Re: Scroogle and Tor
scroo...@lavabit.com wrote:
> I've been fighting two different Tor users for a week. Each is apparently having a good time trying to see how quickly they can get results from Scroogle searches via Tor exit nodes.
> [snip]

As the person who (recently) raised the question about the availability of Scroogle via Tor, I want to thank you both for running Scroogle and for coming on this list to explain what happened. I also apologize to the list for not mentioning that Scroogle is once again available via Tor. (I discovered that and meant to publish that fact approx. 24 hours ago.)

You are obviously much more knowledgeable about network issues than I am so I will leave it to others to advise you about possible mitigations for your problems. It is a real shame about the script kiddies, but such is the world we live in.

Jim

*** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
Can't Contact Scroogle
I currently cannot reach https://ssl.scroogle.org:443/ via Tor. I can reach it going directly to the Internet. In the past Scroogle has seemed tor-friendly. Is anybody else having this problem?

Jim
Re: Design Change Causing More Traffic?
and...@torproject.org wrote:
> On Mon, Feb 07, 2011 at 09:51:57PM -0700, jimmy...@copper.net wrote 0.6K bytes in 11 lines about:
> : I am on dialup and so I am very sensitive to the amount of traffic
> : overhead in the operation of Tor. Lately that seems to have increased
> : significantly. Assuming I am not just imagining it (I have no objective
> : measurements to back this up) is this just because of the build-out of
> : the network or has there been a design change that would cause this?
>
> Which version of tor?

Apologies for not including that. I am running Tor 0.2.1.29 compiled from source.

Jim
Design Change Causing More Traffic?
I am on dialup and so I am very sensitive to the amount of traffic overhead in the operation of Tor. Lately that seems to have increased significantly. Assuming I am not just imagining it (I have no objective measurements to back this up) is this just because of the build-out of the network or has there been a design change that would cause this?

Jim
Re: Tor exits in .edu space
Andrew Lewman wrote:
> We're trying to figure this out ourselves. I've personally been the
> introduction point between exit relay operators and a lawyer in their
> country to help them when something goes wrong.
...
> [snip]
> I am always impressed that 95% of those accused of something due to
> their exit node fight harder to keep running a Tor exit node. It's
> people like this that help keep your liberties around the world. Once
> again, thank you.

And thank you, Andrew, for all the ways you support these people.

Jim
Re: System time in anonymity oriented LiveCDs
Jim wrote:
> thomas.hluch...@netcologne.de wrote:
>> Without understanding details of the tor design, did you mention that tor knows the "real" time? So why don't you let tor set the right time. There could be a torrc setting like "when connecting to tor set system time according what tor says". This would enforce to run tor as root, not as unprivileged user, but this is a Live system, so this might be no problem(?).
>>
>> Would this be a nice tor extension to help the LiveCD users?
>
> Presumably some people will be running live CDs (or USBs) on systems where they don't have the necessary privilege to set the system time. To address these situations, what might be more useful is to be able to tell Tor to offset the system clock by a given amount to get the "real time". Possibly in connection with this there could be a setting which would cause Tor to automatically determine this offset at initialization.

Oops. Sorry about responding to my own post, but I just realized that the lack of permission problem I mentioned would pertain to running something like a Tor bundle from a USB stick on a public computer rather than running a Live CD/USB. But I still think my proposal might be useful for that situation.

Jim
Re: Tor and google groups
forc...@safe-mail.net wrote:
> Hello!
>
> Though I could open an account at gmail, it is impossible to login to
> post in google groups. I am told, whatever the exit node is, "Your
> browser's cookie functionality is turned off. Please turn it on."
>
> I am using Tor, Privoxy, Firefox and Torbutton, both in their last
> updated releases for Win7.

Do you perhaps have Privoxy configured to reject cookies?

Jim
Re: System time in anonymity oriented LiveCDs
thomas.hluch...@netcologne.de wrote:
> Without understanding details of the tor design, did you mention that
> tor knows the "real" time? So why don't you let tor set the right
> time. There could be a torrc setting like "when connecting to tor
> set system time according what tor says". This would enforce to
> run tor as root, not as unprivileged user, but this is a Live
> system, so this might be no problem(?).
>
> Would this be a nice tor extension to help the LiveCD users?

Presumably some people will be running live CDs (or USBs) on systems where they don't have the necessary privilege to set the system time. To address these situations, what might be more useful is to be able to tell Tor to offset the system clock by a given amount to get the "real time". Possibly in connection with this there could be a setting which would cause Tor to automatically determine this offset at initialization.

Cheers,
Jim
Re: Very low performance in CriptolabTORRelays*
Daniel Franganillo wrote:
> Hi, still no luck with our bandwidth problems. I even tried to set up a tor relay under windows (to discard a linux problem) and it does not work. Also, if I setup an https server at 9001 or 9030 and download a file from there it works fine. Can you help me to gather some clues on how our School is filtering Tor? I need that information so I can fill a request to stop Tor filtering. Thanks.
>
> PD: Will it help if I pastebin a debug log?

Hi Daniel,

I am surprised that nobody on this list that is more knowledgeable than I has responded to your request. I am certainly no expert here, but based both on what has been posted on this list previously and the TLS entries that ended up in your debug log, I would have to wonder if your problem doesn't have to do with an incompatibility between the version of Tor you are using and the version of SSL you are using rather than being a problem with your school's filtering Tor.

I did not respond sooner in part because, based on my (admittedly limited) understanding of these issues, I did not see a conflict between what you posted you were using, based on recent other posts about this. Still there have been recent (say the last 6 months or so) issues between Tor and SSL. I can only hope that either you can research this some yourself or somebody else with more knowledge about this will post.

Good luck!

Jim
Re: Debian/Ubuntu tor users, please check for core files
Jan Weiher wrote:
> Hi,
> no core files on my Ubuntu 8.04 relay.
> regards,
> Jan

Has anybody checked to see whether the Tor instances running on Ubuntu have the ability to leave core files? I've never delved into the details, but I know on older versions of Ubuntu, running ulimit in a shell showed the maximum core file size set to 0.

Jim
Congrats on Torservers Bandwidth
It's been a while since I looked at http://us1.torservers.net/

Congratulations to Moritz for getting the throughput back above 30MB/s! Nice!

Cheers,
Jim
Re: AdvTor
Anon Mus wrote:
> These were added because, as I already said, they were repeatedly (5+ times on 5 different circuits) "unable to resolve DNS and so failed page access". This is a standard privoxy message.

FYI, when you get that Privoxy message while using Tor (or any other downstream proxy) it just means that Tor was unable to retrieve the page. Privoxy has no way of knowing whether this was because of a DNS failure or some other reason. (If Privoxy is the final proxy then it knows whether the problem is DNS or not. They should probably use a different failure message when Privoxy passes the request onto another proxy.)

Jim
Re: BetterPrivacy - necessary?
grarpamp wrote:
> As usual, it would be awesome to have a tool that could de and re encapsulate https so that proxies and caches could do their thing with it.

I am very far from an expert in these matters, but it would seem to me that the ability to do so without the explicit cooperation of the browser (or other client) would indicate that your attempt at end-to-end encryption was hopelessly broken. If you could de/re-encapsulate then so could any other man-in-the-middle, and you would never be the wiser.

But I do understand the usefulness of what you suggest. The only way I can see of doing it that had any possibility of being secure would be if A) your proxy/cache handled the real end-to-end encryption/authentication with the website, and B) there was a plugin (or built-in functionality) on the browser that maintained a secure AND AUTHENTICATED connection with the proxy/cache. I.e. the browser would have to be aware of what was going on and would suspend its verification of the website's certificate while insisting that it authenticate that it was talking to the approved proxy/cache which is tasked with the secure communication to the website. If the proxy/cache detected a problem with the website's certificate, then it would have to have a way of signalling this, perhaps just by serving up its own page with the relevant information.

That's the best I can come up with. Comments?

Jim
Re: Privoxy doesn't start on booting
James Brown wrote:
> OS - Ubuntu 9.10 on a laptop
> Privoxy version 3.0.13
> Tor version 0.2.1.26
>
> I have installed tor and privoxy and now I have the next problem. When I boot my system privoxy does not start as daemon and I need to start it manually (/etc/init.d/privoxy start). I have files with privoxy scripts in my /etc/rc1.d - /etc/rc5.d (named K20privoxy), I can see through sysv-rc-conf that it must start on 1 level but it doesn't.

I am not sure how startd (what Ubuntu uses for process 1) might interact with this, but on traditional SysV systems, the services you want to run in a particular runlevel should start with "S" (for start) rather than "K" (for kill = stop).

Jim
Re: Google and Tor.
Gregory Maxwell wrote:
> On Wed, Aug 25, 2010 at 11:31 AM, Matthew wrote:
>>> People are running automated datamining queries _via tor_ in order to
>>> gain control of more IPs and avoid being blocked.
>
> I think it would be nice if captchas and blocking weren't the only
> anti-DOS/anti-abuse mechanisms used on the web today, but this is the
> world we live in.

While I usually use scroogle or ixquick, on occasion I do a google query. Sometimes it works, frequently it is blocked. When they give me a captcha, I've learned to just give up right then (or maybe try with a new exit node). I have never had a successful result with a Google captcha ... it just keeps giving me new ones. So while your explanation for blocking makes sense, it doesn't explain why they don't fix their captcha. (Maybe it's tied to cookies, but I'm not going to allow google cookies for that one instance only to disable them again.)

I realize there is nothing anybody on this list can do (unless a Google employee subscribes to the list). I'm just venting ...

Cheers,
Jim
Re: Bigger Thinking [was: Tor Project 2008 Tax Return]
Roger Dingledine wrote:
> On Sat, Aug 21, 2010 at 10:53:48PM -0600, Jim wrote:
>> I connect to the Internet with dialup. I have been successfully using Tor clients for 4+ years. One of the issues with using Tor over a slow connection is the amount of time it takes to update the information about the network when Tor is first started after having been off-line for a while. Depending on connection speed and how long the client has been off-line, this typically takes about 3 to 10 minutes. Perhaps a bit longer. My experience is that during this time the connection is pretty much useless for any other purpose.
>
> Yep.
>
>> While inconvenient, this situation is certainly manageable. My concern has been what happens as the Tor network grows. At some point the delay would start being a serious problem.
>
> Here's some reading:
> https://blog.torproject.org/blog/overhead-directory-info%3A-past%2C-present%2C-future
>
> We haven't gotten the "microdescriptor" out in practice yet, but it's on its way:
> https://trac.torproject.org/projects/tor/ticket/1748

That's good to know. Thanks for the links.

Jim
Re: Bigger Thinking [was: Tor Project 2008 Tax Return]
Mike Perry wrote:
> Actually there are several large-userbase companies that want to include Tor by default in their product, either as a client, a relay, or a bridge. Unfortunately, the only answer we have for them in the immediate term is "For the love of goddess don't do that, you'll destroy Tor".
>
> Our immediate concern is making it possible to support at least a fraction of one of these userbases in either the relay or the bridge role. The relay role will require a significant update to Tor's directory mechanisms, and we are trying to drive academic research forward in these areas.
> ...

This might be a good time to bring up a concern that has been on my mind for a while. I don't know if this is one of the concerns that has already been identified when thinking about a much larger relay pool.

I connect to the Internet with dialup. I have been successfully using Tor clients for 4+ years. One of the issues with using Tor over a slow connection is the amount of time it takes to update the information about the network when Tor is first started after having been off-line for a while. Depending on connection speed and how long the client has been off-line, this typically takes about 3 to 10 minutes. Perhaps a bit longer. My experience is that during this time the connection is pretty much useless for any other purpose.

While inconvenient, this situation is certainly manageable. My concern has been what happens as the Tor network grows. At some point the delay would start being a serious problem.

So as you think about how to change the directory mechanisms to handle a significantly larger number of relays I request that you also think about changing how this information is distributed to clients. Perhaps with a much larger Tor network, each client doesn't actually have to know about all of the nodes but can make do with a reasonably sized "sampling." Or maybe there is a way to spread out over time the increased amount of information available.

I can imagine that a solution to the problems a slow connection has might not be acceptable for relays. As such, maybe there could be a "slow connection" option in torrc that would not be used by relays.

Thanks for giving consideration to this issue.

Jim
Re: Bigger Thinking [was: Tor Project 2008 Tax Return]
Curious Kid wrote:
>> And what about Microsoft?
>> at least $20M a year. Why would they even consider doing this? To be a good
>> corporate citizen, to better protect the anonymity of their users, to do
>> their
>> part to fight the good fight for freedom of speech, and to possibly give
>> them a
>> chance to one-up Google for once.
>
> Possibly the fact that they are our enemies and want to end online anonymity.
>
>
> Microsoft Exec Calls For 'Driver's License For The Internet'
>
> http://techdirt.com/articles/20100204/1925188060.shtml

Plus, would you trust Microsoft's (binary only, no doubt) implementation of Tor? I wouldn't. (Yes, I realize that even running a known, good instance of Tor on a proprietary system can result in that instance of Tor being subverted.)

Cheers,
Jim
Re: Tor notice
and...@torproject.org wrote:
> On Mon, Aug 09, 2010 at 09:48:24PM +0200, spacem...@gmail.com wrote 0.4K bytes in 9 lines about:
> : why in every Tor version (a/b/stable) there is "Do not rely on it for
> : strong anonymity"? If not Tor, what should we use for strong
> : anonymity? excluding Freenet and cryptography apps.
>
> Many other tools simply state they are anonymous, without mentioning any of the R&D on current anonymity attacks, their success probabilities, and design flaws. If you're interested in learning more about the current state of the field of anonymity in research, start here:
> http://freehaven.net/anonbib/full/topic.html

Would it make sense to add that link, or some other link, to the message Tor prints out so the casual user can get some idea of what the message means?

Jim
Re: A suggestion to TOR [a proxy server]
emigrant wrote:
> and I think, this can be a step towards the increasing trend of cloud computing, if I have correctly understood what is cloud computing. :D

I guess this is off-topic, but some of us don't think moving toward "cloud computing" is necessarily a good thing. Since this is OT, I'll leave it at that.

Cheers,
Jim
Re: gwget and tor?
Scott Bennett wrote:
> On Wed, 26 May 2010 09:40:29 -0400 "Aplin, Justin M" wrote:
>> I don't know about gwget, but plain wget supports http proxies, which you can point at Polipo. If you're only going to need to do this every once in a while, I'd pop open a terminal and do the following:
>>
>> HTTP_PROXY=127.0.0.1:8118 && HTTPS_PROXY=127.0.0.1:8118 && FTP_PROXY=127.0.0.1:8118
>> export HTTP_PROXY && export HTTPS_PROXY && export FTP_PROXY
>> wget your://url.to/download.here
>
> Once again, I strongly recommend that you set the *_proxy environment variables to full URLs rather than to the abbreviated forms you've shown above. See fetch(3) in the man pages for details.

Hi Scott,

This is the second time I've seen you reference the fetch(3) man page, so I thought maybe I should post. I believe you run one of the BSDs. Just FYI, I cannot find a fetch man page on my Linux systems. I know that several years ago when I was proxying Lynx I looked up this information /somewhere/. I thought it was in some man page but I cannot find it now. Maybe I pulled the info off the web?

Cheers,
Jim
Re: Answer by perfect-privacy.com Re: perfect-privacy.com, Family specifications, etc.
Roger Dingledine wrote:
> On Mon, May 17, 2010 at 09:44:21PM +0200, Moritz Bartl wrote:
>> Original Message
>> Subject: Re: - Medium - Tor servers, Tor community wants to disable your nodes - General
>> Date: Mon, 17 May 2010 13:46:04 +0200
>> From: Perfect Privacy Administration
>> Organization: PP Internet Services
>> [snip]
>> A proposal to the TOR developers: I don't know if it's technically possible, but maybe one could introduce a "BelongingToFamily" entry or a similarly named command in future versions of TOR which could work as such, as that every server which contains the same "BelongingToFamily" entry (e.g. "BelongingToFamily xyz") belongs to the family "xyz". That way one wouldn't have to enumerate all server names in the "MyFamily" section of each and every individual torrc file what causes an enormous effort if one adds a lot of servers (and donates a lot of traffic) to the Tor network. As mentioned, we currently would have to edit 45+ torrc files on 45+ TOR servers whenever a server is added or removed, and the number of our servers is constantly increasing.
>
> The trouble here is that if we make family declarations one-sided, then I can tell everybody that I'm in blutmagie's family (and X's family and Y's family and Z's family and ...), and suddenly I'm influencing the path selection of other clients in a way I shouldn't be able to. We need to have each set of relays in a family declare the others, or it's open to attacks like this.

In situations like Perfect Privacy's where there are a significant number of nodes that are dynamically changing, which all need to be in one family, the basic proposal seems useful enough that I wonder if it can be rehabilitated to take care of the concerns Roger just expressed. So let me just float an idea here that maybe others can flesh-out/simplify/correct ...

What if families could be "declared" by giving them a name (say XYZ123) and publishing a public key for them. Then to add a node to the family, the server operator would issue a BelongToFamily XYZ123 declaration that is somehow signed by the corresponding private key. If the details can be worked out correctly, then only the person/organization with access to the private key can add servers to that family. I think that would take care of Roger's concern about relay operators adding their server to others' families.

If this is too much information to reasonably contain in a torrc file, then perhaps it could be included in a separate file. Either one the Tor client automatically looks for or one referenced in torrc.

Does anything like that seem viable? Maybe the developers can comment about the doability and whether it addresses all of the security concerns? And maybe Perfect Privacy can somehow be pulled into the conversation to see if such a thing would be useful for people in their situation.

Jim

P.S. The above was written while off-line. After seeing the newer posts, I realize my proposal might essentially be the same as The23rdRaccoon's. I am not sure. But I don't remember seeing anything about using a signature to limit who could add themselves to a family in Bruce's original proposal.
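The signed-family idea floated in the post above, worked through as an added example (this is not Tor's code, and Tor's real MyFamily mechanism works differently): a family is a name plus an Ed25519 key pair, the family operator signs one declaration per relay, and a client checks the signature against the family's published key. The BelongToFamily XYZ123 name comes from the post; the exact message layout, the relay fingerprints, and the decision to bind each signature to the relay's own fingerprint (so a valid declaration cannot be copied into a different relay's descriptor) are assumptions made for this illustration. It shows why the one-sided claim Roger objected to is rejected: without the family's private key, no signature verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Family is the hypothetical key-backed family identity from the thread:
// a name plus an Ed25519 key pair held only by the family operator.
type Family struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewFamily generates a fresh family key pair (constructed for this example).
func NewFamily(name string) (*Family, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Family{Name: name, Pub: pub, priv: priv}, nil
}

// Declaration is the assumed shape of a "BelongToFamily XYZ123" line: the
// family name, the fingerprint of the relay it was issued for, and the
// family operator's signature over both.
type Declaration struct {
	Family      string
	Fingerprint string
	Sig         []byte
}

// message is the byte string that gets signed. The fixed prefix and NUL
// separators stop the signature being reused for any other purpose or for
// a differently split name/fingerprint pair (assumed format).
func message(family, fingerprint string) []byte {
	return []byte("BelongToFamily\x00" + family + "\x00" + fingerprint)
}

// Declare issues a signed declaration for one relay. Only whoever holds
// the family's private key can produce one that verifies.
func (f *Family) Declare(fingerprint string) Declaration {
	return Declaration{
		Family:      f.Name,
		Fingerprint: fingerprint,
		Sig:         ed25519.Sign(f.priv, message(f.Name, fingerprint)),
	}
}

// Verify is what a client (or directory authority) would run on a
// declaration found in the descriptor of the relay with relayFingerprint.
// known maps family names to their published public keys.
func Verify(known map[string]ed25519.PublicKey, d Declaration, relayFingerprint string) error {
	pub, ok := known[d.Family]
	if !ok {
		return errors.New("unknown family " + d.Family)
	}
	// Bind the declaration to the relay that published it, so a valid
	// declaration cannot simply be copied into some other relay's descriptor.
	if d.Fingerprint != relayFingerprint {
		return fmt.Errorf("declaration issued for %s but published by %s", d.Fingerprint, relayFingerprint)
	}
	if !ed25519.Verify(pub, message(d.Family, d.Fingerprint), d.Sig) {
		return errors.New("family signature does not verify for " + relayFingerprint)
	}
	return nil
}

func main() {
	// Fingerprints below are constructed placeholders, not real relays.
	fam, err := NewFamily("XYZ123")
	if err != nil {
		panic(err)
	}
	known := map[string]ed25519.PublicKey{fam.Name: fam.Pub}

	good := fam.Declare("AAAA1111")
	fmt.Println("operator's own relay:", Verify(known, good, "AAAA1111"))

	// A relay that merely asserts membership (Roger's concern) carries no
	// usable signature and is rejected.
	unsigned := Declaration{Family: "XYZ123", Fingerprint: "BBBB2222"}
	fmt.Println("unsigned claim:", Verify(known, unsigned, "BBBB2222"))

	// Copying the operator's signed line into another descriptor fails too.
	fmt.Println("copied declaration:", Verify(known, good, "BBBB2222"))
}
```

In this sketch the family's public key would have to reach clients through a trusted channel (for instance the directory consensus), and the example does not cover key rotation or revocation, which a real design would need.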
Re: Reducing relays = reducing anonymity ? Tortunnel.
Sebastian Hahn wrote:
> Hi Niklas,
>
> On May 19, 2010, at 6:06 PM, Attac Heidenheim wrote:
>> Is tortunnel evil since it maybe hacks Tor-circuits to reduce the number of relays ?
>
> Yes, unfortunately quite a few people use it. It hurts the network by endangering exit node operators, and by completely ignoring any of the load balancing that happens in normal Tor.

Just wondering if anybody from the Tor Project has contacted the author to express the concerns with tortunnel. Particularly about it being detrimental to the Tor network.

Jim
Re: [GSoC] Improving Snakes on a Tor
Anders Andersson wrote:
>>> The way to do better at that one is to teach users and service providers about end-to-end authentication and encryption.
>>
>> From what I've seen I don't think there is any realistic hope for any significant number of web pages to be served with end-to-end encryption (not sure what your reference is to end-to-end authentication) in the foreseeable future.
>>
>> Jim
>
> I take it that you don't consider HTTPS to be end-to-end encryption then? Because I don't see why it would be unlikely for at least sensitive websites to switch to HTTPS.

Of course HTTPS is end-to-end encryption! And, of course, it is already used some. We apparently have different assessments of what the future holds and how quickly. Time will tell ...

Cheers,
Jim
Re: [GSoC] Improving Snakes on a Tor
Roger Dingledine wrote:
> On Sat, May 01, 2010 at 02:55:53PM -0700, Damian Johnson wrote:
>> An easy place to start would be to solicit input on or-talk for a better definition and enumerable attributes we can look for. Some obvious starting ones would be ssl stripping, certificate tampering (checking for differences like the Perspectives addon [2]), and bad DNS responses. I'd imagine Scott Bennett would be glad to jump in with some more ideas. :)
>
> The balance here is between making use of imperfect exit resources that people volunteer, and keeping the content you can reach through Tor "clean". There is a separate arms race of detecting intentionally broken exits. But imo that isn't really an arms race we can win with SoaT.

Thanks for clarifying that. I had (mistakenly) thought the latter was the purpose of the GSoC project.

> The way to do better at that one is to teach users and service providers about end-to-end authentication and encryption.

From what I've seen I don't think there is any realistic hope for any significant number of web pages to be served with end-to-end encryption (not sure what your reference is to end-to-end authentication) in the foreseeable future.

Jim
Re: Using tor as proxy for the command line
Scott Bennett wrote:
> On Thu, 06 May 2010 11:05:17 +0200 Jacob Appelbaum wrote:
>> % cat tor-wget
>> #!/bin/bash -x
>> export http_proxy=127.0.0.1:8118
>> export https_proxy=127.0.0.1:8118
>> wget -U " " $@
>> EOF
>
> I would recommend using the full form in each of those above. There are apparently a few cases where the abbreviated form you show here will not work.

Could you elaborate on what you mean by "full form" and "abbreviated form" please? Thanks.

Jim
Re: Firefox configurations for tor with Mac ppc
zzzjethro...@email2me.net wrote:
> Here are a few configs (firefox-windows vs. mac), that are different and
> I'm wondering if I should change them?
> network.proxy.http 127.0.0.1 my mac is localhost
> network.proxy.socks 127.0.0.1 my mac is local host
> network.proxy 127.0.0.1 my mac is localhost

Hi,

I'll let others respond to other configuration differences, but for what is listed above, you should know that localhost and 127.0.0.1 are two different ways of referring to the same thing. (It is an IP address that allows different programs on your computer to talk to each other using Internet Protocol.) So what you've listed above is not really a difference, so there is no need to change those. (I am assuming you simply made a typo on the second line and on your computer "localhost" actually is one word.)

Also, would you be so kind in future posts to put your responses *below* what you are responding to, like I have done in this email and like most posts you see on this list? It really does make reading the posts *much* easier. (As such, it probably also increases the chance that somebody will reply.) Thanks.

Jim
Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released
Erinn Clark wrote:
> https://blog.torproject.org/blog/tor-browser-bundle-gnulinux
>
> Tor Browser Bundle for GNU/Linux is now available for x86 and x86_64 architectures in 12 languages. The Tor Browser Bundle lets you use Tor without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser and is self-contained. You can download it from the Tor Browser page which also has instructions about how to extract and use it.
>
> http://www.torproject.org/torbrowser/

Hi,

Thanks for doing this. The fingerprints for your signing keys seem to be missing from the "verifying signatures" page: https://www.torproject.org/verifying-signatures

Also, on a minor housekeeping note, the link for "how to verify package signatures" on http://www.torproject.org/torbrowser/ points to an old page with a message that the page has moved.

Thanks again,
Jim
Re: How does TOR deal with mac addresses
Faraaz Damji wrote:
> On 10-03-27 8:03 PM, Simon Ruderich wrote:
>> On Sat, Mar 27, 2010 at 08:00:44PM +0530, emigrant wrote:
>>> On Fri, 2010-03-26 at 19:48 +0100, Marco Predicatori wrote:
>>>> If you use Tor correctly, he can't figure out what site you are connecting to, and that's the whole point.
>>>
>>> thanks for the reply, what do you mean by using Tor correctly?
>>
>> If Tor is not correctly used you can still leak information regarding your identity. See this link on the main Tor page: https://www.torproject.org/download.html.en#Warning
>
> Since "he" in Marco's original post referred to the client's ISP, just to clarify, your ISP can't even see "leaked" data sent through Tor. It would be encrypted before being sent through the Tor network.

I believe what you say is technically true but potentially misleading. The operative phrase in your statement is "'leaked' data sent through Tor". Yet much of the potential for leaked data that is warned about in that link is *not* sent through Tor (as I understand it). This is (part of) the hazard of using things like Flash, Java, PDF plugins, etc. To the extent these extensions bypass Tor, then the ISP *will* be able to see the leaked data.

As always, if I misunderstand, I am willing to learn ...

Jim
Re: Firefox woes with .onion and proxies
Stephen Carpenter wrote:
: Now, I put in my onion address and firefox dutifully adds a "www."
: before it, and immediately times out.

This is a bit of a guess (so make sure you remember how to revert!), but in about:config try setting browser.fixup.alternate.enabled to false. I believe that is how you turn off the browser attempting a prefix of www. and/or a suffix of .com if it doesn't think the URL you entered is correct.

Jim
Re: Tor Project infrastructure updates in response to security breach
Mike Perry wrote:

Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg sign .xpis, but have been sloppy about posting them publicly. For now, I think the right answer is "Fetch it over SSL" or "Check the git/gpg sig".

Could you make a point of publicly posting the .xpi gpg signatures along with the .xpis? I have never liked the method of downloading the extensions via the browser and installing all in one step. I prefer to download the extension, convince myself it is authentic (such as gpg), possibly install it locally in a test account, and finally install it locally in the account(s) where I intend to use it. At present, the missing ingredient in being able to do that is not having a signature to verify against. So I'd much appreciate being able to get the signature w/o having to figure out git. Particularly if that signature has already been created.

Thanks,
Jim
Re: Trend Micro blocking Tor site?
Seth David Schoen wrote:
> Flamsmark writes:
>
>> Can you attach the image, and send it to the list?
>
> I'm not sure that I want to start a precedent of people sending
> graphical attachments to this list.

Thank you. Much appreciated.

> I put a copy of the image at
>
> http://www.loyalty.org/~schoen/capture.gif

Thank you again.
Re: Vidalia Bundle and RSS in Thunderbird 3.0
Programmer In Training wrote:
> I've been testing some time out changes in FF to see if there is any
> difference. So far I haven't seen any but I've yet to fully put it to
> the test (I'm having problems with pages not fully loading, mainly on
> techrepublic.com.com)

I've sometimes wondered if some websites were terminating connections themselves when the connection took too long. Of course, that would be the connection itself rather than setting up a circuit since the website wouldn't know about that.

Jim
Re: Why governments fund TOR?
arshad wrote:
> hi all,
> forgive me for my ignorance.
> may i know why governments fund TOR. i read 49% funds coming from
> government. TOR is usually considered for passing government restriction
> by journalists and activists. so why should governments fund this?

I can't speak for all governments but it might be relevant to point out that onion routing started (as I understand it -- anybody, feel free to correct) as a project of the U.S. Navy and was used by the various branches of the U.S. armed forces to use the Internet anonymously. Trouble was, that although their targets could not tell *exactly* who was visiting their website, they could tell it was U.S. military. So, as I understand it, they released the technology so they could hide among the civilians.

Even within a particular govt you can have conflicting goals. Part may wish to prevent its citizens from being anonymous while another part may find it useful to use civilians for cover.

Just my speculation ...

Jim
Re: TOR and ISP
Scott Bennett wrote:

The key here is that the ISPs not only cannot detect encrypted URLs, they cannot detect what the user is doing, not even whether the user is trying to connect to a port or is simply transmitting packets over an already open connection or is closing a connection. They cannot detect the destination address or port number.

Perhaps you meant when /using Tor/ the ISP cannot detect the destination address or port number? (I read your email several times and did not detect this meaning.) Surely on a generic encrypted connection the ISP can determine the destination of the connection. (For a Tor user, that would be the IP address of the entry guard.)

Cheers,
Jim
Re: Privoxy and Polipo
arshad wrote:

hi all, what is the difference in using privoxy and polipo? I'm in ubuntu and have used both. and privoxy seems unable to render all .gif files. it shows part of the gif or in some cases won't show the animation.

Privoxy has the ability to "deanimate" gifs. Check your Privoxy configuration. The "Look up which actions apply to a URL and why" link in Privoxy's web interface may be useful to you.

Cheers,
Jim
Re: Talking w/local service CEOs [LJ, goog...]
--- jbrownfi...@gmail.com wrote:
> And what can you tell about blocking the Tor-access to the mail
> accounts of the Yahoo?

Yahoo does not block access. However you will frequently get an "error 999". You can get around this by using their CAPTCHA based login. Do realize that while the login is https, the mail viewing/sending is not. So malicious exit nodes will be able to view all of the email you view/send.
Re: Firefox and Tor? Forget about it!!
--- n...@safe-mail.net wrote:
> Please tell me what you think of all of this and whether or not this
> is a proper direction to go on or if Dillo's audience is limited and
> doesn't receive enough testing to warrant switching to Dillo.

The last I knew Dillo did not support Java Script and had no plans to do so. You can argue that that is a good thing, but it will break a number of websites. It is also possible I am completely out of date and they have changed their minds about Java Script.

You should also think about the user agent string. I suspect Dillo's might stand out a bit. Unless it is in more common use than I thought.

Jim
Re: Tor: Scroogle blocked, Google not ? (November 2009)
Gitano wrote:
> Jim wrote:
>
>>> The past few days I've noticed that all http requests to
>>> https://ssl.scroogle.org have invariably failed.
>> About a year ago I stopped being able to access Scroogle via Tor. After
>> half a day or so of such failure I sent the operator an email about it.
>> I never received a reply, but it started working again.
>>
>> I just sent the operator another email some hours ago. I'm hoping for
>> the best ...
>
> Thanks - now 'ssl.scroogle.org' is reachable over Tor again!

It turns out I had nothing to do with it. My email bounced! :-) But I am glad it is working again.

Jim
Re: Tor: Scroogle blocked, Google not ? (November 2009)
dreamcat four wrote:

Hi,

The past few days I've noticed that all http requests to https://ssl.scroogle.org have invariably failed. This appeared as a DNS failure. After switching over to the regular http (non-ssl) version of scroogle, I found that was generally working for another couple of days then that went away too with the same can't resolve host / No such domain. Anyone else also experienced this?

About a year ago I stopped being able to access Scroogle via Tor. After half a day or so of such failure I sent the operator an email about it. I never received a reply, but it started working again.

I just sent the operator another email some hours ago. I'm hoping for the best ...

And google. Nearly as strange has been my experience with google lately. The reason I started using Scroogle a while back was simply because google had been blocking Tor exit nodes from performing searches. But just today my first 2 searches worked. By prior experience this is very uncommon. The first search had accepted cookies, the second search cookies were disabled and it still worked just fine. Maybe simply a coincidence and/or blind luck? Again, can anyone confirm / deny?

Some months back, by accident, I discovered Google working via Tor for me. After subsequent tries I decided it occasionally worked, but not often enough to make trying it worth my while. (BTW, my impression/assumption was that Google was not *explicitly* blocking Tor, but that it depended on what was hitting Google from the particular exit node I happened to be using.)

AFAIK, the only thing cookies would be good for (other than spying) would (possibly) be if you were using their CAPTCHA. And I've never had their CAPTCHA let me through (via Tor), so I stopped trying.

Jim
Re: Reduce hops when privacy level allows to save Tor network bandwidth
Tim Wilde wrote:

On 11/18/2009 4:17 AM, Jim wrote:
Google was actually the motivating factor in causing me to get serious about overcoming whatever problem I had when I first tried to use Tor. Although my concern at the time was more the ubiquity of google-analytics. But still concerned about using their search engine. My problem was that (for quite a while now), when I try to do a search on Google via Tor, more often than not Google calls me a virus and tells me to go away ("unusual network activity" or some such). My solution has been to connect to Scroogle via Tor. I am not nearly as anti-Google as the guy (people?) who run Scroogle and I don't mind the unobtrusive right column ads on Google search results. It's just my (usual) inability to use Google directly w/o dropping anonymity.

There's another relatively easy solution to the Analytics part - surf with a plugin like Firefox's NoScript installed, and forbid google-analytics.com from ever running scripts. Boom, no more analytics, I believe NoScript won't even allow Firefox to fetch the code from the URL, so they don't even get the hit (note: I haven't actually confirmed that part explicitly). Plus you get a ton of other safety benefits from browsing the web with scripting off by default, and the various other nasty things like clickjacking and XSS that NoScript attempts to block.

Yes. I've long recognized that one of the possible ironies in my story is that google-analytics motivated me to get off my duff and get Tor working. However, in the process of setting up Tor I found out that Privoxy could very nicely take care of google-analytics on its own. But as I've alluded to, while google-analytics was the top motivator for me, there is other motivation from Google (as search engine) and others wishing to track me.

Others more knowledgeable than I may wish to comment on this, but I believe I have read that it is not a good idea to combine NoScript with Tor. I can't give you the gory details.

While I don't know the details of how NoScript handles google-analytics, I do know (on the last version I checked) that by default Privoxy won't allow anything from google-analytics to load, including their script(s).

Cheers,
Jim
Re: Reduce hops when privacy level allows to save Tor network bandwidth
Gregory Maxwell wrote:

There are a great many people who have merely encountered one too many examples of the ubiquitous tracking on the Internet. For example, Google's abuse of JS fake out the link target display and intercept outbound links on search has been driving me nuts lately as it makes it impossible to copy and paste links from the search results. This makes me aware of and irritated by Google's surveillance.

You might want to look into using something like Scroogle ( http://www.scroogle.org ). I think Scroogle scrubs those redirects.

Google was actually the motivating factor in causing me to get serious about overcoming whatever problem I had when I first tried to use Tor. Although my concern at the time was more the ubiquity of google-analytics. But still concerned about using their search engine. My problem was that (for quite a while now), when I try to do a search on Google via Tor, more often than not Google calls me a virus and tells me to go away ("unusual network activity" or some such). My solution has been to connect to Scroogle via Tor. I am not nearly as anti-Google as the guy (people?) who run Scroogle and I don't mind the unobtrusive right column ads on Google search results. It's just my (usual) inability to use Google directly w/o dropping anonymity.
Re: minimal traffic footprint Tor on the road
grarpamp wrote:
>
> > Besides plugging DNS leaks, the two programs serve somewhat different
> > purposes.
>
> Indeed, however neither program's purpose is to 'plug dns leaks'.
> They simply feed what connection [dns] requests they receive on towards Tor.

I thought the reason you could not send Firefox's SOCKS5 straight to Tor was because of a bug in Firefox that would cause a DNS leak. Perhaps I misunderstood or my information is outdated?
Re: minimal traffic footprint Tor on the road
Jan Reister wrote:
>
> On 28/09/2009 15:25, Eugen Leitl wrote:
> > Why the switch to Polipo from Privoxy? Is Privoxy officially
> > deprecated now?
>
> I just found out today and am wondering myself. From hearsay, Polipo
> should perform faster and better.

There was a somewhat extended discussion about Privoxy vs Polipo on this list not too long ago (a month or two?). You may wish to review that. My recollection of that discussion is that Polipo being better was called into question. Certainly Privoxy is alive and well.

Besides plugging DNS leaks, the two programs serve somewhat different purposes.
Re: [OT]RE: Unsubscribe
downie - wrote:
>
> You have to send to a different address. Instructions [to unsubscribe]
> are in the headers.

Having seen this situation on this list multiple times, it occurs to me that beyond "To", "From", and "Date", many people have probably never seen the headers. Most non-techies probably don't even know they exist. I believe most GUI mail clients, by default, only show the abbreviated version I just mentioned. I know mine does. I don't know what the solution is, but I thought I would throw this out there for people's consideration.

Jim
Re: Thanks for the inclusion...
Michael Cozzi wrote: > > Hello Tor Team. > > I'm not sure who to thank, but I noticed my suggested text regarding > what "IT Professionals use Tor for" was included whole cloth on the web > page. > > Thank you, that gave me geek-warm-fuzzies. > > Michael Very nicely done. It has been quite a while since I have looked at that page. The whole page is quite nice. Kudos to those involved.
Re: seven bloxortsipt* relays ought *not* to be Valid
Scott Bennett wrote: > a) are running an obsolete version of tor (0.1.2.19) under LINUX, >which is far enough back to be a security problem due to the SSL >key generation bug in LINUX, If the key generation problem refers to what I think, and just for the record, that was only a problem for Debian and Debian derived distributions of Linux. > That much, IMO, ought to justify removal of their Valid flags by the > authorities. In the meantime, I have them all in my ExcludeNodes list, and > I recommend that all relay operators concerned about security in tor do > likewise. My comment above should *not* be construed to mean I disagree with this conclusion.
Re: Best practice for DNS through tor
basile wrote:
>
> Hi everyone,
>
> I'd like to set up a situation where users on a LAN can optionally
> reroute just their DNS queries through tor. What I have is a gateway
> router where bind9 runs on udp 53 (caching only) and tor uses DNSPort
> 5300. I'd like the users to be able to "do something" on their local
> computers which switches DNS queries to the router on port 5300 rather
> than 53. Any suggestions on a best practices? Here's what I've tried:
>
>

If you have an unused LAN address that is guaranteed to get routed to your gateway for forwarding, then I *think* the following should work. Set your gateway up to redirect any packets sent to this address on port 53 to port 5300 on the gateway (I am just parroting what I think you said above w/o having any experience about Tor's DNS capabilities; please adjust details for any misunderstanding I have). A user would then use the normal gateway address for normal DNS. Using the "new" address would cause the request to go to 5300. I.e. this changes the problem from altering the destination port to altering the destination address. So the problem then is providing a mechanism for the user to change the entry in resolv.conf

> 3) I tried redirection with iptables on the local host but I can't
> get that to work --- I'm not sure its possible. ...

I would think that should work. (I've done similar DNATing -- with DNS even! :-) Something like:

    iptables -t nat -A OUTPUT -p udp --dport 53 \
        -j DNAT --to-destination $router_ip:5300

And then you need to make sure you don't have any filtering rules blocking that. And you could add an analogous rule for tcp/53 if you feel you need it.
Re: Yahoo Mail and Tor
Andrew Lewman wrote:
> A) The Privoxies after 3.06 have a local "web control interface"
> which we believe is a security risk. We think that remote websites can
> probably reconfigure your privoxy via that interface, maybe even without
> your noticing. If newer versions have the ability to disable this
> interface, we can consider testing and subsequently including those with
> our packages.

Can you provide a link to what you are talking about? I just searched on the terms/phrase "web control interface" with "privoxy" and only had a few matches, none of which seemed relevant. I also checked privoxy's online manual ( http://www.privoxy.org/user-manual/index.html , v 1.60 2009/03/21 12:58:53) and I didn't see anything about changing configuration that had substantively changed since I started using privoxy 3+ years ago.

At *least* since that time there has been the ability to edit action files via browser (web interface) if allowed in the configuration file. The configuration file itself had to be manually edited, and, at least in *nix, the config file could be owned by root and set to be not writeable by privoxy (assuming privoxy was running w/o privilege). You could also toggle "enable/disable" through privoxy's web interface if allowed in the config file. It should be noted that "disabling" merely turns off the application of the rules -- it does *not* affect packet routing. So if something was sent via Tor with privoxy "enabled," it is still sent through Tor with privoxy "disabled." I have specifically verified that using http://torcheck.xenobite.eu .

So could you point me to what has changed since 3.0.6 that causes security concerns?

Thanks.

P.S. Oops, I just noticed others have requested a link. Did not mean to repeat. I believe the rest of what I said is relevant.
Re: .exit handling (was Yahoo Mail and Tor)
downie - wrote:
>
> > Date: Fri, 10 Jul 2009 11:15:25 -0400
> > From: eril...@gmail.com
> > To: or-talk@freehaven.net
> > Subject: Re: Yahoo Mail and Tor
> >
> > If I'm proxying through Tor and I type this into my browser:
> >
> > www.google.com.example.exit
> >
> > My browser asks the proxy for a connection to "www.google.com.example.exit"
> >
> > Once my browser receives the connection, it then sends this down it:
> >
> > GET / HTTP/1.1\r\n
> > Host: www.google.com.example.exit\r\n
> > \r\n
> >
> > The problem is that some web servers have multiple websites on the same IP
> > and they decide which website to serve by looking at the HTTP Host header.
> > So you need privoxy/polipo to strip the "example.exit" from the HTTP Host
> > header before forwarding on the actual HTTP request, so it sends this
> > instead:
> >
> > GET / HTTP/1.1\r\n
> > Host: www.google.com\r\n
> > \r\n
> >
> > --
> > Erilenz
>
> So far so good. A possible problem then arises when the served page
> contains absolute URLs for resources, links etc which no longer use
> the .exit notation, and so could be fetched from a different exit. How
> often that would happen is open to question.
> Another Privoxy rule could be written to rewrite those page URLs I
> guess, but how would you pass the name of the required exit to the
> rule?

Should the tor exit be removing the .exit notation from the header instead of privoxy? Or perhaps the tor client, which selects the route? (I mistakenly thought one of those did it now. It has been a long time since I've used .exit ...)
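The Host-header rewrite Erilenz describes above, written out as an added example (not code from the thread, Privoxy or Tor): split the `.exit` suffix off the Host value, keep the exit name for the proxy's own use, and forward the request with the real hostname. The `split_exit_host` and `rewrite_request` names are this example's own; the nickname and fingerprint shapes follow Tor's `.exit` notation, and a sample request is constructed inline.

```python
"""Strip Tor's .exit suffix from an HTTP Host header before forwarding.

Tor's .exit notation is  <target-host>.<exit-nickname-or-fingerprint>.exit
e.g.  www.google.com.example.exit  ->  host www.google.com, exit "example".
Only the outbound Host header is rewritten here; absolute URLs inside the
server's response (downie's concern above) are untouched.
"""
import re

# Exit part: a 1-19 char alphanumeric nickname, or a 40-hex-digit
# fingerprint with an optional leading '$'. '.exit' is matched
# case-insensitively. Hypothetical helper names, not from Privoxy/Polipo.
EXIT_RE = re.compile(
    r'^(?P<host>.+)\.(?P<exit>\$?[0-9A-Fa-f]{40}|[A-Za-z0-9]{1,19})\.exit$',
    re.IGNORECASE,
)


def split_exit_host(host_value):
    """Return (host_without_exit, exit_name), or (host_value, None)
    when the value carries no .exit suffix. An optional ':port' is kept."""
    host, sep, port = host_value.rpartition(':')
    if not sep or not port.isdigit():      # no port present
        host, port = host_value, ''
    m = EXIT_RE.match(host)
    if not m:
        return host_value, None
    cleaned = m.group('host') + (':' + port if port else '')
    return cleaned, m.group('exit')


def rewrite_request(raw):
    """Rewrite the Host header of a raw HTTP/1.x request (bytes).

    Returns (rewritten_request, exit_name); exit_name is None when the
    request did not use .exit notation. Other headers and the body are
    passed through unchanged.
    """
    head, sep, body = raw.partition(b'\r\n\r\n')
    lines = head.split(b'\r\n')
    exit_name = None
    for i, line in enumerate(lines[1:], start=1):   # skip the request line
        name, colon, value = line.partition(b':')
        if colon and name.strip().lower() == b'host':
            new_host, exit_name = split_exit_host(value.strip().decode('ascii'))
            lines[i] = b'Host: ' + new_host.encode('ascii')
            break
    return b'\r\n'.join(lines) + sep + body, exit_name


if __name__ == '__main__':
    # Constructed sample request, as in Erilenz's message.
    sample = (b'GET / HTTP/1.1\r\n'
              b'Host: www.google.com.example.exit\r\n'
              b'\r\n')
    out, exit_name = rewrite_request(sample)
    print(out.decode('ascii'))    # Host: www.google.com
    print('selected exit:', exit_name)   # example
```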
Re: Yahoo Mail and Tor
Scott Bennett wrote: > > On Thu, 9 Jul 2009 20:37:38 -0400 downie - > wrote: > >Will Polipo be able to filter out .exit notation? > > > Why would you want it to do that? The .exit notation has to be passed > along to tor for it to work. If it were filtered out, then the user would > see a connection failure of some kind. I believe you are correct that you don't want to filter it out at the privoxy level. But I don't think it would result in a connection failure, but rather that the exit node specification would not be honored (other than by accident). A long time ago I think there was a problem with the .exit... in the URL being passed along to the website in the GET (or other) requests, which sometimes caused problems. Somebody correct me if I am wrong, but I believe now something in the tor chain of software (client, relays, exit) filters that out.
Re: Yahoo Mail and Tor
bao song wrote:
> The standard Tor bundle download for non-Windows still includes
> Privoxy 3.0.6, which mangles Yahoo mail.

I am running privoxy 3.0.6. If you want to email me off-list I will be happy to send you my user.action file which seems to more or less work adequately for Yahoo mail. (Sometimes there is some weirdness with scroll bars, but it is usable. And the page *after* logging out is somewhat mangled, but who cares about that?) You will have to sort the relevant yahoo rules from the rest for yourself.

You can also simply "disable" privoxy (via its menu -- it still forwards to tor appropriately) while using Yahoo mail.

If you email me, I would appreciate text (not html) email.
Re: Google and Tor
grarpamp wrote: > > > GMail doesn't do this anymore. You can sign up through Tor just fine. > > Yes, there was a time years ago where they were invite only :( > Then they opened up. This does not refer to that historical thing. > > I tried making four different acct names over the span of a day > about a day before I first posted this. Clearing cookies and > newnym between each. > > Account creation tests between then and now have worked without issue. > Don't know what google was up to when I posted Seems fine now. > Thanks, sorry for the noise. It may have been related to the traffic from those exit nodes that Google was seeing *at* *that* *time*. There was a time when Google's search engine would sometimes tell me something along the lines of "we think you are a virus" that was definitely time/exit-node dependent. (Now it is very rare that exiting from Tor does not cause me problems with Google's search.)
Re: Google and Tor
James Brown wrote:
> I use the gmail within Tor very easy but I have some problems sometimes
> with other services of Google.

For maybe a couple of years it has been almost impossible for me to use Google's search via Tor. (It keeps calling me a virus.) Somebody eventually told me about Scroogle ( http://www.scroogle.org/scraper.html ) which I have had good luck with via Tor. I *think* that recently, after Google flags you as "suspicious activity" it allows you to proceed with a captcha *if* you accept cookies. Not a good way to remain anonymous unless you immediately delete the cookies. (When I first tried to use Tor I had some, now long forgotten, problem. Google-analytics was my motivation for solving the problem.)

> But about last two months there is problems with using the Yahoo mail
> through Tor.

If you are talking about "error 999" (Yahoo's term), I have occasionally had problems with that for a long time. Recently it seems to have become routine. You can immediately go to the captcha login for email (which I don't have trouble with from Tor) with: https://login.yahoo.com/config/login?.ab=1&.done=http%3A//mail.yahoo.com (of course, Yahoo might break that link at any time)

Be aware that although *login* to Yahoo mail is https, the other transmissions are in clear text. So you are exposing your email (both send and receive) to exit nodes.

P.S. After seeing bao song's post, I remembered I have fiddled with Privoxy's settings to keep it from mangling Yahoo mail. But I have routed Yahoo's mail clear text straight to the Internet to avoid any exit node mischief. I send the https login via Tor because it is too difficult to separate from my other Yahoo traffic.
Re: 25 tbreg relays in directory
Arjan wrote: > > Jim McClanahan wrote: > [...] > > Certainly, protecting > > the network is a priority. Protecting "uninformed or unsuspecting" > > users gets trickier IMHO. I'll admit this is a bit of a hot-button > > issue for me and I may have overreacted. But I think care needs to be > > taken before cavalierly shutting something down to protect uninformed or > > unsuspecting users. I agree with Ringo <2600den...@gmail.com> when he > > wrote (at Tue, 30 Jun 2009 00:06:01 -0400) "Remotely disabling Tor nodes > > is a slippery slope." > > In my humble opinion, protecting uninformed or unsuspecting users / > relay operators should be a priority. The discussion was about Tor *clients* not Tor *servers*. I have repeatedly stated I didn't have problems with disabling the servers if that was needed to protect the network. And while I didn't specifically mention "client" in what was quoted above, I did reiterate that protecting the network was important.
Re: 25 tbreg relays in directory
Edward Langenback wrote:
> Jim McClanahan wrote:
> > I probably should have canned the sarcasm, but I do think that any
> > disabling of the client from the network should be easily reversible.
> > Part of that is just my philosophy. But it also has a practical element
> > in terms of what is required to resume functionality if the client
> > suddenly and unexpectedly stops working. Somebody may not wish to take
> > the time to install at that moment.
>
> I assume that Tor can (or could be made to) detect what OS it's being
> run on. Given that, what if Tor were to check its current version
> against the directory servers while it's creating circuits.
>
> Then if the version running is judged too far out of date to be safe, it
> could download the most recent version (via the Tor network of course)
> for the OS it's running on and "auto-update" itself.

I guess that would depend on the OS and how it is configured. If Tor is running without privilege, as recommended, I would think in most scenarios it would not have the ability to update itself. If something is configured "non-standard" (whatever that may mean in a particular situation) then I would guess the attempt to update would not have the desired result even if Tor had privilege. That said, it is my understanding that on MS Windows, Firefox has such an auto-update mechanism although I am not familiar with the details.

Personally, I like to be in charge of what happens on my computers. I remain unconvinced that what happened in the case of "tbreg" should be determining policy for the Tor project, at least as far as client activity is concerned. To the extent the people who installed really didn't know it involved Tor, it seems to me that, if not technically malware, it is at least a close cousin (where software creators are not being up front with users). Trying to, in effect, be the guardian of such users is (IMHO) a losing proposition.
Re: 25 tbreg relays in directory
Scott Bennett wrote: > > On Mon, 29 Jun 2009 07:13:42 -0600 Jim McClanahan > >Scott Bennett wrote: > >> > >> On Mon, 29 Jun 2009 05:14:25 -0600 Jim McClanahan > >> > >> wrote: > >> >Scott Bennett wrote: > >> > > >> >> Ouch. This provides another example in support of having a way > >> >> for the directory authorities to render insecure versions ... > >> >> and only usable as clients to connect to the tor project's web site to > >> >> download a current version of tor. > >> > > >> >This kind of thinking baffles me. It seems diametrically opposed to the > >> >notion of free software. I could understand if the outdated client was > >> > >> How so? It's still free of charge, freely available, and freely > >> modifiable and redistributable. (GPL3-licensed software doesn't > >> qualify, IMO.) > > > >I did not not mean it was not technically free software. The license > >takes care of that. My meaning is that the goal is to restrict people > >rather than to grant freedom. It is an issue of perspective rather than > >license technicalities. I probably could have phrased it better. > > Oh, okay. Thanks for clarifying. > The intent of my suggestions has been to restrict abuse harmful either > to an uninformed and unsuspecting user or to the tor network overall, not to > restrict "people". I have no problems with either of those goals. Certainly, protecting the network is a priority. Protecting "uninformed or unsuspecting" users gets trickier IMHO. I'll admit this is a bit of a hot-button issue for me and I may have overreacted. But I think care needs to be taken before cavalierly shutting something down to protect uninformed or unsuspecting users. I agree with Ringo <2600den...@gmail.com> when he wrote (at Tue, 30 Jun 2009 00:06:01 -0400) "Remotely disabling Tor nodes is a slippery slope." > will do. > >> > >> >endangering the Tor network (which was discussed in the portion of the > >> >comment I skipped over with the ellipsis). 
And I would have no problem > >> > >> Insecure relays endanger the network > > > >That is why I inserted the ellipsis and made the parenthetical comment > >about it. I am not arguing against neutralizing insecure relays. The > >danger to the network is perfect justification IMO. > > Note that the version of tor that Pei Hanru reported here had been part > of the tbreg distribution is *not* secure. > > I was aware of that at the beginning of this discussion. > >It's not like the clients ended up there on their own w/o the consent of > >the user or owner. Trying to enforce a policy on people when those > > Pei Hanru suggested otherwise.

My point was the users knew that they were installing *some* software. They may not have known that the software contained Tor or even what Tor is. But I see the situation as similar to unscrupulous people slipping malware or other unknown software into packages people willingly install. While I don't approve of that, neither do I feel compelled to police it. Which would be a futile endeavour anyway.

> I would argue that those unsuspecting, involuntary tor operators were
> indeed harmed and further that they were placed at significant risk of far
> greater harms at the hands of that State.

Yet the "harm at the hands of that State" has nothing to do (TMK) with the fact that the clients were insecure, but rather that they were Tor.

> > >technical argument. Obviously, it is technically possible to do what > >you describe. And because of the free license, it is technically > >possible and legally permissible for people to undo those changes on > >their copies of the software. It is also possible for the software to > >lie to the network about what it is. But as I stated, this attitude of > >trying to coerce other people baffles me. I am not saying nobody does > >it. The world is full of tyrants. 
> > Clearly, the above comments are inapplicable to this situation and > to what I was suggesting as a way to deal with similar situations in the > future. Again, maybe I was overreacting. But I do think people who are not trying to be tyrants nonetheless need to be very careful with "for your own good" attitudes. IMO it gets very tricky. > >Just to flesh out my view a little more, I would have no problem with a > >configuration option that says "allow the tor network to nearly disable > >this client at discretion." As long as it could be &g
@Scott Bennett
Ah, I see. It is the duplicate messages from you that were confusing me. Why duplicate messages? As somebody else has pointed out recently, the fact that I can post on or-talk means I am subscribed to or-talk.
@Scott Bennett
I was trying to email you and it bounced:

Final-Recipient: rfc822; benn...@cs.niu.edu
Original-Recipient: rfc822;benn...@cs.niu.edu
Action: failed
Status: 5.7.1
Remote-MTA: dns; mp.cs.niu.edu
Diagnostic-Code: smtp; 550 5.7.1 ... Access denied
Re: 25 tbreg relays in directory
Scott, when I did a "reply" on your email, it (tried to) send it to your personal email account rather than the list.

--

Scott Bennett wrote:
>
> On Mon, 29 Jun 2009 05:14:25 -0600 Jim McClanahan wrote:
> >Scott Bennett wrote:
> >
> >> Ouch. This provides another example in support of having a way
> >> for the directory authorities to render insecure versions ...
> >> and only usable as clients to connect to the tor project's web site to
> >> download a current version of tor.
> >
> >This kind of thinking baffles me. It seems diametrically opposed to the
> >notion of free software. I could understand if the outdated client was
>
> How so? It's still free of charge, freely available, and freely
> modifiable and redistributable. (GPL3-licensed software doesn't
> qualify, IMO.)

I did not mean it was not technically free software. The license takes care of that. My meaning is that the goal is to restrict people rather than to grant freedom. It is an issue of perspective rather than license technicalities. I probably could have phrased it better. (I happen to like, to the extent I understand it, GPLv3. But I don't see how it is relevant to this discussion and I don't know why it was injected into it.)

>
> >endangering the Tor network (which was discussed in the portion of the
> >comment I skipped over with the ellipsis). And I would have no problem
>
> Insecure relays endanger the network

That is why I inserted the ellipsis and made the parenthetical comment about it. I am not arguing against neutralizing insecure relays. The danger to the network is perfect justification IMO.

> Insecure clients installed
> virally onto systems without notice to the users endanger those users.

It's not like the clients ended up there on their own w/o the consent of the user or owner. Trying to enforce a policy on people when those people are not harming others reeks (IMO) of unsavory things like police states and nanny states. I am opposed. It is personal perspective, not technical argument. Obviously, it is technically possible to do what you describe. And because of the free license, it is technically possible and legally permissible for people to undo those changes on their copies of the software. It is also possible for the software to lie to the network about what it is. But as I stated, this attitude of trying to coerce other people baffles me. I am not saying nobody does it. The world is full of tyrants.

Just to flesh out my view a little more, I would have no problem with a configuration option that says "allow the tor network to nearly disable this client at discretion." As long as it could be disabled. But I really wonder why Tor developers would be interested in spending the time to implement such a thing.

>
> >with a friendly advisory as long as it wasn't incessant nagware that
> >couldn't be disabled. But I don't understand the desire to dictate to
>
> I don't think the current log messages are so influential as all that.
> Just take a look at the current consensus. :-(
>
> >people or some nanny viewpoint of trying to save people from
> >themselves. (Before somebody makes an argument of keeping the Internet
> >free of compromised machines, I rather imagine the number of machines
> >compromised because of Tor software would be lost in the statistical
>
> Again, when the software is installed by stealth onto the machines
> of unsuspecting users, then the probability on each user's machine becomes
> 100%. In other words, the number of machines w.r.t. the user is 1 out of 1,
> a ratio that cannot be considered "lost in the noise" for that user.

By stealth??? If that is really so, I guess you could try to make the same argument about *any* free software that somebody decided to turn into malware. But I am still unconvinced the people who installed didn't know they were installing something.

> >noise of all the other ways machines get compromised. And I don't think
> >the unsavory purpose these "tbreg" instances are put to is a relevant
> >factor.)
>
> How so? I note that you deleted all the relevant context in your reply.

I did not reproduce Pei Hanru's email in its entirety because I did not see it as necessary. Or particularly relevant for this discussion. As I stated, "I don't think the unsavory purpose these 'tbreg' instances are put to is a relevant factor." The unsavory purpose I referred to and perhaps what you call "relevant context" is the fact that Tor was part of software sold to (for the purpose of) (quoting Pei Hanru) "automatically register large number o
Re: 25 tbreg relays in directory
Scott Bennett wrote:
> Ouch. This provides another example in support of having a way
> for the directory authorities to render insecure versions ...
> and only usable as clients to connect to the tor project's web site to
> download a current version of tor.

This kind of thinking baffles me. It seems diametrically opposed to the notion of free software. I could understand if the outdated client was endangering the Tor network (which was discussed in the portion of the comment I skipped over with the ellipsis). And I would have no problem with a friendly advisory as long as it wasn't incessant nagware that couldn't be disabled. But I don't understand the desire to dictate to people or some nanny viewpoint of trying to save people from themselves. (Before somebody makes an argument of keeping the Internet free of compromised machines, I rather imagine the number of machines compromised because of Tor software would be lost in the statistical noise of all the other ways machines get compromised. And I don't think the unsavory purpose these "tbreg" instances are put to is a relevant factor.)
Re: Question About Security Threat from Tor
Michael wrote:
>
> Jim McClanahan wrote:
> > Hi,
> >
> > I have read on this mailing list several times about how some
> > previous versions of Tor contain vulnerabilities that can
> > threaten the host machine itself.
>
> Hi Jim,
>
> Not so much related to Tor itself, but more toward general
> security. If a standard user account were to be compromised,
> that's the first step in getting control of a machine.

Thanks, Michael. My impression from the list was it was a direct threat rather than just a stepping stone. Maybe the references were to Microsoft Windows, or maybe I misunderstood. And I know next to nothing about the security model of MS Windows ...

Jim
Question About Security Threat from Tor
Hi,

I have read on this mailing list several times about how some previous versions of Tor contain vulnerabilities that can threaten the host machine itself. I am reminded of this again with Pei Hanru's excellent work tracking down the "tbreg mystery." (I too say "thank you".) While I understand that all software has bugs, some of which can be exploited for malicious purposes, I've long wondered how such vulnerabilities in Tor threaten the host itself if Tor is being run (as recommended) as an unprivileged user. Can somebody explain, or point me to an explanation? Thanks.
Re: Lynx leaks DNS
Phil wrote:
>
> I realize this needs a fix not a workaround, but if a workaround is enough
> for now you could try running lynx via proxychains --> tor
>
> Proxychains might grab all the DNS requests.

Thanks for your response. Now that I know lynx doesn't leak DNS when the protocol (e.g. http://) is included, using full URLs is enough of a "workaround" for me. (And a relief that I haven't been leaking all of this time.)

For everybody's information, I think I learned more about the leaks while I was playing with proxychains. It *appears* that lynx is using DNS to try variations on the supplied name to find one that works. (Maybe there is an option to stop this?) So while I have a solution for myself, I think people using lynx with tor ought to be warned about this.

> You could also probably leave privoxy in the proxy chain or test it with and
> without.
>
> I haven't tried this with lynx, but proxychains does work with tor.

I have tried using proxychains to chain to privoxy. Trying to chain directly to Tor would require more fiddling and I haven't tried that. Lynx couldn't get to the website *and* it DNS leaked. Maybe I didn't have it configured correctly? (privoxy is listening on 192.168.1.27:8119) The non-comment, non-blank lines of the configuration file were:

strict_chain
tcp_read_time_out 15000
tcp_connect_time_out 1
[ProxyList]
http 192.168.1.27 8119

I used the command:

proxychains lynx http://torcheck.xenobite.eu

With tcpdump I saw a DNS query, a TCP handshake with Privoxy, and then proxychains terminated the connection. The page request was not logged in Privoxy's logfile. proxychains reported: "strict chain:192.168.1.27:8119..broken", and backgrounded and stopped lynx.

# tcpdump -nni eth0 not tcp port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:20:08.950239 IP 192.168.2.102.42865 > 65.247.xx.xx.53: 28346+ A? torcheck.xenobite.eu. (38)
23:20:08.952037 IP 65.247.xx.xx.53 > 192.168.2.102.42865: 28346 1/2/2 A 217.160.111.190 (137)
23:20:08.952807 IP 192.168.2.102.51357 > 192.168.1.27.8119: S 3021896822:3021896822(0) win 5840
23:20:08.954018 IP 192.168.1.27.8119 > 192.168.2.102.51357: S 3677520579:3677520579(0) ack 3021896823 win 5792
23:20:08.954052 IP 192.168.2.102.51357 > 192.168.1.27.8119: . ack 1 win 183
23:20:08.954245 IP 192.168.2.102.51357 > 192.168.1.27.8119: F 1:1(0) ack 1 win 183
23:20:08.955321 IP 192.168.1.27.8119 > 192.168.2.102.51357: P 1:54(53) ack 2 win 1448
23:20:08.955353 IP 192.168.2.102.51357 > 192.168.1.27.8119: R 3021896824:3021896824(0) win 0
23:20:08.955686 IP 192.168.1.27.8119 > 192.168.2.102.51357: F 54:54(0) ack 2 win 1448
23:20:08.955702 IP 192.168.2.102.51357 > 192.168.1.27.8119: R 3021896824:3021896824(0) win 0
Re: Lynx leaks DNS
Fabian Keil wrote:
>
> Jim McClanahan wrote:
>
> > Quite by accident I discovered that the lynx browser is leaking DNS
> > addresses. I have verified this on:
> >
> >Lynx Version 2.8.4dev.7 (03 Aug 2000) and
> >Lynx Version 2.8.5rel.1 (04 Feb 2004)
>
> Is there a reason why you aren't using a more recent build?

That was what I had readily available. I just installed lynx on Ubuntu 8.04 LTS for more testing:

lynx --version
Lynx Version 2.8.6rel.4 (15 Nov 2006)
libwww-FM 2.14, SSL-MM 1.4.1, GNUTLS 2.0.4, ncurses 5.6.20071124(wide)
Built on linux-gnu Apr 8 2008 13:48:42

It shows the same behavior I saw before. But further investigation reveals this interesting twist: It does not leak if the URL with protocol is given. But if the http:// is omitted, it leaks, yet still loads the page. Without thinking, I had just been using p.p. When I used http://p.p, it did not leak. But it is not only p.p that leaks:

tcpdump -nni eth0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:22:23.435995 IP 192.168.2.102.45063 > 65.247.xx.xx.53: 46608+ A? p.p. (21)
08:22:23.437732 IP 65.247.xx.xx.53 > 192.168.2.102.45063: 46608 2/2/0 A 64.158.56.50, A 63.251.179.30 (109)
08:33:39.447099 IP 192.168.2.102.54845 > 65.247.xx.xx.53: 19107+ A? torcheck.xenobite.eu. (38)
08:33:39.679776 IP 65.247.xx.xx.53 > 192.168.2.102.54845: 19107 1/2/2 A 217.160.111.190 (137)

(The returned addresses for p.p are bad behavior on the part of my ISP. They lead to a "not found" page with advertising.)

Both of the above were without http:// . And when http:// was added, neither leaked. torcheck.xenobite.eu (both with and w/o http://) verified I was accessing via Tor.

Not as bad as I thought when I originally posted. But still disconcerting, particularly considering that it will happily render the page w/o http:// .

>
> I can't reproduce the problem with:
>
> f...@tp51 ~ $lynx --version
> Lynx Version 2.8.6rel.5 (09 May 2007)
> libwww-FM 2.14, SSL-MM 1.4.1, OpenSSL 0.9.8k, ncurses 5.7.20081102(wide)
> Built on freebsd8.0 Feb 27 2009 22:36:34
Lynx leaks DNS
Hi,

Quite by accident I discovered that the lynx browser is leaking DNS addresses. I have verified this on:

Lynx Version 2.8.4dev.7 (03 Aug 2000) and
Lynx Version 2.8.5rel.1 (04 Feb 2004)

lynx is called from scripts with the following statements:

export http_proxy=http://localhost:8119
export https_proxy=http://localhost:8119
export ftp_proxy=http://localhost:8119
export gopher_proxy=http://localhost:8119
export news_proxy=http://localhost:8119
export newspost_proxy=http://localhost:8119
export newsreply_proxy=http://localhost:8119
export snews_proxy=http://localhost:8119
export snewspost_proxy=http://localhost:8119
export snewsreply_proxy=http://localhost:8119
export nntp_proxy=http://localhost:8119
export wais_proxy=http://localhost:8119
export finger_proxy=http://localhost:8119
export cso_proxy=http://localhost:8119

Privoxy is listening on localhost:8119 and sends requests to tor in the standard way. I have verified from Privoxy's log that requests are received and http://torcheck.xenobite.eu verifies the request is coming through the Tor network. Supplying lynx with the URL of p.p (an alias that Privoxy understands) demonstrates that lynx does a DNS request and then ignores the result.

Comments? Suggestions?
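The check the lynx posts above describe (watch udp port 53 with tcpdump while lynx runs behind Privoxy/Tor, and see whether the name gets looked up directly), as an added example that is not part of the original posts: a small sh/awk filter that reads the text of such a capture and lists every name that was resolved outside the proxy path. The embedded capture is constructed from the lines in the thread with a made-up resolver address and an extra loopback query; the rule that any DNS query leaving for a non-loopback resolver is a leak is this example's assumption, not a statement from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: lynx is configured to talk only
# to the local proxy, so resolving happens on the proxy/Tor side and ANY query
# from this host to a non-loopback resolver is a leak. Queries to 127.0.0.0/8 are
# ignored so that a Tor DNSPort on localhost does not count as a leak.

# Constructed sample capture in "tcpdump -nn udp port 53" form (resolver address,
# query IDs and the last, loopback line are made up for the example).
SAMPLE_CAPTURE='tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:22:23.435995 IP 192.168.2.102.45063 > 65.247.0.1.53: 46608+ A? p.p. (21)
08:22:23.437732 IP 65.247.0.1.53 > 192.168.2.102.45063: 46608 2/2/0 A 64.158.56.50, A 63.251.179.30 (109)
08:33:39.447099 IP 192.168.2.102.54845 > 65.247.0.1.53: 19107+ A? torcheck.xenobite.eu. (38)
08:33:39.679776 IP 65.247.0.1.53 > 192.168.2.102.54845: 19107 1/2/2 A 217.160.111.190 (137)
08:40:01.000001 IP 127.0.0.1.40000 > 127.0.0.1.53: 1+ A? only-via-local-dnsport.test. (45)'

# leaked_names: tcpdump text on stdin -> one leaked query name per line on stdout.
leaked_names() {
  awk '
    # Only query lines carry an "A?"/"AAAA?" token; answer lines carry a bare "A".
    / (A|AAAA)\? / {
      dst = $5; sub(/:$/, "", dst)          # "65.247.0.1.53:" -> "65.247.0.1.53"
      if (dst ~ /^127\./) next               # loopback resolver: not a leak
      for (i = 1; i <= NF; i++)              # the queried name follows the token
        if ($i ~ /^(A|AAAA)\?$/) { name = $(i + 1); break }
      sub(/\.$/, "", name)                   # drop the trailing root dot
      print name
    }'
}

# leak_count: number of leaked queries in the capture text passed as $1.
leak_count() {
  printf '%s\n' "$1" | leaked_names | wc -l | tr -d ' '
}

# Live use: tcpdump -nnli eth0 udp port 53 | leaked_names
# then load the same page in lynx with and without the http:// prefix and compare.
printf '%s\n' "$SAMPLE_CAPTURE" | leaked_names
```

On the constructed sample this prints p.p and torcheck.xenobite.eu (the two names the thread saw leak) and stays silent for the loopback query, which is the behaviour you want when Tor's own DNSPort is in use.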
Re: Banners injected in web pages at exit nodes TRHCourtney*
> Strange that the provided link didn't have injection... Adaptation on
> the nodes part?

A few minutes ago I tried http://www.torproject.org.TRHCourtney01.exit/ and got a banner ad. Maybe they do it on a sporadic basis?
Re: GSoC Introduction! (TorButton)
Chris Humphry wrote:
>
> Hi Kroy!
>
> I informed Tor team how RefControl will spoof the root of the site you
> are visiting as the referrer.

I will also point out functionality Privoxy has as an option. When you come from another site, it spoofs the referrer as the root of the site being visited as indicated above. But as you move around within a site it reports the referrer accurately. Some sites require this for proper functioning.
Re: TOR and HADOPI
Freemor wrote:
>
> On Thu, 28 May 2009 22:25:49 -0700 (PDT)
> Curious Kid wrote:
>
> > This policy model, applied globally, may put an end to Tor. Imagine
> > if exit nodes in every country were shut down, yet their operators
> > were still required to pay for an Internet connection for a long
> > period of time thereafter. Each country having their own special
> > blend of banned activities further complicates matters.
> >
> > Maybe Tor could go completely hidden.
>
> I really can't see how the pay for something you aren't receiving part
> of this bill will stand any kind of a legal challenge. Cutting off a
> person's service is one thing. Forcing a person to pay for nothing is
> almost universally considered theft/extortion.

Particularly when the "pay for nothing" was not part of any due process. But we shall see.
Re: Iptables configuration for a transparent proxy for a single user
unknown wrote:
>
> INET_IFACE=eth0 #our internet interface
>
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 9050 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 9040 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 53 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p UDP --dport 53 -j DROP
> # Block incoming traffic for these ports from outside.
> # Tor already ignores non-local connections by default.
>
> $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
> $IPTABLES -t nat -A OUTPUT -d 127.0.0.1 -j RETURN
> # Pass direct connections to localhost services.
> # We can try using privoxy first before redirecting unfiltered traffic to Tor.
>
> TOR_UID=debian-tor
> #see tor uid in file:
> #tor:x:XXX:YYY::/var/lib/tor)
>
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
> $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user -m tcp --syn \
>     -j REDIRECT --to-ports 9040
> $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user -m udp --dport 53 \
>     -j REDIRECT --to-ports 53
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
> # Transparent redirection of the traffic to Tor for tornet_user
>
> # $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user -j DROP
> # This rule will not work anymore in new iptables.
>
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user -j DNAT \
>     --to-destination 127.0.0.1
> # Use DNAT instead of nat
> # Any traffic from tornet user, if not redirected to tor, is redirected to localhost.
> # If no service on localhost can accept this traffic then these packets die quietly in our localhost.
>
> I tested these rules with a sniffer and cannot see any DNS leakage and everything works fine.
> Any possible vulnerabilities here?

Rather than just DNATing all un-REDIRECTed traffic of tornet_user to localhost, I wonder whether it would be safer to direct udp & tcp traffic to a particular port where you explicitly DROP (or REJECT) it. Something along the lines of:

DROPDEAD=12345
$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user \
    -j REDIRECT --to-ports $DROPDEAD
$IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user \
    -j REDIRECT --to-ports $DROPDEAD
$IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user \
    -j REDIRECT
$IPTABLES -A INPUT -p tcp --dport $DROPDEAD -j DROP
$IPTABLES -A INPUT -p udp --dport $DROPDEAD -j DROP

(BTW, DNATing to localhost for a locally generated packet is the same as REDIRECT.)

Also, it looks to me like the following rule is not needed, as any packets that would match have already been RETURNed.

$IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
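The two halves of this exchange (unknown's transparent-proxy rules and the DROPDEAD variant suggested in the reply), assembled into one ordered script as an added example; this is not the ruleset either poster ran. It keeps the thread's ports (TransPort 9040, DNSPort 53) and account names (debian-tor, tornet_user), drops the redundant ACCEPT, and replaces the catch-all DNAT with REDIRECT to a dead port plus explicit DROPs. The interface name eth0, the port 12345 and the dry-run helper are this example's assumptions; the script previews the rules by default and only touches the kernel when you pass iptables explicitly.

```shell
#!/bin/sh
# Added example, not the rules as posted in the thread. Assumptions for the
# example: eth0 is the Internet-facing interface, Tor runs as debian-tor with
# TransPort 9040 and DNSPort 53 (as in the thread), tornet_user is the account
# to be forced through Tor, and nothing on the host listens on port 12345.

# dryrun: stand-in for iptables that just prints the rule it was asked to add.
dryrun() { printf '%s\n' "$*"; }

# apply_tornet_rules CMD: run every rule through CMD (iptables, or dryrun to preview).
apply_tornet_rules() {
  ipt=${1:-iptables}
  inet_iface=eth0
  tor_uid=debian-tor
  tornet_user=tornet_user
  dropdead=12345

  # 1. Tor's SOCKS/Trans/DNS ports are local services; refuse them from outside.
  for port in 9050 9040 53; do
    $ipt -A INPUT -i "$inet_iface" -p tcp --dport "$port" -j DROP
  done
  $ipt -A INPUT -i "$inet_iface" -p udp --dport 53 -j DROP

  # 2. Loopback traffic (e.g. to Privoxy) is left alone.
  $ipt -t nat -A OUTPUT -o lo -j RETURN
  $ipt -t nat -A OUTPUT -d 127.0.0.1 -j RETURN

  # 3. Tor's own connections must leave untouched, or they would loop back into Tor.
  $ipt -t nat -A OUTPUT -m owner --uid-owner "$tor_uid" -j RETURN

  # 4. tornet_user: new TCP connections go to TransPort, DNS goes to DNSPort.
  $ipt -t nat -A OUTPUT -p tcp -m owner --uid-owner "$tornet_user" -m tcp --syn \
       -j REDIRECT --to-ports 9040
  $ipt -t nat -A OUTPUT -p udp -m owner --uid-owner "$tornet_user" -m udp --dport 53 \
       -j REDIRECT --to-ports 53

  # 5. Whatever is left from tornet_user is steered onto a dead local port ...
  $ipt -t nat -A OUTPUT -p tcp -m owner --uid-owner "$tornet_user" -j REDIRECT --to-ports "$dropdead"
  $ipt -t nat -A OUTPUT -p udp -m owner --uid-owner "$tornet_user" -j REDIRECT --to-ports "$dropdead"
  $ipt -t nat -A OUTPUT -m owner --uid-owner "$tornet_user" -j REDIRECT
  # ... and dropped there explicitly, instead of hoping nothing is listening.
  $ipt -A INPUT -p tcp --dport "$dropdead" -j DROP
  $ipt -A INPUT -p udp --dport "$dropdead" -j DROP
}

# Preview by default; run as root with IPTABLES=iptables to apply for real.
apply_tornet_rules "${IPTABLES:-dryrun}"
```

Rule order is the whole point: the two RETURNs for Tor and loopback must precede the tornet_user REDIRECTs, and the TransPort/DNSPort REDIRECTs must precede the dead-port ones, since the first matching rule in the nat OUTPUT chain wins. The bare REDIRECT on the last nat line only changes the destination to 127.0.0.1 for protocols other than TCP/UDP, so those still arrive on loopback exactly as with the original DNAT; the INPUT DROPs cover the TCP/UDP case the thread was worried about.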
Re: Version checking (was Re: 25 tbreg relays in directory)
Tripple Moon wrote:
> IMHO, all and i mean *all* modifications of the original code and/or design
> should be committed to the development-tree, that's how things get improved
> and fixed etc by the community that maintains the development of the project.

The problem with your logic (leaving aside the questions of whether it is desirable or doable) is that it is *source* code that gets committed to the development tree, but you are wanting to authenticate against *object* code (at least that's what it used to be called), i.e., binaries. If there were a way to authenticate against *source* code (yeah, right) then your plan might be doable, even if not desirable. But when I compile my code (and I do), the resulting binary is dependent on the particulars of my system. I suspect if I compiled it on two different machines (and I have) I would get two different binaries even when I start with the same source.

> If the tor application won't get means to authenticate its internals, then I'm afraid (IMHO) we will be looking at a future with *many* independent tor networks who are not connected to each other's cloud because of differences...

The need is for the code to be interoperable. Interoperability is a much lower threshold than authenticating binaries people run. Presumably your desire to authenticate stems from lack of trust -- i.e. fear of an attacker. But attackers are (or can be) clever and I don't think that even in *principle* you can reliably authenticate w/o requiring things that would destroy anonymity. That is, before you can trust me, you have to know who I am (with certainty) and what I am doing. If you don't know who I am I can tell you anything I want (such as what binary I'm running) and you won't know the difference.
Re: Version checking (was Re: 25 tbreg relays in directory)
> By "remotely calculated CRC-value of the client" i mean that the destination does the CRC calculation of the connecting client.
> Yes this means the client needs to send all of its binary-self to the
> destination.

That would be a pretty big upload for a dial-up user! I am also wondering what kind of danger you think a *client* can have for the Tor network. And if somebody wanted to circumvent, I would think the client could be modified so that when it claimed to be uploading itself, it was actually uploading a copy of an unmodified binary. Am I missing something? Also what would be gained from a CRC based on the *binary*? Wouldn't that change according to the system that compiled it?
Setting up a Tor private network
I'm in the process of playing around with Tor (beyond just using it as a client -- using it as a client has been no problem). In so doing, I am attempting to first set up a "tor private network" on a system and see how things work when running a couple of tor server processes. I am using the make-private-tor-network.py (I've also tried hand configuring) but things do not appear to work. In the debug log, I am consistently seeing the following debug statement:

Oct 04 01:12:50.107 [info] router_have_minimum_dir_info(): We have 0 of 1 network statuses, and we want more than 0.

Is there something I am missing? It doesn't look like routes are being established. Each of the non-directory nodes does connect and give information to the directory node, but that appears to be it. Is there a better writeup/discussion on setting up a private tor network? And for the record, this is on both OS X and Linux -- the behaviour is consistent.

Thanks
-jim
Re: Precompiled tor binary for openwrt/dd-wrt?
glymr writes:
> perhaps openwrt hasn't got urandom? urandom is pretty intensive as far
> as i know, it'd definitely load the little router hard. i'd say the devs
> will be able to tell you if there's anything that can be done.

OpenWrt has /dev/random and /dev/urandom. The SSH daemon dropbear, which is installed by default under OpenWrt, uses /dev/urandom.

> my initial thought is edit the source and change all references to
> /dev/urandom to /dev/random - this would reduce the randomness a bit
> but would also reduce loading (and in this case, may enable it to
> run)

Isn't it vice versa? AFAIK /dev/random provides strong random data, which /dev/urandom doesn't guarantee.

I don't know why the tor binary crashes on the Linksys router. I can't reproduce this bug on my Asus router. I used a current OpenWrt WhiteRussian build tree to create the binary packages. So far I have never had problems mixing packages from the current build tree with packages from WhiteRussian RC5, but maybe something has changed recently.
Re: Precompiled tor binary for openwrt/dd-wrt?
glymr writes:
> HUMMM looking at that, doesn't look like it'd be a very enjoyable
> process without me actually having a linksys wrt router sitting
> around.

I've put a diff for OpenWrt's tor package and binary packages at the following location:

http://www.hepe.com/~jim/openwrt/whiterussian/

I've tested these packages briefly on my Asus 500g Deluxe.