Re: [tor-talk] Flash, Linux and Tor

2012-10-16 Thread Raviji
On Fri, 12 Oct 2012 13:12:53 +
adrelanos  wrote:

> Raviji:
> > On Fri, 12 Oct 2012 11:38:34 +
> > adrelanos  wrote:
> > 
> >> Outlaw:
> >>> Hi! Let's say main linux user A is cut off from Internet with iptables,
> >>> user B starts Tor. If I run TorBrowser by user A, connect it to Tor
> >>> (which is started by B) with socks and turn on flash plugin, is there
> >>> any security/anonymity leak in this scheme? Thank you.
> >>
> >> If you ever use or used Flash without Tor, your Tor session can likely
> >> be linked to your non-Tor session. (Flash Cookies, browser fingerprint,
> >> fonts, os, kernel, dpi, etc.)
> >>
> >> I believe my project Whonix is currently the safest method to use Flash.
> >> IP/DNS/location remains safe, but Flash usage will always be only
> >> pseudonymous rather than anonymous. Linking your sessions will be
> >> limited to your activity inside the Workstation. Details:
> > 
> > whonix is nice, but heavier on system with virtual box.
> 
> Indeed, that's a major drawback. Though with some tweaking you could
> switch from KDE to Openbox, reduce RAM... Finally lower RAM requirements
> to ~400MB or so.
> 
> > Where a system wide tor enforcement is a good alternative.
> > It is possible with iptables. We might think about a service,
> > when start do system wide tor enforcement, when stop revert back
> > the system to normal mode. 
> > 
> > Though I am not successful yet to exclude the lan from this enforcement,
> > as I need to access some local IP directly. I need some more understanding
> > with iptables. Can anyone help me with the iptables please ?
> 
> Did you read my first sentence in my first reply?
> 
> "If you ever use or used Flash without Tor, your Tor session can likely
> be linked to your non-Tor session. (Flash Cookies, browser fingerprint,
> fonts, os, kernel, dpi, etc.)"
> 

But can it still pass as the firewall drops all non-Tor connections?

Yes, I agree, it still carries the browser fingerprint, fonts, os, kernel, dpi,
etc., and that's why your whonix is nice. Can you make it a little bit low fat :-)
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
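
One way to do the system-wide enforcement with a LAN exemption asked about above, as an added example that is not part of the original thread. It assumes `TransPort 9040` and `DNSPort 5353` in torrc and a Tor daemon running as the user `debian-tor`; the function names and the backup path are made up for illustration.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that sends all locally
# generated TCP and DNS through Tor and rejects everything else, while the
# listed LAN ranges stay directly reachable.
# Assumptions (not from the thread): torrc has "TransPort 9040" and
# "DNSPort 5353"; Tor runs as user "debian-tor".
# IPv6 is not covered by iptables and needs its own ip6tables policy.

TE_BACKUP=${TE_BACKUP:-/run/tor-enforce.rules}   # hypothetical backup path

tor_enforce_rules() {   # tor_enforce_rules TOR_USER TRANS_PORT DNS_PORT LAN_CIDR...
    te_user=$1; te_trans=$2; te_dns=$3; shift 3

    echo "*nat"
    echo ":OUTPUT ACCEPT [0:0]"
    # Tor's own connections must leave untouched, or it cannot reach relays.
    echo "-A OUTPUT -m owner --uid-owner $te_user -j RETURN"
    # DNS is redirected before the LAN exemption, so a resolver on the LAN
    # (typically the router) never sees the lookups.
    echo "-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $te_dns"
    echo "-A OUTPUT -d 127.0.0.0/8 -j RETURN"
    for te_net in "$@"; do
        echo "-A OUTPUT -d $te_net -j RETURN"        # LAN: no redirection
    done
    # Every other new TCP connection goes to Tor's TransPort.
    echo "-A OUTPUT -p tcp --syn -j REDIRECT --to-ports $te_trans"
    echo "COMMIT"

    echo "*filter"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A OUTPUT -m owner --uid-owner $te_user -j ACCEPT"
    # Redirected packets now have a loopback destination.
    echo "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT"
    # TCP DNS that was not redirected can only be headed for a LAN resolver.
    echo "-A OUTPUT -p tcp --dport 53 -j REJECT"
    for te_net in "$@"; do
        echo "-A OUTPUT -d $te_net -j ACCEPT"
    done
    # Anything that is neither Tor, loopback nor LAN is dropped (UDP, ICMP, ...).
    echo "-A OUTPUT -j REJECT"
    echo "COMMIT"
}

# "start": remember the current ruleset, then load the enforcing one.
# This replaces the whole nat and filter tables until "stop". Needs root.
tor_enforce_start() {   # same arguments as tor_enforce_rules
    iptables-save > "$TE_BACKUP" || return 1
    tor_enforce_rules "$@" | iptables-restore
}

# "stop": clear the enforcing rules and put the saved ruleset back.
tor_enforce_stop() {
    iptables -t nat -F OUTPUT
    iptables -F OUTPUT
    iptables-restore < "$TE_BACKUP"
}

# Usage (as root):
#   tor_enforce_start debian-tor 9040 5353 192.168.0.0/16
#   tor_enforce_stop
```

This only addresses IP and DNS leaks; the fingerprinting and session-linking concerns raised in the thread are unaffected by firewall rules.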


[tor-talk] decrypt tor packets

2012-10-16 Thread esolve esolve
Hi,

I capture packets on the tor client using tcpdump and I want to decrypt
the captured packets for analysis.  I think there are two steps

   1 obtain the session keys
   2 use some tools to decrypt the packets

  Are there any ways, tools, methodology to decrypt the packets?

  thanks!


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Julian Yon
On Tue, 16 Oct 2012 01:36:28 -
fakef...@tormail.org wrote:
> Just want to use it... I don't plan to abuse something. I am willing
> to solve 1000 captcha or 1000 pictures with cats and dogs. Just give
> me the freaking account. Did google finally turn evil and wants to
> forbid any anonymous users?
> 
> Can anyone help?

Although it's not an ideal situation, a few days ago a Google employee
posted regarding access via Tor:

https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html

HTH,
Julian

-- 
3072D/F3A66B3A Julian Yon (2012 General Use) 




Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Mike Hearn
> Although it's not an ideal situation, a few days ago a Google employee
> posted regarding access via Tor:
>
> https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html

Hi, I'm that employee.

That post is specifically about login to existing accounts that were
created outside of Tor.

We have a policy of phone verifying every signup via anonymizing
proxies. If you signed up via Tor and didn't get asked to phone verify
it means the list of exit nodes we're using isn't up to date, or there
was a sync issue. Or you used an exit node that isn't in the list for
some reason. We use this one:
http://exitlist.torproject.org/exit-addresses

We appreciate the offer to solve 1000 CAPTCHAs. Unfortunately the cost
of 1000 CAPTCHAs is only about $1 on the open market, not exactly a
high bar.

The need for phone verification is unfortunate but real. If we had a
better way to throttle abuse we'd use it. Unfortunately we don't. In
the past I've researched and suggested using deposits of Bitcoin so we
could set the price of an account in a more nuanced way, see here for
a description of how it'd work:

  https://en.bitcoin.it/wiki/Contracts#Example_1:_Providing_a_deposit

(bitcoin is my 20% project)

For a variety of practical reasons I don't think that'll happen for
Google accounts anytime soon, even assuming the software for it
existed, which it doesn't yet. But I think it'd be great if people who
are interested in making Tor usable with abusable services worked on
the Bitcoin approach. I'd start by integrating with MediaWiki,
blogging platforms etc, forum software etc, so if people want to run
wikis/forums/blogs as hidden services or otherwise they have a way to
make spam expensive without using the proxy of identity.

Of course it does move the problem to be "how can I acquire Bitcoin?"
but you get unlinkability. Even if the Bitcoin seller you used knows
your identity, the recipient of the coins does not.

So I'm afraid we don't have a good solution for people who want to
sign up to Google anonymously today beyond buying accounts and getting
unlinkability that way, but as I said, that's against our terms of
service and can easily be confused with abuse so it's somewhat
dangerous.

thanks
-mike
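
A lookup against a snapshot of the exit list mentioned above, including the stale-entry and outdated-list cases, as an added example that is not Google's code or part of the original message. The sample list is constructed (documentation IP ranges, placeholder fingerprints), and the function names and cutoff are illustrative.

```shell
#!/bin/sh
# Added example: classify a client IP against a saved copy of the
# exit-addresses list. Timestamps in the list are "YYYY-MM-DD HH:MM:SS",
# so plain string comparison orders them correctly.

# Constructed sample in the exit-addresses layout (not real relays).
sample_exit_list() {
cat <<'EOF'
ExitNode 0000000000000000000000000000000000000001
Published 2012-10-15 21:03:11
LastStatus 2012-10-16 10:02:31
ExitAddress 192.0.2.10 2012-10-16 10:12:45
ExitAddress 192.0.2.11 2012-10-16 10:12:50
ExitNode 0000000000000000000000000000000000000002
Published 2012-10-13 08:00:00
LastStatus 2012-10-14 09:00:00
ExitAddress 198.51.100.7 2012-10-14 09:30:00
EOF
}

# tor_exit_status LIST_FILE IP CUTOFF
#   listed   IP was measured as an exit address at or after CUTOFF
#   stale    IP is in the list, but its last measurement predates CUTOFF
#   absent   IP is not in the list and the list itself is current
#   unknown  IP is not in the list, but the whole list predates CUTOFF,
#            so "not an exit" cannot be concluded (the out-of-date case)
tor_exit_status() {
    awk -v ip="$2" -v cutoff="$3" '
        $1 == "LastStatus" {
            ts = $2 " " $3
            if (ts > list_newest) list_newest = ts
        }
        $1 == "ExitAddress" && $2 == ip {
            ts = $3 " " $4
            if (ts > seen) seen = ts
        }
        END {
            if (seen != "" && seen >= cutoff) print "listed"
            else if (seen != "")              print "stale"
            else if (list_newest < cutoff)    print "unknown"
            else                              print "absent"
        }' "$1"
}

# Usage:
#   sample_exit_list > /tmp/exit-addresses
#   tor_exit_status /tmp/exit-addresses 192.0.2.10 "2012-10-16 00:00:00"
```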


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Julian Yon
On Tue, 16 Oct 2012 14:36:43 +0200
Mike Hearn  wrote:
> So I'm afraid we don't have a good solution for people who want to
> sign up to Google anonymously today beyond buying accounts and getting
> unlinkability that way, but as I said, that's against our terms of
> service and can easily be confused with abuse so it's somewhat
> dangerous.

Thanks for contributing, Mike. Does Google consider it against ToS to
pay somebody to create an account for you? i.e. rather than buy an
account, pay for the service of a sysadmin to create it specifically
for you and hand it over immediately?

Julian

-- 
3072D/F3A66B3A Julian Yon (2012 General Use) 




Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Maxim Kammerer
On Tue, Oct 16, 2012 at 2:36 PM, Mike Hearn  wrote:
> We appreciate the offer to solve 1000 CAPTCHAs. Unfortunately the cost
> of 1000 CAPTCHAs is only about $1 on the open market, not exactly a
> high bar.

Receiving an SMS via the SMS-REG service, for instance, is 10 RUR ≈
$0.33, as far as I know.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte


Re: [tor-talk] Review request: TorVM implementation in Qubes OS

2012-10-16 Thread Abel Luck
adrelanos:
> Hi,
> 
> Is it Amnesic or can it be made Amnesic?
> 
> Or in other words Can you be sure, that after deleting (or wiping)
> the torified AppVM no activity can not be reconstructed with local disk
> forensics? Could the torified AppVM be securely wiped without any
> leftovers? (Leftovers such as swap, or what else?)

Regarding deletion of the VM: I was under the impression secure deletion
was not possible on modern SSDs.

On the other hand, it should be possible to create an AppVM whose
writeable diskspace lies entirely in RAM.  I'll investigate this.

> 
> Is Tor's data directory persistent, i.e. does it use Entry Guards?
> 
I've not configured this explicitly, do you have any suggestions?
Here's the tor config:

https://github.com/abeluck/qubes-addons/blob/master/qubes-tor/start_tor_proxy.sh

> Are hardware serials, such as BIOS DMI information, hdd serials etc.
> hidden? (For a more comprehensive list of hardware serials and how to
> test if they are visible, you could check Whonix less important
> protected identifies as reference. [1])
> 
I'm fairly certain this is the case, seeing as how these are all VMs
(xen is the hypervisor), but I've not verified the hunch so I can't make
this claim

Hm, if you use the Qubes feature that lets you assign PCI (or USB)
devices to a VM, then obviously, no.

Thanks for the link, I'll investigate some more.

> Cheers,
> adrelanos
> 
> [1]
> https://sourceforge.net/p/whonix/wiki/Security/#less-important-identifies


Re: [tor-talk] Review request: TorVM implementation in Qubes OS

2012-10-16 Thread Abel Luck
adrelanos:
> Hi,
> 
> I am only commenting by reading the Readme:
> https://github.com/abeluck/qubes-addons/blob/master/qubes-tor/README.md
> 

This is exactly the type of feedback I wanted, thanks. See responses inline.

> First of all, I find this most interesting!
> 
>> Non-comprehensive list of identifiers TorVM does not protect:
> 
>>Time zone
> 
> Could that be improved by editing /etc/localtime?

I need to do more research into what it would take to protect the
localtime. For example, what are the consequences (technically and
UX-wise) of changing the local timezone to, presumably, UTC?

> 
>> User names and real name
> 
> What will be the operating system user name?
> 
All Qubes VMs use the username "user", only the VM host (aka dom0) has a
user configured username

>> Name+version of any client (e.g. IRC leaks name+version through CTCP)
> 
> CTCP can also leak your local time (and therefore including timezone).
> 

Yea client leaks are something I don't have a desire to solve directly,
rather I would like to make users aware of them. I would love to see a
repository of tor-safe configurations for apps along the lines of
TorBirdy and TorBrowser.

>> For these reasons TorVM ships with two open SOCKS5 ports that provide
> Tor access with different stream isolation settings:
> 
> On which IP are they listening?
> 

Qubes automatically configures networking for client VMs (where client
in this case means clients of a ProxyVM that is providing NAT).

So, the answer to your question is, whatever the default gateway is.

>> Each AppVM will use a separate tor circuit (IsolateClientAddr)
> 
> Qubes OS takes care of assigning each AppVM their own local LAN IP?
> 
Yup.

It should be noted that AppVms are isolated from each other on the local
network too.

>> Each destination address will use a separate circuit (IsolateDestAddr)
> 
> I am not sure, this is a good idea to have as default for any easily
> installable "Tor Distro Like" project.
> 
> Filesharing traffic already adds a lot of load to the Tor network. If these
> users create a new circuit for each IP they connect to, this might
> seriously harm the Tor network.
> 
>> For performance reasons less strict alternatives are provided, but
> must be explicitly configured.
> 
> I am in no position to suggest to disable it, but I guess if the Tor
> core members were reading this, they wouldn't like the idea. If they are
> not interested in this thread and therefore not reading this, I
> recommend to create an extra thread whether it's acceptable to enable
> IsolateDestAddr or IsolateDestPort by default for TransPort in a "Tor
> Distro Like" project by default for everyone.
> 

Hm, yes. After reading past discussion on this subject [1] I'm inclined
to disable these options on the default setup, and, instead provide
several more SOCKS ports with usecases (and defaults set accordingly).

>> Future Work  Integrate Vidalia
> 
> Good. Will any settings changed in Vidalia be persistent?
>
I haven't thought about this enough yet.

One problem, Vidalia's "New Identity" button doesn't make sense when you
have many stream contexts :|

Regarding persistence, do you suggest not making it so?

>> Future Work Create Tor Browser packages w/out bundled tor
> 
> Amazing.
> 
>> Future Work  Use local DNS cache to speedup queries (pdnsd)
> 
> That could make users more fingerprintable.
> 
>> Future Work  Support arbitrary DNS queries
> 
> That could make users more fingerprintable.
>

Yup, I'm aware. Really I've no plans to move forward here until
something more concrete develops. (I'm looking at Tails and Whonix,
who've discussed this issue extensively).


> What is it needed for anyway? Which things do not work without arbitrary
> DNS queries?
>
XMPP SRV lookups for one. Not a pressing issue of course.

>> Future Work  Configure bridge/relay/exit node
> 
> Good.
> 
>> Future Work  Normalize TorVM fingerprint
> 
> I have no imagination what that could mean. Please elaborate.
> 
>> Future Work  Optionally route TorVM traffic through Tor
> 
> What is the motivation behind it?
There is no good reason I can think of yet, I'm just concerned about a user
misunderstanding what a TorVM does (provides torified networking to
other AppVms), and opening firefox on it or something.
> 
>> Future Work  Fix Tor's openssl complaint
> 
> Please elaborate, one link is enough.

This is actually fixed. Tor disliked the OpenSSL ciphers available, but
upgrading openssl fixed it.

~abel

[1]:
https://sourceforge.net/p/whonix/wiki/Applications/#limited-workaround-for-tor-browser
https://lists.torproject.org/pipermail/tor-talk/2012-May/024401.html
https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html
https://trac.torproject.org/projects/tor/ticket/3455



Re: [tor-talk] Review request: TorVM implementation in Qubes OS

2012-10-16 Thread Julian Yon
On Tue, 16 Oct 2012 14:34:34 +
Abel Luck  wrote:
> Regarding deletion of the VM: I was under the impression secure
> deletion was not possible on modern SSDs.

A simple method is to create a disk image (loopback) encrypted with a
random key (held only in RAM) for temporary storage. As long as you
forget the key then it doesn't matter if the deleted file remains on
the underlying storage.

Julian

-- 
3072D/F3A66B3A Julian Yon (2012 General Use) 
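
The throwaway-key loopback image described above, sketched with dm-crypt in plain mode as an added example that is not from the original message. The choice of cryptsetup and ext4, the function names, and the paths and mapping name in the usage comment are assumptions; the commands need root.

```shell
#!/bin/sh
# Added example: scratch filesystem on a loopback image, encrypted with a key
# read straight from /dev/urandom. The key is never written to disk, so once
# the mapping is closed the image contents cannot be decrypted, whatever
# remains on the underlying storage.
# Note: data the kernel pages out to an unencrypted swap device is outside
# this protection.

scratch_open() {   # scratch_open IMAGE SIZE_MB NAME MOUNTPOINT ; prints loop device
    so_img=$1; so_mb=$2; so_name=$3; so_mnt=$4

    dd if=/dev/zero of="$so_img" bs=1M count="$so_mb" 2>/dev/null || return 1
    so_loop=$(losetup --find --show "$so_img") || return 1

    # Plain mode has no on-disk header: the key exists only in kernel memory.
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$so_loop" "$so_name" \
        || { losetup -d "$so_loop"; return 1; }

    mkfs -t ext4 -q "/dev/mapper/$so_name" >/dev/null || return 1
    mkdir -p "$so_mnt" || return 1
    mount "/dev/mapper/$so_name" "$so_mnt" || return 1
    echo "$so_loop"
}

scratch_close() {  # scratch_close IMAGE LOOPDEV NAME MOUNTPOINT
    umount "$4" || return 1
    # Closing the mapping discards the key; do this before anything else so a
    # later failure cannot leave a readable device behind.
    cryptsetup close "$3" || return 1
    losetup -d "$2"
    rm -f "$1"
}

# Usage (as root, names are examples):
#   loop=$(scratch_open /var/tmp/scratch.img 256 scratch0 /mnt/scratch)
#   ... use /mnt/scratch ...
#   scratch_close /var/tmp/scratch.img "$loop" scratch0 /mnt/scratch
```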




Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread grarpamp
> We have a policy of phone verifying every signup via anonymizing
> proxies.

I've read through the help pages but can't find the answer...
How many accounts can we have per phone number?


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Abel Luck
fakef...@tormail.org:
> 
> I wanted to register for youtube. For comments, voting... Youtube wants a
> gmail account...
> 
> Failed to make a gmail account. Gave them alternate mail, correct
> captcha... First thing after registration they want is sms or phone
> verification... I have no such thing as anonymous user.
> 
> Do you know any free voicemail server for use with Tor and gmail?
> 
> Do you know any free sms receiver number for use with Tor and gmail?
> 

Hm, I'm sensing a web service that uses twilio to provide short-term
SMS+voice access for this reason. It could even offer a tor hidden service.

Of course this seems like a good way to get all of Twilio's number pool
blacklisted. Though, perhaps that would not be possible? Maybe that
number pool is too large, or unknown, or used by too many others?

Hm, what about a webapp, that spun up an ephemeral VPN on Amazon's
EC2 for several minutes? Surely EC2 can't be blacklisted?

Just some ideas.






Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Mike Hearn
We blacklist SMS/voice forwarding services when we find them and
re-suspend the accounts that used them. We haven't focused on it much
so there are certainly services we haven't blacklisted yet.

Generally, using these services is dangerous. If spammers have used
the same numbers you get allocated to bypass verification, you can be
treated as part of the cluster and have your account terminated
without appeal.

I don't see the distinction between "pay somebody to create an account
for you" and "buy an account". Both types of activity are likely to
hit various tripwires that will result in forced phone verification of
the account later on. Bear in mind it's not just at signup. If we
suspect an account is being used abusively then the account can be
locked until you pass SMS too.

Right now I don't believe there is any safe way to use Google accounts
via Tor if you aren't willing to provide a phone number, nor do I
believe it's safe for any other large web service. Handling abuse
whilst allowing discardable identities is a fundamental research
problem the Tor team need to solve if they don't want Tor to be
restricted to a "read only" internet (to use Greg Maxwell's phrasing).


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Andrew Lewman
On Tue, 16 Oct 2012 14:36:43 +0200
Mike Hearn  wrote:
> We have a policy of phone verifying every signup via anonymizing
> proxies. If you signed up via Tor and didn't get asked to phone verify
> it means the list of exit nodes we're using isn't up to date, or there
> was a sync issue. Or you used an exit node that isn't in the list for
> some reason. We use this one:
> http://exitlist.torproject.org/exit-addresses

I'm not sure what using a phone gets you for more verification. I
helped a domestic violence survivor get an AT&T GoPhone at the
local Best Buy for $20. Paid in cash, no identity needed, prepaid
service. They signed up for a google account via tor, used the phone
for the one sms message and then donated the phone to a homeless
shelter.

I guess $20 is more than $1 for 1000 CAPTCHA breaks, but I guess that's
because the survivor isn't criminal minded enough to steal/clone
someone's phone for the sms message.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Mike Hearn
> I'm not sure what using a phone gets you for more verification.

It's not a form of ID verification. We don't really care who owns the
number (or indeed, who you are at all).

It's just a throttle. It's harder to get 1000 phone numbers that don't
cluster and automate them, than it is to buy 1000 CAPTCHA solutions.
End of story.


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Julian Yon
On Tue, 16 Oct 2012 18:36:35 +0200
Mike Hearn  wrote:
> I don't see the distinction between "pay somebody to create an account
> for you" and "buy an account". Both types of activity are likely to
> hit various tripwires that will result in forced phone verification of
> the account later on. Bear in mind it's not just at signup. If we
> suspect an account is being used abusively then the account can be
> locked until you pass SMS too.

It's the difference between me (as a disabled person) buying a loaf of
bread from my neighbour, versus paying him to run to the shop for me.
It's an important distinction because at no point in the second case
does my neighbour own the bread. In terms of account creation, you're
paying somebody for the time & effort it takes them to set up an
account using your details (modulo the phone number you don't have) via
their uncensored Internet connection, i.e. to overcome the technical
obstacle. They're not reselling the Google service.

In the same way, when I set up an account for my
not-very-computer-literate partner I never transferred ownership to
her; it has always been hers, I just performed some admin. As my
condition deteriorates and my hands become less useful, it may be that
I have to ask people to do such tasks for me in future. I'm trying to
establish a “spirit of the law” here, because I can't see how it is
beneficial to require all users to physically create their account with
their own hands when there are many reasons why that might not be
possible.

Regards,
Julian

-- 
3072D/F3A66B3A Julian Yon (2012 General Use) 




Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread k e bera
On Tue, 16 Oct 2012 18:36:35 +0200
Mike Hearn  wrote:
> Right now I don't believe there is any safe way to use Google accounts
> via Tor if you aren't willing to provide a phone number, nor do I
> believe it's safe for any other large web service. Handling abuse
> whilst allowing discardable identities is a fundamental research
> problem the Tor team need to solve if they don't want Tor to be
> restricted to a "read only" internet (to use Greg Maxwell's phrasing).

Why are anonymous signups assumed guilty of abuse before anything happens?  How 
about limiting usage initially, with progressive raising of limits based on 
time elapsed with non-abusive behaviour (something like credit card limits)?  
People should be able to establish good *online* reputations that are not tied 
to their physical identity.


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Andreas Krey
On Tue, 16 Oct 2012 10:51:37 +, k e bera wrote:
...
> 
> Why are anonymous signups assumed guilty of abuse before anything happens?  
> How about limiting usage initially,

Because per-account limits don't help when you can easily create as many
accounts as you want.

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds 
Date: Fri, 22 Jan 2010 07:29:21 -0800


Re: [tor-talk] Review request: TorVM implementation in Qubes OS

2012-10-16 Thread adrelanos
Abel Luck:
> adrelanos:
>> Hi,
>>
>> I am only commenting by reading the Readme:
>> https://github.com/abeluck/qubes-addons/blob/master/qubes-tor/README.md
>>
> 
> This is exactly the type of feedback I wanted, thanks. See responses inline.
> 
>> First of all, I find this most interesting!
>>
>>> Non-comprehensive list of identifiers TorVM does not protect:
>>
>>>Time zone
>>
>> Could that be improved by editing /etc/localtime?
> 
> I need to do more research into what it would take to protect the
> localtime. For example, what are the consequences (technically and
> UX-wise) of changing the local timezone to, presumably, UTC?

UTC is fine. Afaik Tails, Liberte Linux and Whonix are using UTC.

>>
>>> User names and real name
>>
>> What will be the operating system user name?
>>
> All Qubes VMs use the username "user", only the VM host (aka dom0) has a
> user configured username

Good!

>>> Name+version of any client (e.g. IRC leaks name+version through CTCP)
>>
>> CTCP can also leak your local time (and therefore including timezone).
>>
> 
> Yea client leaks are something I don't have a desire to solve directly,
> rather I would like to make users aware of them. I would love to see a
> repository of tor-safe configurations for apps along the lines of
> TorBirdy and TorBrowser.

Awareness is fine. If the things which can leak are spoofed, randomized
and/or shared with others, they are less severe.

Setting it to UTC is ok and another time-related suggestion is coming
in an extra mail.

>>> For these reasons TorVM ships with two open SOCKS5 ports that provide
>> Tor access with different stream isolation settings:
>>
>> On which IP are they listening?
>>
> 
> Qubes automatically configures networking for client VMs (where client
> in this case means clients of a ProxyVM that is providing NAT).
> 
> So, the answer to your question is, whatever the default gateway is.
> 
>>> Each AppVM will use a separate tor circuit (IsolateClientAddr)
>>
>> Qubes OS takes care of assigning each AppVM their own local LAN IP?
>>
> Yup.
> 
> It should be noted that AppVms are isolated from each other on the local
> network too.
> 
>>> Each destination address will use a separate circuit (IsolateDestAddr)
>>
>> I am not sure, this is a good idea to have as default for any easily
>> installable "Tor Distro Like" project.
>>
>> Filesharing traffic already adds a lot of load to the Tor network. If these
>> users create a new circuit for each IP they connect to, this might
>> seriously harm the Tor network.
>>
>>> For performance reasons less strict alternatives are provided, but
>> must be explicitly configured.
>>
>> I am in no position to suggest to disable it, but I guess if the Tor
>> core members were reading this, they wouldn't like the idea. If they are
>> not interested in this thread and therefore not reading this, I
>> recommend to create an extra thread whether it's acceptable to enable
>> IsolateDestAddr or IsolateDestPort by default for TransPort in a "Tor
>> Distro Like" project by default for everyone.
>>
> 
> Hm, yes. After reading past discussion on this subject [1] I'm inclined
> to disable these options on the default setup, and, instead provide
> several more SOCKS ports with usecases (and defaults set accordingly).
> 
>>> Future Work  Integrate Vidalia
>>
>> Good. Will any settings changed in Vidalia be persistent?
>>
> I haven't thought about this enough yet.
> 
> One problem, Vidalia's "New Identity" button doesn't make sense when you
> have many stream contexts :|

I think it still makes sense. Let's say you are using an extra SocksPort
for web and an extra SocksPort for IRC.

After closing the browser it's still useful to issue a new identity to
unlink the sessions before the circuit changes after 10 minutes
automatically.

I am not an expert on that topic, but from observing stream isolating
doesn't lead to circuits being used longer. All circuits switch after 10
minutes and if you want to do it earlier manually, that's still useful.

Interestingly circuit creation is internally implemented in Tor so well,
that if you have 30 SocksPorts, that won't result in 30 circuits. Tor
still only builds the required regular amount of circuits. Only if you
were to use those 30 SocksPorts all at once you had big amounts of circuits.

If users understand it, new identity is a good thing. The bigger problem
are users who don't understand it:
https://tails.boum.org/todo/disable_Vidalia_new_identity_feature/

Maybe it should be better renamed to "switch Tor circuit" rather than
"New Identity"?

> Regarding persistence, do you suggest not making it so?

Persistence will be answered in the other mail along with Tor.

>>> Future Work Create Tor Browser packages w/out bundled tor
>>
>> Amazing.
>>
>>> Future Work  Use local DNS cache to speedup queries (pdnsd)
>>
>> That could make users more fingerprintable.
>>
>>> Future Work  Support arbitrary DNS queries
>>
>> That could make users more fingerprintable.
>>
> 
> Yup, I'm aware. 

Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Gregory Maxwell
On Tue, Oct 16, 2012 at 12:55 PM, Andrew Lewman  wrote:
> I guess $20 is more than $1 for 1000 CAPTCHA breaks, but I guess that's
> because the survivor isn't criminal minded enough to steal/clone
> someone's phone for the sms message.

It isn't just the phone— the effort required to perform that set of
activities was a non-trivial cost— but one acceptable to a person with
an earnest need of increased anonymity—,  which also created
geographic restrictions which limited the use of cheap labor in other
locations. Not to mention the cost of the knowledge of how to do
whatever workaround you provided, the cost of convincing an internet
privacy expert to help them, etc...

Maybe at some point someone will build an industrial infrastructure
that abuses the ability to buy disposable phones and resell them and
then Google will have to adapt. But at the moment…

Fundamentally all of these attacks and their defenses are operating in
the space of a constant linear work factor.  You must do one unit of
"effort" to send a valid email, the attack must do N units _or less_
to send N units of spam/crapflood/etc.   No system that puts an
attacker at merely a simple linear disadvantage is going to look
"secure" from a CSish/cypherpunk/mathematical basis. And in
consideration of the total cost, the attacker often has great
advantages: he has script coders in cheap labor markets while your
honest activist is trying to figure out where the right mouse button
is...

But the fact of the matter is that the common defense approaches are,
in general, quite effective.   Part of their effectiveness is that
many service providers (including community driven/created ones like
Wikimedia) are broadly insensitive to overblocking. Attackers are far
more salient: they are adaptive and seek out all the avenues and are
often quite obnoxious, and there are plenty of honest fish in the sea
if you happen to wrongfully turn away a few.  When considering the
cost benefit tradeoffs one attacker may produce harm greater than the
benefit of ten or a hundred honest users— and almost always appears to
be causing significant harm— and so it can be rational to block a
hundred honest users for every persistent attacker you reject
(especially if your honest users 'value' is just a few cents of ad
income). This may be wrong— in terms of their long term selfish
interests and in terms of social justice— but that's how it is, and
it's something that extends _far_ beyond TOR. For example, English
Wikipedia blocks a rather large portion of the whole IPv4 internet
from editing, often in big multi-provider /16 swaths at a time. Tor is
hardly a blip against this background of over blocking. Educating
services where their blocking is over-aggressive may be helpful but
without alternatives which are effective it will not go far beyond
just fixing obvious mistakes.

And— the effectiveness is not just limited to the fact that the
blocking rejects many people (good and bad alike) there are many
attacks like spamming which are _only_ worthwhile if the cost—
considering all factors like time discounting, knowledge, geographic
restrictions— is under some threshold.. but below that threshold there
is basically an infinite supply of demand.  The fact that the level of
abuse is highly non-smooth with the level of defense makes it quite
attractive to make some blunt restrictions that screw a considerable
number (if only a small percentage) of honest users while killing most
of the abuse.

On Tue, Oct 16, 2012 at 1:51 PM, k e bera  wrote:
> Why are anonymous signups assumed guilty of abuse before anything happens?  
> How about limiting usage initially, with progressive raising of limits based 
> on time elapsed with non-abusive behaviour (something like credit card 
> limits)?  People should be able to establish good *online* reputations that 
> are not tied to their physical identity.

I think this is common but flawed thinking that prevents progress on this
front.  You're thinking about this in terms of justice. In a just
world there wouldn't be any abusers... and all the just rules you can
think of to help things won't matter much because the abusers won't
follow them, and we don't know how to usefully construct rules for
this space that can't be violated. (...and some alternative ideas like
WOTs/reputation systems have serious risks of deeper systematic
kafkaesque injustice...).  And of course, _anonymous_ is at odds with
_reputation_ by definition.

The whole thinking of this in terms of justice is like expecting
rabbits and foxes to voluntarily maintain equilibrium population so
that neither dies out. That just isn't how it works.

Is it possible that all the communication advances we've made will be
wiped out by increasing attacker sophistication to the point where
Turing test passing near-sentient AIs are becoming best friends with
you just to trick you into falling for a scam and we all give up this
rapid worldwide communication stuff? Will we confine ourselves to the
extre

Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Mike Hearn
> Why are anonymous signups assumed guilty of abuse before anything happens?
> How about limiting usage initially, with progressive raising of limits based
> on time elapsed with non-abusive behaviour (something like credit card
> limits)?  People should be able to establish good *online* reputations that
> are not tied to their physical identity.

We do some of that, actually. Accounts that are young are examined
more closely and treated more aggressively than older more established
accounts. Account sellers know this and sometimes try and sell "aged
accounts" for a higher price (not that it works).

But as Andreas Key correctly points out, there must still be a way to
throttle abusive signups. When signup or login security fails badness
follows, often at huge scale.

There's always some collateral damage from these schemes
unfortunately. Eg, CAPTCHAs are poor for blind users. Phone
verification is poor for Tor users, or users without phones.

If you would like to see the effect our signup security efforts have
had for yourself, visit buyaccs.com and compare the price of gmail.com
vs hotmail.com accounts.
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Abel Luck
Mike Hearn:
> We blacklist SMS/voice forwarding services when we find them and
> re-suspend the accounts that used them. We haven't focused on it much
> so there are certainly services we haven't blacklisted yet.
> 
> Generally, using these services is dangerous. If spammers have used
> the same numbers you get allocated to bypass verification, you can be
> treated as part of the cluster and have your account terminated
> without appeal.
> 
> I don't see the distinction between "pay somebody to create an account
> for you" and "buy an account". Both types of activity are likely to
> hit various tripwires that will result in forced phone verification of
> the account later on. Bear in mind it's not just at signup. If we
> suspect an account is being used abusively then the account can be
> locked until you pass SMS too.
> 
> Right now I don't believe there is any safe way to use Google accounts
> via Tor if you aren't willing to provide a phone number, nor do I
> believe it's safe for any other large web service. Handling abuse
> whilst allowing discardable identities is a fundamental research
> problem the Tor team need to solve if they don't want Tor to be
> restricted to a "read only" internet (to use Greg Maxwell's phrasing).


Thanks for the frank and upfront information Mike. It's refreshing :)


Re: [tor-talk] Review request: TorVM implementation in Qubes OS

2012-10-16 Thread adrelanos
Abel Luck:
> adrelanos:
>> Hi,
>>
>> Is it Amnesic or can it be made Amnesic?
>>
>> Or in other words: can you be sure that after deleting (or wiping)
>> the torified AppVM no activity can be reconstructed with local disk
>> forensics? Could the torified AppVM be securely wiped without any
>> leftovers? (Leftovers such as swap, or what else?)
> 
> Regarding deletion of the VM: I was under the impression secure deletion
> was not possible on modern SSDs.
> 
> On the other hand, it should be possible to create an AppVM whose
> writeable diskspace lies entirely in RAM.  I'll investigate this.
> 
>>
>> Is Tor's data directory persistent, i.e. does it use Entry Guards?
>>
> I've not configured this explicitly, do you have any suggestions?

Tor Browser Bundle users are using persistent Entry Guards.

Final goal should be to share the same fingerprint with them (web
fingerprint, traffic fingerprint for local observer). If you manage to
use Tor Browser in the AppVM and Entry Guards in the TorVM, the
fingerprint should be the same. Except, that you added strong security
by isolation for the case of a browser exploit.

Whonix uses persistent Entry Guards and Tor Browser.

Persistent Entry Guards are planned for Tails.
https://tails.boum.org/todo/persistence_preset_-_tor/
https://tails.boum.org/todo/persistence_preset_-_bridges/

Tor Browser is planned for Tails.
https://tails.boum.org/todo/replace_iceweasel_with_Torbrowser/

Persistent Entry Guards are considered for Liberte Linux:
Please see recent thread "[tor-talk] Location-aware persistent guards".

So the answer is yes, in most cases I recommend persistence for Entry
Guards and Tor's data dir. The same goes for Vidalia, since it can be
used to configure Tor and bridges.

Some further thoughts on persistent Entry Guards:
On the other hand, non-persistent Entry Guards are more amnesic. So if
you decide to add an amnesic feature, that should be also possible to do
with the TorVM.

There are also thoughts, in the thread "[tor-talk] Location-aware persistent
guards" or in the linked ticket
https://trac.torproject.org/projects/tor/ticket/2653, that
non-persistent Entry Guards are better suited for people who travel a
lot / Live CDs.

> Here's the tor config:
> 
> https://github.com/abeluck/qubes-addons/blob/master/qubes-tor/start_tor_proxy.sh
> 
>> Are hardware serials, such as BIOS DMI information, hdd serials etc.
>> hidden? (For a more comprehensive list of hardware serials and how to
>> test if they are visible, you could check Whonix less important
>> protected identifies as reference. [1])
>>
> I'm fairly certain this is the case, seeing as how these are all VMs
> (xen is the hypervisor), but I've not verified the hunch so I can't make
> this claim
> 
> Hm, if you use the Qubes feature that lets you assign PCI (or USB)
> devices to a VM, then obviously, no.
> 
> Thanks for the link, I'll investigate some more.
> 
>> Cheers,
>> adrelanos
>>
>> [1]
>> https://sourceforge.net/p/whonix/wiki/Security/#less-important-identifies


Re: [tor-talk] TB download improvement

2012-10-16 Thread Greg Norcie
Hi,

I did a Tor usability study recently, though admittedly with
participants who were English speakers (though a large chunk were not US
citizens and did not speak English as a first language). We termed a
failure to DL the TBB as "download clarity", and found it was one of
the least cited usability issues.

I think the current UI is well tested and conveys information well.

However, off the top of my head, two small tweaks could solve the OP's
issues:

1.) Include small windows, apple, and tux logos on the download link on
the main tor page... these could serve as a symbolic cue that it is a
download link.

2.) Once on the download page, in the drop down list of languages that
is defaulted to "English" include a US and UK flag. Include flags from
representative countries in each language[1]. This is a common design
pattern on sites being accessed by many people speaking many languages
(eg: transit sites based in Europe)

Personally, I wouldn't go beyond very minor tweaks to the current
interface without a lab study showing that a statistically significant
number of non-English speakers had trouble DLing Tor.

--
Greg Norcie (g...@norcie.com)
GPG key: 0x1B873635


[1] Admittedly this could get harder for say, Arabic - how do you pick
one country? This would probably want to be debated as to minimize
offense to nations not featured.


On 10/15/12 3:20 PM, Andrew Lewman wrote:
> On Sun, 14 Oct 2012 21:33:01 +0200 (CEST)
> Outlaw  wrote:
> 
>> Hey there, Tor devs :) IMHO present torproject.org is very difficult
>> for average internet user. For those who don`t know english well, it
>> is almost impossible to find proper link.  
> 
> Hmm, the large purple and orange 'Download tor' button on the index page
> was missed?
> 
> We spent three months testing website designs based on real user
> feedback and usability testing. The green box and purple download
> button were designed to catch your eye first, and testing proves it
> works. The testing included barely English-speaking users by design.
> 
>> I think it is the question of resources - to provide multilingual
>> website up to date, which Tor team just doesn`t have. So I have two
>> suggestions that require minimal effort:
> 
> We had one, and it was mostly out of date and giving incorrect advice
> in many languages. See
> https://trac.torproject.org/projects/tor/ticket/6851 for the current
> discussion about re-enabling website translations.
> 
>> 1. Easy one. Make a static link like
>> "https://torproject.org/download/torbrowser-win-latest.exe"
> 
> No. This is a bad idea because then everyone thinks they have the
> latest tor, all the time. When people ask for support, they explain
> they have the latest tor, when really their version is 3 years out of
> date. 
> 
> Our answer to this is a secure updater, codenamed thandy. See
> https://gitweb.torproject.org/thandy.git/blob/HEAD:/specs/thandy-spec.txt
> for the details. We just received some funding to implement this over
> the next year.
> 
>> 2. A bit harder. Make a page for each language and OS with script that
>> starts downloading latest release:
>> "http://torproject.org/download/win/de" for example. Advantage of this
>> method will be that you can provide some message, like version or
>> other important stuff.
> 
> We have this already. When you click the big download button on the
> homepage, you are sent to
> https://www.torproject.org/download/download-easy.html.en. There are
> language drop-downs for the 13 TBB translations.
> 
>> People like one big red button DOWNLOAD and nothing else,
> 
> Consider Tor as sophisticated as a Formula 1 race car. Just because
> you have a drivers license and can drive a nice sedan on the street
> doesn't mean you can hop into a Formula 1 car and even get out of the
> pit lane without killing yourself. 
> 
> People who don't want to read the warnings, and just want to
> download and run, are dangerous. They will de-anonymize themselves. At
> best, they disclose they wanted privacy, at worst, they get arrested,
> tortured, and killed while their family is blacklisted for life.
> 
> We are working on improving the usability of Tor to help users make
> smart decisions. Research takes time and thought. The same process goes
> for the website. 
> 
> Our website is free software, with the repository located at
> https://svn.torproject.org/svn/website/trunk/. Feel free to submit
> patches of your ideas to improve the usability of the site.
> 
> Thanks for the feedback.
> 


Re: [tor-talk] Review request: TorVM implementation in Qubes OS: Vidalia

2012-10-16 Thread adrelanos
> Future Work  Integrate Vidalia

About Vidalia again... I was quickly reading my dev ticket again (
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#SHELLSCRIPTSVidaliabydefaultGraphicalGatewayWAITINGFORVIDALIA0.3.x
), why it's not yet integrated into Whonix.

Summary:

"One drawback with Vidalia 0.2.15 remains... As soon as you edit torrc
with Vidalia (i.e. add non-obfuscated bridges, all comments in torrc get
lost, i.e. comments how to add obfuscated bridges get lost.).

Solved in 0.3.2-alpha. I am waiting for 0.3.2."

Another issue was, that Vidalia is explicitly not designed to manage a
system wide installed Tor. Vidalia can not start/stop a Tor instance, it
has not started itself.

Vidalia will also not be able to edit /etc/tor/torrc out of the box,
because Vidalia gets started as user, while /etc/tor/torrc is owned by root.

I am not sure how to solve it best...

Running Tor/Vidalia as user is also not the best option, that would
prevent "sudo service restart tor" (probably also the Fedora
equivalent). Breaking "sudo service restart tor" and running Tor as user
is bad, since it can not be updated by the system apt-get (or the
Fedora equivalent). (Imagine long running servers.)

I guess the best might be to have Tor managed by the system (apt-get...)
and to start Vidalia as a user. To edit /etc/tor/torrc, Vidalia needs an
exception to have write rights on that file. Vidalia's start/stop Tor
feature will break, I don't know how that could be solved. You still had
a Tor which is partially managed by gui and partially managed by cli.
Relaxing permission on Tor's data dir further for Vidalia broke Tor.

However, in qubes-os that all might be simpler to solve. Tor/Vidalia get
updated from dom0?

Cheers,
adrelanos


Re: [tor-talk] TB download improvement

2012-10-16 Thread Outlaw
Andrew Lewman:

> Hmm, the large purple and orange 'Download tor' button on the index page
> was missed?

No, but the average user needs to click on it, then choose language (btw
the list is barely seen) and then click "Download" again. 

> We have this already. When you click the big download button on the
> homepage, you are sent to
> https://www.torproject.org/download/download-easy.html.en. There are
> language drop-downs for the 13 TBB translations.

I was talking about descriptions outside torproject.org for
non-english-speaking people. Imagine blog post that describes benefits
of Tor and a link to page that starts downloading right away (or after
few seconds). And compare it to the same thing but with a link to page
that only leads to download by several (obscure) clicks.

It is not my imagination, people keep asking me to pass a right link
to TB, because they just can`t understand what and how they need to
find and click to start right download. 

I was talking about something like this. (just random link from main
sourceforge page)
http://sourceforge.net/projects/winscp/files/latest/download?source=frontpage&position=5

You see, I can click on it, the page has info about what would be
downloaded and downloading is started.

Maybe I`m wrong, I don`t know, but imo the main problem for users now is
not running and using (it is pretty easy, thanks to devs), but finding
and getting TB.

Ok, I am not going to argue with you anyway, you`re the boss :)

-- 
Outlaw



Re: [tor-talk] TB download improvement

2012-10-16 Thread Andrew Lewman
On Tue, 16 Oct 2012 14:55:02 -0400
Greg Norcie  wrote:
> 1.) Include small windows, apple, and tux logos on the download link
> on the main tor page... these could serve as a symbolic cue that it
> is a download link.

We had these in the past and people didn't recognize their own OS or
what they were. Those interviewed thought they were just odd
icons. However, I'm open to trying again. Maybe we have a new userbase.

> 2.) Once on the download page, in the drop down list of languages that
> is defaulted to "English" include a US and UK flag. Include flags from
> representative countries in each language[1]. This is a common design
> pattern on sites being accessed by many people speaking many languages
> (eg: transit sites based in Europe)

We had this in the past. The problem we ran into is people getting
really angry, or thoroughly confused, at the flag not matching their
language. You noted this in your footnote too. I don't have a good
option for this. Suggestions, advice, and patches welcome.

Making the language drop down larger can possibly help.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [tor-talk] Review request: TorVM implementation in Qubes OS

2012-10-16 Thread adrelanos
Hi,

system time is a sophisticated issue:

Please read:
- https://tails.boum.org/contribute/design/Time_syncing/
-
http://sourceforge.net/p/whonix/wiki/Security/#whonixs-secure-and-distributed-time-synchronization-mechanism

Suggestion:
Time in torified VMs (and perhaps TorVM) should differ from the time in
dom0 and other regular AppVMs.

Cheers,
adrelanos


Re: [tor-talk] TB download improvement

2012-10-16 Thread Andrew Lewman
On Tue, 16 Oct 2012 21:12:43 +0200 (CEST)
Outlaw  wrote:

> I was talking about descriptions outside torproject.org for
> non-english-speaking people. Imagine blog post that describes benefits
> of Tor and a link to page that starts downloading right away (or after
> few seconds). And compare it to the same thing but with a link to page
> that only leads to download by several (obscure) clicks.

Ok. Our website is completely static files for scalability, to avoid a
huge class of attacks, for simplicity of maintenance, and mirroring.
Suggestions and patches welcome.

> Ok, I am not going to argue with you anyway, you`re the boss :)

Pfft, all the more reason you should question me. ;)

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Juan Garofalo

>Right now I don't believe there is any safe way to use Google accounts
>via Tor if you aren't willing to provide a phone number, nor do I
>believe it's safe for any other large web service. Handling abuse
>whilst allowing discardable identities is a fundamental research
>problem the Tor team need to solve if they don't want Tor to be
>restricted to a "read only" internet (to use Greg Maxwell's phrasing).



Perhaps the actual problem to be solved is how to deal with criminal 
organizations like the american government and its lackeys(google for 
instance)? 


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Maxim Kammerer
On Tue, Oct 16, 2012 at 8:35 PM, Mike Hearn  wrote:
> If you would like to see the effect our signup security efforts have
> had for yourself, visit buyaccs.com and compare the price of gmail.com
> vs hotmail.com accounts.

SMS-verified GMail accounts: $100 per 1k. Non-SMS-verified GMail
accounts: $95 per 1k. (Annoying millions of users by ignoring their
desire for privacy: priceless.)

Looks like spammers don't value your phone verification efforts too much.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte


Re: [tor-talk] Tor Browser script pack 0.3: (multiple) Tor Browser, without Tor/Vidalia; behind a transparent proxy or Tor Router

2012-10-16 Thread The Doctor
On 10/10/2012 08:59 PM, adrelanos wrote:

> Alternative startup scripts for the Tor Browser Bundle. For
> starting up Tor Browser without Tor and Vidalia.

There's an easier way to go about it:

https://github.com/virtadpt/Experiments/blob/master/tbb.sh

I use this all the time (TBB's version of Firefox plus the latest
version of Tor from the Arch Linux repository) and it's a lot less
code, so it's easier to maintain in the long run.

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Every day's a new beginning.  You got your country back." --Andrew
Eldritch, on stage, 20081105



Re: [tor-talk] Tor Browser script pack 0.3: (multiple) Tor Browser, without Tor/Vidalia; behind a transparent proxy or Tor Router

2012-10-16 Thread adrelanos
The Doctor:
> On 10/10/2012 08:59 PM, adrelanos wrote:
> 
>> Alternative startup scripts for the Tor Browser Bundle. For
>> starting up Tor Browser without Tor and Vidalia.
> 
> There's an easier way to go about it:
> 
> https://github.com/virtadpt/Experiments/blob/master/tbb.sh

It's nice, you could even pass additional command line parameters such
as -new-tab.

> I use this all the time (TBB's version of Firefox plus the latest
> version of Tor from the Arch Linux repository) and it's a lot less
> code, so it's easier to maintain in the long run.

Yes, I believe that works.

I didn't mess with most parts of the original. One point of the
repository is upstreaming it. People downloading TBB inside their custom
Tor proxies should be easily able to modify the stock TBB startup script.

https://trac.torproject.org/projects/tor/ticket/5611

The extra code will probably not make maintenance so much more
difficult. It's unchanged over long amounts of time.


Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread Maxim Kammerer
On Tue, Oct 16, 2012 at 6:36 PM, Mike Hearn  wrote:
> Handling abuse
> whilst allowing discardable identities is a fundamental research
> problem the Tor team need to solve if they don't want Tor to be
> restricted to a "read only" internet (to use Greg Maxwell's phrasing).

It's not Tor's problem to solve. Both common sense and actual research
[1] suggest otherwise. Tor only needs to steadily increase its
popularity and teach users not to link their real identities to online
activities. Service providers will then need to adapt their business
models or lose users, and as a result, customers (advertisers in your
case).

[1] http://dspace.mit.edu/handle/1721.1/72901

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte


Re: [tor-talk] Tor Browser script pack 0.3: (multiple) Tor Browser, without Tor/Vidalia; behind a transparent proxy or Tor Router

2012-10-16 Thread kman215

please take me off the mailing list or at least tell me how I can do that 
tykman...@aol.com




Re: [tor-talk] Flash, Linux and Tor

2012-10-16 Thread adrelanos
Raviji:
> On Fri, 12 Oct 2012 13:12:53 +
> adrelanos  wrote:
> 
>> Raviji:
>>> On Fri, 12 Oct 2012 11:38:34 +
>>> adrelanos  wrote:
>>>
>>>> Outlaw:
>>>>> Hi! Let`s say main linux user A is cut off from Internet with iptables,
>>>>> user B starts Tor. If I run TorBrowser by user A, connect it to Tor
>>>>> (which is started by B) with socks and turn on flash plugin, is there
>>>>> any security/anonymity leak in this scheme? Thank you.
>>>>
>>>> If you ever use or used Flash without Tor, your Tor session can likely
>>>> be linked to your non-Tor session. (Flash Cookies, browser fingerprint,
>>>> fonts, os, kernel, dpi, etc.)
>>>>
>>>> I believe my project Whonix is currently the safest method to use Flash.
>>>> IP/DNS/location remains safe, but Flash usage will always be only
>>>> pseudonymous rather than anonymous. Linking your sessions will be
>>>> limited to your activity inside the Workstation. Details:
>>>
>>> whonix is nice, but heavier on system with virtual box.
>>
>> Indeed, that's a major drawback. Though with some tweaking you could
>> switch from KDE to Openbox, reduce RAM... Finally lower RAM requirements
>> to ~400MB or so.
>>
>>> Where a system wide tor enforcement is a good alternative.
>>> It is possible with iptables. We might think about a service,
>>> when start do system wide tor enforcement, when stop revert back
>>> the system to normal mode. 
>>>
>>> Though I am not successful yet to exclude the lan from this enforcement,
>>> as I need to access some local IP directly. I need some more understanding
>>> with iptables. Can anyone help me with the iptables please ?
>>
>> Did you read my first sentence in my first reply?
>>
>> "If you ever use or used Flash without Tor, your Tor session can likely
>> be linked to your non-Tor session. (Flash Cookies, browser fingerprint,
>> fonts, os, kernel, dpi, etc.)"
>>
> 
> But can it still pass as the firewall drops all non tor connection ?
> 
> Yes, I agree, it still carries the browser fingerprint, fonts, os, kernel, dpi,
> etc.,
> and that's why your whonix is nice.

> Can you make it little bit low fat :-)

I don't think so. Just updated the FAQ on that topic:
https://sourceforge.net/p/whonix/wiki/FAQ/#why-are-the-whonix-images-so-big

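The system-wide Tor enforcement with a LAN exemption that Raviji asks about in the quoted text above, as an added example that is not part of the thread. The Tor user name, ports, state-file paths and LAN range are assumptions; as adrelanos points out, rules like these only cover IP/DNS routing, not Flash cookies or fingerprinting.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not apply) the iptables
# commands for system-wide Tor enforcement with a LAN exemption, plus the
# revert step for the "stop" side of the service idea.
# Assumptions: Tor runs as user "debian-tor"; torrc has TransPort 9040,
# DNSPort 5353, VirtualAddrNetwork 10.192.0.0/10, AutomapHostsOnResolve 1;
# the state-file paths and any LAN range you pass in are your own values.

TOR_USER="${TOR_USER:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"
STATE4="${STATE4:-/run/tor-enforce.v4}"
STATE6="${STATE6:-/run/tor-enforce.v6}"

# Shape check only (a.b.c.d/len); keeps stray shell syntax out of the output.
valid_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# tor_enforce_rules NET... : NETs are LAN ranges that stay directly reachable.
tor_enforce_rules() {
  for net in "$@"; do
    valid_cidr "$net" || { echo "bad LAN range: $net" >&2; return 1; }
  done
  # Save the current rules so "stop" can put them back.
  echo "iptables-save > $STATE4"
  echo "ip6tables-save > $STATE6"
  echo "iptables -F OUTPUT"
  echo "iptables -t nat -F OUTPUT"
  # nat table: the first matching rule wins, so the order is the policy.
  # 1. Tor's own connections to its relays must not be redirected.
  echo "iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_USER -j RETURN"
  # 2. DNS goes to Tor's DNSPort before the LAN exemption, so a resolver
  #    on the LAN (the usual home-router case) never sees the queries.
  echo "iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
  # 3. Loopback and the exempted LAN ranges are left alone.
  for net in 127.0.0.0/8 "$@"; do
    echo "iptables -t nat -A OUTPUT -d $net -j RETURN"
  done
  # 4. Every other new TCP connection is handed to Tor's TransPort.
  echo "iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
  # filter table: loopback (which includes redirected traffic), LAN and the
  # Tor user may send; everything else is rejected. There is no
  # ESTABLISHED,RELATED shortcut, so connections opened before enforcement
  # cannot keep flowing directly.
  for net in 127.0.0.0/8 "$@"; do
    echo "iptables -A OUTPUT -d $net -j ACCEPT"
  done
  echo "iptables -A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT"
  echo "iptables -A OUTPUT -j REJECT"
  # IPv6 is not torified by the rules above, so block it except loopback.
  echo "ip6tables -F OUTPUT"
  echo "ip6tables -A OUTPUT -o lo -j ACCEPT"
  echo "ip6tables -A OUTPUT -j REJECT"
}

# Revert: restore exactly what was saved when enforcement started.
tor_enforce_revert() {
  echo "iptables-restore < $STATE4"
  echo "ip6tables-restore < $STATE6"
}

case "${1:-}" in
  start) shift; tor_enforce_rules "$@" ;;
  stop)  tor_enforce_revert ;;
esac
```

Review the printed commands before piping them to a root shell, e.g. `sh tor-enforce.sh start 192.168.1.0/24` (the script name is a placeholder).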

Re: [tor-talk] TB download improvement

2012-10-16 Thread Greg Norcie
On 10/16/12 3:29 PM, Andrew Lewman wrote:
> On Tue, 16 Oct 2012 14:55:02 -0400
> Greg Norcie  wrote:
>> 1.) Include small windows, apple, and tux logos on the download link
>> on the main tor page... these could serve as a symbolic cue that it
>> is a download link.
> 
> We had these in the past and people didn't recognize their own OS or
> what they were. Those interviewed thought they were just odd
> icons. However, I'm open to trying again. Maybe we have a new userbase.

I'd say as long as they didn't actively confuse users, they'd be a good
addition. Users who don't understand them will not be harmed, but those
who do recognize them will be helped.

>> 2.) Once on the download page, in the drop down list of languages that
>> is defaulted to "English" include a US and UK flag. Include flags from
>> representative countries in each language[1]. This is a common design
>> pattern on sites being accessed by many people speaking many languages
>> (eg: transit sites based in Europe)
> 
> We had this in the past. The problem we ran into is people getting
> really angry, or thoroughly confused, at the flag not matching their
> language. You noted this in your footnote too. I don't have a good
> option for this. Suggestions, advice, and patches welcome.
> 
> Making the language drop down larger can possibly help.

Could you put a graphic that says "language" in several languages?
(Whatever the top 5/10 most used are). Even if someone isn't in that
set, they've probably seen similar design choices in airports etc
denoting the same phrase in many languages.

--
Greg Norcie (g...@norcie.com)
GPG key: 0x1B873635



Re: [tor-talk] keep session for more than 10 minutes

2012-10-16 Thread somepony
I too am looking for an answer to this.  Using the vanilla Tor browser 
your identity changes (based on IP) automatically.  While that enforced 
anonymity is good in many cases, sometimes it makes a site impossible to 
use.  Personally for my Tor use I would like it ONLY to switch exit 
nodes when I hit the Use a New Identity button and on starting Vidalia.


I'm totally new and couldn't find a better solution than Snake Taste.  
Is it possible it's this:


*KeepalivePeriod* /NUM/

   To keep firewalls from expiring connections, send a padding
   keepalive cell every NUM seconds on open connections that are in
   use. If the connection has no open circuits, it will instead be
   closed after NUM seconds of idleness. (Default: 5 minutes)


Snake Taste wrote:

Hi,

I need to keep the vidalia/tor session with the same ip for more than 
10 minutes, I edited torrc with:

MaxCircuitDirtiness 3600
But it keeps on changing the ip, is this the right setting?

Thanks in advance

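A check for the two torrc options discussed in the message above, as an added example that is not part of the thread: MaxCircuitDirtiness is the option that bounds how long a circuit is reused for new streams, while KeepalivePeriod, per the manual text quoted above, only concerns keepalive cells on open connections. The sample torrc is constructed, and unit words are accepted on the assumption that both options use Tor's interval syntax.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample torrc:
SAMPLE_TORRC='SocksPort 9050
#MaxCircuitDirtiness 600
maxcircuitdirtiness 7200   # first attempt
MaxCircuitDirtiness 1 hour'

# torrc_effective OPTION DEFAULT_SECONDS   (torrc text on stdin)
# Prints "<seconds> <times-set>": the value that would be in effect and how
# often the option appears. Option names are matched case-insensitively,
# commented-out lines are ignored, and a later line overrides an earlier one.
torrc_effective() {
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" -v def="$2" '
    BEGIN {
      val = def; n = 0
      split("second minute hour day week", name, " ")
      split("1 60 3600 86400 604800", secs, " ")
      for (i = 1; i <= 5; i++) {
        mult[name[i]] = secs[i]; mult[name[i] "s"] = secs[i]
      }
    }
    { sub(/#.*/, "") }                  # strip whole-line and trailing comments
    NF >= 2 && tolower($1) == want && $2 ~ /^[0-9]+$/ {
      m = 1
      if (NF >= 3) {                    # optional unit word after the number
        u = tolower($3)
        if (!(u in mult)) next          # unknown unit: do not count the line
        m = mult[u]
      }
      val = $2 * m; n++                 # the last occurrence wins
    }
    END { print val, n }'
}

# torrc_report FILE : one summary line per option, with the defaults
# (10 minutes and 5 minutes) used when the option is not set.
torrc_report() {
  file=$1
  for pair in MaxCircuitDirtiness:600 KeepalivePeriod:300; do
    opt=${pair%%:*}; def=${pair##*:}
    res=$(torrc_effective "$opt" "$def" < "$file")
    secs=${res% *}; count=${res#* }
    case $count in
      0) note="not set, default applies" ;;
      1) note="set once" ;;
      *) note="set $count times, only the last line counts" ;;
    esac
    echo "$opt = ${secs}s ($note)"
  done
}

if [ -n "${1:-}" ]; then
  torrc_report "$1"
fi
```

Run it against the torrc the running Tor was actually started with; a Tor launched by Vidalia can be pointed at a different file than the one that was edited.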

Re: [tor-talk] registration for youtube, gmail over Tor - fake voicemail / sms anyone?

2012-10-16 Thread grarpamp
> It's not Tor's problem to solve. Both common sense and actual research
> [1] suggest otherwise. Tor only needs to steadily increase its
> popularity and teach users not to link their real identities to online
> activities. Service providers will then need to adapt their business
> models or lose users, and as a result, customers (advertisers in your
> case).

Totally agreed. Google's arguments in the two threads on this forum,
while admittedly open and appreciated, just don't make sense, whether as
to being consistent with themselves, or on their own. When I finish puking
maybe I'll help debunk them. For now, they're just the usual corporate,
kneejerk, cost minimized, data collecting, counter solutions we see time and
again. Come to think of it, any number of people on this list who participate in
Tor, opensource, speaking freely, doing good in general... who have grandfathered
Google accounts would be denied that chance today due to Google's current
policies. These participants haven't changed, Google has. It's really
quite sad :-(
Woes be to us for expecting more.