Exclude nodes from certain countries

2007-09-14 Thread misc
I'm using Tor on Windows

I prefer to avoid tor nodes from certain countries. I know that I can 
manually add nodes into ExcludeNodes setting in Tor Config.

However there are over a hundred different Tor nodes in one country I want to 
exclude. And they're constantly changing (new ones pop up, old ones 
disappear, etc). It's impossible to do such a task manually using 
ExcludeNodes setting.

Didn't anybody find a better way?



Re: Exclude nodes from certain countries

2007-09-15 Thread misc
On Fri, 14 Sep 2007 19:47:56 -0400, Ringo Kamens wrote:

> The best option is to run a squid server on localhost with a block by
> country filter. Then, route your tor client through it.
> Comrade Ringo Kamens

I understand the part about running squid on localhost and routing web
browser through it. I can route the traffic from the browser to squid and
then into tor.

But how can I route Tor client through localhost proxy? Tor client has to
make an encrypted connection to Tor entry node. Do you mean putting squid
in the middle of that encrypted connection? How would you do that?

Plus, that will only filter the entry nodes by country. But I want to avoid
EXIT nodes from certain countries. The entry nodes do not see my traffic,
so I don't really care about them. However the exit nodes can see all my
traffic in clear text, so it's the exit nodes that I want to filter by
country (sorry if I didn't make it clear in my original post).



Re: Exclude nodes from certain countries

2007-09-15 Thread misc
On Sat, 15 Sep 2007 12:29:16 -0700, Wesley Kenzie wrote:

> www.pickaproxy.com

So your server can see all the traffic in cleartext before it enters Tor
network AND where the traffic is coming from. In other words users do not
have any protection from your server.

If you have not been approached by N$A/C1A/echel0n/etc yet, it will happen
sooner than you think.

Do you realize that fairly soon you will have a choice of various
unpleasant consequences versus obediently logging everything that goes
through your server and submitting the logs to proper channels?

That is, if you don't work there already >:(  Do you, Wesley? This smells
to me like a honeypot...



Re: Exclude nodes from certain countries

2007-09-15 Thread misc
On Sat, 15 Sep 2007 17:57:51 -0500 (CDT), Scott Bennett wrote:

> 
>  Why would they waste their time?  They will have already gotten copies
> of what they want as it traveled in the clear between its origin and the web
> server.  Remember the news articles a while back about all those snoop boxes
> in the locked rooms at AT&T?

>  As noted above, if they want it, they will have already gotten it.  The
> only reason to bother the web site operator(s) is for the general purpose of
> intimidation.

Scott, anybody who is browsing to www.pickaproxy.com to use Tor there would
OBVIOUSLY use SSL (https://www.pickaproxy.com). SSL support was the first
thing I checked when I went onto their web-site. (If they didn't support
SSL, I probably would not have even bothered replying to that post).

The connection to www.pickaproxy.com would be encrypted with SSL, then the
traffic would be decrypted at www.pickaproxy.com and redirected into their
Tor client, where it would be re-encrypted. Therefore the ONLY party
knowing the author IP and the contents of communication will be
www.pickaproxy.com (unless you use anonymous proxy-chain to connect to
www.pickaproxy.com).

I'm aware of those ISP rooms sucking the traffic from internet backbones
into N$A. So I can only imagine how much pressure this particular
web-server operator will be under, if that's not a honeypot from the start.



Re: Exclude nodes from certain countries

2007-09-15 Thread misc
On Fri, 14 Sep 2007 19:47:56 -0400, Ringo Kamens wrote:

> The best option is to run a squid server on localhost with a block by
> country filter. Then, route your tor client through it.
> Comrade Ringo Kamens
> 

I researched it more and everybody is saying squid goes between the browser
and tor:

Browser -> Squid -> Tor

Please explain how can you route Tor through squid?



Re: Exclude nodes from certain countries

2007-09-15 Thread misc
On Sat, 15 Sep 2007 21:39:17 -0400, Ringo Kamens wrote:

> I don't think you get the problem here. Squid wouldn't be able to
> affect the choice of exit nodes. It would just be able to filter entry
> nodes.
> Comrade Ringo Kamens

I know how to filter entry nodes. I can do it with Protowall or another
firewall. That's easy.

I wonder if Tor makes an initial connection to all nodes from which it
later constructs a circuit.

If Tor is never allowed to connect to certain nodes, and therefore "doesn't
know" about them, can they still be used as exit nodes?



Re: Exclude nodes from certain countries

2007-09-15 Thread misc
On Sat, 15 Sep 2007 22:20:16 -0400, Ringo Kamens wrote:
> 
> AFAIK tor connects to an entry guard which then connects to the exit
> node for you. This way, they can't take the logs from the exit node
> and go "well.. the IP in question connected to you 20 seconds before
> the alleged connection was made, so that's who it probably was". This
> should be all explained in the docs somewhere.
> Comrade Ringo Kamens

But if I click on "network map" in Vidalia I see various Exit Nodes there.
So obviously Tor knows about them.

Also, to determine if a node is an entry or exit node, Tor has to exchange
some sort of traffic with it, right? Since there is no centralized place
where Tor can get a list of all entry nodes, wouldn't it have to poll all
the nodes to determine their status?



Re: Exclude nodes from certain countries

2007-09-15 Thread misc
On Sat, 15 Sep 2007 23:17:14 -0500 (CDT), Scott Bennett wrote:

>  Please read the tor documentation.  If you think you've already done
> that, please go back and read it again.  

That brings back the pain of reading it the first time :)

I must admit I gave up after first few pages. I found it was too technical
and overwhelming, even though I'm not a computer novice.

> Once you understand the functions
> of the directory authorities and the directory mirrors, take a few minutes
> to browse through the files that tor maintains on your computer.  Note
> especially the contents of the files named cached-routers and
> cached-routers.new, and also the status document files in the cached-status/
> subdirectory.  All should be clear to you after you do those basic things.
>  Note that this is a user safety issue:  one should *not* use tor
> without having gained first a minimal understanding of what tor is doing
> and what it is not doing.  Without that understanding, a user is in grave
> danger of assuming his/her anonymity is being maintained when, in fact,
> it may not be.

Now that you pointed me to specific things to research, it's a bit easier
and it's a place to start.

Is there some sort of "in-a-nutshell" documentation without excessive
technicalities that you can recommend?



Re: Exclude nodes from certain countries

2007-09-16 Thread misc
On Sun, 16 Sep 2007 01:25:51 -0500 (CDT), Scott Bennett wrote:

>  I'd strongly recommend that you start with the tor overview
> document at
> 
>   https://tor.eff.org/overview
> 
> paying special attention to the cartoon describing how circuits are built,
> which should begin to straighten you out on some of the other misconceptions
> you've indicated regarding tor.  To learn about the process in greater detail,
> continue reading at
> 
>   http://tor.eff.org/svn/trunk/doc/spec/path-spec.txt
> 
>  To understand how tor clients (and servers) know what choices of servers
> are available, you need to read the directory protocol document(s) appropriate
> to the version of tor you run.  For 0.1.2.1[67], read
> 
>   http://tor.eff.org/svn/trunk/doc/spec/dir-spec-v2.txt
> 
>  For 0.2.0.6-alpha, read the above and
> 
>   http://tor.eff.org/svn/trunk/doc/spec/dir-spec.txt

Thanks Scott,

I understand now that Tor client downloads network-status documents with
descriptors of available onion routers and then chooses the routers for
building circuits from that list. I understand that tor client connects
directly only to entry nodes, and never makes a direct connection with
middle or exit nodes (unless they're later used as entry nodes for
different circuits).

I understand that I can use firewall to control the entry nodes used (the
firewall would prevent connecting to bad IPs, certain countries, etc). But
I still do NOT see how Tor connections to entry nodes can be controlled
with Squid.

It would make sense to use Protowall (with a blocklist from bluetack.co.uk)
to prevent connections to bad IP ranges. That way entry nodes run by
various "bad" organizations will not be used.

But I'm still left with a problem of how to avoid nodes from certain
countries. What especially bothers me is when ALL THREE NODES are chosen
from the same bad country. I would really like to avoid that. 

I hope solution for Windows will come soon.
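
Added example, not part of the original posts: one way to generate an ExcludeNodes line from the router descriptors Tor caches locally, filtered by country and limited to relays whose exit policy allows something. The descriptor sample, the country table and all function names are constructed for illustration; a real run would read the cached-routers file and a GeoIP database instead.

```python
import ipaddress

# Constructed sample in the layout of Tor's cached-routers file (not real relays).
SAMPLE_DESCRIPTORS = """\
router alpha 192.0.2.10 9001 0 9030
opt fingerprint AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA
reject *:25
accept *:*
router beta 198.51.100.7 443 0 0
opt fingerprint BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB
reject *:*
router gamma 203.0.113.99 9001 0 0
opt fingerprint CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC
accept *:80
reject *:*
"""

# Constructed stand-in for a GeoIP table: country code -> CIDR ranges.
COUNTRY_RANGES = {
    "AA": ["192.0.2.0/24"],
    "BB": ["198.51.100.0/24", "203.0.113.0/24"],
}

def parse_descriptors(text):
    """Return one dict per 'router' entry: nickname, address, fingerprint, exit."""
    relays, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "opt":      # "opt" prefixes optional keywords
            parts = parts[1:]
        if not parts:
            continue
        if parts[0] == "router" and len(parts) >= 3:
            cur = {"nickname": parts[1], "address": parts[2],
                   "fingerprint": None, "exit": False, "closed": False}
            relays.append(cur)
        elif cur is None:
            continue
        elif parts[0] == "fingerprint":
            cur["fingerprint"] = "".join(parts[1:]).upper()
        elif parts[0] in ("accept", "reject") and len(parts) >= 2 and not cur["closed"]:
            # Approximation: policies are first-match, so an accept line seen
            # before a catch-all "reject *:*" means some exit traffic is allowed.
            if parts[0] == "accept":
                cur["exit"] = True
            elif parts[1] == "*:*":
                cur["closed"] = True
    return relays

def country_of(address, ranges):
    """Look an address up in the country table; None if unknown or malformed."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    for cc, nets in ranges.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return cc
    return None

def exclude_line(text, ranges, banned, exits_only=True):
    """Build a torrc ExcludeNodes line for relays located in banned countries."""
    banned = {c.upper() for c in banned}
    fps = []
    for r in parse_descriptors(text):
        if exits_only and not r["exit"]:
            continue
        if r["fingerprint"] and country_of(r["address"], ranges) in banned:
            fps.append("$" + r["fingerprint"])
    return "ExcludeNodes " + ",".join(sorted(fps)) if fps else ""

if __name__ == "__main__":
    print(exclude_line(SAMPLE_DESCRIPTORS, COUNTRY_RANGES, {"BB"}))
```

The list has to be regenerated whenever the cached descriptors change. Later Tor releases accept country codes such as {us} directly in ExcludeNodes and ExcludeExitNodes, which removes that step.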





Re: Exclude nodes from certain countries

2007-09-16 Thread misc
On Sun, 16 Sep 2007 08:42:32 +0100, Robert Hogan wrote:

> TorK allows you to do this (in a rough and ready way using the geoip database 
> (maxmind.com) - about 9x% accurate). TorK is available only for Linux/BSD 
> unfortunately, but you could use the Incognito LiveCD which uses TorK as 
> the default Tor interface.
> 
> http://www.patdouble.com/index.php?option=com_content&task=view&id=11&Itemid=18
> http://files1.cjb.net/incognito

Thanks, I'll check it out



No-mail mode for this list

2007-09-16 Thread misc
How can I put this list into "no-mail mode" (so that I do not receive any
e-mails from it)?

I'm accessing it using the newsreader, so I do not need hundreds of e-mails
simultaneously going to my e-mail account.



Re: No-mail mode for this list

2007-09-19 Thread misc
On Mon, 17 Sep 2007 09:42:43 +1000, Steven Huf wrote:

> Quote: "How can I put this list into "no-mail mode" (so that I do not
> receive any
> e-mails from it)?"
> 
> Same, it's really filling up my inbox unnecessarily...
> 
> On 9/17/07, misc <[EMAIL PROTECTED]> wrote:
>>
>> How can I put this list into "no-mail mode" (so that I do not receive any
>> e-mails from it)?
>>
>> I'm accessing it using the newsreader, so I do not need hundreds of
>> e-mails
>> simultaneously going to my e-mail account.

I e-mailed the list owner at [EMAIL PROTECTED]
No reply, nothing. Maybe it's a wrong e-mail?

Does anybody know how we can contact the owner or administrator of this
mailing list?



Re: No-mail mode for this list

2007-09-19 Thread misc
On Wed, 19 Sep 2007 22:43:41 -0400, Roger Dingledine wrote:
> 
> The answer is that you should mail me and I'll whitelist your
> address -- then you can post while not receiving mails.

Thanks Roger. I guess I was expecting to find an automated way of doing
this. With Mailman one can just send automated commands to the list-server,
in the body of the e-mail. E.g.

"set delivery off"

to put the list into no-mail mode. 

I've gotten a list of commands that [EMAIL PROTECTED] understands, and
it's surprisingly small. They're still running Majordomo 1.94.5. Apparently
"nomail" is a majordomo 2 command and is not supported with 1.94.5

So you have to add each user who wants no-mail/delivery-off mode to a
white-list manually, er? That sucks! Are those folks at seul.org planning
to upgrade to majordomo 2 anytime soon?

> Actually, I did answer. Here are some hints:
> 
>   Date: Wed, 19 Sep 2007 13:51:31 -0400
>   From: Roger Dingledine <[EMAIL PROTECTED]>
>   To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>   Cc: [EMAIL PROTECTED]
>   Subject: Re: No-mail mode
>   Message-ID: <[EMAIL PROTECTED]>
> 
> Does anybody know how I can contact [EMAIL PROTECTED] :)

Sorry, I've never seen your e-mail. My mailbox was a total mess. I set up
all types of filters and deleted a whole bunch of e-mails on the server
without downloading them. But I was keeping an eye on this thread in
nntp://news.gmane.org/gmane.network.tor.user

So I saw right away when your reply appeared there :)



Re: No-mail mode for this list

2007-09-20 Thread misc
On Thu, 20 Sep 2007 00:49:47 -0400, Roger Dingledine wrote:
> 
> We're running mailman here too. One of the things I've been meaning to
> do in my copious free time is move the Tor lists over.

Move them to mailman? That would be great!

> you're roughly the second person to ask for this feature


The whole "list" consists of me and Steven Huff? :)

Well, it's not working. I'm still getting e-mails from the list, just
as before, including all the messages posted this morning.



Re: No-mail mode for this list

2007-09-20 Thread misc
On Thu, 20 Sep 2007 12:22:26 -0400, Jay Goodman Tamboli wrote:

> On Sep 20, 2007, at 12:02:50, misc wrote:
> 
>> Well, it's not working. I'm still getting e-mails from the  
>> list, just
>> as before, including all the messages posted this morning.
> 
> I think the idea of the whitelist is that you can now post to the  
> list without being subscribed. So you should unsubscribe now.
> 
> /jgt

Thanks, I understand now. I'll try unsubscribing.



Re: No-mail mode for this list

2007-09-20 Thread misc
On Fri, 21 Sep 2007 09:26:28 +1000, Steven Huf wrote:

> Would you be able to tell me how to unsubscribe then please?
> 

Send e-mail to [EMAIL PROTECTED] with empty subject and body containing
text:

unsubscribe or-talk



Need to run UDP & ICMP through Tor

2007-09-22 Thread misc
Is there a way to torrify UDP (I'm not talking about DNS) and ICMP?

For example how can I ping somebody through Tor?



Re: Need to run UDP & ICMP through Tor

2007-09-22 Thread misc
On Sat, 22 Sep 2007 13:27:03 -0400, Roger Dingledine wrote:

> On Sat, Sep 22, 2007 at 01:21:59PM -0400, misc wrote:
>> Is there a way to torrify UDP (I'm not talking about DNS) and ICMP?
>> 
>> For example how can I ping somebody through Tor?
> 
> No. At least, not in 2007.
> 
> http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#TransportIPnotTCP
> 
> --Roger

OK, I'll keep my fingers crossed...



Re: Maybe Firefox isn't the best choice for privacy?

2008-02-22 Thread misc
On Fri, 15 Feb 2008 13:38:58 -0800, Mike Perry wrote:

> Thus spake kazaam ([EMAIL PROTECTED]):
> 
> A few comments on this. First off, the fact that window sizes factor
> into a hash means as soon as you resize your window 1 pixel, they get
> a completely new identifier, uncorrelated to the previous one. So this
> is a trivial identifier to modify on your own if you are aware of it,
> or even to change accidentally.
> 
> But otherwise, I agree it is pretty interesting work, and Torbutton
> 1.1.14 will address many of these items, including a couple of modes
> of operation for masking window size, and protection against revealing
> extension installation during Tor. The ability to use chrome urls to
> determine true user agent, extension presence, and platform
> information was brought to our attention courtesy of Gregory
> Fleischer about a month ago. Unfortunately, fixes for his issues and
> the window size spoofing code didn't make it into the 1.1.13 release
> because of the more serious javascript and plugin issues recently
> discovered in Firefox that that release had to work around.

What about NoScript extension? Will that prevent gathering information
about installed plugins and other settings?



Re: Maybe Firefox isn't the best choice for privacy?

2008-04-05 Thread misc
On Sat, 23 Feb 2008 16:49:32 -0800, Mike Perry wrote:

> Thus spake misc ([EMAIL PROTECTED]):
> 
 
>> What about NoScript extension? Will that prevent gathering information
>> about installed plugins and other settings?
> 
> Not to my knowledge. Adblock Plus has support to hide extension
> presence, but I believe extensions have to programmatically request it
> from an Adblock service. Torbutton 1.1.14 should be out early next
> week, and will address these issues.

NoScript disables javascript.
Total Recall uses Javascript to retrieve most of the information about
firefox addons and other unique settings.

So why wouldn't NoScript be a solution to this leak? 



TTL settings for Tor

2008-04-12 Thread misc
I'm using Tor 0.2.0.22 and it's very slow.

Is there a way to tune TCPIP parameters in Windows to better work with
Tor? I'm talking most about values in this registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

For example, should DefaultTTL be increased, so that packets don't expire
in transit? What TCPWindowSize is better suited for Tor?

My browser connection constantly times out, even though I set timeout to
1200 (as opposed to usual 300). 

Any suggestions?



Re: TTL settings for Tor

2008-04-13 Thread misc
On Mon, 14 Apr 2008 02:14:37 +0200, Juliusz Chroboczek wrote:

>> Is there a way to tune TCPIP parameters in Windows to better work with Tor?
> 
> Short answer -- no.  Tor's slowness is at the application layer, you
> won't achieve much by tweaking the transport layer.
> 
>> For example, should DefaultTTL be increased, so that packets don't expire
>> in transit?
> 
> No.
> 
>> What TCPWindowSize is better suited for Tor?
> 
> This is not specific to tor -- you should set this to be larger than
> your bandwidth-delay product.  Since Internet paths tend to be in the
> 20 to 300 ms range, if you've got enough memory you may want to set it
> to one-third your throughput in *bytes* per second.
> 
> For example, if you're running on a 1Mbit ADSL line, you should set it
> to 42 kB or more (100 / 8 / 3).
> 
> A few caveats:
> 
>  - do *not* tweak your TCP windows if you're running Windows Vista or
>    a recent Linux (don't know about the BSDs); these systems do
>    automatic tuning, and are likely to do a better job than you;
>  - do *not* tweak your TCP windows if you are a gamer; increasing
>    your TCP windows will increase your latency;
>  - do *not* tweak your TCP windows if you're short on memory; you pay
>    for one TCP window for every single TCP socket.
> 
> Juliusz

Thanks. I'll leave those settings alone. But is there anything else I can
do? 

I tried everything except "procedure 3" and DNS cache tweaks as per:
http://wiki.noreply.org/noreply/TheOnionRouter/FireFoxTorPerf
I do not see any difference. In fact, it got slower.

I'm tired of hitting "reload" button in Firefox after constantly getting
"connection times out" error >:(
Is everybody suffering like that or am I doing something wrong?



GnuPG through Tor

2008-10-20 Thread misc
Is it possible to run GnuPG through Tor? (when connecting to LDAP and HKP
servers to exchange keys)?



Re: GnuPG through Tor

2008-10-21 Thread misc
On Tue, 21 Oct 2008 03:37:56 -0500 (CDT), Scott Bennett wrote:

>  On Tue, 21 Oct 2008 00:45:10 -0400 [EMAIL PROTECTED] wrote:
>>On Monday 20 October 2008 22:48:32 misc wrote:
>>> Is it possible to run GnuPG through Tor? (when connecting to LDAP and HKP
>>> servers to exchange keys)?
>>
>>Hello,
>>
>>If you don't mind my asking, is there anything you (or anyone else, chime 
>>in!) 
>>feel could be incriminating about obtaining someone's public key block from a 
>>keyserver?
> 
>  I don't think that is the issue here, but rather one of whether doing
> so breaks or weakens one's anonymity.  For example, if Bob fetches an
> infrequently fetched key (e.g., a key belonging to Lureen) and two minutes
> later Lureen's in box receives an encrypted message via an anonymous remailer,
> does knowing the IP address of the key fetcher is also Alice's IP address
> help Charlie point the finger at Alice as being the source of the message?

You hit it right on the money! If you download the public key without Tor
and then email the person through Tor, it doesn't take a rocket scientist
to put two and two together: that the person who downloaded the key is
probably the one who emailed "anonymously" later. That's a no-brainer, esp
if nobody else downloaded that key for months :)

I have a real problem downloading public keys of Hushmail users. I don't
want to install java, which is required to download their keys through the
browser. They don't propagate their keys to public HKP servers (which I
indeed could access using Tor & Privoxy). They have their own free LDAP
server:

ldap://keys.hush.com:389

Is there any way at all to get keys from LDAP server through Tor?





Re: GnuPG through Tor

2008-10-21 Thread misc
On Tue, 21 Oct 2008 17:32:43 +0200, Alexander W. Janssen wrote:

> misc wrote:
>> Is there any way at all to get keys from LDAP server through Tor?
> 
> LDAP uses TCP, so yes, it should be working if you configure GnuPG to
> use a proxy.
> 
> Alex.

GnuPG only has options for HTTP proxy. But LDAP doesn't work through HTTP
proxy.

I would imagine for LDAP I would need to direct traffic from GnuPG directly
into Tor (without Privoxy). 

But how can I do that? How can you run command-line applications (like
GnuPG) under a sockifier like TorCap?



Re: GnuPG through Tor

2008-10-21 Thread misc
On Tue, 21 Oct 2008 12:39:48 -0700, scar wrote:
> 
> i think if you are using Torbutton in Firefox and have the default
> options set, then it is OK to use java: Torbutton will block all
> malicious attempts by Java/Javascript to bypass your anonymity.
> 
> is that a reasonable assumption?

I really don't want to install java. It is a bloatware, it is a security
risk, it's a buggy and useless mountain of code that I won't need for
anything else other than downloading these Hushmail keys. I don't have a
single other application that I'd need java for. No, I'm definitely not
going to install java.



Re: GnuPG through Tor

2008-10-21 Thread misc
On Tue, 21 Oct 2008 23:07:14 -0400, [EMAIL PROTECTED] wrote:

> On Tue, Oct 21, 2008 at 09:28:04PM -0400, [EMAIL PROTECTED] wrote 0.6K bytes 
> in 13 lines about:
>:> i think if you are using Torbutton in Firefox and have the default
>:> options set, then it is OK to use java: Torbutton will block all
>:> malicious attempts by Java/Javascript to bypass your anonymity.
> 
> java virtual machines can be made to directly connect to other hosts,
> regardless of the settings in the browser or the java proxy config.

Absolutely! Do yourselves a favour guys and don't use java on your
anonymous systems. If you have to have java at work, because your company
requires it for something, that's another story. But putting java on your
private system (where you're trying to do everything through Tor and be
anonymous), that's like shooting yourself in the foot.

So any solutions for LDAP key download issue?



Re: GnuPG through Tor

2008-10-21 Thread misc
On Tue, 21 Oct 2008 08:04:26 -0400, Ted Smith wrote:

> On Mon, 2008-10-20 at 22:48 -0400, misc wrote:
>> Is it possible to run GnuPG through Tor? (when connecting to LDAP and HKP
>> servers to exchange keys)?
>> 
> 
> The way I do it is:
> 
> keyserver x-hkp://d3ettcpzlta6azsm.onion/
> keyserver-options http_proxy="localhost:8118"
> keyserver-options auto-key-retrieve
> keyserver-options honor-http-proxy broken-http-proxy
> 
> ...in my ~/.gnupg/gpg.conf.
> 

That works for HKP only, not for LDAP.



MapAddress not working

2009-03-04 Thread misc
The function MapAddress in tor config no longer works.

Tor simply ignores it and connects using any node. Any solutions?

Tor 0.2.0.33/Vidalia 0.1.9



Re: MapAddress not working

2009-03-06 Thread misc
On Sun, 1 Mar 2009 20:32:26 -0500, misc wrote:

> The function MapAddress in tor config no longer works.
> 
> Tor simply ignores it and connects using any node. Any solutions?
> 
> Tor 0.2.0.33/Vidalia 0.1.9

What am I doing wrong?

Please advise how to make MapAddress setting to work in Tor config!

There are forums where I have to constantly re-login because of IP changes.
I need to use one IP.

It worked before, with older Tor versions.

HELP!