Re: [OT]FW: Invitation to connect on LinkedIn

2010-06-30 Thread Michael Holstein

> And just how can you add a mailing list to your professional network???

This is a feature of these sorts of sites .. you (stupidly) provide
your email password, they suck in all the addresses of your contacts and
attempt to befriend them.

One person's marketing and/or networking is everyone else's spam.

Cheers,

Michael Holstein
Cleveland State University
***
To unsubscribe, send an e-mail to majord...@torproject.org with
"unsubscribe or-talk" in the body. http://archives.seul.org/or/talk/


Re: Automated threat messages force limitation of Exit Policy (Softlayer)

2010-06-29 Thread Michael Holstein

> As in, MediaSentry doesn't want Tor to exist (for obvious reasons), so
> it DMCA-DoS's new exit nodes?

No, they pick on everyone pretty much equally .. easy to do when you're
just using a script to scrape a tracker and complain.

I've investigated many of the complaints over the years, and have yet to
find any evidence that MediaSentry (et al.) makes any effort to
download or verify that the client they are complaining about is in
fact offering the content in question. This was most hilariously
demonstrated by Washington University when they spoofed a bunch of
printers and got DMCA notices for them(*).

(*): http://dmca.cs.washington.edu/

Also, as I've mentioned previously, it's not at all unusual to get
complaints for IP addresses (within our block) that have never been
used. I get the impression that folks (probably the media companies
themselves) are intentionally injecting fake information into BitTorrent
like they used to do with Napster .. except that BitTorrent handles this
much better. The fallout from that is companies get a bunch of bogus
complaints.

My 0.02.

Cheers,

Michael Holstein
Cleveland State University


Re: Automated threat messages force limitation of Exit Policy (Softlayer)

2010-06-23 Thread Michael Holstein

> If you can get SoftLayer to do SWIP on the IP address/range assigned to
> you, that will offload their complaint person and let you handle
> everything automatically.

Agreed. Having the whois info for your TOR box come to you as an
ORG-ABUSE will offload a lot of this from Softlayer. BayTSP, et.al.
don't bother doing ASN lookups, they complain by IP whois.

> BayTSP/MediaSentry/etc have heard all the
> excuses, including when they tagged my printer as serving up movies;
> they don't care.

True. We get tons of them for nonexistent IP ranges. They never answer
any questions about it.

> The response is probably then
> catalogued for some future court case.

As are all of the bogus notices and supporting documentation that
nothing has ever occupied that IP address.

Cheers,

Michael Holstein
Cleveland State University


Re: TOR Blocked at Universities

2010-02-12 Thread Michael Holstein

> Could you bind your exit traffic to IPs outside your University's
> primary block?

Not sure what you mean by bind to outside IP, but our network is a
contiguous /16. We would have to register for extra /24s from ARIN, and
that costs money.

Cheers,

Michael Holstein
Cleveland State University



Re: TOR Blocked at Universities

2010-02-12 Thread Michael Holstein

> Why not simply block that entire network in the Exit policy?

You're missing the point .. we already blocked our *own* /16 in the
exit. The problem was the thousands of academic journals, all of which
have distinct addresses, that consider any traffic from our /16 as being
on campus and thus not needing of authentication. As the exit node
resided with that /16, any traffic sourced from it would appear to be
on campus from the perspective of the other entity.

I could have :

a) created an exit policy thousands of lines long prohibiting
a.b.c.d/32:* for each of them
b) used iptables to do the same thing, but that would not make the
prohibition known to clients and would break things.
c) use entries in /etc/hosts to accomplish the same things as b) with
the same results.

We found that since the list of exit nodes is known, people would
actively seek those that ended in .edu and try to rape the journals with
them .. downloading entire issues of various scientific journals (this
happens on-campus too from misguided students, but that's easier to
track down).

If the network spec could easily handle any number of exit nodes, each
with a policy of unlimited length .. this wouldn't be a problem (other
than the ongoing maintenance headache). Likewise, if we had a few /24s
to stick stuff like this into that were outside the primary /16 we could
make it work .. but IP space is getting harder to come by, and it's hard
to justify additional allocations when you already have a class B (plus,
it costs money).

Before anyone tells me it's broken to authenticate just by IP address
.. I already know that .. but that's how most of the academic publishers
do it at the moment.

For the record, the DMCA complaints, subpoenas, and various angry phone
calls were never a problem. It was the theft of academic journals (and
that doing so jeopardized our subscriptions) that did it in.

Cheers,

Michael Holstein
Cleveland State University


Re: Torbutton : please offer better user agent choices

2010-02-12 Thread Michael Holstein
Perhaps the best choice would be the one used by the most people.

http://www.eff.org/deeplinks/2010/01/tracking-by-user-agent

Cheers,

Michael Holstein
Cleveland State University


Re: TOR Blocked at Universities

2010-02-11 Thread Michael Holstein

> Why couldn't your exit policy just block the IPs of the journal sites?

Because there's > 1000 of them (and each would be a /32). It was
discussed in another thread at the time, and the developers led me to
the conclusion that such hugely long exit policies were a bad idea.

Cheers,

Michael Holstein
Cleveland State University


Re: browser fingerprinting - panopticlick

2010-01-29 Thread Michael Holstein

> The main cause was the screen resolution.

Running TOR and leaving javascript enabled sort of defeats the point,
doesn't it?

Cheers,

Michael Holstein
Cleveland State University


Re: Need for sane ISP's?

2010-01-25 Thread Michael Holstein

> Is there a need for a 'by the books' ISP/hoster based in the USA?

It's a capitalist market. If someone's willing to pay the premium for
that type of service, it'll be offered.

The reason it isn't is that each warrant, subpoena, DMCA request, etc.
requires an army of technicians, lawyers, and the like to deal with.
Just because you might be immune under US law doesn't stop them from
suing you, and you needing to pay counsel to go in there and defend you
(and your techs to testify, outside experts, etc.).

It doesn't take very many of those cases to drive up costs.

If you can justify the need for your own ASN (because you're
multi-homed, etc.) then you *become* the ISP. This is completely
impractical for an end-user, but it's how Universities (and the like)
get away with hosting the nodes .. there's nobody else to complain to
but the entity itself.

Cheers,

Michael Holstein
Cleveland State University




Re: Why governments fund TOR?

2009-12-30 Thread Michael Holstein

> may i know why governments fund TOR. i read 49% funds coming from
> government. TOR is usually considered for passing government restriction
> by journalists and activists. so why should governments fund this?


Consider that many of the nodes are run by public Universities, which
are partially funded by their respective states.

Cheers,

Michael Holstein
Cleveland State University


Re: TOR and ISP

2009-12-29 Thread Michael Holstein

> Toward a U.S. Data-Retention Standard for ISPs
> http://www.educause.edu/EDUCAUSE+Review/EDUCAUSEReviewMagazineVolume41/TowardaUSDataRetentionStandard/158105
> Current law, as contained in Title 18 U.S.C. Section 2703(f), outlines
> the process by which law enforcement can contact ISPs to request the
> preservation of identified records or communications related to a
> particular person. The information cannot be deleted for 90 days,
> during which time law enforcement obtains the proper legal process.

This is called a request to preserve records and is quite common.

Basically it's a FAX from $agency to your legal department (and then
forwarded to the IT folks) that says "hey, IF (and only IF) you have
data relating to $x $y and $z, don't delete it until you get the subpoena".

This is meant to counteract the routine log rotation in place almost
everywhere. The first request gets them 90 days to follow up with the
appropriate paperwork (subpoena or warrant, depending on what and how
old it is).

Those preservation requests do not create any duty to BEGIN collecting
anything .. you just can't destroy what you've already got. Also,
there's no duty to retain other records that may relate tangentially to
the request but aren't specifically requested(*).

(*) : IANAL, check with your company lawyers in all cases when answering
legal process, etc.

A forward-going request is known as a Title III Order AKA wiretap.
These are quite rare by comparison.

Regards,

Michael Holstein
Cleveland State University


Re: TOR is for anonymization; so how to add encryption as well?

2009-12-28 Thread Michael Holstein

> 1) is no one able to decrypt the tor's encryption?

As for the node-to-node encryption, you can assume the answer to be
probably not. AES128 is seen to be reasonably secure at the present
time, enough so to be used for classified communication channels by the
US Government.

Does this mean $they probably couldn't brute-force a given key with
enough time and/or resources? .. No.

> 2) how can i trust the person who runs the tor's exit node?

You can't. Hence the need to use encrypted end-services like SSH, HTTPS,
IMAPS, etc.

> optional -3) [forgive me if it is too silly]
> why people run TOR nodes? is that only to support the community or
> other benefits as well?

Yes, to support the community and to generally frustrate repressive
governments (our own included, since doing so is still within the bounds
of the law at the moment).

Benefits? If you need a recent real-life example .. during the Iran
election protests, people were creating S3/Vmware instances for TOR that
allowed access to Twitter, etc. and created an ever-moving target for
the authorities over there .. enough so that information continued to
leak out to the rest of us. The same is true for China, WikiLeaks, etc.

Cheers,

Michael Holstein
Cleveland State University


Re: Talking w/local service CEOs [LJ, goog...]

2009-12-22 Thread Michael Holstein

> Yahoo does not block access.  However you will frequently get an error 999.
> You can get around this by using their CAPTCHA based login.  Do realize that
> while the login is https, the mail viewing/sending is not.  So malicious exit
> nodes will be able to view all of the email you view/send.

And sniff/steal the session cookie.

Regards,

Michael Holstein
Cleveland State University


Re: I Write Mass Surveillance Software

2009-09-17 Thread Michael Holstein



> http://www.reddit.com/r/IAmA/comments/9kwph/i_am_a_guy_who_writes_covert_software_that_runs/
>
> Thoughts?


The mention of "C like code" and the DPI makes me think the hardware 
uses Intel's IXP series network processors. For those, the ruleset is 
basically written in C and uploaded to the device.


SANS has a whitepaper on doing Snort IDS with them, a fairly similar 
application to the above (this is for the 24xx series @ 2.5gbps)


http://www.sans.org/reading_room/whitepapers/detection/intel_ixp_network_processor_based_intrusion_detection_32919

The IXP2800 can do line-rate 10gbps
http://download.intel.com/design/network/ProdBrf/27905403.pdf

Cheers,

Michael Holstein
Cleveland State University


Re: I Write Mass Surveillance Software

2009-09-17 Thread Michael Holstein



> The IXP2800 can do line-rate 10gbps
> http://download.intel.com/design/network/ProdBrf/27905403.pdf


Here's one more link that explains the IXP series architecture

http://www.cs.uiuc.edu/homes/luddy/PROCESSORS/IXP2850.pdf

(basically, all the OP on Reddit was saying, was he's the guy that 
writes the microengine code) .. the processors themselves aren't 
capable of realtime brute-force decryption ... but they are the sort of 
thing that can look for signatures/keywords/etc in a stream and act upon 
it at wire-speed.


As for breaking encryption, this would be a task better suited for a 
large farm of purpose-programmed FPGAs, since I'm not aware of any 
commercially-produced ASIC that does this (although the NSA does list 
jobs for semiconductor fabrication, so I'm sure they're in that game).


IIRC the Russians had purpose-built their own ASICs to break DES when it 
was en vogue .. I'm sure our side of the pond actively does the same.


Sneakier mice, better mousetraps.
Lather, rinse, repeat.
while().

Cheers,

Michael Holstein
Cleveland State University


Re: Gmail

2009-09-02 Thread Michael Holstein



> Noticed today that gmail is again requiring
> new account creation to use SMS verification.
> Tried with a number of exits. Anyone else?


There are email-SMS gateways .. do the reverse not exist?

What about SMS-SIP services? .. eg : 
http://www.iptel.org/ser/doc/modules/sms





Re: UDP and data retention

2008-12-19 Thread Michael Holstein



> This is off-topic, but isn't UDP making data retention more difficult
> than TCP/IP.


I don't see how ..

tcpdump -s 1514 -w evidence.pcap ip proto \\udp

is any harder than ..

tcpdump -s 1514 -w evidence.pcap ip proto \\tcp

Now I guess you could rig a communications network that dealt entirely 
in header-source forged UDP packets, but as best practices dictate (not 
that everybody follows them) .. one should filter egress of packets with 
a source address not within your netblock.


Cheers,

Michael Holstein
Cleveland State University


Re: Abuse complaint

2008-10-07 Thread Michael Holstein


> Does anyone have any suggestions on how to respond to these
> complaints?  Is IP filtering the best (or only) option for addressing
> TWC's issues?


You do know that running a server of ANY kind on a residential 
connection is generally against the provider's terms of service, right?


Cheers,

Michael Holstein
Cleveland State University


Re: Abuse complaint

2008-10-07 Thread Michael Holstein


> Yup, and I suspected that they would say something about that...but
> they didn't.  The TWC representative just asked me to assure that the
> attack would not occur again.  So perhaps ISPs are accepting the
> reality that customers will run servers on residential cable modem
> service?


Actually, I was looking up TWC's terms of service to support my claim, 
and it seems in light of being beat up upon by the FCC for the network 
management foolishness, they've simplified it quite a bit.


http://help.twcable.com/html/twc_misp_aup.html

However, like many ISPs, it still contains this clause :

"The ISP Service may not be used to breach or attempt to breach the 
security, the computer, the software or the data of any person or 
entity, including Operator, to circumvent the user authentication 
features or security of any host, network or account, to use or 
distribute tools designed to compromise security, or to interfere with 
another's use of the ISP Service through the posting or transmitting of 
a virus or other harmful item to deliberately overload or flood that 
entity's system."


... and they make no distinction between YOU (as in the real you) and 
TOR (as in traffic that appears to come from you, but isn't the real 
you) .. all they care about is what comes out of your pipe.


Anyway .. good luck, and keep up the good fight!

Cheers,

Michael Holstein
Cleveland State University


Re: Paid performance-tor option?

2008-08-19 Thread Michael Holstein



> A lot easier to sell to WHOM? (Let's say you are Novartis ... who are those
> which you are--implicitly or not, and slip of the tongue or not--mentioning as
> a destination for selling attested, proven sneak-oil ... a lot easier?)


Management.

When I approached the higher-ups about doing a TOR node, I needed to 
pick a repressive regime to use as the reason for doing it. I didn't 
think using our own country (equally repressive, for mostly the same 
reasons) would fly.


It worked, btw .. we ran one @10mbps for almost a year, until folks 
started raping online academic journals with it.



Michael Holstein
Cleveland State University


Re: Paid performance-tor option?

2008-08-18 Thread Michael Holstein


> If tor is incompetent to find HUGE funding for free, it may be time to
> setup an international tor paid option.


Many of TORs current high-bandwidth nodes are run by universities .. who 
would be legally prohibited from participating in a for-profit system 
(even if the model was just cost recovery). It's also a lot easier to 
sell the idea of exposing yourself to endless abuse complaints if you 
can use the ...but we're helping Chinese dissidents... angle.


If you want paid-for anonymity services, there's tons to choose from .. 
but consider that once you attach payment to a username, you've created 
an easily attributable path back to you. TOR from the coffee shop's wifi 
is a lot harder to trace.


I guess it depends on *why* you need the performance .. if it's p2p 
you're trying to do (which you shouldn't be doing on TOR anyway) I'd 
suggest you take a look at what the friendly pirates at PRQ have come up 
with (Relakks .. www.relakks.com).


Cheers,

Michael Holstein
Cleveland State University


Re: About WLAN and monitoring..

2008-01-31 Thread Michael Holstein


> I run a Tor client on a laptop at easy to access pub wifi access
> points. What I need to know is, assuming I have disallowed file
> sharing, ect what info could a wifi host be able to access on my
> computer? I have heard they could only log my MAC address, the unique
> code identifying my wifi card. Is more available to an attacker?


The MAC of the wireless card (which can be changed .. from the advanced 
properties tab in Windows, or 'ifconfig hw ether' in *nix).

The hostname sent to the DHCP server (also modifiable)

Just turning off file sharing does not disable all the exposed ports .. 
run netstat -an |findstr LISTEN to see what's open (replace 'findstr' 
with 'grep' for *nix).


Also : consider things like Windows Update, Weatherbug, Webshots, 
AntiVirus progs, etc. All of those apps send a unique ID to the remote 
side, and could be used to associate the non-TOR-you with the 
TOR-you. So could your web-based email if you've EVER used it from an 
identifiable location.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


Re: [OT] NSA to spy on rest of government, launch counterattacks at crackers

2008-01-28 Thread Michael Holstein



> It reminds me of some of the stuff out of the Matrix... hackers casing
> damage by manipulating the code of the Matrix, Machines moving in and
> out of everything...


Greetings professor .. would you like to play a game?


Re: Restrict relay to internet2

2008-01-09 Thread Michael Holstein


> The final part of my scheme would require that I be able to restrict
> my tor node to ONLY relay traffic to/from I2 nodes.  I can't figure
> out how to do this.


I doubt your school will do this for you, but the only way it's gonna 
work is to get a BGP feed into quagga (or some other BGPd) and build 
your netfilter tables from that.


Here is a (somewhat dated) article on doing it : 
http://www.ibiblio.org/john/pubs/route-qos/index.html


I see why you're trying though .. when I was running a TOR node here, it 
was by far the largest user of Internet2 bandwidth (since many other TOR 
nodes are on academic sites).


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


Re: SORBS vs Tor and the world

2008-01-07 Thread Michael Holstein



> and no involvement with SORBS idiots is required.


If you don't like SORBS, don't use them.

TOR doesn't try to be invisible .. if a site admin wants to block 
anonymous ($whatever) .. they're free to do so, and SORBS just makes it 
easier (the TOR dnsbl).


Statistically speaking, the volume of non-legitimate email coming from 
anonymous routers makes TOR a pretty easy target.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


Re: Testing bridge capabilities

2007-12-27 Thread Michael Holstein



> I've got my OR set up to be a bridge, and everything seems to be going
> ok. However, I suspect that my ISP (Cox Communications) may be blocking
> HTTP port 433, as I can't get a confirmation on it.


Well geez .. that's easy .. just tell us your IP address and we'll see 
if we can telnet to port 443.


Email somebody privately if you want ONE test, email the list if you 
want several.



~Mike.


Re: another seeming attack on my server's DirPort

2007-12-19 Thread Michael Holstein



> The symptom, like the last time, was that output rate on my
> machine's main Ethernet interface was running steadily around the transmit
> rate limit imposed by my ADSL line.
tweak as desired ... this would permit 1 connection per minute from a 
given IP. Replace (torDirPort) with whatever TCP port you're serving the 
DIR on.


# A second NEW connection from an address already seen in the last 60 s:
# log it, then drop it (--update also renews that address' timestamp)
iptables -A INPUT -p tcp --dport (torDirPort) -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 1 --rttl --name TORdir \
    -j LOG --log-prefix "TORdir flood: "
iptables -A INPUT -p tcp --dport (torDirPort) -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 1 --rttl --name TORdir -j DROP
# First NEW connection in the window: remember the address and accept it.
# This rule has to come last; placed first it accepts every new connection
# before the check above can run.
iptables -A INPUT -p tcp --dport (torDirPort) -m state --state NEW \
    -m recent --set --name TORdir -j ACCEPT

(adapted from a SSH bruteforce mitigation rule to do a similar thing..)

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


Re: Encrypted Web Pages?

2007-12-17 Thread Michael Holstein


> I have what may perhaps seem like a strange question.
> Is there any commonly used software for encrypting and
> decrypting web pages?


Yes, SSL .. and it's been around for quite a while.


> Let me explain that a little better:  imagine a web
> site which has content destined for specific
> individuals.  For each individual there is separate
> content on separate pages, and no one but the
> individual for whom the content is destined should be
> able to read the content, not even the creator of the
> content!


Why not just SSL the site, and then restrict access to it using 
certificates (still X.509, but separate from the one used for transport 
security)



> In other words, is there a private/public key
> mechanism similar to PGP (or even a PGP web page
> plugin) that will work transparently while browsing
> the web?  The transparently part would mean that a
> user can provide a private key to a browser and any
> pages encrypted with the user's public key would
> automatically be decrypted for him when he views them.


Again, this can be easily provided by issuing X.509 certificates to the 
end-users and then requiring those certificates to authenticate to the 
webserver. Transport security (as it pertains to TOR, etc.) is provided 
by a separate X.509 certificate whose purpose is to sign the encrypted 
channel over which the data is transferred. You would manage the X.509 
certificates assigned to your users by yourself, so you could handle 
revocations (although Verisign, et al. will happily sell you a 
commercial X.509 solution for client auth).


If you had a scenario where you needed to deploy a webserver in hostile 
territory and needed to ensure the security of the data thereon, you 
could conceivably gzip and GPG each .html page and associated items with 
multiple public keys based on some other criteria (like what cert the 
browser provided) and then let the end-user decrypt it with their 
private .. but this definitely won't be automatic .. but you could 
wrap it in Java to make it somewhat portable if you wanted. You could 
also write an ActiveX or XPI plug-in to incorporate it into the browser 
.. but then you're putting a lot of trust in a 3rd party with your GPG 
keys.


~Mike.
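The split the reply describes, as an added example in the form of an nginx server block (not configuration from the thread): the server certificate from a public CA covers the transport, while a CA you run yourself issues the client certificates, so revocation stays in your hands. All file paths, the host name and the upstream address are placeholders.

```nginx
# Added example, not from the thread. Two separate X.509 roles:
#  - server.crt/server.key: transport security, issued by a public CA
#  - client-ca.crt: your own CA, the only issuer trusted for client auth
server {
    listen 443 ssl;
    server_name journal.example.edu;            # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Client authentication: the connection is refused unless the browser
    # presents a certificate that chains to client-ca.crt and is not on
    # the CRL you publish when you revoke a user's certificate.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_crl                /etc/nginx/tls/client-ca.crl;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Hand the verified subject DN to the application so it can serve
        # each user their own content; nothing is reachable without a cert.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;       # placeholder upstream
    }
}
```

With `ssl_verify_client on` the handshake itself fails for a browser without a valid certificate, so the application behind it never sees an unauthenticated request; the CRL is what makes the "you handle revocations yourself" part of the reply work.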


Re: Encrypted Web Pages?

2007-12-17 Thread Michael Holstein


> Despite my bias, an embedded java app
> would not work since it would be
> controlled (provided) by the hostile
> server right?


You could sign the applet with a key provided to your clients, since 
you're using a distribution model where you have known end-users (as you 
need their keys to encrypt the data).


My thought on Java was to be able to automate the key scheme within the 
browser, versus requiring them download a .gz.gpg file and decrypt it on 
their own. A (sort-of) working example of this is how HushMail does it 
(using Java to code the PGP stuff).


It's an interesting threat model though :)

~Mike.


Re: Encrypted Web Pages?

2007-12-17 Thread Michael Holstein


> Is there a mechanism to use HTTPS to
> preencrypt web pages so that they
> are encrypted on the server (and so the
> server does not have the keys to decrypt
> them!)


Not using HTTPS per-se, but you can use SSL to encrypt files.


> My initial constraints are that once the data
> is put on the server that no one except for
> the intended recipient could decrypt it,
> including the original poster, server admin...


Or, to basically do with HTTP what GPG does with email. The original 
poster would necessarily need to have access to the plaintext, as they 
would need to encrypt it with the end-user's public keys (each of them 
individually).


I'm not a mathematician, but it can't be wise to store multiple copies 
of the same plaintext encrypted by the same cipher using different keys 
.. much crypto has historically been broken that way.



~Mike.


Re: Best Hardware for TOR server..

2007-12-14 Thread Michael Holstein



> P4 processor @ 3GHZ, Intel MB, 2GB DDR2 RAM, 80 GB SATA HD


This will be fine (more than fine, actually) .. I had no issues running 
a ~10mbit (symmetric) node on an old P3/1ghz with 1gb RAM (it was FreeBSD).



> all behind a Linksys Firewall Router.


This will be a problem. Cheap-o routers don't have enough memory to 
manage huge state tables. You'd be better off getting a second NIC card 
for the PC and just using the server to firewall/NAT your LAN, in 
addition to running TOR. If that scares you, just re-use an old PC and 
run Smoothwall on it (or any of the other many appliance distros that 
do this).



> My service provider will most likely be Comcast cable broadband.



YMMV, but Comcrap will axe you if they know you're running servers, and 
they WILL know that if you decide to run an exit, because they'll get 
lots of complaints about it. I lost count of the number of complaints 
mine generated, but I still have copies of the various subpoenas I got (*).


Good luck in any case!

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

(*): ultimately, it wasn't all the legal problems that made me take down 
our node, it was the fact that I couldn't stop folks who were stealing 
journal articles from various academic publishers that (stupidly) rely 
on CIDR subnetting to authenticate a campus.


Re: Best Hardware for TOR server..

2007-12-14 Thread Michael Holstein




> I've been running a server (phrenograph) on a Comcast connection in
> the Washington, DC, area for a few months now, and I haven't heard
> anything from Comcast about it.


I guess I should have been more clear .. I ran the tor node on an 
academic network, and we have our own ASN, so there's no provider to 
complain to (but that didn't stop them from trying .. one idiot used our 
public email/phone directory to email the president of our .edu). I'm 
also the ORG-ABUSE contact on our ARIN record, and I'm the one that 
reads security@ and [EMAIL PROTECTED]


I did, however, annoy Comcast in Indiana by using honeyd to answer 
every one of their stupid FTP/HTTP probes that they were sending out 
back in the day to see if you were running servers. Again, YMMV .. but 
their TOS is pretty clear on the issue :


http://www.comcast.net/terms/subscriber.jsp

*Prohibited Uses of HSI.* You agree not to use HSI for operation as an 
Internet service provider, a server site for ftp, telnet, rlogin, e-mail 
hosting, Web hosting or other similar applications


Cheers,

~Mike.


Re: Best Hardware for TOR server..

2007-12-14 Thread Michael Holstein



> Are you sure OpenWRT on a Linksys can't handle the states with 32 MBytes RAM,
> and a 0.2..0.5 MBit/s upstream?


Yeah, but the standard store-bought WRT54G (ver 6) is only 8mb.


> Linksys uses Linux (Vxworks for its more braindead types of routers which
> I know nothing about), but the default firmware is pretty pathetic.


No they don't .. they've been using VxWorks on those standard Linksys 
boxes for quite a while. They created the WRT54GL (Linux model) which 
was basically the same hardware as earlier generation WRT54G's. The 
reason they (Linksys) changed was to save a few bucks on hardware costs 
(and because they know the Linux tinkerers will pay the extra $20).


~Mike.


Re: Spam over Tor

2007-10-25 Thread Michael Holstein



> What exactly is happening? Somebody is using your Tor exit node to
> access a website (yahoo mail) and using that to send spam? And this is
> being traced back to you by the spam being traced back to Yahoo, and
> Yahoo checking their webmail logs and finding your exit node's IP?


Look at a Yahoo! mail's headers .. the IP of the submitter (by HTTP from 
...) is in there.


I don't see how this is any different than the "pwned" calls (eg: "hey 
dood .. somebody flamed my blog from yer server!") .. people have been 
using free porno (or whatever) to get folks to answer Yahoo/Hotmail 
captchas for a while now .. and then using those accounts to send spam 
until Yahoo/Hotmail/etc figures it out and they move on to the next account.


Actually blocking Yahoo mail without causing other problems would 
require a fair amount of work, but could be done by proxying outbound 
traffic and filtering the specific bits of the URL that allow composing 
an email.


Re: Hello Ringo Kamens,,, Having trouble setting up TOR server behind firewall...

2007-10-25 Thread Michael Holstein

http://your.router.ip

username: blank
password: admin

Go to the Advanced tab -> Forwarding

set up two applications, ORport, DIRport .. select TCP, select 9001 and 
9030, and point them to whatever IP you have on your linux box.


Make sure you tell TOR to advertise your external IP address via torrc.

~Mike.

Hello Ringo Kamens
  Nice to hear from you, and thank you for your response. I am running 
RHEL v5, and a Linksys hardware firewall. I do not know yet how to 
configure port forwarding, am going to check with firewall settings to 
see if port forwarding is available there and confirm that I have 
entered the right IP of my RHEL system behind the firewall. I will 
reply with updated news, thanks for reply, hope ppl stay interested.,,:),,

  Algenon

*/Ringo Kamens [EMAIL PROTECTED]/* wrote:

It sounds like you haven't enabled port forwarding on your firewall.
Even if the ports are unblocked, the traffic might not go to the
server. You need to forward all traffic coming to the firewall on
ports 9001 and 9030 to your tor server.
Comrade Ringo Kamens

On 10/23/07, algenon flower wrote:
 Hello experienced TOR ppl,
 I am trying to set up a TOR server on Linux Redhat Enterprise v5,, I am
 using a Linksys hardware firewall that does have NAT and have modified the
 system to open ports 9001-9031. I have just installed TOR and Vidalia for
 Redhat on my system, and, using Vidalia, configured TOR to act as a server. My
 problem is: (TOR log below)

 Oct 22 20:45:19.089 [Notice] Tor v0.2.0.7-alpha (r11572). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686)
 Oct 22 20:45:29.624 [Notice] Tor has successfully opened a circuit. Looks like client functionality is working.
 Oct 22 20:45:29.769 [Notice] Now checking whether ORPort 24.22.67.176:9001 and DirPort 24.22.67.176:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
 Oct 22 20:46:37.127 [Warning] eventdns: All nameservers have failed
 Oct 22 20:46:37.299 [Notice] eventdns: Nameserver 68.87.69.146 is back up
 Oct 22 20:47:29.326 [Notice] Freeing linked Socks connection [waiting for circuit] with 65 bytes on inbuf, 0 on outbuf.
 Oct 22 20:54:35.222 [Notice] Freeing linked Socks connection [waiting for circuit] with 65 bytes on inbuf, 0 on outbuf.
 Oct 22 21:00:39.050 [Notice] Freeing linked Socks connection [waiting for circuit] with 65 bytes on inbuf, 0 on outbuf.
 Oct 22 21:05:25.858 [Warning] Your server (24.22.67.176:9001) has not managed to confirm that its ORPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
 Oct 22 21:05:25.876 [Warning] Your server (24.22.67.176:9030) has not managed to confirm that its DirPort is reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.

 ***

 To simplify things, I have disabled Redhat's software firewall, to make
 sure it is not causing the problem. I am a little unsure I have configured
 my firewall to accept traffic on ports 9001 and 9030,, I can supply info
 from the firewall to whomever is interested in helping.
 Does anyone have any good ideas about how I can get my TOR server up &
 what the problem is?? Love to hear,,,

 Algenon









Re: Filtering traffic from your node - for exit points

2007-09-11 Thread Michael Holstein


Don't forget the side effect - that the more questionable material we 
filter the more remains to be used in legal ways.


You're missing the point.

If you live under a repressive regime whereby you feel legally obligated 
to filter the exit traffic, you should be using the client, not running 
a server.




RE: exit policies (WAS: Re: Filtering traffic from your node)

2007-09-11 Thread Michael Holstein



The only problem I have with the latter is that blocking beyond IP
and/or port blocking is not handled by the directories.
  


Not only that, but the directory structure doesn't scale to those of us 
that need large exit policies.


I ran a 10MB/sec exit node at my .edu for a while, and it was ultimately 
the politics of people ripping off journal articles, accessible since we 
have a /16 netblock and that's how the journal services differentiate an 
on-campus versus off-campus user (yes, I know that's a bad idea, but 
that's how they do it) that made me shut it down.


I have thousands of IPs I'd need to block .. and it's detrimental to TOR 
to fib about what you'll exit (I tried lying via /etc/hosts, and later 
nullrouting with ipfw .. BOTH were a BAD idea, but the only thing I 
could think of).


How about this idea .. what if a TOR server could send a reply back to 
the client (via the TOR network) that says "my local exit policy 
prohibits that". It could be a HTTP status code, a TCP flag, anything .. 
not as efficient as telling the client to not try in the first place, 
but better than just breaking it without notifying.


(I mention the HTTP code because that would be easy to implement in a 
proxy, and the TCP mangling because it'd be easy with NetFilter).


Performance-wise, you'd want to cache the list of nodes/can't-do's in 
memory, since you wouldn't want that stuff written to disk (ever). That 
might be the Achilles' heel in my idea.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


Re: Connections to botnet masters

2007-08-27 Thread Michael Holstein



Some time ago we had a thread about SORBS and many exit nodes were
listed in this DNSBL with the attribute "trojan hacked". Conclusion of
the thread was: They have no clue!
  


Yeah .. well SORBS is to be taken with a grain of salt.

Google sometimes does not work with several exit nodes and gives you the
message "You may have a virus or malware, please clean your computer!"
(or something like that).


As do Slashdot, Craigslist, and a bunch of others. People tend to be 
jerks when they are anonymous .. and yes, it is sort of the price you pay


Re: Ideas on increasing the significance of tor

2007-05-30 Thread Michael Holstein

MRTG monitoring of my box clearly shows what's going on with throughput
and cpu load. Thus I'm bothering this mailing list with more enhanced
multithread capabilities, taking better advantage from multiple cores.


Two ideas :

run multiple instances (and use family option), and let each instance 
handle ($X) amount of traffic. Since TOR doesn't thread itself very 
well, that's one way to do it (sort of like what you've got to do with 
Snort).


(or)

run tor using hardware crypto acceleration (it's sort-of supported, 
usually via patches to OpenSSL)


Side note to developers .. why not create one parent thread and ($n) 
worker threads (like Apache, etc. does) to solve this?




Re: ISP TOS restrictions on servers

2007-05-29 Thread Michael Holstein

Do ISPs really care about whether people run servers on residential accounts


Depends on who you ask .. but generally, as long as you pay your bill 
and you don't make them do paperwork on your behalf (eg: DMCA crapola), 
they ignore it.


do they scan ports? If so, how often? 


Again .. depends. Back when I had ComCrap (Comcast), I'd get hits on 
tcp/21 fairly often. Run your ftpd on some obscure port (better yet with 
starttls) and you'll be fine.


Will they be able to decrypt the data from a middle node? 


Not in this lifetime.

Is it worth also running a public web\ftp server (on a different port than 80\21)? 


Always .. they don't have the patience to scan every port .. avoid the 
well-known ones and you'll be fine.



If they find out, will it be a  warning letter or termination?


Usually you get a warning first, unless they get a DMCA or some-such on 
your behalf .. then you generally get a 1-year ban from that company.


On the plus side, getting canceled by them gets you out of your contract 
agreements. Play your cards right and keep mis-spelling your name when 
you sign-up, and you can switch between cable and DSL forever.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


Re: Tor nodes blocked by e-gold

2007-04-27 Thread Michael Holstein

SORBS marks TOR servers as zombie spammers I believe.


Um, in the interest of settling this argument :

grep router cached-routers |grep -v signature |awk -F " " '{print "host "$3".dnsbl.sorbs.net"}' |sh


(most return NXDOMAIN, meaning not listed by SORBS). The ones that do, 
return the database in which they're listed as the last octet.


  http.dnsbl.sorbs.net          127.0.0.2
  socks.dnsbl.sorbs.net         127.0.0.3
  misc.dnsbl.sorbs.net          127.0.0.4
  smtp.dnsbl.sorbs.net          127.0.0.5
  new.spam.dnsbl.sorbs.net      127.0.0.6
  recent.spam.dnsbl.sorbs.net   127.0.0.6
  old.spam.dnsbl.sorbs.net      127.0.0.6
  spam.dnsbl.sorbs.net          127.0.0.6
  escalations.dnsbl.sorbs.net   127.0.0.6
  web.dnsbl.sorbs.net           127.0.0.7
  block.dnsbl.sorbs.net         127.0.0.8
  zombie.dnsbl.sorbs.net        127.0.0.9
  dul.dnsbl.sorbs.net           127.0.0.10
  badconf.rhsbl.sorbs.net       127.0.0.11
  nomail.rhsbl.sorbs.net        127.0.0.12

Of the 887 IPs I have in my cached-routers file, 709 return NXDOMAIN. 
The others :


0   http.dnsbl.sorbs.net
0   socks.dnsbl.sorbs.net
0   misc.dnsbl.sorbs.net
0   smtp.dnsbl.sorbs.net
2   *.spam.dnsbl.sorbs.net
0   web.dnsbl.sorbs.net
0   block.dnsbl.sorbs.net
0   zombie.dnsbl.sorbs.net
46  dul.dnsbl.sorbs.net
0   badconf.rhsbl.sorbs.net
0   nomail.rhsbl.sorbs.net

So, according to SORBS, they're blacklisted because they're in dynamic 
IP ranges.


Cheers,

Michael Holstein CISSP GCIA
Information Security Administrator
Cleveland State University


Re: Tor nodes blocked by e-gold

2007-04-27 Thread Michael Holstein
(gaak .. make that 759 queries, 709 NXDOMAIN, and 48 that appear somehow 
.. the rest of what's below is correct).


~Mike.

Michael Holstein wrote:

SORBS marks TOR servers as zombie spammers I believe.


Um, in the interest of settling this argument :

grep router cached-routers |grep -v signature |awk -F " " '{print "host "$3".dnsbl.sorbs.net"}' |sh


(most return NXDOMAIN, meaning not listed by SORBS). The ones that do, 
return the database in which they're listed as the last octet.


  http.dnsbl.sorbs.net          127.0.0.2
  socks.dnsbl.sorbs.net         127.0.0.3
  misc.dnsbl.sorbs.net          127.0.0.4
  smtp.dnsbl.sorbs.net          127.0.0.5
  new.spam.dnsbl.sorbs.net      127.0.0.6
  recent.spam.dnsbl.sorbs.net   127.0.0.6
  old.spam.dnsbl.sorbs.net      127.0.0.6
  spam.dnsbl.sorbs.net          127.0.0.6
  escalations.dnsbl.sorbs.net   127.0.0.6
  web.dnsbl.sorbs.net           127.0.0.7
  block.dnsbl.sorbs.net         127.0.0.8
  zombie.dnsbl.sorbs.net        127.0.0.9
  dul.dnsbl.sorbs.net           127.0.0.10
  badconf.rhsbl.sorbs.net       127.0.0.11
  nomail.rhsbl.sorbs.net        127.0.0.12

Of the 887 IPs I have in my cached-routers file, 709 return NXDOMAIN. 
The others :


0    http.dnsbl.sorbs.net
0    socks.dnsbl.sorbs.net
0    misc.dnsbl.sorbs.net
0    smtp.dnsbl.sorbs.net
2    *.spam.dnsbl.sorbs.net
0    web.dnsbl.sorbs.net
0    block.dnsbl.sorbs.net
0    zombie.dnsbl.sorbs.net
46   dul.dnsbl.sorbs.net
0    badconf.rhsbl.sorbs.net
0    nomail.rhsbl.sorbs.net

So, according to SORBS, they're blacklisted because they're in dynamic 
IP ranges.


Cheers,

Michael Holstein CISSP GCIA
Information Security Administrator
Cleveland State University



SORBS and TOR

2007-04-27 Thread Michael Holstein

Okay, I flummoxed the dnsbl .. forgot that you had to reverse the octets.

This is more like it ..

 grep router cached-routers |grep -v signature |awk -F " " '{print $3}' 
|awk -F '\.' '{print "host "$4"."$3"."$2"."$1".dnsbl.sorbs.net"}' |sh


(yes, I know I probably could have done that easier with perl, just 
didn't want to think on it long)


Total queries : 892
573  NXDOMAIN
0    http.dnsbl.sorbs.net
0    socks.dnsbl.sorbs.net
0    misc.dnsbl.sorbs.net
0    smtp.dnsbl.sorbs.net
4    *.spam.dnsbl.sorbs.net
68   web.dnsbl.sorbs.net
0    block.dnsbl.sorbs.net
0    zombie.dnsbl.sorbs.net
247  dul.dnsbl.sorbs.net
0    badconf.rhsbl.sorbs.net
0    nomail.rhsbl.sorbs.net

(so yes, they still block most because they're in dynamic address 
ranges, but they block a bunch as web proxies too).


I didn't test as to which ones were exits or not, so I assume most of 
the middlemen didn't get listed.


Sorry about the earlier screw-up. Mea culpa.

Michael Holstein CISSP GCIA
Cleveland State University
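
Added example (not from the post, nor Tor's own code): the same check in Python, with the octet reversal the first attempt missed and the 127.0.0.N answers mapped back to the SORBS lists tabulated above. The cached-routers excerpt and the DNSBL answers are constructed so it runs offline; live_resolve() is the hook for a real lookup of your own relay addresses.

```python
"""Check Tor relay addresses against SORBS the way the post does: reverse the
octets, query <reversed-ip>.dnsbl.sorbs.net, and map the 127.0.0.N answer back
to the list it stands for. Sample data below is constructed for illustration."""
import ipaddress
import socket
from collections import Counter

# Answer code (last octet) -> list, as tabulated in the post.
SORBS_LISTS = {
    2: "http.dnsbl.sorbs.net",
    3: "socks.dnsbl.sorbs.net",
    4: "misc.dnsbl.sorbs.net",
    5: "smtp.dnsbl.sorbs.net",
    6: "*.spam.dnsbl.sorbs.net",   # new/recent/old/spam/escalations all answer .6
    7: "web.dnsbl.sorbs.net",
    8: "block.dnsbl.sorbs.net",
    9: "zombie.dnsbl.sorbs.net",
    10: "dul.dnsbl.sorbs.net",
    11: "badconf.rhsbl.sorbs.net",
    12: "nomail.rhsbl.sorbs.net",
}

# Constructed stand-in for a cached-routers file (documentation-range addresses).
SAMPLE_CACHED_ROUTERS = """\
router alpha 192.0.2.10 9001 0 9030
bandwidth 102400 204800 98304
router-signature
-----BEGIN SIGNATURE-----
router bravo 198.51.100.20 443 0 80
router charlie 203.0.113.30 9001 0 9030
router delta 192.0.2.40 9001 0 0
"""

# Constructed DNSBL answers keyed by query name; a missing name means NXDOMAIN.
FAKE_ANSWERS = {
    "20.100.51.198.dnsbl.sorbs.net": ["127.0.0.10"],               # dynamic range
    "30.113.0.203.dnsbl.sorbs.net": ["127.0.0.7", "127.0.0.10"],   # web proxy + dynamic
}


def relay_addresses(cached_routers_text):
    """Pull the address from 'router <nick> <addr> <orport> <socks> <dirport>' lines.
    Matching the first field exactly also skips 'router-signature', which the
    post's 'grep router | grep -v signature' had to filter out separately."""
    addrs = []
    for line in cached_routers_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "router":
            addrs.append(fields[2])
    return addrs


def dnsbl_name(ip, zone="dnsbl.sorbs.net"):
    """Build the query name: octets reversed (the step the first attempt forgot), then zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Map 127.0.0.N answers to SORBS list names; an empty answer set means not listed."""
    return {SORBS_LISTS.get(int(a.rsplit(".", 1)[1]), "unknown:" + a) for a in answers}


def fake_resolve(name):
    """Offline resolver over the constructed table above."""
    return FAKE_ANSWERS.get(name, [])


def live_resolve(name):
    """Real lookup; gethostbyname_ex raises gaierror for NXDOMAIN, treated as unlisted."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def tally(cached_routers_text, resolve=fake_resolve):
    """Query every relay and count hits per list, like the post's summary table."""
    counts = Counter()
    total = 0
    for ip in relay_addresses(cached_routers_text):
        total += 1
        answers = resolve(dnsbl_name(ip))
        if not answers:
            counts["NXDOMAIN"] += 1
        for name in classify(answers):
            counts[name] += 1
    return total, counts


if __name__ == "__main__":
    n, counts = tally(SAMPLE_CACHED_ROUTERS)
    print(f"Total queries : {n}")
    for name, count in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{count:<5}{name}")
```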


AHBL and TOR

2007-04-27 Thread Michael Holstein

(while we're on the subject..)

Using the same testing method, AHBL's standard dnsbl lists 14 of the 
routers, but they have a second one (tor.ahbl.org) that lists 823 of 
them (only 63 return NXDOMAIN).


It's also not rocket science to run a client (or wget the directory from 
router/tor) and parse it for the IPs.


TOR's developers have always made it clear that people can block them, 
and even have a Google SoC project to write their own dnsbl.


It was just a business decision on behalf of eGold .. I'm guessing their 
risk analysis folks looked at the fraud numbers and saw a few too many 
from addresses associated with proxies (as always, a few bad apples 
spoil the lot...).


Ironic though, since eGold's claim to fame is making anonymous payments. 
Why wouldn't they want someone to make an anonymous payment *anonymously*?


~Mike.


Re: Building tracking system to nab Tor pedophiles

2007-03-07 Thread Michael Holstein
I've seen a VM that routes all traffic over TOR, invisibly to the O/S.  
(Not sure what they do about UDP).

Developed at Georgia Tech.


One better .. TOR on OpenWRT on a Linksys router.

Tor at the *hardware* level.

~Mike.


Re: Compile error w/0.1.2.9-rc on Kubuntu 6.10

2007-03-07 Thread Michael Holstein


checking for libevent directory... configure: error:
Could not find a linkable libevent. You can specify an
explicit path using --with-libevent-dir



./configure --with-libevent-dir=/usr/local/lib

that got it working for me (also Ubuntu 6.10 here, but the gnome variety)


Re: Norwegian DNS compromized

2007-02-28 Thread Michael Holstein

Poor kids DON'T!!!


Okay .. we're seriously off-topic here, but many a person's rights are 
trampled because :


it's for the children...

There is no okay form of censorship. A spade is a spade is a spade.

If you believe in censoring this or that, under any guise, then maybe 
TOR isn't the project for you.


~Mike.


Re: Newbie's questions

2007-02-27 Thread Michael Holstein
(1) Does it mean that even when I visit unencrypted sites, nobody would 
be able to tell what sites or pages I am requesting?


Correct. As long as you're also proxying the DNS via SOCKSv4, the only 
person that could see your traffic in the clear is the folks between 
the exit node and the destination.


However .. if you do something like access your (real) Yahoo mail, 
someone could connect that traffic with the real you .. because they 
could see your name in the HTTP traffic. Thus, it's unwise to leak the 
recipe to the secret sauce, and then go check your Hotmail account all 
in the same session.


You also need to be mindful of combining your anonymous and regular 
activities .. if, for example, you allow sites to set cookies and you 
visit two sites both using DoubleClick .. that cookie will connect the 
real you and the tor you. Same goes for any website that requires 
authentication (eg: Yahoo mail, etc.). Someone could check the logs and 
say "well, I see it was TOR this time, but yesterday it was Comcast."



(2) Can the green line be cracked by intercepting the packets or headers?


An attack against AES that's more effective than bruteforce is not (yet) 
known, so I'd say probably not, although TOR developers are clear to 
tell you it doesn't defend against a global adversary (eg: 
$3_letter_agencies).


(3) I don't know where the encryption key is stored. Can it be stolen if 
my pc is hacked?


The client key is in memory, so no .. unless you do something like 
suspend your laptop while TOR is running (thus writing it to disk). 
Also, it's possible to have the key written to swap accidentally.


You can prevent both those problems with a liveCD distro that doesn't 
touch the hard disk. There are many such internet privacy appliances, 
my personal favorite being the one based on OpenBSD (Anonym.OS).


Other general recommendations :

Firefox (dump cookies on exit, no cache, etc)
NoScript plugin (no javascript)
FlashBlock plugin (no flash)

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


Re: building pages with tor in mind

2007-02-27 Thread Michael Holstein

Have a look over here :

http://gemal.dk/browserspy/

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

Bryan Fordham wrote:
on a more general note: Does anyone actually have an example of how 
javascript can compromise your anonymity? Not it can obtain your 
IP-type stuff, but actual code.


Re: building pages with tor in mind

2007-02-27 Thread Michael Holstein
I have yet to see an example of pure JavaScript code that can read an 
end-user's IP address.  Any code I've seen returns either localhost or 
127.0.0.1.


Bear in mind you need not get javascript to return the results of 
something like ipconfig /all to work .. all you need do is create a 
non SOCKS'ed connection to somewhere.


Flash is one excellent way to do that .. invoked via JS.


Re: Tor server web page?

2007-02-22 Thread Michael Holstein

Run Apache (or whatever) on the same box and follow these instructions :

http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledClients

specifically :

To offer your directory mirror on port 80, where apache is already 
listening, add this to your apache config:


   <IfModule mod_proxy.c>
   ProxyPass /tor/ http://localhost:9030/tor/
   ProxyPassReverse /tor/ http://localhost:9030/tor/
   </IfModule>

Then just set the basic html page as you describe in htdocs. It's also 
a good idea to have the reverse dns say something like 
tor-anonymous-proxy.whateverdomain.com because that's the first place 
folks will look.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

Sam Creasey wrote:

I know I've seen this discussed on here, and it's pretty much just a
FAQ at this point, but somehow my google skills are failing me...

Does anyone have a link to some example text to reply to HTTP queries
for the / page of an ip which runs *only* a tor exit server? (http://torserver/)
Something along the lines of Any traffic you've seen from this IP was
generated by a tor server.  there is nothing to see here.

Thanks.

-- Sam



Re: PHP coder needs Tor details

2007-02-12 Thread Michael Holstein

Um .. send the signal to the pid of tor?
(or do it the lazy way and do 'killall -SIGNAL tor' from the command line)

see the PidFile part of torrc. Something sensible like /var/run/tor.pid 
comes to mind ... Then just 'kill -$signal $pid'.


Note : to make this work, the command that executes the SIG_WHATEVER 
will have to be either the same UID as what started TOR, or root .. a 
security concern since I'm guessing you want to do some web $foo with it 
and PHP.


Regards,

Michael Holstein CISSP GCIA
Cleveland State University

Mr. Blue wrote:

Hello,

I am new here and am trying to utilize Tor by PHP from command line.
I have read all manual and all faq but it helped me very little.

With that information I've only achieved to install tor and make PHP do 
request through Tor.


Problem 1:

I start Tor by simply typing tor in command line(FreeBSD 6.x). When I 
tried to stop it by SIGNALS from Tor man pages none of them worked.
Obviously SIGNALS are not meant to be passed to Tor through command 
line(This MUST be in a man but it ISN'T!), while options with their 
values ARE ok if passed to Tor through command line.


So let's firstly solve this - How to start and stop Tor through command 
line?

After that I will pass question 2.

Thanks in advance!

Ipsens




Re: About http request of browser.

2007-02-08 Thread Michael Holstein

True, but that's configurable in most sensible browsers.

In Firefox, check out the stuff in about:config
specifically the general.useragent.* stuff.

Better yet, get the User Agent Switcher plugin.

~Mike

devel wrote:

Hello,
In some cases when OS version or architecture are not popular, I think
that browser HTTP request can be bad for anonymity.


Re: Forwarding email ports

2007-02-05 Thread Michael Holstein

(responses inline) :


I read through the january archives on email ports, specifically 465,
587, and 995.

First, are these the ports needed to support standard secure email
(SMTP and PoP)?


Except for tcp/587 (submission), yes. 465 is smtps (smtp via SSL) and 
995 is pops (pop via SSL). tcp/587 is part of the standard exit policy 
(deny).



Second, why were there three of them for two protocols? Did I
misunderstand something?


Nope .. 587 is an alternative to 25. Unlike the other two, it's not 
encrypted.



Third, what are the implications -- both security, and legal -- if I
open these on my machine. I'm thinking in particular, that:
1. If only one exit node is outputting these ports, it becomes an
obvious snoop target -- how does that affect security?


Well, with TOR (and any anon proxy) you've got to trust the exit 
operator. This is why TOR says you should only trust it for transport, 
not end-to-end security, and you should use your own transport-layer 
security (eg: ssl, tls, ssh, ...)


2. If I'm forwarding email, am I likely to find my site blacklisted 
somewhere?


Yep .. 100%. Open proxies are an email-admin's worst friend. Exiting 
tcp/25 is a sure way to never send email again from that IP. Also, many 
websites that you probably enjoy (craigslist, slashdot, etc) have been 
hassled by tor-wielding vandals one-too-many times and will block even 
read-only access. Thus, it's wise to have the TOR box on a separate IP 
(that you'll never-ever need again .. the one we used here -- 5.13 -- a 
year ago is still blocked a number of places).



3. Am I likely to get some sort of Cease and desist letter, or other
legal hassle, for this?


Maybe .. but those are easy to respond to. A standard "I'm a TOR exit.." 
email usually does the trick. See the archives for examples .. I've 
posted one (SXW format) that has worked for $3_letter_agency subpoenas.



4. Since my machine has about 22K/s bandwidth, how likely is it that I
will be badly backlogged / overtargetted?


Set the BandwidthMax and Min to appropriate values and sleep easy.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
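
Added example (not from the post, nor Tor's own code): a first-match evaluator for Tor-style ExitPolicy rules, run over a constructed operator policy that exits the SSL-wrapped mail ports discussed in this thread and keeps 25 and 587 closed. The policy text and addresses are constructed; the rule grammar (accept|reject ADDR[/BITS]:PORT, with * and LOW-HIGH ranges, first match wins) follows torrc syntax, IPv4 only. It also shows how a catch-all placed first silently shadows every reject below it.

```python
"""First-match evaluation of Tor-style ExitPolicy rules (constructed example)."""
import ipaddress

# Constructed policy: exit the SSL-wrapped mail ports, keep 25 and the plaintext
# submission port closed, and show a CIDR-scoped rule (documentation range).
MAIL_POLICY = """
ExitPolicy reject 192.0.2.0/24:*     # constructed: a netblock we never exit to
ExitPolicy accept *:465              # smtps (SMTP over SSL)
ExitPolicy accept *:995              # pop3s (POP3 over SSL)
ExitPolicy reject *:25               # exiting SMTP gets the IP blacklisted
ExitPolicy reject *:587              # submission, plaintext, denied in the thread
ExitPolicy accept *:*
"""

# Same intent, wrong order: the catch-all is hit first, so the reject below it is dead.
MISORDERED_POLICY = """
ExitPolicy accept *:*
ExitPolicy reject *:25
"""


class ExitPolicy:
    """Ordered rule list; the first rule whose address and port ranges match decides."""

    def __init__(self, text):
        self.rules = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()          # drop comments and blanks
            if not line:
                continue
            if line.startswith("ExitPolicy"):
                line = line[len("ExitPolicy"):].strip()
            for rule in line.split(","):                 # torrc allows comma-separated rules
                self.rules.append(self._parse(rule.strip()))

    @staticmethod
    def _parse(rule):
        action, target = rule.split(None, 1)
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action in rule {rule!r}")
        addr, port = target.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in rule {rule!r}")
        return action, net, lo, hi

    def allows(self, ip, port):
        """True/False from the first matching rule; None if nothing matched (Tor
        would then fall through to the default policy it appends after yours)."""
        addr = ipaddress.ip_address(ip)
        for action, net, lo, hi in self.rules:
            if (net is None or addr in net) and lo <= port <= hi:
                return action == "accept"
        return None

    def dead_rules(self):
        """Indices of rules that can never fire because an earlier rule covers them
        completely (same or wider address scope and a containing port range)."""
        dead = []
        for i, (_, net, lo, hi) in enumerate(self.rules):
            for _, enet, elo, ehi in self.rules[:i]:
                wider = enet is None or (net is not None and net.subnet_of(enet))
                if wider and elo <= lo and hi <= ehi:
                    dead.append(i)
                    break
        return dead


def summarize(policy, ip, ports):
    """Decision per port for one destination, in the words torrc uses."""
    words = {True: "accept", False: "reject", None: "no match"}
    return {port: words[policy.allows(ip, port)] for port in ports}


if __name__ == "__main__":
    good = ExitPolicy(MAIL_POLICY)
    print(summarize(good, "203.0.113.5", (25, 465, 587, 995)))
    bad = ExitPolicy(MISORDERED_POLICY)
    print("dead rules in misordered policy:", bad.dead_rules())
```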


Re: Fwd: EZZI.net Abuse Warning

2007-01-24 Thread Michael Holstein
Here's the boiler plate I use for such things (137.148.5.13 was 
previously the exit-node router csutor). You should obviously 
's/137.148.5.13/your.ip.address/g':


--snip--

137.148.5.13 is an anonymous proxy that's part of the TOR network. You
can learn more about TOR at http://tor.eff.org.

We are unable to assist you in tracing the source of this attack, but it
did not originate from us -- TOR requires all traffic traverse three
onion routers in physically separate locations -- 137.148.5.13 just
happened to be the exit node for this particular session.

You're welcome to block 137.148.5.13 as you see fit. There are also
several free sites that assist in dynamic (DNSBL) blocking of TOR if you
so desire -- one is http://www.ahbl.org. TOR developers also make
available a Python script : http://tor.eff.org/cvs/tor/contrib/exitlist
which can obtain the IP addresses of all TOR exit nodes, given a copy of
the current directory : http://belegost.mit.edu/

Please let me know if I can be of further assistance.

Regards,

Michael Holstein CISSP GCIA
IST Information Security
Cleveland State University


xiando wrote:

Subject: EZZI.net Abuse Warning
Date: Tuesday 23 januar 2007 22:39
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

[EMAIL PROTECTED]

Regarding Server Main IP: 66.199.236.130

We got a notice from the Undernet IRC Network about a number of servers on
 our network making suspicious connections to their network, your server
 appears to be one of those boxes. It appears whoever caused this hacked the
 servers by brute forcing SSH logins and uploading a fake httpd binary and
 launching it.

Please look into this matter immediately, if you need help feel free to open
 a trouble ticket. It is also suggested you check your servers password
 policy and make sure your passwords are secure. We suggest at least 6
 characters, uppercase and lowercase letters and numbers.

We thank you in advance for your swift cooperation in this important matter.


Thank you,
EZZI.net Support Team

---

I got multiple copies of this (I have more than one Tor exit server).

There are - apparently - bad people on the Internet (no shit). It is likely 
the first time EZZI.net has got a (very much likely) Tor-related abuse 
complaint. 

Please share any view on how to respond to EZZI.net about some person on the 
Internet hacking some box on the Internet using Tor (which seems to be why 
EZZI.net wants me to explain myself).


Thanks.



Re: more letters from the feds

2007-01-11 Thread Michael Holstein
However, I don't know what that -HUP is about. 


man signal

(-HUP is 'hangup' .. )


Re: Opening 2 Firefox profiles |was: Re: Tor and Thunderbird: Outgoing Email Unsafe?

2007-01-03 Thread Michael Holstein

It's easy.

Start your first instance of firefox as usual. Start the second one like 
this : /path/to/firefox -ProfileManager and create a new profile (call 
it TOR, or whatever). You'll need to reinstall plugins (eg: FoxyProxy, 
NoScript, etc) under that new profile, but the settings are separate 
from your normal one.


Then just set up a shortcut to invoke the second instance using the 
-ProfileManager switch, and select the 2nd profile.


GeorgeDS wrote:

On Tue, 2007-01-02 at 13:23, Michael Holstein wrote:
The reason I suggested separate Firefox profiles is you can have the 
anonymous one and a regular one open at the same time, since routing 
everything through TOR makes your highspeed connection more like dialup 
(there's always a trade-off...).


If you could tell me how to do this I'd really appreciate it. This
may vary with OS. I've tried multiple times on Linux (CentOS/Red Hat
Enterprise 3.4) and not succeeded. Once one or more Firefox windows are
open, the -ProfileManager flag does not appear to be recognized, so I've
been unable to find a way to get copies of Firefox using different
profiles to open at the same time. It's a real nuisance to have to close
a dozen tabs, to do a few things with Tor.

Thanks.

George Shaffer







Re: Opening 2 Firefox profiles

2007-01-03 Thread Michael Holstein
I'm on Linux 2.6.17 (Ubuntu), and the -ProfileManager switch works fine 
for me, regardless of what windows are open.


Did you check the box "always ask which profile when starting firefox" 
the first time you created the 2nd profile?


~Mike.

George Shaffer wrote:

It may be easy on your system but not mine. I've read this works on
Windows. My experience is that it does not on Linux.

I've used -ProfileManager with firefox on the path, with the entire
explicit path to firefox, and switching to the firefox directory and
using ./firefox. I've tried this on Linux, CentOS 3.3 and 4.4, which
should be functionally identical to Red Hat Enterprise Linux 3.3 and
4.4. I've even cut and pasted -ProfileManager from the Firefox Help: How
To Manage Profiles page to assure I was spelling and capitalizing it
correctly. The 3.3 system is much older but fully patched. The
-Profilemanager switch has never worked once any Firefox window is open.
On the 3.3 system, I have three quite different profiles, including one
specific to Tor, that I can switch between, but I've never succeeded in
opening two Firefox windows using different profiles at the same time.

If there is anyone who has solved this problem on a similar **Linux**
system, I'd like to know how.

Thank you,

George Shaffer

On Wed, 2007-01-03 at 08:51, Michael Holstein wrote:

It's easy.

Start your first instance of firefox as usual. Start the second one like 
this : /path/to/firefox -ProfileManager and create a new profile (call 
it TOR, or whatever). You'll need to reinstall plugins (eg: FoxyProxy, 
NoScript, etc) under that new profile, but the settings are separate 
from your normal one.


Then just set up a shortcut to invoke the second instance using the 
-ProfileManager switch, and select the 2nd profile.


GeorgeDS wrote:

On Tue, 2007-01-02 at 13:23, Michael Holstein wrote:
The reason I suggested separate Firefox profiles is you can have the 
anonymous one and a regular one open at the same time, since routing 
everything through TOR makes your highspeed connection more like dialup 
(there's always a trade-off...).

If you could tell me how to do this I'd really appreciate it. This
may vary with OS. I've tried multiple times on Linux (CentOS/Red Hat
Enterprise 3.4) and not succeeded. Once one or more Firefox windows are
open, the -ProfileManager flag does not appear to be recognized, so I've
been unable to find a way to get copies of Firefox using different
profiles to open at the same time. It's a real nuisance to have to close
a dozen tabs, to do a few things with Tor.

Thanks.

George Shaffer




Re: Tor and Thunderbird: Outgoing Email Unsafe?

2007-01-02 Thread Michael Holstein
Most exit nodes disallow port 25 (smtp) because NOT doing so would make 
TOR a spammer's paradise. If you know a relay-server that runs smtps or 
uses an alternate smtp port, use that.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University.

Job wrote:

Hello,

I just got Tor to be safer online and used the Tor-button to 
automatically configure Firefox and Thunderbird for Tor.
In Thunderbird however I have to exclude the server I use to SEND emails 
from being handled by Tor.


Maybe I am wrong but doesn't this defeat the whole purpose of Tor? Cause 
if my outgoing email is not handled by Tor the receivers can still see my 
IP and all the other data and so can easily identify me.
The most essential thing is to have the outgoing emails handled by Tor 
so the receiver can see my private information right?


How do I set thunderbird in such a way that the receiver of my emails 
won't be able to trace me or see my private info(IP etc etc)?







Re: Tor and Thunderbird: Outgoing Email Unsafe?

2007-01-02 Thread Michael Holstein
So if i use a web based email and use firefox with Tor to access it with 
my normal settings (the settings that I always use when i use the 
Internet) so not a totally separate profile. The receiver still won't be 
able to trace me right? 


Well .. sort of. The problem is cookies from the likes of doubleclick. 
You run the risk of having them re-check an existing cookie and seeing 
your real IP as well as your TOR ip. Would somebody subpoena 
doubleclick because you sent your boss a shitty email? probably not, but 
then again, doubleclick sells your personal info to anyone that can 
cough up an account number.


on my own computer they have nothing to do with any info the receiver of 
email might be able to get from the header or whatever of the email i 
sent, am i correct?


Receiver of email, no .. but cookies are managed by 3rd parties (and 
bear in mind that many 3rd party cookies (yahoo, for example) are used 
for customization of your page and are also read during a mail session 
-- so you run the risk of Yahoo knowing your real IP as well as your TOR 
one by identifying the UID in the cookie, and what IP accessed it. You 
can use the same browser for regular and anonymous browsing, but only 
have one window/tab open, go to about:blank and clear 
cookies/cache/sessions, then fire up tor and do your email. When done, 
kill tor, close all but one window/tab, clear cookies/cache/sessions 
from the about:blank page, and resume normal activities.


The reason I suggested separate Firefox profiles is you can have the 
anonymous one and a regular one open at the same time, since routing 
everything through TOR makes your highspeed connection more like dialup 
(there's always a trade-off...).


Some web-based email services, like mail.com if I am not mistaken, give 
you the option to download a little prog that warns you when a new 
email is in.
Does this affect my anonymity? I suppose it does as the server from 
mail.com will connect to my comp to tell me there is a new message. On 
the other hand, if I use Tor-enabled Firefox wouldn't that connection 
also be anonymous?


Depends. If that little program has SOCKS v4a support, then it'll work 
fine with TOR. Most of them only support an HTTP proxy though, which TOR 
is not (although you can use it with other programs to make it work). I 
say this because I have personally assisted in investigations where 
something like weatherbug (which broadcasts a unique ID) has positively 
identified a user, despite their use of a proxy.


If you just want to send a few anonymous emails here and there, I'd look 
into one of the many internet privacy appliances that are 
boot-from-cdrom operating systems that are totally locked down and route 
everything through TOR.


~Mike.


Re: Tor and Thunderbird: Outgoing Email Unsafe?

2007-01-02 Thread Michael Holstein

Here's another idea ... gmail allows SMTP via SSL (smtps on tcp/465).

You've got to authenticate for in/out (meaning google account) but you 
can get one of those anonymously. They do POP via SSL as well (pop3s on 
tcp/995). Combine the two and you've got a functional client.


This should help you out .. (applies to Outlook, but Thunderbird would 
use same settings in different places) :


http://mail.google.com/support/bin/answer.py?answer=13278query=smtptopic=type=fctx=search

Cheers,

~Mike.

Job wrote:

Thanks Mike for your fast and helpful replies

I am not that worried about traces of activities left on my computer. I 
just want to be sure receivers of email won't be able to see my IP and stuff.
So if I use a web-based email and use Firefox with Tor to access it with 
my normal settings (the settings that I always use when I use the 
Internet), so not a totally separate profile, the receiver still won't be 
able to trace me, right? I understand that for complete security I should 
make a new browser profile so the cookies won't mix. But as cookies are 
on my own computer they have nothing to do with any info the receiver of 
email might be able to get from the header or whatever of the email I 
sent, am I correct?


Some web-based email services, like mail.com if I am not mistaken, give 
you the option to download a little prog that warns you when a new 
email is in.
Does this affect my anonymity? I suppose it does as the server from 
mail.com will connect to my comp to tell me there is a new message. On 
the other hand, if I use Tor-enabled Firefox wouldn't that connection 
also be anonymous?


Last question: Why can't I access the account without Tor? (safety wise I 
mean). As long as I don't send any emails to anyone isn't it safe? I 
understand my ISP and mail.com will be able to trace me but not 
receivers of emails as I am not sending any at that moment.






Michael Holstein schreef:
ps: am I correct that if I use a web-based email account (for example 
gmail) without pop3 and I use (Torified) Firefox to access it I CAN 
send emails out without the receiver being able to see my personal IP 
etc?
I don't mind if they see my email address of course as they need that to 
reply to me, I just don't want them to be able to view my info.


Yes. TOR and (yahoo|hotmail|gmail|$whatever) is an anonymous way to go 
about it. Just make sure you use a totally separate browser profile 
(eg: start firefox with -ProfileManager) as to not cross-contaminate 
cookies, etc. and do everything regarding that email account -- 
including signup -- using TOR, and never access it outside of TOR, nor 
access anything else with that browser profile.


~Mike.





Re: suggestion for 'is my installation of tor working?' page

2006-12-19 Thread Michael Holstein

what about http://www.showmyip.com

It will tell you if you're using a TOR node (and which one, as well as 
its exit policy)


~Mike.

Robert Hogan wrote:

Hi all,

http://lefkada.eecs.harvard.edu/cgi-bin/ipaddr.pl?tor=1
https://tns.nighteffect.com/
https://torstat.xenobite.eu/

All of the above provide useful information for the first-time tor user. But 
the last two are only really meaningful to initiates (and probably confusing 
to everyone else), while the first is reassuring but could really offer a 
little more.


What is needed (IMVHO) is a page that confirms you are using tor successfully, 
but also introduces you to the other services that tor offers and also some 
advice for the tor debutante. A sort of official or unofficial 'welcome to 
the tor network' page. This could be linked to in the FAQ/INSTALL and used by 
controllers/front-ends.


Would the maintainers of any of the above be interested in providing such a 
thing? Given that the heavy lifting has already been done on all of the 
above, it would be very trivial to create. Would there be an appetite for 
such a thing on the tor homepage itself?


Suggestions for content:

* A warm greeting!
* Top Five things all tor users should know
* Appeal for users to run servers and link to how-to
* An introduction to some hidden services

Anyway, just a thought...

Robert




Re: Stephen Soghoian on U.S. Gov't Attitudes Toward Tor

2006-11-30 Thread Michael Holstein

What about the Department of the Navy that initially funded it?  I
wonder if it was pointed out in these meeting that it was the DoD that
wanted this in the first place through the Office of Naval Research
and DARPA?


Simple. It's okay for them to be sneaky to avoid *US* (the citizens) 
from knowing what they're up to, but *NOT* okay when we try to hide from 
them.


<TINFOIL HAT>
It's the .. you shouldn't mind if we're listening if you don't have 
something to hide... mentality that I've been told from many an $agency.

</TINFOIL HAT>

Keep in mind these are the same folks that think we should keep 
subscriber records for 3 years (and give them a key to our wiring 
closets) but stall like crazy when they get a FOIA request.


~Mike.


Re: setup tor in private intranet

2006-11-30 Thread Michael Holstein

I am new to tor and was wondering if it is possible to set up tor in a private 
intranet without gateways to the internet?  I have to
assume it is, but where would I find documentation and code to build such a 
system?


Yep .. just set up your own DirServer. See : 
http://tor.eff.org/tor-manual.html.en


(excerpt):

DirServer [nickname] [v1] address:port fingerprint
Use a nonstandard authoritative directory server at the provided 
address and port, with the specified key fingerprint. This option can be 
repeated many times, for multiple authoritative directory servers. If 
the v1 option is provided, Tor will use this server as an authority 
for old-style (v1) directories as well. (Only directory mirrors care 
about this.) If no dirserver line is given, Tor will use the default 
directory servers: moria1, moria2, and tor26. NOTE: this option is 
intended for setting up a private Tor network with its own directory 
authorities.


Cheers,

~Mike.


Re: hijacked SSH sessions

2006-10-17 Thread Michael Holstein
There have been various TOR exit nodes that have been behaving badly 
lately (check the tor-talk list) .. some are doing frames, popups, etc 
.. there is a list of bad nodenames somewhere on that list (can't find 
it at hand..)


Personally, I wouldn't use any exit node in China .. use the 
ExcludeNodes part of your torrc.


~Mike.

Taka Khumbartha wrote:

today I have had several attempted man in the middle attacks on my SSH 
sessions.  I am not sure which exit node(s) I was using, but the MD5 hash of the 
fingerprint of the spoofed host key is:

4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57

and it does not matter which host I connect to, the MD5 hash presented is 
always the same.

just a heads up



Re: Tor Defense Fund...an idea.

2006-09-11 Thread Michael Holstein

I agree that being behind someone else's firewall is a problem as the
user may not understand the implications of this and thus advertise an
impossible exit policy.


Suggestion for the coders .. make the client test itself and adjust the 
exit policy on the fly.


Re: Exit Node sniffing solution...an idea...

2006-08-21 Thread Michael Holstein
 4. A couple dozen _fast_ 24x7 exit nodes are run by
 trusted operators (read: known personally by Nick or
 Roger) on a local machine the operators control.

The $3_letter_agency would just *love* to have a dozen places (or 2
people) they already know about to serve the subpoenas.

 7. All Tor traffic exits from these .EXIT.onion nodes.

Again .. you've just defined where to wiretap.

The beauty of TOR is that anybody, anywhere can set up an exit node. The
design of the network allows an operator to sniff the exit, but still
can't tell where it came from. If you're using TOR, you shouldn't be
using your name in the first place (what's the point of *anonymously*
identifying yourself?).

I know there are other arguments for TOR like defeating geolocation, but
if that's all you're after, there are easier ways to do it (like just
rent a shell account somewhere and use SSH redirection).

/mike.


Re: My ExcludeNodes list...post yours

2006-08-18 Thread Michael Holstein
 Depending on what constitutes authentication (and encryption).  If the
 encryption adds integrity to the authentication (if not there already)
 and prevents an eavesdropper from being able to trivially learn what
 is needed to masquerade as you, then it has value against adversaries
 not sophisticated enough or motivated enough for stream
 hijacking. Good enough for many purposes. But in principle and
 for more sensitive usage your point is well taken, thus worth raising.

You need not stream-hijack .. you can cookie-jack (like in Yahoo's case
.. would give you 24hr access) .. then you look through old mail to see
who else somebody does business with, request password-resets be emailed
to you, and voilà! You're in.

If you use TOR 24x7, I'd suggest judicious use of FoxyProxy's rules to
ensure traffic that you'd rather be secure than anonymous just use your
own ISP (why pass a message through 3 strangers when you don't have any
desire to deny you sent it?).

Alternately, you can use FoxyProxy to *only* anonymize some things
(like your Google searches). /. published an article on this a week or
so ago.

~Mike.


Re: Can governments block tor?

2006-08-14 Thread Michael Holstein
 what prevents government from running Tor (exit) points and sniffing
 exit (incoming) traffic on them?

Nothing .. but the incoming traffic (between nodes 2 and 3) would be TLS
and encrypted.

(this is what I thought was happening when I saw a .cn exit node)

~Mike.


Re: Sending mail through TOR/Socks

2006-07-17 Thread Michael Holstein

what about configuring your SMTP/POP3 port to something else?


Sure .. if you can find an MTA that will do that (and of course you could 
always set one up, but that'd totally defeat the purpose of trying to 
hide the path).


Really, you're better off with tools like Mixmaster. The alternative is 
you could (using TOR) set up a Hotmail or Gmail account, and then (also 
using TOR) use one of the various Perl modules that offer an interface 
to those and send it that way.


Note that both limit the number of messages/day.

~Mike.


Re: DNS Server question

2006-07-14 Thread Michael Holstein

There is no way in Windows to redirect all DNS queries over Tor
at a system level yet.  Only at an application level.


You can use TorDNS to accomplish that.

http://sandos.ath.cx/~badger/tordns.html

/mike.


Re: Easy Firefox hacks to improve anonymity (HTTPS Header Scrubbing)

2006-05-24 Thread Michael Holstein

Why not just install the User Agent Switcher plugin for firefox?

http://releases.mozilla.org/pub/mozilla.org/extensions/user_agent_switcher/user_agent_switcher-0.6.8-fx+fl+mz.xpi

Does the same thing on the fly.

~Mike.

Anothony Georgeo wrote:

---

*CONCEPT*

There has been a bit of discussion lately about filtering
HTTP/S environmental variable headers and creating a
default HTTP/S header template for Tor users.

The last big hurdle (now solved) in header scrubbing
is the scrubbing of HTTPS headers.  


I think the solution is to use Firefox or FF
extensions to filter the HTTPS headers as FF and FF
extensions have access to the verified and decrypted
HTTPS headers on-the-fly by default.

I will describe how to edit the about:config menu
and  how to configure the FF extensions User Agent
Switcher and RefControl.

The goal is to enable HTTPS header scrubbing while
using the *same* anonymity set characteristics as those
which may be used by future releases of Tor bundled
with Privoxy (using the default template).
http://archives.seul.org/or/talk/May-2006/msg00327.html

For example, FF and FF extensions should make the
HTTPS headers identical to the HTTP headers created by
Privoxy.  Thus increasing the anonymity set and
everyone's anonymity in general.

The anonymity set that I am attempting to use is as
follows:

A. User-Agent: 
Mozilla, Windows XP, 128-bit encryption, English

(non-localized), Firefox.

-
Mozilla/5.0 (Windows; U; Windows NT 5.1; en;
rv:1.7.10) Gecko/20050716 Firefox/1.0.5
-

B. Referer(Referrer):
Is set to the root (home page) of the site you are
currently visiting (eg. http://www.example-root.com).



I think it is wise to use {forge} for the template
Referer setting.  If we use a real domain with the
{custom} parameter it may get Tor in trouble with the
real domain's owners.  I am pretty sure we can not use
{block} as it breaks many sites.

Note: 
HTTPS referrer from one HTTPS URL directly to another
HTTPS URL is set to {block} in case RefControl can not
properly handle these headers.  This is because I have
not tested (and I don't know) HTTPS to HTTPS referrer
headers.  


-Questions:
-Can 'referer' {custom} be set to a fake URL without
breaking sites?
- 'referer' {forge} will generate random headers for
Tor users, will this increase anonymity set?

C. Keep-Alive:
Close

D. Compression:
Prevented

E. X-Forwarded-for:
Not removed or spoofed as FF does not have this
capability.  Besides, the entry node removes your real
X-Forwarded-for: header and it already has your real
IP.

F. Ping:
FF will suppress the Ping function in HTTP/S.

---

**PROOF**
(More testing required)

1. Results from HTTPS (eg. SSL) environmental variable
test at
http://www.stilllistener.com/checkpoint1/ssi/


REMOTE_ADDR:
149.9.0.21

HTTP_ACCEPT:
text/xml,application/xml,application/xhtml+xml,
text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

HTTP_ACCEPT_CHARSET:
ISO-8859-1,utf-8;q=0.7,*;q=0.7

HTTP_ACCEPT_ENCODING:
gzip;q=0,deflate;q=0,compress;q=0

HTTP_ACCEPT_LANGUAGE:
en-us,en;q=0.5

HTTP_CONNECTION:
close

HTTP_COOKIE:
$1

HTTP_HOST:
www.stilllistener.com

HTTP_REFERER:
http://www.stilllistener.com/

HTTP_USER_AGENT:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en;
rv:1.7.10) Gecko/20050716 Firefox/1.0.5



2. Results from HTTP environmental variable test at
http://www.stilllistener.com/checkpoint1/test2/


REMOTE_ADDR:
64.74.207.50

HTTP_ACCEPT:
text/xml,application/xml,application/xhtml+xml,
text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

HTTP_ACCEPT_CHARSET:
ISO-8859-1,utf-8;q=0.7,*;q=0.7 
 
HTTP_ACCEPT_ENCODING:

gzip;q=0,deflate;q=0,compress;q=0

HTTP_ACCEPT_LANGUAGE:
en-us,en;q=0.5

HTTP_CONNECTION:
close

HTTP_COOKIE:

$1

HTTP_HOST:

www.stilllistener.com

HTTP_REFERER:

http://www.stilllistener.com/

HTTP_USER_AGENT:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en;
rv:1.7.10) Gecko/20050716 Firefox/1.0.5




---

**Directions**

--
Note:

I will attach the settings for Privoxy's
user.actions file which mirror those here in my next
post in this thread.
--



1. 
Start Firefox




2. 
Type this into the URL bar and hit [enter]: 


about:config



3. -HTTPS Referrer-
http://kb.mozillazine.org/Network.http.sendSecureXSiteReferrer

3a. Copy/paste the following line into the Filter:
bar:

network.http.sendSecureXSiteReferrer

3b. Right click on the title and choose "toggle";
ensure the 'Value' entry reads False.

{false} = Don't send the Referer header when
navigating from a https site to another https site.



4. -Keep-Alive(proxy connection)-
http://kb.mozillazine.org/Network.http.proxy.keep-alive

4a. Copy/paste the following line into the Filter:
bar:

Network.http.proxy.keep-alive

4b. Right click on the title and choose "toggle";
ensure the 'Value' entry reads False.

{false} = Never use keep-alive connections.



5. -Keep-Alive-
http://kb.mozillazine.org/Network.http.keep-alive

5a. Copy/paste the following line into the Filter:
bar:
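A way to verify that a browser actually emits the header set the post proposes is to feed a test page's NAME:/value dump back into a checker. The script below is an added example and not code from the original thread: it parses a dump in the shape of the stilllistener.com output quoted above (the sample dump here is constructed, with a TEST-NET address) and reports every departure from the template (User-Agent, Referer forged to the site root, Connection: close, compression refused). The HTTPS-to-HTTPS case, where the post blocks the Referer entirely, is treated as conforming when the Referer is absent.

```python
"""Check a browser's request headers against the scrubbing template in the
post above: the template User-Agent, a Referer forged to the site root,
Connection: close, and an Accept-Encoding that refuses compression.

This is an added example and not code from the original thread.  The CGI
dump below is constructed in the NAME:/value layout of the stilllistener.com
output quoted in the post; the IP address is from the TEST-NET range."""
from urllib.parse import urlsplit

# User-Agent string of the anonymity set the post proposes.
TEMPLATE_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; "
               "rv:1.7.10) Gecko/20050716 Firefox/1.0.5")

# Constructed sample dump (same shape as the post's test results).
SAMPLE_DUMP = """\
REMOTE_ADDR:
192.0.2.10

HTTP_ACCEPT_ENCODING:
gzip;q=0,deflate;q=0,compress;q=0

HTTP_CONNECTION:
close

HTTP_REFERER:
http://www.stilllistener.com/

HTTP_USER_AGENT:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.7.10) Gecko/20050716 Firefox/1.0.5
"""


def parse_cgi_dump(text):
    """Turn a NAME:/value dump into {header-name: value}.

    CGI exposes request headers as HTTP_<NAME> with '-' turned into '_' and
    upper-cased; this reverses that.  Variables without the HTTP_ prefix
    (REMOTE_ADDR) are not headers and are skipped.
    """
    headers, key, value = {}, None, []

    def flush():
        if key and key.startswith("HTTP_"):
            name = "-".join(w.capitalize() for w in key[5:].split("_"))
            headers[name] = " ".join(value)

    for line in text.splitlines():
        if line.endswith(":") and line[:-1].isupper():
            flush()
            key, value = line[:-1], []
        elif line.strip():
            value.append(line.strip())
    flush()
    return headers


def site_root(url):
    """scheme://host/ for a URL: the Referer value the template forges."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/"


def compression_allowed(accept_encoding):
    """True if any content-coding in Accept-Encoding has a q-value above 0."""
    for item in accept_encoding.split(","):
        coding, _, params = item.strip().partition(";")
        if not coding:
            continue
        q = 1.0  # default when no q parameter is given
        for param in params.split(";"):
            param = param.strip()
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 1.0
        if q > 0:
            return True
    return False


def check_headers(url, headers):
    """Compare one request's headers with the template; return findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("user-agent") != TEMPLATE_UA:
        findings.append("User-Agent is not the template string")
    referer = h.get("referer")
    if referer is None:
        # The post blocks the Referer for https->https navigation, so a
        # missing Referer only counts as a finding on plain http.
        if urlsplit(url).scheme != "https":
            findings.append("Referer missing on an http request")
    elif referer != site_root(url):
        findings.append("Referer is not forged to the site root")
    if h.get("connection", "").strip().lower() != "close":
        findings.append("Connection is not 'close' (keep-alive in use)")
    if compression_allowed(h.get("accept-encoding", "")):
        findings.append("Accept-Encoding still permits compression")
    return findings


if __name__ == "__main__":
    hdrs = parse_cgi_dump(SAMPLE_DUMP)
    url = "http://www.stilllistener.com/checkpoint1/test2/"
    print(check_headers(url, hdrs) or "headers match the template")
```

Run the HTTPS test page and the HTTP test page separately and compare the two dumps: the post's point is that both must produce an empty findings list, since a browser that scrubs only plain HTTP still stands out on every HTTPS site.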


Re: TOR on Academic networks (problem)

2006-05-17 Thread Michael Holstein

# Tor's connections originate on this host, so locally generated packets
# are rewritten in the nat table's OUTPUT chain (DNAT is not valid in
# POSTROUTING); the angle-bracket values are placeholders.
iptables -t nat -A OUTPUT -p tcp -d <ip of journal> --dport 80 -j DNAT \
  --to-destination <ip of your webserver>


FreeBSD here, but I'll try something along those lines.


Still, I would also agree that rejecting *:80 would be the best until
this IP as authentication issue is resolved.


Since the /etc/hosts approach poisons the DNS for clients, it now seems 
the better (although not ideal) approach is to allow legitimate DNS 
lookups, and then just blackhole the traffic. After 15 seconds, the 
client will give up and pick another node.


In reality, what I should do is just get a new /24 and put all the 
potentially bad stuff in there. Only problem is it'd be a subassignment 
since ARIN doesn't do a /24, and that gives people a higher place to 
complain. At least now, there's nobody besides us that folks can fuss at 
(unless they want to try and whine to our routing peers and get laughed at).


In ~6 months of running an exit, this is the first time this has ever 
been an issue .. so it hardly seems worth the effort .. but the 
potential for getting into hot water involving the contracts with 
publishers means I've got to do something.


grr

/mike.


Re: TOR on Academic networks (problem)

2006-05-17 Thread Michael Holstein

Thus making Tor suck for everyone.  The better approach would be to just
say reject *:80 or reject *:* or something like that.  Your node is
still useful as a middleman and wouldn't actively harm clients.


Everyone how? .. it'd just affect people trying to access a specific set 
of academic journals through TOR, and only for 15 seconds or so until it 
picked another node.


Academic networks represent a large portion of the TOR servers, and 
because of the way these journals operate, we all have this problem.


Either allow the ExitPolicy to be longer somehow, or change the program 
so the basic routing policy is published, and allow each server to 
have a more specific one that is checked only when someone's using that 
exit -- to say no, I don't allow that specific site, pick another node.


/mike.


TOR on Academic networks (problem)

2006-05-16 Thread Michael Holstein

I'm sure this has happened to others, but here goes on my problem.

Many academic networks have a variety of online journals they subscribe 
to (like thousands of them) .. most allow campus-wide use restricted 
only by IP address, usually the whole /16 or greater.


This of course presents a problem when you have a TOR router in that 
/16. Sometimes the admin at the journals will understand that TOR is 
just one of those 65k+ IP addresses and block that, and sometimes they 
get into a snit and say they'll block the whole /16.


Since we can't put thousands of lines in the exit policy without causing 
a cascading problem, what about null-routing them .. either by putting 
entries in /etc/hosts that will be denied by the exit policy (thus 
causing the client to pick another exit -- but not preventing access 
directly by IP address), or the more secure, but more problematic, 
blocking by changing the kernel routing tables to send those networks 
into a blackhole on the TOR router.


The first approach causes a minimal problem performance-wise since the 
client will choose a new path. The second will cause timeouts and 
significantly impact performance.


Problem is, if these sort of issues persist, most of our institutional 
support will evaporate -- so I'm going to have to do something.


I really don't want to hear about censorship, et.al. because I already 
know that's what it is, and don't have a problem admitting it. What I 
want is viable solutions to the problem.


Any suggestions?

Regards,

Michael Holstein CISSP GCIA
Cleveland State University


data remanence (was: Some legal trouble with TOR in France)

2006-05-14 Thread Michael Holstein

 There are methods (and they are used) to read data from a overwritten
 disk.

Has anyone tried creating a (ro) flash-boot linux system for TOR with 
all the (rw) stuff mounted in RAM ?


Such a device would raise the bar quite a bit, no? (AFAIK, there is no 
data remanence problem with DRAM .. unless $they can stop the clock and 
keep power applied).


(seeing the $agency come in with a UPS and trying to splice the A/C 
without shutting it off, and then carrying out the server on battery 
power conjures up memories of a certain Seinfeld episode).


/mike.


Re: [off topic] Configuring an IP blind Apache server

2006-05-01 Thread Michael Holstein

It seems like there should be a way to plug in privoxy or something,
but I can't quite think how.  Any suggestions or pointers?


Wouldn't it just be easier to edit your httpd.conf to change the log 
format to *not* log the IP address?


eg : take out the %h (for the IP address)

LogFormat "%l %u %t \"%r\" %s %b" common

Complete docs :

http://httpd.apache.org/docs/1.3/logs.html#accesslog

Perhaps I'm missing something, but if all you want to do is have an 
Apache server that doesn't log what comes in, there are much easier ways 
than using Privoxy (et.al.) to do it.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University


Re: [off topic] Configuring an IP blind Apache server

2006-05-01 Thread Michael Holstein

The idea is a system wide solution that allows any user group to
install any semi-random PHP/MySQL frob without having to hack around
trying to find and disable its IP logging.


Then do as Dan just suggested and forward it using your firewall .. 
advantage there is you can still ban a user if you see the need by 
inserting the appropriate DENY rule above your forward one.


Note that other things in your network may still log the traffic 
though .. (most hardware firewalls, for example) .. so be sure you know 
what the end-to-end security is at least as far as your perimeter router.(*)


/mike.

(*): well .. unless you use ATT as an ISP, since we know they forward 
everything to the ($3_letter_agency) anyway.


Re: Weird behavior of my server

2006-04-27 Thread Michael Holstein
Bridged will work if you have an extra IP for the VM. NAT will also 
work, but you need to modify the config to make it aware of its 
external address (and configure vmware-natd to forward 80/443).


~Mike.

Landorin wrote:

Okay, I'll try that out, thanks.
I just ran into another problem: the orport appears to be unreachable.
I really don't know how the connection works in VMWare environments.
Do I have to forward the orport to the VMWare IP or to my Windows IP?
Also, does it need bridged, NAT or host-only mode in VMWare?

Michael Holstein schrieb:


Okay, I just tried out a different orport and now the server
starts up. So somehow either port 443 is blocked already by
something else or it's because the permission is denied (since
it's a blank Ubuntu I guess it's the permission thing). Anything
I can do about it?


netstat -apn | grep 443   (as root)
lsof | grep 443           (as root)

either one will tell you what process is binding to 443. My guess
is Apache. Try killall httpd (as root) and then try again. Also
try (path might vary) /etc/rc.d/rc.httpd stop

~Mike.






--
Accelerate cancer research with your PC:
http://www.chem.ox.ac.uk/curecancer.html

GPG key ID: 4096R/E9FD5518


Re: Firefox through Tor

2006-04-27 Thread Michael Holstein

So the problem is that a motivated adversary can subpoena or simply
ask DoubleClick to hand over their IP/cookie logs. If you are using
Tor for /everything/, then what they get from DoubleClick for that
email address is just a Tor IP, no harm no foul. However, if the user
had set up a filter that only sends *yahoo.com through Tor, then
DoubleClick will have their /real IP/ on file in association with
whatever unique ID yahoo passed for that email address, even though
yahoo's records show only the Tor IP.


SwitchProxy (as well as CTRL+SHIFT+DEL) in Firefox will clear all cookies.

Anytime you switch between TOR/Direct you should close down to all but 
one blank window, clear cookies/cache one way or another, and *then* 
proceed.


/mike.
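The cookie cross-contamination the two replies above describe (here and in the Thunderbird thread earlier on this page) is easy to see in a third party's own log: a persistent UID cookie is presented from whatever client address the browser happens to have, so one UID seen from an ISP address and later from a Tor exit links the two. The script below is an added example, not code from the original thread; the log lines, UIDs and addresses are constructed (TEST-NET ranges), and TOR_EXITS stands in for a real exit-node list. It first reads the linkage off a constructed log and then models the recommended practice of clearing the cookie jar before switching paths.

```python
"""Why mixing cookie jars between direct and Tor sessions matters: a third
party that sets a persistent UID cookie logs every client IP that presents
that UID, so a UID seen from your ISP address and later from a Tor exit
links the two.  Added example, not code from the original thread; the log
lines, UIDs and addresses are constructed (TEST-NET ranges) and TOR_EXITS
stands in for a real exit list."""
from collections import defaultdict

# Constructed third-party log: timestamp, client IP, cookie, request line.
SAMPLE_LOG = """\
2006-04-27T09:00:01 192.0.2.15 uid=abc123 GET /pixel.gif
2006-04-27T09:05:44 198.51.100.7 uid=abc123 GET /pixel.gif
2006-04-27T09:06:10 198.51.100.7 uid=def456 GET /pixel.gif
2006-04-27T09:40:00 203.0.113.9 uid=def456 GET /pixel.gif
"""

# Constructed stand-in for a Tor exit-node list.
TOR_EXITS = {"198.51.100.7", "203.0.113.9"}


def parse_log(text):
    """Return (timestamp, ip, uid) tuples from the constructed log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cookie, *_ = line.split()
        rows.append((ts, ip, cookie.partition("=")[2]))
    return rows


def linked_identities(rows, exits):
    """UIDs presented from both a non-exit and an exit IP, with the IPs.

    This is what the third party (or whoever subpoenas its logs) can read
    off: a direct address and a Tor address tied together by one cookie.
    """
    seen = defaultdict(lambda: (set(), set()))
    for _, ip, uid in rows:
        seen[uid][1 if ip in exits else 0].add(ip)
    return {uid: (sorted(direct), sorted(via_tor))
            for uid, (direct, via_tor) in seen.items() if direct and via_tor}


def browse(session, exits, clear_on_switch):
    """Model the user's side: `session` lists the client IP used for each
    request, in order.  The cookie jar keeps its UID across requests; with
    clear_on_switch the jar is emptied whenever the path changes between
    direct and Tor, so the third party issues a fresh UID (the advice in
    the post: one blank tab, clear cookies, then switch)."""
    rows, uid, counter, prev_mode = [], None, 0, None
    for i, ip in enumerate(session):
        mode = ip in exits
        if uid is None or (clear_on_switch and mode != prev_mode):
            counter += 1
            uid = f"uid{counter}"
        rows.append((f"t{i}", ip, uid))
        prev_mode = mode
    return rows


if __name__ == "__main__":
    print("from log:", linked_identities(parse_log(SAMPLE_LOG), TOR_EXITS))
    session = ["192.0.2.15", "192.0.2.15", "198.51.100.7", "192.0.2.15"]
    print("jar kept:", linked_identities(browse(session, TOR_EXITS, False), TOR_EXITS))
    print("jar cleared:", linked_identities(browse(session, TOR_EXITS, True), TOR_EXITS))
```

Note that the linkage needs nothing from the mail provider itself: the provider's records can show only Tor addresses, as the quoted text says, while the third party's log still carries the real one next to the same UID.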


Re: Firefox extension: TorButton

2006-03-10 Thread Michael Holstein

SwitchProxy lets you manage and switch between *multiple proxy
configurations* quickly and easily. You can also use it as an anonymizer
to protect your computer from prying eyes.


Main bummer about that is it's a global setting. I wish I could control 
the proxy settings per TAB, not globally -- since if you've got Hotmail 
(or whatever) open when you switch, you've just advertised your identity 
associated with your new (tor) IP address.


Remember to close everything before you switch (and turn on the option 
to clear cookies in SwitchProxy).


~Mike.