Re: [tor-talk] please help
Date: Mon, 13 Jun 2011 01:22:12 -0700
From: sstollenw...@yahoo.co.nz
To: tor-talk@lists.torproject.org
Subject: [tor-talk] please help

u cant use flash at all with tor...

3) can tor let me play flash games ( you can probably tell why i am asking this)

___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] ServerDNSRandomizeCase and GoDaddy
On Mon, Jun 13, 2011 at 4:53 PM, Anders Sundman and...@4zm.org wrote:
> $ dig WiMp.com @ns03.domaincontrol.com.

Thanks. I've passed this on to GoDaddy.

Cheers

AGL

--
Adam Langley a...@imperialviolet.org http://www.imperialviolet.org
[tor-talk] US Senators Seek to Crackdown on Bitcoin
From the article as it applies to Tor:

Senators Charles Schumer (D, New York) and Joe Manchin (D, West Virginia) have written to Attorney General Eric Holder and the DEA asking that action be taken to crackdown on the Silk Road. Silk Road is an online exchange that deals in drugs and Bitcoins. Since the Bitcoin transactions are anonymous, and Silk Road is accessed through Tor, authorities have no way to track down users buying drugs.

Original article here: http://www.maximumpc.com/article/news/us_senators_seek_crackdown_bitcoin

A more verbose version here: http://www.rawstory.com/rs/2011/06/09/senators-call-for-crackdown-on-bitcoin-as-drug-traffickers-take-hold/

Since it appears they're going to be targeting a Hidden Service, it will be an interesting test of Tor's resilience given the resources available to the US government.

Take care,
Chris

--
Christopher A. Lindsey clind...@garudallc.com
Garuda, LLC
Re: [tor-talk] When to use and not to use tor.
On 6/12/2011 1:22 AM, Seth David Schoen wrote:
> Your communication with an online banking site usually _would_ be encrypted with HTTPS, which would encrypt your login password. For instance, if you were banking with Bank of America, you would normally start your login process at https://www.bankofamerica.com/

You are correct Seth. I misspoke when I said login info on an encrypted site would not be encrypted - it would be. I'm not sure of the answers to questions I'm posing - but they are good questions.

Note, there are significant differences of the cipher strength of encryption used on different HTTPS sites - even financial institutions. How hard would it be for an exit node operator to crack your (captured) encrypted PW? Depends. If a Tor exit node can capture a packet (and they can), what prevents them from using sophisticated software, available to any 14 yr old, to try to crack the encryption? They do know the packet was headed to SomeBank.com.

If Fernan's goal is anonymous online banking, I guess he'll need to use some proxy. What does anonymous banking mean - not wanting your ISP to know which bank sites you use (even if they can't see encrypted data)? Once logged in, the bank pretty much knows it's you.

Just a thought - what if one logged directly into their bank's encrypted site - using no proxy & their site was hacked (their site, not your computer). Or something goes wrong using a 3rd party of any kind to log into bank's site, and you tell them / they find out, I was using Tor (or other) to login & the 3rd party intercepted my info. In which case is the bank likely to be more sympathetic?

I don't know that using Tor or other proxies enhances security of logging into secure sites at all. AFAIK, Tor is intended to increase anonymity, not security. There are regularly many, many new posts & articles about ongoing experiments on capturing & evaluating Tor traffic (and I'm sure other proxies). What was impossible yesterday is often common tomorrow.

> But if you're using webmail, you could use HTTPS to connect to the webmail operator over Tor, thereby protecting your e-mail from the exit node operator.

HTTPS would protect it from an exit node, but not from the email provider or from gov'ts of most technologically developed countries. If you want to be sure others besides the recipient aren't reading your email, use encryption. Even then, unless you're sure what the recipient will do w/ it, or their level of computer security, don't send anything in email you might not want others to read.
[tor-talk] Does my ISP know I'm using Tor?
Does my ISP know I'm using Tor?

Is that answer any different if I were to switch to Tails?

I read the best is end to end encryption... but have no idea what that means? Does it mean my connection is https?

Does my ISP know what information I'm looking at while using Tor? Let's say I use DuckDuckGo to search for suppliers of Silly String. I click on a link in the search results that takes me to SillyStringSupplier.com Does my ISP know what I was looking for and where I went?

--
http://www.fastmail.fm - IMAP accessible web-mail
[tor-talk] Good email services?
I don't trust anything related to Google...or Yahoo.

Can anyone recommend a good (anonymous, secure and not based in the US) email service, it doesn't have to be fancy?

--
http://www.fastmail.fm - Access your email from home and the web
Re: [tor-talk] Does my ISP know I'm using Tor?
Hi Andre,

> Does my ISP know I'm using Tor?

Very short answer: Yes. If your ISP would check, they would know, unless you're using bridges.

The more technical explanation is this: Unless you're using bridges, you are connecting to a server from a publicly available list. If you would like to check that one out, you could open http://torstatus.blutmagie.de. Even if you are using bridges, it is technically possible, albeit rather hard (you need DPI for that one, probably), to determine that someone is using Tor.

That being said, I don't see any reason why an ISP would care, unless you're in a country with questionable practices regarding the internet (China, Burma etc). Tor is completely legal in nearly all countries. Any ISP that tells you what servers you can or can not connect to should be avoided. An ISP has nothing to gain from preventing customers from using completely legal services that don't put excessive load on their networks.

> Is that answer any different if I were to switch to Tails?

No. Tails (and all other Tor live CDs) just give you a pre-configured system optimized for privacy. The basic circumstances remain the same.

> I read the best is end to end encryption... but have no idea what that means? Does it mean my connection is https?

End-to-end encryption basically means that only your computer and the server (e.g. the website you are visiting) can read the content of your communication. https is one example of this - if you're browsing the web, make sure to only enter any account credentials (username/password) and stuff like credit card data on sites that use https.

To make this a bit more general and paranoid: You should only enter personally identifiable information on sites using https. That includes your mail address, home address, phone number etc. The reason for this is that the Exit Node (the last Tor node in a circuit, i.e. the computer that actually does the request to a web site on your behalf) can read all unencrypted communication. (it can not determine, however, who you are - at least not from metadata)

End-to-end encryption also exists for protocols other than http (which is the one your browser usually speaks when visiting websites). One example is mails (imaps/pop3s for receiving, smtps/ssmtp/smtp-over-starttls for sending). Basically, whenever you see a field that asks if you want to use encryption, you should answer yes ;)

> Does my ISP know what information I'm looking at while using Tor? Let's say I use DuckDuckGo to search for suppliers of Silly String. I click on a link in the search results that takes me to SillyStringSupplier.com Does my ISP know what I was looking for and where I went?

No. That's what Tor is good for - your ISP knows _only_ that you are connecting to a Tor node to do an encrypted transmission. It doesn't know where you're connecting to and also can't read the content of the communication. It doesn't know what the other Tor nodes in your circuit (the path from your computer to the web site/server you're using) are, either.

To sum it up, your ISP knows WHO you are, but not WHAT you send. The same goes for the entry node (see the reply to your first question). The middle nodes basically know nothing. The exit node knows WHAT you send, but not WHO you are.

Cheers,
Manuel
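What the list-based check described in the reply above looks like from the network operator's side, as an added example that is not part of the original thread: it parses `r` lines in the Tor consensus layout and matches flow destinations against them. The relay entries, flow records and function names are constructed for illustration; the last flow stands in for a bridge that is absent from the public list.

```python
"""List-based Tor detection as an ISP or SOC would do it (added example).

All relay entries and flow records below are constructed sample data
using documentation and private address ranges; none are real relays.
"""
from collections import defaultdict

# Constructed excerpt in the consensus "r" line layout:
# r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-06-14 10:00:00 192.0.2.10 9001 9030
s Fast Guard Running Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2011-06-14 10:05:00 198.51.100.7 443 0
s Exit Fast Running Valid
"""

# Constructed flow records: client_ip dst_ip dst_port bytes
SAMPLE_FLOWS = """\
10.0.0.5 192.0.2.10 9001 48211
10.0.0.5 203.0.113.80 443 9120
10.0.0.8 198.51.100.7 443 133700
10.0.0.8 198.51.100.7 80 512
10.0.0.9 203.0.113.44 443 77120
"""

def parse_relays(consensus_text):
    """Return the set of (ip, or_port) pairs listed in 'r' lines."""
    relays = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        if len(fields) >= 9 and fields[0] == "r":
            relays.add((fields[6], int(fields[7])))
    return relays

def clients_contacting_relays(flows_text, relays):
    """Map each client to the listed relay endpoints it connected to."""
    hits = defaultdict(set)
    for line in flows_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        client, dst_ip, dst_port = fields[0], fields[1], int(fields[2])
        if (dst_ip, dst_port) in relays:
            hits[client].add((dst_ip, dst_port))
    return dict(hits)

if __name__ == "__main__":
    relays = parse_relays(SAMPLE_CONSENSUS)
    found = clients_contacting_relays(SAMPLE_FLOWS, relays)
    for client, endpoints in sorted(found.items()):
        print(client, "->", sorted(endpoints))
    # 10.0.0.9 talks to 203.0.113.44:443, standing in for an unlisted bridge:
    # it is not flagged, and the flow shows only an address, a port and a size.
```

The unlisted destination is not flagged, which matches the thread's point that finding bridge users takes more than a list lookup.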
Re: [tor-talk] When to use and not to use tor.
On Wed, Jun 15, 2011 at 6:33 AM, Joe Btfsplk joebtfs...@gmx.com wrote:
> On 6/12/2011 1:22 AM, Seth David Schoen wrote:
>> Your communication with an online banking site usually _would_ be encrypted with HTTPS, which would encrypt your login password. For instance, if you were banking with Bank of America, you would normally start your login process at https://www.bankofamerica.com/
>
> You are correct Seth. I misspoke when I said login info on an encrypted site would not be encrypted - it would be. I'm not sure of the answers to questions I'm posing - but they are good questions.
> ...
> If Fernan's goal is anonymous online banking, I guess he'll need to use some proxy. What does anonymous banking mean - not wanting your ISP to know which bank sites you use (even if they can't see encrypted data)? Once logged in, the bank pretty much knows it's you.
> ...

Hi

Please note my original intent when I started this thread was to create a base set of rules for my users to follow to maximize tor anonymity and not become a tool against anonymity. So when I started googling I found suggestions from various mailing lists and forums, however I could not find anything specifically suggested by the tor developers or privacy advocate groups like eff.

Another vector I was looking at is to send out a set of suggestions to the tor button in setting up warnings to prevent users from using tor incorrectly like.

1. if somebody runs bittorrent traffic send a warning
2. if somebody sends an unencrypted web form through tor send a warning
3. set the always warn unencrypted webpage when tor is enabled.
etc

that said, I did find this https://www.torproject.org/download/download.html.en#warning. It forms a general guideline in using tor. It's not as specific as the ones from other forums, but it seems to be in line with that.

thanks
fernan
Re: [tor-talk] When to use and not to use tor.
On Wed, Jun 15, 2011 at 08:44:24AM +0800, Fernan Bolando wrote:
> Please note my original intent when I started this thread was to create a base set of rules for my users to follow to maximize tor anonymity and not become a tool against anonymity.

Which ones are 'your' users (so I can figure out how to help better)?

> 1. if somebody runs bittorrent traffic send a warning
> 2. if somebody sends an unencrypted web form through tor send a warning
> 3. set the always warn unencrypted webpage when tor is enabled.
> etc

What frustrates me is that Firefox *has* that warning enabled at first, and everybody knows to just click it away. You'll have to make your browser popup windows dire indeed before users will even notice you're trying to get their attention.

> that said, I did find this https://www.torproject.org/download/download.html.en#warning. It forms a general guideline in using tor. It's not as specific as the ones from other forums, but it seems to be in line with that.

The challenge is that good advice differs from user to user. It depends on your situation, what you're worried about (what your threat model is), what's at risk, what online activities you need to do, etc. When Tor does trainings for activists in dangerous countries, the conversation always starts out the same but it never ends up in the same place.

All that said, I agree that it would be nice to have things spelled out in more detail for the users who need that. There are a lot of handbooks out there named things like security in a box that aim to explain it all -- not just Tor but disk encryption, anti-virus, etc etc -- and they're always forced to make tradeoffs and leave out important topics. And they even have a specific type of user in mind when they start.

That said, here are some specific answers:

> dont use tor in banking or financial transactions

Agreed in general, but not for the reason you might think: a lot of banks these days freak out when you log in from a foreign country, and end up locking your account until you go through a little dance. So it is because of poorly tuned anti-fraud algorithms that you may not want to use Tor to connect to your bank.

That said, I used Tor when logging into my bank account on the Defcon wireless network. So it depends on your context and what you're worried about.

> dont use tor in non encrypted email

Don't use the Internet for non encrypted email. It's a bad idea no matter where you are -- Starbucks, your cablemodem at home which your neighbors can sniff, the Tor network, anywhere.

--Roger
Re: [tor-talk] When to use and not to use tor.
On Wed, Jun 15, 2011 at 10:41 AM, Roger Dingledine a...@mit.edu wrote:
> On Wed, Jun 15, 2011 at 08:44:24AM +0800, Fernan Bolando wrote:
>> Please note my original intent when I started this thread was to create a base set of rules for my users to follow to maximize tor anonymity and not become a tool against anonymity.
>
> Which ones are 'your' users (so I can figure out how to help better)?

I think we can target just a set of general users. Like people who are gun enthusiasts or military aficionados can read all about those stuff without blipping as dangerous person.

>> 1. if somebody runs bittorrent traffic send a warning
>> 2. if somebody sends an unencrypted web form through tor send a warning
>> 3. set the always warn unencrypted webpage when tor is enabled.
>> etc
>
> What frustrates me is that Firefox *has* that warning enabled at first, and everybody knows to just click it away. You'll have to make your browser popup windows dire indeed before users will even notice you're trying to get their attention.

I try to limit myself to educating people, not increase their IQ. If they chose to ignore popups and a documented set of guidelines and suddenly a malicious tor exit captured their banking password that's up to them.

>> that said, I did find this https://www.torproject.org/download/download.html.en#warning. It forms a general guideline in using tor. It's not as specific as the ones from other forums, but it seems to be in line with that.
>
> The challenge is that good advice differs from user to user. It depends on your situation, what you're worried about (what your threat model is), what's at risk, what online activities you need to do, etc. When Tor does trainings for activists in dangerous countries, the conversation always starts out the same but it never ends up in the same place.
>
> All that said, I agree that it would be nice to have things spelled out in more detail for the users who need that. There are a lot of handbooks out there named things like security in a box that aim to explain it all -- not just Tor but disk encryption, anti-virus, etc etc -- and they're always forced to make tradeoffs and leave out important topics. And they even have a specific type of user in mind when they start.
>
> That said, here are some specific answers:
>
>> dont use tor in banking or financial transactions
>
> Agreed in general, but not for the reason you might think: a lot of banks these days freak out when you log in from a foreign country, and end up locking your account until you go through a little dance. So it is because of poorly tuned anti-fraud algorithms that you may not want to use Tor to connect to your bank.
>
> That said, I used Tor when logging into my bank account on the Defcon wireless network. So it depends on your context and what you're worried about.

Yeah, a one size fits all guideline is probably not possible so the warning from the tor website will suffice for now.

>> dont use tor in non encrypted email
>
> Don't use the Internet for non encrypted email. It's a bad idea no matter where you are -- Starbucks, your cablemodem at home which your neighbors can sniff, the Tor network, anywhere.
[tor-talk] [FYI] Further Gmail restrictions/nonsense
Only an FYI. This is now appearing on occasion after login and before access to the mail GUI.

Note to Gmail staff... some of us would be quite happy if you gave us a don't nanny me option. And also let us download our own OTP list, say up to 1000 at a time. Thanks.

Hey usern...@gmail.com, is that really you?
It looks like you're signing in to your account from a new location. Just so we know this is you - and not someone trying to hijack your account - please complete this quick verification.
Learn more about this additional security measure: https://www.google.com/support/accounts/bin/answer.py?answer=1281737
Choose a verification method...
Answer my security question: question and formfield
or
Enter the name of the city or town where I usually sign in: formfield
Re: [tor-talk] Good email services?
> Can anyone recommend a good (anonymous, secure and not based in the US) email service, it doesn't have to be fancy?

The Hidden Wiki has a page on this.