Re: [tor-talk] Tor and Financial Transparency

2013-09-12 Thread Nathan Freitas
On 09/12/2013 12:31 AM, Kragen Javier Sitaker wrote:
> I broadly agree with you (as I assume everyone does) that Tor is still
> worthwhile even though it doesn't try to defend against the global
> passive adversary.  However, I think you made a number of overreaching
> statements in your defense of Tor, some quite dangerous, and I want to
> call those out here.

Overreach maybe, but I do not think I veered into the "quite dangerous"
territory. Still, when you start trying to reason through discussions
like these, you can easily go down that road.

> There are any number of safes that have been opened with, say, a thermic
> lance, only to discover that the contents have been incinerated in the
> process.  Brute force does not always work even in the case of physical
> safes.

Right, but you can hypothetically talk about nanobot atom-disassemblers,
who can safely chew through the safe, and how the safe was not designed
for that potential eventuality, and so it is flawed.

I personally assume that someone could always open the safe, and access
the contents within. What I consider is, are the requisite resources to
do so equal with my value as a target? Will the adversary even know I
have the safe in the first place? I don't think most normal humans on
the planet have access to thermic lance proof safes.

>> This is a basic security metaphor that must be understood. There are
>> no absolutes. It is about how hard you make your adversary work.
> 
> We do have to accept that in the physical world, but in general in
> information security we do not; we can aspire to much better.  Most
> currently-deployed cryptosystems cannot be broken by known means within
> the lifetime of the universe to date, for example.  Tor is excellent,
> but we should not become complacent and stop seeking to do better.

Agreed. I am not saying be complacent. I am just trying to counter the
perspective that because Tor cannot do something, that it is
fundamentally flawed, broken, or without value.

>> Finally, one of the most promising uses of Tor are around
>> whistleblowing services like Globaleaks, which require a Tor hidden
>> service to access. In that case, the global adversary problem does not
>> exist, as the Tor exit and the web service are on the same box.
> 
> Even Tor hidden services are not designed to defeat the global passive
> adversary.  If, hypothetically speaking, you have traffic analysis
> (passive or active) that can trace circuits through the Tor network, you
> can probably figure out where hidden services are, and who is using
> them, and perhaps even who they are communicating with through them
> (particularly if the hidden service uses Comet).

Okay, but that is different than the entrance/exit correlation that most
people speak about when they are discussing global adversaries.

Anyhow, I've made my one comment per month, for better or for worse.
Considering the private email response I have received from Juan, it
probably was not a useful effort on my part to engage.

+n






-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Tor and Financial Transparency

2013-09-12 Thread Juan Garofalo

>
>Anyhow, I've made my one comment per month, for better or for worse.
>Considering the private email response I have received from Juan, it
>probably was not a useful effort on my part to engage.


For what it's worth: I didn't mean to send you a private message. For
some reason your message had a to:juan@g71... field so "reply to" sent you a
private message - and I failed to notice it.

Feel free to forward my messages and your reply(ies) to the list if you
want.






Re: [tor-talk] Tor browser can be fingerprinted

2013-09-12 Thread Marthin Miller
> On Wed, 11 Sep 2013 12:50:41 -0400 (EDT)
> Marthin Miller wrote:
>> Hi. The main problem for what you made public as Tor software is that
>> it uses 1024bit RSA keys which can be cracked in a few hours and
>> compromise Tor path.
> Do you have a source for this claim? All I've seen is speculation about
> what the NSA or GCHQ can possibly do.
>
> I believe this to be false currently.
> (But that doesn't mean we shouldn't fix it, because it will become true
> some time in the next few decades, and we don't know when that will be.
> (Good thing we're fixing it.))
>
> Can you provide proof of this?
> kthxnbai
>
> The articles I've been reading about the NSA breaking encryption have
> suggested that 1024bit encryption may be totally compromised, or
> ineffective... but proof is hard to come by.

It's not just a possibility, that's a fact! Adi Shamir described how an RSA
cracking machine (TWIRL) works (that's old! today we have much faster
hardware, as IBM's modern chips do), but RSA is even worse when it comes to
the discrete logarithm problem (http://www.slideshare.net/astamos/bh-slides);
this algorithm cracks even large RSA keys on regular computers without
spending lots of energy and money on chips. Well, individual researchers
don't have it yet, but it's wise to assume the worst scenario happening in
the worst agency in the world, as they always surprise us, not bore us. ECC
solves this problem for now. I recommend being more careful and adding a
post-quantum cipher (NTRU is patented, but you can talk to the inventors for
a license as Tor is not commercial software) for safety in the future
(2020?...) to encrypt session keys multiple times (first by ECC, then by
NTRU).
The proof is our logic. Using ECC and NTRU is not so hard; let's do that now
instead of waiting for somebody to officially tell us how they are cracking
weak RSA keys or strong ones...
To make sure cracking short RSA keys is not a possibility, just contact
Greenwald (Guardian reporter) and ask him how long it takes and how much it
costs; he has the paperwork.

>> Also if you let users choose how much security they want that's better
>> (for example choose high padding and time delay on relays if security
>> have more priority than speed)
> Unfortunately, this one is more complex than you imply as well. Take a
> look at "Anonymity Loves Company: Usability and the Network Effect"
> for much more discussion here:
> http://freehaven.net/anonbib/#usability:weis2006
>
> This is not so clear, but there's a ticket for it just the same, see
> https://trac.torproject.org/projects/tor/ticket/9387

That option slows down everything, yes, but it depends on our choice: better
speed or better privacy? If there were an option to choose what we need (like
Freenet) every time we open Tor, that would be much better.
For example, when somebody wants to check out Facebook he might choose low
security and high speed (three levels of padding amount and time delay), but
when they want to publish something secretly, the user is looking for more
security. The current design is really dangerous, as one bad relay can
compromise the whole path, but by choosing the third level of padding amount
and time delay for packets, just one good relay on the path guarantees our
safety. Doing this is not very complex. When a packet comes to a relay, after
decryption just one flag header at the beginning of the packet lets it know
how much padding to add and after how much random delay to send the packet to
the next relay. Using the third level of security will increase load on the
relay network, ya (in the worst case adding double-size padding to a packet
is fine, so load becomes 2x more on relays), and decrease browsing speed for
the user much more (they can choose more speed if they need).

>> but Tor browser have another big problem also
>> which compromise user's anonymity (fixing it is very simple). i
>> checked out http://browserspy.dk/screen.php from different machines
>> running Tor. problem is screen resolution is kind of unique!
> Maybe still relevant,
> https://blog.torproject.org/blog/effs-panopticlick-and-torbutton

Window size is really unique, especially in resized virtual machines. Lots of
people don't know about this window size problem! Let's assign a uniform size
to the Tor Browser window, which pops up automatically after connecting to
the network, and warn users about how unique screen size can be when they
click on the maximize button... because even if we use Tor Browser carefully
but other Tor users make mistakes, still we're unique as others don't have my
screen size...
(default screen size is 1000x674 hmm?)



Re: [tor-talk] Tor browser can be fingerprinted

2013-09-12 Thread mick
On Wed, 11 Sep 2013 17:17:47 -0700
Andrew F allegedly wrote:
> 
> If your not targeted, you have nothing to worry about.
> 
Conversely, if you are targeted you are pretty much hosed whatever you
do. 

It all depends on your personal threat model. Who/what are you trying
to evade, why and what level of risk are you prepared to take.

Mick  

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-talk] Tor browser can be fingerprinted

2013-09-12 Thread Lunar
Marthin Miller:
> window size is really unique specially in resized virtual machines. lots of
> people don't know about this window size problem! lets assign a uniform size
> to the Tor browser window which popup automatically after connecting to
> network and warn users about how unique screen size can be when they click
> on maximize button... because even if we use Tor browser carefully but other
> Tor users make mistake, still we're unique as others don't have my screen
> size...

#7255: Prompt if Tor Browser is Maximized


Patches welcome, that's for sure.

-- 
Lunar 




Re: [tor-talk] Tor browser can be fingerprinted

2013-09-12 Thread harmony
Is the window size that Tor Browser uses when you first open it to be
taken therefore as some kind of default, not to be changed, or can you
resize the window as much as you like, as long as you don't maximize it?

This would be quite useful information for users with small screens.

Lunar:
> Marthin Miller:
>> window size is really unique specially in resized virtual
>> machines. lots of people don't know about this window size
>> problem! lets assign a uniform size to the Tor browser window 
>> which popup automatically after connecting to network and warn
>> users about how unique screen size can be when they click on
>> maximize button... because even if we use Tor browser carefully
>> but other Tor users make mistake, still we're unique as others
>> don't have my screen size...
> 
> #7255: Prompt if Tor Browser is Maximized 
> 
> 
> Patches welcome, that's for sure.
> 
> 
> 



Re: [tor-talk] Tor and Financial Transparency

2013-09-12 Thread Nathan Freitas
On 09/12/2013 03:13 AM, Juan Garofalo wrote:

> I made a concrete point. Tor doesn't protect individuals from 
> particular* governments. You replied with a general truism of sorts : It's 
> better to have more security than less security. Well, yeah, true. But that 
> doesn't address my point, I think.  
> *first and foremost, the US government and its 'allies'.

My response was not a general truism. It was an important lesson for
users of any system, that there is always a weakness, always an exploit,
even if Tor were engineered itself to protect from all adversaries.

I remember when the FBI arrested one member of Lulzsec by sitting
outside a potential suspect's house, sniffing his wifi (potentially by
cracking it?), and seeing that there was a lot of traffic to Tor
entrance nodes. If he had only used ethernet or a VPN to wrap his Tor
connection, it would not have happened. This is not a flaw in Tor (that
Tor does not do a better job in obfuscating entrance nodes), this is
just the reality of atoms and flesh.

When I work with Chinese and Tibetan activists, and they can actually
get an obfs3 bridge connection working inside of China, they are happy
to have it, but know it is only a matter of time before the IP is
scanned and blocked. I am eager for all of the various pluggable
transport R&D to help expand this time window to days, weeks and months,
but I am under no impression that any implementation will solve the
problem forever. It will just force the Chinese surveillance system to
spend more processing power, more money, more energy. That is NOT a flaw
in Tor.

> I mean, you don't think the topic is interesting and it's been 
> discussed multiple times. Why bother replying then.

I think you have something useful to contribute, and seem like a
thoughtful person. I just became interested in trying to push the
conversation to somewhere different than the usual territory. If you are
not interested in that, then EOM.

> 
> 
>> >I am just trying to steer the conversation into more
>> >interesting territory. I think you are making good points about the
>> >perception of Tor by some users ("Always Anonymous From Everyone All of
>> >the time!!!") and the reality. 
>> >Perhaps we can talk about then what Tor
>> >can do to better communicate this to users, so they can make their own
>> >decisions.
> I'm not sure I fully grasp what you're getting at. I personally am 
> presenting a skeptical view of Tor but maybe it's just me, in which case you 
> don't really need to better communicate anything to other users. 
> 
> If on the other hand there's a more general skepticism regarding US 
> military projects, then maybe yes, you should try to make a better case for 
> Tor.

If we are still at the point where you are calling Tor a "US military
project" then I am not sure I can make any case that would satisfy you.

Google is a US Military Project (see USG/DARPA funding of Standard
Digital Library research in the 1990s), yet you are using Gmail, you
find value in it. If you have a mobile phone, that is largely the result
of a US Military Project (World War II), and is clearly a tool for mass
surveillance and logging. Perhaps you do not use one? Maybe.

Ultimately, I come at this as an activist looking for tactics and tools
to help me win. I am not a cryptologist, I am not a mathematician. I
believe myself clever enough, and the people I support, to use these
tools in a way that provide maximum benefit, and outweigh their risks.

Tor does a better job than any other technology product that exists to
maintain my faith that the technology does what it says on the box. That
is the best case I can make for it.

+n


Re: [tor-talk] Tor browser can be fingerprinted

2013-09-12 Thread Nico De Wilde
Additionally (my 2 cents)

People tend to mix up various things; when looking for 100% anonymity there
is much more that needs to be done than downloading the bundle.

It's a change of lifestyle especially if you have very high requirements
about a 100% solution.  Tor is a part in this, but for sure not the only
thing that needs consideration.

As Mick mentioned, a proper analysis requires full information regarding
the threat model.

Willing to elaborate further on this.

Peace

Nico

On 12/09/13 13:38, "mick" wrote:

>On Wed, 11 Sep 2013 17:17:47 -0700
>Andrew F  allegedly wrote:
>> 
>> If your not targeted, you have nothing to worry about.
>> 
>Conversely, if you are targeted you are pretty much hosed whatever you
>do. 
>
>It all depends on your personal threat model. Who/what are you trying
>to evade, why and what level of risk are you prepared to take.
>
>Mick  


[tor-talk] Bandwidth Scheduling for Relays

2013-09-12 Thread Lars Noodén
I have a feature request.  It would be nice for a future version of Tor
to allow scheduling at least one alternate value for RelayBandwidthRate
and RelayBandwidthBurst for a span of time.  This would allow relays to
operate at higher speeds when their host network is normally less active.

One example is from torrent software.  Transmission allows one alternate
speed for one block of time.  kTorrent allows much more complex
scheduling varying by hour and day of week.

However, this is not a high priority compared to some other things.  And
one current workaround is to have multiple configuration files and to
load them with cron.

Regards,
/Lars



Re: [tor-talk] Bandwidth Scheduling for Relays

2013-09-12 Thread Andrew Lewman
On Thu, 12 Sep 2013 17:34:43 +0300
Lars Noodén wrote:

> I have a feature request.  It would be nice for a future version of
> Tor to allow scheduling at least one alternate values for
> RelayBandwidthRate and RelayBandwidthBurst for a span of time.  This
> would allow relays to operate at higher speeds when their host
> network is normally less active.

Sounds great. We just need some code,
https://trac.torproject.org/projects/tor/ticket/2740

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [tor-talk] Indirect Tor question

2013-09-12 Thread The Doctor
On 09/09/2013 05:27 PM, Eugen Leitl wrote:

> Even coreboot helps you very little, as there is simply too much 
> proprietary crap in a typical PC platform where you can drop 
> undetectable (out of band) malware.

For everyone who is sufficiently motivated to start working on this
problem, the following archive will undoubtedly be interesting:

http://opencores.org/

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"You and the chief are the only ones in this section whose bodies
don't come with a warranty."



Re: [tor-talk] [Fwd: My reason to stop using Tor]

2013-09-12 Thread Antonio J. Delgado

Hi,

Computer with Ubuntu 12.04 and tor 0.2.3.25-1~quantal+1 as exit node.
NATed and port redirected by a dd-wrt router connected to a fibre 
connection at home (just RJ-45 in the wall).


So not compromised at all, I was just used to try to contact a website
(don't know which one, not revealed by my ISP), but the way that site was
contacted was in a way looking for a vulnerability, so the site
owner contacted my provider to inform of an abuse. The attacker tried to
inject some SQL query using the tor network to hide himself (and
leaving my ass uncovered).


Some people said, don't use your connection at home and use a server. 
I'm running a server too for services I want to have... but I don't want 
to lose that service for a demand! And paying a host just for tor... 
it's more than what I can afford (and why should I pay for a host so a 
guy can play hacking games?).

And, do I want to support this kind of people?
I fully support freedom, and privacy. But my freedom ends where other
people's freedom starts, and using freedom in a way other people get
hurt or are abused is something I don't want to support. And I don't
want to be the cover of someone else. So I think this project needs some 
changes to avoid abuse, don't know what yet, but otherwise I'm afraid it 
will die.


On 2013-09-11 23:01, bm-2d9whbg2vekslcsgbtplgwdlqypizsq...@bitmessage.ch 
wrote:

Hi,
As someone who runs a tor relay at home, is there anything you can share
about how your system was set up?

For example:
Which version of the software were you using, and on which operating system?
Were you running a relay or an exit node?
How was your network configured (e.g. was the relay/exit node behind a
router with NAT?), and were any of your other machines compromised?

Just hoping to avoid the same fate...thanks!


 Original Message 
Subject: [tor-talk] My reason to stop using Tor
From: "Antonio J. Delgado"
Date: Wed, September 11, 2013 12:30 pm
To: tor-talk@lists.torproject.org
--

Hi,
I just received a letter from my ISP abuse department. Someone tried to
do some SQL injection attack using my tor node and my IP address is now
banned from a lot of services and websites (not Google or Facebook, more
important sites for me like the EU site and universities). Yes, it's not
fair, I can cry to my ISP saying that the agreement is not fair. But I
will lose. And of course there is no other option for me, than
disconnect tor.
I wanted to post this message somewhere, where persons that use tor to
hack into other systems can read it, hope this is a good place. You're
killing tor, dude!
I began working with computers for knowledge, and hacking is one great
way to know more. But hacking is not what people do when they hide using
tor. This is cracking, this is not knowledge, this is not activism.
So, maybe I'm just one, but probably I'm just the one who took some time
to post about this before closing you a door.
Regards




Antonio J. Delgado
"I disapprove of what you say, but I will defend to the death your right to
say it." (Evelyn Beatrice Hall quoting François Marie Arouet, alias
Voltaire)


Re: [tor-talk] Indirect Tor question

2013-09-12 Thread Nathan Suchy
I like that idea. We need processor companies to stop owning their products
and to just let them go after we buy the product. It sucks being locked
into one solution...


On Thu, Sep 12, 2013 at 1:15 PM, The Doctor wrote:

> On 09/09/2013 05:27 PM, Eugen Leitl wrote:
>
> > Even coreboot helps you very little, as there is simply too much
> > proprietary crap in a typical PC platform where you can drop
> > undetectable (out of band) malware.
>
> For everyone who is sufficiently motivated to start working on this
> problem, the following archive will undoubtedly be interesting:
>
> http://opencores.org/



-- 
Nathan Suchy
If this email was not intended for you delete it and any copies you have of
it. The email was intended for "FirstName LastName". Information in this
email may be confidential and releasing it may be a violation of US law.


Re: [tor-talk] [Fwd: My reason to stop using Tor]

2013-09-12 Thread shutterbug
Let's calm down for a second. I'm sorry you had trouble with abuse handling. 
However, you chose to run an exit node and got trouble with abuse handling. 
That's unfortunate but there were tons of warnings on the Tor web site. I can 
understand that this is very frustrating, but emotionally driven rants against 
Tor don't help you out. There is a Tor relays list where you could ask 
operators for advice.

> And, do I want to support this kind of people?
> I fully support freedom, and privacy. But my freedom ends where other 
> people's freedom start, and using freedom in a way other people get hurts or 
> are abused is something I don't want to support.

You don't get to choose the people that are using you as exit node and you 
shouldn't. To me, that's the freedom Tor provides. There are bad guys abusing 
the system and there always will be.

There are people being killed with knives. Should that make you stop selling / 
buying / using them?

> And I don't want to be the cover of someone else.

Then don't run an exit node. Run a relay or a bridge instead.

> So I think this project needs some changes to avoid abuse, don't know what 
> yet, but otherwise I'm afraid it will die.

To me, this is not a technical matter that can be fixed in software. There are 
organizations (e.g., tor servers, CCC) out there that run exit nodes and do 
abuse handling. These things already exist.




Re: [tor-talk] Tor browser can be fingerprinted

2013-09-12 Thread Bernard Tyers


Nico De Wilde wrote:

>As Mick mentioned, a proper analysis requires full information
>regarding
>the threat model.
>
>Willing to elaborate further on this.

I agree with this, but I'd still be interested in hearing what you have to say 
about it.

Thanks
Bernard

-- 
Sent from Kaiten Mail. Please excuse my brevity.


Re: [tor-talk] Tor Relays (not just exit nodes) blocked on Healthcare.gov?

2013-09-12 Thread The Doctor
On 09/11/2013 02:22 PM, Elrippo wrote:
> Confirmed, sadly...

Via Tor:

Access Denied
You don't have permission to access "http://www.healthcare.gov/" on
this server.

Reference #18.e3f9645f.1379006784.1eeadc63

Via clear Internet:

The Health Insurance Marketplace is coming soon... blah blah blah...

Confirmed.

-- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"You and the chief are the only ones in this section whose bodies don't
come with a warranty."



Re: [tor-talk] Tor browser can be fingerprinted

2013-09-12 Thread Asa Rossoff
From Marthin Miller, Thursday, September 12, 2013 10:58 UTC:
> window size is really unique specially in resized virtual machines. lots of
> people don't know about this window size problem! lets assign a uniform size
> to the Tor browser window which popup automatically after connecting to
> network and warn users about how unique screen size can be when they click
> on maximize button... because even if we use Tor browser carefully but other
> Tor users make mistake, still we're unique as others don't have my screen
> size...
> (default screen size is 1000x674 hmm?)

One idea I have is to support only two pixel resolutions, but allow the
window to be resized.  Use the pixel resolution that is at or higher than
the current window size, and use the full-page scaling feature.

I don't have the stats (widely available) on normal screen resolutions, or
more importantly perhaps (unless both figures are available by script or
some other means), the available display area, which we could determine the
likely such display areas for Firefox browsers and limit to that.  And even
allow sidebars, toolbars, etc., but always report one of the two screen and
display areas.

For screen sizes, as I recall:
800x600 is almost unused now
1024x768 is also not most common anymore
1280x720 or 1280x960 may be most common by a fair bit??

Typical users have displays ranging from 1024x768 to 1920x1080 or 1920x1200
(with some users having even higher resolutions such as ~2560xN). 16:9
displays are the most common on new laptops for several years, with 16:10
being most common before that and possibly most common for desktops still...
4:3 is used in only a minority of laptops, and I suspect laptop use
surpasses desktop use.  In any case, the current estimates are widely
available, as logged by a couple of major sites, and surely some minor sites
as well.

My thought is have it appear that all Tor users have either:
(A) the most common resolution display/display area (resize the window to
maintain proportion when toolbars/sidebars/menus modified or user resizes
the window), or;
(B) a common wide-screen high resolution display, e.g. 1920x1080 (choice to
be made after considering popularity statistics and balancing with usability
for actual Tor high-res users).

With both options, enforce fixed to one of the two display area proportions
(nearest) and virtual resolutions (>= actual).  Full-page scale
automatically to actual resolution.  Allow user to scale page by normal
means from there if they wish, unless that would expose the user in some
way.

Handle full-screen mode similarly, but if the user's display aspect ratio is
different than one of the two supported ones, part of the display should be
unusable and resolution unnoticeable to websites or scripts.  (e.g. 16:9
"full screen" on a 16:10 display will have black top and bottom bars that
cannot be measured or used by websites).  In full-screen mode it is
acceptable to support the full emulated display resolution.

Asa

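Added illustration, not part of any message in this thread and not Tor Browser code: a sketch of the two-resolution idea from the last message, showing how a real window maps to one of two reported sizes, the page scale and unusable bars that result, and how many distinct values a site would see before and after. The two bucket sizes, all function names and the sample window list are assumptions constructed for the example; the fallback for windows larger than both buckets is also an assumption.

```javascript
"use strict";

// Assumed buckets: the thread leaves the actual two resolutions open.
// Kept in ascending order so the first fit is the smallest fit.
const VIRTUAL_SIZES = [
  { width: 1280, height: 720 },  // stands in for option (A), "most common"
  { width: 1920, height: 1080 }, // stands in for option (B), wide-screen high-res
];

// Smallest virtual size that is >= the actual window in both dimensions.
// Assumption: if the window exceeds every bucket, use the largest bucket
// and scale the page up instead of reporting a third value.
function pickVirtualSize(actualW, actualH) {
  const fit = VIRTUAL_SIZES.find(
    (v) => v.width >= actualW && v.height >= actualH
  );
  return fit || VIRTUAL_SIZES[VIRTUAL_SIZES.length - 1];
}

// What scripts would be told, and how the page is actually drawn.
// scale:  full-page zoom so the virtual viewport fits the real window.
// barX/Y: width of each unusable bar (left/right, top/bottom) in real
//         pixels; page content never reaches them, so it cannot measure them.
function planViewport(actualW, actualH) {
  if (!(actualW > 0 && actualH > 0)) {
    throw new RangeError("window dimensions must be positive");
  }
  const v = pickVirtualSize(actualW, actualH);
  const scale = Math.min(actualW / v.width, actualH / v.height);
  return {
    reported: `${v.width}x${v.height}`,
    scale,
    barX: (actualW - v.width * scale) / 2,
    barY: (actualH - v.height * scale) / 2,
  };
}

// Number of distinct values an observer sees for a population of windows.
function distinctCount(windows, project) {
  return new Set(windows.map(project)).size;
}

// Constructed sample of real window sizes (not measured data).
const SAMPLE_WINDOWS = [
  [1000, 674], // default size mentioned in the thread
  [987, 611],  // hand-resized window
  [1280, 720],
  [1024, 768],
  [1366, 768],
  [1440, 900],
  [1920, 1200], // full screen on a 16:10 display
];

// Compare what a site learns with raw sizes versus bucketed sizes.
function compareFingerprintSurface(windows) {
  return {
    raw: distinctCount(windows, ([w, h]) => `${w}x${h}`),
    bucketed: distinctCount(windows, ([w, h]) => planViewport(w, h).reported),
  };
}

console.log(planViewport(1000, 674));
console.log(planViewport(1920, 1200));
console.log(compareFingerprintSurface(SAMPLE_WINDOWS));
```

In this sketch the 16:10 full-screen case gets 60-pixel bars at the top and bottom, matching the black-bar behaviour described in the message, and the seven sample windows collapse to two reported sizes.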