Re: [tor-relays] SSH scans from Tor exit
grarpamp: The servers aren't the one's that shouldn't be online, it's their idiot operators who think SSH's DEFAULT SCREAMING ABOUT DENIED HACK ATTEMPTS in the logs is some kind of important, and then go reporting it to every place they can think of, each of those places staffed by more clueless idiots, etc. Grow up people, quit whining about ssh and learn to admin. Meanwhile, Theo laughs heartily at everyone. Often, SSH brute-force login attempts come directly from compromised machines, not Tor exit nodes. Reporting such attacks helps administrators realize a machine is compromised, which is a good thing. It could be helping protect the privacy of someone whose machine is compromised. I'd suggest the problem is administrators treating a Tor exit node the same as a compromised machine. If the goal of an administrator is to eliminate SSH attacks emanating from Tor, they should simply block port 22 connections from Tor exit nodes. It is a bit cynical or defeatist, I think, to say There are a lot of these attacks, so administrators should have to just accept them. If you see someone attempting to break into cars, do you report it, or do you say There are so many car thefts in the world, what's the point? Delton ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Relay down, rejected, help
Roger Dingledine: You're using arm dangerously. See item #14 on https://www.torproject.org/docs/tor-relay-debian for the safer way to run arm with your Debian / Ubuntu relay. Followed item #14, but after logging out/in I get: $ arm Connection refused. Is the ControlPort enabled? 'groups' shows the 'debian-tor' group. 'sudo -u debian-tor arm' still works. Anyone have an idea what I've missed? Thanks, Delton ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] NSA knew about Heartbleed
Jesse Victors: The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA said in response to a Bloomberg News article that it wasn?t aware of Heartbleed until the vulnerability was made public by a private security report. The agency?s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government?s top computer experts. I'm skeptical of this report. The Office of the Director of National Intelligence responded to the story by saying: Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong This is believable because if it were a lie, they would risk an outright contradiction from a leak or Snowden document, which would further damage their already terrible credibility and reputation. Two sources familiar with matter could merely be two computer security experts who have an unsubstantiated opinion that the NSA was exploiting this beforehand. We have no idea how credible these sources are. One thing I am sure of is this generated a lot of clicks for Bloomberg. NSA rumors involving hot technology topics seems like a good way to make money for a news website. That said, if you carefully parse the statement from DNI, it seems to me to imply they were aware of the Heartbleed vulnerability in 2014. Why would they say before 2014 instead of before its disclosure Monday or something? They may have known about it weeks or months in advance, and been exploiting it or patching their systems. But that is not as egregious as it would be to conceal this flaw for years. Delton ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] NSA knew about Heartbleed
Delton Barnes: That said, if you carefully parse the statement from DNI, it seems to me to imply they were aware of the Heartbleed vulnerability in 2014. Why would they say before 2014 instead of before its disclosure Monday or something? They may have known about it weeks or months in advance, and been exploiting it or patching their systems. But that is not as egregious as it would be to conceal this flaw for years. Another statement I see now says they were not aware of the vulnerability before April 2014. If true (which I believe it is) they had at most about a week's foreknowledge. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] 2.5.3-alpha packages
Is the nightly repository currently the Debian repository to use for 2.5.3-alpha packages? I ask because I am looking to move off of nightlies and onto more stable packages once they are available. Am running scramblesuit so need 2.5.x. Thanks, Delton ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] ScrambleSuit maintenance question
George Kadianakis: Delton Barnes delton.bar...@mail.ru writes: Is there a way to configure things so obfsproxy and Tor will later automatically be upgraded to a *stable* release that includes ScrambleSuit? And how to know when I need to upgrade obfsproxy and Tor? you will need to wait till tor-0.2.5.1 becomes stable if you want to use scramblesuit with a stable Tor. Till then, please keep on using Tor nightlies. As far as your second question goes, unfortunately we don't have good upgrade processes yet. I suggest you do 'apt-get upgrade' every once in a while to get the latest nightlies of obfsproxy/tor. If there are any urgent upgrades that you need to perform I will send an email to tor-relays. Thanks for the response. Will do as you suggested. Seems like there ought to be a way though to configure apt so that when a new stable Tor is released, 'apt-get upgrade' will install the stable package and cease installing nightlies. Currently, I am having to periodically manually check the stable repository to see if a new stable has been released. I will look more into the problem sometime. Delton ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] ExtORPort notice
Upon upgrading obfsproxy to 0.2.6 and Tor to 0.2.5.1-alpha-dev (git-f63b394d90583b77+96972c4) for scramblesuit, I got this in the Tor log: Feb 15 04:40:03.000 [notice] We are a bridge with a pluggable transport proxy but the Extended ORPort is disabled. The Extended ORPort helps Tor communicate with the pluggable transport proxy. Please enable it using the ExtORPort torrc option. How should this be set? What does it do? I saw some web pages suggesting ExtORPort 6699 for statistics-gathering purposes. Thanks, Delton ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] ScrambleSuit maintenance question
Inexperienced Debian administrator here with a question about how to maintain the new obfsproxy/Tor for ScrambleSuit. I installed as follows: 1. Updated /etc/apt/sources.list (new lines prefixed with *): deb http://server.name.redacted/debian wheezy main contrib non-free *deb http://server.name.redacted/debian unstable main contrib non-free deb http://server.name.redacted/debian-security wheezy/updates main contrib non-free deb http://deb.torproject.org/torproject.org wheezy main *deb http://deb.torproject.org/torproject.org tor-nightly-master-wheezy main 2. Created apt.conf to prevent all packages from being pulled from unstable by default: echo 'APT::Default-Release stable;' /etc/apt/apt.conf 3. Edited torrc with following: ServerTransportPlugin obfs3,scramblesuit exec /usr/bin/obfsproxy managed 4. Installed the new packages: apt-get update apt-get -t unstable install obfsproxy apt-get upgrade -- Installed Tor nightly. 5. service restart tor My question: Is there a way to configure things so obfsproxy and Tor will later automatically be upgraded to a *stable* release that includes ScrambleSuit? And how to know when I need to upgrade obfsproxy and Tor? Thanks, Delton ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays