Re: [tor-talk] Iran cracks down on web dissident technology

2011-03-21 Thread Martin Fick
--- On Mon, 3/21/11, Joe Btfsplk  wrote:
> It's a serious question.  Please save the "check the
> source code yourself" comments.  Open source code means
> literally nothing.

You have three choices when it comes to trusting 
something: 1) you can check yourself, 2) you can 
have someone you trust check, 3) you can trust 
an authority.

Having the source code enables option 1 and 2.  
Option 3 is pretty much useless if your concern 
is authority in the first place, no?

So like it or not, having the source code is more
useful than anything else anyone can propose.  It
is not perfect, but it is the ONLY recourse that
has even a remote chance of being useful against
trusting authority.

-Martin



  
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Securing a Relay - chroot

2011-05-25 Thread Martin Fick
--- On Wed, 5/25/11, cac...@quantum-sci.com  wrote:
> I am seeing evidence that a chroot jail is not secure, even
> in Linux, due to breakouts such as  someone running
> os.fork() from python and spawning processes to do bad
> stuff.
> 
> For torrents I run Debian in a VirtualBox virtual machine
> which is bridged directly to The Internets, with the VM user
> and user inside being very non-prived.  My best
> information is that this is quite secure.

I run mine in a linux vserver, it should run in lxc also,
those are both much more lightweight than a virtual
machine.  I would suggest that.

> Has anyone done any research on best practices for securing
> a daemon?

Not sure.

-Martin



Re: [tor-talk] Securing a Relay - chroot

2011-05-26 Thread Martin Fick
--- On Thu, 5/26/11, cac...@quantum-sci.com  wrote:

> Martin Fick wrote:
> > I run mine in a linux vserver, it should run in lxc also,
> 
> Problem is you need to patch the kernel, and it must share
> network setup with the host.


lxc does not require any patching.

With lxc, you can set up the network any way you want,
it can be set up the same way you would set up a
VM.  What specifically are you gaining from using
a VM?

-Martin



Re: [tor-talk] Securing a Relay - chroot

2011-05-26 Thread Martin Fick
--- On Thu, 5/26/11, cac...@quantum-sci.com  wrote:

> > So you're worrying about a compromised vserver guest
> > compromising the host, which is then used to attack
> > your LAN segment?
> 
> Doesn't even have to compromise the host.  With the
> guest in the same class C it can monitor traffic.

This is not true with a vserver, they use IP aliases,
and do not have raw access to the network interface
(unless you give them those specific capabilities).

With lxc you could give it that access, but you
could also firewall its interface from within the
host so that this is not possible (unless the host
is compromised).

-Martin





Re: [tor-talk] Securing a Relay - chroot

2011-05-27 Thread Martin Fick
> > You do not mention the threats you worry about and assets
> > you care about (threat model + security requirements).
>
> Yes that's because I don't know what threats there may be.
> I am a user, I don't have an MS in Computer Science.
> For example I don't understand, "maps subnets and/or ports
> to inside. Separating traffic into VLANs. In general
> having a lot more control of the hardware layer."
>
> What good is this if users can't secure their own machine
> effectively?  Why set up a relay if my own machine could
> be compromised?  No wonder you have a hard time
> recruiting relays, much less exit points.  I guess the
> coyness here is for some good reason, but it's not doing
> the cause any good.  Looks like I have to give up on a relay.

Well, it appears that you do have a threat model in mind.
It seems that you are concerned with people using your
relay to attack your local machines.  Those are valid
concerns, that is the threat model you are hoping to
get advice against.

You have received some advice against it, but you do not
appear to understand this advice, which is fine, please
ask more questions then.

I think that your concerns are valuable, they often
concern me also, and I am sometimes surprised that
others are not concerned about this on their home
networks.  I agree that the tor project could provide
some more advice on dealing with this.

I suspect the reason that you don't see this is because
either most people assume it is just too hard, or to
those for whom it is not too hard, they just know how to do
it and think that it will be too hard to explain to others
(with good reason).  Nevertheless, it might be worth trying.

> Nevertheless it is still necessary to share 192.168.*.*
> with the local LAN.  I want to avoid this

The reason you want to avoid this I suspect is because
you want to prevent someone from owning your relay,
and then attacking the rest of your network from inside
your local hardware firewall (likely a DSL or cable
modem)?  Is that correct?

The solution that I suggested with vservers will allow you
to prevent local network snooping (eavesdropping on packets
not intended for your vserver), but it will not prevent your
vserver from directly attempting to communicate with other
machines (including your host) inside your firewall unless
additional rules are added to your host, likely using
iptables or something like this.  Using lxc you would
likely want those same rules, but perhaps you would need
more to prevent eavesdropping.

It would be nice if someone who has done this could help
write a guide to do this.  If no one has done this yet, I
think that it would be valuable, and perhaps it should even
become recommended practice eventually.

Just my .02 cents,

-Martin
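
An added example, not part of the original message or of any Tor project guide: a generator for the host-side iptables rules that this reply and the 2011-05-26 reply above refer to. It assumes an lxc container whose interface is routed/NATed by the host, a container DNS resolver outside the private ranges, and otherwise empty INPUT/FORWARD chains; the interface name `lxcbr0` and port 9001 are sample values.

```shell
#!/bin/sh
# Added example. Prints iptables commands for the host; nothing is applied.
# Assumed: routed/NATed container interface, empty INPUT/FORWARD chains.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

gen_relay_fence() {
    iface=$1 orport=$2
    # Accept only a plain interface name and a numeric port, so the
    # output is safe to hand to a root shell.
    case $iface in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case $orport in
        ''|*[!0-9]*) echo "bad port: $orport" >&2; return 1 ;;
    esac
    [ "$orport" -ge 1 ] && [ "$orport" -le 65535 ] || return 1
    est="-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Host: the container may answer the host but not open connections to it.
    echo "iptables -A INPUT -i $iface $est"
    echo "iptables -A INPUT -i $iface -j DROP"

    # LAN: replies pass; new connections toward private ranges are dropped.
    echo "iptables -A FORWARD -i $iface $est"
    for net in $PRIVATE_NETS; do
        echo "iptables -A FORWARD -i $iface -d $net -j DROP"
    done
    # Internet: everything else the relay sends is allowed out.
    echo "iptables -A FORWARD -i $iface -j ACCEPT"

    # Inbound: only the relay's ORPort and reply traffic reach the container.
    echo "iptables -A FORWARD -o $iface -p tcp --dport $orport -j ACCEPT"
    echo "iptables -A FORWARD -o $iface $est"
    echo "iptables -A FORWARD -o $iface -j DROP"
}

# Stand-alone use: sh fence.sh lxcbr0 9001
[ $# -eq 0 ] || gen_relay_fence "$@"
```

Review the printed rules before piping them to a root shell; because they are appended with `-A`, any earlier ACCEPT rule in the same chain would take precedence over them.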




Re: [tor-talk] EFF Tor Challenge

2011-06-02 Thread Martin Fick
--- On Thu, 6/2/11, t...@lists.grepular.com  wrote:
> "If Tor has vulnerabilities, it might get exploited!"
> 
> Of course, you can replace "Tor" with any other application
> name. Tor is not special in this regard.

It is a server though, and every other application is
not.  Most home users are not used to running and
securing servers.  While I may not have taken the
approach (or tone) the original post did, I do think 
that his concern should be taken more seriously and 
not trivialised falsely,

-Martin



Re: [tor-talk] EFF Tor Challenge

2011-06-02 Thread Martin Fick
--- On Thu, 6/2/11, cac...@quantum-sci.com  wrote:

> For those interested, so far my best idea is running the
> daemon in a VirtualBox VM running SELinux as guest, and
> bridged to the outside.  This should substantially
> solve most problems except membership in the local
> LAN.  

I don't think that this would make for a best practice,
I think that a linux lxc should be encouraged instead,
it is way more efficient.

> If only consumer-grade routers had VLan, although routers
> aren't necessarily secure.  Maybe a switch on the WAN
> side of the router, to flange the LAN and Tor interface
> together in a class C different from the LAN.

As for isolation, I think that a best practice 
should use iptable rules.  But if you want to 
go the cheap hardware route, buy a $5/15 nic 
and add it to your box and plug that nic into 
your modem's DMZ port, most of them have one.

-Martin



Re: [tor-talk] EFF Tor Challenge

2011-06-02 Thread Martin Fick
--- On Thu, 6/2/11, cac...@quantum-sci.com  wrote:
> > > For those interested, so far my best idea is running the
> > > daemon in a VirtualBox VM running SELinux as guest, and
> > > bridged to the outside.  This should substantially
> > > solve most problems except membership in the local
> > > LAN.
> > 
> > I don't think that this would make for a best practice,
> > I think that a linux lxc should be encouraged instead,
> > it is way more efficient.
> 
> I looked at containers in depth.  They are simply not
> secure.

Could you be more specific?  I understand that
different people have different opinions/biases
of how secure a system is, but I don't think 
that anyone can make the claim that either of 
these two setups are more obviously secure than 
the other.  Both perform similar logical 
isolations, neither has the obvious advantage 
here.  Both have the potential to have the
isolation compromised by bugs, the full VM
solution has more code, so likely has a greater
attack surface, but that likely means little
in this argument.  If you think it is "simple", 
please explain on what basis you are making
this claim.

Since I do not think that it is a simple
evaluation to determine which solution is
more secure, and both solutions perform
a similar logical isolation (when not 
compromised), I would suggest that other
criteria be used to judge which solution
should be used to suggest to others as a
best practice.  Naturally, I would not
tell you that you are wrong for running
virtualbox, but I don't think that it is
a great solution for a best practice.  
And, if you think that lxc is not 
appropriate for a best practice, please
provide some good reasons so that we can
all benefit.


> Most ppl have consumer-grade routers;  no DMZ
> port.  Wish there was...

I am sorry you don't, but many consumer-grade 
routers actually do have a DMZ port, it is 
certainly not out of the ordinary.

-Martin



Re: [tor-talk] EFF Tor Challenge

2011-06-03 Thread Martin Fick
--- On Fri, 6/3/11, cac...@quantum-sci.com  wrote:
> > --- On Thu, 6/2/11, cac...@quantum-sci.com wrote:
> > > I looked at containers in depth.  They are simply not
> > > secure.
> > 
> > Could you be more specific?
> 
> It's been a long time since I looked into this, but I came
> across some fairly damning evidence which caused me to
> eliminate containers out-of-hand and look for other
> options.  I don't have time to research it now.

Well, without specifics, we usually call this
spreading FUD.  Not a good recipe when you are
requesting help,

-Martin



Re: [tor-talk] New Tool Keeps Censors in the Dark - mentions Tor.

2011-08-05 Thread Martin Fick
--- On Fri, 8/5/11, berta...@ptitcanardnoir.org  wrote:

> >   http://www.technologyreview.com/communications/38207/?p1=A1
> > >>>It's worth reading the paper:

I think that simply getting high profile sites to run tor
nodes would be more likely and less invasive to the internet 
as a whole.  If google were to simply run a bunch of 
bridges, or even known tor entry nodes, that would likely
be more reliable and be less pie in the sky.

If you compare the advocacy it would take to get enough 
ISPs to implement this scheme versus the advocacy to get
a few high profile (can't live without them) sites to run
tor nodes, I suspect the latter would be much easier.

-Martin



Re: [tor-talk] virtual private servers for Tor?

2011-08-26 Thread Martin Fick
--- On Fri, 8/26/11, coderman  wrote:
> Rhona Mahony wrote:
> >   What virtual private server software do you know works well--or
> > badly--with running a Tor server?
> 
> Xen, VMWare work best in bridged mode; alas most providers don't
> configure them this way.
> 
> OpenVZ is worthless from a networking standpoint and Virtuozzo only
> somewhat better.
> 
> you'll want to peruse the wiki for vserver tuning tricks...


Since such discussions are generally likely to be 
highly opinion based, it would help if you gave
technical reasons for your opinions.  

Both of your preferred solutions will have much 
higher performance overheads than any container 
like solution (OpenVz, Vserver, lxc...).  I see 
no glaring reason why any of those container 
solutions could not be used. I use a Vserver,
on a very low BW link,

-Martin



Re: [tor-talk] Tor Exit Node Operator Raided in USA.

2011-08-29 Thread Martin Fick
--- On Mon, 8/29/11, Matthew  wrote:
> https://www.eff.org/deeplinks/2011/08/why-ip-addresses-alone-dont-identify-criminals
>
> 
> If you run an exit relay, consider operating it in a 
> Tor-friendly commercial facility instead of your home 
> to make it less likely that law enforcement agents will 
> show up at your door.

Hmm, I am surprised by the EFF's advice here. 

If it is legal as they claim, shouldn't they be 
heralding us to run an exit node at home and not
be intimidated by ignorant law enforcement?  And
that they will help defend us in case of an 
issue?  

After all, they are recommending open wireless
access points from individuals:

http://www.eff.org/deeplinks/2011/04/open-wireless-movement

Strange,

-Martin



Re: [tor-talk] Tor Exit Node Operator Raided in USA.

2011-08-31 Thread Martin Fick
--- On Wed, 8/31/11, Fabian Keil  wrote:
> Martin Fick wrote:
> 
> > --- On Mon, 8/29/11, Matthew wrote:
> > > https://www.eff.org/deeplinks/2011/08/why-ip-addresses-alone-dont-identify-criminals
> > >
> > >     
> > > If you run an exit relay, consider operating it in a 
> > > Tor-friendly commercial facility instead of your home 
> > > to make it less likely that law enforcement agents will 
> > > show up at your door.
> > 
> > Hmm, I am surprised by the EFF's advice here. 
> > 
> > If it is legal as they claim, shouldn't they be 
> > heralding us to run an exit node at home and not
> > be intimidated by ignorant law enforcement?  And
> > that they will help defend us in case of an 
> > issue?  
> > 
> > After all, they are recommending open wireless
> > access points from individuals:
> > 
> > http://www.eff.org/deeplinks/2011/04/open-wireless-movement
> 
> I think getting raided due to running a Tor exit node at
> home (or even remotely) is a lot more likely than getting
> raided due to running an open wireless access point.

Tell that to this guy:

http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-pornography-innocent_n_852996.html

That raid sounds worse than any tor related raid I have 
read about in any country,

-Martin



Re: [tor-talk] How to make 100.000 bridge?

2012-01-13 Thread Martin Fick
--- On Fri, 1/13/12, Runa A. Sandvik  wrote:
> 
> Or just https://cloud.torproject.org/


Perhaps this is a naive question, but has anyone considered targeting bridge 
users directly?  In other words, if someone lives in a censored region, why not 
make it trivial for them to run their own personal EC2 bridge?  This way it 
will likely never be blocked.  After all, wouldn't it be better to get 
volunteers to host relays or exit nodes than it would be to get them to host 
bridges?  Make it simple and easy for people to have their own bridges and no 
longer rely on volunteers for bridges at all.

Do bridges support a password or key to access them?  If so, then users could 
ensure that others are not using their personal bridge.  Access control might 
even help further disguise such bridges from being probed and recognised as 
bridges?

This seems so obvious to me, that I suspect it is completely flawed...

-Martin
