exit on localhost of the service you are intending to
> use. This means that users will use DDG's node when building circuits
> that terminate at duckduckgo.com or whatever.
>
Really? Duckduckgo.com is on AS19262 Verizon, but when I accessed it, it was via an exit node on AS30058 ACTIVO-SYSTEMS.

GD
Re: DuckDuckGo now operates a Tor exit enclave
On Sat, 2010-08-14 at 13:01 +0200, Michael Scheinost wrote:
> Hi Eugen,
>
> I'm wondering why you posted this without any comment.
>
> On 08/13/2010 06:32 PM, Eugen Leitl wrote:
> > DuckDuckGo now operates one of these relays, and more importantly an exit
> > enclave for DDG search engine traffic.
>
> As far as I could see, DDG is a search engine frontend.
> So what does this statement exactly mean? Do you use their exit nodes
> when doing a browser request to their search engine or is it when using
> links on DDG search results?
> How can such a behaviour be technically achieved?
>
An "exit enclave" is when a service operates a Tor exit node with an exit policy permitting exiting to that service. Tor will automagically extend circuits built to that host from three hops to four, such that your traffic will exit on localhost of the service you are intending to use. This means that users will use DDG's node when building circuits that terminate at duckduckgo.com or whatever.
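The enclave conditions raised across this thread (the relay must be on the destination's own IP, its exit policy must permit the port, and the client must already have the relay's descriptor cached), sketched as an added example that is not part of any post and is not Tor's code. The descriptor dictionaries, nicknames and documentation-range addresses are constructed, and the parser handles only the simple `accept|reject ADDR:PORT` form.

```python
import ipaddress

def parse_policy(lines):
    """Parse 'accept|reject ADDR[/BITS]:PORT[-PORT]' lines into ordered rules."""
    rules = []
    for line in lines:
        action, target = line.split()
        addr, _, ports = target.rpartition(":")
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        else:
            first, _, last = ports.partition("-")
            lo, hi = int(first), int(last or first)
        rules.append((action == "accept", net, lo, hi))
    return rules

def policy_allows(rules, ip, port):
    """First matching rule wins. An unmatched address is refused here; that
    default is a choice of this sketch (the sample policies end in a catch-all)."""
    for accept, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= port <= hi:
            return accept
    return False

def find_enclave(cached_descriptors, dest_ip, dest_port):
    """Return the nickname of a cached relay usable as an exit enclave for
    dest_ip:dest_port, or None (the client then picks an ordinary exit)."""
    dest = ipaddress.ip_address(dest_ip)
    for desc in cached_descriptors:
        # The relay must sit on the destination's own address: a policy line
        # that merely names some other host's IP does not make an enclave.
        if ipaddress.ip_address(desc["address"]) != dest:
            continue
        if policy_allows(parse_policy(desc["policy"]), dest, dest_port):
            return desc["nickname"]
    return None

# Constructed sample data (documentation address ranges, hypothetical names).
CACHED = [
    {"nickname": "searchsite", "address": "192.0.2.10",
     "policy": ["accept 192.0.2.10:80", "accept 192.0.2.10:443", "reject *:*"]},
    {"nickname": "unrelated", "address": "198.51.100.7",
     "policy": ["accept 203.0.113.25:80", "reject *:*"]},
]

if __name__ == "__main__":
    print(find_enclave(CACHED, "192.0.2.10", 443))   # relay on the service's IP
    print(find_enclave(CACHED, "203.0.113.25", 80))  # policy names it, IP differs
    print(find_enclave([], "192.0.2.10", 443))       # descriptor not cached
```
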
Re: Tor Project 2008 Tax Return Now Online
Jimmy Dioxin wrote:
> Hey Folks,
>
> Cryptome has posted the Tor Project 2008 Tax Return available at:
> http://cryptome.org/0002/tor-2008.zip
>
> As many know, all US non-profit corporation returns are available upon
> request by the public.
>
> Firstly, people need to look through these returns in the same way we
> audit code. Looking at funding sources and expenditures is important to
> insuring Tor is a useful anonymity tool for years to come.

Thanks for this.

It looks like 90% of the funding is from the US, nearly all US government.

Internews Europe - France $183,180 (35.6%)
(http://www.sourcewatch.org/index.php?title=Internews)
Stichting Nlnet - Netherlands $42,931
International Broadcasting $260,000 (50.5%)
(http://en.wikipedia.org/wiki/International_Broadcasting_Bureau)
Google US $28,500 (5.5%)

Total $514,611

Add to this the number of Tor nodes run from US institutions (many at US gov funded edu's) and you should be able to see who that "Global Adversary" is!

US - GOV

So perhaps we should not expect Tor to protect us from the hand that feeds it (and anyone else who has access to their data)

> Secondly, can the Tor project release these returns on the site for the
> above purpose? I don't think there needs to be some onerous accounting
> process for reporting to the public (ya'll have better things to do
> anyways), but these returns would be nice to have in the interest of
> transparency.
>
> Thanks,
> Jimmy Dioxin
Re: DuckDuckGo now operates a Tor exit enclave
Hi Eugen,

I'm wondering why you posted this without any comment.

On 08/13/2010 06:32 PM, Eugen Leitl wrote:
> DuckDuckGo now operates one of these relays, and more importantly an exit
> enclave for DDG search engine traffic.

As far as I could see, DDG is a search engine frontend.
So what does this statement exactly mean? Do you use their exit nodes when doing a browser request to their search engine or is it when using links on DDG search results?
How can such a behaviour be technically achieved?

> That means if you're on Tor, and you access DDG, you'll likely exit through
> our relay and get service much faster. Tor can be slow, but this should speed
> it up a bit (when using DuckDuckGo).

I don't see any chance for doing such a thing.
Even if so, what's its purpose?

I am really confused by this. Seems like I overlook something important.
Perhaps someone can help me out of this.

Regards,

Michael

--
Michael Scheinost
mich...@scheinost.org
Jabber: m.schein...@jabber.ccc.de
GPG Key ID 0x4FF8E93B
Selecting an Exit Server By State?
Is there a way to select an exit server by state? For example, choosing a working exit server in California? Thanks.