[tor-talk] Obfuscated Tor bridge
hello I am using the instructions on http://pastebin.com/09A1WgXc to set up an obfuscated Tor bridge. I get this far: /obfsproxy$ sudo /etc/init.d/tor restart ABORTED: Tor configuration invalid: Feb 14 19:11:38.039 [notice] Tor v0.2.2.35 (git-73ff13ab3cc9570d). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686) Feb 14 19:11:38.040 [warn] Failed to parse/validate config: Unknown option 'ServerTransportPlugin'. Failing. Feb 14 19:11:38.040 [err] Reading config failed--see warnings above. Please, how can I fix this problem and continue with the instructions? Anne ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] glibc's DNS lookups fail
On Tue, Feb 14, 2012 at 02:43:44AM -0500, douglastskill...@lavabit.com wrote: 1 0.00192.168.178.30 127.0.0.1 DNS Standard query A torproject.org 2 0.27192.168.178.30 127.0.0.1 DNS Standard query torproject.org 3 0.000155192.168.178.1 192.168.178.30 DNS Standard query response, Not implemented # tor does its magic 8 1.157351192.168.178.1 192.168.178.30 DNS Standard query response A 38.229.72.14 The IP you're sending to and the IP you're receiving form don't match. The glibc stub resolver probably trashes these. Also: tcpdump output is way easier to read. Please include that (if this doesn't fix the problem). ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] glibc's DNS lookups fail
On Tue, Feb 14, 2012 at 10:50:01AM +0100, Alexander Schrijver wrote: The IP you're sending to and the IP you're receiving form don't match. The glibc stub resolver probably trashes these. Actually, the UDP datagram probably never gets received by the stub resolver, the OS trashes it since no one is listening on it. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Obfuscated Tor bridge
On Tue, Feb 14, 2012 at 07:34:06PM +1030, Anne Magarey wrote: I am using the instructions on http://pastebin.com/09A1WgXc to set up an obfuscated Tor bridge. I get this far: /obfsproxy$ sudo /etc/init.d/tor restart ABORTED: Tor configuration invalid: Feb 14 19:11:38.039 [notice] Tor v0.2.2.35 (git-73ff13ab3cc9570d). You need at least 0.2.3.11-alpha to run an obfuscated Tor bridge. It looks like you did not install the package from the `experimental-*` suite of Torproject's Debian repository. -- Jérémy Bobbio.''`. lu...@debian.org: :Ⓐ : # apt-get install anarchism `. `'` `- signature.asc Description: Digital signature ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Obfuscated Tor bridge
Anne Magarey anne...@adam.com.au writes: Unfortunately that did not work for me. Thank you for your help. Could you have several versions of tor installed? On 14/02/12 19:42, Andy Dixon wrote: On 14/02/12 09:04, Anne Magarey wrote: Feb 14 19:11:38.039 [notice] Tor v0.2.2.35 (git-73ff13ab3cc9570d). Does it still say Tor v0.2.2.35? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Obfuscated Tor bridge
Thanks everyone. It's done. I'm pleased. anne On 14/02/12 21:02, Kevin Brubeck Unhammer wrote: Anne Magareyanne...@adam.com.au writes: Unfortunately that did not work for me. Thank you for your help. Could you have several versions of tor installed? On 14/02/12 19:42, Andy Dixon wrote: On 14/02/12 09:04, Anne Magarey wrote: Feb 14 19:11:38.039 [notice] Tor v0.2.2.35 (git-73ff13ab3cc9570d). Does it still say Tor v0.2.2.35? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] glibc's DNS lookups fail
On Tue, Feb 14, 2012 at 02:43:44AM -0500, douglastskill...@lavabit.com wrote: 1 0.00192.168.178.30 127.0.0.1 DNS Standard query A torproject.org 2 0.27192.168.178.30 127.0.0.1 DNS Standard query torproject.org 3 0.000155192.168.178.1 192.168.178.30 DNS Standard query response, Not implemented # tor does its magic 8 1.157351192.168.178.1 192.168.178.30 DNS Standard query response A 38.229.72.14 The IP you're sending to and the IP you're receiving form don't match. The glibc stub resolver probably trashes these. Also: tcpdump output is way easier to read. Please include that (if this doesn't fix the problem). Thank you very much for your reply. I agree, the IPs are odd. I have no idea how to fix it, though. Also, the wrong IPs do not explain why subsequent requests work just fine. BTW. I am running the very same setup (Debian 6 x86-64, tor, the same iptables init script) in a VM, and everything just works fine. Anyway, here is the tcpdump output. (I changed the ports of TOR; 9034 for DNS, 9044 for TCP.) ~$ date; gnutls-cli -p 80 --starttls torproject.org; date Tue Feb 14 20:18:54 Resolving 'torproject.org'... Cannot resolve torproject.org:80: Name or service not known Tue Feb 14 20:18:55 ~$ date; gnutls-cli -p 80 --starttls torproject.org; date Tue Feb 14 20:18:58 Resolving 'torproject.org'... Connecting to '86.59.30.36:80'... - Simple Client Mode: C-c C-cTue Feb 14 20:19:00 ~$ # tcpdump -i any -vvv -n tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 20:18:54.786132 IP (tos 0x0, ttl 64, id 50012, offset 0, flags [DF], proto UDP (17), length 60) 192.168.178.30.46196 127.0.0.1.9034: [bad udp cksum 5b6a!] UDP, length 32 20:18:54.786158 IP (tos 0x0, ttl 64, id 50013, offset 0, flags [DF], proto UDP (17), length 60) 192.168.178.30.46196 127.0.0.1.9034: [bad udp cksum 1543!] UDP, length 32 20:18:54.786311 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 60) 192.168.178.1.53 192.168.178.30.46196: [bad udp cksum 53fe!] 63044 NotImp q: ? torproject.org. 0/0/0 (32) 20:18:54.786388 IP (tos 0x0, ttl 64, id 43323, offset 0, flags [DF], proto TCP (6), length 638) 192.168.178.30.35661 91.208.34.12.443: Flags [P.], cksum 0xf313 (incorrect - 0x2b34), seq 1897602385:1897602971, ack 2005900685, win 501, options [nop,nop,TS val 443228 ecr 3821623177], length 586 20:18:54.834595 IP (tos 0x0, ttl 55, id 38365, offset 0, flags [DF], proto TCP (6), length 52) 91.208.34.12.443 192.168.178.30.35661: Flags [.], cksum 0x49ae (correct), seq 1, ack 586, win 501, options [nop,nop,TS val 3821625454 ecr 443228], length 0 20:18:55.352008 IP (tos 0x0, ttl 55, id 38366, offset 0, flags [DF], proto TCP (6), length 638) 91.208.34.12.443 192.168.178.30.35661: Flags [P.], cksum 0xde75 (correct), seq 1:587, ack 586, win 501, options [nop,nop,TS val 3821625583 ecr 443228], length 586 20:18:55.352038 IP (tos 0x0, ttl 64, id 43324, offset 0, flags [DF], proto TCP (6), length 52) 192.168.178.30.35661 91.208.34.12.443: Flags [.], cksum 0x4655 (correct), seq 586, ack 587, win 501, options [nop,nop,TS val 443370 ecr 3821625583], length 0 20:18:55.352158 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76) 192.168.178.1.53 192.168.178.30.46196: [bad udp cksum 76ed!] 53017 q: A? torproject.org. 1/0/0 torproject.org. [15m] A 86.59.30.36 (48) 20:18:55.352246 IP (tos 0x0, ttl 64, id 50154, offset 0, flags [DF], proto UDP (17), length 70) 192.168.178.30.41015 127.0.0.1.9034: [bad udp cksum d6b!] UDP, length 42 20:18:55.352260 IP (tos 0x0, ttl 64, id 50155, offset 0, flags [DF], proto UDP (17), length 70) 192.168.178.30.41015 127.0.0.1.9034: [bad udp cksum 23e!] UDP, length 42 20:18:55.352340 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70) 192.168.178.1.53 192.168.178.30.41015: [bad udp cksum 40f9!] 60183 NotImp q: ? torproject.org.my.search.domain. 0/0/0 (42) 20:18:55.352375 IP (tos 0x0, ttl 64, id 43325, offset 0, flags [DF], proto TCP (6), length 638) 192.168.178.30.35661 91.208.34.12.443: Flags [P.], cksum 0xf313 (incorrect - 0xa599), seq 586:1172, ack 587, win 501, options [nop,nop,TS val 443370 ecr 3821625583], length 586 20:18:55.400657 IP (tos 0x0, ttl 55, id 38367, offset 0, flags [DF], proto TCP (6), length 52) 91.208.34.12.443 192.168.178.30.35661: Flags [.], cksum 0x43fe (correct), seq 587, ack 1172, win 501, options [nop,nop,TS val 3821625596 ecr 443370], length 0 20:18:55.753876 IP (tos 0x0, ttl 55, id 38368, offset 0, flags [DF], proto TCP (6), length 638) 91.208.34.12.443 192.168.178.30.35661:
Re: [tor-talk] glibc's DNS lookups fail
Arg, I am not even sure whether glibc is the problem. A minimal sample application that performs lookups performs just fine. #include string.h #include stdio.h #include sys/types.h #include sys/socket.h #include netdb.h int main(int argc, char** argv) { struct addrinfo hints; memset(hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_INET; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; printf(%s\n, argv[1]); struct addrinfo* result; int r=getaddrinfo(argv[1], NULL, hints, result); if(!r) { struct addrinfo* rp; for (rp = result; rp != NULL; rp = rp-ai_next) { size_t c; for(c=0;c!=14;++c) { printf(%u , *(unsigned char*)(rp-ai_addr-sa_data[c])); } printf(\n); } freeaddrinfo(result); } else { printf(%s\n, gai_strerror(r)); } } ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor bridge delivery method
On Mon, 13 Feb 2012 09:59:34 +0100 Xu yourdad moothecowl...@gmail.com wrote: I have recently watched a video of a conference where Tor developers discuss the arms race engaged between them and various governments to shut down access to the Tor network. I have come out with the outline of a design to a mid term solution for Tor bridge address distribution that would circumvent DPI surveillance and probing attacks, with an estimated development time of at least 4-6 months. I would like to know if there is any need for such project and if this is the right place to discuss it. There likely is a need for such a project. Have you seen https://blog.torproject.org/blog/research-problems-ten-ways-discover-tor-bridges and https://blog.torproject.org/blog/bridge-distribution-strategies per chance? -- Andrew http://tpo.is/contact pgp 0x74ED336B ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] HOWTO : setting up an obfsproxy bridge on torcloud
Hello, I just finished writing some instructions on how to set up an obfsproxy bridge on torcloud images. http://pastebin.com/xCA9LmQt It's largely based on https://www.torproject.org/projects/obfsproxy-instructions.html.en but differs mainly on two points : 1) the way to fetch .deb files necessary to build obfsproxy, as they are not all included in the ubuntu repos 2) instructions on how to workaround bug #5104 (basically cloning tor's git, hardcoding one port in transport.c and compiling+installing it), as it affects torcloud image's tor setup. It should cover most problems/questions torcloud users may have, and be useful in getting more people to set up an obfsproxy bridge However, it is not the cleanest way to do it, it's only the current simplest way. Hopefully in a few feeks/months it'll all be a matter of two apt-get install and one torrc modification :) Let me know if something is wrong with these instructions, and feel free to spread them/reuse/modify them otherwise. -- Daniel .koolfy Faucon Tel: Belgium: (+32)(0)487/898.774 France : (+33)(0)658/993.700 PGP Fingerprint : 485E 7C63 8D29 F737 FEA2 8CD3 EA05 30E6 15BE 9FA5 signature.asc Description: OpenPGP digital signature ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] glibc's DNS lookups fail
On 2012-02-14, douglastskill...@lavabit.com douglastskill...@lavabit.com wrote: Hello List, I am experiencing a strange problem for about two weeks or so. I am using GNU/Liux (Debian 6 x86-64) and Tor 0.2.2.35 built from source. I forward all my tcp traffic and udp traffic on port 53 to my tor instance via netfilter. Are you using the iptables rules shown on https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy ? Robert Ransom ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] glibc's DNS lookups fail
Arg, I am not even sure whether glibc is the problem. A minimal sample application that performs lookups performs just fine. [...] Here are two strace logs, one with a working lookup and one with a failed one. Oops, forgot the links: success: http://pastebin.com/waa4fgPG fail: http://pastebin.com/7rrjFNX2 ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] glibc's DNS lookups fail
On 2012-02-14, douglastskill...@lavabit.com douglastskill...@lavabit.com wrote: Hello List, I am experiencing a strange problem for about two weeks or so. I am using GNU/Liux (Debian 6 x86-64) and Tor 0.2.2.35 built from source. I forward all my tcp traffic and udp traffic on port 53 to my tor instance via netfilter. Are you using the iptables rules shown on https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy ? Yeah, pretty much. I am able to reproduce my problem with a minimal iptables setup, though. function stop() { ip6tables -P INPUT ACCEPT ip6tables -P OUTPUT ACCEPT ip6tables -P FORWARD ACCEPT iptables -t nat -D OUTPUT -j MY_ANONYMIZE iptables -t nat -F MY_ANONYMIZE iptables -t nat -X MY_ANONYMIZE } function start() { ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP ip6tables -P FORWARD DROP iptables -t nat -N MY_ANONYMIZE iptables -t nat -A OUTPUT -j MY_ANONYMIZE iptables -t nat -A MY_ANONYMIZE -p udp --destination-port domain -j REDIRECT --to-ports 9031 } iptables -t nat -L -n Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE tcp -- 192.168.179.0/24!192.168.179.0/24masq ports: 1024-65535 MASQUERADE udp -- 192.168.179.0/24!192.168.179.0/24masq ports: 1024-65535 MASQUERADE all -- 192.168.179.0/24!192.168.179.0/24 Chain OUTPUT (policy ACCEPT) target prot opt source destination MY_ANONYMIZE all -- 0.0.0.0/00.0.0.0/0 Chain MY_ANONYMIZE (1 references) target prot opt source destination REDIRECT udp -- 0.0.0.0/00.0.0.0/0 udp dpt:53 redir ports 9031 (The POSTROUTING stuff is due to a VM I have running.) ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Call for volunteers for UCL Usable Security, Privacy, and Tor study
I've started working with some students at University College London to help them figure out usable security, privacy, and tor. We need some volunteers willing to be interviewed via phone/skype/gchat by the students. Preferably, you self-identify as either an activist or a non-activist normal person who uses Tor at least monthly. Three people from each category (activist/non-activist) would be ideal. We will try to protect your privacy, but assume this first part of the study is not anonymous. If you're interested in helping out, please email me directly. I'm going to take the first three people that respond from each group. There will be a second part of the study where we'll look for a large amount of anonymous feedback at some point in the near future. Thanks! -- Andrew http://tpo.is/contact pgp 0x74ED336B ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] glibc's DNS lookups fail
On Tue, Feb 14, 2012 at 05:34:55PM -0500, douglastskill...@lavabit.com wrote: Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE tcp -- 192.168.179.0/24!192.168.179.0/24masq ports: 1024-65535 MASQUERADE udp -- 192.168.179.0/24!192.168.179.0/24masq ports: 1024-65535 MASQUERADE all -- 192.168.179.0/24!192.168.179.0/24 [...] (The POSTROUTING stuff is due to a VM I have running.) I think your issues might be related to these rules, though. Could you try without? Could you try to use SNAT with a specific IP address instead of MASQUERADE? Could you try to filter based on output interfaces instead of destination addresses? -- Jérémy Bobbio.''`. lu...@debian.org: :Ⓐ : # apt-get install anarchism `. `'` `- signature.asc Description: Digital signature ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] tor-blocking sites
Sorry for my delayed response. I got a little behind in my email. Mr Dash Four wrote: Scroogle is currently having trouble scraping Google. Maybe Dash Fours problems with it are unrelated to Tor? Nope. I am well aware of this and it isn't an issue which just popped yesterday or a week ago - it has been going on for months (scraping Google, that is). I am also aware that Scroogle has a limited (I think about 6-7) number of servers. Yes. There is a clear difference between the two issues. When Scroogle is having trouble with Google you get a Sorry ... please wait ten minutes ... page rather than getting no response at all. What I meant with my initial post though is that Scroogle started blocking tor exit nodes recently - about a week or so ago. I know that, because I tried to access it at the same time (via different machines) and all requests which used Tor exit nodes were timing out (or giving me 502) - without exception, while the normal requests (using my own IP address) made at the same time passed through to Scroogle instantaneously! This cannot be a coincidence. My issues with Scroogle have been going on for over two months. (Irritatingly enough, I started having problems with Scroogle immediately after I finally got around to giving them a small donation.) My experience is that at any given time they are blocking most but (usually) not all Tor exits. If I am patient enough, Tor sometimes finds an exit that works. I have sometimes made a stab at what exit worked and used MapAddress to force that exit, which usually works for a while. I have also sometimes used Tor - Web Proxy - Scroogle, but usually before I get to that point I just use IxQuick (which is painfully slow on dial-up). Jim ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk