[tor-talk] Tor cameo in the comic “Les Vieux Fourneaux”
Hi! “Les Vieux Fourneaux” [1] is a comic in French published last year by Wilfrid Lupano and Paul Cauuet. Amongst other characters, it features a group of anarchist elders called “Ni Yeux Ni Maîtres” [2]. In the story you see them fighting gentrification by filling up a trendy lounge bar until it goes out of business. One of the elder is getting hacking lessons from “Arno Nimousse”. The latter has an onion sticker on his laptop. Some images: https://people.torproject.org/~lunar/volatile/2015-11-04-WplBy28xyVg/Les_Vieux_Fourneaux_1.jpg https://people.torproject.org/~lunar/volatile/2015-11-04-WplBy28xyVg/Les_Vieux_Fourneaux_2.jpg https://people.torproject.org/~lunar/volatile/2015-11-04-WplBy28xyVg/Les_Vieux_Fourneaux_3.jpg [1]: https://fr.wikipedia.org/wiki/Les_Vieux_Fourneaux [2]: Meaning “No Eyes No Masters”, but it sounds more funny in French. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] updating Tor
Zenaan Harkness: > On 10/19/14, Lunar wrote: > > Hartmut Haase: > >> how do I update Tor in Linux without loosing my data? InWin7 it is quite > >> easy. > > > > Tor Browser 4.0 now contains an automated upgrade system. To start the > > update, go to the Help menu, open About Tor Browser. If there's an > > upgrade available, there will be a button right there. > > Some of us support/admin more than one computer of the same OS. > Does this TBB 4.0 upgrade-with-state function, support offline upgrade > on Debian GNU/Linux - ie download installer, save somewhere, and > update an existing TBB installation, maintaining state (eg guard node, > bookmarks)? I don't think so. But you could help with #13252 which might pave the way for differentiating Tor Browser from its user data. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] updating Tor
Grace H: > Great that Tor Browser has automated upgrade system. > > Does it check SSL certificate (pinning) and checks the download > against a signature? How does it actually works? Quoting the release announcement: Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures. https://blog.torproject.org/blog/tor-browser-40-released -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] updating Tor
Hartmut Haase: > how do I update Tor in Linux without loosing my data? InWin7 it is quite > easy. Tor Browser 4.0 now contains an automated upgrade system. To start the update, go to the Help menu, open About Tor Browser. If there's an upgrade available, there will be a button right there. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] firewall prompt gone in 4.0?
bm-2ctjsegdfzqngqwuqjswro6jrwlc9b3...@bitmessage.ch: > It appears the nice firewall prompt has been removed in TBB 4.0. For > those of us who block all but a couple outgoing ports (and all the > incoming), is the only way to retain this functionality to edit the > "torrc" file with something like below for every new download? > > ReachableAddresses accept *:80 > ReachableAddresses accept *:443 You can still configure this option through the Network Settings available from the onion menu. The ReachableAddress setting is a bonus: Tor will try to connect to relays in turn until it succeeds, so it should eventually try to connect to a relay that listens on the right port. The rationale from removing the option is the amount of headaches for users and support: how many users know what a firewall is? How many users know the difference between an outgoing and an incoming firewall? How many users actually *have* an outgoing firewall? So they would enable ReacheableAddress for the two ports you mention, and then configure bridges. And so Tor was not ever able to connect because it wasn't allowed to connect to the configured bridges. > Compared to the menu item, this seems rather inconvenient for linux > users who (quite surprisingly) don't have any well-developed means > to block outgoing traffic on a per-application basis, and resort to the > less effective, though slightly more cautious practice of just opening a > couple outgoing ports? If it's about networw security, how about configuring bridges and only allowing these specific IP and port in the firewall? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Relay Smartphone App
Jeremy Olexa: > You are abit late on the project idea :) > https://www.kickstarter.com/projects/augustgermar/anonabox-a-tor-hardware-router If this needs repeating on this list: this is a bad idea. It will give people illusions instead of actual protection. The Tor Browser is already having a hard time fighting against the numerous browser fingerprinting scheme that exists today. Telling people they will be anonymous using their normal Internet Explorer is misleading if not dishonest. Using evercookies will be enough to track them across restarts and networks. Going through Tor will still protect them from monitoring by their ISP, which is highly desirable. But this is not what the selling pitch is about, here. Users of such products might be able to download OS X security updates without revealing their IP address to Apple. I am not sure this will actually hide their location (as the OS can figure it out by looking at nearby Wi-Fi networks), but it will surely not hide their Mac serial number or Apple ID. I am not sure this is what people would call anonymity… [1]: http://samy.pl/evercookie -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — October 8th, 2014
Tor Weekly NewsOctober 8th, 2014 Welcome to the fortieth issue in 2014 of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community. Setup ooniprobe in five minutes --- New versions of the Open Observatory of Network Interference [1] (OONI) tools are out. On October 1st, Arturo Filastò announced [2] ooniprobe 1.2.0 and oonibackend 1.1.4. “One of the most interesting new features that are now part of ooniprobe is the ability to generate test decks for the country you are in a way that is much easier than before”, writes Arturo. He adds: “As a matter of fact to start contributing useful measurements it’s just a matter of 5 minutes of setup [3].” So don’t be shy about adding your measurements to the project! [1]: https://ooni.torproject.org/ [2]: https://lists.torproject.org/pipermail/ooni-dev/2014-October/000171.html [3]: https://pypi.python.org/pypi/ooniprobe#ooni-in-5-minutes Monthly status reports for September 2014 - The wave of regular monthly reports from Tor project members for the month of September has begun. Juha Nurmi released his report first [4], followed by reports from Georg Koppen [5], Damian Johnson [6], George Kadianakis [7], Matt Pagan [8], Lunar [9], Sherief Alaa [10], Leiah Jansen [11], Harmony [12], Pearl Crescent [13], Nick Mathewson [14], Karsten Loesing [15], Sukhbir Singh [16], Nicolas Vigier [17] (in addition to July [18] and August [19]), Arlo Breault [20], J. Todaro [21], and Colin C. [22] [4]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000652.html [5]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000653.html [6]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000654.html [7]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000655.html [8]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000656.html [9]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000658.html [10]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000659.html [11]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000660.html [12]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000661.html [13]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000662.html [14]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000663.html [15]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000665.html [16]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000666.html [17]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000669.html [18]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000667.html [19]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000668.html [20]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000670.html [21]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000672.html [22]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000673.html Lunar also reported on Tor help desk [23], Mike Perry for the Tor Browser team [24], and Arturo Filastò for OONI [25]. [23]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000657.html [24]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000664.html [25]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000671.html Miscellaneous news -- Orbot users should rejoice at the news that orWall [26] 1.0.0 has been released [27]! orWall will force selected applications through Tor while preventing unauthorized applications to have any network access. “Any feedback from Tor/Orbot users interests me in order to improve orWall. I think the current release is pretty good, but as the main dev I’m maybe not that neutral regarding this statement” joked CJ. [26]: https://orwall.org/ [27]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035040.html The OONI project has been “developing a test that allows probes in censored countries to test which bridges are blocked and which are not”. George Kadianakis is seeking help [28] to create interesting visualization of the resulting data. He shared a sketch about countries and pluggable transports [29] and another one showing time before blocks happened [30]. [28]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007585.html [29]: https://people.torproject.org/~asn/bridget_vis/countries_pts.jpg [30]: https://people.torproject.org/~asn/bridget_vis/tbb_blocked_timeline.jpg Nick Mathewson announced [31] the release of Trunnel [32] 1.3. Trunnel is a code generator for
Re: [tor-talk] Tor in the media
Derric Atzrott: > There are some strong ethical questions in logging all traffic from a > relay, but I can't see any other way to get this sort of data. The answer to the ethical question is simple: this is plain wrong. You don't spy on people. But there's also a legal aspect to it: in many jurisdictions, as soon as you start looking at the traffic, you become liable for it. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Hidden Services - Access control.
coderman: > On 9/30/14, Lluís wrote: > > ... > > I didn't find anything about access control, > > is there anyway of doing this ? > > Can I hide the *.onion address to anyone, but me ? > > you cannot hide the existence of the *.onion, as these are "location > hidden" not "existence hidden". I believe you are mistaken. Quoting tor manpage: HiddenServiceAuthorizeClient auth-type client-name,client-name,... If configured, the hidden service is accessible for authorized clients only. The auth-type can either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable protocol that also hides service activity from unauthorized clients. Only clients that are listed here are authorized to access the hidden service. Valid client names are 1 to 16 characters long and only use characters in A-Za-z0-9+-_ (no spaces). If this option is set, the hidden service is not accessible for clients without authorization any more. Generated authorization data can be found in the hostname file. Clients need to put this authorization data in their configuration file using HidServAuth. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] more sites requiring captchas from Cloudfare (using Google API?)
Öyvind Saether: > I get these CloudFlare errors so often now that I have decided to use > this thread as a log of every Cloudflare-broken site and action (if > any) I take as a result of it. Please don't. tor-talk has 1600+ subscribers. For a log, a wiki page is a better tool than everyone's inbox. Feel free to create a new one or complement what's already there: https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Merging all languages (locales) into one Tor Browser package?
Georg Koppen: > So, in short: I am quite concerned about the usability issues (and I > probably missed a bunch) that would follow from having all locales in > one bundle. Would it be over the top to do both? Build packages with only one locale, and one package with all locales? The latter could be used by Tails or support more users in a sneakernet distribution scenario. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] 5 million dollar company close to shut down due to an exposure on the Dark Net
John Pinkman: > It all started 4 days ago, when PinkMeth site posted a profile with > the self-taken nudes of the daughter of the company owners. > > http://pinkmeth[…] Please refrain from posting such links. Tor stands for privacy and against harrasment. Tor communication channels should not be used to promote sexist, privacy-intruding, harrasment-based websites. Also, it's not because some random site uses Tor hidden services that one can say “that’s Tor”. If you do the same with “the Internet”, you'll realize how it's hardly helpful. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] BBC: NSA and GCHQ agents 'leak Tor bugs', alleges developer
krishna e bera: > Would be nice to see Tor media coverage linked to from TWN > (maybe it already is..) Tor Weekly News is open to contributions, as written at the bottom every week. So far Tor Weekly News has very rarely mentioned media coverage because most things media cover are actually already known to Tor Weekly News readers. For what I remember, the few articles that have been mentioned were listed because they could be used as tools by the Tor community when advocating Tor to others. I don't find this particular BBC article relevant to Tor Weekly News. It's just one more drop on the “BBC hates Tor” series. Starting a regular column that would be “Tor in the press” is a different matter. But then, we would have to cover way way more things than just one BBC article… -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Hiding the presence of hidden services
Nam-Shub: > Is there any good way to hide the presence of services? See `HiddenServiceAuthorizeClient` and `HidServAuth` options in tor(1) manpage: HiddenServiceAuthorizeClient auth-type client-name,client-name,... If configured, the hidden service is accessible for authorized clients only. The auth-type can either be 'basic' for a general-purpose authorization protocol or 'stealth' for a less scalable protocol that also hides service activity from unauthorized clients. Only clients that are listed here are authorized to access the hidden service. Valid client names are 1 to 19 characters long and only use characters in A-Za-z0-9+-_ (no spaces). If this option is set, the hidden service is not accessible for clients without authorization any more. Generated authorization data can be found in the hostname file. Clients need to put this authorization data in their configuration file using HidServAuth. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Performance
Martin S: > Considering the responses in this thread, I am now testing the Tor BB. > However the startup time for this is monstruous. Running through the > initial setup routine, the thing just seems to hang on connecting to > Tor network. What could be wrong? Please contact the Tor help desk: . It's probably better than solving the problem with 1600+ subscribers watching. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] website-design
Tim Jahn: > i'm a graphic designer from austria and want to make you an offer: i would > like to do a free redesign of your website, inclusive a new logo, within the > next few months. i will restructure the site, optimize the hierarchies and > give it a new appearance. if you like it you can take it, if you think of a > few changes, we can talk about them and if you don't want to take it you > leave it and i have done some work for my portfolio Great you want to help. To see the current efforts and communication channels, please have a look at: https://trac.torproject.org/projects/tor/wiki/Website -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — August 13th, 2014
] was also a Sybil attack: a large number of malicious nodes joined the network at once. This led to a renewal of interest in detecting Sybil attacks against the Tor network more quickly. Karsten Loesing published some code [17] computing similarity metrics, and David Fifield has explored visualizations [18] of the consensus that made the recent attack visible. [16]: https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack [17]: https://github.com/kloesing/SAD [18]: https://bugs.torproject.org/12813 Gareth Owen sent out an update [19] about the Java Tor Research Framework. This prompted a discussion with George Kadianakis and Tim about the best way to perform fuzz testing [20] on Tor. Have a look if you want to comment on Tim’s approaches [21]. [19]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007328.html [20]: https://en.wikipedia.org/wiki/Fuzz_testing [21]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007334.html Thanks to Daniel Thill [22] for running a mirror of the Tor Project website! [22]: https://lists.torproject.org/pipermail/tor-mirrors/2014-August/000651.html ban mentioned [23] a new service collecting donations for the Tor network. OnionTip [24], set up by Donncha O’Cearbhaill, will collect bitcoins and redistribute them to relay operators who put a bitcoin address in their contact information. As the redistribution is currently done according to the consensus weight, Sebastian Hahn warned [25] that this might encourage people to “cheat the consensus weight” because that now means “more money from oniontip”. [23]: https://lists.torproject.org/pipermail/tor-relays/2014-August/005073.html [24]: https://oniontip.com/ [25]: https://lists.torproject.org/pipermail/tor-relays/2014-August/005077.html Juha Nurmi sent another update [26] on the ahmia.fi GSoC project. [26]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000620.html News from Tor StackExchange --- arvee wants to redirect some TCP connections through Tor on OS X [28]; Redsocks [27] should help to route packets for port 443 over Tor. mirimir explained that given the user's pf configuration, the setting “SocksPort ” was probably missing. [27]: https://tor.stackexchange.com/q/3802/88 [28]: http://darkk.net.ru/redsocks/ meee asked a question and offered a bounty for an answer: the circuit handshake entry in Tor’s log file contains some numbers, and meee wants to know what their meaning is [29]: “Circuit handshake stats since last time: 1833867/1833868 TAP, 159257/159257 NTor.” [29]: https://tor.stackexchange.com/q/3213/88 Easy development tasks to get involved with --- The bridge distributor BridgeDB [30] usually gives out bridges by responding to user requests via HTTPS and email. A while ago, BridgeDB also gave out bridges to a very small number of people who would then redistribute bridges using their social network. We would like to resume sending bridges to these people, but only if BridgeDB can be made to send them via GnuPG-encrypted emails [31]. If you’d like to dive into the BridgeDB code and add support for GnuPG-encrypted emails, please take a look at the ticket and give it a try. [30]: https://bridges.torproject.org/ [31]: https://bugs.torproject.org/9332 Upcoming events --- Aug. 13 13:30 UTC | little-t tor development meeting | https://lists.torproject.org/pipermail/tor-dev/2014-August/007314.html | #tor-dev, irc.oftc.net | Aug. 13 16:00 UTC | Pluggable transport online meeting | https://lists.torproject.org/pipermail/tor-dev/2014-August/007317.html | #tor-dev, irc.oftc.net | Aug. 18 18:00 UTC | Tor Browser online meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tbb-dev/2014-August/000100.html | August 18 | Roger @ FOCI ’14 | San Diego, California, USA | https://www.usenix.org/conference/foci14 | August 20-22 | Roger @ USENIX Security Symposium ’14 | San Diego, California, USA | https://www.usenix.org/conference/usenixsecurity14 This issue of Tor Weekly News has been assembled by Lunar, qbi, Karsten Loesing, harmony, and Philipp Winter. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [32], write down your name and subscribe to the team mailing list [33] if you want to get involved! [32]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [33]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list
Re: [tor-talk] Why tor doesn't support UDP?
Yuri: > It is well known that tor only supports DNS UDP requests, and not > other UDP. > > Tor could relay UDP through the same path as TCP. And the chosen exit > node could act as a UDP gateway, much like regular routers relay UDP > packets from different LAN hosts. Routers substitute source port of > UDP packets and later map back the ip/port in response packets. It > could be easily imagined how tor could do just the same. > When I use the virtual machine connected to network through the tor, > only http apps work, and all UDP apps fail. Even skype is unable to > connect. > > So what is the reason that UDP isn't supported? There are many reasons. I guess patches would be happily discussed if you had some. SOCKS5 supports UDP, TransPort could be made to support UDP too. Then there's circuit handling and session tracking — the connection is never opened or closed with UDP. But then, the underlying connections between relays are still going to be TCP. Previous research on switching to datagram designs: http://static.usenix.org/event/sec09/tech/full_papers/reardon.pdf https://research.torproject.org/techreports/datagram-comparison-2011-11-07.pdf https://research.torproject.org/techreports/libutp-2013-10-30.pdf -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Three questions
m...@ruggedinbox.com: > 1. when running a service as a hidden service, for example a web server, the > client IP address is always 127.0.0.1. > Is there a way to have some more 'unique' information about the visitor, in > order to mitigate a DDOS attack ? See “Client identification in hidden service applications” in the April 2nd 2014 issue of Tor Weekly News: https://lists.torproject.org/pipermail/tor-news/2014-April/39.html I don't remember seeing any progress toward merging a patch answering Nick's comments. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — August 6th, 2014
free to mess with things we don’t look for.” A better future and more transparency probably lies in adaptive test systems run by multiple volunteer groups. Until they come to existence, as a small improvement, Philipp Winter wrote [9] it was probably safe to publish why relays were disabled, through “short sentence along the lines of ‘running HTTPS MitM’ or ‘running sslstrip’”. [6]: https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays [7]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034198.html [8]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034219.html [9]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034216.html Monthly status reports for July 2014 Time for monthly reports from Tor project members. The July 2014 round was opened by Georg Koppen [10], followed by Philipp Winter [11], Sherief Alaa [12], Lunar [13], Nick Mathewson [14], Pearl Crescent [15], George Kadianakis [16], Matt Pagan [17], Isis Lovecruft [18], Griffin Boyce [19], Arthur Edelstein [20], and Karsten Loesing [21]. [10]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000598.html [11]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000599.html [12]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000601.html [13]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000603.html [14]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000604.html [15]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000605.html [16]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000608.html [17]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000609.html [18]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000610.html [19]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000611.html [20]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000612.html [21]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000614.html Lunar reported on behalf of the help desk [22] and Mike Perry for the Tor Browser team [23]. [22]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000602.html [23]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000607.html Miscellaneous news -- Anthony G. Basile announced a new release of tor-ramdisk, an i686 or x86_64 uClibc-based micro Linux distribution whose only purpose is to host a Tor server. Version 20140801 [24] updates Tor to version 0.2.4.23, and the kernel to 3.15.7 with Gentoo’s hardened patches. [24]: http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-August/000132.html meejah has announced [25] a new command-line application. carml [26] is a versatile set of tools to “query and control a running Tor”. It can do things like “list and remove streams and circuits; monitor stream, circuit and address-map events; watch for any Tor event and print it (or many) out; monitor bandwidth; run any Tor control-protocol command; pipe through common Unix tools like grep, less, cut, etcetera; download TBB through Tor, with pinned certs and signature checking; and even spit out and run xplanet configs (with router/circuit markers)!” The application is written in Python and uses the txtorcon library [27]. meejah describes it as early-alpha and warns that it might contain “serious, anonymity-destroying bugs”. Watch out! [25]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007295.html [26]: https://github.com/meejah/carml [27]: https://txtorcon.readthedocs.org/ Only two weeks left for the Google Summer of Code students, and the last round of reports but one: Juha Nurmi on the ahmia.fi project [28], Marc Juarez on website fingerprinting defenses [29], Amogh Pradeep on Orbot and Orfox improvements [30], Zack Mullaly on the HTTPS Everywhere secure ruleset update mechanism [31], Israel Leiva on the GetTor revamp [32], Quinn Jarrell on the pluggable transport combiner [33], Daniel Martí on incremental updates to consensus documents [34], Noah Rahman on Stegotorus enhancements [35], and Sreenatha Bhatlapenumarthi on the Tor Weather rewrite [36]. [28]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000600.html [29]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000606.html [30]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007282.html [31]: https://lists.eff.org/pipermail/https-everywhere/2014-August/002199.html [32]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007284.html [33]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007285.html [34]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007287.html [35]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007288.html [36]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007293.html The
Re: [tor-talk] Tor DNS
Mike Fikuart: > My thought was that [hiddenservice].onion would be dealt with by the > Tor NameServer to return the hostname (derived from public key). So if I understand correctly, you would like some entity to keep a directory of human memorizable names pointing to hidden service addresses. The problem is this entity will be subject to pression from many different actors. How should litigation over a unique name be handled? What if some state decides this site should be censored? This is not a very good place to be if you care about freedom of communication (vs. only making money). -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — July 30th, 2014
authorities [41]. Tor users can circumvent this block by getting bridges from BridgeDB [42] and entering the bridge addresses they receive into their Tor Browser. [40]: https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2014-04-30&end=2014-07-28&country=ir&events=on#userstats-relay-country [41]: https://bugs.torproject.org/12727 [42]: https://bridges.torproject.org/ Upcoming events --- Aug. 1 16:00 UTC | Pluggable transports online meeting | #tor-dev, irc.oftc.net | Aug. 3 19:00 UTC | Tails contributors meeting | #tails-dev, irc.indymedia.org / h7gf2ha3hefoj5ls.onion | https://mailman.boum.org/pipermail/tails-project/2014-July/00.html | August 18 | Roger @ FOCI ’14 | San Diego, California, USA | https://www.usenix.org/conference/foci14 | August 20-22 | Roger @ USENIX Security Symposium ’14 | San Diego, California, USA | https://www.usenix.org/conference/usenixsecurity14 This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, harmony, and Philipp Winter. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [43], write down your name and subscribe to the team mailing list [44] if you want to get involved! [43]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [44]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] how many verify their tbb ?
mick: > I have just checked on my tails mirror and I get the slightly > depressing results below: > > cat tails.log.1 | grep tails-i386-1.1.iso | grep -v .sig | sort -t. +0 > -3 -u | wc -l > > 1774 > > cat tails.log.1 | grep tails-i386-1.1.iso.sig | sort -t. +0 -3 -u | wc > -l > > 12 > > which I make 0.68% Except that if you folow the “download, verify, install” instructions, the link to download the signature is hosted on <https://tails.boum.org/>. So users are unlikely to get the signature from your mirror. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] how many verify their tbb ?
shm...@riseup.net: > are there any stats available to see the % of people who verify their > tbb download (cross ref same IP for both the .xz and .asc or shasum txt > file ???) as a % of total tbb downloads ? would you have any suggestions on how to gather such stats? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
CJ: > But yeah, I know, users like "all-in-one apps" — who knows, once > torrific is ready (i.e. no more broken rules, no more bugs like "craps, > network's broken")… the devs may get some PR ;). > Torrific is also, for me, a way to play with android without annoying > other applications. Sorry for not pointing this earlier, but Torrific is really not an ideal name for your application. People tend to belive that things named “Tor-something” are from the Tor Project. See: <https://www.torproject.org/docs/trademark-faq.html.en>. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Android app: Torrific
CJ: > Just a small announce (not sure if this is the right ML, sorry). > I'm developing an Android app allowing to block all IP traffic, and > force only selected app through Orbot. > This is done because neither Orbot nor AFWall (or other free, opensource > Android iptables managment interface) seem to be able to do that… Orbot is free software. Isn't there a way to add the needed features directly to it? Sorry if it's a naive question, I'm not very knowledgable regarding Android. But I know that asking our users to install 3 different apps or even more is not friendly. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — July 23rd, 2014
://twistedmatrix.com/ [17]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007166.html Roger Dingledine posted [18] an official reaction to the cancellation of a proposed talk at the upcoming Blackhat2014 conference dealing with possible deanonymization attacks on Tor users and hidden services. [18]: https://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation Tor ships with a sample webpage [19] that can be used by exit node operators to identify their system as such to anyone wishing to identify the source of Tor traffic. Operators most often copy and adapt this template to the local situation. Mick Morgan discovered than his version was out of sync [20] and contained broken links. “If other operators are similarly using a page based on the old template, they may wish to update”, Mick advised. [19]: https://gitweb.torproject.org/tor.git/blob_plain/HEAD:/contrib/operator-tools/tor-exit-notice.html [20]: https://lists.torproject.org/pipermail/tor-relays/2014-July/004982.html Michael Rogers, one of the developers of Briar [21], announced [22] a new mailing list [23] for discussing peer-to-peer-based communication systems based on Tor hidden services. As Briar and other systems might be “running into similar issues”, a shared place to discuss them seemed worthwhile. [21]: https://briarproject.org/ [22]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007161.html [23]: https://fulpool.org/cgi-bin/mailman/listinfo/hidden-services Karsten Loesing and Philipp Winter are looking for front-end web developers [24]: “We are looking for somebody to fork and extend one of the two main Tor network status websites Atlas [25] or Globe [26]” writes Karsten. Both websites currently need love and new maintainers. Please reach out if you want to help! [24]: https://blog.torproject.org/blog/looking-front-end-web-developers-network-status-websites-atlas-and-globe [25]: https://atlas.torproject.org/ [26]: https://globe.torproject.org/ The database which holds Tor bridges, usually called BridgeDB [27], is able to give out bridge addresses through email. This feature was recently extended to make the email autoresponder support more bridge types, which required introducing new keywords that must be used in the initial request. Matthew Finkel is looking for feedback [28] on the current set of commands and how they could be improved. [27]: https://gitweb.torproject.org/bridgedb.git [28]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007164.html Lunar wrote a detailed report [29] on his week at the Libre Software Meeting in Montpellier, France. The report covers the booth jointly held with Nos Oignons [30], his talk in the security track, and several contacts made with other free software projects. [29]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000593.html [30]: https://nos-oignons.net/ Here’s another round of reports from Google Summer of Code students: the mid-term: Amogh Pradeep on Orbot and Orfox improvements [31], Israel Leiva on the GetTor revamp [32], Quinn Jarrell on the pluggable transport combiner [33], Juha Nurmi on the ahmia.fi project [34], Marc Juarez on website fingerprinting defenses [35], and Daniel Martí on incremental updates to consensus documents [36]. [31]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007152.html [32]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007156.html [33]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007157.html [34]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000594.html [35]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000595.html [36]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007163.html Tim Retout announced [37] that apt-transport-tor [38] 0.2.1 has entered Debian unstable. This package enables APT to download Debian packages through Tor. [37]: http://retout.co.uk/blog/2014/07/21/apt-transport-tor [38]: https://tracker.debian.org/pkg/apt-transport-tor Atlas [39] can now also be used to search for Tor bridges. In the past, Atlas was only able to search for relays. This was made possible thanks to a patch [40] developed by Dmitry Eremin-Solenikov. [39]: https://atlas.torproject.org/ [40]: https://bugs.torproject.org/6320 Thanks to Tim Semeijn [41] and Tobias Bauer [42] for setting up new mirrors of the Tor Project’s website and its software. [41]: https://lists.torproject.org/pipermail/tor-mirrors/2014-July/000642.html [42]: https://lists.torproject.org/pipermail/tor-mirrors/2014-July/000646.html Tor help desk roundup - Some Linux users have experienced missing dependency errors when trying to install Tor Browser from their operating system’s software repositories. Tor Browser should only be installed from the Tor Project’s website, and never from a software repository. In other words, using apt-get or yum to install Tor Browser is discouraged. Downloading
Re: [tor-talk] Tor use metrics
mshel...@uci.edu: > I'm interested in mapping the adoption of Tor over the past couple of > years. One enduring challenge is that the available traffic statistics > (https://metrics.torproject.org) reportedly also include a huge spike in > use around mid-2013, connected to a botnet routing through Tor. > > If anyone might offer advice on getting more precise statistics, the > assistance is appreciated. You might want to have a look at: https://trac.torproject.org/projects/tor/ticket/10675 and: https://trac.torproject.org/projects/tor/attachment/ticket/10675/tbbhits.txt Unfortunately the effort staled and the latter file only covers November 2013 to January 2014. That might still give a couple data points. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — July 16th, 2014
. Until new documentation on using the up-to-date images and Amazon Web Services interface lands, users not already familiar with AWS may want to use a different virtual server provider to host their bridges. Easy development tasks to get involved with --- The setup scripts of the Flashproxy and Obfsproxy pluggable transports attempt to download and build the M2Crypto library if they are not already installed. We´d really want to avoid this and have the setup script fail if not all libraries are present for building Flashproxy. The ticket that describes this bug also outlines a possible workaround that disables all downloads during the setup process [43]. If you know a bit about setuptools and want to turn this description into a patch and test it, please give it a try. [43]: https://bugs.torproject.org/10847#comment:4 Upcoming events --- July 15-19| 14th Privacy Enhancing Technologies Symposium | Amsterdam, The Netherlands | https://petsymposium.org/2014/ | August 20-22 | Roger @ USENIX Security Symposium ’14 | San Diego, California, USA | https://www.usenix.org/conference/usenixsecurity14 This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, Karsten Loesing, and George Kadianakis. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [44], write down your name and subscribe to the team mailing list [45] if you want to get involved! [44]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [45]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] GnuPG and Tor
Red Sonja: > Rejo Zenger: > > ++ 15/07/14 14:09 -0400 - grarpamp: > >>> secured server. Or anybody can see your whole addressbook. So it is a > >>> secured server. But still, it is quite obvious who am I just by looking > >>> at that list. So I figured out, maybe if I push the refresh through Tor, > >>> talking with a secured server that would make things more private. I > >> > >> And unless one by one with --recv-keys, keyserver sees your > >> entire list at once. > > > > Which means: the only thing you are protecting (by using Tor when > > updating your keychain) is the source IP-address for the refresh, e.g. > > your location. > > So the whole GnuPG is antithetical to anonymity? If you use public key cryptography, we can say yes. That's why we often differenciate between anonymity and pseudonymity. With GnuPG, one can create a strong pseudonymous identity. Using Tor while using this identity will make it harder to link it with other identities. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Hidden service 1024-bit
Fedor Brunner: > Is is possible to replace the 1024-bit RSA key in Hidden Services with > a longer key? Or is it possible to replace it with Ed25519 ? It's on the roadmap. Feel free to help: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec-ng.txt -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Can NAT traversal be Tor's killer feature?
Helder Ribeiro: > tl;dr: how about a virtual global flat LAN that maps static IPs to > onion addresses? Are you aware of OnionCat? https://www.onioncat.org/ From the description of the Debian package: OnionCat creates a transparent IP layer on top of Tor hidden services. It transparently transmits any kind of IP-based data through the Tor network on a location hidden basis. You can think of it as a point-to-multipoint VPN between hidden services. OnionCat is a stand-alone application which runs in userland and is a connector between Tor and the local OS. Any protocol based on IP, such as UDP or TCP, can be transmitted. OnionCat supports IPv6; native IPv4 forwarding, though still available, is deprecated: the recommended solution for IPv4 forwarding is to build a IPv4-through-IPv6 tunnel through OnionCat. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — July 9th, 2014
Tor Weekly News July 9th, 2014 Welcome to the twenty-seventh issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community. On being targeted by the NSA Das Erste has published an article [1] and supporting material [2] showing how the NSA explicitly targets Tor and Tails user through the XKEYSCORE Deep Packet Inspection system. Several other media picked up the news, and it was also discussed in various threads on the tor-talk mailing list [3,4,5,6,7,8,9]. The Tor Project’s view has been reposted [10] on the blog. To a comment that said “I felt like i am caught in the middle of a two gigantic rocks colliding each other”, Roger Dingledine replied [11]: “You’re one of the millions of people every day who use Tor. And because of the diversity of users […], just because they know you use Tor doesn’t mean they know *why* you use Tor, or what you do with it. That’s still way better than letting them watch all of your interactions with all websites on the Internet.” [1]: http://daserste.ndr.de/panorama/aktuell/nsa230_page-1.html [2]: http://daserste.ndr.de/panorama/xkeyscorerules100.txt [3]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033473.html [4]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033564.html [5]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033640.html [6]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033642.html [7]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033656.html [8]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033703.html [9]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033749.html [10]: https://blog.torproject.org/blog/being-targeted-nsa [11]: https://blog.torproject.org/blog/being-targeted-nsa#comment-64376 More monthly status reports for June 2014 - The wave of regular monthly reports from Tor project members for the month of June continued, with submissions from Georg Koppen [12], Lunar [13], Noel David Torres Taño [14], Matt Pagan [15], Colin C. [16], Arlo Breault [17], and George Kadianakis [18]. Mike Perry reported on behalf of the Tor Browser team [19]. [12]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000576.html [13]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000577.html [14]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000578.html [15]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000579.html [16]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000580.html [17]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000583.html [18]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000585.html [19]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000584.html Miscellaneous news -- An Austrian Tor exit node operator interpreted [20] their conviction in a first ruling as judging them “guilty of complicity, because he enabled others to transmit content of an illegal nature through the service”. Moritz Bartl from Torservers.net [21] commented [22]: “We strongly believe that it can be easily challenged. […] We will definitely try and find some legal expert in Austria and see what we can do to fight this.” [20]: https://network23.org/blackoutaustria/2014/07/01/to-whom-it-may-concern-english-version/ [21]: https://www.torservers.net/ [22]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033613.html Linus Nordberg is expanding the idea of public, append-only, untrusted log à la Certificate Transparency [23] to the Tor consensus. Linus submitted a new draft proposal to the tor-dev mailing list for reviews [24]. [23]: http://www.certificate-transparency.org/ [24]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007092.html Miguel Freitas reported [25] that twister [26] — a fully decentralized P2P microblogging platform — was now able to run over Tor. As Miguel wrote, “running twister on top of Tor was a long time goal, […] the Tor support allows a far more interesting threat model”. [25]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033580.html [26]: http://twister.net.co/ Google Summer of Code students have sent a new round of reports after the mid-term: Israel Leiva on the GetTor revamp [27], Amogh Pradeep on Orbot and Orfox improvements [28], Mikhail Belous on the multicore tor daemon [29], Daniel Martí on incremental updates to consensus documents [30], Sreenatha Bhatlapenumarthi on the Tor Weather rewrite [31], Quinn Jarrell on the pluggable transport combiner [32], Noah Rahman on Stegotorus enhancements [33], Marc Juarez on website fingerprinting
Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000
AntiTree: > If I were a betting person, a beer says that they will be summarizing the > current issues with hidden services, and as Adrian said, doing a client > side disbanding attack (e.g. Java + DNS) My own speculations is that they have used the attacks on guard relays described in the following blog post, maybe in combination with other attacks: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters They wanted a NDA, so most Tor Project's core contributors don't know what's in the air. Improving the situations of guard relays is tricky to get right. There's an open proposal in discussion: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/236-single-guard-node.txt It will also be a “hot topic” at the next Privacy Enhancing Technology Symposium: https://www.petsymposium.org/2014/papers/Dingledine.pdf https://www.petsymposium.org/2014/hotpets.php -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Exit Operator convicted in Austrian lower court
MacLemon: > German language Austrian Legalese background: > Austrian E-Commerce Law §15: Ausschluss der Verantwortlichkeit bei > Zwischenspeicherungen http://j.mp/1iYdg4L > > § 15. Ein Diensteanbieter, der von einem Nutzer eingegebene > Informationen in einem Kommunikationsnetz übermittelt, ist für eine > automatische, zeitlich begrenzte Zwischenspeicherung, die nur der > effizienteren Gestaltung der auf Abruf anderer Nutzer erfolgenden > Informationsübermittlung dient, nicht verantwortlich, sofern er > > 1. die Information nicht verändert, > 2. die Bedingungen für den Zugang zur Information beachtet, > 3. die Regeln für die Aktualisierung der Information, die in > allgemein anerkannten und verwendeten Industriestandards > festgelegt sind, beachtet, > 4. die zulässige Anwendung von Technologien zur Sammlung von > Daten über die Nutzung der Information, die in allgemein > anerkannten und verwendeten Industriestandards festgelegt sind, > nicht beeinträchtigt und > 5. unverzüglich eine von ihm gespeicherte Information entfernt > oder den Zugang zu ihr sperrt, sobald er tatsächliche Kenntnis > davon erhalten hat, dass die Information am ursprünglichen > Ausgangsort der Übertragung aus dem Netz entfernt oder der > Zugang zu ihr gesperrt wurde oder dass ein Gericht oder eine > Verwaltungsbehörde die Entfernung oder Sperre angeordnet hat. > > > > IANAL Paraphrased: > == > A service provider who transmits user-input over a > communications-network is not liable for a automated, time restricted > caching which only purpose is to more effectively provide information > requested by a user given that: > 1. the information is not altered > 2. access requirements are honored > 3. commonly accepted rules and industry standards for updating are > honored > 4. the lawful application of technology to collect data about > the usage of information as defined in commonly accepted and > applied industry standards is not harmed > 5. recorded information is immediately deleted or access to that > recorded information is denied as soon as they are informed of > the fact that the information has been deleted at it's point of > origin, access has been denied or in case a court or > regulatory-body(?) has ordered the blocking. For the record, this is the transcription of Article 12 of the european directive 2000/31/CE of 8 June 2000 which defines the “mere conduit” status. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0031:En:HTML Unless I'm mistaken, this means that this can also be appealed at the european level. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — July 2nd, 2014
Tor Weekly News July 2nd, 2014 Welcome to the twenty-sixth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community. Tor Weekly News turns one - The very first issue [1] of Tor Weekly News [2] was released on July 3rd last year. Since then, we have been able to provide you news about the Tor community every week (except one). Tor Weekly News is a community newsletter, so let’s all appreciate everyone who contributed so far: Andreas Jonsson, bastik, Colin, Damian Johnson, David Fifield, David Stainton, dope457, Georg Koppen, George Kadianakis, harmony, Jacob Appelbaum, Jesse Victors, Johannes Fürmann, Karsten Loesing, Kostas Jakeliūnas, Lunar, luttigdev, malaparte, Matt Pagan, Mike Perry, moskvax, murb, Nick Mathewson, Nicolas Vigier, nicoo, Nima, Paul Feitzinger, Peter Palfrader, Philipp Winter, Phoul, qbi, ra, rey, Roger Dingledine, Sandeep, sqrt2, the Tails developers, velope, whabib, Yawning, and several anonymous contributors. Join us [3]! The Tor community is always growing and there are always interesting topics to report about! [1]: https://lists.torproject.org/pipermail/tor-talk/2013-July/028770.html [2]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [3]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team 2014 Summer Tor meeting --- Dedicated Tor contributors are having a five day meeting [4] this week in Paris. Expect less online activity while keyboards are put away in favor of unmediated human interactions. Pictures of post-it-note-based brainstorming sessions can already be seen online [5], and more minutes should be coming soon. Unfortunately, due to several factors, there will be no widely open event around meeting this time. [4]: https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting [5]: https://people.torproject.org/~isis/2014-summer-tor-dev-meeting.postits.tar.xz Tails user experience experiments - Tails is experimenting on how to improve its user experience. u. reported on the first Tails UX experiments session [6]. Five people attended, trying to realize three different missions: “create a new encrypted document of your choice […], and save it to Tails, using persistence”, “find out the number of Tails downloads this month, and pass on this information using GPG via email”, “find one or more images [… and] clean up these files to erase any metadata”. Some of what has been learned by watching users has already been converted into concrete bugs and enhancement proposals. For the rest, read the detailed and insightful report! In the meantime, the first dialog window that appears when using Tails — also known as “the greeter” — is being redesigned. A first round of test images is now ready [7] for your feedback. [6]: https://mailman.boum.org/pipermail/tails-dev/2014-June/006200.html [7]: https://mailman.boum.org/pipermail/tails-dev/2014-June/006194.html Monthly status reports for June 2014 While Kevin Dyer sent out his report for May [8], the wave of regular monthly reports from Tor project members for the month of June has started. Damian Johnson released his report first [9], followed by reports from Pearl Crescent [10], Nick Mathewson [11], Karsten Loesing [12], and Sherief Alaa [13]. Lunar reported on behalf of the help desk [14]. [8]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000565.html [9]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000569.html [10]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000570.html [11]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000572.html [12]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000573.html [13]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000574.html [14]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000575.html Miscellaneous news -- Lunar shared some highlights [15] on a trip to Calafou, near Barcelona, to attend Backbone 409 [16], an event for “projects actively building infrastructures for a free Internet from an anti-capitalist point of view”. Topics under discussion included hosting websites in the face of legal threats; secure operating systems; and the logistics of running a Torservers.net partner organization. [15]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000568.html [16]: http://backbone409.calafou.org/ Juha Nurmi submitted a status report for the ahmia.fi Google Summer of Code project [17]. [17]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000571.html Nusenu warned [18] users of the Tor Project’s
Re: [tor-talk] torbirdy default settings
fari...@arcor.de: > It's not clear to me why torbirdy by default sets the port for socks > forwarding to 9150 while on the other hand the default port for tor is > 9050. And Torbirdy explicitely underlines it presumes the installation > of tor. The default port of the Tor Browser is 9150. Idea is that you start Tor Browser and then start Thunderbird with Torbirdy. Makes sense? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] unregister exit relay - how to
Luca: > Few days ago I have tried to setup an exit relay on my home laptop .. > with great success :) > > The bad part is after seeing my external ip address published to the > world on atlas or globe I have discovered I cannot access anymore to > some site with my payed premium login credential because the sites > policy don't allow access from the tor network even if I don't use a > tor client to browse the net. :( > > For this reason I stopped my exit relay, but to solve the problem I > need to unregister my external ip from the public list as well. > > How can I do that? It will be out of the consensus soon enough if it's down. The problem is that the blacklist used by the various sites you mention might keept it longer. The best thing you can do is get in touch with them. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — June 25th, 2014
[22]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007043.html Researchers from the Internet Geographies project at the Oxford Internet Institute produced a cartogram [23] of Tor users by country, using archived data freely available from the Tor Project’s own Metrics portal [24], along with an analysis of the resulting image. “As ever more governments seek to control and censor online activities, users face a choice to either perform their connected activities in ways that adhere to official policies, or to use anonymity to bring about a freer and more open Internet”, they conclude. [23]: http://geography.oii.ox.ac.uk/?page=tor [24]: https://metrics.torproject.org Andrew Lewman reported [25] that users with email addresses at Yahoo and AOL have been removed from the tor-relays mailing list [26], as these addresses have been bouncing list emails. [25]: https://lists.torproject.org/pipermail/tor-relays/2014-June/004752.html [26]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays Thanks to the FoDT.it webteam [27] and Maxanoo [28] for running mirrors of the Tor Project’s website! [27]: https://lists.torproject.org/pipermail/tor-mirrors/2014-June/000617.html [28]: https://lists.torproject.org/pipermail/tor-mirrors/2014-June/000619.html fr33tux shared [29] the slides [30] for a French-language presentation on Tor, delivered at Université de technologie Belfort-Montbéliard. The source code (in the LaTeX markup language) is also available [31]: “feel free to borrow whatever you want from it!” [29]: https://lists.torproject.org/pipermail/tor-talk/2014-June/07.html [30]: http://fr33tux.org/data/prez.pdf [31]: http://git.fr33tux.org/conference_tor_utbm.git Thanks to Ximin Luo, the server component of Flashproxy [32] is now available in Debian [33] in the “pt-websocket” package. [32]: https://crypto.stanford.edu/flashproxy/ [33]: https://packages.debian.org/sid/pt-websocket A couple of weeks ago, Roger Dingledine wondered “how many relays are firewalling certain outbound ports (and thus messing with connectivity inside the Tor network)”. ra has just published the results [34] of a three-week-long test of the interconnectivity between 6730 relays. Contacting the operators of problematic relays is probably the next step for those who wish to keep the network at its best. [34]: https://bugs.torproject.org/12131#comment:11 George Kadianakis slipped on his storyteller costume to guide us [35] through layers of the Tor core, motivated by the quest for knowledge. That accursed riddle, “Why does Roger have so many guards?”, now has an answer. Be prepared for a “beautiful stalagmite” and the “truly amazing” nature of Tor! [35]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007042.html Tor help desk roundup - If the Tor Browser stalls while “loading the network status”, please double-check that the system clock is accurate; the same goes for the timezone and daylight saving time settings. Tor needs an accurate clock in order to prevent several classes of attacks on its protocol. It won’t work properly when the local time does not match the one used by other network participants. Easy development tasks to get involved with --- When the tor daemon is configured to open a SOCKS port on a public address, it warns about this possible configuration problem twice: once when it reads the configuration file, and a second time when it opens the listener. One warning should be enough. We had a friendly volunteer two years ago who sketched out possible fixes and even wrote a patch, but then concluded that his patch had a problem and went away. If you’re up to some digging into tor’s configuration file handling, and want to clean up a two-year-old patch potentially to be included in tor 0.2.6, please find the details in the ticket [36]. It’s tagged as easy, so how hard can it be? [36]: https://bugs.torproject.org/4019 Upcoming events --- June 25 19:00 UTC | little-t tor development meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html | June 27 15:00 UTC | Tor Browser online meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tbb-dev/2014-April/49.html | June 30 — July 4 | Tor’s Summer Dev Meeting | Paris, France | https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting | July 5-11 | Lunar @ Libre Software Meeting 2014 | Montpellier, France | https://2014.rmll.info/?lang=en This issue of Tor Weekly News has been assembled by harmony, Lunar, Matt Pagan, Karsten Loesing, and Roger Dingledine. Want to continue reading TWN? Please help us create this newsletter. We still need
Re: [tor-talk] Torproject's package server dumped...
ttzeqq: > My ubuntu shows 404 not found while using " > http://deb.torproject.org/torproject.org"; for reaching debs. Which version of Ubuntu are you running? Can you give us the relevant line from your sources.list in full? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — June 18th, 2014
on how to actually achieve better Drupal.org support for Tor users”. [33]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033250.html Chris Double described [34] a detailed but experimental method for using Tor with Firefox OS, the mobile operating system from Mozilla. “This is just a proof of concept. Don’t depend on this […] Ideally Tor would be integrated with Firefox OS so that you can start and stop it as a service and maybe whitelist or blacklist sites that should and shouldn’t use Tor. I hope to do some of this over time or hope someone else gets excited enough to work on it too.” [34]: http://bluishcoder.co.nz/2014/06/12/using-tor-with-firefox-os.html Tor help desk roundup - The help desk has received some complaints regarding the default window size of the Tor Browser. To prevent window size fingerprinting, the browser window size has been set to a multiple of 100 pixels according to the detected screen resolution. Taskbars in the user workspace making selecting an appropriate window size slightly more complicated though; more details are available on the bug’s ticket [35]. [35]: https://bugs.torproject.org/9268 News from Tor StackExchange --- bk201 found some random-looking domain names in the logs of some network software. These connection attempts disappeared when Tor was closed [36], so bk201 wants to know what they are. Lunar explained that they are requests for non-existent domain names. Tor wants to find out if some DNS servers send fake answers. This feature was added in 2007 [37]. [36]: https://tor.stackexchange.com/q/3324/88 [37]: https://gitweb.torproject.org/tor.git/blob/HEAD:/ReleaseNotes#l6663 user1747 often visits web sites which provide their services both within the visible web and as a hidden service (DuckDuckGo might serve as an example). Does the Tor Browser Bundle (TBB) automatically switch to a hidden service in this case [38]? mirimir explained that there is no connection between DNS and the names of hidden services, so TBB doesn’t know about this hidden service and can’t connect automatically. user2949 pointed to a plugin [39], similar to HTTPS Everywhere, that forwards a request to a hidden service if it is available. [38]: https://tor.stackexchange.com/q/3262/88 [39]: https://github.com/chris-barry/darkweb-everywhere Upcoming events --- June 18 19:00 UTC | little-t tor development meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html | June 20 15:00 UTC | Tor Browser online meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tbb-dev/2014-April/49.html | June 20 16:00 UTC | Pluggable transports online meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-April/006764.html | June 30 — Jul 4 | Tor’s Summer Dev Meeting | Paris, France | https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting This issue of Tor Weekly News has been assembled by harmony, Lunar, the Tails developers, Matt Pagan, Karsten Loesing, and qbi. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [40], write down your name and subscribe to the team mailing list [41] if you want to get involved! [40]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [41]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Decentralized internet with Tor
Brian Barker: > > The Tor group just released their plan for TorCoin > > <https://docs.google.com/file/d/0B7r4osQgWVqKTHdxTlowUVpsVmJRcjF3Y3dtcTVscFhEaW5F/view?sle=true> > > to deal with this issue. It's a method of mining TorCoins as you host a > > node, using the proof-of-work schemes to verify you contributed a given > > amount to the network. Seems like a great way to make this more popular. This document does not come from the Tor Project and to the best of my knowledge is not endorsed by the project in any way. > > Lastly, the Grugq has a project called Portal > > <https://github.com/grugq/portal> which configures routers as tor-only > > network nodes. There's also a Raspberry Pi version > > <https://github.com/grugq/PORTALofPi>. These could be a fantastic > > starting point to creating easily-configurable devices to put on the mesh > > net. > > I would love to hear more from Tor experts or anyone else interested in how > this could work. One thing that Tor gives you: it makes it hard for your Internet access provider to learn your network activities. This is best achieved when the Tor client is running on your computer if you want to avoid monitoring from people sharing the local network. The other thing is that applications tend to reveal much more that you think about your system or your work. Without an audit (and some changes), most applications will leak sensitive data. Channeling their network traffic blindly to the Tor network might just give you a false sense of security. I'm not saying that approaching the question at the router level is uninteresting, but it's far trickier to get right than one may think. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — June 4th, 2014
Tor Weekly News June 4th, 2014 Welcome to the twenty-second issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community. Tails moves to Wheezy - The Tails live system [1] is a Debian derivative [2] aiming at preserving the privacy and anonymity of its users. The first Tails releases were based on Debian Lenny [3] (2009-2012); since version 0.7, Tails has been based on Debian Squeeze [4] (2011-). Meanwhile, Debian has released a new stable version dubbed Wheezy [5], and the upcoming Tails 1.1 will be the first release to be based on the latter. The general set of features should not change much from the previous Tails release, but almost every software component has been updated. On May 30th, the Tails team released a beta image [6]; given the number of changes, testing is even more welcome than usual. Testers can also try out the new UEFI support, which enables Tails to boot on recent hardware and on Macs. Several issues [7] with the current beta image have already been identified, so be sure to have a look at the list before reporting [8]. The details of the release schedule are still being discussed [9] at the time of writing, but Tails 1.1 is likely to be out by the end of July. Please help make it a great release! [1]: https://tails.boum.org/ [2]: https://wiki.debian.org/Derivatives [3]: https://www.debian.org/releases/lenny/ [4]: https://www.debian.org/releases/squeeze/ [5]: https://www.debian.org/releases/wheezy/ [6]: https://tails.boum.org/news/test_1.1-beta1/ [7]: https://tails.boum.org/news/test_1.1-beta1/#index3h1 [8]: https://tails.boum.org/doc/first_steps/bug_reporting/ [9]: https://mailman.boum.org/pipermail/tails-dev/2014-May/005917.html Stem 1.2 brings interactive interaction with the Tor daemon --- On June 1st, Damian Johnson announced [10] the release of Stem [11] 1.2. Stem is a Python library for interacting with the Tor daemon. It is now used by several applications [12] like the arm [13] status monitor and Philipp Winter’s exit scanner [14]. The new version brings an interactive control interpreter, “a new method for interacting with Tor’s control interface that combines an interactive python interpreter with raw access similar to telnet”. This should make Tor hackers happy by saving them from having to manually poke the control port through telnet or create complete Stem scripts. For the complete list of changes, head over to the changelog [15]. [10]: https://blog.torproject.org/blog/stem-release-12 [11]: https://stem.torproject.org/ [12]: https://stem.torproject.org/tutorials/double_double_toil_and_trouble.html [13]: https://www.atagar.com/arm/ [14]: http://www.cs.kau.se/philwint/spoiled_onions/ [15]: https://stem.torproject.org/change_log.html#version-1-2 Monthly status reports for May 2014 --- The wave of regular monthly reports from Tor project members for the month of May has begun. Pearl Crescent released their report first [16], followed by Sherief Alaa [17], Damian Johnson [18], Nick Mathewson [19], Colin C. [20], Georg Koppen [21], Lunar [22], Arlo Breault [23], and Matt Pagan [24]. Lunar also reported on behalf of the help desk [25], while Arturo Filastò did likewise for the OONI team [26], and Mike Perry for the Tor Browser team [27]. [16]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000539.html [17]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000540.html [18]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000542.html [19]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000543.html [20]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000544.html [21]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000545.html [22]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000546.html [23]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000548.html [24]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000550.html [25]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000541.html [26]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000547.html [27]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000549.html Miscellaneous news -- Pups, a chat system implemented by Sherief Alaa for real-time invitation-based user support, has gone live [28], and can now be used by Tor’s support assistants when that method promises a quicker resolution of an issue. [28]: https://bugs.torproject.org/11657 In response to a question about the writing of unit tests for tor, Nick Mathewson shared [29] a
Re: [tor-talk] Craigslist now giving Tor the slows, lol
Mirimir: > NOW=`date +%F_%H-%M` > echo " dump IP Chicken at $NOW" > links2 -g -dump http://ipchicken.com/ > ~/dumps/IP-$NOW & > NOW=`date +%F_%H-%M` > echo " dump Craigslist URL http://$CLURL at $NOW" > links2 -g -dump http://$CLURL > ~/dumps/$CLURL-$NOW & TTBOMK this won't work as you'd like. Tor will create a different circuit for each host you try to contact. The circuit used by the first `links2` will be different that then one that follows. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Best onion email system?
Bobby Brewster: > From the Hidden Wiki. > > Bitmessage - http://bitmailendavkbec.onion/ - > MailTor - http://mailtoralnhyol5v.onion/src/login.php - > Mail2Tor - http://mail2tor2zyjdctd.onion/ - > TorBox - http://torbox3uiot6wchz.onion/ > > These all provide a SquirrelMail box. Bitmessage also has a nicer box where > you can sent / receive HTML (not that I want to do that). > > Does anyone have any comments about these free services? I would not trust them. Someone has at least to pay for the bandwidth and the electricity somehow. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — May 28th, 2014
Tor Weekly News May 28th, 2014 Welcome to the twenty-first issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community. OnionShare and tor’s ControlPort Micah Lee published OnionShare [1], a program that “makes it simple to share a file securely using a password-protected Tor hidden service”. It originally ran only in Tails, but has now been made compatible with other GNU/Linux distros, Windows, and OS X. As part of that process, Micah wondered [2] about the best way to make the program work with a Tor Browser or system tor process, as “I would really like to not be in the business of distributing Tor myself”. meejah [3] and David Stainton [4] responded with relevant details of the Stem [5] and txtorcon [6] controller libraries, which allow this kind of operation to take place via tor’s ControlPort. [1]: https://github.com/micahflee/onionshare [2]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006895.html [3]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006896.html [4]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006899.html [5]: https://stem.torproject.org/ [6]: https://github.com/meejah/txtorcon The “Tor and HTTPS” visualization made translatable --- Lunar announced [7] the creation of a repository [8] for an SVG+Javascript version of the EFF’s interactive “Tor and HTTPS” visualization [9], which has proven useful in explaining to users the types of data that can be leaked or intercepted, and by whom, when using Tor or HTTPS (or both, or neither). As Lunar wrote, “The good news is that it’s translatable”: copies have so far been published in over twenty languages. The amount of translation required is very small, so if you’d like to contribute in your language then download the POT file [10] and submit a patch! [7]: https://lists.torproject.org/pipermail/tor-talk/2014-May/033001.html [8]: https://people.torproject.org/~lunar/tor-and-https/ [9]: https://www.eff.org/pages/tor-and-https/ [10]: https://gitweb.torproject.org/user/lunar/tor-and-https.git/blob/HEAD:/tor-and-https.pot A Child’s Garden of Pluggable Transports David Fifield published [11] “A Child’s Garden of Pluggable Transports” [12], a detailed visualization of different pluggable transport protocols, including “aspects of different transports that I think are hard to intuit, such as what flash proxy rendezvous looks like, and how transports look under the encrypted layer that is visible to a censor”. A few other transports supported by Tor [13] are not yet discussed in the guide; “if you know how to run any of those transports, and you know an effective way to visualize it, please add it to the page”, wrote David. [11]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006891.html [12]: https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports [13]: https://www.torproject.org/docs/pluggable-transports Miscellaneous news -- Anthony G. Basile released [14] version 20140520 of tor-ramdisk [15], the micro Linux distribution “whose only purpose is to host a Tor server in an environment that maximizes security and privacy”. The new version upgrades Tor to version 0.2.4.22, which “adds an important block to authority signing keys that were used on authorities vulnerable to the “heartbleed” bug in OpenSSL”, among other fixes; upgrading “is strongly recommended”. [14]: http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-May/000131.html [15]: http://opensource.dyc.edu/tor-ramdisk Cure53 audited the security [16] of the Onion Browser [17], a web browser for iOS platforms tunneling traffic through Tor. From the conclusion: “we believe that the Onion Browser project is on the right track, however there is still a long way ahead for the project to be appropriately ‘ripe’ for usage in actually privacy-relevant and critically important scenarios.” All reported issues should have been fixed in release 1.5 [18] on May 14th. [16]: https://cure53.de/pentest-report_onion-browser.pdf [17]: https://mike.tig.as/onionbrowser/ [18]: https://mike.tig.as/onionbrowser/security/#v1_5 A new pluggable transport, currently named obfs4 [19], is being crafted by Yawning Angel: “obfs4 is ScrambleSuit with djb crypto. Instead of obfs3 style UniformDH and CTR-AES256/HMAC-SHA256, obfs4 uses a combination of Curve25519, Elligator2, HMAC-SHA256, XSalsa20/Poly1305 and SipHash-2-4”. The feature set offered by obfs4 is comparable to ScrambleSuit, with minor differences. Yawning is now asking the community for comments, reviews, and tests [20]. [19]: https://github.com/Yawning/obfs4 [20]: https
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
harmony: > > For “connection”, I can try with the other fonts you've mentioned, > > but I would be happy if you could tell me what I should be looking > > at. :) > > Now that I look again, I think that's just the style of the font > coupled with the smallness of the image (and my bad eyes), rather than > a problem with the rendering. Thanks for fixing it. Mh… I've switch to Droid Arabic Naskh: https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-0.png https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-3.png Is it better? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
harmony: > Lunar: > > The SVG should now use the default “sans-serif” font and be ok. The > > PNG are still using Amiri and do not look too awful at first > > sight. > > The words I pointed out are still messed-up in the PNGs, but other > than that everything looks fine as you say. *sigh* I belive “password” is wrong because of the mishandling of bidirectionality. Is there a way to have only Arabic and drop latin symbols from that string? For “connection”, I can try with the other fonts you've mentioned, but I would be happy if you could tell me what I should be looking at. :) -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
harmony: > harmony: > > Lunar: > >> harmony: > >>> It all looks great to me, but other Arabic speakers may have comments. > >> > >> Took me a while, but now rasterized versions are properly rendered as > >> well: > >> https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-0.png > >> https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-1.png > >> https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-2.png > >> https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-3.png > >> > >> Hope the new Arabic font (Amiri) is still readable. > > > > Hmm, to my mind it is less readable at that size than the first > > version, and these images seem to have trouble with some ligatures > > like lam-mim in the middle of the first part of the word for > > 'password' (the word for 'connection' also looks weird for some less > > obvious reason). > > The interactive SVG is also now broken for me in Tor Browser (the Arabic > letters do not connect up). In Firefox it looks fine, and the font is > not affected by the same ligature problems as the PNG images; could > still do with being a bit larger though, if it'll fit. Localization is so much fun. So PhantomJS 1.9.0 does not properly display Arabic without a webfont. And Firefox 24 does not properly display Arabic with a webfont. *grin* (Firefox 29 is fixed though.) The SVG should now use the default “sans-serif” font and be ok. The PNG are still using Amiri and do not look too awful at first sight. I believe the translation for ISP to be too long. Is there any shorter string that could convey the meaning? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
irregula...@riseup.net: > here's another version. I removed the accents from the strings which are > showed capitalized, earning a little space. The translation of "user / > pw" is the main problem and i decided to chop the words in greek. Hope > it fits now. Great! :) https://people.torproject.org/~lunar/tor-and-https/gr/tor-and-https.svg https://people.torproject.org/~lunar/tor-and-https/gr/tor-and-https-0.png https://people.torproject.org/~lunar/tor-and-https/gr/tor-and-https-1.png https://people.torproject.org/~lunar/tor-and-https/gr/tor-and-https-2.png https://people.torproject.org/~lunar/tor-and-https/gr/tor-and-https-3.png -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
harmony: > It all looks great to me, but other Arabic speakers may have comments. Took me a while, but now rasterized versions are properly rendered as well: https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-0.png https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-1.png https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-2.png https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https-3.png Hope the new Arabic font (Amiri) is still readable. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
irregula...@riseup.net: > On 05/23/2014 02:25 PM, irregula...@riseup.net wrote: > > > > a greek translation file is attached. I hope the strings aren't too big > > to fit. > > See the result: https://people.torproject.org/~lunar/tor-and-https/gr/tor-and-https.svg It seems that the Tor Browser does not render Greek characters with a good font. The rasterized version looks better: https://people.torproject.org/~lunar/tor-and-https/gr/tor-and-https-0.png Some still are too long though, you might want to fix them. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Onion Pi and Tor Talk Meta
Charles Thomas: > Adafruit has a tutorial <https://learn.adafruit.com/onion-pi/overview> on > how to make a Onion Pi, that was featured in Make Magazine. (It was actually > my first exposure to Tor.) It works by having a Raspberry Pi run Tor and > broadcast a WiFi signal that uses the Tor connection. Then, laptops can > connect to the Wifi and use their computer as usual, but using Tor. I was > wondering with all of the DNS leak issues and such, am I correct in thinking > that this simulates running Tails? (i.e. does it effectively remove DNS > leaks and prevent programs such as Skype from using non-Tor pathways?) Such setup is called “transparent proxying”. This does not simulate using Tails. Tails has removed transparent proxying (except for hidden services) a while ago (0.10, 2012-01-04). Transparent proxying means that applications will just happily connect to wherever they want to connect. That means sending local IP address, serial number for software updates, usernames and many other identifying information. Often without proper encryption or peer authentication. It is true that such setup will make all DNS requests go through Tor. But DNS requests are not the only leaks you need to protect from. Such setup makes it hard to use the Tor Browser which contains many changes needed to prevent fingerprinting while using the web. To sum it up, this is likely to give a false sense of security or worse. > Also, how do I only respond to part of peoples emails in the list? (i.e. > have a some of their text with a blue bar next to it, then some of mine, > etc) I'm using Thunderbird. Configure Thunderbird to only compose plain text messages. Then delete the text you don't want to quote. It's simply text. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
Kus: > Turkish translation fie is attached. Merged. Result is visible at: https://people.torproject.org/~lunar/tor-and-https/tr/tor-and-https.svg Thanks! -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
Rejo Zenger: > ++ 22/05/14 00:32 +0200 - Lunar: > >Thanks! Have a look at the result at: > >https://people.torproject.org/~lunar/tor-and-https/nl/tor-and-https.svg > > Less generic, but a lot shorter and probably better. See attachment. Updated, thanks! :) -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
Jon: > One thought as I played around with it would be to replace "..." with > a strike-through of the information that is not available based on the > combination of technologies chosen? That would be a nice idea to try. Unfortunately, the current Tor Browser rendering engine does not implement "text-decoration: strikethrough" (the one based on Firefox 32 should) and I'm not sure Inkscape does either… -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Tor Browser for Raspbian
SecTech: > I want to use my Raspberry as a easy and cheap Tor access. But not to > setup Tor is the problem, to setup the browser in a secure way is the > problem. I had a browser setup before I used TBB and thought I could > setup it for myself. > At first I tried to copy the TBB profile to my Raspbian and use it > with Iceweasel. No success, the Torbutton was missbehaving and the > browser was not using Tor. > The second thing I tried was to extract the browser profile from > TAILS. No success too. The Tor Browser is not only a Firefox profile and extensions. It is also change to Firefox code without which it will not work. You might try to rebuild the iceweasel package made by Tails for Raspbian, but it's likely to take some time: http://deb.tails.boum.org/pool/main/i/iceweasel/iceweasel_24.5.0esr-1%2btails1~bpo70%2b1.dsc -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
harmony: > harmony: > >> Hi! > >> > >> A while ago, the EFF published the “Tor and HTTPS” visualization at: > >> <https://www.eff.org/pages/tor-and-https/>. It has always been a good > >> tool to explain what Tor can and cannot do for you. > >> > >> With the help of Mark Burdett from the EFF who retrieved the original > >> vector drawings, I've worked on a SVG+JavaScript version. It works fine > >> in the Tor Browser and Firefox. I did not tests other browsers. The good > >> news is that it's translatable. > > > > An Arabic version is attached. There may be layout issues but I can edit > > it if need be. Oh my, I knew handling RTL correctly was going to be party time. Have a look at the result: https://people.torproject.org/~lunar/tor-and-https/ar/tor-and-https.svg How does it feel? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
Rejo Zenger: > ++ 21/05/14 10:34 +0200 - Lunar: > >POT file for translators: > >https://gitweb.torproject.org/user/lunar/tor-and-https.git/blob/HEAD:/tor-and-https.pot > > Here's a Dutch translation. I have choosen for the best words possible, > from a language and enduser readability point-of-view. If some of them > are too long, let me know and I'll shorten them a bit. Thanks! Have a look at the result at: https://people.torproject.org/~lunar/tor-and-https/nl/tor-and-https.svg -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — May 21st, 2014
should really abort. This sounds like a trivial change, but maybe there’s more to fix in the nearby code. If you like Python and want to give it a try, there’s more information for you on the ticket. [44]: https://www.torproject.org/projects/obfsproxy.html [45]: https://trac.torproject.org/projects/tor/ticket/9823 Upcoming events --- May 21 19:00 UTC | little-t tor development meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html | May 23 15:00 UTC | Tor Browser online meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tbb-dev/2014-April/49.html | May 23 16:00 UTC | Pluggable transports online meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-April/006764.html | May 27-28| Tor @ Stockholm Internet Forum | Stockholm, Sweden | http://www.stockholminternetforum.se/ This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, Karsten Loesing, qbi, and Georg Koppen. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [46], write down your name and subscribe to the team mailing list [47] if you want to get involved! [46]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [47]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] “Tor and HTTPS”: visualization of information leaks
Jens Kubieziel: > * Lutz Horn schrieb am 2014-05-21 um 10:54 Uhr: > > I've attached a German version. In German words tend to be longer so > > You were a bit faster. :-) Thanks to you both. Pushed and visible at: https://people.torproject.org/~lunar/tor-and-https/de/tor-and-https.svg I guess the font needs to be made smaller now. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] “Tor and HTTPS”: visualization of information leaks
Hi! A while ago, the EFF published the “Tor and HTTPS” visualization at: <https://www.eff.org/pages/tor-and-https/>. It has always been a good tool to explain what Tor can and cannot do for you. With the help of Mark Burdett from the EFF who retrieved the original vector drawings, I've worked on a SVG+JavaScript version. It works fine in the Tor Browser and Firefox. I did not tests other browsers. The good news is that it's translatable. English version: https://people.torproject.org/~lunar/tor-and-https/en/tor-and-https.svg French version: https://people.torproject.org/~lunar/tor-and-https/fr/tor-and-https.svg Source: https://gitweb.torproject.org/user/lunar/tor-and-https.git POT file for translators: https://gitweb.torproject.org/user/lunar/tor-and-https.git/blob/HEAD:/tor-and-https.pot All under CC-BY 3.0. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] ICANN and .onion
Anders Andersson: > A few years ago, ICANN started to accept suggestions for new top-level > domain names. A friend recently posted a .onion link to me, and it made me > realize that there might be a big problem if a company or organization > other than Tor actually registered .onion and made it work in any browser. > > 1) Has there been any discussions regarding the severity of the problem if > it should eventually happen? If so, are the discussions or the result of > them available online for reading? > > 2) Has Tor applied to ICANN about the .onion domain, or discussed the pro > and con of doing this? https://lists.torproject.org/pipermail/tor-dev/2013-November/005747.html The document actually expired yesterday: https://tools.ietf.org/html/draft-grothoff-iesg-special-use-p2p-names-02 The last call for review on DNSOP has seen no reaction: https://www.ietf.org/mail-archive/web/dnsop/current/msg11364.html I am not familiar enough of IETF processes to know what that means. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — May 14th, 2014
Tor Weekly News May 14th, 2014 Welcome to the nineteenth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community. Tor Browser 3.6.1 is released - On May 7th, version 3.6.1 of the Tor Browser was released [1]. Apart from updating HTTPS Everywhere and NoScript, the new release mainly solves a regression experienced by proxy users [2]. The new version should not error out with “You have configured more than one proxy type” anymore. [1]: https://blog.torproject.org/blog/tor-browser-361-released [2]: https://trac.torproject.org/projects/tor/ticket/11658 More monthly status reports for April 2014 -- More monthly reports from Tor project members have arrived this week with submissions from Nicolas Vigier [3] and Roger Dingledine [4]. Roger also sent the report for SponsorF [5]. The Tails team has released theirs [6]. [3]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000531.html [4]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000533.html [5]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000532.html [6]: https://tails.boum.org/news/report_2014_04/ Miscellaneous news -- ooniprobe 1.0.2 has been released [7]. The new version brings security fixes, a manpage, a test for Tor bridge reachability among other improvements. [7]: https://lists.torproject.org/pipermail/ooni-dev/2014-May/000114.html As the Tor blog should migrate away from its current decaying software [8], Eric Schaefer wrote [9] to tell that he had extracted all blog posts in a format ready for a static site generator. Comments are also available. One option would be to import them in a dedicated commenting system. Tom Purl has setup [10] a test Juvia instance for anyone who wish to give it a shot. [8]: https://bugs.torproject.org/10022 [9]: https://lists.torproject.org/pipermail/www-team/2014-May/000316.html [10]: https://lists.torproject.org/pipermail/www-team/2014-May/000318.html David Fifield released [11] a new round of Tor Browser packages modified to include meek [12]. “Unlike previous bundles […], these ones aren’t configured to use meek automatically. You have to select ‘Configure’ on the network settings screen and then choose meek from the list of transports.” Please give them a try! [11]: https://lists.torproject.org/pipermail/tor-qa/2014-May/000410.html [12]: https://trac.torproject.org/projects/tor/wiki/doc/meek Isis Lovecruft rewrote [13] the email bridge distributor in order to fix some fundamental design problems with the old code. Reviews are welcome. [13]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006856.html Tor help desk roundup - A relay operator contacted the Tor Help Desk after seeing the following message in the Tor log: “http status 400 ("Fingerprint is marked rejected") response from dirserver '128.31.0.34:9131'”. One might see this message is if one’s relay was found to be vulnerable to the Heartbleed OpenSSL bug and subsequently removed from the Tor consensus. Instructions for upgrading one’s relay [14] are on the Tor project’s blog. [14]: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160 Upcoming events --- May 14 19:00 UTC | little-t tor development meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-March/006616.html | May 16 15:00 UTC | Tor Browser online meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tbb-dev/2014-April/49.html | May 18-21| 35th IEEE Symposium on Security and Privacy | San Jose, California, USA | http://www.ieee-security.org/TC/SP2014/ | May 27-28| Tor @ Stockholm Internet Forum | Stockholm, Sweden | http://www.stockholminternetforum.se/ This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, Karsten Loesing and Roger Dingledine. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [15], write down your name and subscribe to the team mailing list [16] if you want to get involved! [15]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [16]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-
[tor-talk] Tor Weekly News — May 7th, 2014
Tor Weekly NewsMay 7th, 2014 Welcome to the eighteenth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community. Tor Browser 3.6 is released --- The long-awaited Tor Browser 3.6 was finally declared stable [1] on April 29th. Tor Browser 3.6 is the first version to fully integrate pluggable transports, enabling easier access to the Tor network on censored networks. The browser is based on the latest Firefox ESR 24.5.0 and includes a new round of security fixes [2]. When configuring how to access the Tor network, users can now select one of the included list of “obfs3“ [3] or “fte” [4] bridges. Using Flashproxy is also an option, but often requires further configuration [5] on the local firewall and router. Manually specifying bridges [6] is still an option, now with support for the aforementioned pluggable transports. Many small usability enhancements have been made: Tor error messages are translated, the wording on several dialog windows has been improved based on user feedback, and Mac users now install the browser from the usual disk image format. Turkish localization has also been enabled. Read the release announcement for a complete changelog. Be sure to upgrade [7]! [1]: https://blog.torproject.org/blog/tor-browser-36-released [2]: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.5 [3]: https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/blob/refs/heads/master:/doc/obfs3/obfs3-protocol-spec.txt [4]: https://fteproxy.org/ [5]: https://trac.torproject.org/projects/tor/wiki/FlashProxyHowto [6]: https://bridges.torproject.org/ [7]: https://www.torproject.org/download/download-easy.html Tails 1.0 is out “Version 1.0 is often an important milestone that denotes the maturity of a free software project. The first public version of what would become Tails was released on June 23 2009 […]. That was almost five years ago. Tails 1.0 marks the 36th stable release since then.” The release announcement [8] could have not said it better. On top of the simple idea of having a system entirely running in memory that guarantees Tor usage for all network connections, Tails has been extended with an USB installer, automatic upgrades, persistence, support for Tor bridges, MAC address spoofing, an extensive and translated documentation and many more features [9]. Over Tails 0.23, the new version brings security fixes from Firefox and Tor [10], an updated I2P, several enhancements to the Tor configuration interface, and the appearance of the new Tails logo [11]. More details are in the release announcement. For those who have not made use of the integrated updater, time to download [12] the new version! [8]: https://tails.boum.org/news/version_1.0/ [9]: https://tails.boum.org/doc/about/features/ [10]: https://trac.torproject.org/projects/tor/ticket/11464 [11]: https://tails.boum.org/promote/logo/ [12]: https://tails.boum.org/download/ Monthly status reports for April 2014 - The wave of regular monthly reports from Tor project members for the month of April has begun. Georg Koppen released his report first [13], followed by reports from Arthur D. Edelstein [14], Sherief Alaa [15], Karsten Loesing [16], Lunar [17], Nick Mathewson [18], Matt Pagan [19], Damian Johnson [20], George Kadianakis [21], Pearl Crescent [22], Colin C. [23], Kevin Dyer [24], Isis Lovecruft [25], Kelley Misata [26], Arlo Breault [27], and Andrew Lewman [28]. Lunar also reported on behalf of the help desk [29], Mike Perry for the Tor Browser team [30], and Arturo Filastò for the OONI team [31]. [13]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000511.html [14]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000513.html [15]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000514.html [16]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000515.html [17]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000516.html [18]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000517.html [19]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000518.html [20]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000520.html [21]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000521.html [22]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000523.html [23]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000524.html [24]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000525.html [25]: https://lists.torproject.org/pipermail/tor-reports/2014-May/000527.html [26]: https
[tor-talk] Tor Weekly News — April 30th, 2014
ensure that Tails works properly with such hardware. [16]: https://mailman.boum.org/pipermail/tails-testers/2014-April/10.html Matthew Finkel forwarded a copy of the email that was sent to bridge operators [17] to warn them about the “Heartbleed” vulnerability, and the actions that should be taken as a result. If you know any bridge operator who might not have filled in their contact information, please forward the message! [17]: https://lists.torproject.org/pipermail/tor-relays/2014-April/004428.html Karsten Loesing has been working on switching Onionoo — the web service to retrieve information about the Tor network — to use the Gson library instead of plain string concatenation to format its JSON output. As the change might break some applications, client authors should test their applications [18] and see if everything still works as it should. [18]: https://lists.torproject.org/pipermail/tor-dev/2014-April/006772.html Tor help desk roundup - The help desk has been asked why the Tor Project’s hidden service site mirrors are offline. The sites were taken down during the fallout from the Heartbleed security vulnerability. New hidden service addresses were not generated. The sysadmin team has expressed that they no longer wish to maintain these services [19]. [19]: https://bugs.torproject.org/11567 News from Tor StackExchange --- Kristopher Ives is working on a card game using Tor. Each user accepts inbound connections through hidden services, and also needs to make outbound connections [20]. Tom Ritter acknowledged it was possible to use only one Tor daemon to do both. [20]: https://tor.stackexchange.com/q/1592/88 Dan gets the error message “Cannot load XPCOM” whenever Tor Browser is started [21]. Jens Kubieziel pointed to the discussion at #10789 [22]. The culprit is WebRoot Internet Security as it prevents the proper loading of all browser components; either uninstalling it or adding DLL files to the whitelist has helped other users [23]. [21]: https://tor.stackexchange.com/q/2012/88 [22]: https://bugs.torproject.org/10789 [23]: https://blog.torproject.org/blog/tor-browser-352-released#comment-47052 Upcoming events --- Apr 30 19:00 UTC | little-t tor development meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-March/006616.html | May 2 15:00 UTC | Tor Browser online meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tbb-dev/2014-April/49.html | May 27-28| Tor @ Stockholm Internet Forum | Stockholm, Sweden | http://www.stockholminternetforum.se/ This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, qbi, and Karsten Loesing. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [24], write down your name and subscribe to the team mailing list [25] if you want to get involved! [24]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [25]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — April 16th, 2014
OpenVPN traffic and can’t get obfsproxy running [40] because the latest version only implements SOCKS4. Yawning Angel answered that version 0.2.7 of obfsproxy uses SOCKS5 and works with OpenVPN. However there is a bug that needs to be worked around [41]. [40]: https://tor.stackexchange.com/q/693/88 [41]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006427.html Upcoming events --- Apr 16 19:00 UTC | little-t tor development meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-March/006616.html | Apr 18 18:00 UTC | Tor Browser online meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tbb-dev/2014-March/26.html This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, qbi, Roger Dingledine, Karsten Loesing and the Tails team. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [42], write down your name and subscribe to the team mailing list [43] if you want to get involved! [42]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [43]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Bring back Vidalia
C B: > TBB regularly gives me a new exit node without abruptly restarting the > browser. What is the harm in allowing me to manually do that when needed? I > know how to close the browser, and do that whenever I want, but all I want is > a new exit mode. And yes the map and the other things from the control panel > would be nice too. 1. Install Python 2. Install Stem 3. Run: python -c 'from stem.control import Controller; from stem import Signal; c = Controller.from_port("127.0.0.1", 9151); c.authenticate(); c.signal(Signal.NEWNYM)' Or you can help the community and work on the following: https://trac.torproject.org/projects/tor/ticket/8641 https://trac.torproject.org/projects/tor/ticket/9442 -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — April 2nd, 2014
Tor Weekly News April 2nd, 2014 Welcome to the thirteenth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community. Tor Project website redesign takes two steps forward Andrew Lewman put out two calls for help with the ongoing Tor Project website redesign: one for the sponsor page [1], and another for the download area [2]. Both were immediately met with proposals and design suggestions from the www-team mailing list: Olssy produced two mock-ups [3] of the sponsorship page as possible models for further work, while William Papper and Lance Tuller have been working on a repository [4] for the download page, with comments from other list members on topics such as the use of Javascript and possible layout decisions. If you’d like to give the website redesign further momentum, please see the dedicated project page on the wiki [5] for open tickets and advice on how to contribute, then come to the www-team mailing list [6] and join in! [1]: https://lists.torproject.org/pipermail/www-team/2014-March/000238.html [2]: https://lists.torproject.org/pipermail/www-team/2014-March/000249.html [3]: http://tor.harrytuttle.net/ [4]: https://github.com/wpapper/tor-download-web [5]: https://trac.torproject.org/projects/tor/wiki/Website [6]: https://lists.torproject.org/cgi-bin/mailman/listinfo/www-team QR codes for bridge addresses - Since most pocket computers (sometimes called “phones”) and laptops began incorporating cameras, QR codes [7] have become a ubiquitous way to enter short sequences of data into our devices. URLs are the canonical example, but the process also works for Bitcoin addresses or OpenPGP fingerprints [8]. Bridges are the standard tool for circumventing filters that prevent access to the Tor network. Users currently enter bridge addresses in Tor by copy/pasting from the BridgeDB web page [9] or auto-responder email. But manually giving IP addresses and fingerprints to Orbot on keyboard-less devices is an error-prone process. QR codes might be a solution to this problem. They could also enable peer-to-peer exchange among friends, or circumvention strategies involving IPv6 addresses and paper. According to Isis Lovecruft, adding QR codes to the BridgeDB web interface would be easy [10]. Would any reader feel like hacking Orbot [11] or the Tor Launcher [12] Firefox extension (see relevant documentation [13] and API [14])? [7]: https://en.wikipedia.org/wiki/QR_code [8]: http://web.monkeysphere.info/monkeysign/ [9]: https://bridges.torproject.org/ [10]: https://bugs.torproject.org/11345 [11]: https://bugs.torproject.org/5096 [12]: https://gitweb.torproject.org/tor-launcher.git [13]: https://developer.mozilla.org/en-US/docs/WebRTC/taking_webcam_photos [14]: https://developer.mozilla.org/en-US/docs/Web/API/Navigator.getUserMedia Client identification in hidden service applications Applications behind hidden services currently cannot easily differentiate between client connections. Tor will make a different local TCP connection for each connections it receives, but the software is unable to tell if they are coming from the same circuit. Harry SeventyOne felt [15] the latter would be useful to enable applications for diagnostic log analysis, identifying traffic trends, rate-limiting or temporarily blocking operations coming from the same client. Harry sent a very rough patch to the Tor development mailing which enables circuit distinction by using a different source IP address from the IPv4 localhost pool (127.0.0.0/8) for each circuit. Nick Mathewson liked the idea [16] and gave several comments about the preliminary patch. Hopefully this work will make the life of hidden service operators easier in the future. [15]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006576.html [16]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006610.html Monthly status reports for March 2014 - The wave of regular monthly reports from Tor project members for the month of March has begun. Georg Koppen released his report first [17], followed by reports from Pearl Crescent [18], Damian Johnson [19], Sherief Alaa [20], Nick Mathewson [21], Matt Pagan [22], Lunar [23], and Karsten Loesing [24]. Lunar also reported help desk statistics [25]. [17]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000487.html [18]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000488.html [19]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000489.html [20]: https://lists.torproject.org/pipermail/tor-reports/2014
Re: [tor-talk] CAPTCHA for getting bridges too strong
Moritz Bartl: > On 03/30/2014 06:58 AM, Артур Истомин wrote: > > It is very strong. I was trying more than ten times and did not solve > > it. I am realy do not need bridges, but for those who need, this way > > getting bridges (through web page and CAPTCHA) is useless. > > This is a known problem, a fix is being worked on. Actually the new version of BridgeDB deployed 4 days ago should have vastly improved the situation. See: https://bugs.torproject.org/10809 -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TBB - Correct/proper use of TOR_SKIP_LAUNCH=1 ?
Zenaan Harkness: > Lunar: > > Zenaan Harkness: > […] Sorry, but your message is too long. You should try to ask less questions at the same times, as the answer from one is likely to help you answer the other. I'm jumping to the most obvious ones here. > > TOR_SKIP_LAUNCH was designed for Whonix and Tails use cases. For both > > the tor daemon is started independently of the Tor Browser. For the > > former on a different host and for the latter under a different system > > user. > > My proposed "VPN" scenario is similar to the Whonix concept. I believe it's not. The Whonix Workstation is unable to reach the Internet except by connecting to the tor daemon running on the gateway. To the best of my understanding, with what you describe, the computers that would run the Tor Browser would not be isolated of the network. > When you say "running tor locally", are you referring only to a "local > always-on relay" - eg one connected to ADSL permanently? Or do you > also include in that term, 'running TBB locally on the spot which > creates its own local tor instance'? As in, are you also including in > the term "running tor locally" a "local sometimes-on relay (or > 'private' bridge?)"? When I say “running tor locally”, I mean running the tor daemon on the computer that will run the Tor Browser. That's how Tor is generally used. The tor daemon takes care of reaching the Tor network and relaying information through it. This is sometimes referred in the literature as an “Onion Proxy”. This has nothing to do with relaying the traffic of others. I still don't understand why you want to do things differently than just run the Tor Browser and eventually configure Tor to use a bridge. > >> Q2) When connecting to a trusted friend's relay via VPN, [...] > > > > Why would you want to do that instead of using a (private) bridge? > > High-latency, low-bandwidth, only sometimes-on internet connections. Users of high-latency, law-bandwidth, only sometimes-on Internet connections are perfectly able to use bridges. > Also, I am struggling to find a proper definition of 'private bridge' > and what that exactly means and how it actually works. Bridges are unlisted Tor relays, but they are normally part of the bridge database and get distributed to users in need through specific channels (see <https://bridges.torproject.org/>). Private bridges do not record themselves to the bridge database. Their addresses need to be explicitly given by the bridge operator to be used. > >> Q5) When connecting to a trusted friend's relay via the open Internet, > >> is this what's called using the relay as a "bridge"? > > > > Using a relay as a bridge is when you configure a public Tor relay > > instead of an unlisted bridge as one of tor bridges. There are very few > > use cases where it makes sense. See "Bridge" and "UseBridge" in tor(1) > > manual page. > > My point is, the exit relay I installed is a 'public tor relay' - as > in it is not configured as 'private', but is that what you mean? All Tor relays are public as the list of all Tor relays if available to everyone. That's the differences with bridges. The list of all (public) bridges is not available anywhere else than the bridge database. There is no list of all private bridges. There is no such thing as a private Tor relay, except on a test network. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TBB - Correct/proper use of TOR_SKIP_LAUNCH=1 ?
Zenaan Harkness: > From here: > https://trac.torproject.org/projects/tor/ticket/6009 > > we see addition of > TOR_SKIP_LAUNCH=1 > command line option to effect start-tor-browser. > > My questions all assume using TBB. TOR_SKIP_LAUNCH was designed for Whonix and Tails use cases. For both the tor daemon is started independently of the Tor Browser. For the former on a different host and for the latter under a different system user. > Q1) When is it sensible to use the above TOR_SKIP_LAUNCH=1 option? > For example: > - when connecting to local always-on relay? > - when connecting to local sometimes-on relay? > - when connecting to ones own 'cloud' relay via VPN? > - when connecting to ones own physical host relay via VPN? > - when connecting to a friend's home host relay via VPN? None of the above. What is the problem of running tor locally? > Q2) When connecting to a trusted friend's relay via VPN, […] Why would you want to do that instead of using a (private) bridge? > Q5) When connecting to a trusted friend's relay via the open Internet, > is this what's called using the relay as a "bridge"? Using a relay as a bridge is when you configure a public Tor relay instead of an unlisted bridge as one of tor bridges. There are very few use cases where it makes sense. See “Bridge” and “UseBridge” in tor(1) manual page. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — March 19th, 2014
sly by a Tor client. Following up on the paper written by Tariq Elahi et al. [23], Roger’s blog post, and recent discussions during the winter dev. meeting, George Kadianakis made a detailed analysis of the implications of switching to a single guard node [24]. He studied the performance implications of switching to a single guard, the performance implications of raising the minimum guard bandwidth for both clients and the overall network, and how the change would affect the overall anonymity and fingerprintability of Tor users. Jumping to conclusions: “It seems that the performance implications of switching to 1 guard are not terrible. […] A guard bandwidth threshold of 2MB/s […] seems like it would considerably improve client performance without screwing terribly with the security or the total performance of the network. The fingerprinting problem will be improved in some cases, but still remains unsolved for many of the users […] A proper solution might involve guard node buckets [25]”. For a better understanding, be sure to look at George’s work which includes graphs and proper explanations. [22]: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters [23]: http://freehaven.net/~arma/cogs-wpes.pdf [24]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006458.html [25]: https://bugs.torproject.org/9273#comment:4 Miscellaneous news -- George Kadianakis announced [26] obfsproxy version 0.2.7. The new release fixes an important bug [27] “where scramblesuit would basically reject clients if they try to connect a second time after a short amount of time has passed.” Bridge operators are strongly advised to upgrade from source [28], pip [29], or the upcoming Debian packages. [26]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004074.html [27]: https://bugs.torproject.org/11100 [28]: https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/commit/6cdbc64 [29]: https://pypi.python.org/pypi/obfsproxy/0.2.7 The submission deadline for this year’s Google Summer of Code [30] is the 21st: this Friday. Several students already showed up on the tor-dev mailing list, but as Damian Johnson says [31]: “If you’re procrastinating until the last minute then please don’t!” [30]: https://blog.torproject.org/blog/tor-google-summer-code-2014 [31]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006498.html Tails logo contest [32] is happily on-going. Several submissions have already been received and can be seen on the relevant blueprint [33]. [32]: https://tails.boum.org/news/ [33]: https://tails.boum.org/blueprint/logo/ Kelley Misata and Karen Reilly attended the South by Southwest (SXSW) Interactive festival [34] in Austin, Texas. [34]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000485.html Relay and bridge operators might be interested in Ramo’s first release [35] of a Tor plugin for Nagios [36]. It can currently check for a page fetch through the SOCKS proxy port, the hibernation state, the current bandwidth, ORPort reachability, DirPort reachability, and the bytes remaining until hibernation. [35]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004062.html [36]: https://github.com/goodvikings/tor_nagios Nicolas Vigier sent his monthly report for February [37]. [37]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000486.html Tails won the 2014 Endpoint Security prize [38] from Access. The prize recognizes [39] Tails “unique positive impact on the endpoint security of at-risk users in need”. Congrats! [38]: https://twitter.com/accessnow/status/441043400708857856 [39]: https://www.accessnow.org/prize The Format-Transforming Encryption project at Portland State University received [40] an unexpected 100,000 USD grant from Eric Schmidt. [40]: http://www.oregonlive.com/silicon-forest/index.ssf/2014/03/psu_professor_wins_surprise_10.html Tor help desk roundup - The help desk has seen an increase in Russian language support requests amidst news that the Russian Federation began censoring a number of websites. Unfortunately, the help desk is not able to provide support in Russian for now. Changes in the number of Tor users by country can be observed on the project’s metrics page [41]. [41]: https://metrics.torproject.org/users.html Upcoming events --- Mar 19 19:00 UTC | little-t tor development meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-March/006513.html | Mar 22-23| Tor @ LibrePlanet 2014 | Cambridge, Massachusetts, USA | http://libreplanet.org/2014/ | Apr 11 11:00 EDT | Roger @ George Mason University | Washington, DC, USA | http://today.gmu.edu/64330/ This issue of Tor Weekly News has been assembled by Lunar
[tor-talk] Tor Weekly News — March 12th, 2014
(not to mention the multiple runs).” To all participating relay operators, he added: “Thank you very much for your support, you officially rock!” [23]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004037.html [24]: http://web.engr.illinois.edu/~das17/tor-traceroute_v1.html Tails reported on their 2013 bounty program [25] which led to several changes useful for Tails in upstream software. [25]: https://tails.boum.org/news/bounties_2013_report/ Erinn Clark discovered [26] another fake OpenPGP key with her name and email address. Watch out! The canonical list of keys used for Tor signatures [27] is still available on the Tor Project’s website. Also consider verifying all signatures [28] for the reproducible Tor Browser Bundles [29]. [26]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006422.html [27]: https://www.torproject.org/docs/signing-keys.html [28]: https://github.com/isislovecruft/scripts/blob/master/verify-gitian-builder-signatures [29]: https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise Tor help desk roundup - Users have asked us why “About TorBrowser” in the Tor Browser’s Help menu displays the Firefox Logo instead of the Tor logo. This has been a known issue for some time, and fixing it is not as easy it would seem. Relevant bug tickets here are #2176 [30], #5194 [31], #5698 [32], and #10888 [33]. [30]: https://bugs.torproject.org/2176 [31]: https://bugs.torproject.org/5194 [32]: https://bugs.torproject.org/5698 [33]: https://bugs.torproject.org/10888 News from Tor StackExchange --- The last few weeks have seen several vulnerabilities in the GnuTLS library and the SSL protocol in general [34]. Ivar wanted to know if the GnuTLS bug affected Tor somehow [35]; as Tor uses OpenSSL instead of GnuTLS, the answer is no. [34]: http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 [35]: https://tor.stackexchange.com/q/1652/88 tor_user found the option “Socks5Proxy” in the Tor manual, and wanted to know what OR connections are and if this option allows running a Tor node over a SOCKS proxy [36]. Jens Kubieziel explained that OR connections are those between two relays or between a client and a relay. While this config option can be used to proxy outgoing OR connections from a relay, it won’t proxy exit streams, and also the relay still needs to be reachable on its advertised ORPort, so it is simplest to say that no, it can’t be used to run a relay over a SOCKS proxy. [36]: https://tor.stackexchange.com/q/1654/88 Upcoming events --- Mar 12 19:00 UTC | Tor Browser development meeting | #tor-dev, irc.oftc.net | Mar 12 20:00 UTC | little-t tor development meeting | #tor-dev, irc.oftc.net | https://lists.torproject.org/pipermail/tor-dev/2014-March/006432.html | Mar 14 17:00 UTC | Pluggable transports online meeting | #tor-dev OFTC | Mar 22-23| Tor @ LibrePlanet 2014 | Cambridge, Massachusetts, USA | http://libreplanet.org/2014/ | Apr 11 11:00 EDT | Roger @ George Mason University | Washington, DC, USA | http://today.gmu.edu/64330/ This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, qbi and Roger Dingledine. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [37], write down your name and subscribe to the team mailing list [38] if you want to get involved! [37]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [38]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — March 5th, 2014
Tor Weekly News March 5th, 2014 Welcome to the ninth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community. Tor 0.2.4.21 is out --- Roger Dingledine announced the release of Tor 0.2.4.21 [1], whose major new feature is the forced inclusion of at least one NTor-capable relay in any given three-hop circuit as a defence against adversaries who might be able to break 1024-bit encryption; this feature was first seen in the latest alpha release (0.2.5.2-alpha) three weeks ago [2], but is here incorporated into the current stable series. You can find full details of this release’s other features and bugfixes in Roger’s announcement. [1]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032242.html [2]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032150.html Tor in Google Summer of Code 2014 - As has been the case over the past several years, Tor will once again be participating [3] in Google’s annual Summer of Code program — aspiring software developers have the chance to work on a Tor-related project with financial assistance from Google and expert guidance from a core Tor Project member. Several prospective students have already contacted the community with questions about the program, and Damian Johnson took to the Tor Blog to give a brief summary of what students can expect from the Summer of Code [4], and what the Tor Project expects from its students. In particular, Damian encouraged potential applicants to discuss their ideas with the community on the tor-dev mailing list or IRC channel before submitting an application: “Communication is essential to success in the summer of code, and we’re unlikely to accept students we haven’t heard from before reading their application.” If you are hoping to contribute to Tor as part of the Summer of Code program, please have a look through Damian’s advice and then, as he says, “come to the list or IRC channel and talk to us!” [3]: https://www.google-melange.com/gsoc/org2/google/gsoc2014/tor [4]: https://blog.torproject.org/blog/tor-google-summer-code-2014 Two ways to help with Tails development --- One of the most interesting upcoming additions to the Tails operating system is the ability to thwart attempts at tracking the movements of network-enabled devices by spoofing the MAC address on each boot. As part of the testing process for this new feature, the Tails developers have released [5] an experimental disk image which turns it on by default, alongside a step-by-step guide to trying it out and reporting any issues encountered. However, as the developers state, “this is a test image. Do not use it for anything other than testing this feature.” If you are willing to take note of this caveat, please feel free to download the test image and let the community know what you find. Turning to the longer-term development of the project, the team also published a detailed set of guidelines for anyone who wants to help improve Tails itself by contributing to the development of Debian [6], the operating system on which Tails is based. They include advice on the relationship between the two distributions, tasks in need of attention, and channels for discussing issues with the Tails community; if you are keen on the idea of helping two free-software projects at one stroke, please have a look! [5]: https://tails.boum.org/news/spoof-mac/ [6]: https://tails.boum.org/contribute/how/debian/ Monthly status reports for February 2014 The wave of regular monthly reports from Tor project members for the month of February has begun. Georg Koppen released his report first [7], followed by reports from Sherief Alaa [8], Pearl Crescent [9], Nick Mathewson [10], Colin C. [11], Lunar [12], Kelley Misata [13], Damian Johnson [14], George Kadianakis [15], Philipp Winter [16], and Karsten Loesing [17]. Lunar also reported on behalf of the help desk [18], while Mike Perry did the same on behalf of the Tor Browser team [19], and Arturo Filastò for the OONI team [20]. [7]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000464.html [8]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000465.html [9]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000466.html [10]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000467.html [11]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000468.html [12]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000471.html [13]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000472.html [14]: https
Re: [tor-talk] Using HTTPS Everywhere to redirect to .onion
Roger Dingledine: > That said, the question in my mind is how to move this from "if you're > very smart, you can write your own https-everywhere rule for yourself" > to "ordinary TBB users get this benefit". I don't really want to get > into the business of writing an /etc/hosts file for public website -> > hidden service mappings. I think the answer for this is the “AdBlock plus model”: https://trac.torproject.org/projects/tor/ticket/2161 If HTTPS Everywhere users were able to subscribe to external feeds, interested people could curate a ruleset of plain → .onion redirects. They could decide on their own policy and Tor Browser users would be free to subscribe to it if they trust the owners. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TIMB vs TextSecure
Gordon Morehouse: > With the news hitting some tech sites about TIMB, I went digging > around briefly to find the reasoning for rolling something anew rather > than backing e.g. TextSecure. (I know there are serious questions > about the security of Telegram.) > > I'm sure there is a good reason, but what is it? Is TextSecure available on Windows, Mac OS X and Linux? Does it support IRC and XMPP? Can it be built with only free software? Are the builds reproducible? Does it have an integrated update mecanism? Can it configure Tor (e.g. to use bridges)? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — February 26th, 2014
discussion on tor-relays [20]. [19]: https://lists.torproject.org/pipermail/tor-relays/2014-February/003942.html [20]: https://lists.torproject.org/pipermail/tor-relays/2014-February/003913.html Responding to a message from someone interested in writing a DNS-based pluggable transport, George Kadianakis suggested [21] several ways in which the existing obfsproxy code could be reworked to accommodate this. [21]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006250.html George also recommended [22] that operators of obfs3 or ScrambleSuit bridges install the python-gmpy package on their relays, as it can significantly increase the speed of some cryptographic operations. [22]: https://lists.torproject.org/pipermail/tor-relays/2014-February/003951.html Jens Kubieziel wrote up [23] the results of an attempt to determine whether the recent transition between the TAP and NTor handshake protocols is connected to some users’ reports of hidden service unavailability. [23]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006260.html Max Jakob Maass published [24] the preliminary results of a test in which the RIPE Atlas measurement API was used to retrieve the SSL certificate of torproject.org from as many countries as possible in order to detect attempted attacks or censorship, and wondered whether it might be worth running such a test on a regular basis. [24]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032173.html With regard to a coming redesign of the “Volunteers” section on the Tor Project’s website, Moritz Bartl wrote up a list of proposed volunteer categories that was the fruit of a brainstorming session at the Tor developers’ meeting, and asked for suggestions [25] of “obvious” missing sections, as well as “acceptably-licensed” graphics that could serve as icons for each category. [25]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032176.html Nathan Freitas wrote [26] from the Tor developers’ meeting with a request for help in compiling “user stories” on the Tor wiki: that is, stories of the form “a [type of Tor user] wants to [some feature of a Tor app] in order to [some reason related to security, privacy, etc]” [27]. If you have any to add, please write them up on the dedicated wiki page! [26]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032174.html [27]: https://trac.torproject.org/projects/tor/wiki/org/meetings/2014WinterDevMeeting/notes/UserStories Yawning Angel sent out [28] a draft of a proposal to “extend the SOCKS5 protocol when communicating with pluggable transports to allow passing more per-bridge meta-data to the transport and returning more meaningful connection failure response codes back to Tor”. [28]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006300.html Josh Ayers wrote [29] to the Tor-ramdisk list suggesting possible ways to ensure that sufficient entropy is available to the kernel by the time tor-ramdisk generates its long-term keys. [29]: http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-February/000119.html Tor help desk roundup - A common question the help desk receives is how to respond to the Tor Browser Bundle’s download warning message. The message indicates that the Tor Browser Bundle only routes browser traffic through Tor, not traffic from any other application. For example, a PDF file that connects automatically to a URL will not route its traffic through Tor if the file is opened with an external application. An open bug ticket for improving this warning message has more information about the issue [30]. [30]: https://bugs.torproject.org/7439 Upcoming events --- Feb 26 18:00 UTC | Tor Weather development meeting | #tor-dev, irc.oftc.net | Feb 28 17:00 UTC | Pluggable Transports development meeting | #tor-dev, irc.oftc.net | Mar 01 10:00 EST | Andrew @ Boston/Cambridge Countersurveillance DiscoTech | Boston, Massachusetts, USA | https://surveillance.hackpad.com/BostonCambridge-Countersurveillance-DiscoTech-lpF9SgcyhR2 | Mar 03-07| Tor @ Financial Cryptography and Data Security 2014 | Barbados | http://fc14.ifca.ai/ | Mar 05 21:00 UTC | Tails contributors’ meeting | #tails-dev, oftc.net | Mar 22-23| Tor @ LibrePlanet 2014 | Cambridge, Massachusetts, USA | http://libreplanet.org/2014/ This issue of Tor Weekly News has been assembled by harmony, Lunar, Matt Pagan, Nicolas Vigier, Roger Dingledine, and George Kadianakis. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [31], write down your name and subscribe to the team m
Re: [tor-talk] IRC Connectivity
Nishaanth_Kumar: > I am not able to connect to #tor via freenode. > It says "This channel is invite-only. You must have an invite from an > existing member of the channel to join." > > Any suggestions on what to do? Connect to the right IRC network: OFTC at irc.oftc.net -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Ostel and WebRTC over Tor?
Griffin Boyce: > So I've been fiddling around with Ostel and various webrtc bits for a > while now. Curious: has anyone tried Ostel or any webrtc > implementations over Tor? If so, what were your findings? The official > word on Ostel is that it can't reliably run over Tor due to the latency > involved. Using Mumble over Tor worked out on the few occasions I've tried it. So sadly, this is a misconception. My latest attempt to manually configure a recent Firefox to go through Tor and use the WebRTC on <https://freephonebox.net/> failed. I had a firewall denying all connections not routed through Tor. I have also not been able to make Jitsi (2.4) work in the same setup. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — February 12th, 2014
detailed blog post [40]. Sam Whited also pointed out some settings for Firefox and noted that Firefox 27 improved the rating to “probably good” [41] which will help the Tor Browser in the future. [38]: https://www.howsmyssl.com/ [39]: https://tor.stackexchange.com/q/1455/88 [40]: http://kubieziel.de/blog/archives/1564-Using-SSL-securely-in-your-browser.html [41]: https://blog.samwhited.com/2014/01/fixing-tls-in-firefox/ fred set up a relay on a Windows machine where µTorrent is used besides Tor. When Tor is enabled many trackers become unreachable, but come back as soon as the relay is disabled. An explanation to this behaviour [42] has yet to be found, don’t hesitate to chime in. [42]: https://tor.stackexchange.com/q/1243/88 Upcoming events --- Feb 18 20:00 | Crypto Party at Múltikúlti | Reykjavík, Iceland | http://www.multi-kulti.org/ | Feb 19 18:30 | Talk: “Tor: Lessons Learned over the past 12 months” | Reykjavík University M101, Iceland | http://en.ru.is | Feb 20 9:00 | Digital Safety for Journalists — ½ day hands-on workshop | Grand Hotel, Reykjavík, Iceland | Feb 21 9:30 | Tor public hack day | Grand Hotel, Reykjavík, Iceland This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, Paul Feitzinger, qbi, Roger Dingledine and Karsten Loesing. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [43], write down your name and subscribe to the team mailing list [44] if you want to get involved! [43]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [44]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Obfsproxy on Raspberry Pi
Patrick ZAJDA: > I want to set an obfuscated bridge on my Raspberry Pi. > > When I do sudo apt-get source obfsproxy apt notices me it needs > python-pyptlib which cannot be found. > > How can I install python-pyptlib on Raspbian? > > I know python-pyptlib is available on backports, but no backports exist > for Raspbian. python-pyptlib and obfsproxy are both “Arch: all” packages and should be usable directly on Raspbian. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Pissed off about Blacklists, and what to do?
grarpamp: > So many sites that we all use are now blacklisting Tor. It's unclear > whether it is via their use of tools that blindly utilize blacklists, > or if they are making a conscious choice to deny Tor users. As far > as I'm concerned, we are all legitimate users of their services and > quite frankly, I've had enough... exactly the same as I'm sure you > have all had. > […] > What do we do? Write to every support channel you can find. Explain what Tor is. How useful it is. Explain that banning Tor is not a solution because anyone can use an open Wi-Fi access point and that people willing to break the law can break into other's people computers to do their bidding. Try to establish connection with the workers inside these companies. They usually understand Tor better than management and inside pressure sometimes works wonders. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — February 4th, 2014
://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Mumble [10]: https://github.com/mumble-voip/mumble/issues/1033 [11]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006158.html Monthly status reports for January 2014 --- The wave of regular monthly reports from Tor project members for the month of January has begun. Damian Johnson [12] released his report first, followed by reports from Philipp Winter [13], Sherief Alaa [14], the Tor Browser team from Mike Perry [15], Colin C. [16], the help desk [17], Matt [18]. Lunar [19], George Kadianakis [20], and Pearl Crescent [21]. [12]: https://lists.torproject.org/pipermail/tor-reports/2014-January/000435.html [13]: https://lists.torproject.org/pipermail/tor-reports/2014-January/000436.html [14]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000437.html [15]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000438.html [16]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000439.html [17]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000440.html [18]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000441.html [19]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000442.html [20]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000443.html [21]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000445.html Miscellaneous news -- Nick Mathewson came up [22] with a Python script [23] to convert the new MaxMind GeoIP2 binary database to the format used by Tor for its geolocation database. [22]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006157.html [23]: https://github.com/nmathewson/mmdb-convert Thanks to John Ricketts from Quintex Alliance Consulting [24] for providing another mirror for the Tor Project’s website and software. [24]: https://lists.torproject.org/pipermail/tor-mirrors/2014-February/000464.html Abhiram Chintangal and Oliver Baumann are reporting [25] progress on their rewrite [26] of the Tor Weather service. [25]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006142.html [26]: https://github.com/baumanno/tor-weather-rewrite Andreas Jonsson gave an update [27] on how Mozilla is moving to a multi-process model for Firefox [28] and how this should positively affect the possibility of sandboxing the Tor Browser in the future. [27]: https://lists.torproject.org/pipermail/tor-talk/2014-January/031959.html [28]: https://bugzilla.mozilla.org/show_bug.cgi?id=925570 As planned [29], to help “developers to analyze the directory protocol and for researchers to understand what information is available to clients to make path selection decisions”, Karsten Loesing has made [30] microdescriptor archives available on the metrics website. [29]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006061.html [30]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006141.html Christian has deployed [31] a test platform [32] for the JavaScript-less version of Globe, a tool to retrieve information about the Tor network and its relays. [31]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032012.html [32]: https://globe-node.herokuapp.com/ In an answer to Shadowman’s questions about pluggable transports, George Kadianakis wrote a detailed reply on how Tor manages pluggable transports [33], both on the server side an on the client side. [33]: https://lists.torproject.org/pipermail/tor-talk/2014-January/031984.html Arthur D. Edelstein has advertised a GreaseMonkey script [34] to enable Tor Browser to access YouTube videos without having JavaScript enabled. Please be aware of the security risks that GreaseMonkey might introduce [35] before using such a solution. [34]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032010.html [35]: https://lists.torproject.org/pipermail/tor-talk/2014-January/031623.html Andrew Lewman reports on his trip to Washington DC [36] where he met Spitfire Strategies to learn about “Tor’s brand, media presence, and ideas for the future”. For a short excerpt: “It’s interesting to get critiques on all our past media appearances; what was good and what could be better. Overall, the team there are doing a great job.” [36]: https://lists.torproject.org/pipermail/tor-reports/2014-January/000434.html Lunar accounted [37] for Tor’s presence at FOSDEM, one of the largest free software event in Europe. The project had a small booth [38] shared with Mozilla and there was even a relay operator meetup [39]. [37]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000444.html [38]: https://twitter.com/anthraxx42/status/429600652399247361 [39]: https://twitter.com/FrennVunDerEnn/status/429636610603233280 Yan Zhu has released [40] the first version of HTTPS Everywhere for Firefox Mobile. A
Re: [tor-talk] Shutting down the relay-search service by the end of the year
Christian: > I deployed a version on https://globe-node.herokuapp.com/ . Feel free to > check it out and give me some feedback. Looks good. :) I'm really happy that we'll be able to give pointers to a page with information about a specific relay, e.g. https://globe-node.herokuapp.com/relay/011FDD1EE84DAC7758119B69829C74A9D197B35E -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — January 29th, 2014
.html The media and some terminology -- BusinessWeek published “The inside story of Tor, the best Internet anonymity tool the government ever built” [15]. Better that what one can usually read about Tor in the press, the piece — courtesy of Dune Lawrence — still sparkled a discussion on the tor-talk mailing list about terminology [16]. Katya Titov quoted a misleading part of the article: “In addition to facilitating anonymous communication online, Tor is an access point to the ‘dark Web’, vast reaches of the Internet that are intentionally kept hidden and don’t show up in Google or other search engines, […].” As references to the “dark web”, the “deep web”, or the “dark deep shady Knockturn Alley of the Internet” have been popping up more and more in the media over the past months, Katya wanted to come up with proper definitions of commonly misunderstood terms to reduce misinformation and FUD [17]. She summarized the result of the discussion in a new “HowBigIsTheDarkWeb” wiki page [18]. Be sure to point it to your fellow journalists! [15] http://www.businessweek.com/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency [16] https://lists.torproject.org/pipermail/tor-talk/2014-January/031863.html [17] http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt [18] https://trac.torproject.org/projects/tor/wiki/doc/HowBigIsTheDarkWeb Miscellaneous news -- To follow up on last week’s Tor Weekly News coverage, Philipp Winter wrote a blog post to explain “what the ‘Spoiled Onions’ paper means for Tor users” [19]. [19] https://blog.torproject.org/blog/what-spoiled-onions-paper-means-tor-users Thanks to Sukhbir Singh, users with @outlook.com email addresses can now request bridges and bundles via email [20]. [20] https://bugs.torproject.org/6591#comment:4 Karsten Loesing dug some statistics [21] about the Tor Weather service. There are currently 1846 different email addresses subscribed for 2349 Tor relays. [21] https://bugs.torproject.org/10699#comment:3 Tor developers will be present at the Mozilla booth during FOSDEM’14 [22]. Drop by if you have questions or want to get involved in Tor! [22] https://twitter.com/torproject/status/427922491948818432 Tor help desk roundup - Users repeatedly contact Tor help desk about unreachable hidden services. If that happens, please first make sure the system clock is accurate and try to visit the hidden service for the Tor Project’s website [23]. If it works, it means that Tor is working as it should and there’s nothing more the Tor Project can do. Hidden services are solely under the responsibility of their operators and they are the only one that can do something when a hidden service goes offline. [23] http://idnxcnkne4qt76tg.onion/ News from Tor StackExchange --- Alex Ryan has been experiencing crashes of his relay running on a Raspberry Pi [24] due to circuit creation storms. He found out that the problem disappeared after upgrading to the new 0.2.4 series of Tor. There are currently no official Raspbian packages, so users will have to build the package manually from source. [24] https://tor.stackexchange.com/q/1302/88 User cypherpunks wanted to know how to report security issues to the Tor Project [25]. Until a proper process is decided [26], the best way at the moment is to contact Nick Mathewson, Andrea Shepard, or Roger Dingledine privately using their GnuPG keys. [25] https://tor.stackexchange.com/q/1339/88 [26] https://bugs.torproject.org/9186 How many hidden services can be served from a single Tor instance? [27] Syrian Watermelon is looking to know if there is a hard limit and how memory usage will go. The question is still open and has attracted some interest from other users. [27] https://tor.stackexchange.com/q/1337/88 Upcoming events --- Feb 1-2| Tor @ FOSDEM | Brussels, Belgium | https://fosdem.org/2014/ | Feb 8 | Aaron @ New Media Inspiration 2014 | Prague, Czech Republic | http://www.tuesday.cz/akce/new-media-inspiration-2014/ | Feb 8 | Colin @ Winnipeg CryptoParty | Winnipeg, Canada | http://wiki.skullspace.ca/CryptoParty This issue of Tor Weekly News has been assembled by Lunar, George Kadianakis, qbi, Karsten Loesing and dope457. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [28], write down your name and subscribe to the team mailing list [29] if you want to get involved! [28] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [29] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other
Re: [tor-talk] Vidalia has been replaced with Tor Launcher
Michael Wolf: > Sometimes you don't actually want your "identity" to change, but you > want to move to a different exit node because there is a connection > issue between the exit node and the destination. You're browsing, and > then your exit node changes after so many minutes... but the new exit > node could be overloaded so it drops half of the requests coming > through, or the exit node is banned (HTTP 403) on the site being > requested, or the exit node is misbehaving and modifying traffic, or... > > At this time, using Vidalia is the only way to change exit nodes without > losing all your tabs, or to see which exit node is misbehaving. It > would be really useful to be able to change exit nodes without Vidalia, > even if this function is hidden somewhat. I agree, see: https://trac.torproject.org/projects/tor/ticket/9892 Anyone is welcome to help implementation-wise, as always. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Thunderbird leak
Mike Cardwell: > I am not on the Tails list. Perhaps somebody who is already there might > bring it up? No point in doing so. Thunderbird is not currently shipped by Tails. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia has been replaced with Tor Launcher
Katya Titov: > New Identity works from both TBB and Vidalia. The difference is that > from TBB the entire browser closes and restarts and you lose open tabs. > When choosing a new identity from Vidalia the browser remains open. I need to point this out one more time: In the case of the latter, the browser content stays the same. All the browser content. Including cookies, history, and many other things that are used to fingerprint a browser session. This means that from the websites point of view, nothing changes except the IP address. You keep the same identity there. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia has been replaced with Tor Launcher
Joe Btfsplk: > I missed the memo on all reasons why Vidalia - bad, Tor Launcher - > good. At least: http://users.encs.concordia.ca/~clark/papers/2007_soups.pdf http://petsymposium.org/2012/papers/hotpets12-1-usability.pdf and Vidalia has no maintainers for a while now. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — January 8th, 2013
Tor Weekly NewsJanuary 8th, 2013 Welcome to the first issue for the year 2014 of Tor Weekly News, the weekly newsletter that covers what is happening in the impressive Tor community. The tor-news mailing list has reached a thousand subscribers. Thanks for following us! Tor at the 30th Chaos Communication Congress The Chaos Computer Club held its thirtieth congress [1] in Hamburg, Germany during the days and nights of December 26th-30th. The congress had over 9,000 participants. The topic of pervasive surveillance was more present than ever, and Tor was a common answer to many questions. [1] https://events.ccc.de/congress/2013/ “We are living in interesting times” was the subtitle of Jacob Appelbaum and Roger Dingledine’s talk for this year [2]. Their tour of what happened to Tor in the past years and more importantly in the past months was seen by more than 3,000 attendees in Hamburg and a couple more from the live stream and recordings. Later on, Sophie Bayerlein had decorated a wall with her visual summary of the talk [3]. [2] http://media.ccc.de/browse/congress/2013/30C3_-_5423_-_en_-_saal_1_-_201312272030_-_the_tor_network_-_jacob_-_arma.html [3] https://events.ccc.de/congress/2013/wiki/Projects:VisualNotes#The_TOR_Project The talk was quickly followed by a “How to help Tor?” workshop. Lunar reported [4] “an overwhelming success as more than 200 people showed up. We were not prepared for helping so many folks waiting to learn how they can help Tor. It still created interesting discussions, I believe, and I hope we will find ways to interact more with the larger community in the upcoming weeks, especially concerning outreach to the general public.” [4] https://lists.torproject.org/pipermail/tor-reports/2014-January/000420.html Earlier the same day, a meetup of Tor relay operators was held. The small room was packed with at least 60-70 attendees. Several relay operator organizations reported on their progress: DFRI [5], Frënn vun der Ënn, Icetor [6], Noisetor, Nos oignons [7], Swiss Privacy Foundation [8] and Zwiebelfreunde. Many of these projects did not exist last year, and new organizations are still being created, like The Torrorists [9] who also gave a quick status update. Nikita Borisov gave a quick presentation of the traceroute research experiment [10] and encouraged more operators to run the test script. Several operators of important relays and directory authorities also assisted the session. Let’s hope everyone shared the same feelings as Jason from Icetor: “It was really excellent meeting all of you and great for my morale to see all the people understanding and working towards common goals. Perhaps it’s just due to my remoteness, but I rarely get to discuss projects like this at such an intricate level.” [5] https://www.dfri.se/wiki/20131227-DFRI.pdf [6] http://icetor.is/slides/icetor-relay-slides.pdf [7] https://nos-oignons.net/Pr%C3%A9sentations/30C3/2013-12-27-30C3-Tor_relay_ops-Nos-oignons.pdf [8] http://www.privacyfoundation.ch/assets/files/presentation_association_20131227.pdf [9] http://www.torrorists.de/ [10] http://web.engr.illinois.edu/~das17/tor-traceroute_v1.html On the lightning talks front, Kai Engert presented DetecTor [11,12,13], David Fifield covered the basics of Tor pluggable transports [14], and Michael Zeltner introduced tor2tcp [15,16]. Some OnionCat [17] developers have also been spotted in the corridors. [11] http://detector.io/ [12] Slides: https://events.ccc.de/congress/2013/wiki/images/1/1b/LT-Day_3-14.45-DetecTor.IO.pdf [13] Video: http://media.ccc.de/browse/congress/2013/30C3_-_5563_-_en_-_saal_g_-_201312291245_-_lightning_talks_day_3_-_nickfarr.html at 1:56:25 [14] https://www.bamsoftware.com/talks/30c3-pt/ [15] https://poum.niij.org/ [16] Video: http://media.ccc.de/browse/congress/2013/30C3_-_5564_-_en_-_saal_g_-_201312301245_-_lightning_talks_day_4_-_nickfarr.html at 1:41:00 [17] https://www.onioncat.org/ The Chaos Communication Congress is one of the rare events where an impressive number of members of the Tor community have a chance to interact. Let’s hope it has been a fruitful time for everyone! Tor website needs your help! One of the outcomes of the “How to help Tor?” session at the 30C3 was that there were quite some people interested in helping the Tor project with its website. In order to foster anyone’s participation, a larger call for help [18] has been sent. It starts by acknowledging that “Tor has shifted in the recent years from being a project prominently used by researchers, developers, and security experts to the wider audience of anyone concerned about their privacy”. As its primary
Re: [tor-talk] Elementary question
kelemen...@aim.com: > Since I installed TBB 3.5, I've been unable to use AOL mail. A search > of the Tor Project Web site (perhaps too cursory) failed to yield > clues that might lead to a solution. Any thoughts on what to do or > where to look for more information? This might be an instance of #10569. Feel free to comment on the ticket if adequate. https://trac.torproject.org/projects/tor/ticket/10569 -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Download Helper
Olivier Cornu: > I haven't checked the project in the last couple years, yet in the past GM > had to deal with significant security issues. > As so many projects it grew from a few hacks and ended much wider than ever > intended, with the usual design and coding scars. But the main obstacle was > that it introduced a new level of privilege between embedded javascript and > chrome code, which was not intended to exist in firefox and impossible to > enforce in pure javascript. It was long the case that, although relatively > safe when used properly, it could quickly be used in unsafe ways -- even in > good faith. Thanks for raising these aspects I did not consider earlier on. :) -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Download Helper
Alexander Dietrich: > >I am not an expert in Firefox tweaks, but it was my understanding that > >Greasemonkey could be used to turn nice hacks into scripts. We could > >then maybe improve the situation for all Tor Browser Bundle users by > >shipping the script with the bundle. > > If this is just about transforming the URL, couldn't you use an HTTPS > Everywhere rule? Then you wouldn't have to install ( and audit :) ) > Greasemonkey. I had more in mind of locating the “normal” video window, and replacing it with an iframe with the “embed” version. Isn't that the kind of things that Greasemonkey can do? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Download Helper
Tempest: > don't use a plugin. i've had success with a simple url tweak in the > instances where youtube claims flash is required. you just need to place > "embed" in the url at the right place. > > for example, if you wanted to watch > https://www.youtube.com/watch?v=AHsM10hhmIU and got the error saying you > needed to install flash in the tor browser, you need to use "embed" and > the video id to get it to play. The url would be > https://www.youtube.com/embed/AHsM10hhmIU > > this should allow you to watch youtube videos that claim to ned flash > without needing to install any third party plugins. I am not an expert in Firefox tweaks, but it was my understanding that Greasemonkey could be used to turn nice hacks into scripts. We could then maybe improve the situation for all Tor Browser Bundle users by shipping the script with the bundle. Any Greasemonkey wizard reading that could come up with such script? -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] No Tor Weekly News for January 1st, 2014
Hi! Given a combination of calendar, Chaos Communication Congress and holidays, we decided to skip this week's edition of Tor Weekly News. We will resume our regular schedule on January 8th. Stay tuned or come help us! https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Tor Weekly News — December 25th, 2013
profile users breaking news about the network itself, discussions about funding, FBI/NSA exploitation of Tor Browser users, botnet related load on the Tor network, and other important topics”. Their talk will be followed by a discussion involving everyone interested in helping Tor [15] at the NoisySquare assembly. The Tor ecosystem is now made up of more than forty different projects, and there are sure to be ways you can help. Bring your skills and your energy! Torservers.net will be holding a meeting of Tor relay operators and organizations [16], featuring “quick presentations on recent and future activities around Torservers.net”, to be followed by the official members’ meeting of the German Torservers.net partner organization, Zwiebelfreunde e.V. #youbroketheinternet will hold a session on the future of crypto routing backends [17]: “Even the IETF is now considering that Onion Routing should be a fundamental capability of the Internet. How would that look in practice?” If you are attending the Congress, feel free to come along and participate in these sessions; if not, you should be able to catch up with the talks online. [12] https://www.ccc.de/en/updates/2013/30c3 [13] https://media.torproject.org/video/29c3-5306-en-the_tor_software_ecosystem_h264.mp4 [14] https://events.ccc.de/congress/2013/Fahrplan/events/5423.html [15] https://events.ccc.de/congress/2013/wiki/Session:How_to_help_Tor%3F [16] https://events.ccc.de/congress/2013/wiki/Session:Tor_Relay_Operators_Meetup [17] https://events.ccc.de/congress/2013/wiki/Session:YBTI_Cryptographic_Routing Miscellaneous news -- Anthony G. Basile released version 20131216 [18] of Tor-ramdisk, a “uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy.” This new release is the first to ship the 0.2.4 branch of Tor. [18] http://opensource.dyc.edu/pipermail/tor-ramdisk/2013-December/000107.html For those who like hazardous experiments, intrigeri sent a call for testing [19] an experimental Tails image with preliminary UEFI support — users of Apple hardware should be particularly interested. anonym also announced [20] that test images from the MAC spoofing branch were available. [19] https://mailman.boum.org/pipermail/tails-dev/2013-December/004538.html [20] https://mailman.boum.org/pipermail/tails-dev/2013-December/004547.html Nick Mathewson sent his now-monthly review of the status of Tor’s proposals [21]. Karsten Loesing followed-up by commenting on several of those related to the directory protocol. Have a look, you might also be able to move things forward! [21] https://lists.torproject.org/pipermail/tor-dev/2013-December/005957.html Many thanks to John Sweeney of otivpn.com [22], Jeremy J. Olson of EPRCI [23], and les.net [24] for running mirrors of the Tor Project website. [22] https://lists.torproject.org/pipermail/tor-mirrors/2013-December/000403.html [23] https://lists.torproject.org/pipermail/tor-mirrors/2013-December/000411.html [24] https://lists.torproject.org/pipermail/tor-mirrors/2013-December/000415.html Karsten Loesing has been experimenting with replacements [25] for the “fast exits” graphs that would convey a better feeling of the network growth. He also deployed a new visualization for the fraction of connections used uni-/bidirectionally [26]. [25] https://bugs.torproject.org/10460 [26] https://metrics.torproject.org/performance.html#connbidirect Tor help desk roundup - Multiple users have now emailed the help desk regarding a particular type of “ransomware” [27] that encrypts the hard drive of Windows computers and won’t give users the decryption key until a payment is made. Victims of this malware have emailed the help desk because the ransomware message includes a link to a tor hidden service site. Malware victims wanted to know how to install the Tor Browser, or thought the Tor Project was the source of the malware. The Tor Project does not make malware; in the past Tor developers have worked with anti-virus developers to help stop other types of malware. Users affected might find useful information in the guide assembled by BleepingComputer.com [28]. If you have not been affected, the story might be a good reminder to think about your backups. [27] https://en.wikipedia.org/wiki/Ransomware_%28malware%29 [28] http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information Upcoming events --- Dec 27-30 | Tor @ 30th Chaos Communication Congress | Hamburg, Germany | https://events.ccc.de/congress/2013/ | Jan 13-15 | Tor @ Real World Crypto 2014 | New York City, USA | https://realworldcrypto.wordpress.com/ This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan and dope457. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers
Re: [tor-talk] TBB 3.5 and Debian Repo
anonymous: > I would like to use the Tor broswer along with the tor and tor-arm > packages from the Debian repo. I don't really understand why add extra complications and not directly use the Tor Browser Bundle. Why is preventing you from using the bundled Tor instance? You can use tor-arm with the Tor Browser Bundle. Just issue `arm -i 9151` on a command-line. > In the past it has been possible to do so by disabling the > tor-launcher in the start-tor-broswer script, but this no longer > works. You should be able to set the environment variable `TOR_SKIP_LAUNCH=1`, like: TOR_SKIP_LAUNCH=1 ./start-tor-browser > Can someone please explain to me what the base tor package has to do > with Firefox add-ons and how this would be different between debian > and the bundle? Removing or adding add-ons from the Tor Browser might give to your own browser a specific fingerprint. > Also, isn't it hypocritical to suggest users run a tor relay from the > debian package while using the TBB for browsing alongside as well? Why would it be a problem? > I seem to recall the project frowning upon Tor over Tor situations in > the past, but perhaps this has changed. Running two instances of the tor daemon on one system will not create a Tor over Tor situation. There's just two distinct tor daemons. One acting as an “Onion Proxy”, the other as an “Onion Router”. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Request for "Tor, king of anonymity" graphic
grarpamp: > This... > https://bayimg.com/BAfJGAafB Sorry, but no. Tor mailing lists are not places where spreading rape culture is ok, whatever the point you are trying to make. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] VPS Suggestions for Middle Relay
David: > So I'm looking to spend around $20-$30 dollars a month, and was > wondering if this awesome list had any recommendations? > > Online.net has some very cheap unmetered dedicated servers, and I hear > that they're currently changing their policy to allow middle relays, but > I've also heard that they have been terrible in the past with shutting > down relays. Anyone have any comments on this? (The question might have been better suited to the tor-relays mailing list.) AS12876 now hosts 13% of the network: <https://compass.torproject.org/#?ases=AS12876&top=-1> That makes it the most important autonomous system of the whole network, before Hetzner and OVH: <https://compass.torproject.org/#?top=10&by_as> I strongly recommend not adding more relays there, especially as Tor does not currently have an AS-aware path selection algorithm. -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk