Re: Data Retention Law Violates German Constitution
On 02.03.2010 15:27, Robert Marquardt wrote: We should not forget that the court did not forbid the storage of data but rather criticised the specific legislation. It did not challenge the 2006 EU directive that's the basis of the law. The only way to get rid of the data retention laws across Europe is that the European Union repeals the directive.

It's still a great success. A new law based on the very strict limitations of the court would be so much better than what we had until now, if they are able to implement it at all. And it triggered a new dynamic on this topic, so we can even hope that data retention will be canceled in general at EU level.

Sven

*** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
Re: Data Retention Law Violates German Constitution
On 02.03.2010 14:13, Sven Anderson wrote: On 02.03.2010 14:04, Marco Bonetti wrote: Sven Anderson wrote: Here is a German article: http://www.spiegel.de/netzwelt/netzpolitik/0,1518,681122,00.html

Do you, or anyone else, have an English article on this topic? In Italy we've had something very similar for many years.

Here is a short one in English. There are probably more out there. http://www.spiegel.de/international/germany/0,1518,681251,00.html

And here you can find a lot more: http://news.google.com/news/story?pz=1&hl=en&cf=all&ncl=dXnRA1R1tBEsHBMJx79e2_2dX3AbM
Re: Data Retention Law Violates German Constitution
On 02.03.2010 14:04, Marco Bonetti wrote: Sven Anderson wrote: Here is a German article: http://www.spiegel.de/netzwelt/netzpolitik/0,1518,681122,00.html

Do you, or anyone else, have an English article on this topic? In Italy we've had something very similar for many years.

Here is a short one in English. There are probably more out there. http://www.spiegel.de/international/germany/0,1518,681251,00.html
Data Retention Law Violates German Constitution
Hi there,

Regardless of its relevance for Tor nodes, there is very good news for Germany, and probably the rest of the European Union. Today the Federal Constitutional Court decided that the data retention law violates the German Constitution and all data must be deleted immediately. This is great and as one of the many plaintiffs I'm very happy about the result.

Here is a German article: http://www.spiegel.de/netzwelt/netzpolitik/0,1518,681122,00.html

Best regards, Sven
Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
On 13.04.2009 at 15:47, Tripple Moon wrote: Try to look at the big picture of what I want to accomplish as a whole, not just from Tor's P.O.V. I want to circumvent the polluted DNS service of my ISP/country and at the same time block personally chosen domains.

You always have to make clear what exactly you are talking about. Are you talking about blocking parts of your personal access or also the access of all users that are exiting through your Tor relay? The first is OK, the second is not.

Sven

smime.p7s Description: S/MIME cryptographic signature
Re: exit counts by port number over 61 days
Hi Scott,

On 13.04.2009 at 19:00, Scott Bennett wrote: 1) Why is the nicname/whois port the most heavily used? In fact, why is it getting much use at all?

My guess: spammers and profilers, scanning for email addresses and other personal data.

2) Why are there so many exits to the standard socks port? It seems kind of strange to go all the way through the tor network fully encrypted, only to exit in the clear to a port somewhere else for re-encryption. Similarly, what about pptp?

There are Trojans opening backdoors on that port. http://isc.sans.org/port.html?port=1080

4) Who still uses RFS? Didn't that die out a *long* time ago? (The rfs port had 70 exits.)

I bet nobody. That's why there seems to be somebody using the port for something else.

Sven
Re: Abuse ticket
On 17.03.2009 at 17:07, pho...@rootme.org wrote: something, but not for the general Internet connections. Since a criminal usually has a strong interest to hide something, I expect the proportion of criminal traffic to be quite high, especially in countries with a stable freedom of speech.

Criminals have vastly more opportunities to hide their traffic than just using Tor. They're already willing to break the laws, most normal people aren't. I've talked to victims of domestic abuse and targets of e-stalkers, who even after everything they've endured, won't break the laws. They won't break the laws even when it's in their best interest to be safe. Criminals will always abuse a system for their own gains and move on to the next thing.

Yes sure, but just to make that clear, I didn't say with a single word that Tor "produces" criminal acts, but it collects them without doubt, since it's very secure and easy to use. Of course criminals don't use Tor because it's legal, but because it's very effective, even compared with illegal options.

Sven
Re: Abuse ticket
On 17.03.2009 at 04:59, pho...@rootme.org wrote: In five years of running a node, I had my share of these too. From abusive forum posts to stupid people trying to break into .mil sites. I probably had 1 abuse complaint for every 10 TB of traffic served through

Not if the abuse caused 5TB of traffic. You are comparing the number of events with the number of bytes.

Tor. That's a pretty good ratio of good vs. bad.

This statement assumes that only complained traffic is bad traffic, which is wrong of course. I read this kind of argumentation many times and I don't like it. I'm a fan of Tor, but even more I'm a fan of clean and reasonable arguments. Still, the ratio of complained to total traffic can be a good argument for Tor. But we should be able to defend Tor also if it has a high abuse rate.

At the moment Tor's moderate performance requires a relatively strong interest in order to use it. My experience is that, because of this, people only use Tor in the moment they specifically want to hide something, but not for the general Internet connections. Since a criminal usually has a strong interest to hide something, I expect the proportion of criminal traffic to be quite high, especially in countries with a stable freedom of speech.

Sven
Re: UDP and data retention
On 19.12.2008 at 14:32, Sven Anderson wrote: On 19.12.2008 at 11:24, Eugen Leitl wrote: This is off-topic, but isn't UDP making data retention more difficult than TCP/IP?

Since you seem to talk about Germany: Again, data retention does not and will not happen on a per-packet basis and especially not on the transport layer (TCP/UDP) with the current law. There will "only" be records of which dynamic IP address was assigned to which customer at which time. That's it. See Paragraph 4 in [1] (German). [1] http://de.wikipedia.org/wiki/Vorratsdatenspeicherung#Verkehrsdatenspeicherung

I should add that anonymizing services, as far as the law can be applied to them, only have to record the mapping of data replacements, but _only_ for data that has to be recorded by another party anyway. This is only true for IP addresses in the case of Tor (not so for email anonymizers). So port numbers and the like are never allowed to be recorded by anonymizing services under the data retention law, since port numbers are also not allowed to be recorded by the internet access providers or any other party.

Besides that, the data retention law only applies to services in return for payment ("in der Regel gegen Entgelt erbrachte Dienste"). Since Tor is a completely free service (no payments, no ads), it is very likely that Tor operators are not allowed to store _any_ data.

In any case, UDP or TCP makes no difference. Besides data retention, there is also the "normal" lawful interception in case of probable cause. But in this case there are no restrictions on what to record, AFAIK. So I don't see why UDP would be more of a problem for them.

Sven
Re: UDP and data retention
On 19.12.2008 at 11:24, Eugen Leitl wrote: This is off-topic, but isn't UDP making data retention more difficult than TCP/IP?

Since you seem to talk about Germany: Again, data retention does not and will not happen on a per-packet basis and especially not on the transport layer (TCP/UDP) with the current law. There will "only" be records of which dynamic IP address was assigned to which customer at which time. That's it. See Paragraph 4 in [1] (German).

[1] http://de.wikipedia.org/wiki/Vorratsdatenspeicherung#Verkehrsdatenspeicherung

Sven
Re: Need help with MPAA threats
On 15.12.2008 at 14:11, David Kammering wrote: And, if I see things right, the bandwidth argument doesn't compute. IIRC, only the client<->tracker traffic is relayed via tor, and that's not the mass traffic of the actual big files.

Hmm, I must admit that I'm not too deep into p2p via Tor, but what I noticed from my mrtg stats of the exit node is that running a more restrictive exit policy gives me typical traffic flows with some spikes and so on; reverting to the standard policy peaks out the bandwidth completely. I have not further checked what the cause of this is, as it would have involved logging traffic, but I think most of it is p2p traffic, as running on the restrictive exit policy got me no further notes from the MPAA. Actually it is an observation I already thought about asking on the list; maybe someone could clarify if it is really p2p traffic peaking out the link with the open exit policy?

My experience is exactly the same. As long as you allow arbitrary ports your bandwidth is always maxed out because of file transfers. If you only allow port 80 you have very erratic bandwidth usage. Of course it's possible to download large files over HTTP as well. But the users obviously don't do it.

Sven
Re: Need help with MPAA threats
On 15.12.2008 at 12:57, Hannah Schroeter wrote: After all, a running exit node relaying on the "standard" ports like HTTP seems to be (for me) better than a completely switched off node because of legal troubles regarding file sharing.

But in the end, the situation is all the same for HTTP(S) as for BT. BT can (and *is*) used for legal content. E.g. I've already pulled (and redistributed, i.e. contributed) OpenBSD *legally* via bittorrent (of course not via tor). OTOH, you can use http(s) for illegal content, too. Especially via ssl.

Yes, in theory everything is possible with every protocol, as long as _some_ information is getting through. So it makes no sense to discuss theoretical possibilities. We should rather discuss the reality, that is the actual usage patterns. And it's a matter of fact that, if you restrict your exit policy, the MPAA complaints just stop, while the investigations regarding crimes like financial fraud and child porn are all related to port 80 traffic. So both protocols are used for crimes, but different types.

And, if I see things right, the bandwidth argument doesn't compute. IIRC, only the client<->tracker traffic is relayed via tor, and that's not the mass traffic of the actual big files. That's different when you pull big files via http(s) which you keep allowing (and big files also encompasses just bloated web sites with tons of inline and background images, or even flash stuff or whatever).

How can you claim "only the client<->tracker traffic is relayed via tor"? Most users don't have it configured that way I suppose, and that is backed up by my personal experience. There are a lot of Bittorrent file transfers over Tor if you allow arbitrary ports.

Sven
Re: Bittorrent packets
On 15.12.2008 at 14:35, Mitar wrote: Without adding those IPs to ExitRules it is not really "nice" that I would be blocking them just with a firewall, but this could maybe also be seen as a feature: making the Tor network unstable for Bittorrent users (for data transmissions).

I also had these BitTorrent traces in my Apache log. I looked into this and realized that, although the default exit policy claims to block P2P ports, there was still a lot of Bittorrent traffic. Unfortunately my own tests showed that you cannot block Bittorrent traffic with a black-list exit policy, but only with a white-list policy that only selectively allows the ports you want to support.

It is worth noting that even downloads from hosts behind NAT (or Tor for that matter) are possible with Bittorrent clients. The other clients who want to download but cannot connect directly because of NAT/Tor seem to publish their requests on the tracker, and the offering client connects to the requesting clients in order to _upload_ the data blocks. So it is actually possible that a Bittorrent client _offers_ files for download over your exit node.

Sven
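The black-list versus white-list point in the message above can be checked with a small policy evaluator. The following is an added example, not Tor's code and not anything posted on the list; it assumes the torrc ExitPolicy syntax `accept|reject ADDR:PORT` with first-match semantics, and the two policies and the sample connections are constructed for the illustration.

```python
"""Tor-style exit policy evaluator (added illustration, not Tor's own code).

Assumed torrc syntax: one rule per line, "accept ADDR:PORT" or
"reject ADDR:PORT", where ADDR is "*", an IPv4 address or a CIDR block
and PORT is "*", a single port or "LO-HI". The first matching rule wins.
Lines starting with "#" are comments.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    accept: bool
    network: Optional[ipaddress.IPv4Network]  # None stands for "*"
    lo: int
    hi: int


def parse_rule(line: str) -> Rule:
    """Turn one policy line into a Rule, rejecting malformed input."""
    verb, target = line.split()
    if verb not in ("accept", "reject"):
        raise ValueError(f"unknown verb {verb!r}")
    addr, _, port = target.rpartition(":")
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {port!r}")
    return Rule(verb == "accept", network, lo, hi)


def parse_policy(text: str) -> List[Rule]:
    lines = [l.strip() for l in text.splitlines()]
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]


def exit_allowed(policy: List[Rule], ip: str, port: int) -> bool:
    """First matching rule decides; a policy that never matches falls
    through to accept, so a white-list must end with 'reject *:*'."""
    addr = ipaddress.ip_address(ip)
    for rule in policy:
        if rule.network is not None and addr not in rule.network:
            continue
        if rule.lo <= port <= rule.hi:
            return rule.accept
    return True


# Constructed black-list-style policy: block well-known P2P and mail ports,
# allow everything else (the shape of a "reject a few ports" policy).
BLACKLIST_POLICY = parse_policy("""
reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*
""")

# Constructed white-list-style policy: only the ports you want to support.
WHITELIST_POLICY = parse_policy("""
accept *:80
accept *:443
reject *:*
""")

# Constructed sample of exit connections (documentation-range addresses).
SAMPLE_CONNECTIONS: List[Tuple[str, int, str]] = [
    ("203.0.113.10", 80, "web"),
    ("203.0.113.11", 443, "web"),
    ("198.51.100.7", 6881, "bittorrent"),   # default peer port, on the black-list
    ("198.51.100.8", 51413, "bittorrent"),  # non-default peer port, not on it
    ("198.51.100.9", 443, "bittorrent"),    # peer that happens to listen on 443
    ("192.0.2.5", 25, "smtp"),
]


def allowed_by_label(policy: List[Rule], conns=SAMPLE_CONNECTIONS) -> dict:
    """Count how many connections of each kind the policy would let exit."""
    counts: dict = {}
    for ip, port, label in conns:
        counts[label] = counts.get(label, 0) + int(exit_allowed(policy, ip, port))
    return counts


if __name__ == "__main__":
    print("blacklist:", allowed_by_label(BLACKLIST_POLICY))
    print("whitelist:", allowed_by_label(WHITELIST_POLICY))
```

Run it and the black-list lets the BitTorrent peer on a non-default port through while the white-list does not; the peer that listens on 443 passes both, which is the residue a port-based policy cannot remove on its own.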
Re: No data retention in germany for donated services
On 09.12.2008 at 14:23, Hans Schnehl wrote: Unfortunately it does not solve the problem; the mere fact that traffic is going to be logged and held for 6 months is the problem, not who does the actual logging. So the necessary data will be easily obtained on request of executives from the ISPs where nodes are hosted/running. But it may keep up the number of nodes in that country.

This is not correct! I have to repeat myself: There will be no general traffic logging at hosters! The data retention only records the information who used which "identifier" at which time. For access networks this is which dynamic IP address a customer used at a certain time. There will be no IP packet or TCP connection logging (at least not because of the data retention law)!

Sven
Re: technical solution for censorship [was: UK internet filtering]
On 08.12.2008 at 14:05, Benjamin S. wrote: On Saturday, 06.12.2008, 19:49 -0500, Gregory Maxwell wrote: http://community.zdnet.co.uk/blog/0,100567,10009938o-2000331777b,00.htm?new_comment I've confirmed the reports of UK ISPs censoring Wikipedia using some UK tor exits.

I think it's time to find a better technical solution to deal with censorship in different countries.

Technical solutions to circumvent censorship are welcome of course. But don't forget that Tor is designed to be an anonymity tool, not an anti-censorship tool. At the moment I see it as the responsibility of the user to choose an appropriate exit node when he/she suspects censorship. Of course you could use the exit policies to publish the censorship for each exit node, but that would result in the directories holding a list of all blocked IPs for each ISP, which would impair performance I guess.

Sven
Re: [OT] theoretical (but probably never practical) quantum encryption flaw found
On 06.12.2008 at 15:56, Scott Bennett wrote: It appears that a theoretical method of breaking quantum key distribution has been found; there's no cause for alarm (yet :-) because it requires the use of wormholes or some equivalent. :-) The abstract looks intriguing, but the paper was submitted to _Physical_Review_Letters_ only a month ago, so it will be a long time, if ever, before it sees publication. If you're curious, see the abstract at http://arxiv.org/abs/0811.1209

There is a link to the PDF of the full paper as well, so you don't have to wait for the PRL publication. But my Quantum Mechanics course 10 years ago was obviously not enough for me to be able to follow that paper. ;-)
Re: No data retention in germany for donated services
On 05.12.2008 at 10:22, Seth David Schoen wrote: Sven Anderson writes: Karsten N. just sent to the German exitnodes list a link to an article, which is very convincing and legally well-founded (see below). It explains that any service that is being donated to the public, that is, without taking money or any other return service (like advertisements) for it, is _not_ obliged to retain any connection data! Furthermore, since there is no gray area, whoever isn't obliged to retain data is not _allowed_ to retain data, and can be charged with a fee up to 10.000 EUR for doing so!

I'm not a lawyer in Germany or any jurisdiction and I don't have any knowledge or opinion of the convincingness or legal well-foundedness of this article. I encourage anyone who might want to rely on it to seek the expert opinion of a German lawyer. But I do read German, so I've translated Karsten's note and (most of) the text of the article below for the benefit of anyone interested in this material who doesn't read German.

Wow, that was probably a lot of work, thanks! However, I want to emphasize that the author of the article, Patrick Breyer, IS a German lawyer and wrote his PhD about data retention. [1] So I think the article itself can be seen as an expert opinion.

[1] http://events.ccc.de/congress/2006/Fahrplan/speakers/1207.en.html

Best regards, Sven
No data retention in germany for donated services
Hi,

Karsten N. just sent to the German exitnodes list a link to an article, which is very convincing and legally well-founded (see below). It explains that any service that is being donated to the public, that is, without taking money or any other return service (like advertisements) for it, is _not_ obliged to retain any connection data! Furthermore, since there is no gray area, whoever isn't obliged to retain data is not _allowed_ to retain data, and can be charged with a fee up to 10.000 EUR for doing so!

Since Tor is without doubt such a donated service, this turns the tables, and it is clearly a risk for a Tor operator in Germany to retain any data. (You would have to prove that you're financing your Tor node by a return service of the users and therefore are obliged to retain connection data. ;-) )

Thanks for that link, Karsten!

Best regards, Sven

Beginning of forwarded message:

From: "Karsten N." <[EMAIL PROTECTED]>
Date: 24 November 2008 10:26:02 CET
To: [EMAIL PROTECTED]
Subject: no data retention for free services

Hello Tor admins, at datenspeicherung.de there is an interesting essay on the retention obligations under §113a TKG (data retention). http://www.daten-speicherung.de/index.php/keine-vorratsdatenspeicherung-fuer-unentgeltliche-dienste/ According to it, Tor nodes (explicitly mentioned!) may *not* store any data.

Karsten N.
Tor and DNS attacks
Hi,

I just wondered if Tor might be vulnerable to DNS attacks during the bootstrapping phase? Is there a public key of a directory server included in all the Tor download packages to secure the initial contact to the directory servers?

I also want to emphasize again that everybody, but especially Tor node operators, should check that he/she is not vulnerable to DNS cache poisoning, for example by visiting this website: http://member.dnsstuff.com/tools/vu800113.php or by querying the TXT record of the domain porttest.dns-oarc.net with a command like 'host -t TXT porttest.dns-oarc.net'.

Sven
Re: Any plans to fix tor for OpenDNS?
On 13.11.2008 at 19:48, Praedor Atrebates wrote: What about this: I run a relay server on my laptop and my home desktop. My laptop can end up on whatever network I connect to (obviously). I DO have my own registered domain name and use it no matter what network I connect to, so my IP for my laptop can vary a lot. Can OpenDNS settings still be set to hold in this circumstance (tie it to a domain name)?

Yes, IIRC there is an option for dynamic IPs when you add a network. Then you can update your IP whenever you connect to the net with a small tool. (Like the one from DynDNS.org).

Sven
Re: Any plans to fix tor for OpenDNS?
On 13.11.2008 at 17:26, Matt LaPlante wrote: The very nature of OpenDNS conflicts with the concept of anonymity and privacy. By using the service, you're not only giving them the opportunity to track your requests, you're also allowing them to redirect your lookups to third parties at will.

If you switch off the redirects, this is true for any DNS resolver you might use and not OpenDNS specific. If your local DNS resolver has not recently been updated and doesn't use random ports for queries, it's always better to use OpenDNS for security reasons, since otherwise you are vulnerable to cache poisoning.[1] For the same reasons, if you want to use your own caching resolver, make sure you are using a current version that uses random query ports, and make sure the resolver is NOT behind a NAT router, because NAT destroys the port randomization.

Sven

[1] http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
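The porttest check mentioned in the two DNS messages on this page ("Tor and DNS attacks" and the reply above) reports whether a resolver varies the source port of its queries. The following added example, which is not the porttest service's code and not any resolver's, does the equivalent analysis offline on a list of UDP source ports observed for a resolver's outgoing queries, as one would pull from a packet capture of its upstream traffic; the three samples and the verdict thresholds are constructed assumptions. It also flags the NAT case from the reply: a resolver that randomizes well but sits behind a NAT device that rewrites the ports sequentially.

```python
"""Assess DNS query source-port randomization from observed ports.

Added illustration, not the porttest.dns-oarc.net service or any
resolver's code. Input is the list of UDP source ports a resolver used
for a burst of outgoing queries. Thresholds are assumptions chosen for
this example, not a published standard.
"""
import math
from collections import Counter
from typing import Dict, List


def entropy_bits(ports: List[int]) -> float:
    """Shannon entropy of the observed port distribution, in bits."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports: List[int]) -> float:
    """Share of consecutive queries whose ports differ by exactly 1.
    A NAT device that rewrites source ports from a counter produces this
    pattern even when the resolver behind it picked random ports."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if abs(b - a) == 1)
    return steps / (len(ports) - 1)


def assess_ports(ports: List[int]) -> Dict[str, object]:
    """Summarize a port sample and classify it (assumed thresholds)."""
    if not ports:
        raise ValueError("need at least one observed port")
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    seq = sequential_fraction(ports)
    if distinct == 1:
        verdict = "fixed"          # one source port for every query
    elif seq >= 0.8:
        verdict = "sequential"     # counter-like, e.g. rewritten by a NAT
    elif distinct >= 0.9 * len(ports) and span >= 20000:
        verdict = "randomized"     # spread widely, almost never reused
    else:
        verdict = "weak"
    return {
        "samples": len(ports),
        "distinct": distinct,
        "span": span,
        "entropy_bits": round(entropy_bits(ports), 2),
        "sequential_fraction": round(seq, 2),
        "verdict": verdict,
    }


# Constructed observations for three resolver setups.
FIXED_PORTS = [53] * 16                          # legacy resolver, fixed port
NAT_REWRITTEN_PORTS = list(range(40000, 40016))  # random ports rewritten by a sequential NAT
RANDOM_PORTS = [40213, 5527, 61044, 18392, 52911, 9786, 33520, 58133,
                27441, 14879, 49066, 63209, 3841, 37795, 21658, 55302]


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORTS),
                         ("behind NAT", NAT_REWRITTEN_PORTS),
                         ("randomized", RANDOM_PORTS)]:
        print(name, assess_ports(sample))
```

The entropy figure is capped by the sample size (16 distinct ports can show at most 4 bits), so for a real check collect a few hundred queries; the "sequential" verdict is the one to look for when a resolver passes a local test but sits behind a home router.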
Re: Any plans to fix tor for OpenDNS?
On 13.11.2008 at 17:17, Praedor Atrebates wrote: I use OpenDNS servers and tor messages always contain a message that my service provider "may be hijacking DNS requests". It isn't a problem for the functionality of tor but it is somewhat annoying to see that warning all the time. Is there any plan to make tor fully friendly with OpenDNS so these messages can go away?

Go to the OpenDNS website, create an account, add a network for your IP and then uncheck the options in "advanced settings". Then the warnings will go away.

Sven
Re: German data retention law
On 01.11.2008 at 02:50, Scott Bennett wrote: I will also not log even after January 1st. And I am fighting against the law. But I was talking about the last resort, if a court will

In what way? Are you participating in a lawsuit and requesting an injunction against the government to prevent it from enforcing the law until after the court case has been decided? Stashing hand grenades?

The first option, exactly. The injunction was already successful in that the data is not allowed to be used until the final decision is made. And I'm fighting by word of mouth. No grenades, sorry.

Second, the rest of the Tor community would not easily believe that trading off network security for network capacity in this way is a tradeoff they want. How do you know that?

Good grief, Sven! Haven't you been reading this list during the last couple of years? The attitudes and reactions presented on this list ought to be enough to convince anyone to take Roger's point for granted.

Oh, so "Tor community" equals the people on the or-talk list? OK, then I agree. I was talking about the Tor users in general, which is of course not the same.

Third, if Tor tolerates this law because its network architecture resists it, and we let the law survive, then the next iteration of the law will be better adapted to Tor's threat model. If we switch off the Tor nodes, it's like the law was well adapted from the beginning. So at least we gain more time. (If Tor "tolerates" the law or not will not influence legislation.)

Not so. First off, no one is suggesting not running tor. The choice many tor *exit* operators appear to be considering is to stop providing *exit* service, nothing else. Most of them would still run tor as a relay.

I don't agree with other people on the list that the DR law only affects exit nodes. If the DR law affects Tor, then it affects all kinds of nodes.

Secondly, the old adage that it is better to ask forgiveness than to ask permission frequently will not keep you out of jail, while a lawsuit to overturn enacted, but unconstitutional, legislation can usually be handled without the plaintiff having to go to jail.

Don't spread FUD. Nobody will go to jail because of non-logging Tor nodes. And the lawsuit is on its way. There is no either/or. But I think you are not arguing against me here. I proposed minimal-logging Tor nodes (in line with the DR law!) instead of switching them off _only_ in case non-logging Tor nodes turn out to be illegal. So what I propose is supported by your argumentation.

Fourth, we don't want to undermine the effort to make this data retention law go away, by showing "oh, the law isn't so bad". I didn't suggest that. I'm talking about the time _after_ we lost the fight against it.

The last I saw posted here, that fight hadn't been lost, so please do not refer to it in the past tense that way. The fight can go on with or without exits in Germany.

Sorry for my imprecise English, I should have written "_after_ we might have lost...".

Regards, Sven
Re: German data retention law
On 31.10.2008 at 06:03, Roger Dingledine wrote: I'm still surprised at all the people who think the choice is between keeping their Tor relay without logs or adding logging. The choice is to keep the relay running with no logs, or to shut down the relay. Let's beat it here and now, rather than letting them gnaw us to death.

I will also not log even after January 1st. And I am fighting against the law. But I was talking about the last resort, if a court will decide that Tor operators have to log. To your four reasons:

First, Tor isn't actually that bulletproof against a distributed attacker (see all the recent papers we've been adding to http://freehaven.net/anonbib/ as well as the upcoming attack papers we keep hearing rumors about), and we don't want to make the job even easier by making each of these relays into a juicy data target.

Unfortunately I don't have time to go through the papers in detail now, but what about Racoon's calculations? Don't they apply to these papers?

Second, the rest of the Tor community would not easily believe that trading off network security for network capacity in this way is a tradeoff they want.

How do you know that?

Third, if Tor tolerates this law because its network architecture resists it, and we let the law survive, then the next iteration of the law will be better adapted to Tor's threat model.

If we switch off the Tor nodes, it's like the law was well adapted from the beginning. So at least we gain more time. (If Tor "tolerates" the law or not will not influence legislation.)

Fourth, we don't want to undermine the effort to make this data retention law go away, by showing "oh, the law isn't so bad".

I didn't suggest that. I'm talking about the time _after_ we lost the fight against it.

Regards, Sven
Re: Performance
Hi Camilo,

On 22.10.2008 at 17:02, Camilo Viecco wrote: Currently, there are two research paths to solve this on Tor: A proposal by Joel Reardon that creates per-circuit and per-hop userspace TCP stacks for each circuit and a proposal by Camilo Viecco (myself) to use a single TCP session for each active stream from the application at the client to the exit node.

Can you elaborate on that? I don't understand that sentence, but I'd like to get the idea.

Thanks, Sven
Re: German data retention law
On 20.10.2008 at 00:06, Roger Dingledine wrote: So it will be very interesting how this will continue, since it is assumed by many that the data retention law violates the German constitution.

Quite so. Good thing all the German laws are so clear. :)

As long as the constitution has the higher priority, I'm fine with it. ;-)

And we do not want to see any Tor relays that log traffic information. So should Tor's role for now be to simply say "the only risk from the German data retention law is if its vague wording convinces Tor operators to install backdoors in their relays. If you think your new law is enforceable, and would like to backdoor your relay, please shut it down instead.", and then wait to see how the people fighting the law fare?

Shouldn't we differentiate what is being logged before making such a statement? Given that a large amount of Tor bandwidth is provided by German nodes, it is IMHO too hasty to generally claim that no Tor node is better than a logging Tor node. I claim that even if a node follows the DR law it will almost not impair the security of the Tor users, since Tor is somehow "DR proof".

The law's authors didn't have concepts like Tor in mind when they wrote the specific stuff for anonymization services. They were thinking of simple one-hop anonymizers (if they were thinking at all). So, what the law asks for is that if you change any information which has to be logged by another party because of the DR law, you have to log that change as well. Since Tor works on the TCP level, the _only_ DR-relevant information it changes is the source IP address (ports and destination are NOT DR relevant). So in order to fulfill the DR law you only have to log at which time you had incoming connections from which IP. Since the connections are persistent, these are a lot. For my node that would be 4000-5000 at any time.

I'm happy to give the investigators a list of 5000 IP addresses for a given time, since they will not have the slightest chance to get any useful information out of this. Even if we assume perfect worldwide cooperation and they are able to get this data from any Tor node, they will end up with nothing more than a list of _all_ Guard nodes, and there are far easier ways of getting it, and as a result of that _all_ Tor users at a given time. So even this unrealistic scenario would just reveal very useless information.

So if the German courts and prosecutors don't realize this beforehand, and really demand Tor logging, I'd just say: OK, do it. They will soon realize that they will not get any useful information out of this and drop the regulation for Tor again. It's "just" a cost issue for Tor operators (because of necessary HD space), but not really a privacy issue. So even in the worst-case scenario, please don't let the usability of Tor decrease even more by switching off the German nodes, just for a questionable and theoretical privacy improvement. But I still hope that somebody will tell them before, and we will never have to log at all.

Are there actually any design changes in Tor that are needed for now? Assuming ISPs don't suddenly start becoming logging stations, and assuming not very many Tor relays become compromised, there really aren't any new threats for Tor users.

Exactly.

Regards, Sven
Re: German data retention law
On 20.10.2008 at 15:29, Dominik Schaefer wrote: Roger Dingledine wrote: On Sun, Oct 19, 2008 at 02:30:32AM +0200, Sven Anderson wrote: All sources I know don't leave any doubt that ISPs will _only_ keep data which they log anyway, that is which IP has been assigned to which user at which time.

IMHO it is not true that ISPs will only have to retain data they log anyway. Until now, they weren't even allowed to log the IP address if they don't need it for billing purposes. The DR law defines what they have to log.

You have to look at the details here. The law tells them what to _retain_, not what to _log_. It assumes that ISPs log that stuff anyway. I have my information from a talk of the data security officer of the Deutsche Telekom[1], but I just had a look at TKG 113a (1), and it seems indeed that if you don't log, you have to make sure somebody else logs it. Maybe they changed that paragraph after the talk was held?

Regarding your example: I wrote the same one sentence after the one you quoted from me. With a little difference: they are allowed to log it, but they have to immediately delete it after the connection.[2]

[1] http://www.jura.uni-duesseldorf.de/institute/zfi/materialien/Informationsrechtstag5/070627-Ulmer.pdf (German)
[2] http://www.heise.de/newsticker/meldung/80614 (German)

Regards, Sven
Re: German data retention law
On 19.10.2008 at 17:06, krishna e bera wrote:

> On Sun, Oct 19, 2008 at 01:45:22PM +0200, Dominik Schaefer wrote:
>> As already said, much more difficult is the part about anonymizing services, which brings us right to the still missing 'technical directive'. That will define the specifics: who is exempted (e.g. WLAN hotspots in hotels are said to be exempted, WLAN hotspots at airports not), what format has to be used for transmitting the data to law enforcement, what precision the timestamps must have, what 'immediate response' to a request from law enforcement actually means, what availability the systems for data retrieval must have and so on... Most of that will be defined first by the European Telecommunications Standards Institute. Then the German agency which has to supervise the implementation of the law will adopt that directive. That is expected to happen in spring 2009. Curiously, the telecommunication service providers in Germany now have to log stuff, but know nearly nothing about the technical implementation, and that is even worse for small service providers or private persons. The conclusion is more or less: nobody knows for sure if Tor relays have to log or not. It seems that some courts will have to decide that.
>
> The data retention law seems to be partly an attempt to make private operators do the government's work of law enforcement. However, suppose the technical implementation is something like requiring ISPs to allow wholesale teeing of the pipes as is now done at AT&T in the USA, at government/taxpayer expense. Then we will not know whether some or all of the data is logged.

This will not (legally) happen. Germany has an old tradition of data protection, and as I wrote before, until now the ISPs are _not_allowed_ to keep the exact same data which the new data retention law requires them to store. It's a clear contradiction between different laws. There is a pending lawsuit against the data retention law going on, and if the storage is legal at all, it will be under very strict conditions.

> Further, what prevents European (or Chinese etc) data spies from cooperating with American data spies, enabling monitoring both ends of most connections?

The work of intelligence services is a completely different story. In most countries it is already possible for investigators and intelligence services to intercept the communication of suspects. And they don't need Tor logs for this. If they have a suspect person, they intercept his/her access line and the destination server and they might time-correlate the connections. So, Tor logfiles are irrelevant for them.

We cannot divide the world into logging and non-logging areas. Just into areas where we _know_ about logging, and areas where we don't know about it, which doesn't mean that they don't log! I would still trust a node more that is located in Germany and is affected by the data retention, but where I know there also (still) exists one of the strongest data protection laws, and the data is not easily accessed, than a node located in China, where they officially even don't have censorship, but of course they will log the hell out of every bit, if they are technically able to.

Regarding the improvement of Tor: I would suggest to assume that _every_ node is compromised more or less, and that there are different likelihoods between two nodes that they will cooperate. These pairwise likelihoods could be estimated (same country, same legislation, same provider, good relations between countries and so on...) and be used for circuit building in a way that this likelihood is minimal for the circuit. The location of the client and the final destination should be included in this calculation. But to be honest: I'm not sure that it is worth it.

Regards,
Sven
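The circuit-building idea in the last paragraph above, as an added example (not code from this thread or from Tor): estimate for every two parties on the path, client and destination included, how likely they are to pool their data, and pick the relay set that minimises the chance that any pair does. The weights, the relay attributes and the "friendly countries" list are constructed assumptions, not descriptions of real relays or real legal cooperation.

```python
"""Pairwise-collusion-aware circuit selection (added illustration, not Tor code)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Party:
    """A relay, the client, or the destination, with what an adversary could match on."""
    name: str
    country: str
    provider: str = ""      # empty when unknown (typical for a destination)


# Constructed weights: the chance that one shared attribute alone is enough
# for two parties' logs to be combined. Tune these to your own threat model.
BASELINE = 0.01            # any two parties might cooperate
SAME_COUNTRY = 0.30        # one legal order reaches both
SAME_PROVIDER = 0.50       # one hoster/ISP sees both
FRIENDLY_COUNTRIES = 0.10  # routine cross-border cooperation (constructed list below)
FRIENDLY = {frozenset({"DE", "AT"}), frozenset({"US", "GB"})}


def cooperation_likelihood(a: Party, b: Party) -> float:
    """Probability that a and b would cooperate: 1 - P(no channel applies)."""
    channels = [BASELINE]
    if a.country == b.country:
        channels.append(SAME_COUNTRY)
    if a.provider and a.provider == b.provider:
        channels.append(SAME_PROVIDER)
    if frozenset({a.country, b.country}) in FRIENDLY:
        channels.append(FRIENDLY_COUNTRIES)
    none_apply = 1.0
    for p in channels:
        none_apply *= 1.0 - p
    return 1.0 - none_apply


def circuit_risk(client: Party, relays: Sequence[Party], destination: Party) -> float:
    """Probability that at least one pair of parties on the path cooperates.

    The client/destination pair is skipped: no choice of relays changes it,
    and an observer sitting on both ends needs no Tor logs anyway.
    """
    parties = [client, *relays, destination]
    none_apply = 1.0
    for a, b in combinations(parties, 2):
        if {a, b} == {client, destination}:
            continue
        none_apply *= 1.0 - cooperation_likelihood(a, b)
    return 1.0 - none_apply


def choose_circuit(client: Party, candidates: Sequence[Party], destination: Party,
                   hops: int = 3) -> Tuple[float, Tuple[Party, ...]]:
    """Return (risk, relays) for the lowest-risk set of `hops` distinct relays.

    The score is symmetric in the relays, so guard/middle/exit ordering is
    left to the caller; this only decides which relays to use together.
    """
    best: Optional[Tuple[float, Tuple[Party, ...]]] = None
    for relays in combinations(candidates, hops):
        risk = circuit_risk(client, relays, destination)
        if best is None or risk < best[0]:
            best = (risk, relays)
    if best is None:
        raise ValueError("not enough candidate relays")
    return best


# Constructed sample: a German client on ISP "isp-a" reaching a US server.
CLIENT = Party("client", "DE", "isp-a")
DESTINATION = Party("destination", "US")
RELAYS = [
    Party("r1", "DE", "isp-a"),     # same ISP and country as the client
    Party("r2", "DE", "hoster-x"),
    Party("r3", "NL", "hoster-x"),  # shares a hoster with r2
    Party("r4", "SE", "hoster-y"),
    Party("r5", "US", "hoster-z"),  # same country as the destination
    Party("r6", "AT", "hoster-w"),  # "friendly" with the client's country
]

if __name__ == "__main__":
    risk, relays = choose_circuit(CLIENT, RELAYS, DESTINATION)
    print(f"lowest risk {risk:.3f} using {[r.name for r in relays]}")
```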
Re: German data retention law
On 18.10.2008 at 22:13, Roger Dingledine wrote:

> 2) Maybe, consider starting circuits unpredictably before we want to attach a stream to them (we already mostly do that, since we build circuits preemptively), and closing circuits unpredictably after we are done using them. The idea there is to make the TCP connection logs at ISPs not correlate with when a given Tor stream started or stopped. I say "maybe" because it's far from clear that all ISPs will be forced to log TCP connection start and stop timestamps.

Wait, ISPs will _not_ log TCP connections (in general). Do you have any reference for that assumption? All sources I know don't let any doubt that ISPs will _only_ keep data which they log anyways, that is which IP has been assigned to which user at which time. And even this information has to be deleted immediately after the internet connection (access, not TCP!), if it is not necessary for billing (flat rate contracts). This has been confirmed by German courts already. And this is in clear contradiction to the new data retention law. So it will be very interesting how this will continue, since it is assumed by many that the data retention law violates the German constitution.

> point. According to our research if an attacker manages to get data from both sides, this appears sufficient for linking the user to the website.

According to Raccoon's calculations some weeks ago this isn't so easy as it seems. Did you do experiments in the real Tor network?

Regards,
Sven
Re: German data retention law
On 18.10.2008 at 10:49, Karsten N. wrote:

> Some papers of non-government organizations like ULD: "Tor and JAP are not affected by the telecommunication law, because it is not a telecommunication service (in the case of law) and tor nodes have NOT to log."

That's not true, the ULD is a 100% governmental institution (at least financially). Its task is among others to supervise the data protection in the government agencies of Schleswig-Holstein (German province).

> Or, if it was more simple for the developer, a feature for exit nodes to define a country (based on geoip) to reject all exit routes. If all german relays used this feature, it may work.

This would be a good option anyway. Rejecting exit connections to your own country would dramatically reduce the investigation requests. In my case 100% were because of connections to German servers so far.

> Otherwise, all german nodes have to switch to middle man.

I suggest to keep calm. There is a long way to go before we will have a final judgment about this. And until then there's no need to act.

In general I don't like to create the impression that the logging in Tor nodes is so essential for the reliability of Tor. If the trust in Tor would be based on the assumption that the Tor nodes are not compromised and not logging, the whole concept would be flawed, and I would never support it. The new data retention law is a danger for the simple one-hop proxies, but not for Tor. You would need a detailed log on _circuit_ level of every single node in order to trace it back. I don't even know if Tor is able to create these logs (not with info level, what about debug level?). But it's very unlikely that the German courts will demand even this. The worst case will be TCP connections, which are almost useless, since you hardly can correlate in- and outgoing connections. (My node has always 4000-5000 parallel open connections, and connections to other Tor nodes are persistent.)

This whole law anyway will turn out as a big joke (as usual), since there are so many networks that hide thousands of users behind a single NAT address, which _officially_ don't have to log, because they are not public. (Like big companies, university networks and student dormitories, for example.)

Regards,
Sven
Re: German data retention law
On 18.10.2008 at 13:46, Dieter Zinke wrote:

> Tor developers: I demand to ban all german tor server per /1/1/2009 from the tor network. Don't trust the german regulators.

This is a joke, right?

1. It is absolutely unclear how this law affects Tor servers. I will definitely not keep any data, and I anyway don't gather any data which I _could_ keep in the first place.

2. Even if a court forces the German Tor operators to gather and keep data, it will be useless because of Tor's design. If you put so much trust in the Tor nodes and operators in order to trust Tor in general, you shouldn't use it.

Sven
Re: about the legal consequences of the data-retention in germany for tor server owners
Hi Sebastian,

On 17.10.2008 at 13:51, Sebastian Schmidt wrote:

> I'm a law student at the saarland university. I noticed in the newest blog entry of the tor-blog that you wanna gather some information about what the owners of tor-servers in germany have to do on 01.01.2009. And what are the legal consequences for them in germany of the data retention law.

On the German mailing list [EMAIL PROTECTED] we recently had a discussion about that topic. It started with the following mail by Karsten N. If you are interested I can forward you the whole thread.

Regards,
Sven

On 04.10.2008 at 20:59, Karsten N. wrote:

> Hello Tor admins,
>
> The German Privacy Foundation e.V. will, together with JonDos GmbH, clarify the storage obligations for anonymization services that result from the data retention law (§113 TKG) and, if necessary, take legal steps to guarantee that the constitutional limits are respected. For this purpose JonDos GmbH and GPF e.V. have commissioned the renowned international law firm Osborne Clarke to examine whether the law is constitutional and reasonable. (In particular in view of the fact that, for Tor, the result could only be data garbage.) The Bundesnetzagentur is responsible both for the technical implementation of the surveillance measures and for imposing fines if data is not stored. We will also hold talks with the Bundesnetzagentur on the interpretation of the law with regard to anonymization services.
>
> Personal comments:
>
> 1: That in our view data retention fundamentally violates the constitution is surely self-evident among the readers of this list and does not need to be emphasized separately.
>
> 2: At present JonDos GmbH has not yet reached an agreement with the Bundesnetzagentur on the storage obligations for JAP servers. The talks will probably not bring clarity before 1.1.09 on whether the offered quick freeze is sufficient. JAP servers may possibly be left alone until there is a definitive clarification. (For Tor this quick-freeze solution does not exist.)
>
> 3: The whole matter will cost additional money. I know that you are all already actively running servers with your own funding. Nevertheless, here is an account number for donations to finance the necessary steps (in case you know someone who would like to support us): German Privacy Foundation e.V., account number: 329 31 80, BLZ: 100 700 24, bank: Deutsche Bank.
>
> Thanks.
>
> Karsten N.
Re: How I Learned to Stop Ph34ring NSA and Love the Base Rate Fallacy
Dear Raccoon,

On 28.09.2008 at 14:27, The23rd Raccoon wrote:

> [2]. http://www.stinkymeat.net/

Thanks for that reference. Great!

As for your article: as far as I can tell the calculations seem to be valid, but I wonder why others didn't address this in their timing attack work before. One question: You assume 250,000 users and 5000 concurrent connections, so one connection per 50 users? Is this realistic? I know that most of the time a user is idle, but still this seems too low to me, since once the user becomes active he will open several concurrent connections (like for opening a website). And why do you assume the number of users at all? I don't see a reference to it in your calculations.

Sven
Re: hijacking DNS server
On 24.09.2008 at 00:04, Marco Bonetti wrote:

> This is the part I don't like: as I pointed out with the command outputs, they not only "hijack" your queries in order to "protect" your navigation, but they also spoof google services. If I'd been using OpenDNS, I'll think twice before sending my credentials to (what my browser thinks is) google.com :)

I will quote myself from a mail regarding "OpenDNS configuration" on August 24:

> You have to add a network for your IP and uncheck "Enable typo correction" in "advanced settings". Then non-existing names are answered with NXDOMAIN. I suggest to uncheck all other options as well.

Regards,
Sven
Re: OnionCat 0.1.9 now supports IPv4
On 15.09.2008 at 16:16, Bernhard Fischer wrote:

> We have a new version of OnionCat ready which is now capable of IPv4-forwarding. Read http://www.abenteuerland.at/onioncat/ for further instructions on how to use OnionCat and IP.

Does it really work in an acceptable way? I ask because "TCP Over TCP Is A Bad Idea"[1]. I would expect it to have an awful performance.

[1] http://sites.inka.de/~bigred/devel/tcp-tcp.html

Regards,
Sven

-- 
http://sven.anderson.de        "Believe those who are seeking the truth.
tel:+49-551-9969285             Doubt those who find it."
mobile: +49-179-4939223                                      (André Gide)
Re: invitation to directory server operators
On 12.09.2008 at 17:50, John Brooks wrote:

> Also, if this is enabled by default, it will still only be respected if you are already serving the normal tor directory - in countries with laws restrictive enough to prevent mirroring the hidden service directory, it seems that you'd have issues with the standard directory as well, not to mention actual tor traffic. I think the legal risks of the hidden service directory are minimal beside the risks of normal tor traffic, so I doubt it'd be a problem for many node operators (and if it were, they could disable this option again).

I don't agree. Normal Tor directories list _routers_, HS directories list _servers_ and therefore _content_ in most cases. And I don't have a good feeling with mixing these two things. To make a graphic example: I don't have a bad conscience if somebody anonymously accesses child pornography sites over my tor node, which are accessible anyways. The site can still be tracked down and removed by the local authorities. And as a node operator I even have the possibility to block such sites with according exit policies if I like to. With HS there is a new service space created. And therefore more responsibility. With running a Tor node supporting HS I also make arbitrary services available, which otherwise might not exist. I really like the idea of HS in general, and there are some great applications for it. But on the other hand there are services which I can not accept to support (to create) with my resources.

Accordingly, it would be much cleaner to separate HS as much as possible from Tor and to see it as an application _on_top_ of Tor. So I don't like the idea to make every Tor node a HS node by default. They are two different things. To promote hidden services by foisting them on all Tor node operators is not fair, I think, and can even become dangerous for the Tor project. They should be promoted separately.

As a Tor node operator in the case of HS I'm much more in need of fine grained access policies due to the higher responsibility. As I wrote in a mail before, at the moment the opposite is true. I can control access of general exit node traffic in exit policies. But I have no control if and for what HS my node becomes an entry point. Similar is true for the HS directory, which I can only switch on or off in general. If for example the public in Germany will find out that there are HS for sharing child pornography and nobody can do something about it, the whole Tor project and especially the HS directories and entry points (but the public will not be able to discriminate) will get under heavy fire here (don't know how sensitive this issue is in other countries). If Tor will support the blocking of certain HS for node operators at that moment, the attack might be a bit milder and can be "rerouted" to the HS to some extent.

Regards,
Sven
Re: Block hidden services
On 29.08.2008 at 07:15, F. Fox wrote:

> xiando wrote:
>> is it - in analogy to exit policies - possible to block certain (or all) hidden services from using my node as directory or introduction point and to disable rendezvous point functionality for my node? (I understand that I cannot block being a rendezvous point for specific hidden services.) If not, I vote for such a feature.
>
> I strongly disagree with your vote for such a feature. There may be anonymity issues involved. Your refusal to have involvement with hidden service introduction may ease the adversary's attempts to locate my hidden service and identify me as the operator.

I cannot follow how this shall be possible, can you elaborate on this? The exit policies allow me as a tor node operator not to offer connections to certain IPs. In the same way I should have the possibility not to offer services for certain hidden services as long as I can identify them (that is directory and introduction point services). I want to point out that there are hidden services which are (at least) anonymity issues on their own.

> At the very least, such a new feature - if introduced - should be opt-in; by default, a node should have the ability to be an introduction or rendezvous point.

I'm fine with that. But I think it's not fair to force Tor operators that want to offer their resources for anonymous access to automatically support hidden services as well. They are two different services and should be decoupled. So at least an option to switch off hidden service functionality is needed. But I prefer a flexible option like the one above.

Regards,
Sven
Block hidden services
Hi,

is it - in analogy to exit policies - possible to block certain (or all) hidden services from using my node as directory or introduction point and to disable rendezvous point functionality for my node? (I understand that I cannot block being a rendezvous point for specific hidden services.) If not, I vote for such a feature.

Regards,
Sven
OpenDNS configuration (was: Re: tor provided me first warning of corrupted ISP name servers)
On 24.08.2008 at 22:52, Sven Anderson wrote:

> You can switch off a lot of things, and I guess then they will also not answer the non-existing domains. However, that only works for static IP addresses (which is true for most Tor nodes I assume).

For the record, I tested it: You have to add a network for your IP and uncheck "Enable typo correction" in "advanced settings". Then non-existing names are answered with NXDOMAIN. I suggest to uncheck all other options as well.

Sven
Re: tor provided me first warning of corrupted ISP name servers
On 24.08.2008 at 20:10, Scott Bennett wrote:

>> I guess OpenDNS.com has become quite popular, since Dan Kaminsky himself proposed to use it, if you have no chance to fix your DNS against the recently published security hole. So if your provider
>
> Oh? What is this new hole? I haven't heard much lately about named(8) or resolver routines in terms of current problems with them.

It's not a problem of named. It's a problem of the DNS system itself. The new attack is a sophisticated variant of cache poisoning. There was a lot of fuss about it in the last months. Here is a good explanation of Kaminsky's attack: http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

The interim fix is that recursing resolvers have to use random source ports for queries. Since almost no DNS server was doing this, all of them have to be patched. As of now about 50% are patched. You can check your own vulnerability at http://www.doxpara.com/

Cheers,
Sven
Re: tor provided me first warning of corrupted ISP name servers
On 24.08.2008 at 20:26, Drake Wilson wrote:

> Quoth Sven Anderson <[EMAIL PROTECTED]>, on 2008-08-24 19:08:57 +0200:
>> Are these tests done by the tor software? I think these tests are not valid, since services like OpenDNS.com reply to _every_ name with an address:
>
> DNS semantics say that when a name does not exist, you receive an NXDOMAIN response. Returning an arbitrary A record instead breaks the semantics of the Internet. You may consider this valid for your own network, and that is okay, but inflicting changes to Internet semantics on Tor exit traffic is a classic bad exit scenario.

This is true for authoritative DNS servers. OpenDNS is not part of it, but a pure resolving service, so they can do what they want, and users can choose to use it or not. But I see your point that there is a conflict if a Tor exit node is using such a service. But Tor node operators might be forced to use it, so I suggest to look at this with less dogma and more reason, trading off the pros against the cons.

> Supposedly it is possible to submit a control request to OpenDNS to turn this behavior off for certain source addresses; I haven't confirmed this first-hand. If this is true, I imagine that Dan Kaminsky &c. would also tell people to issue this request if they started forwarding to OpenDNS for other unrelated people in a non-temporary fashion.

Kaminsky didn't mention it, at least not in his blog. He wrote for example on July 27: "Patch, and verify the patch is working (NATs continue to be a headache). If it's not working, forward to something that is. OpenDNS has capacity to spare." (http://www.doxpara.com/?p=1194)

You can switch off a lot of things, and I guess then they will also not answer the non-existing domains. However, that only works for static IP addresses (which is true for most Tor nodes I assume).

>> Can I switch off these tests in tor?
>
> Short answer: don't.

Well, if one is forced to use such a service, because his own DNS servers are vulnerable against the cache poisoning, he wouldn't be able to run a Tor node then.

Cheers,
Sven
Re: tor provided me first warning of corrupted ISP name servers
On 24.08.2008 at 17:47, Scott Bennett wrote:

> Yesterday my tor server logged a message advising me of a name server problem at the Comcast name servers whose addresses are given via DHCP to my computer upon connection to the Comcast network:
>
> Aug 23 17:11:32.227 [notice] Your DNS provider gave an answer for "y75smsh5mk7ggb.test", which is not supposed to exist. Apparently they are hijacking DNS failures. Trying to correct for this. We've noticed 1 possibly bad addresses so far.

Are these tests done by the tor software? I think these tests are not valid, since services like OpenDNS.com reply to _every_ name with an address:

---
$ host -v -t a y75smsh5mk7ggb.test. 208.67.220.220
Trying "y75smsh5mk7ggb.test"
Using domain server:
Name: 208.67.220.220
Address: 208.67.220.220#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33093
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;y75smsh5mk7ggb.test.          IN      A

;; ANSWER SECTION:
y75smsh5mk7ggb.test.    0       IN      A       208.69.34.132

Received 53 bytes from 208.67.220.220#53 in 36 ms
---

This is due to the fact that they want to redirect typos to the correct addresses. If you want, they even do stuff like ad blocking, phishing protection and similar. That would also explain redirects of known addresses like google.com. I guess OpenDNS.com has become quite popular, since Dan Kaminsky himself proposed to use it, if you have no chance to fix your DNS against the recently published security hole. So if your provider forwards to OpenDNS for security/financial reasons, you will see such behaviour. You can check if your DNS is safe on DK's blog (in the sidebar): http://www.doxpara.com/

Can I switch off these tests in tor?

Cheers,
Sven
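The check behind Scott's log message, as an added example that is not part of this thread or of Tor's own code: query a name that cannot exist and treat a positive answer as NXDOMAIN hijacking. The two response packets are constructed by hand to mirror the `host` output above (NOERROR, one A record 208.69.34.132, transaction id 33093) and an honest NXDOMAIN reply; the small DNS wire-format parser is written here rather than taken from a library.

```python
"""Detect NXDOMAIN hijacking from raw DNS responses (added example)."""
import struct
from typing import Optional, Tuple

NOERROR = 0
NXDOMAIN = 3
TYPE_A = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name: str, txid: int, rcode: int, answer_ip: Optional[str]) -> bytes:
    """Construct a minimal DNS response to an A query (used only to make test input)."""
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1, RCODE=rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)   # class IN
    answer = b""
    if answer_ip:
        # Owner name as a compression pointer to offset 12 (the question name).
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 0, len(rdata)) + rdata
    return header + question + answer


def read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    end = None                                   # set when the first pointer is followed
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                # 2-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(packet: bytes) -> dict:
    """Parse the header, question and answer sections of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        qname, offset = read_name(packet, offset)
        offset += 4                              # QTYPE + QCLASS
        questions.append(qname)
    answers = []
    for _ in range(ancount):
        rname, offset = read_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((rname, rtype, value))
    return {"id": txid, "rcode": flags & 0x0F, "questions": questions, "answers": answers}


def is_hijacked(packet: bytes, expected_id: int) -> bool:
    """True when a name that cannot exist came back with an address instead of NXDOMAIN.

    A response whose transaction id does not match is rejected rather than
    counted: judging the resolver on someone else's (or a spoofed) packet
    would be wrong either way.
    """
    resp = parse_response(packet)
    if resp["id"] != expected_id:
        raise ValueError("transaction id mismatch: not the answer to our probe")
    if resp["rcode"] == NXDOMAIN:
        return False
    return resp["rcode"] == NOERROR and any(rtype == TYPE_A for _, rtype, _ in resp["answers"])


# Constructed packets mirroring the thread: the probe name from the Tor log
# message, the id from the host output, one A record for the hijacked case.
PROBE = "y75smsh5mk7ggb.test"
HIJACKED = build_response(PROBE, 33093, NOERROR, "208.69.34.132")
HONEST = build_response(PROBE, 33093, NXDOMAIN, None)

if __name__ == "__main__":
    for label, pkt in (("OpenDNS-style", HIJACKED), ("honest", HONEST)):
        print(f"{label}: {len(pkt)} bytes, hijacked={is_hijacked(pkt, 33093)}")
```

The constructed hijacked packet is 53 bytes, the same size `host` reported above, which is a useful sanity check that the layout matches what the resolver actually sent.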
Re: xB Mail: Anonymous Email Client
On 22.08.2008 at 11:41, Dawney Smith wrote:

> Arrakis wrote:
>> 2.) Obfuscate the data sent in the EHLO so it doesn't leak the hostname/ip
>
> I'll have to check how thunderbird implements smtp. It must be possible as TorButton manages to do it.

BTW: Wouldn't it be good to have a local privacy mail-relay, like a "Prilay", which is to mail clients what Privoxy is to browsers? It would work with any client.

Cheers,
Sven
Hidden service gateway
Hi,

is there any known hidden service gateway that makes hidden services available without using tor? What I mean is something like a website that takes requests of the form http://5kdgyjnpcihfzskc.onion.com/foo/bar.html and will fetch http://5kdgyjnpcihfzskc.onion/foo/bar.html over Tor for you.

Thanks,
Sven
Re: Bandwidth distribution (was: Re: AllowInvalidNodes entry, exit, ... ?)
On 20.08.2008 at 20:16, Scott Bennett wrote:

>> [1] http://sven.anderson.de/misc/en_bw_dist.pdf
>> [2] http://sven.anderson.de/misc/en_bw_cdf.pdf
>
> Very nicely done. I was just curious, though, what other flags you used, if any. Running? Not BadExit? Thanks much for the graphs!

Sorry for replying so late, it seems I got distracted by something. ;-)

I just selected "Exit=yes" in the advanced query options at http://torstatus.kgprog.com . I don't know if "Running" or "BadExit" is included by default, but I left everything "Off". (After having a look, it seems that the default is Running=Yes and BadExit=No, but I'm not sure.)

Sven
Re: [OT] Off-topic posts
On 21.08.2008 at 18:19, Nick Mathewson wrote:

> * Please don't get in the habit of responding to insane off-topic people. When you do, there are now _two_ people discussing the Fiendish Fluoridators on rec.pets.cats.

Oh, this will be a tough one. The temptation is just too big sometimes. ;-)
Re: [OT] Off-topic posts
On 21.08.2008 at 15:13, [EMAIL PROTECTED] wrote:

> On Thu, Aug 21, 2008 at 12:12:32PM +0200, [EMAIL PROTECTED] wrote 0.6K bytes in 22 lines about:
>> Tor-related are marked with [OT] in the subject. I think this is the least we can do for those who are just interested in the Tor stuff, so they can filter/skip those mails.
>
> I vote for just kicking people off the list. While this may feed into their fascism/censorship fantasies, dropping the signal to noise ratio doesn't help anyone search the archives nor get their questions answered.

That is not exclusive, the owners of the list are still free to do that, but it will be difficult to make a clean cut. You can never avoid OT posts, and I wouldn't say they have no value in general. I prefer some (few) of these discussions happening off-topic than not happening at all. I bet it's easier to convince people to use an [OT] tag than to convince them not to post OT-mails at all, but prove me wrong.

Sven
[OT] Off-topic posts
Hi all,

since there seems to be quite a demand for off-topic discussions on this list and still it's not worth it to open another mailing-list for the side-discussions, I propose that all mails that are not _directly_ Tor-related are marked with [OT] in the subject. I think this is the least we can do for those who are just interested in the Tor stuff, so they can filter/skip those mails.

Agreed?

Regards,
Sven
[OT] Re: Illuminati (was: Re: Paid performance-tor option?)
WARNING: This mail has NOTHING to do with Tor.

On 21.08.2008 at 08:13, Roy Lanek wrote:

>> You watched "Zeitgeist" once too often?
>
> Oh dear ... No, but it's perhaps about time for _you_ to watch ... http://www.journalof911studies.com/ a bit say, so to have a chance to discover-once/learn-more-on Galileo, Newton, and Celsius [Fahrenheit respectively]. (About time ... anno 2008, at the least.) But be warned, journalof911studies.com collects writings by 1st order researchers and professionals only, or mainly: on mathematics, physics, chemistry, crystallography, engineering, etc.^1 These researchers, and professionals, are NOT hired muddlers, NOT damage-controllers, NOT deniers, NOR any other lackeys; in fact, they make honor to science in general, and to the branches in which they are expert in particular. (Though of course, as in many other sombre circumstances it has happened in history before already--guess--they have put at risk their own careers.)

Dear readers, don't trust him. He doesn't know what he is talking about and is just blindly repeating what he read on their front page. I am a physicist myself and just wasted my time looking at that site. There is not a single "1st order researcher" and the "papers" are just ridiculous. The "peer-review" is a joke, since the peer-group are all "believers". And the statement from their front page, "the case for falsity of the official explanation is so well established and demonstrated by papers in this Journal", proves they are breaking basic scientific rules, since intention spoils your results. I just randomly picked out one paper (WTC 7: A Short Computation, Vol 1.) and it took just 30 seconds to find the first wrong assumption about the collapse, not to mention that he arbitrarily concludes at the end that the "falling floors encountered very little resistance", although he assumed _no_ resistance for his own calculations, which resulted in a _longer_ collapse time! Seriously, although he put some awe-inspiring square roots in it, this is incredibly bad work! It's really pathetic: if no serious journal accepts your stuff, you just create your own. It's exactly like the Creationists, who now try to give themselves a scientific appearance by calling the same bullshit "Intelligent Design".

> Also, given that you have mentioned FUD [keep reading], maybe you are confused: journalof911studies.com is related to sites such as popularmechanics.com as, say, Switzerland and New Zealand on the planet--they are at the antipodes.

No, it's not, unfortunately they are quite similar. And FUD is equally used by governments and conspiracy theorists.

> Plus, you may be missing how the thing has started ... do you? (And about the "conspiracy theories," and on how to solve your defect on knowledge and information, you should have got enough suggestions already.)

You are one of those dangerous persons who don't make a difference between knowledge and assumptions.

Sven
Re: Couple more questions
On 21.08.2008 at 10:55, M wrote:

> I set it up through 8118 and it connected through TOR and Privoxy. Should I keep it this way or use SOCKS?

I guess you are using TLS connections? Then it doesn't matter anyways.
Re: Couple more questions
On 21.08.2008 at 07:58, M wrote:

> Hey guys, a few more questions for the experts:
>
> 1) I noticed that the Tor-IM-Browser package uses GAIM, routed through SOCKS 5:9050. If I am using GAIM with TOR/Privoxy, should I set Gaim to use SOCKS 5:9050, or HTTP 127.0.0.1:8118 and route it through Privoxy?

No, Privoxy is an HTTP proxy AFAIK. GAIM uses XMPP (Jabber) as protocol, so Privoxy can probably not handle it. But if GAIM is not a patched version, I fear that there are many possible information leaks. For example, when triggering a file transfer, the real IP address might be disclosed.

Sven
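What "SOCKS 5 on 9050" means on the wire, as an added example that is not code from the post, from GAIM, Tor or Privoxy: the RFC 1928 greeting and CONNECT request a client sends to Tor's SOCKS port, with the hostname passed through unresolved so that the name lookup happens inside Tor rather than on the client's own resolver. The proxy address 127.0.0.1:9050 is taken from the thread; `jabber.example` and the reply bytes in the test are placeholders constructed here.

```python
"""SOCKS5 CONNECT handshake as a Tor-aware XMPP client would do it against
127.0.0.1:9050. Added example, not code from the original post, GAIM, Tor
or Privoxy. Any sample bytes used with it are constructed, not captured."""
import socket
import struct

SOCKS_VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def greeting() -> bytes:
    """Client greeting (RFC 1928 section 3) offering only 'no authentication'."""
    return bytes([SOCKS_VER, 1, NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request. A hostname goes out as ATYP 0x03 (domain name)
    so that Tor resolves it inside the circuit; resolving it locally before
    connecting would hand the lookup to the client's own resolver, outside Tor."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            addr = bytes([atyp]) + socket.inet_pton(family, host)
            break
        except OSError:
            continue
    else:  # not an IP literal: send the name itself
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length must fit in one byte")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


def parse_reply(data: bytes) -> dict:
    """Parse a server reply (RFC 1928 section 6); raises on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp, body = data[1], data[3], data[4:]
    if atyp == ATYP_IPV4 and len(body) == 6:
        bound = socket.inet_ntop(socket.AF_INET, body[:4])
    elif atyp == ATYP_IPV6 and len(body) == 18:
        bound = socket.inet_ntop(socket.AF_INET6, body[:16])
    elif atyp == ATYP_DOMAIN and body and len(body) == body[0] + 3:
        bound = body[1:1 + body[0]].decode("idna")
    else:
        raise ValueError("malformed or truncated reply")
    return {"ok": rep == 0, "status": REPLY_TEXT.get(rep, "unknown (%d)" % rep),
            "bound_addr": bound, "bound_port": struct.unpack(">H", body[-2:])[0]}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def open_via_tor(host: str, port: int, proxy=("127.0.0.1", 9050)) -> socket.socket:
    """Run the handshake against a live Tor SOCKS port and return the stream;
    an XMPP client would then start its stream/STARTTLS exchange on it.
    Needs a running Tor, so it is not exercised offline."""
    s = socket.create_connection(proxy)
    try:
        s.sendall(greeting())
        if _recv_exact(s, 2) != bytes([SOCKS_VER, NO_AUTH]):
            raise ConnectionError("proxy did not accept the no-auth method")
        s.sendall(connect_request(host, port))
        head = _recv_exact(s, 4)
        if head[3] == ATYP_IPV4:
            rest = _recv_exact(s, 6)
        elif head[3] == ATYP_IPV6:
            rest = _recv_exact(s, 18)
        elif head[3] == ATYP_DOMAIN:
            n = _recv_exact(s, 1)
            rest = n + _recv_exact(s, n[0] + 2)
        else:
            raise ConnectionError("unknown address type in reply")
        reply = parse_reply(head + rest)
        if not reply["ok"]:
            raise ConnectionError("SOCKS CONNECT failed: " + reply["status"])
        return s
    except Exception:
        s.close()
        raise
```

The domain-name form is the part that matters for the question in the thread: a client that resolves the XMPP server itself and then sends an IPv4 address to the proxy still reaches the server through Tor, but the DNS query went out in the clear. Side channels inside the protocol (the file-transfer case above) are not addressed by the SOCKS layer at all, which is why an unpatched client can still leak its address.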
Re: Update to default exit policy
On 20.08.2008 at 19:58, Dawney Smith wrote:

> The only reason that your 10.100.145.215 IP appears in the headers there is because your email client sends it. Your email client doesn't need to send it, and as someone else mentioned, it's "scrubbed" if you're using TorButton with Thunderbird for example.
>
> > Yes, it doesn't make sense to use tor with a normal mail-client. But if you are behind a NAT router, it's not as bad as it looks first.
>
> It's at least as safe as using a webmail interface if you configure your email client correctly.

Didn't I write "normal mail-client"? Of course you can use Thunderbird with (an old?) TorButton. But it's important to point that out.

Sven
Illuminati (was: Re: Paid performance-tor option?)
On 20.08.2008 at 05:49, Roy Lanek wrote:

> 9/11 has been planned much earlier than 2001.

Dear Mr Fletcher (sic!), I don't think that this mailing list is the appropriate place to propagate your FUD-based conspiracy theories as if they were facts. So would you mind stopping it? Besides that, as other posters stated already, your style of writing with all these brackets and sidetracks is very stressful to read, especially for a non-native speaker like me. I get headaches every time I try. But this is probably due to the implant in my head that some secret agency equipped me with in an unwary moment, and which now wants to hinder me from finding out THE TRUTH.

You watched "Zeitgeist" once too often?

Sven
Re: Update to default exit policy
On 20.08.2008 at 19:04, [EMAIL PROTECTED] wrote:

> Sorry, I didn't get it: in case I'm using Thunderbird and Torbutton, and connect to the smtp server through tor. Will my "real" ip address occur in the mail headers, or the ip of the exit node? I'm guessing the ip of the exit node, right? Because if not, it would be senseless to use tor? Would be great if someone could clarify this!

Both. Look at my headers (Apple Mail):

Received: from [134.76.55.100] (helo=[10.100.145.215])
        by serv-80-156.SerNet.DE with esmtpsa (TLSv1:RC4-SHA:128)
        (Exim 4.51)
        id 1KVqPO-0002gu-4k
        for or-talk@freehaven.net; Wed, 20 Aug 2008 18:19:42 +0200

When using tor, 134.76.55.100 will be the tor exit node ip, and 10.100.145.215 will still be your local client ip. Yes, it doesn't make sense to use tor with a normal mail-client. But if you are behind a NAT router, it's not as bad as it looks first.

Sven
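A check for the leak discussed above, as an added example that is not part of the post or of any mail software: it splits a Received: header into the peer address the receiving server saw on the wire (over Tor, the exit) and whatever the client volunteered in its HELO/EHLO, and reports the latter. The first sample is the Exim header quoted in the post, folded with tabs as Exim writes it; the second is a constructed variant in which the client sends a non-identifying HELO.

```python
"""Flag client-volunteered addresses in a Received: header.

Added example; not from the original post or any mail software. The first
sample is the Exim header quoted in the post (same two addresses); the
second is a constructed variant with a non-identifying HELO."""
import ipaddress
import re

SAMPLE_RECEIVED = (
    "Received: from [134.76.55.100] (helo=[10.100.145.215])\n"
    "\tby serv-80-156.SerNet.DE with esmtpsa (TLSv1:RC4-SHA:128)\n"
    "\t(Exim 4.51)\n"
    "\tid 1KVqPO-0002gu-4k\n"
    "\tfor or-talk@freehaven.net; Wed, 20 Aug 2008 18:19:42 +0200"
)
# Constructed: same hop, but the client announced itself as "localhost".
SAMPLE_SCRUBBED = SAMPLE_RECEIVED.replace("helo=[10.100.145.215]", "helo=localhost")

# 'from <clause> by <host>': the clause carries both what the MX observed and
# what the client claimed (Exim: "[peer] (helo=...)", Postfix: "helo (rdns [peer])").
FROM_RE = re.compile(r"^Received:\s*from\s+(.+?)\s+by\s", re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7}")
HELO_RE = re.compile(r"helo=\[?([^\s\]\)]+)", re.IGNORECASE)


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines (newline followed by WSP)."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def ip_literals(text: str):
    """Every token that parses as an IPv4/IPv6 address, in order of appearance."""
    found = []
    for m in IP_RE.finditer(text):
        try:
            found.append(ipaddress.ip_address(m.group(0)))
        except ValueError:
            continue
    return found


def analyze_received(header: str) -> dict:
    """Separate the peer the MX recorded from the wire (over Tor: the exit)
    from addresses the client volunteered in HELO/EHLO; list the latter as
    leaks when they name anything other than the peer."""
    m = FROM_RE.match(unfold(header))
    if not m:
        raise ValueError("not a 'Received: from ... by ...' header")
    clause = m.group(1)
    helo_m = HELO_RE.search(clause)
    helo = helo_m.group(1) if helo_m else None
    helo_ips = {str(ip) for ip in ip_literals(helo or "")}
    ips = ip_literals(clause)
    # A private (RFC 1918 / loopback / link-local) address cannot be what the
    # MX saw across the public Internet, so it must have come from the client.
    private = {str(ip) for ip in ips if ip.is_private}
    peer = next((str(ip) for ip in ips
                 if not ip.is_private and str(ip) not in helo_ips), None)
    leaked = sorted(private | (helo_ips - {peer}))
    return {"peer_ip": peer, "helo": helo, "leaked": leaked}
```

Run over the post's header this reports the exit as the peer and 10.100.145.215 as leaked; on the scrubbed variant the leak list is empty. The address behind a NAT router is, as the post says, only a private one, but it still distinguishes one machine inside that network from another, and the HELO string itself (a hostname, a Windows workgroup name) can be just as identifying, so it is worth checking the helo field even when no IP literal appears in it.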
Bandwidth distribution (was: Re: AllowInvalidNodes entry, exit, ... ?)
Hi Mac,

On 18.08.2008 at 16:43, macintoshzoom wrote:

> Using "valid nodes" I have noticed too many times my browsing is going to the same exit nodes, yes fast, but always the same tor exit nodes "club".

This is not really a surprise if you look at the distribution of the bandwidth. I did some graphs for the bandwidth distribution of yesterday. As you can see in [1], the distribution of bandwidth over the exit nodes follows a power law (aka Pareto, Zipf, heavy/long tail, ...), like so many other distributions. In the double-logarithmic plot this is expressed as a linear relation. In this case the linearity starts between 20 and 30 kB/s. (The bandwidth of the exit nodes is exponentially binned, which results in the equidistant data points.) These power-law distributions have the well-known characteristic of many small values and very few big values, also referred to as the 90/10 or 80/20 rule.

In plot [2] you can see the cumulative distribution function (CDF) over the ranked exit nodes. As you can see, the 30 biggest exit nodes are holding 50% of the total tor exit bandwidth, and the 100 biggest hold 70%. While this is still quite moderate, it shows how often you will see the top 30, even if the exit node selection were based on bandwidth only. But the "Fast" and "Stable" flags of course increase this effect.

So there's no conspiracy, it's a natural law.

[1] http://sven.anderson.de/misc/en_bw_dist.pdf
[2] http://sven.anderson.de/misc/en_bw_cdf.pdf

Sven
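The computation behind the ranked CDF in [2], as an added example that is not the post's own measurement or plotting code: ranked cumulative share, the top-k share (which under pure bandwidth weighting is also the probability that one circuit exits through a top-k node), the smallest k covering a given share, and the log-log slope the post reads off plot [1]. The bandwidth list is synthetic, an exact Zipf rank-size law with parameters chosen here, so its numbers only illustrate the method.

```python
"""Ranked bandwidth share of exit nodes (the quantity the post plots as a CDF).

Added example, not the measurement or plotting code behind the post. The
bandwidths are constructed (exact Zipf rank-size law), not Tor data."""
import math


def synthetic_exit_bandwidths(n: int = 1000, s: float = 1.0, top_kbps: float = 10000.0):
    """Constructed data: the r-th ranked node gets top_kbps / r**s (kB/s)."""
    return [top_kbps / r ** s for r in range(1, n + 1)]


def ranked_cdf(bandwidths):
    """Cumulative share of total bandwidth held by the k largest nodes, k=1..n."""
    ranked = sorted(bandwidths, reverse=True)
    total = sum(ranked)
    if total <= 0:
        raise ValueError("no bandwidth")
    acc, out = 0.0, []
    for bw in ranked:
        acc += bw
        out.append(acc / total)
    return out


def top_k_share(bandwidths, k: int) -> float:
    """Fraction of total bandwidth in the k largest nodes; with bandwidth-
    weighted selection only, also P(one circuit exits through one of them)."""
    cdf = ranked_cdf(bandwidths)
    return cdf[min(k, len(cdf)) - 1]


def nodes_for_share(bandwidths, share: float) -> int:
    """Smallest k whose top-k nodes hold at least `share` of the bandwidth."""
    for k, c in enumerate(ranked_cdf(bandwidths), start=1):
        if c >= share:
            return k
    return len(bandwidths)


def loglog_slope(bandwidths, min_kbps: float = 0.0) -> float:
    """Least-squares slope of log(bandwidth) against log(rank). A straight
    line (slope -s) is the power-law signature the post describes; nodes
    below min_kbps are dropped, like the 20-30 kB/s onset in the post's plot."""
    ranked = [bw for bw in sorted(bandwidths, reverse=True) if bw >= min_kbps and bw > 0]
    if len(ranked) < 2:
        raise ValueError("need at least two nodes above the cut-off")
    xs = [math.log(r) for r in range(1, len(ranked) + 1)]
    ys = [math.log(bw) for bw in ranked]
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - xm) ** 2 for x in xs)
    return sum((x - xm) * (y - ym) for x, y in zip(xs, ys)) / sxx


def prob_seen_in(bandwidths, k: int, circuits: int) -> float:
    """Probability that at least one of `circuits` independently built
    circuits exits through a top-k node, bandwidth weighting only."""
    return 1.0 - (1.0 - top_k_share(bandwidths, k)) ** circuits


if __name__ == "__main__":
    bws = synthetic_exit_bandwidths()
    for k in (30, 100):
        print("top %3d nodes hold %.1f%% of the bandwidth" % (k, 100 * top_k_share(bws, k)))
    print("nodes needed for 50%%: %d" % nodes_for_share(bws, 0.5))
    print("log-log slope: %.3f" % loglog_slope(bws))
    print("P(top 30 seen in 10 circuits): %.3f" % prob_seen_in(bws, 30, 10))
```

With the constructed list (1000 nodes, exponent 1) the top 30 come out at about 53% and the top 100 at about 69%, in the same region as the 50%/70% the post read off its measured data, and the slope is exactly -1 because the input is an exact power law; real data will only be straight above the cut-off. The "Fast" and "Stable" flags the post mentions, which further narrow the candidate set, are not modelled here.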