Re: [tor-talk] seeking someone to fix a Tor rpm bug
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 03/10/2011 09:16 AM, Erinn Clark wrote:
> I work on the Tor packages, including the RPMs, but I don't know
> enough about rpm-based systems to confidently fix this one:
> https://trac.torproject.org/projects/tor/ticket/1134
It's either looking too trivial to me or I really do not understand
anything about it (which is probably the right one as I'm really low on
coffee right now).
> Primarily I am worried about the upgrade scenario and changing groups
> in a way that doesn't break previous versions of the packages.
Could you elaborate a bit on the issues?
So far my understanding is that "--with-tor-group" should not be called
anymore during configure, so a patch would be to just remove
"--with-tor-group=%{torgroup}" from the rpm spec %configure line :-P
> Anyone here wanna take a stab at it?
If noone wants to go first I'll gladly take a look at it: I did rpm
packaging in the past and I'm mantaining Slackware Tor build script over
at http://www.slackbuilds.org/ .
ciao
- --
Marco Bonetti
Tor research and other stuff: http://sid77.slackware.it/
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My GnuPG key id: 0x0B60BC5F
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk14sZUACgkQTYvJ9gtgvF9MbACdE3TRlTs2AxDEZoeSIJQwIC5j
Xp4AnReHJyPYyod9fn2QYnAoEXG/ajGE
=bG97
-END PGP SIGNATURE-
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] seeking someone to fix a Tor rpm bug
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/10/2011 12:38 PM, Erinn Clark wrote: > Yes, you could just remove that. But do you need to change the group > for all of the people who already have a _tor group created upon > upgrade? Should you delete the group from existing systems > altogether? Is it as simple as just removing all of the other > torgroup mentions from the .spec (and there are quite a lot of them)? > Does it do the right thing when it gets installed for a new user as > well? I think the best solution is to just remove the configure entry and keep creating the _tor (or tor) user and assigning it the _tor (or tor) group. I can't see why there shouldn't be a _tor group for the _tor user: you will need a group for the application user anyway and changing it from its standalone one to a shared one like "proxy" is a system upgrade nightmare as you correctly said and a security weakness as well (a broken application could leverage its belonging to the shared group to try to modify Tor configuration files). Just my 2 cents, obviously! - -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk14wHAACgkQTYvJ9gtgvF+vdQCfUyWjOEkLsI889ZA37BFImhOY ncAAnivvVGuY7cvppGbHSQBjhhTm4krm =ybNp -END PGP SIGNATURE- ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] embedding tor into apps?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 06/29/2011 04:38 PM, MacLemon wrote: > ToS require everything to be in a single binary. Beware of the cellular data bandwidth comsumption limitation too (no reference on hand, sorry). I do not have enough math skills to prove it but I suspect it could facilitate statistical attacks against hypothetical iOS Tor users. Anyway, your project looks promising :) keep us informed! P.S.: an even better solution for jail broken devices would be that of running Tor in transparent proxy mode but I still don't know how to enable such support in iOS - -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk4LRJkACgkQTYvJ9gtgvF9xiwCeJV6W2aNBPrUTif3pg4FWI4Aj abMAnR3tz13IlsLkApMxE1Ac+zrxM2iQ =hsq4 -END PGP SIGNATURE- ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TBB 2.2.32 & Automatic Updates
According to Mozilla: https://www.mozilla.org/en-US/mobile/sync/ everything should be encrypted, both in the browser-server communication and on the server side, while storing your data. They also affirm data is encrypted in such way they cannot retrieve the plaintext. I haven't wiresharked my connection to get a proof but, since the user has to specifically log in, as already noted by Erinn, I would say it's safe to leave it enabled. Ciao! -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] notice - newer ver available just after install latest TBB
I did some quick tests with TBB on Linux, versions 0.2.33-2 and 0.2.33-3. In both cases I get these results: 1) https://check.torproject.org/ - no warning 2) https://check.torproject.org/?lang=en-US&small=1 - warning 3) https://check.torproject.org/?lang=en-US&small=1&uptodate=1 - no warning 2 was the home page used in TBB 0.2.33-2 3 is the newer home page used in TBB 0.2.33-3 Ciao, Marco -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] TBB as user debian-tor
- Original Message - > it's files to debian-tor with: chown -R debian-tor tor-browser_en-US/ maybe "chown -R debian-tor:debian-tor tor-browser_en-US/" should be a little better > xhost + & sudo -u debian-tor /tor-browser_en-US/start-tor-browser as already pointed out, "xhost +" is a bit too wide open, try with "xhost local:" to accept only localhost X11 connections -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] using themes in Aurora
- Original Message - > On Friday, October 14, 2011 12:49:32 Joe Btfsplk wrote: > > No one's EVER looked into Tor security issues of using themes (from > > Mozilla addons site) or Firefox GUI enhancement addons, like Tab > > Mix Plus? > > You could be the first! > > My first step would be to see what information is sent back to > mozilla's getpersonas.com site by the theme. I took a look at personas back in 2009: when it was still in an early experimental stage and it was distributed as an extension, I was able to register a cookie exchange with your browser and personas server. The exchanged cookie contained the IP address of the browser as seen by the server. I noted it in my 2009 e-privacy talk: http://sid77.slackware.it/tor/TorWeb20.pdf (Italian only, sorry). However, since personas get stable and became an official feature of Firefox I wasn't able to record that cookie again, so I didn't mention it in the next events. -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Vidalia for Iphone 3g
- Original Message - > Marco's Tor-for-iphone packages are great for testing, but without an > analysis of the application-level vulnerabilities, like the one for > Tor Browser (https://www.torproject.org/projects/torbrowser/design/), > you're going to have to really know what you're doing to use it > correctly. Totally agree: Tor itself works out of the box on iOS but this is not enough to get a safe browsing experience. By the way, a tutorial for installing Tor on jailbroken devices is here: http://sid77.slackware.it/ios/howto/ I do not want to spread out the wrong assumption that installing Tor from my repository is enough to be completely anonymous with your iDevice so I need users to be able to follow not-brain-dead-easy instructions ;-) -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Aurora only build
- Original Message - > TBB isn't available for OSX PPC, so I'd have to build it - a mammoth > task, but since I already have the latest Tor running and a working > Vidalia, building Aurora would be a sensible step if possible, to > get away from my outdated browser. Mozilla moved away from the PPC platform around version 5.x and the code base has grown incompatible since then. You should take a look at http://www.floodgap.com/software/tenfourfox/ if you need something which looks like recent Firefox versions without all the hassle of building it up yourself. HTH, Marco -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Aurora only build
- Original Message - > though perhaps it would not provide as strong anonymity as Aurora - any > views? Errr... I think you missed a point ;-) Aurora IS Firefox or, at least, it's the release name. When building custom version of Mozilla products from source you can't use the same name as the official packages. That's the TL;DR of the Mozilla Public Policy. TBB is a custom version of Mozilla Firefox built by the Tor Project and shipped together with Vidalia and some other programs and libraries. So, if you want to have something which looks like TBB on a PowerPC Mac, install Vidalia, grab a copy of TenFourFox and install required extensions. Beware this is not enough! TBB has been built to address a specific threat model and Firefox has been patched and configured accordingly to that model so I'm the first to warn you that "just run Firefox with required extensions" is close enough but not the same thing. Ciao! -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Unsafe for Tor?
Use TrackHostExits, then :) It will fail if the home banking system is actively denying access from Tor exit nodes, though. -- Marco Bonetti Tor research and other stuff: http://sid77.slackware.it/ Slackintosh Linux Project Developer: http://workaround.ch/ Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/ My GnuPG key id: 0x0B60BC5F ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] HTML5 video and Tor anonymity.
TL;DR: If you're using TBB, you are safe I address this specific problem at DeepSec 2009 with the talk "Breaking Tor Sessions with HTML5", at the time it was possible to de-anonimyze a Tor user using the HTML5 video tag together with a specific poster attribute. The idea was to instruct the browser to fetch the main video via http and the poster via ftp, bypassing Tor. TorButton and the Tor Browser Bundle in general put defenses into place to protect your from this kind of attack. -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
