tor-ramdisk 20101227 released
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686, x86_64 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP or SCP.

Changelog: This release incorporates an important security fix from upstream. Tor was bumped to version 0.2.1.28 to address CVE-2010-1676. Busybox was bumped to 1.18.1 and the kernel to 2.6.32.27 plus Gentoo's hardened-patches-2.6.32-34.extras.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

x86_64:
Homepage: http://opensource.dyc.edu/tor-x86_64-ramdisk
Download: http://opensource.dyc.edu/tor-x86_64-ramdisk-downloads

MIPS:
Homepage: http://opensource.dyc.edu/tor-mips-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

***
To unsubscribe, send an e-mail to majord...@torproject.org with
"unsubscribe or-talk" in the body. http://archives.seul.org/or/talk/
tor-ramdisk 20101207 released
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686, x86_64 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP or SSH.

Changelog: This release adds scp functionality using openssh-5.6p1 to export/import the configuration file and private RSA key. The build system was reworked to build dynamically linking binaries rather than static. Also, tor was updated to 0.2.1.27, busybox to 1.17.4, and the kernel to 2.6.32.25 plus Gentoo's hardened-patches-2.6.32-30.extras.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

x86_64:
Homepage: http://opensource.dyc.edu/tor-x86_64-ramdisk
Download: http://opensource.dyc.edu/tor-x86_64-ramdisk-downloads

MIPS:
Homepage: http://opensource.dyc.edu/tor-mips-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: Tor router
On 11/11/2010 02:20 PM, James Brown wrote:
> I have an Asus WL-500gPv2 under dd-wrt and I want to start tor on it. I install tor, privoxy etc. and start it. After that I get the following notification:
>
> Nov 11 22:14:06.954 [warn] You are running Tor as root. You don't need to, and you probably shouldn't
>
> But I have only the root user under dd-wrt. It is possible to add other users to the system using the adduser utility from optware, but they disappear after rebooting the router. What is better: to run tor under the root user, or to make a script that adds a user and group for tor after each reboot of my router?

If you run tor as root, you run the risk that if there is something exploitable in tor, your router can be compromised.

I'm curious why you don't run out of RAM? I tried this long ago on a Linksys wrt54g with a whopping 16M, and tor worked but lasted about 10 mins before OOM-ing. Understandable, since the router keeps much of its runtime filesystem in RAM.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
tor-ramdisk on git
Hi everyone,

I've had lots of requests to add ssh support to tor-ramdisk [1] because ftp is insecure. I originally used dropbear, but after discussion with Jacob, I switched to openssh. I'm not providing images yet, but I've got the build scripts up on a git repo [2]. They're meant to be run on an x86 uclibc system, but might build on glibc and/or x86_64.

When I produce the images for distribution, they are built with hardened gentoo, both toolchain and kernel [3]. This gives userland pie, ssp, _FORTIFY_SOURCE=2 and the kernel GRSEC/PaX.

Feel free to grab the stuff and contribute. I'll throw a GPL-2 in there.

Refs.
[1] http://opensource.dyc.edu/tor-ramdisk
[2] git://opensource.dyc.edu/tor-ramdisk
[3] http://www.gentoo.org/proj/en/hardened/

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: tor-ramdisk 20101011 released for i686 only
On 10/11/2010 11:25 PM, Anders Andersson wrote:
> On Mon, Oct 11, 2010 at 11:16 PM, Jacob Appelbaum <ja...@appelbaum.net> wrote:
>> On 10/11/2010 10:52 AM, Anthony G. Basile wrote:
>>> Hi everyone
>>>
>>> I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686, x86_64 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.
>>
>> Via FTP? It's probably not a good idea to export a private key without using encryption...
>>
>> All the best,
>> Jake
>
> My first thought as well. Pretty much every protocol invented is better than FTP, in this case and most other cases.
>
> Another question regarding the logging: I hope you include enough to know if the node is working correctly or not. The logs that are generated could also be deleted after a couple of minutes or an hour as well, which might make it possible to log some more information if necessary to verify functionality.
>
> Great project though, a lot of people request this.

Originally I thought of tor-ramdisk as only being accessed via FTP on a trusted LAN. However, several people have suggested using the image in the cloud. I have plans on adding sftp. Also, you can enable logging to console for diagnostics.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
tor-ramdisk 20101011 released for i686 only
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686, x86_64 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: This is an early release to address a bug in the dhcp client for the i686 port only. We did not update tor, which remains stable at 0.2.1.26, but we did update busybox to 1.17.2 and the kernel to 2.6.32.23 + Gentoo's hardened-patches-2.6.32-22.extras.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Tor-ramdisk 20100618 released
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686, x86_64 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: Tor was upgraded to 0.2.26, busybox to 1.16.1 and the kernel to 2.6.32.15 plus Gentoo's hardened-patches-2.6.32-12 for the i686 and x86_64 ports.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

x86_64:
Homepage: http://opensource.dyc.edu/tor-x86_64-ramdisk
Download: http://opensource.dyc.edu/tor-x86_64-ramdisk-downloads

MIPS:
Homepage: http://opensource.dyc.edu/tor-mips-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Tor-ramdisk 20100405 has been released
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686, x86_64 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: Tor was updated to the latest stable version 0.2.1.25. Only for the MIPS port was the kernel updated to 2.6.32.9, to extend support for the Mikrotik RB433AH, RB433UAH and RB450G boards.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

x86_64:
Homepage: http://opensource.dyc.edu/tor-x86_64-ramdisk
Download: http://opensource.dyc.edu/tor-x86_64-ramdisk-downloads

MIPS:
Homepage: http://opensource.dyc.edu/tor-mips-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Tor-ramdisk 20100309 has been released
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is a uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: Tor was updated to 0.2.1.24 and busybox to 1.15.3. The build scripts now allow the option of creating images with a fully featured busybox for debugging and a minimally configured busybox for production.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

x86_64:
Homepage: http://opensource.dyc.edu/tor-x86_64-ramdisk
Download: http://opensource.dyc.edu/tor-x86_64-ramdisk-downloads

MIPS:
Homepage: http://opensource.dyc.edu/tor-mips-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Fault-Based Attack of RSA Authentication
Hi everyone,

I thought this might be of interest to the list. Pellegrini, Bertacco and Austin at U of Michigan have found an interesting way to deduce the secret key by fluctuating a device's power supply. It's a minimal threat against servers, but against hand held devices it's more practical. The openssl people say there's an easy fix by salting.

Here's some references:

http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/
http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
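The attack in the paper works by getting the device to emit signatures that were computed wrongly. An added example (not from the thread, the paper, or OpenSSL) of the generic countermeasure against that whole class of fault attacks: the signer recomputes s^e mod n and refuses to release any signature that does not verify, so a glitched computation yields nothing to the attacker. The RSA parameters below are constructed toy values (1000003 and 999983 are primes) and the "fault" is a single flipped bit in the mod-p half of a CRT signature, modelling a transient arithmetic error; the thread itself only says the fix involves "salting", which is a different measure.

```python
import hashlib

# Constructed toy RSA parameters (far too small for real use; chosen so the
# arithmetic is easy to follow). P and Q are primes, E the public exponent.
P = 1000003
Q = 999983
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)         # CRT coefficient q^-1 mod p


def encode(message: bytes) -> int:
    """Hash the message and reduce it into Z_n (toy encoding, not PKCS#1)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_crt(m: int, fault: bool = False) -> int:
    """RSA signature via the Chinese Remainder Theorem (Garner's recombination).

    With fault=True the lowest bit of the mod-p half is flipped, standing in
    for a hardware-induced computation error such as the one caused by an
    unstable supply voltage."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sp ^= 1              # constructed fault: one wrong bit in s_p
    h = (QINV * (sp - sq)) % P
    return (sq + h * Q) % N


def verify(m: int, s: int) -> bool:
    """Public-key check: s is a valid signature on m iff s^e == m (mod n)."""
    return pow(s, E, N) == m


def sign_checked(message: bytes, fault: bool = False):
    """Countermeasure: verify before release.

    Returns the signature, or None when the freshly computed signature fails
    its own public-key check, i.e. when a fault corrupted the computation.
    The faulty value never leaves the device, so it cannot be analysed."""
    m = encode(message)
    s = sign_crt(m, fault=fault)
    if not verify(m, s):
        return None
    return s


def demo() -> tuple:
    """Constructed run: (healthy signature verifies, faulty one is withheld)."""
    msg = b"constructed sample message"
    good = sign_checked(msg)
    bad = sign_checked(msg, fault=True)
    return (good is not None and verify(encode(msg), good), bad is None)


if __name__ == "__main__":
    print(demo())
```

The check costs one extra public-exponent exponentiation per signature, which is cheap compared with the private operation; that is why it is the usual first line of defence when the hardware itself cannot be trusted to compute correctly.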
Tor-ramdisk 20100125 is out.
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is a uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: This release incorporates an important security fix from upstream following a breach of some Tor project servers. Only tor was bumped, to version 0.2.1.22, while everything else remains the same as the 20100115 release. The change was made to the i686, MIPS, and x86_64 images.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

x86_64:
Homepage: http://opensource.dyc.edu/tor-x86_64-ramdisk
Download: http://opensource.dyc.edu/tor-x86_64-ramdisk-downloads

MIPS:
Homepage: http://opensource.dyc.edu/tor-mips-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Tor-ramdisk 20100115 is out.
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686, x86_64 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: Tor was updated to 0.2.1.21. The setup scripts now include the option of setting your own DNS server when acquiring networking information by DHCP, to avoid ISPs that use DNS... blocking. These changes have been implemented in the i686, MIPS, and the new x86_64 port. These have been tested in the wild.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

x86_64:
Homepage: http://opensource.dyc.edu/tor-x86_64-ramdisk
Download: http://opensource.dyc.edu/tor-x86_64-ramdisk-downloads

MIPS:
Homepage: http://opensource.dyc.edu/tor-mips-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
tor-ramdisk testing needed.
Hi everyone,

Last time I released tor-ramdisk, Georg Sluyterman requested that I add the option of allowing the user to manually set a DNS server when acquiring an IP address via DHCP. I added that feature with the next release, which will be based on tor-0.2.1.21 (bumped from .20). The image is being tested now before release. Anyone want to test the new feature? *nudges Georg*

Prerelease images: http://opensource.dyc.edu/pub/tor-ramdisk/archives/images.testing/
Bug reports: http://opensource.dyc.edu/flyspray/

Thanks.

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Re: TOR is for anonymization; so how to add encryption as well?
arshad wrote:
> I want the traffic to be encrypted as well. Any workarounds? Thanks.

It is encrypted except at the exit, unless you use https or imaps or whatever protocol + s.

Let me illustrate. Suppose you go to http://www.google.com via privoxy+tor; then you establish a tunnel like this:

             ,-- Tor's encryption --.
  client --- |     clear http       | --- Tor Relay ...
             `-- Tor's encryption --'

This continues until you get to the exit:

             ,-- Tor's encryption --.
  ...    --- |     clear http       | --- Tor Exit --- clear http --->
             `-- Tor's encryption --'

So sniffing is impossible except at the exit. The admin at the tor exit should never look at the traffic leaving his/her node.

If you repeat the above, but go to https://www.google.com (note the http+s), then the above changes in that the clear http is replaced by encrypted https. Then even the tor exit node admin can't see your traffic.

Hope this helps and that my ascii art didn't get wrapped beyond readability.

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
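The same picture as a runnable model, added here as an example and not part of the original post or of Tor's code: the client wraps its request in one layer per hop, each relay peels exactly one layer, and we record what every hop could read. A SHA-256 counter-mode XOR stands in for Tor's per-hop ciphers (it is a toy, used only so the code is self-contained), the per-hop keys are constructed values rather than the product of a real circuit handshake, and the "https" case is modelled as one extra layer under a key that only the client and the destination hold.

```python
import hashlib

RELAYS = ["guard", "middle", "exit"]

# Constructed keys. In Tor each hop key comes from the circuit handshake
# with that relay; the TLS key is shared only between client and destination.
HOP_KEYS = {name: hashlib.sha256(f"constructed-hop-key-{name}".encode()).digest()
            for name in RELAYS}
TLS_KEY = hashlib.sha256(b"constructed-end-to-end-tls-key").digest()

# A constructed request; the thread's example destination is www.google.com.
REQUEST = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode keystream.

    Stands in for the real per-hop cipher. Being an XOR it is its own
    inverse, so one function both adds and removes a layer. Not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def client_wrap(payload: bytes) -> bytes:
    """Add the exit's layer first and the guard's last, so the guard peels first."""
    cell = payload
    for name in reversed(RELAYS):
        cell = keystream_xor(HOP_KEYS[name], cell)
    return cell


def relay_circuit(cell: bytes) -> dict:
    """Each relay removes only its own layer and forwards the rest.
    Returns the bytes each relay is able to look at after doing so."""
    seen = {}
    for name in RELAYS:
        cell = keystream_xor(HOP_KEYS[name], cell)
        seen[name] = cell
    return seen


def send(payload: bytes, https: bool) -> dict:
    """Push one request through the three hops, optionally under end-to-end TLS."""
    if https:
        payload = keystream_xor(TLS_KEY, payload)   # layer no relay can remove
    return relay_circuit(client_wrap(payload))


def what_each_hop_sees(https: bool) -> dict:
    """True for a hop that can read the request in the clear."""
    return {name: data == REQUEST for name, data in send(REQUEST, https).items()}


def destination_recovers(https: bool) -> bool:
    """The far end removes the TLS layer (if any) and gets the request back."""
    exit_output = send(REQUEST, https)["exit"]
    return (keystream_xor(TLS_KEY, exit_output) if https else exit_output) == REQUEST


if __name__ == "__main__":
    print("http :", what_each_hop_sees(https=False))   # only the exit reads it
    print("https:", what_each_hop_sees(https=True))    # nobody on the path does
```

Running it shows the two situations in the thread side by side: over plain http the guard and middle see only ciphertext while the exit holds the readable request; with the extra end-to-end layer the exit forwards bytes it cannot interpret, yet the destination still recovers the request.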
Re: Danish TPB DNS Blocks - tor-ramdisk DNS fix, how?
Georg Sluyterman wrote:
> Flamsmark wrote, On 2009-11-25 20:52:
>> Perhaps you'll just have to wait for the developer to fix the problem?
>
> I will send a feature request :-)

This is a good idea and will be included.

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Tor-ramdisk 20091123 (i686) and 20091124 (MIPS) released
Hi everyone,

I want to announce to the list that new releases of tor-ramdisk are out. Tor-ramdisk is an i686 and MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: These releases update tor to 0.2.1.20 and busybox to 1.15.2 on both architectures. Users are encouraged to upgrade since these updates address issues which may affect the memory-restricted ramdisk environment. Nodes simba and mufasa have been running the i686 and MIPS versions for about one week in the wild.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

MIPS:
Homepage: http://opensource.dyc.edu/tor-mips-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Re: Anyone running Tor on routing/switching hardware ?
John Case wrote:
> This is interesting:
>
> http://www.linux-cisco.org/index.php/Cisco_3600_Series
>
> It's only a R4700 with 128 MB of ram ... but they have Linux up and running on it.
>
> Is anyone running Tor on a Cisco router, or more generally, on networking infrastructure hardware of any kind?

Close, take a look at the MIPS port of tor-ramdisk:

General Information: http://opensource.dyc.edu/tor-ramdisk
MIPS Specific Information: http://opensource.dyc.edu/tor-mips-ramdisk

Node mufasa has been running this since last March, I think. It's a Mikrotik RB433AH which sports an Atheros AR7161, which is a MIPS processor. If there is interest, I can port tor-ramdisk to other router archs.

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
tor-ramdisk 20090926 (i686) and 20090927 (MIPS) released
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: A new feature was added to both the i686 (release 20090926) and MIPS (release 20090927) ports. The setup scripts and busybox's configuration were modified so that the user can now choose to set up networking either by DHCP or by static assignment. In all other respects, these releases are the same as their previous counterparts.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

MIPS:
Homepage: http://opensource.dyc.edu/tor-mips-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Re: Tor and Java
Jacob Appelbaum wrote:
> Hi,
>
> Roger and I recently decided we should have a list centering around Tor and Java development. The tor-java list is now live and is welcoming new subscribers:
>
> http://archives.seul.org/tor/java/
>
> Best,
> Jacob

Why? What are the issues?

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
The Register article about making online anonymity illegal in Australia
This was an interesting article; I thought I'd share in case you haven't seen it.

http://www.theregister.co.uk/2009/09/09/anonymous_backfire/

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Re: Tor-ramdisk 20090821 released
Andrew Lewman wrote:
> Is it possible that some future version could support dhcp for net config? And while this is probably overkill, something like atagar's arm (https://svn.torproject.org/svn/arm/trunk/) for the tor relay would be neat in another virtual terminal.

Yes, this is possible. I now have two items on the todo list:

1) support alternative sftp to ftp.
2) support dhcp over static.

Neither are a problem. My teaching load is, however. Can someone yell at the dean for me ... but I digress :)

On a serious note, I will make these requests a priority.

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Tor-ramdisk 20090821 released
Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: This is a maintenance update: tor was updated to tor-0.2.1.19 in the new stable branch and busybox to 1.14.3. The hardened toolchain used to build the image was updated to uClibc-0.9.30.1 and gcc-4.4.1 patched with espf-0.3.3, to address a bug in the older hardened compiler gcc-3.4.6 (see tor's flyspray task #1060). As with all releases, this one comes tested in the wild. Tor-relay node simba has been running this version with no problems for a week now.

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
stack smashing attack in function command_process_cell()
Hello,

I hit this bug

  stack smashing attack in function command_process_cell()

when running the new tor-0.2.1.19 compiled for an embedded x86 system, static linking. The toolchain is:

  gcc --version = gcc (GCC) 3.4.6 (Gentoo Hardened 3.4.6-r2 p1.6, ssp-3.4.6-1.0, pie-8.7.10)
  uclibc-0.9.28
  binutils-2.18

The stack smashing protector is triggered after tor is up and fully running, i.e. after it has bootstrapped, checked that its ports are reachable, performed the bandwidth self-test and started relaying. The easiest workaround is to disable ssp in the compiler, which is undesirable. I manually audited command_process_cell() and it looks fairly innocent. Any suggestions from the gurus before I start a full blown attack on this bug?

This problem was not present in 0.2.0.35 and below.

http://www.torproject.org/dist/tor-0.2.1.19.tar.gz

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Re: Best practice for DNS through tor
Jim McClanahan wrote:
>> 3) I tried redirection with iptables on the local host but I can't get that to work --- I'm not sure its possible. ...
>
> I would think that should work. (I've done similar DNATing -- with DNS even! :-) Something like:
>
>   iptables -t nat -A OUTPUT -p udp --dport 53 \
>     -j DNAT --to-destination $router_ip:5300

Thanks, that did it. I was using PREROUTING, which is for packets routed through the box, not packets originating from the box. I've been caught by this before but it just didn't click.

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Best practice for DNS through tor
Hi everyone,

I'd like to set up a situation where users on a LAN can optionally reroute just their DNS queries through tor. What I have is a gateway router where bind9 runs on udp 53 (caching only) and tor uses DNSPort 5300. I'd like the users to be able to do something on their local computers which switches DNS queries to the router on port 5300 rather than 53. Any suggestions on best practices? Here's what I've tried:

1) I wrote a perl script to proxy dns from localhost:53 to router:5300 and then added nameserver 127.0.0.1 in resolv.conf. It works, but I would want to clean up the script or rewrite it in C before deploying. This is my best solution.

2) I tried nameserver 192.168.1.1:5300 in resolv.conf, but that syntax is not understood.

3) I tried redirection with iptables on the local host but I can't get that to work --- I'm not sure it's possible. On the other hand, redirection on the router does work by port forwarding with the PREROUTING chain, and I can distinguish on a host-by-host basis, but it's a pain to set up something where the user just presses the switch button locally and then an iptable rule changes on the router. I'd prefer solution #1 to this.

4) The -p option in dig works great, but I don't see how to wrap that in with ordinary DNS queries.

On a different note, there must be DNS caching in tor. Is there a way to control that without jumping into the code?

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
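Option 1 above, written out as an added example (this is not the author's perl script, and it is not part of tor-ramdisk): a small UDP forwarder that listens on localhost:53 and relays each query to the router's DNSPort, so `nameserver 127.0.0.1` in resolv.conf is the only client-side change. The router address 192.168.1.1 is taken from the thread's option 2 and the port 5300 from the setup described; both are assumptions for the defaults here. `demo()` runs the whole path offline against a constructed fake upstream on loopback, so it can be exercised without a router or root privileges (binding port 53 for real needs root).

```python
import socket
import struct
import threading

# Assumed defaults from the thread's setup: local stub on udp/53, Tor's
# DNSPort 5300 on the gateway router (192.168.1.1 is the address the thread uses).
LISTEN = ("127.0.0.1", 53)
UPSTREAM = ("192.168.1.1", 5300)


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question) + QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the fields of the DNS header we need for matching and diagnostics."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def forward_query(query: bytes, upstream=UPSTREAM, timeout: float = 2.0) -> bytes:
    """Relay one query to the upstream resolver and return its reply.

    A fresh socket per query plus a transaction-ID / QR check means a stray
    or late datagram is never handed back as the answer to this query.
    Raises socket.timeout if the upstream stays silent."""
    want = parse_header(query)["id"]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        while True:
            reply, _ = s.recvfrom(4096)
            if len(reply) < 12:
                continue                      # not a DNS message; ignore it
            hdr = parse_header(reply)
            if hdr["id"] == want and hdr["qr"]:
                return reply


def serve(listen=LISTEN, upstream=UPSTREAM) -> None:
    """Foreground proxy loop: this is what option 1 in the post does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as ls:
        ls.bind(listen)
        while True:
            query, client = ls.recvfrom(4096)
            try:
                ls.sendto(forward_query(query, upstream), client)
            except socket.timeout:
                pass   # upstream silent: the client's resolver will retry


def demo() -> dict:
    """Offline round trip: a constructed fake upstream on loopback echoes the
    query with the QR bit set, standing in for Tor's DNSPort."""
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.bind(("127.0.0.1", 0))
    upstream_addr = up.getsockname()

    def fake_upstream():
        q, peer = up.recvfrom(4096)
        txid, flags, *counts = struct.unpack("!HHHHHH", q[:12])
        up.sendto(struct.pack("!HHHHHH", txid, flags | 0x8000, *counts) + q[12:], peer)
        up.close()

    t = threading.Thread(target=fake_upstream, daemon=True)
    t.start()
    query = build_query("www.example.com", txid=0x1234)   # constructed name
    reply = forward_query(query, upstream_addr, timeout=5.0)
    t.join()
    return {"query": parse_header(query), "reply": parse_header(reply),
            "question_echoed": reply[12:] == query[12:]}


if __name__ == "__main__":
    print(demo())
```

Switching a workstation between the two resolvers then comes down to whether `127.0.0.1` or the router is listed first in resolv.conf while the forwarder runs, which is the "press the switch button locally" behaviour the post is after. The ID check in `forward_query` is the one detail worth keeping in any rewrite, because a stub that accepts the first datagram it receives will happily return an unrelated or stale reply.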
Re: Tor-ramdisk MIPS 20090710 released
grarpamp wrote:
>> survives a reboot except for the Tor configuration file and RSA key which can be imported/exported via FTP.
>
> Wouldn't scp/sftp be better for this given the sensitive nature of the content transferred and the passive/active difficulties with FTP over Tor?

You're right. I will either switch to exclusively sftp or add it as an option. We run two tor relays at DYC, Simba and Mufasa, one i686 tor-ramdisk and the other the mips port. We load up their config/RSA via ftp on a local network where ftp is relatively safe. But over insecure networks, sftp definitely, and users may need to do that.

Thanks.

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
Tor-ramdisk MIPS 20090710 released
Hi everyone,

I want to announce to the list that tor-ramdisk MIPS 20090710 is out. Tor-ramdisk is an i686 or MIPS uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security (hardened binaries and kernel) and privacy (no logging at any level). Everything runs in RAM so no information survives a reboot except for the Tor configuration file and RSA key, which can be imported/exported via FTP.

Change Log: This MIPS release implements the changes in the i686 release of 20090627. Tor was updated to 0.2.0.35. Busybox was updated to 1.14.1 and the kernel was updated to 2.6.28.10. It has been tested in the wild: node Mufasa is running the image on a Mikrotik rb433ah board.

Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-mips-ramdisk-downloads

--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
tor-ramdisk 20090627 released
Hi everyone,

I want to announce to the list that tor-ramdisk 20090627 is out. Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security (hardened binaries and kernel) and privacy (no logging at any level). Everything runs in RAM so no information survives a reboot except for the Tor configuration file and RSA key which can be imported/exported via FTP.

Change Log: Tor was updated to 0.2.0.35. Busybox was updated to 1.14.1 and the applet selection slimmed down, giving the system a more embedded feel and reducing possible attack vectors. The kernel was updated to 2.6.28.8 plus Gentoo's hardened-patches-2.6.28-10.extras. The UI was cleaned up by removing redundant features.

Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Iran + tor
I thought the list might be interested in this:

http://iran.whyweprotest.net/
http://torir.org/

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Re: Tor grassroots advocacy
Roc Admin wrote:
> Hello - A little late to the party but I'm also interested in the presentation. There is a small advocacy group in Rochester that has responsible Tor advocacy as one of its goals.
> -- Roc Tor Admin

Is there contact information? I too am a little late to the party and I haven't followed the thread closely. Rochester has also been the center of unfair bandwidth capping by Time Warner Cable. U.S. Rep. Eric Massa (D-N.Y.) is considering legislation that would prohibit TWC from continuing this abuse. Massa is quoted as saying “At the very moment when access to digital information is at the heart of economic recovery, they’re going to go for corporate greed.” [1] There are more links to informative sites at [1].

I see in Massa's statement a place for Tor advocacy. Economic recovery would only be hindered if access to digital information is bought at the price of privacy. Without privacy, the internet becomes a playground for exploitive and greedy corporations, of which we've seen too many examples. Such a chilling effect would discourage the public from entering into this new economic arena and decrease economic growth. I suggest drafting a letter to Massa asking that tor nodes be also protected under his draft legislation and cite recent abuses lodged at McCabe by TWC as yet another example of corporate greed run amok.

[1] http://rochesterturning.com/2009/04/08/massa-opposes-time-warner-cable-fee-increase/

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Re: CPU-usage data
Dominik Sandjaja wrote:
> Hi, is there data available on how much of the CPU time is used by what part of Tor? I guess that most is used by crypto parts, but any reliable data would be appreciated. All given that the network is fast enough and the cpu is at 100% usage. Something like "90% of its (CPU) time Tor spends on crypto operations".
> Thanks in advance, Dominik

I think you want oprofile: http://oprofile.sourceforge.net/news/

Look at the sample: http://oprofile.sourceforge.net/examples/ Scroll down to "Symbol summary for a single application".

Back when I used to write heavy duty number crunching code I used a program called tprof but I'm not sure it's available in Linux.

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Re: Tor memory usage on embedded systems.
pho...@rootme.org wrote:
> On Fri, Mar 06, 2009 at 01:12:51AM +0100, sl...@slush.cz wrote 3.6K bytes in 99 lines about:
> : Thanks for pointing that out. I'm trying to answer the question what is
> : the minimum amount of RAM required to run a bare minimum linux system
> : which can support a tor relay/exit/directory node. Suggestions?
>
> The command pmap may also work, http://linuxcommand.org/man_pages/pmap1.html It gives you a handy total at the end of its output. Alternatively, just parse /proc/{tor pid}/status for the details.

Hi Andrew, this is one approach, but I want a system total, not just the memory usage on a process by process basis. It would be nice to be able to answer questions like "if we want to run a tor exit and directory server at such and such a rate on an embedded device, how much ram does the device need?" Tor needs some minimal OS in which to live. The least I could do is busybox + openntp + tor. The memory requirements of these processes must be added in. Also embedded devices run purely in RAM, so the filesystem contributes to usage and tor needs about 30MB in its DataDirectory. This also needs to be added in.

Rather than identifying all the pieces and adding, which is not the easiest thing to do without missing something or double counting, the approach I took is to just ask the system for a total with free. (E.g. pmap needs careful interpretation when adding up totals for more than one process because of shared memory.) I think my MIPS numbers are good, but my i686 are misleading. slush's response jarred me to look at how free reports memory usage for transitional ramdisks (/dev/ramX) devices versus what it does with initramfs.

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Re: Tor memory usage on embedded systems.
Marco Bonetti wrote:
> Could you run the tests after setting the same BandwidthRate and BandwidthBurst for all nodes? I think that a lower rate/burst node should be less used than a higher one.

Yes. I'm hoping in the long run to produce something like

RAM requirements on embedded systems = function of ( tor services provided, BandwidthRate, other relevant parameters )

where the other parameters may include architecture, uclibc vs glibc etc. Not an exhaustive study, but something of a guide to the community should people want to start putting tor servers on embedded devices along the lines of what JanusPA does.

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
MIT Circumvention Landscape Report
Hi everyone,

This is not something we didn't know about already, but I saw it on slashdot and thought I'd share (in case you don't keep up with your slashdot!)

http://tech.slashdot.org/article.pl?sid=09/03/05/1334220from=rss
http://cyber.law.harvard.edu/publications/2009/2007_Circumvention_Landscape_Report

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Tor memory usage on embedded systems.
Hi everyone,

About a month back I said I would email the list with some measurements of RAM usage for tor in embedded systems running in the wild. These preliminary numbers might be of interest. Here's what I did. I ran tor in a ramdisk environment with only 3 binaries (busybox, tor and openntpd, statically linked against uclibc) on 1) an i686 box, 4 x 2.80GHz Xeon with 4GB ram (image at http://opensource.dyc.edu/pub/tor-ramdisk/images/tor.uclibc.i686.20090131.iso) and 2) a MIPS board (Mikrotik RB433AH) with a 680 MHz Atheros AR7161 and 128MB ram (image at http://opensource.dyc.edu/pub/tor-mips-ramdisk/images.ar7161/tor-mips-ramdisk.elf). After booting, I waited until the systems established themselves as relay only and directory server nodes in the network. I then monitored ram usage as time went on. Here's what I found:

1) node simba = i686 box with BandwidthRate 150KB BandwidthBurst 200KB

Day  Total(MB)  Disk(MB)
 7     246        30
 9     247        31
12     249        31
16     255        31
19     258        33
21     261        33

Here total = total ram usage including paging and ramdisk, while disk = ramdisk only (mostly due to DataDirectory files). I did not systematically measure CPU usage, but it was very small.

2) node mufasa = mips with BandwidthRate 40KB BandwidthBurst 80KB

Day  Total(MB)
 1     45
 2     56
 3     56
 4     56
 5     56
 6     61
 7     56
 8     56

Given the different way in which the ramdisk was set up on the MIPS, there was no easy way to separate paging from disk memory. Again, I did not systematically measure CPU, but watching top occasionally, I never saw loads over 0.1 or cpu usage over 10%.

I realize these numbers are rough and incomplete, but they give a ball park of what's needed. I'm going to repeat these measurements, but would like some feedback from the community regarding what you'd like to see.

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Re: Tor memory usage on embedded systems.
slush wrote:
> Hello, I'm a little bit confused with RAM usage of i686 box. I'm running node with almost same bandwidth and after 6 days uptime, Tor process consumes only 37MB. What is different? My Tor version is 0.2.1.12-alpha (r18423).
> Marek
>
> On Thu, Mar 5, 2009 at 8:27 PM, basile bas...@opensource.dyc.edu wrote:
>> 1) node simba = i686 box with BandwidthRate 150KB BandwidthBurst 200KB
>>
>> Day  Total(MB)  Disk(MB)
>>  7     246        30
>>  9     247        31
>> 12     249        31
>> 16     255        31
>> 19     258        33
>> 21     261        33

The version I used is 0.2.0.33, but I realized that's not the issue. The mistake I made in reporting these numbers is that on the i686 box I used an initrd image in /dev/ram0 which is sized at 128MB. Immediately upon booting, free reports 133 MB of RAM in use just before starting tor. On the MIPS I used an initramfs image and free reports 5MB in use at the same point. It looks like my i686 numbers are messed up, too high by 128 MB.

Thanks for pointing that out. I'm trying to answer the question what is the minimum amount of RAM required to run a bare minimum linux system which can support a tor relay/exit/directory node. Suggestions?

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
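Two accounting problems run through this thread: the shared-memory caveat in the reply to Andrew about pmap (the pmap total counts every shared page once per process), and the 128 MB that a block ramdisk added to the i686 figures in this message. As an added example in Python, the editor's code and not anything from the thread, the script below sums per-process memory two ways from /proc/<pid>/smaps text: naively by Rss, as pmap and ps report it, and by Pss, which apportions each shared page among the processes mapping it so the sum is a true system figure. It also computes the "-/+ buffers/cache" used figure that free(1) of that era derived from /proc/meminfo. The smaps and meminfo contents are constructed samples for statically linked busybox and tor; the live_footprint() helper reads the real /proc and is an assumption about a root-privileged run.

```python
#!/usr/bin/env python3
"""Add up RAM for a set of processes without double counting shared pages.

Added example, not code from the thread. Linux exposes Pss (proportional set
size) in /proc/<pid>/smaps: each shared page is divided among its mappers, so
Pss sums to a real system figure while summing Rss overcounts shared pages.
The smaps and meminfo texts below are constructed samples.
"""
import os
import re

KB_FIELD = re.compile(r"^(\w+):\s+(\d+) kB$")


def parse_kb_fields(text):
    """Sum every 'Name: N kB' line in a /proc text, keyed by field name."""
    totals = {}
    for line in text.splitlines():
        m = KB_FIELD.match(line.strip())
        if m:
            totals[m.group(1)] = totals.get(m.group(1), 0) + int(m.group(2))
    return totals


def process_footprint(smaps_text):
    """Rss, Pss and shared kB for one process from its smaps text."""
    t = parse_kb_fields(smaps_text)
    return {
        "Rss": t.get("Rss", 0),
        "Pss": t.get("Pss", 0),
        "Shared": t.get("Shared_Clean", 0) + t.get("Shared_Dirty", 0),
    }


def system_footprint(smaps_by_name):
    """Return (naive Rss sum, Pss sum) in kB across processes.

    The difference is exactly the shared memory that Rss counts more than once.
    """
    rss = pss = 0
    for text in smaps_by_name.values():
        fp = process_footprint(text)
        rss += fp["Rss"]
        pss += fp["Pss"]
    return rss, pss


def meminfo_used(meminfo_text):
    """The '-/+ buffers/cache' used figure: MemTotal - MemFree - Buffers - Cached.

    A block ramdisk (/dev/ramX) counts toward this, which is the 128 MB that
    inflated the i686 numbers in the thread; an initramfs root is page cache
    and shows up under Cached instead.
    """
    t = parse_kb_fields(meminfo_text)
    return t["MemTotal"] - t["MemFree"] - t.get("Buffers", 0) - t.get("Cached", 0)


def live_footprint():
    """Read smaps for every process we can see (root for other users' processes)."""
    texts = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/smaps") as f:
                texts[pid] = f.read()
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue    # process exited or is not ours
    return system_footprint(texts)


# Constructed sample: tor has only private pages; two busybox applets (init
# and sh) share the statically linked /bin/busybox text, 400 kB resident,
# so each is charged half of it in Pss.
SAMPLE_SMAPS = {
    "tor": """\
08048000-080e8000 r-xp 00000000 01:00 12         /bin/tor
Size:                640 kB
Rss:                 512 kB
Pss:                 512 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
""",
    "busybox-init": """\
08048000-080ac000 r-xp 00000000 01:00 3          /bin/busybox
Rss:                 400 kB
Pss:                 200 kB
Shared_Clean:        400 kB
Shared_Dirty:          0 kB
080ac000-080b6000 rw-p 00000000 00:00 0          [heap]
Rss:                  40 kB
Pss:                  40 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
""",
    "busybox-sh": """\
08048000-080ac000 r-xp 00000000 01:00 3          /bin/busybox
Rss:                 400 kB
Pss:                 200 kB
Shared_Clean:        400 kB
Shared_Dirty:          0 kB
080ac000-080bb000 rw-p 00000000 00:00 0          [heap]
Rss:                  60 kB
Pss:                  60 kB
Shared_Clean:          0 kB
Shared_Dirty:          0 kB
""",
}

SAMPLE_MEMINFO = """\
MemTotal:         126812 kB
MemFree:           64000 kB
Buffers:            2000 kB
Cached:            20000 kB
"""

if __name__ == "__main__":
    rss, pss = system_footprint(SAMPLE_SMAPS)
    print(f"naive Rss sum {rss} kB, Pss sum {pss} kB, double counted {rss - pss} kB")
    print(f"used per free(1): {meminfo_used(SAMPLE_MEMINFO)} kB")
```

On the sample, the Rss sum is 400 kB higher than the Pss sum, which is the shared busybox text counted twice. On a real box the remaining gap between the Pss sum and the meminfo "used" figure is kernel memory plus the ramdisk contents, which no process owns.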
tor-ramdisk 20090217 released
Hi everyone,

I want to announce to the list that tor-ramdisk 20090217 is out. Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security (hardened binaries and kernel) and privacy (no logging at any level). Everything runs in RAM so no information survives a reboot except for the Tor configuration file and RSA key which can be imported/exported via FTP.

Change: Tor was updated to stable 0.2.0.34. The UI now allows the user to check the system time and gives the option of setting it via rdate should ntpd fail. top was added when querying the system resources. The scripts to build tor-ramdisk from scratch were cleaned up. The release comes tested one week in the wild on node simba.

Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Re: Tor-ramdisk 20090131 is out
How embarrassing! Thanks 585. And here's the home page for a more complete description http://opensource.dyc.edu/pub/tor-ramdisk/

Roc Admin wrote:
> Hello from 585. :) Just wanted to throw in a link. http://opensource.dyc.edu/pub/tor-ramdisk/images/
> - ROC Tor Admin
>
> On Sat, Jan 31, 2009 at 7:28 AM, basile bas...@opensource.dyc.edu wrote:
>> Hi everyone, I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.
>>
>> Changelog: This is a minor maintenance update: tor was updated to version 0.2.0.33 and busybox to 1.13.2. As with all releases, this one comes tested in the wild. Tor-relay node simba has been running this version with no problems for a week now.

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Re: Tor-ramdisk 20090131 is out
OMG! I must stop sending out these emails first thing in the morning! I meant the home page is at http://opensource.dyc.edu/tor-ramdisk Now I'm sure to get flamed for overposting!

basile wrote:
> How embarrassing! Thanks 585. And here's the home page for a more complete description http://opensource.dyc.edu/pub/tor-ramdisk/
>
> Roc Admin wrote:
>> Hello from 585. :) Just wanted to throw in a link. http://opensource.dyc.edu/pub/tor-ramdisk/images/
>> - ROC Tor Admin
>>
>> On Sat, Jan 31, 2009 at 7:28 AM, basile bas...@opensource.dyc.edu wrote:
>>> Hi everyone, I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.
>>>
>>> Changelog: This is a minor maintenance update: tor was updated to version 0.2.0.33 and busybox to 1.13.2. As with all releases, this one comes tested in the wild. Tor-relay node simba has been running this version with no problems for a week now.

-- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197
Tor-ramdisk 20090131 is out
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everyone,

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Changelog: This is a minor maintenance update: tor was updated to version 0.2.0.33 and busybox to 1.13.2. As with all releases, this one comes tested in the wild. Tor-relay node simba has been running this version with no problems for a week now.

- -- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmEUhgACgkQl5yvQNBFVTVzAACfWfQQ4oJZqJ8YS99R/Kirlh54
dUYAn01QEbPYD9jNqX9senS9HELAfVa+
=bCKF
-----END PGP SIGNATURE-----
Running tor relay on a MIPS board (Re: setting up a TOR relay)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Doctor wrote:
> Maurizio Lombardi wrote:
>> Considering the fact that my bandwidth is limited to 30 Kb/s (240 Kbps) can it work with just 64 Mb of RAM? (Maybe limiting the number of connections?)
>
> I have been trying to run a Tor node on 64 MB of RAM, and it does not seem to work well. Tor stays up for two or three hours and then dies silently. I've been trying to debug it for a few weeks now and I don't know if it's a memory limitation or the same bug that's been discussed in at least one other thread on this mailing list.
>
>> What about 128 Mb of RAM?
>
> No idea. Post if you give it a try, I'm interested in your results.

Since my last post, I fixed some annoying problems I was having running tor embedded in a MIPS arch --- actually tor was fine, but there were issues with linking busybox and configuring the kernel. So, I've now pretty much ported my little environment (tor-ramdisk) to MIPS and I'm running a relay only tor node mufasa. It's running in QEMU but as soon as I get my board, I'll move it over. Its status can be seen here:

http://torstatus.kgprog.com/router_detail.php?FP=449a610341fa08c0d8c11a2309ef7313b3721451

The biggest question we've had is how much RAM does tor need in these embedded environments. E.g. I believe Kyle Williams who built JanusPA used 256MB. The answer to this question will depend on how you are using tor: client only (like JanusPA), relay only, exit. I'm going to try to address this question systematically for a relay-only node. I'll plot RAM and cpu usage versus BandwidthRate on mufasa for a few points. I'll further break down the RAM between ramdisk versus paging memory. Since the emulated environment is probably not the place to do this reliably, I'll have to wait until my board comes. I'll also proceed carefully, e.g. leave a relay up for a week before tweaking the bandwidth. This will give me good statistics and also cause minimal disruption to the tor network itself.

For what it's worth, here's the current usage after running about 12 hrs: ramdisk 13.8 MB, paging 50.6 MB = total 64.4 MB

The mips branch of tor-ramdisk can be obtained here http://opensource.dyc.edu/tor-mipsel-ramdisk

BTW, I noticed a lot of downloads after my first post while I was still changing files on the archive so you may want to redownload to get the latest. I've frozen the binaries for mufasa as release 20090125. Any wishlist or caveats before I do my little experiment?

- -- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkl8iQEACgkQl5yvQNBFVTWtdgCgpFpX/fzhkckcmK1e+IRvpf7I
ebQAn0TnnHVhXrxBmaf/v8V1a0QFXL0Z
=mJC9
-----END PGP SIGNATURE-----
Re: setting up a TOR relay
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maurizio Lombardi wrote:
> Hi, I have a little stupid question: In the near future I will buy a little MIPS-based board running Linux and I would like to set up a TOR relay with it. The problem is that I have an extremely limited amount of RAM ( 64 Mb ) and I read that a tor relay generally needs 768 Mb for a 10 Mbit connection. Considering the fact that my bandwidth is limited to 30 Kb/s (240 Kbps) can it work with just 64 Mb of RAM? (Maybe limiting the number of connections?) What about 128 Mb of RAM?
> Thanks for the help.

Ciao Maurizio,

I have (tried) to run a tor relay on a Linksys WRT54G board with about 4MB of ram. It does not work well and runs out of ram quickly. I gave the details of how I did it on this list so you can search the archives.

As a reference for how much ram one needs, I do have experience running tor in an embedded environment but on an i386 box. Node simba has been running for months and boots tor-ramdisk, a micro linux distro which basically sets up a ramdisk root filesystem with the bare essentials for a tor server. I set aside 128MB for ramdisk and that's more than enough for BandwidthRate 150KB with BandwidthBurst 200KB --- in fact it's overkill. From memory I think I only need 30 MB or so for ramdisk. What I don't have a good feeling for is how much paging memory is needed at those speeds. Node simba has 4GB of ram and never comes close to using it all but I'm not in front of the box right now and I can't say what it's using right now. There is no remote access. (When I walk my dog to the lab later I'll take a look and get back to you:)

I also run bonob2, a relay node on an ordinary box --- it's on our lab's ftp server. It's running at BandwidthRate 50KB with BandwidthBurst 75KB. As I write this, ps aux gives RSS of 448 MB and its DataDirectory holds about 21 MB. I would really like to know how these two memory requirements scale with BandwidthRate.

I'm teaching a course on embedded devices and as part of our class project we're porting tor-ramdisk to a mips board, probably the RB433AH. This sounds like what you're trying to do. You may want to look at

http://opensource.dyc.edu/tor-ramdisk
http://opensource.dyc.edu/pub/tor-mipsel-ramdisk/ - our very alpha port to a MIPS board
http://routerboard.com/ - some of the boards we're looking at

- --Tony Basile

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkl456MACgkQl5yvQNBFVTXZ4ACgiLyP0kTEi0GMYyEVItdLm42Y
cBMAn2uNkfiBQjijj0BO/kzMiJs2HP5r
=WtqX
-----END PGP SIGNATURE-----
tor-ramdisk 20090105 is out
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everyone,

For those not familiar, tor-ramdisk is an i686 uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by employing a hardened environment, and privacy is enhanced by turning off logging at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP.

Release 20090105 is a minor update release. Since tor-ramdisk follows stable Tor, we are following their upgrade to tor-0.2.0.32 to accommodate the bugfixes and new features. We also took this opportunity to upgrade the kernel to Gentoo's 2.6.25-hardened-r11 to keep up with their changes, although none that we know of affect tor-ramdisk. Finally we also made a minor fix to the setup script which is the main menu run on tty1. Since ntpd is started from init on tty3 before networking is configured and brought up, it doesn't reach any servers and just sits there. When networking is up, ntpd stays stuck and needs to be restarted. Previously one would do so manually by switching to tty3 with Alt-F3 and hitting ctrl-C. With 20090105, ntpd is automatically restarted whenever the networking is reconfigured to make sure it updates to its new environment. We still recommend checking by switching to tty3 and seeing ntpd's log output and making sure that time is well synchronized.

As with all releases, this one is tested in a virtual environment and in the wild. Node simba has been running 20090105 for about a week as a relay only node with no problems.

As a side note: there has been lots of discussion of putting tor on ARM and MIPS processors lately and so work is now underway to port tor-ramdisk to more router specific boards.

Homepage: http://opensource.dyc.edu/tor-ramdisk

Anthony G. Basile, Ph.D. Chair IT D'Youville College Buffalo NY, 14201
http://freshmeat.net/redir/tor-ramdisk/74741/url_homepage/tor-ramdisk

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkliWGYACgkQl5yvQNBFVTX9XwCfXwEdn9jL0kdoOkRRxibSITFH
DHQAmQG8G0DXP7PDe2qS9O1F4wBMcfAS
=iJd+
-----END PGP SIGNATURE-----
Time synchronization on tor servers and tor clients
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everyone,

I had an experience a few months ago in which I was running a tor client in a virtual machine. Because of the way I'd configured vmware, the clock of the virtual machine drifted significantly. After a while it was off by days --- the machine had been up about a month. Anyhow, I noticed that tor wasn't working correctly in that it wasn't making connections to entry guards. When I would restart the daemon, I could tell that it was starting up connections, but after a while these all died.

So, my question is, does tor depend explicitly or implicitly on time synchronization? Perhaps via the "published" line in the cached-routers list?

Anthony G. Basile

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIUZyGl5yvQNBFVTURAswaAJ9pYOq6GEftW++4KOxnBc+BQCpeWwCePHYp
8UgI1Lu+HHApn1hHwNeav/k=
=J1Jm
-----END PGP SIGNATURE-----
Re: Tor-ramdisk 20080606 released.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Bennett wrote:
> On Tue, 10 Jun 2008 14:06:57 -0400 basile [EMAIL PROTECTED] wrote:
>> We would like to announce a new release of Tor-ramdisk (version 20080606), an i686 uClibc-based micro Linux distro (about 3.1MB ISO) whose only purpose is to host a tor server in an environment which maximizes security and privacy. Security is enhanced by employing a monolithically compiled GRSEC/PAX patched kernel and hardened system tools. Privacy is enhanced by turning off logging at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key which may be exported/imported by FTP.
>
> Just out of curiosity, why did you choose LINUX for this project? If security is such a high priority, I would have thought that OpenBSD would have been the operating system of choice.
>
> Scott Bennett, Comm. ASMELG, CFIAG
> Internet: bennett at cs.niu.edu
> "A well regulated and disciplined militia, is at all times a good objection to the introduction of that bane of all free governments -- a standing army." -- Gov. John Hancock, New York Journal, 28 January 1790

Hi Scott,

First let me answer a related question which is why security is a high priority for this project. We've seen lots of talk on this list about unscrupulous exit node operators. I wanted a system for the conscientious tor operator which would give a minimum amount of information in order to preserve privacy while at the same time giving enough that he/she could determine that everything is working ok. Even an innocent utility like netstat, which can be used to make sure that connections are being established by the tor server, also reveals what IP addresses are connecting --- my concern may be a bit exaggerated, but I think you get the point.

But while on the one hand minimizing information makes me feel good as a tor operator, it makes me very nervous as a system administrator because I no longer have the diagnostic tools that would tell me if something fishy is going on. It's not a guarantee, but hardening the kernel/system tools lets me sleep better.

Having said that, why GRSEC/PaX Linux over OpenBSD? I run several OpenBSD and hardened Gentoo servers with GRSEC/PaX Linux and I trust both. OpenBSD is impressively secure across the board, but what I like about GRSEC is RBAC which, when properly configured, strongly restricts a daemon's capabilities. For systems with a narrow goal, I tend towards GRSEC. (I haven't enabled RBAC yet in tor-ramdisk, but that's next.) I can also assure people that my student (Melissa) and I keep our eyes on the upstream dependencies for any security issues and will update tor-ramdisk accordingly.

I don't want to annoy the list, so I think if we want to continue talking about the relative merits of the various hardening techniques employed by both, stackgaps, ssp, w^x and the like, we should do so privately.

Anthony G. Basile

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIUBeAl5yvQNBFVTURAvjtAJ9g8cYxOGQAMdToPf6Fjl4Si+NSqwCeIrtQ
TYhDrrP+KpyOwhTdeBmAdBI=
=Qrlc
-----END PGP SIGNATURE-----
Re: Tor-ramdisk 20080606 released.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marco Bonetti wrote:
> On Tue, June 10, 2008 20:06, basile wrote:
>> We would like to announce a new release of Tor-ramdisk (version 20080606), an i686 uClibc-based micro Linux distro (about 3.1MB ISO)
>
> from the changelog I've read that you're running a hardened 2.6 kernel, what is its size? I think that you can switch to 2.4 (GRSEC/PAX still supports this tree) to slim it down further.
>
> by the way: really nice project :)

Ciao Marco, thanks for the compliments. (I'm Italian-Canadian and I speak Italian.)

The kernel right now is 1.6 MB. A lot of its size is because we're supporting all 100MB and 1GB ethernet cards in a monolithic kernel. Anyhow, that's a good suggestion. Size isn't the biggest issue, but if it slims it down, why not.

Anthony G. Basile

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIUBiXl5yvQNBFVTURAugDAJ9Bqw/kkY6D7iE0LGEzWxohgpDdTACfVKf/
QVppKYIfAP+ozlxuDGpTe40=
=BbYt
-----END PGP SIGNATURE-----
Tor-ramdisk 20080606 released.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everyone,

We would like to announce a new release of Tor-ramdisk (version 20080606), an i686 uClibc-based micro Linux distro (about 3.1MB ISO) whose only purpose is to host a tor server in an environment which maximizes security and privacy. Security is enhanced by employing a monolithically compiled GRSEC/PAX patched kernel and hardened system tools. Privacy is enhanced by turning off logging at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key which may be exported/imported by FTP.

The aim of the project is to really make a Tor server (ie. an onion ROUTER) into a router, with no hard drives. This may be of interest to tor-operators who are worried about having their hard drives examined. Tor-ramdisk is not for hidden services since it does not support the other resources required, such as an http server and hard drive space for a web page.

Two major changes in this release:
1) configuring network and configuring/running/stopping tor is now menu driven.
2) torrc and secret_id_key can be imported/exported via FTP.

To do:
1) reduce system tools even further to restrict the system to just running tor,
2) consider adding RBAC rules to restrict tor's running environment,
3) consider adding iptables firewall,
4) create a bootable usb pen drive image in addition to the ISO,
5) add some form of time synchronization

Home Page: http://opensource.dyc.edu/tor-ramdisk
Freshmeat page: http://freshmeat.net/projects/tor-ramdisk

Anthony G Basile
Melissa Carlson
Information Technology D'Youville College 320 Porter Ave. Buffalo, NY 14201 USA

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFITsLBl5yvQNBFVTURApGRAJ4lMHGFr4WNLz/KHJePPS66mTiOlACcCO6Y
pYgXjkRcF2ExD2DcT07NP1Q=
=X0+J
-----END PGP SIGNATURE-----