[tor-talk] (no subject)
SARRIS good day I need help . running tor onion browser bundle on a Panasonic Toughbook cf-29 running on 32bit 14.04 Ubuntu oS only . Microsoft windows has been removed out of the thoughbook . like you to send to me a how to run tor onion browser via command prompt on a Panasonic thoughbook cf-29 running only on a 32 bit 14.04 Ubuntu operating system . -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor in the media
Hi everyone, Over the past few weeks, I've talked with a number of Tor people about how the project is portrayed in the media. As a reporter on this beat, the many legitimate criticisms the community have had strike pretty close to home for me. I don't think I need to tell this list why Tor's portrayal in the media is important, now more than ever. So, with the blessing and encouragement of a couple of official Tor people, I've got a question to ask of tor-talk (secure contact info follows at the bottom of the message): -- What untold but important stories about Tor are you willing to share? When writing about Tor, it's relatively easy to write about, for instance, popular hidden services (and I've admittedly done it plenty). The drug markets that advertise themselves and run a business are often more than willing to talk to reporters. They're even proactive about it. It's much tougher for a reporter to nail down important Tor stories about, as another example, domestic abuse victims using the software or political activists protecting their lives with it. That makes perfect sense, those people rely on anonymity in a much different way than enterprising drug dealers, but this reality makes it trickier for reporters to tell the full story when it comes to Tor. The trick, then, is to be proactive as well. I recently took a swing at writing precisely the kind of article I'm talking about--an untold but important story about how Tor is used in the wild--here: http://kernelmag.dailydot.com/issue-sections/features-issue-sections/10393/tor-transgender-military-service/ ... I was inspired in large part by articles like this: http://betaboston.com/news/2014/05/07/as-domestic-abuse-goes-digital-shelters-turn-to-counter-surveillance-with-tor/. The BetaBoston article is very good, obviously, but it's a too-rare breed. I'd like to hear from anyone who might be willing to talk about (on the record or off) untold but important Tor stories that can shed light on the way the software serves its users. By design, I'll never get the full picture, but we can surely do more than surface scratching. If you have a story to tell, if you know someone who might, if you can think of others who I should be talking to, or if you have a good direction to point me in, I would love to hear from you. Or if you just want to talk more about Tor in the media, that's a topic I'm really interested in as well to be honest, so I'm happy to talk about that. If you're interested in talking (again, on the record or off, it's still valuable to hear stories I won't write about), you can find my contact info and PGP key at http://www.patrickhowelloneill.com/contact , you can email me here (my personal email), or at p...@dailydot.com. Obviously we can also work out other ways of communicating if need be. Thanks! -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
On Wed, 2014-10-01 at 16:33 -0400, Derric Atzrott wrote: > > So then blocking Tor is intended to block people that temporarily have > > access to large amounts of unblocked IP addresses, but usually are IP > > blocked? > > > > Who does this apply to? If a vandal has access to unblocked IP addresses > > to make accounts, they can just use those to edit or sockpuppet. > > So I don't actually administer blocks on English Wikipedia, and I am not > an editor on any other language Wikipedias, but on English Wikipedia this > is what I understand the process to be. > > When a user acts up and has an account we temporarily block that account. > If they decided to create another account we usually block the new account > permanently and hard-block the IP address that they are accessing the site > from. This prevent them from making a new account or sockpuppeting while > logged out. Most users don't evade blocks, so this tends to work pretty > well. > > With Tor unblocked a significant minority of those users who had their > IP > address hard-blocked will use Tor to create new accounts and continue > to cause problems. With Tor blocked they have to find another means. > Some of them do, but most of them give up. Its a war of attrition. > We know that problematic people /will/ find a way to cause a problem, > we just make it expensive enough that they get bored and don't bother. With Tor soft-blocked, this problem goes away. What am I missing? -- Sent from Ubuntu signature.asc Description: This is a digitally signed message part -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > So then blocking Tor is intended to block people that temporarily have > access to large amounts of unblocked IP addresses, but usually are IP > blocked? > > Who does this apply to? If a vandal has access to unblocked IP addresses > to make accounts, they can just use those to edit or sockpuppet. So I don't actually administer blocks on English Wikipedia, and I am not an editor on any other language Wikipedias, but on English Wikipedia this is what I understand the process to be. When a user acts up and has an account we temporarily block that account. If they decided to create another account we usually block the new account permanently and hard-block the IP address that they are accessing the site from. This prevent them from making a new account or sockpuppeting while logged out. Most users don't evade blocks, so this tends to work pretty well. With Tor unblocked a significant minority of those users who had their IP address hard-blocked will use Tor to create new accounts and continue to cause problems. With Tor blocked they have to find another means. Some of them do, but most of them give up. Its a war of attrition. We know that problematic people /will/ find a way to cause a problem, we just make it expensive enough that they get bored and don't bother. We block all proxies that we know of for the same reason. Apparently that significant minority of folks that would abuse Tor seems to outnumber those who legitimately use Tor, or at least that is the impression those who have to clean up the mess have. The point of an IP Block Exemption (IPBE) is to give an especially trusted user the ability to login and edit even if they are doing so from a hard-blocked IP address. All administrators automatically have this flag. As far as I know the reason why it is not given out easily is that in the past some users would create extra accounts before they were blocked, and make some constructive edits with those accounts. Then when their main account was blocked, they would wait long enough for the IP addresses on the sleeper accounts to be removed from our logs and then request IP Block Exemptions via email. This is also why you can't just email in and say "Hey, can you make me an account please and give it an IPBE? kthxby" Personally I think the policy for IPBEs has swung too far in the direction of never-give-them-out, but I don't think I will have any luck changing that unless I can find some way to help assure that it is still very expensive for vandals and sockpuppets to use Tor and proxies to evade blocks. Does that answer the question? Or am I still unclear? Thank you, Derric Atzrott -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) iD8DBQFULGUERHoDdZBwKDgRAiBUAJ43QbhZXedzO0RFOkKQNdo+C/f2DACfXcL7 7wsoZQWU1x4egsKhYfmINQM= =u9uT -END PGP SIGNATURE- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > it did. very clear now. sorry for not grokking it better first time > around. No worries. Such things happen; I could have been more clear. > Thanks for bringing this up once more! The topic seems to recur even > more frequently than once a year around here. I'm glad to hear that! > Two recent and relevant discussions: > > Your colleague Lane Rasberry started a similar thread earlier this year > and an accompanying IdeaLab page, read more here: > https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-february-19th-2014 > (third item down) and > https://meta.wikimedia.org/wiki/Grants:IdeaLab/Partnership_between_Wikimedia_com munity_and_Tor_community I'll read those and see what I can get out of them. I'm glad that Lane has been involved in trying to work on this as well. A while back he offered to work with me on a project if I wanted to. Perhaps this would be the oppurtunity to take him up on that as we seem to have similar goals here. > Not Wikimedia-specific, but Roger Dingledine recently wrote about paths > to letting web services feel they can accept anonymous users, and > mentioned an upcoming project on Wikipedia at the end: > https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anon ymous-users This was actually one of the posts that inspired me to try to take some action on this. See [1] for my original post on Wikitech-l where I mention that very blog post. Roger mentions Wikimedia several times in his blog post. > It would be good if the experience of these and other previous > discussions could be built upon, otherwise I fear this topic will > continue to circle morosely on the luggage carousel of things that ought > to be done, with no takers. I've tried to do that with the Wikitech-l discussions. I tried to read through all of the previous discussions on the topic and sum up their contents so that everyone was up to speed and could quickly figure out what had been discussed before and why it didn't work. You can see that post here: [2]. It might actually be worth giving a look over even as this is a topic that has been discussed at least a few times already in the Wikimedia Technical community. > Thank you for running an exit relay! You're welcome! Hopefully I can keep it online. I went with Leaseweb as they seem to be pretty friendly to relays. I'm in talks with a local datacentre here in my city in the United States to see if they'll let me run a relay out of there as well. Also I appologise to everyone for my long posts. I know that they are a lot to read. Thank you, Derric Atzrott [1]: https://www.mail-archive.com/wikitech-l@lists.wikimedia.org/msg78218.html [2]: https://www.mail-archive.com/wikitech-l@lists.wikimedia.org/msg78225.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) iD8DBQFULGFnRHoDdZBwKDgRAoVhAJ4zYajyCg8O1yF1LtB7/AHbE4kJbwCdHbPg MOplkqKNYYbRxw6/wjlCHhs= =PvHP -END PGP SIGNATURE- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
On Wed, 2014-10-01 at 15:50 -0400, Derric Atzrott wrote: > > this is extremely interesting--thank you! but would this work for Tor, > > since presumably the IPs that are blocked are those of the exit relays? > > > > I am proposing keeping the IPs blocked but opening them up for certain > > logged-in accounts--I don't know if that is technically possible, but it > > seems like a narrower solution, and also theoretically less open to > > abuse/spoofing than unblocking entire IP addresses. (maybe.) > > I think you may have misunderstood. An IP Block Exemption is a flag > applied to a specific account that allows it to ignore IP blocks. > > There are two types of blocks that we use for IP addresses, hard blocks > and soft blocks. A hard block means that if you are using that IP address > you cannot edit Wikipedia. A soft block means that if you are using that > IP address, you can edit Wikipedia, but only if logged in, and you cannot > make an account. Many highschools are soft-blocked. All of Tor is hard- > blocked. Having the IPBE flag on your account allows you to treat all > hard-blocks as though they are soft-blocks. So then blocking Tor is intended to block people that temporarily have access to large amounts of unblocked IP addresses, but usually are IP blocked? Who does this apply to? If a vandal has access to unblocked IP addresses to make accounts, they can just use those to edit or sockpuppet. -- Sent from Ubuntu signature.asc Description: This is a digitally signed message part -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
On Wed, Oct 1, 2014 at 3:50 PM, Derric Atzrott wrote: > > Did that explain it any better? > it did. very clear now. sorry for not grokking it better first time around. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
On 2014-10-01 13:57, Derric Atzrott wrote: Good day all, Hi, Thanks for bringing this up once more! The topic seems to recur even more frequently than once a year around here. Two recent and relevant discussions: Your colleague Lane Rasberry started a similar thread earlier this year and an accompanying IdeaLab page, read more here: https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-february-19th-2014 (third item down) and https://meta.wikimedia.org/wiki/Grants:IdeaLab/Partnership_between_Wikimedia_community_and_Tor_community Not Wikimedia-specific, but Roger Dingledine recently wrote about paths to letting web services feel they can accept anonymous users, and mentioned an upcoming project on Wikipedia at the end: https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users It would be good if the experience of these and other previous discussions could be built upon, otherwise I fear this topic will continue to circle morosely on the luggage carousel of things that ought to be done, with no takers. Additionally it should be noted that I have a passing familiarity with Tor as both a user and recently became an exit relay operator, though if I missed something blindly obvious, definitely please point it out to me! Thank you for running an exit relay! -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > this is extremely interesting--thank you! but would this work for Tor, > since presumably the IPs that are blocked are those of the exit relays? > > I am proposing keeping the IPs blocked but opening them up for certain > logged-in accounts--I don't know if that is technically possible, but it > seems like a narrower solution, and also theoretically less open to > abuse/spoofing than unblocking entire IP addresses. (maybe.) I think you may have misunderstood. An IP Block Exemption is a flag applied to a specific account that allows it to ignore IP blocks. There are two types of blocks that we use for IP addresses, hard blocks and soft blocks. A hard block means that if you are using that IP address you cannot edit Wikipedia. A soft block means that if you are using that IP address, you can edit Wikipedia, but only if logged in, and you cannot make an account. Many highschools are soft-blocked. All of Tor is hard- blocked. Having the IPBE flag on your account allows you to treat all hard-blocks as though they are soft-blocks. Did that explain it any better? Thank you, Derric Atzrott -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) iD8DBQFULFsORHoDdZBwKDgRAhRPAJ4q+f6M9/KkZ1YvRjJ8hVXJI/a3QACeNCI6 13cqgBU6HIW2jwrKNTti0Yk= =PMxs -END PGP SIGNATURE- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
> hi people > i am unfamiliar with this stuff. how many people can see/ read this here? The logs for this mailing list are publicly available. Don't say anything you don't want the world to know. Thank you, Derric Atzrott -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
On Wed, Oct 1, 2014 at 2:42 PM, Derric Atzrott wrote: > > There is a mechanism for this. It is called an IP Block Exemption (IPBE), > sadly it is very hard to get because people fear its abuse so much. I have > actually only just got it after I brought up the topic of Tor and talked > to some folks off-list about why Tor matters to me. I've been editing > Wikipedia for over five years now. > > this is extremely interesting--thank you! but would this work for Tor, since presumably the IPs that are blocked are those of the exit relays? I am proposing keeping the IPs blocked but opening them up for certain logged-in accounts--I don't know if that is technically possible, but it seems like a narrower solution, and also theoretically less open to abuse/spoofing than unblocking entire IP addresses. (maybe.) -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
hi people i am unfamiliar with this stuff. how many people can see/ read this here? Greg Curcio On Wed, Oct 1, 2014 at 11:34 AM, Mirimir wrote: > On 10/01/2014 12:10 PM, Derric Atzrott wrote: > > > > >> Even imposing a nontrivial cost for creating accounts (say 10 BTC) would > >> not help. Determined adversaries would pay it. And of course, that would > >> exclude numerous innocents who wouldn't or couldn't pay. > > > > Yeah, I was just listing off some items that we came up with > brainstorming > > over the past few years. Clearly that item was cut fairly quickly. Some > > type of proof of work might work, so long as it was expensive enough to > > deter attackers after the first few times while still cheap enough to > > generate just once for well behaved actors. > > Wikimedia could authenticate users with GnuPG keys. As part of the > process of creating a new account, Wikimedia could randomly specify the > key ID (or even a longer piece of the fingerprint) of the key that the > user needs to generate. Generating the key would require arbitrarily > great effort, but would impose negligible cost on Wikimedia or users > during subsequent use. Although there's nothing special about such GnuPG > keys as proof of work, they're more generally useful. > -- > tor-talk mailing list - tor-talk@lists.torproject.org > To unsubscribe or change other settings go to > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How does Tor help abuse victims?
On 10/01/2014 12:21 PM, Sebastian G. wrote: > Mimir: >> Tor can provide anonymity, including location anonymity, for victims of >> offline abuse, who have perhaps relocated for protection. Even for >> victims of online abuse, Tor can help protect against doxing. > > I hadn't imagined that victims keep in contact with their abusers or > have their communication data exposed to their abusers. Often there are associations through family, mutual friends, etc. Errors of judgment are not uncommon. For example, it's trivial to learn someone's IP address using an image tag in email, forum post, etc. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > Is there any mechanism available by which, e.g., known & trusted editors > could request Tor access for specific login credentials/accounts, and Tor > only allowed for those accounts? This would also help to address Derric's > interest in allowing users from repressive regimes without allowing the > vast amounts of destructive edits that have so far come from Tor. Since > Wikimedia accounts are designed to be at least quasi-anonymous, placing a > request for Tor access through the Wikimedia messaging system should not in > itself reveal one's identity. > > so one way to get one of these accounts would be, as many of us do, create > a regular (non-Tor) account, perform a good number of simple, > non-destructive edits (cleaning up already-marked items on WP pages, for > example), and then to request a special Tor account. There is a mechanism for this. It is called an IP Block Exemption (IPBE), sadly it is very hard to get because people fear its abuse so much. I have actually only just got it after I brought up the topic of Tor and talked to some folks off-list about why Tor matters to me. I've been editing Wikipedia for over five years now. Generally they point to the fact that you can just turn off Tor when you want to edit Wikipedia, which misses the point, but is still the general response. Erik Moller, Deputy Director, at the Wikimedia Foundation, actually tested the system for getting an IPBE once a few years ago and it failed his test miserably. The criteria are too high for most users, even established ones. > maybe if this works for established editors, a trial could be run to allow > a limited number of new accounts through Tor to be set up, again by > personal request, and edits allowed only through those approved accounts, > allowing the Wikimedia software to carefully watch over these accounts for > destructive editing and blocking them if this happens. People would > therefore not be allowed to automatically create accounts in Tor in > Wikimedia projects, nor to edit without logging in, but if the method > works, a certain amount of editing over Tor could be possible. Anyone can email in to get an account made, its getting the IPBE that is hard. > the overhead in approving accounts would be relatively low, and a limited > number could be created, so that not a great deal of oversight would be > necessary. Perhaps even a secure messaging facility could be created to > request such accounts (if it doesn't exist already). We have a system for handling emailed in requests of all sorts. We make use of OTRS to handle the sites email inboxes and have a limited number of highly trusted volunteers that handle answering mail and making sure requests, like account creation, get directed to the proper people. > I would presume that a Tor-based Wikimedia account opened solely by > messaging Wikimedia securely would be relatively hard to track down to a > specific individual (especially if it eventually becomes possible to > request these without first becoming a trusted editor), but I may not be > thinking through all the possibilities. Definitely. And the system you describe in your email is basically the status-quo. Tor and all other proxies we can find are blocked unless you have an IP Block Exemption on your account, in which case you are good to go. The problem is that getting an IP Block Exemption is so difficult for a variety of social and policy reasons. I'm hoping that if some sort of technical solution can be come up with that would allow us to reduce the risk of abuse to the level that we have with non-anonymous IP users editing (so blocks work in most cases, except for that odd guy who knows how to set up a proxy themselves, or is willing to drive to 15 different Wi-fi hotspots around town) that I will have more luck in changing the attitudes and policy towards Tor. The end goal is to either have Tor completely unblocked or have the process for getting an IPBE made significantly easier. A few folks pointed out on the Wikimedia technical mailing list that the problem is more of a social issue, that appears like it could have a clever technical solution, but is really just a social problem. Personally I believe that while it is partially a social problem, a clever technical solution might alleviate that some and help change attitudes. Thank you, Derric Atzrott -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) iD8DBQFULEr0RHoDdZBwKDgRAr1jAKCvSdfu2TS7TnGry1HUEcUmO0l/EwCgl6HP RRM2CfqewksCboVz/lPBq78= =XA+w -END PGP SIGNATURE- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
On 10/01/2014 12:10 PM, Derric Atzrott wrote: >> Even imposing a nontrivial cost for creating accounts (say 10 BTC) would >> not help. Determined adversaries would pay it. And of course, that would >> exclude numerous innocents who wouldn't or couldn't pay. > > Yeah, I was just listing off some items that we came up with brainstorming > over the past few years. Clearly that item was cut fairly quickly. Some > type of proof of work might work, so long as it was expensive enough to > deter attackers after the first few times while still cheap enough to > generate just once for well behaved actors. Wikimedia could authenticate users with GnuPG keys. As part of the process of creating a new account, Wikimedia could randomly specify the key ID (or even a longer piece of the fingerprint) of the key that the user needs to generate. Generating the key would require arbitrarily great effort, but would impose negligible cost on Wikimedia or users during subsequent use. Although there's nothing special about such GnuPG keys as proof of work, they're more generally useful. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How does Tor help abuse victims?
Mimir: > Tor can provide anonymity, including location anonymity, for victims of > offline abuse, who have perhaps relocated for protection. Even for > victims of online abuse, Tor can help protect against doxing. I hadn't imagined that victims keep in contact with their abusers or have their communication data exposed to their abusers. 01.10.2014, 19:49 Derric Atzrott: >> I appear to lack imagination on how Tor helps abuse victims. Since some >> of you are involved with some organizations working in that field, I >> hope you give some insight. >> >> Personally I see no benefit in using Tor from the point of view of an >> abuse victim. Beside the properties why anyone could use Tor. >> >> Quite the opposite, the abuser seems to gain more by using Tor, if >> he/she (mostly he) is anonymous in the first place. > > I know of at least one use case that I have personally seen. > > A lot of abuse victims have never told anyone or have told very few > folks that they are victims of abuse. It's one of those things that > people just don't feel comfortable talking about, and for a good > reason, as abuse victims are often stigmatised by our society and > there is a great deal of victim blaming that happens. [break] Unfortunately that appears to be true in some cases, for whatever amount of 'some'. > There exists > online a number of websites where victims of abuse can privately > get together to discuss their past or current abuse and find ways > to either get out of the situation or move on with life. I see that this holds a higher risk of being exposed than just visiting a website dealing with abuse. > These sorts of things are a godsend for such people. Indeed, I think it is. Up to this point there is nothing I would have not claimed to be Tor not being useful for, it's just that I'd recommend people to look up or discuss their medical conditions for the same reasons. > Another use-case would be the anonymous reporting of abusers. In > this case someone who is not the abuse victim, but knows of the > abuse can report it without fearing reprisal from the abuser. This > is the same sort of logic that led to anonymous tip lines for police > stations. That is something I had not imagined for abuse cases. I'm familiar with this being useful for dissidents or leaking of documents about war crimes, environmental issues, corruption and such things. > Thank you, > Derric Atzrott > Thank you both. To avoid overloading tor-talk, I consider myself satisfied with the replies I got (because I am), if however others want to add something, because it is good to have success stories of Tor on tor-talk, then please add what you think. Regards, Sebastian G. bastik -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How does Tor help abuse victims?
I have been a victim of discrimination, for political issues, for some time. The anonymity Tor offers may improve the victim's life in many things, from finding a job to communicate to others, completely free from their abusers. They may even set up blogs or web pages to expose the ones who harass them. Lluis Sala Spain On 10/01/2014 07:49 PM, Derric Atzrott wrote: >> I appear to lack imagination on how Tor helps abuse victims. Since some >> of you are involved with some organizations working in that field, I >> hope you give some insight. >> >> Personally I see no benefit in using Tor from the point of view of an >> abuse victim. Beside the properties why anyone could use Tor. >> >> Quite the opposite, the abuser seems to gain more by using Tor, if >> he/she (mostly he) is anonymous in the first place. > > I know of at least one use case that I have personally seen. > > A lot of abuse victims have never told anyone or have told very few > folks that they are victims of abuse. It's one of those things that > people just don't feel comfortable talking about, and for a good > reason, as abuse victims are often stigmatised by our society and > there is a great deal of victim blaming that happens. There exists > online a number of websites where victims of abuse can privately > get together to discuss their past or current abuse and find ways > to either get out of the situation or move on with life. > > These sorts of things are a godsend for such people. > > Another use-case would be the anonymous reporting of abusers. In > this case someone who is not the abuse victim, but knows of the > abuse can report it without fearing reprisal from the abuser. This > is the same sort of logic that led to anonymous tip lines for police > stations. > > Thank you, > Derric Atzrott > -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > You can't reliably block by IP address. It's unfair, because numerous > users behind a NAT router will have the same public IP address. And it's > also trivial to evade using proxies, with or without Tor. Blocking Tor > (or even all known proxies) only stops the clueless. Anyone serious > about evading a block could just use a private proxy on AWS (via Tor). We do not usually permanently block IP addresses, and blocking them only prevents editing not reading. The purpose of a block is not punitive, but to prevent abuse long enough that the attacker gives up and moves on with life. Blocking an IP address for a week to a couple of months and working to identify IP addresses that permanently belong to organisations such as schools or libraries stops the vast majority of abuse. We also work with Sysadmins at schools and libraries to get them to pass XFF headers through their proxies so that we can block individuals on their networks rather than the entire network. I agree that blocking Tor or proxies is a pointless exercise, but I can't argue with the folks that say that most of what comes from Tor is abuse. This is why I want to try to find a better way to solve the problem than just blocking Tor (or for that matter proxies in general as any solution to this should work pretty well for them). > Even imposing a nontrivial cost for creating accounts (say 10 BTC) would > not help. Determined adversaries would pay it. And of course, that would > exclude numerous innocents who wouldn't or couldn't pay. Yeah, I was just listing off some items that we came up with brainstorming over the past few years. Clearly that item was cut fairly quickly. Some type of proof of work might work, so long as it was expensive enough to deter attackers after the first few times while still cheap enough to generate just once for well behaved actors. > That would exclude numerous users living under repressive regimes. But > then, Wikimedia is already doing that by blocking edits by Tor users. Indeed. In some parts of China and Iran Tor is one of the only ways to even read Wikipedia. > The bottom line is that blocking Tor harms numerous innocent users, and > by no means excludes seriously malicious users. I agree that it harms numerous innocent users, but it does stop those wish to hurt Wikipedia's content or community who are savvy enough to know how to evade a simple IP block, but not savvy enough to know how to set up their own proxy server. This is apparently a surprisingly large set of people. Just a note. I've never had to stop abuse from Tor and the only evidence I have for the abuse is ancedotal stories from those who have. It is those people though that I have to convince to allow Tor because without their support I stand no chance of getting it unblocked. I am working on trying to get together an idea for a limited trial with Tor unblocked to see what happens, but I will be able to convince folks to unblock Tor for a few days to gather data. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) iD8DBQFULEORRHoDdZBwKDgRAgGFAKCOrrCiNfs32ilAbjKgCJv1e2Q0xACeN5KS BSnOaHjpbuXU0R/zw2ypH1o= =81Ch -END PGP SIGNATURE- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How does Tor help abuse victims?
> I appear to lack imagination on how Tor helps abuse victims. Since some > of you are involved with some organizations working in that field, I > hope you give some insight. > > Personally I see no benefit in using Tor from the point of view of an > abuse victim. Beside the properties why anyone could use Tor. > > Quite the opposite, the abuser seems to gain more by using Tor, if > he/she (mostly he) is anonymous in the first place. I know of at least one use case that I have personally seen. A lot of abuse victims have never told anyone or have told very few folks that they are victims of abuse. It's one of those things that people just don't feel comfortable talking about, and for a good reason, as abuse victims are often stigmatised by our society and there is a great deal of victim blaming that happens. There exists online a number of websites where victims of abuse can privately get together to discuss their past or current abuse and find ways to either get out of the situation or move on with life. These sorts of things are a godsend for such people. Another use-case would be the anonymous reporting of abusers. In this case someone who is not the abuse victim, but knows of the abuse can report it without fearing reprisal from the abuser. This is the same sort of logic that led to anonymous tip lines for police stations. Thank you, Derric Atzrott -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] How does Tor help abuse victims?
On 10/01/2014 11:20 AM, Sebastian G. wrote: > I appear to lack imagination on how Tor helps abuse victims. Since some > of you are involved with some organizations working in that field, I > hope you give some insight. > > Personally I see no benefit in using Tor from the point of view of an > abuse victim. Beside the properties why anyone could use Tor. > > Quite the opposite, the abuser seems to gain more by using Tor, if > he/she (mostly he) is anonymous in the first place. Tor can provide anonymity, including location anonymity, for victims of offline abuse, who have perhaps relocated for protection. Even for victims of online abuse, Tor can help protect against doxing. > Thank you for anything I must be missing here. > > Regards, > Sebastian G. bastik > -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] How does Tor help abuse victims?
I appear to lack imagination on how Tor helps abuse victims. Since some of you are involved with some organizations working in that field, I hope you give some insight. Personally I see no benefit in using Tor from the point of view of an abuse victim. Beside the properties why anyone could use Tor. Quite the opposite, the abuser seems to gain more by using Tor, if he/she (mostly he) is anonymous in the first place. Thank you for anything I must be missing here. Regards, Sebastian G. bastik -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Hidden Services - Access control.
Sebastian G. wrote: How does that hide the existence of the hidden-service? It shouldn't actually resolve if you don't have the authorization details in your torrc file. ~Griffin -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Hidden Services - Access control.
01.10.2014, 15:41 Lunar: > coderman: >> On 9/30/14, Lluís wrote: >>> ... >>> I didn't find anything about access control, >>> is there anyway of doing this ? >>> Can I hide the *.onion address to anyone, but me ? >> >> you cannot hide the existence of the *.onion, as these are "location >> hidden" not "existence hidden". > > I believe you are mistaken. Quoting tor manpage: > >HiddenServiceAuthorizeClient auth-type client-name,client-name,... >If configured, the hidden service is accessible for >authorized clients only. The auth-type can either be >'basic' for a general-purpose authorization protocol or >'stealth' for a less scalable protocol that also hides >service activity from unauthorized clients. Only clients >that are listed here are authorized to access the hidden >service. Valid client names are 1 to 16 characters long >and only use characters in A-Za-z0-9+-_ (no spaces). If >this option is set, the hidden service is not accessible >for clients without authorization any more. Generated >authorization data can be found in the hostname file. >Clients need to put this authorization data in their >configuration file using HidServAuth. > > > How does that hide the existence of the hidden-service? Regards, Sebastian G. bastik -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
On Wed, Oct 1, 2014 at 9:57 AM, Derric Atzrott wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > I was curious if any of you here might have any ideas? How can we verify > that > a person is who they say they are, and block them if they are abusive in > such > a way that it is at least difficult for them to evade the block, but that > does > not impose a requirement so high as to be prohibitive to those who aren't > causing issues? > Is there any mechanism available by which, e.g., known & trusted editors could request Tor access for specific login credentials/accounts, and Tor only allowed for those accounts? This would also help to address Derric's interest in allowing users from repressive regimes without allowing the vast amounts of destructive edits that have so far come from Tor. Since Wikimedia accounts are designed to be at least quasi-anonymous, placing a request for Tor access through the Wikimedia messaging system should not in itself reveal one's identity. so one way to get one of these accounts would be, as many of us do, create a regular (non-Tor) account, perform a good number of simple, non-destructive edits (cleaning up already-marked items on WP pages, for example), and then to request a special Tor account. maybe if this works for established editors, a trial could be run to allow a limited number of new accounts through Tor to be set up, again by personal request, and edits allowed only through those approved accounts, allowing the Wikimedia software to carefully watch over these accounts for destructive editing and blocking them if this happens. People would therefore not be allowed to automatically create accounts in Tor in Wikimedia projects, nor to edit without logging in, but if the method works, a certain amount of editing over Tor could be possible. the overhead in approving accounts would be relatively low, and a limited number could be created, so that not a great deal of oversight would be necessary. Perhaps even a secure messaging facility could be created to request such accounts (if it doesn't exist already). As long as the basic mechanism is to allow only certain accounts to use Tor, I presume that Tor itself would make spoofing those accounts difficult. I would presume that a Tor-based Wikimedia account opened solely by messaging Wikimedia securely would be relatively hard to track down to a specific individual (especially if it eventually becomes possible to request these without first becoming a trusted editor), but I may not be thinking through all the possibilities. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Hidden Services - Access control.
On Tue, Sep 30, 2014 at 06:59:20PM +0200, Lluís wrote: > I am trying to setup a hidden webserver, only for > testing at the moment. > > After reading the hidden services howto here: > > https://www.torproject.org/docs/tor-hidden-service.html.en > > I didn't find anything about access control, > is there anyway of doing this ? > Can I hide the *.onion address to anyone, but me ? > Where can I found more information ? To anyone I would say no, but I think IFRAME + tor2web might do the trick if you just wish to avoid having your users remembering the onion address. But this would be also a step back on the safeguards of the hidden service model, since you would need to register the domain somewhere outside tor network. signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Wikimedia and Tor
On 10/01/2014 07:57 AM, Derric Atzrott wrote: > Good day all, > > About once a year the topic of Tor comes up on Wikimedia's technical mailing > list. I recently raised the topic again. For those who aren't aware of the > situation, currently Wikimedia blocks all edits from Tor users. We are trying > to find a way that it might be possible for us to lift that block, while not > exposing ourselves to the abuse that seems to inevitably come from Tor and > other proxy services. > > The biggest concern that I have seen is how do we prevent sock puppets. It > seems that when Tor was unblocked it was regularly used by people who had been > blocked from editing to evade those blocks. There have been a couple of ideas > thrown around in the past, but most of them have some sort of objection. > > I was curious if any of you here might have any ideas? How can we verify that > a person is who they say they are, and block them if they are abusive in such > a way that it is at least difficult for them to evade the block, but that does > not impose a requirement so high as to be prohibitive to those who aren't > causing issues? You can't reliably block by IP address. It's unfair, because numerous users behind a NAT router will have the same public IP address. And it's also trivial to evade using proxies, with or without Tor. Blocking Tor (or even all known proxies) only stops the clueless. Anyone serious about evading a block could just use a private proxy on AWS (via Tor). > We've thought about setting up infrastructure for Nymble, but that would > require Tor users to expose their IP address in order to get a Nymble token. > We have also thought about blind signing certificates which are then used to > verify a person is the same as before, but it would be trivially easy for > someone to get a new one. We've thought about putting all Tor edits into a > review queue, but that imposes too high a cost on our other volunteers. > Fingerprinting Tor users seems both unethical and difficult, requiring some > form of donation seems unethical, difficult, and possibly illegal, and > requiring accounts to be created without Tor exposes Tor user's IP addresses. Even imposing a nontrivial cost for creating accounts (say 10 BTC) would not help. Determined adversaries would pay it. And of course, that would exclude numerous innocents who wouldn't or couldn't pay. > We really don't want to collect private information from Tor users like phone > numbers, government IDs, etc. as that information isn't collected for anyone > else and seems especially sensitive for Tor users. That would exclude numerous users living under repressive regimes. But then, Wikimedia is already doing that by blocking edits by Tor users. > A more personal note, this email is being sent from my work email address as > I use it for list subscriptions (I spent 12 hours a day at work or commuting > so this makes lists much easier to keep up on), but I will be signing my > emails > with my personal PGP key and any off-list messages to me should probably be > directed there. > > Additionally it should be noted that I have a passing familiarity with Tor as > both a user and recently became an exit relay operator, though if I missed > something blindly obvious, definitely please point it out to me! The bottom line is that blocking Tor harms numerous innocent users, and by no means excludes seriously malicious users. > Thank you, > Derric Atzrott > User:Zellfaze on English Wikipedia > > -BEGIN PGP PUBLIC KEY BLOCK- > Version: GnuPG v1.4.2 (MingW32) > > mQGiBFQZiyYRBACLtvclV0jwo/9suqLjfAQZNRD6wUSxBG+7WDXsFUH8lqkZvW3G > y/NvBUzHhBzyCAYvtISANk3d9MX+zjd7moSFDLmqe/bGcjBP/2v2bnQYtPUzVyCl > vBUUnSxk9Ike9irS9TBCa13Chr1/DMVS8K1AWtboFjU2lTnbIGwWLrZ8ywCguXSe > S34fksoMEdozjhz3GMz3Kn8D/3U0IpNu4cu+SYpmwGUO6pFgwa5LiR98HmoXONhC > 0I9Vz1i6yiro2+t/VAIx7F6k+/nBJ4uJcVQ/RG0BZv+oDK+avcRu9i8ReV6e6kJc > gFYOCR/yrT4UNkr33XpI6T7B4xu8dZJriAVHDhRJlbdz49bZs+9U7w4xSqdudV42 > ritVA/oCQ3tGtenR+9S2ukxz2h1y8qBTtvCgRhKpbY7elXRcEaULpyg6Lb3iZhPd > NL82ypNmHPMJtS2K5Th49o4HoAfCXvW3DdTTddpk/ga8fia28KPqbvHbtoCTBe+7 > ObQlMC6IRro6UzSTjdf5t3Ftvmxs5Ro1j7EP5z/cs5CWr+MSQrQmRGVycmljIEF0 > enJvdHQgPHplbGxmYXplQHplbGxmYXplLm9yZz6IYwQTEQIAIwUCVBmLJgUJAeCv > nAYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEER6A3WQcCg4a20AoKp9hGsfG/ig > 9LJ0LKnoZ68lOJuNAJ0W6GmuKMFTTvYQFM58Eqwt7ye1I4hGBBARAgAGBQJUGYwE > AAoJEIYsJh133xw698YAnRhbb6Bur9XGQg8hmvxysK2HfbnOAJ0QA1gEjRkihn2I > YUo6KGHYEp/pg7kBDQRUGYsnEAQAurNRbriy6Skx3QdvpXuqs+MHTzxFdf3p2gOe > R/7Z2Uw5ufJI6fmW5S+altaaGS48YiW9pCxmSEGZi0aPV+3scLrUVMiYOE0v/kRG > rrhYSV4onnDb0Okr4vDj5EZJxYEVKu/XXve6RrEXUHmiwZxmT8LFErmtTcNK1p2W > kfn8zzMAAwUD/3yQHJr0a29D7AXnezVH9iOPm0uQv80LBTTcLIErboltt+C3rNNN > HkhlCHFDz85Sd2ZZ+yAH7Zep5Mt1SC1dj1mWMCzi8zFn6zSYxCbQfvTIoKsTxD/X > G8ATkzXDfLJAQ/WasQHZzC734XpJpb8l+B89SKx66BXqDux/D16spvBYiEwEGBEC > AAwFAlQZiycFCQHgr5wACgkQRHoDdZBwKDijhwCeLzma3BX6Ax8PLyV7wN7lMO/q > /XoAnRv2sTX1mT4tvO1k/a3FxEPWHN9o > =/It2 > -END PGP PUBLIC KEY BLOCK---
[tor-talk] Wikimedia and Tor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Good day all, About once a year the topic of Tor comes up on Wikimedia's technical mailing list. I recently raised the topic again. For those who aren't aware of the situation, currently Wikimedia blocks all edits from Tor users. We are trying to find a way that it might be possible for us to lift that block, while not exposing ourselves to the abuse that seems to inevitably come from Tor and other proxy services. The biggest concern that I have seen is how do we prevent sock puppets. It seems that when Tor was unblocked it was regularly used by people who had been blocked from editing to evade those blocks. There have been a couple of ideas thrown around in the past, but most of them have some sort of objection. I was curious if any of you here might have any ideas? How can we verify that a person is who they say they are, and block them if they are abusive in such a way that it is at least difficult for them to evade the block, but that does not impose a requirement so high as to be prohibitive to those who aren't causing issues? We've thought about setting up infrastructure for Nymble, but that would require Tor users to expose their IP address in order to get a Nymble token. We have also thought about blind signing certificates which are then used to verify a person is the same as before, but it would be trivially easy for someone to get a new one. We've thought about putting all Tor edits into a review queue, but that imposes too high a cost on our other volunteers. Fingerprinting Tor users seems both unethical and difficult, requiring some form of donation seems unethical, difficult, and possibly illegal, and requiring accounts to be created without Tor exposes Tor user's IP addresses. We really don't want to collect private information from Tor users like phone numbers, government IDs, etc. as that information isn't collected for anyone else and seems especially sensitive for Tor users. A more personal note, this email is being sent from my work email address as I use it for list subscriptions (I spent 12 hours a day at work or commuting so this makes lists much easier to keep up on), but I will be signing my emails with my personal PGP key and any off-list messages to me should probably be directed there. Additionally it should be noted that I have a passing familiarity with Tor as both a user and recently became an exit relay operator, though if I missed something blindly obvious, definitely please point it out to me! Thank you, Derric Atzrott User:Zellfaze on English Wikipedia -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (MingW32) iD8DBQFULAfzRHoDdZBwKDgRAp8NAJ9H9Ap6BRVhpLr0TOS5Nf2gGAkBKgCeMiUX mPgZEd/DXE876lE0l6nmTIM= =Gavh -END PGP SIGNATURE- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v1.4.2 (MingW32) mQGiBFQZiyYRBACLtvclV0jwo/9suqLjfAQZNRD6wUSxBG+7WDXsFUH8lqkZvW3G y/NvBUzHhBzyCAYvtISANk3d9MX+zjd7moSFDLmqe/bGcjBP/2v2bnQYtPUzVyCl vBUUnSxk9Ike9irS9TBCa13Chr1/DMVS8K1AWtboFjU2lTnbIGwWLrZ8ywCguXSe S34fksoMEdozjhz3GMz3Kn8D/3U0IpNu4cu+SYpmwGUO6pFgwa5LiR98HmoXONhC 0I9Vz1i6yiro2+t/VAIx7F6k+/nBJ4uJcVQ/RG0BZv+oDK+avcRu9i8ReV6e6kJc gFYOCR/yrT4UNkr33XpI6T7B4xu8dZJriAVHDhRJlbdz49bZs+9U7w4xSqdudV42 ritVA/oCQ3tGtenR+9S2ukxz2h1y8qBTtvCgRhKpbY7elXRcEaULpyg6Lb3iZhPd NL82ypNmHPMJtS2K5Th49o4HoAfCXvW3DdTTddpk/ga8fia28KPqbvHbtoCTBe+7 ObQlMC6IRro6UzSTjdf5t3Ftvmxs5Ro1j7EP5z/cs5CWr+MSQrQmRGVycmljIEF0 enJvdHQgPHplbGxmYXplQHplbGxmYXplLm9yZz6IYwQTEQIAIwUCVBmLJgUJAeCv nAYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEER6A3WQcCg4a20AoKp9hGsfG/ig 9LJ0LKnoZ68lOJuNAJ0W6GmuKMFTTvYQFM58Eqwt7ye1I4hGBBARAgAGBQJUGYwE AAoJEIYsJh133xw698YAnRhbb6Bur9XGQg8hmvxysK2HfbnOAJ0QA1gEjRkihn2I YUo6KGHYEp/pg7kBDQRUGYsnEAQAurNRbriy6Skx3QdvpXuqs+MHTzxFdf3p2gOe R/7Z2Uw5ufJI6fmW5S+altaaGS48YiW9pCxmSEGZi0aPV+3scLrUVMiYOE0v/kRG rrhYSV4onnDb0Okr4vDj5EZJxYEVKu/XXve6RrEXUHmiwZxmT8LFErmtTcNK1p2W kfn8zzMAAwUD/3yQHJr0a29D7AXnezVH9iOPm0uQv80LBTTcLIErboltt+C3rNNN HkhlCHFDz85Sd2ZZ+yAH7Zep5Mt1SC1dj1mWMCzi8zFn6zSYxCbQfvTIoKsTxD/X G8ATkzXDfLJAQ/WasQHZzC734XpJpb8l+B89SKx66BXqDux/D16spvBYiEwEGBEC AAwFAlQZiycFCQHgr5wACgkQRHoDdZBwKDijhwCeLzma3BX6Ax8PLyV7wN7lMO/q /XoAnRv2sTX1mT4tvO1k/a3FxEPWHN9o =/It2 -END PGP PUBLIC KEY BLOCK- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Hidden Services - Access control.
coderman: > On 9/30/14, Lluís wrote: > > ... > > I didn't find anything about access control, > > is there anyway of doing this ? > > Can I hide the *.onion address to anyone, but me ? > > you cannot hide the existence of the *.onion, as these are "location > hidden" not "existence hidden". I believe you are mistaken. Quoting tor manpage: HiddenServiceAuthorizeClient auth-type client-name,client-name,... If configured, the hidden service is accessible for authorized clients only. The auth-type can either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable protocol that also hides service activity from unauthorized clients. Only clients that are listed here are authorized to access the hidden service. Valid client names are 1 to 16 characters long and only use characters in A-Za-z0-9+-_ (no spaces). If this option is set, the hidden service is not accessible for clients without authorization any more. Generated authorization data can be found in the hostname file. Clients need to put this authorization data in their configuration file using HidServAuth. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — October 1st, 2014
Tor Weekly NewsOctober 1st, 2014 Welcome to the thirty-ninth issue in 2014 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community. Tor 0.2.4.24 and 0.2.5.8-rc are out --- Roger Dingledine announced [1] new releases in both the stable and the alpha branches of the core Tor software. Clients accessing hidden services should experience faster and more robust connections as they will now send the correct rendezvous point address. “They used to send the wrong address, which would still work some of the time because they also sent the identity digest of the rendezvous point, and if the hidden service happened to try connecting to the rendezvous point from a relay that already had a connection open to it, the relay would reuse that connection”. This fix also prevents the endianness [2] of the client’s system from being leaked to the hidden service. The only other changes in these releases are an update of the geoip databases and the location of the gabelmoo directory authority [3]. As usual, you can download the source code from the Tor distribution directory [4]. [1]: https://lists.torproject.org/pipermail/tor-talk/2014-September/034937.html [2]: https://en.wikipedia.org/wiki/Endianness [3]: https://lists.torproject.org/pipermail/tor-talk/2014-September/034898.html [4]: https://www.torproject.org/dist/ Tor Browser 3.6.6 and 4.0-alpha-3 are out - Mike Perry announced two new releases by the Tor Browser team. Tor Browser 3.6.6 [5] includes a workaround for the bug [6] that has sometimes been preventing the browser window from opening after an apparently successful connection to the Tor network; it also stops intermediate SSL certificates from being written to disk. In addition to these fixes, Tor Browser 4.0-alpha-3 [7] resolves a number of issues to do with the upcoming Tor Browser updater, including the mistaken upgrade of non-English Tor Browsers to the English-language version. As this bug is only fixed in the new release, users upgrading from 4.0-alpha-2 will still experience this issue during the process. Furthermore, “meek transport users will need to restart their browser a second time after upgrade if they use the in-browser updater. We are still trying to get to the bottom of this issue [8]”, wrote Mike. Both releases also include important Firefox security updates, so all users should upgrade as soon as possible. See Mike’s announcements for full details, and get your copy from the project page [9] or the distribution directory [10]. [5]: https://blog.torproject.org/blog/tor-browser-366-released [6]: https://bugs.torproject.org/10804 [7]: https://blog.torproject.org/blog/tor-browser-40-alpha-3-released [8]: https://bugs.torproject.org/13247 [9]: https://www.torproject.org/projects/torbrowser.html [10]: https://www.torproject.org/dist/torbrowser/ Tails 1.1.2 is out -- The second point release in the Tails 1.1.x series was put out [11] by the Tails team, “mainly to fix a serious flaw in the Network Security Services (NSS) library used by Firefox and other products that allows attackers to create forged RSA certificates. Before this release, users on a compromised network could be directed to sites using a fraudulent certificate and mistake them for legitimate sites.” Other packages affected by recently-disclosed security flaws and updated in this version include APT, bash, and GnuPG, so all Tails users should make sure to upgrade as soon as possible. If you have a running copy of Tails, you can make use of the incremental upgrades system; otherwise, head to the download page [12] for more information. [11]: https://tails.boum.org/news/version_1.1.2/ [12]: https://tails.boum.org/download/index obfs4 is ready for general deployment: bridge operators needed! --- Pluggable transports [13], the circumvention techniques which allow users to access the Tor network from censored areas by disguising the fact that the Tor protocol is being used, are about to take another step forward with the release of obfs4, and Yawning Angel sent out [14] a brief discussion of this new protocol. obfs4 offers a number of developments over the obfs3 and ScrambleSuit protocols, until now the most sophisticated pluggable transports in use on the Tor network. Like ScrambleSuit, obfs4 improves on obfs3 to “provide resilience against active attackers and to disguise flow signatures” [15], while a safer and more efficient key-exchange process than ScrambleSuit’s should make it impossible for attackers to launch man-in-the-middle attacks based on the client/bridge shared secret. Like its predecessors in the obfsproxy series, obfs4 is
Re: [tor-talk] Fwd: IP Banned for running a non-exit relay from home?
I actually always figured the opposite---that knowing someone was Tor user was surprisingly quite valuable for advertisers. You know the viewer is technically literate and interested in security and privacy. I don't study ads or anything, but this sounds like a target demographic to me. If nothing else show the ads for Barracuda Networks' spam firewall that I always see in SFO/SJC. -V On Tue, Sep 30, 2014 at 6:20 PM, Joe Btfsplk wrote: > Tor / TBB doesn't exactly lend itself to that business model. Maybe some > have heard, gathering personal data on internet users is now big business. > No? > Tor thwarts that objective. The trackers (who pay many site owners) say, > "We don't need no stinking Tor Browsers." -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Fwd: IP Banned for running a non-exit relay from home?
Well now that it's been mentioned in tor-talk maybe it'll appear next time Mr. DANIEL AUSTIN MBCS Googles himself. -V -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Hidden Services - how to implement something like Round Robin DNS?
If all you want to do is load share right now today, you can set the main onion to 302 all traffic amongst an onion farm. It's only for http and isn't perfect but it does spread the traffic around. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
