Re: [tor-talk] Tor 0.4.6.1-alpha is released

2021-03-19 Thread Roman Mamedov
On Fri, 19 Mar 2021 19:07:38 +0100
Markus Reichelt  wrote:

> * Nick Mathewson  wrote:
> 
> > There's a new alpha Tor release!  Because it's an alpha, you should
> > only run it if you're ready to find more bugs than usual, and
> > report them on gitlab.torproject.org.
> 
> it isn't mentioned in the changelog, but this is rather important:
> 
> Mar 19 18:57:00.911 [warn] Onion services version 2 are obsolete. Please see 
> https://blog.torproject.org/v2-deprecation-timeline for more details and for 
> instructions on how to transition to version 3.
> 
> tor 0.4.6.1-alpha refuses to start if 
> 
> HiddenServiceVersion 2
> 
> is present in torrc.

F

Let me belatedly share my joy of getting http://version6savanize.onion/, just
as this starts to go away :)

V3 names don't have a mathematical chance of getting legible, so there needs
to be some kind of decentralized DNS for them.

Not planning to run a V3 service once V2 gets shut down.

-- 
With respect,
Roman
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] New release candidate: Tor 0.4.5.4-rc

2021-02-05 Thread Roman Mamedov
On Fri, 5 Feb 2021 08:51:56 -0500
David Goulet  wrote:

> Can you expand here on why you think an operator using a /64 is worse than an
> operator using an IPv4 /24 to run their relays?

In the IPv4 a single person will rarely have an entire /24 to themselves; as
such connections coming from different IPs in a /24 are more often assumed to have
no relation to each other.

...but in IPv6 a single person *most often* will have a /64, or more. Given
the current kinds of deployments maybe not always in datacenters, but always -
on broadband customer connections.

...so anyone and their dog can now be "using a /64" in IPv6, and if any
filtering, rate-limiting or banning solution happens to believe a /64 to be on
the equal grounds with a /24 of IPv4, they can now gain the benefit of doubt
of being considered as separate distinct entities, and reap whatever profit to
be had from that, if any.

> We have large Exit operators on the network that have racks of servers but
> only have a /48 available to them and thus they run a "fleet" of Exits on that
> very close by address range.

A /48 is 65.5 thousand /64s, so they could use a separate /64 for each
relay and that'd still fit more relays than in the entire Tor network.

> As for sybil, we are looking for more than 2 relays per address which is the
> limit that has been for a long time now. That is true on IPv4 and IPv6 as
> well, the checked masks are /32 and /128 respectively.

The argument is that since a /64 in IPv6 is often controlled by a single
person, for the purposes of spam filtering, rate-limiting, or in this case
sybil detection, a /64 by itself should be equaled to "an address" (or "one
user"), i.e. treated the same as 1 IP (/32) in the IPv4 world.

-- 
With respect,
Roman


Re: [tor-talk] New release candidate: Tor 0.4.5.4-rc

2021-01-22 Thread Roman Mamedov
On Fri, 22 Jan 2021 12:02:50 -0500
Nick Mathewson  wrote:

>   o Major bugfixes (authority, IPv6):
> - Do not consider multiple relays in the same IPv6 /64 network to be
>   sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha.

Each /64 should be treated as an equivalent to 1 address in the IPv4 world, so
it seems to me that the original code was correct.

Any home user gets at least one /64 from their ISP [1]. It is not the minimum
routable block on the internet (as per bugreport[2]), the minimum is actually
a /48. But it is the minimum block that is usable on a LAN with SLAAC
auto-configuration, and as such is the minimum block any ISP will provide to a
home broadband subscriber.

Some server hosts do put multiple distinct users within the same /64 -- but
they are wrong in doing that, there should be no pampering to that practice.

I suggest to carefully reconsider if giving a free pass to run any number of
relays from a single /64, which are in most cases controlled entirely by a
single user, and then relying on path selection to limit the damage, is not
weakening the security model too much just to accommodate for a few bad
webhosts.

[1] https://www.ripe.net/publications/docs/ripe-690/

[2] https://gitlab.torproject.org/tpo/core/tor/-/issues/40243

-- 
With respect,
Roman
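The following is an added example, not part of the original posts and not Tor's own code. It illustrates the point argued in this message and in the 2021-02-05 reply above: counting relays per full address (/32 and /128) versus counting IPv6 relays per /64, with the "more than 2 relays" limit quoted in the thread. Function names and the relay list are hypothetical; the addresses are constructed from documentation prefixes.

```python
import ipaddress
from collections import defaultdict

# Two grouping policies from the thread:
#   PER_ADDRESS : masks of /32 (IPv4) and /128 (IPv6), as described by David Goulet
#   PER_SLASH64 : an IPv6 /64 treated like one IPv4 address, as Roman proposes
PER_ADDRESS = {4: 32, 6: 128}
PER_SLASH64 = {4: 32, 6: 64}
LIMIT = 2  # "more than 2 relays per address" is flagged


def group_key(addr, masks):
    """Network that `addr` is counted under for the given policy."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{ip}/{masks[ip.version]}", strict=False)


def over_limit(relays, masks, limit=LIMIT):
    """Return {network: [nicknames]} for every group holding more than `limit` relays."""
    groups = defaultdict(list)
    for nickname, addr in relays:
        groups[group_key(addr, masks)].append(nickname)
    return {str(net): names for net, names in groups.items() if len(names) > limit}


def slash64s_in(prefix):
    """Number of /64 networks inside an IPv6 prefix (for the /48 argument)."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("expected an IPv6 prefix of /64 or shorter")
    return 2 ** (64 - net.prefixlen)


# Constructed sample relays (documentation ranges, not real relays).
RELAYS = [
    ("a1", "2001:db8:1:1::10"),      # four relays inside one /64
    ("a2", "2001:db8:1:1::11"),
    ("a3", "2001:db8:1:1::12"),
    ("a4", "2001:db8:1:1:ffff::1"),
    ("b1", "2001:db8:1:2::10"),      # same /48, one relay per /64
    ("b2", "2001:db8:1:3::10"),
    ("c1", "192.0.2.7"),             # same IPv4 /24, distinct addresses
    ("c2", "192.0.2.8"),
    ("d1", "198.51.100.5"),          # three relays on one IPv4 address
    ("d2", "198.51.100.5"),
    ("d3", "198.51.100.5"),
]

if __name__ == "__main__":
    print("per address:", over_limit(RELAYS, PER_ADDRESS))
    print("per /64    :", over_limit(RELAYS, PER_SLASH64))
    print("/64s in a /48:", slash64s_in("2001:db8:1::/48"))
```

Under the per-address policy only the shared IPv4 address is flagged; under the /64 policy the four relays in `2001:db8:1:1::/64` are flagged as well, while an operator spreading one relay per /64 across a /48 is not.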


Re: [tor-talk] Expired key for deb.torproject.org?

2020-11-27 Thread Roman Mamedov
On Wed, 25 Nov 2020 07:54:39 +0100
Jonathan Marquardt  wrote:

> I am using the Debian Tor repo on quite a few Debian machines and since a few 
> days now, none of these machines are able to use the repo.
> 
> "apt update" gives me: 
> 
> Err:6 tor+http://sdscoq7snqtznauu.onion/torproject.org buster InRelease
>   The following signatures were invalid: EXPKEYSIG 74A941BA219EC810 
> deb.torproject.org archive signing key
> 
> Why does it say that the key has expired?
> 
> $ gpg -k 74A941BA219EC810
> pub   rsa2048/EE8CBC9E886DDD89 2009-09-04 [SC] [expires: 2022-08-05]
>   A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
> uid [  full  ] deb.torproject.org archive signing key
> 
> The key is valid until 2022 and I already made sure that APT is using exactly 
> that key by running "gpg --export 74A941BA219EC810 | sudo apt-key add -".
> 
> Can someone tell me what's going on?

I had the same a few days ago, and solved it with instructions from 
https://2019.www.torproject.org/docs/debian.html.en
Try that, specifically it says to use a different fingerprint for gpg --export
than you do, not sure if it matters.

-- 
With respect,
Roman


Re: [tor-talk] Best alternative to Blutmagie?

2020-02-05 Thread Roman Mamedov
On Tue, 4 Feb 2020 23:17:32 -
mimb...@danwin1210.me wrote:

> Blutmagie seems to be permanently gone, sadly.
> 
> It was great because you could see the speeds of the exit nodes plus their
> country.
> 
> Is there a commonly accepted best replacement?

Hello,

Check out https://torstatus.rueckgr.at/

-- 
With respect,
Roman


Re: [tor-talk] Surge in Users

2019-06-06 Thread Roman Mamedov
On Tue, 04 Jun 2019 19:14:12 +0300
Van Gegel  wrote:

> Maybe after publication on popular Russian resource Habr: 
> https://habr.com/ru/post/448856/
> This is Android app for talking over Tor:
> http://torfone.org/download/Torfone.apk
> http://torfone.org/download/Torfone_Android_howto.pdf
> https://github.com/gegel/torfone
> https://github.com/gegel/torfone/blob/master/white.pdf 
> BR, Van Gegel

Cool development, but it is unlikely to be the reason, the Habr article
currently has 28k views, and Russia's user count now fluctuates by 150k users,
following a strong correlation with workday schedule.
https://metrics.torproject.org/userstats-relay-country.html?start=2019-05-01&end=2019-06-10&country=ru&events=points
Extra 100 to 150 thousand users during Monday to Friday (May 13-17, 20-24,
27-31), then dropping during weekends. A massive botnet on office PCs?

-- 
With respect,
Roman


Re: [tor-talk] Tor Browser disabled NoScript, but can't update

2019-05-04 Thread Roman Mamedov
On Sat, 4 May 2019 02:21:15 -0500
Joe  wrote:

> I've used the latest stable TBB 8.0.8 (Linux) since released with the
> latest NoScript (at that time).
> Today is the 1st day I saw that NoScript was disabled by TBB.
> 
> I see now that it's not a TBB only issue, but also Firefox.
> A comment on Reddit said, "They [Mozilla] let their add-on signing
> certificate expire and it invalidated a shitload of add-ons."

It is very surprising to see that TBB relies on Mozilla like this. Turns out
an unrelated 3rd party can suddenly remotely disable Tor anonymity protections
at their whim, and possibly endanger TBB users (or deliberately help in
deanonymizing them).

-- 
With respect,
Roman


Re: [tor-talk] Onion website on "usual" server

2019-04-13 Thread Roman Mamedov
On Sun, 14 Apr 2019 00:54:42 +0400
meejah  wrote:

> Mirimir  writes:
> 
> > Even so, that's a little fragile. Mistakes happen. And there's the issue
> > of web server error messages from the onion site going to clearnet.
> > That's one of the mistakes that got DPR pwned.
> 
> The best solution to prevent this accident is to have the onion site
> listening on a Unix socket, and set up the Onion service in Tor to
> direct to that.

Still if you run regular and anonymous websites in the same server process, it
is a disaster waiting to happen. At least don't forget to ensure that your
clearnet listener doesn't answer to the .onion "Host: ", and vice versa. But
if this is even remotely critical, then just run a fully separate server
process, and a simple way to do that (granting you more isolation as a bonus)
as mentioned before, is a VM.

-- 
With respect,
Roman


[tor-talk] IPv6 for relay-to-relay or client-to-relay communication?

2019-04-04 Thread Roman Mamedov
Hello,

Does Tor currently use IPv6 connections for relay-to-relay traffic?

I now got some IPv6 relays which access IPv4 via tunneling to a separate
router, so it would *really* benefit my setup if some of the Tor traffic would
move to going over IPv6 directly. However that doesn't seem to be the case at
the moment (or the share is way too low).

For client connections I see there's ClientUseIPv6 which is 0 by default, any
ETA on making it default to 1?

Also ClientPreferIPv6ORPort which bizarrely means "use IPv4" when set to auto.

I remember some time ago there was a drive for people to run more IPv6 relays
or to set up ORPort in their configs if they already do. But what is the point
if the current default settings basically mean IPv6 *won't* be used?

-- 
With respect,
Roman


Re: [tor-talk] Tor Messenger

2019-02-10 Thread Roman Mamedov
On Sun, 10 Feb 2019 17:23:55 +0100 (CET)
Nathaniel Suchy  wrote:

> > So the state of available XMPP Clients today kinda sucks. There's Pidgin
> > available for Linux Systems

Any issue with Gajim?

> The alternative is "chat apps" like Signal by OpenWhisper or Wire by Wire

Might as well suggest Viber and WhatsApp.


-- 
With respect,
Roman


Re: [tor-talk] Detective Conan Japanese Cartoon Advertising Tor For Criminal Activity

2019-01-08 Thread Roman Mamedov
On Tue, 08 Jan 2019 03:37:00 +
bo0od  wrote:

> Detective Conan (named as case closed in America) which is considered to be
> the most famous cartoon in Japan. They produced a Movie in April, 2018
> named as "Zero the Enforcer" they mentioned stuff related to Tor Project
> but in different ways, here is the comparison between the Movie and
> Torproject regarding phrases, icons, values, etc.:

If you want to see a more neutral/positive portrayal, watch Zankyou no Terror
(Terror in Tokyo).

In episode 2 protagonists used Tor to upload a video anonymously. Later on it
is mentioned by the actual name (none of the "Nor" b/s): "When they accessed
the Internet they used an anonymity software called Tor, so it is effectively
impossible to determine their IP address" (at 04:33).

And it's a good show overall.

-- 
With respect,
Roman


Re: [tor-talk] circpathbias.c : Your Guard vs The Guard

2018-12-18 Thread Roman Mamedov
On Tue, 18 Dec 2018 10:18:55 +0200
Lars Noodén  wrote:

> On 12/18/18 10:07 AM, Kevin Burress wrote:
> > How about "A Guard"
> Yes, "A guard" would also reduce the potential for confusion, and it's
> even shorter.  The log error should clearly convey the information of
> whose guard is being noted.
> 
> The phrase "Your guard" very strongly suggests that the user is
> responsible for the guard in question and different but still concise
> wording is needed.

It does not. If you look back to the original string, it also always includes
the guard name right after that. If that name is unfamiliar to you, then how
can you assume that this must be something that you have thought up, created or
are responsible for. Only if you have too much free time and specifically look
for things to be "confused" about.

Moreover, if you know a few basic things about Tor, you would know what a
Guard is and what's their place and role in your connection to the Tor network.
And knowing at least the basic things about Tor is certainly a good idea
before starting to use it.

-- 
With respect,
Roman


Re: [tor-talk] torstatus.blutmagie.de

2018-10-18 Thread Roman Mamedov
On Thu, 18 Oct 2018 10:26:34 +0100
Iain Learmonth  wrote:

> On 16/10/18 13:17, George wrote:
> > While metrics. continues to be a next step, I still find myself wishing
> > for the simple birds-eye view that your Tor Status provides.
> 
> Can you provide some examples of things you can do with torstatus that
> you can't do with Tor Metrics' tools?
> 
> Perhaps they are easy to implement.

First of all, it adds a fun little competitive aspect to running a relay. In
effect it's a leaderboard of all relays ranked by bandwidth -- I like checking
out how high mine can climb, and who are the "closest competitors", with all
their funny, interesting and peculiar nicknames.

It is just the very nature of TorStatus, it is what you get right away when
loading it. Whereas with Metrics, while it does have a faint resemblance of
the same with its "top relays" display at
https://metrics.torproject.org/rs.html#toprelays...

  * Firstly, it's by far not the focus of that website, there it's just an
afterthought buried deep and under a weirdly located button in "Relay
search" of all places. Instead I would expect that to be a major or even
the primary section under "Servers".

  * Secondly, it only lists the top 250 relays -- apparently smaller ones do
not matter -- and defaults to displaying just 10 per page, making it
limited and inconvenient as the "bird's eye" overview. Clearly that's not
the use that authors had in mind.

But the more important aspect is that TorStatus feels to be basically the
place where you are given credit for running a relay. You know kind of like
ending credits in a movie. Yes even if just with a line among thousands of
other lines. But all those lines representing relays and exits are what Tor
is, and look, some of your own are now up there too! You are now a part of it.
This matters a thousand times more than a canned "thanks for running a relay"
on a mailing list.

-- 
With respect,
Roman


Re: [tor-talk] torstatus.blutmagie.de

2018-10-16 Thread Roman Mamedov
On Tue, 16 Oct 2018 10:58:15 +0200
Olaf Selke  wrote:

Hello,

> I'm planning to shut down my Tor network status site within the next 
> weeks. The paid SSL certificate will expire 11/06/18

You don't have a redirect to HTTPS, I never knew you had that in the first
place, always accessing the site via plain HTTP.

> Debian 6  OS is too old to switch to Let’s Encrypt without trouble.

Take a look at the "dehydrated" Let's Encrypt client:
https://github.com/lukas2511/dehydrated
It is just a single bash script.

Or maybe you could just run the site as a Tor Hidden Service?

-- 
With respect,
Roman


Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?

2018-09-22 Thread Roman Mamedov
On Sat, 22 Sep 2018 15:28:19 +0100
Ben Tasker  wrote:

> You need to configure your onion server block to respond on port 443 _and_
> to handle your clearnet host header (and serve a publicly trusted
> certificate matching that name). Alt-Svc tells the browser to use the
> alternate address as a trusted origin for the service it's connecting to,
> so it'll connect to 1234.onion and request www.example.com

Also, do you mean there's no way to have an Alt-Svc with "[...].onion:80",
directing to a plain HTTP connection to the hidden service? (Assuming the
initial request to the clearnet site was on HTTPS.)

There is no point in running HTTPS-over-Tor-hidden-service, as .onion traffic
is already authenticated and encrypted, it only adds useless overhead. If
there's no way around that with the alt-svc scheme, that seems like a huge
oversight.

-- 
With respect,
Roman


Re: [tor-talk] Deploying Alt-Svc on your own website. Hello?

2018-09-22 Thread Roman Mamedov
On Sat, 22 Sep 2018 15:28:19 +0100
Ben Tasker  wrote:

> Which part are you struggling with?
> 
> The following is assuming you've got a site - www.example.com - that's
> accessible at 1234.onion.
> 
> Configure your nginx server block (or apache config) for www.example.com to
> include an Alt-Svc header to advertise the onion:
> 
>  Alt-Svc: h2="1234.onion:443"; ma=3600; persist=1

Well for instance my backend server is HTTP/1.1 only. I do run a nginx
frontend to it for HTTP/2, but due to a number of reasons I want Tor's hidden
service to point at the backend directly.

For whatever reason everyone just assumes all web servers are HTTP/2 now, and
uses "h2" like you do. What to use in case of 1.1? It almost feels like nobody
actually knows and everyone just keeps reposting the same "h2" examples they
saw on the Internet.

And most importantly, how to test that the header I serve is valid and it all
actually works? I suppose there isn't any online test suite like there's
https://www.ssllabs.com/ssltest/ for general HTTPS. If not, for testing do I
load the clearnet site in the Tor browser and then expect what to happen?
(Is there any indication in the UI that alt-svc is being used)

-- 
With respect,
Roman
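The following is an added example, not part of the original posts and not Tor Browser or nginx code: a syntax check for an Alt-Svc header value following the RFC 7838 grammar, run on the header quoted in the message above. It also shows that an ALPN name containing "/", such as http/1.1, must be percent-encoded to form a valid protocol-id. It checks syntax only and says nothing about whether a given browser acts on the entry; function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# RFC 7230 token characters; protocol-id and parameter names are tokens.
TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"
TOKEN = rf"[{TCHAR}]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# alt-value = protocol-id "=" quoted alt-authority *( ";" parameter )
ALT_VALUE = re.compile(
    rf"\s*({TOKEN})=({QUOTED})((?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*)\s*(,|$)"
)
PARAM = re.compile(rf";\s*({TOKEN})=({TOKEN}|{QUOTED})")
DEFAULT_MA = 86400  # RFC 7838: an entry without "ma" is fresh for 24 hours


def encode_protocol_id(alpn: bytes) -> str:
    """Percent-encode an ALPN name so it is a valid protocol-id token."""
    out = []
    for b in alpn:
        ch = chr(b)
        if ch != "%" and re.fullmatch(TOKEN, ch):
            out.append(ch)
        else:
            out.append(f"%{b:02X}")  # uppercase hex, as the RFC requires
    return "".join(out)


def parse_alt_svc(value: str):
    """Parse an Alt-Svc field value; raise ValueError if it is malformed."""
    if value.strip() == "clear":
        return []
    entries, pos = [], 0
    while pos < len(value):
        m = ALT_VALUE.match(value, pos)
        if not m:
            raise ValueError(f"malformed alt-value at offset {pos}: {value[pos:]!r}")
        proto, auth, params, _sep = m.groups()
        host, colon, port = auth[1:-1].rpartition(":")
        if colon != ":" or not port.isdigit():
            raise ValueError(f"alt-authority needs host:port, got {auth}")
        p = {k.lower(): v.strip('"') for k, v in PARAM.findall(params)}
        if "ma" in p and not p["ma"].isdigit():
            raise ValueError(f"ma must be delta-seconds, got {p['ma']!r}")
        entries.append({
            "protocol": unquote_to_bytes(proto).decode("latin-1"),
            "host": host,  # empty host means "same host as the origin"
            "port": int(port),
            "ma": int(p.get("ma", DEFAULT_MA)),
            "persist": p.get("persist") == "1",
        })
        pos = m.end()
    if not entries:
        raise ValueError("Alt-Svc needs at least one alt-value or 'clear'")
    return entries


if __name__ == "__main__":
    # Header value quoted in the thread (1234.onion is the thread's placeholder).
    print(parse_alt_svc('h2="1234.onion:443"; ma=3600; persist=1'))
    # ALPN "http/1.1" as it has to appear in the header:
    print(encode_protocol_id(b"http/1.1"))
    try:
        parse_alt_svc('http/1.1="1234.onion:443"')
    except ValueError as exc:
        print("rejected:", exc)
```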


[tor-talk] Deploying Alt-Svc on your own website. Hello?

2018-09-22 Thread Roman Mamedov
On Sat, 22 Sep 2018 13:45:33 +0100
Alec Muffett  wrote:

> I've spent the morning pulling together a bunch of draft thoughts regards
> the technical pros/cons of differing forms of site onionification;
> thoughts, comments & feedback are warmly welcomed:
> 
> https://medium.com/@alecmuffett/different-ways-to-add-tor-onion-addresses-to-your-website-39106e2506f9
> 
> - alec (ps: apologies if you see 2+ copies of this, I am treating maillists
> separately)

I hoped this would finally describe how to actually deploy Alt-Svc on
a .onion+clearnet website. Right now it feels like, OK, CloudFlare knows how
to do this, and the rest of us don't matter. Not a single HOWTO or guide on
how to actually set it up. Asked on the mailing list before, complete silence.

-- 
With respect,
Roman


Re: [tor-talk] alt-svc supported by TBB

2018-09-18 Thread Roman Mamedov
On Tue, 18 Sep 2018 19:59:00 +
TNT BOM BOM  wrote:

> why the hell would anyone use anything from Cloudflare with Tor???

Because people use Tor to browse the Internet, and half of the Internet is
nowadays CloudFlare. If you're looking to advance a point of view such as [1]
-- which may be valid or not -- your post is not the best way to do it.

[1] https://notabug.org/themusicgod1/cloudflare-tor


-- 
With respect,
Roman


Re: [tor-talk] torjail - run programs in tor network namespace

2018-07-25 Thread Roman Mamedov
On Wed, 25 Jul 2018 01:14:12 -0700
Mirimir  wrote:

> True. But I'd rather use the Whonix approach. It's doable using two VPS.
> That is, if the provider will cooperate. One VPS runs the web server,
> and it has no Internet connectivity or public IP, just a private IP on a
> local network. The other VPS runs the Tor client, and it has two
> interfaces. One with Internet connectivity and a public IP. And the
> other on the same local network as the server VPS.

And all your traffic before even entering Tor goes across the provider's
"local" network, where it can be captured in the clear and analyzed.

-- 
With respect,
Roman


Re: [tor-talk] torjail - run programs in tor network namespace

2018-07-24 Thread Roman Mamedov
On Tue, 24 Jul 2018 10:12:24 +0200
bic  wrote:

> > 2) I enjoy the print output when it's configuring the namespaces, but
> > there's no need for so much yelling :) (s/TOR/Tor/) [1]
> > 
> > > print G " * Resolving via TOR"
> > > print G " * Traffic via TOR..."
> > > print G " * Creating the TOR configuration file..."
> > > print G " * Executing TOR..."
> > 
> 
> We like colors and pedantic verbosity!

Point was that the Tor project is very particular that people should call it
"Tor", and not "TOR".

-- 
With respect,
Roman


Re: [tor-talk] relayor Debian 8 deprecation notice

2018-05-31 Thread Roman Mamedov
On Thu, 31 May 2018 11:29:00 +
nusenu  wrote:

> Due to the upcoming end-of-life date of Debian GNU/Linux 8 ("jessie") 
> on the 17th of June 2018
> 
> I'll drop support for Debian 8 in 
> ansible-relayor with the next release (planned for 2018-06),
> please upgrade to Debian 9 if you want to keep using relayor 
> (and even if you are not using relayor at all ;)

Just a note that Debian 8 will be supported by the LTS team until mid-2020
https://wiki.debian.org/LTS/
It reads as if you can't wait to drop support for it at the very first
opportunity, is it causing too much effort?

Personally it is not an option for me to upgrade on one of the machines,
because I run a project incompatible with PHP 7. But then again I don't use
relayor or ansible, so my comments are here mostly due to your last note :)

-- 
With respect,
Roman


Re: [tor-talk] Who controls Tor's DNS Traffic?

2018-05-10 Thread Roman Mamedov
On Thu, 10 May 2018 21:53:00 +
nusenu  wrote:

> I had a look at the Tor DNS landscape:
> 
> An Analysis of the Tor DNS Landscape
> https://medium.com/@nusenu/who-controls-tors-dns-traffic-a74a7632e8ca

"Level 3" on the charts is most likely the notorious 4.2.2.2...4.2.2.6.
Those absolutely should not be used, aside from all the other reasons outlined
in the article, they also hijack NXDOMAIN results for monetization of the user.

https://www.reddit.com/r/networking/comments/3sm36w/level3_42214222_dns_servers_redirecting_to_search/
https://news.ycombinator.com/item?id=7119765

---
$ host do-not-use-4-2-2-x-they.are-crap 4.2.2.2
Using domain server:
Name: 4.2.2.2
Address: 4.2.2.2#53
Aliases: 

do-not-use-4-2-2-x-they.are-crap has address 198.105.254.11
do-not-use-4-2-2-x-they.are-crap has address 198.105.244.11
Host do-not-use-4-2-2-x-they.are-crap not found: 3(NXDOMAIN)
---

CIDR:           198.105.240.0/20
NetName:        SEARCHGUIDE
OrgName:        Search Guide Inc

-- 
With respect,
Roman
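The following is an added example, not part of the original post: a check an operator can run against the resolver their relay uses, to see whether it rewrites NXDOMAIN into A records as in the `host` output above. It queries a random name under the reserved `.invalid` TLD and classifies the reply. Function names are hypothetical, and the two responses used for the offline demonstration are constructed, reusing the addresses shown in the post.

```python
import ipaddress
import secrets
import socket
import struct

NOERROR, NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def probe_name():
    """Random name under .invalid, which is reserved and must not resolve."""
    return f"{secrets.token_hex(8)}.invalid"


def build_query(name, txid):
    """Minimal DNS query for an A record with the RD flag set."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + \
        struct.pack("!HH", TYPE_A, CLASS_IN)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer, two bytes
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length


def parse_response(msg):
    """Return (txid, rcode, [IPv4 addresses from the answer section])."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return txid, flags & 0x000F, addrs


def classify(query, response):
    """'honest', 'hijacked', 'inconclusive', 'mismatch' or 'malformed'."""
    try:
        txid, rcode, addrs = parse_response(response)
    except (IndexError, struct.error):
        return "malformed", []
    if txid != struct.unpack("!H", query[:2])[0]:
        return "mismatch", addrs
    if rcode == NXDOMAIN and not addrs:
        return "honest", addrs
    if rcode == NOERROR and addrs:
        return "hijacked", addrs      # a nonexistent name came back with addresses
    return "inconclusive", addrs


def ask(resolver_ip, query, timeout=3.0):
    """Send the query over UDP to the resolver under test (live use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        return s.recvfrom(4096)[0]


def make_response(query, rcode, addrs=()):
    """Build a constructed response for offline testing of classify()."""
    msg = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += query[12:]
    for a in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
        msg += ipaddress.IPv4Address(a).packed
    return msg


if __name__ == "__main__":
    q = build_query(probe_name(), secrets.randbelow(65536))
    print(classify(q, make_response(q, NXDOMAIN)))
    print(classify(q, make_response(q, NOERROR, ["198.105.254.11", "198.105.244.11"])))
```

For a live check, pass the resolver's address to `ask()` and feed the reply to `classify()`; repeat with several fresh `probe_name()` values before drawing a conclusion.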


Re: [tor-talk] Tor bridges in China

2017-10-16 Thread Roman Mamedov
On Tue, 17 Oct 2017 01:37:55 +0500
Roman Mamedov  wrote:

> On Mon, 16 Oct 2017 16:25:43 -0400
> InterN0T  wrote:
> 
> > If you can use Tor bridges in China
> 
> You can't:
> https://metrics.torproject.org/userstats-relay-country.html?start=2017-07-18&end=2017-10-16&country=cn&events=off

Oops, wrong URL. Still, only about 1500 bridge users:
https://metrics.torproject.org/userstats-bridge-country.html?start=2017-07-18&end=2017-10-16&country=cn

-- 
With respect,
Roman


[tor-talk] Tor bridges in China

2017-10-16 Thread Roman Mamedov
On Mon, 16 Oct 2017 16:25:43 -0400
InterN0T  wrote:

> If you can use Tor bridges in China

You can't:
https://metrics.torproject.org/userstats-relay-country.html?start=2017-07-18&end=2017-10-16&country=cn&events=off

Only about 1000 users in a 1.4bn country, bridges don't work there, or at
least don't work well enough to be a viable option for anyone.

-- 
With respect,
Roman


Re: [tor-talk] Unusual Tor's spikes in Egypt and Turkey on 28th August

2017-09-20 Thread Roman Mamedov
On Wed, 20 Sep 2017 11:24:57 +0200
Fabio Pietrosanti - Lists  wrote:

> Hello,
> 
> a close friend (faffa) noticed that on 28th August 2017 there was an
> unusual spike of Tor traffic in Egypt and Turkey:
> 
> https://metrics.torproject.org/userstats-relay-country.html?start=2017-06-22&end=2017-09-20&country=tr&events=off
> 
> https://metrics.torproject.org/userstats-relay-country.html?start=2017-06-22&end=2017-09-20&country=eg&events=off
> 
> 
> Has anyone already analyzed those spikes and understood what happened?

Egypt on Aug 28:

https://afteegypt.org/right_to_know-2/publicationsright_to_know-right_to_know-2/2017/06/04/13069-afteegypt.html?lang=en
"Update 2.0.0 (29 August 2017)
On the 28th of August, 261 websites providing VPN and Proxy services where 
found blocked.
A new section was added to the report containing a schedule that lists 
monitored websites that provides VPN and Proxy services."

https://www.reddit.com/r/Egypt/comments/6wkbcw/did_they_seriously_just_block_vpns/

But it seems puzzling the spike was just for 1 day and then back to
just exactly the previous level.

-- 
With respect,
Roman


[tor-talk] Tor bridges over ICMP or DNS

2017-09-07 Thread Roman Mamedov
Hello,

Has anyone considered making a Tor bridge protocol with ICMP as transport?
https://github.com/DhavalKapil/icmptunnel
http://www.mit.edu/afs.new/sipb/user/golem/tmp/ptunnel-0.61.orig/web/
http://thomer.com/icmptx/
http://code.gerade.org/hans/

Or tunneling over DNS?
http://code.kryo.se/iodine/
http://thomer.com/howtos/nstx.html
http://analogbit.com/2008/07/27/tcp-over-dns-tunnel-software-howto/

The current OBFS3/OBFS4 seem to have proven ineffective (as there is nearly
zero Tor bridge use in China), so perhaps there needs to be something more
stealthy.

-- 
With respect,
Roman


Re: [tor-talk] Is there any societal use in Bitcoin?

2017-09-04 Thread Roman Mamedov
On Mon, 4 Sep 2017 17:04:10 +0200
Jon Tullett  wrote:

> As it happens, I just recently transferred funds internationally. It
> took 36 hours to clear, at a guaranteed rate. My local bank charged
> about $8 in fees

But that's still within Europe or the like? Internationally on a wider scale
SWIFT transfers tend to cost quite a bit more, around $50 to be expected, and
there's basically a $25 minimum charge due to the way that system is set up.

See the rightmost column:
https://www.nerdwallet.com/blog/banking/wire-transfers-what-banks-charge/

Also there are horror stories like this:
https://bitcointalk.org/index.php?topic=186594.0

> By contrast BTC, in the same timeframe, dropped more than 10%. If I'd
> been using it to transfer the same funds, I'd have been massively out
> of pocket.

BTC wouldn't require "same timeframe" of 36 hours to transfer, it can be done
within less than an hour. And with the recent developments in the BTC world,
both transaction speed and cost per transaction will continue to improve.

-- 
With respect,
Roman


[tor-talk] Tor Logspam

2017-08-27 Thread Roman Mamedov
Aug 28 06:19:48.000 [warn] Permissions on directory /var/run/tor are too
permissive.
Aug 28 06:19:48.000 [warn] Before Tor can create a control socket in
"/var/run/tor/control2", the directory "/var/run/tor" needs to exist, and to
be accessible only by the user and group account that is running Tor.  (On
some Unix systems, anybody who can list a socket can connect to it, so Tor is
being careful.)
Aug 28 06:20:48.000 [warn] Permissions on directory /var/run/tor are too
permissive.
Aug 28 06:20:48.000 [warn] Before Tor can create a control socket in
"/var/run/tor/control2", the directory "/var/run/tor" needs to exist, and to
be accessible only by the user and group account that is running 
Tor.  (On some Unix systems, anybody who can list a socket can connect to it,
so Tor is being careful.)
Aug 28 06:21:48.000 [warn] Permissions on directory /var/run/tor are too
permissive.
Aug 28 06:21:48.000 [warn] Before Tor can create a control socket in
"/var/run/tor/control2", the directory "/var/run/tor" needs to exist, and to
be accessible only by the user and group account that is running Tor.  (On
some Unix systems, anybody who can list a socket can connect to it, so Tor is
being careful.)

You really, really do not need to log this once a minute. Not for 615 thousand
log lines and 123 MB worth of logs.

# grep -e "Permissions on directory" -e "Before Tor can create" /var/log/tor/log2 | wc -l
615101
# grep -e "Permissions on directory" -e "Before Tor can create" /var/log/tor/log2 | wc -c
123020038

-- 
With respect,
Roman


Re: [tor-talk] Tor Autonomous System stats

2017-08-24 Thread Roman Mamedov
On Thu, 24 Aug 2017 13:55:11 +0200
Olaf Selke  wrote:

> Hello folks,
> 
> blutmagie now offers views on Tor router count and traffic for each AS. 
> It's just a different php/SQL view on the same db like the main page. 
> Maybe you find it somewhat useful.
> 
> 1.) List of AS by all Router Count, sorted by router count 
> https://torstatus.blutmagie.de/as-by-routers.php?exit=0&sortbybw=0
> 
> 2.) List of AS by Exit Router Count, sorted by router count 
> https://torstatus.blutmagie.de/as-by-routers.php?exit=1&sortbybw=0
> 
> 3.)  List of AS by all Router Count, sorted by bandwidth
> https://torstatus.blutmagie.de/as-by-routers.php?exit=0&sortbybw=1
> 
> 4.)  List of AS by Exit Router Count, sorted by bandwidth
> https://torstatus.blutmagie.de/as-by-routers.php?exit=1&sortbybw=1

Nice, one suggestion that comes to mind right away, is to have an option
to merge some obvious AS groups, such as DIGITALOCEAN-* and LEASEWEB-* (or
merge them by default).

Also there seem to be some quirks in the parser, such as "CONTABO to AS1299
announce AS34933", "HOSTING90 = UPSTREAM connectivity =" and
"KLIMENKO-AA-AS ---Upstreams---".

-- 
With respect,
Roman


[tor-talk] Force OpenSSL AES-NI usage on a VPS without the AES CPU flag passthrough

2017-08-21 Thread Roman Mamedov
Hello,

Today I found that it is possible to force OpenSSL to enable the use of CPU AES
acceleration even if it doesn't detect the "aes" CPU flag.

Many VPS hosts configure their hypervisors in a way that does not have the
flag passed through into VPSes, even though all their host nodes surely have
CPUs with support for AES-NI. In my experience hosts have not been forthcoming
in reconfiguring their systems to include that flag passthrough.

But it turns out we can force OpenSSL to believe AES is supported, even
if the CPU does not report it. This can be done with the "OPENSSL_ia32cap"
environment variable. Searching around, all I found was scenarios to use it for
disabling AES-NI (for testing), e.g.: 

  https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/

I believe the syntax used there applies "xor" over the real flag values, e.g.
OPENSSL_ia32cap="~0x202" to disable AES. But what if you need to
force-enable it? Turns out the syntax working for that is simply:

  OPENSSL_ia32cap="+0x202"

Let's take one VPS box with the aforementioned problem. 

# cat /proc/cpuinfo 
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model   : 13
model name  : QEMU Virtual CPU version 1.5.3
stepping: 3
microcode   : 0x1
cpu MHz : 1695.729
cache size  : 4096 KB
physical id : 0
siblings: 1
core id : 0
cpu cores   : 1
apicid  : 0
initial apicid  : 0
fpu : yes
fpu_exception   : yes
cpuid level : 4
wp  : yes
flags   : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm rep_good nopl eagerfpu pni cx16 hypervisor lahf_lm
bugs:
bogomips: 3391.45
clflush size: 64
cache_alignment : 64
address sizes   : 46 bits physical, 48 bits virtual
power management:

As you can see "aes" is not present.

Testing OpenSSL speed in the default configuration.

# openssl speed -elapsed -evp aes-128-gcm
...
type              16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm      32332.17k    40365.80k    42265.77k    42376.19k    43196.42k    43401.22k

And now we force AES hardware acceleration usage:

# OPENSSL_ia32cap="+0x202" openssl speed -elapsed -evp aes-128-gcm
...
type              16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm      59047.07k   104467.39k   141712.21k   151093.93k   158321.32k   156827.65k

Almost 4 times faster! For Tor this leads to higher bandwidth utilization and
lower CPU usage (which will actually make your VPS host happier :)

But how to apply that to Tor? Well, for some initial testing I just chose to
add the following line to /etc/init.d/tor (not using systemd here), right
after "#! /bin/bash":

  export OPENSSL_ia32cap="+0x202"

(but this will get overwritten and removed by the next Tor version upgrade).

Seems to work just fine, my CPU usage is half of what it was before, at similar
bandwidth levels. So now it has headroom to ramp up further.

A word of caution, firstly always test as shown above to verify that it works.

I believe if the underlying CPU actually doesn't support AES, all programs
trying to use it, including "openssl speed", will crash outright, with an
incorrect instruction error, or somesuch.

So there is no risk to jeopardize encryption strength or security of Tor.

Also even if it works now, it may stop working down the line if the host
migrates your VPS to a node with older CPU, one which doesn't support AES. But
migrations of customers between do not happen very often, and in fact all CPUs
used today in a hosting environment should support AES, as that's been
implemented in server (and even desktop) CPUs a very very long time ago.

-- 
With respect,
Roman
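A pre-flight check along the lines of the caution in the message above, as an added example that is not part of the original post: it confirms the "aes" flag really is hidden, runs the same `openssl speed` benchmark with and without the override, treats a crash of the forced run (status 132 is an illegal instruction) as a failure, and reports the speedup per block size. The function names are made up for this example, and the capability mask is taken as an argument rather than hard-coded.

```bash
#!/bin/sh
# Added example (not from the original post): checks to run before exporting
# OPENSSL_ia32cap for a long-running daemon. Function names are hypothetical.

# has_cpu_flag FLAG [FILE]: succeed if FLAG is listed on the first "flags"
# line of FILE (default /proc/cpuinfo, x86 Linux layout).
has_cpu_flag() {
    awk -v want="$1" '
        /^flags[ \t]*:/ {
            sub(/^[^:]*:/, "")
            for (i = 1; i <= NF; i++) if ($i == want) found = 1
            exit
        }
        END { exit (found ? 0 : 1) }' "${2:-/proc/cpuinfo}"
}

# speed_row ALGO: read "openssl speed" output on stdin and print the ALGO
# row's throughput columns (1000s of bytes per second) without the "k".
speed_row() {
    awk -v algo="$1" 'tolower($1) == tolower(algo) {
        for (i = 2; i <= NF; i++) {
            v = $i; sub(/k$/, "", v)
            printf "%s%s", (i > 2 ? " " : ""), v
        }
        printf "\n"; exit
    }'
}

# speedup BASE FORCED: per-column ratio FORCED/BASE with two decimals;
# fails on empty, mismatched or non-positive input.
speedup() {
    awk -v b="$1" -v f="$2" 'BEGIN {
        n = split(b, base, " "); m = split(f, forced, " ")
        if (n == 0 || n != m) exit 1
        for (i = 1; i <= n; i++) if (base[i] + 0 <= 0) exit 1
        for (i = 1; i <= n; i++)
            printf "%s%.2f", (i > 1 ? " " : ""), forced[i] / base[i]
        printf "\n"
    }'
}

# run_speed OUTFILE [MASK]: run the benchmark from the post, optionally with
# OPENSSL_ia32cap=MASK; returns the exit status of openssl itself.
run_speed() {
    if [ -n "${2:-}" ]; then
        OPENSSL_ia32cap="$2" openssl speed -elapsed -evp aes-128-gcm >"$1" 2>/dev/null
    else
        openssl speed -elapsed -evp aes-128-gcm >"$1" 2>/dev/null
    fi
}

# preflight MASK: report whether forcing MASK is needed, survivable and useful.
preflight() {
    if has_cpu_flag aes; then
        echo "aes flag is visible to the guest; no override needed"
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    if ! run_speed "$tmp/base"; then
        echo "baseline benchmark failed"; rm -rf "$tmp"; return 1
    fi
    if run_speed "$tmp/forced" "$1"; then status=0; else status=$?; fi
    if [ "$status" -ne 0 ]; then
        # 132 = 128 + SIGILL: the host CPU rejected the forced instructions.
        echo "forced run failed with status $status; do not export the variable"
        rm -rf "$tmp"; return 1
    fi
    if ratios=$(speedup "$(speed_row aes-128-gcm <"$tmp/base")" \
                        "$(speed_row aes-128-gcm <"$tmp/forced")"); then
        echo "speedup per block size: $ratios"; rc=0
    else
        echo "could not parse the benchmark output"; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh preflight.sh run '<mask>'
if [ "${1:-}" = "run" ]; then
    preflight "${2:?usage: $0 run MASK}"
fi
```

Running it again after a host migration covers the case the message mentions, where the override stops working on a node with an older CPU.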


Re: [tor-talk] Tor 0.3.1.5-alpha is released!

2017-08-09 Thread Roman Mamedov
On Sun, 6 Aug 2017 02:19:05 +0500
Roman Mamedov  wrote:

> > There's a new alpha Tor release available!  The source is available
> > from the "download" page on the website on the website, and packages
> > should be available before long.
> 
> So I am using:
> > deb http://deb.torproject.org/torproject.org tor-experimental-0.3.1.x-jessie main
> and still do not see the update.

And now my relays get slapped with an "Outdated Tor version" badge for running
Tor 0.3.1.4-alpha. Yet there is no newer package available from the repository.

-- 
With respect,
Roman


Re: [tor-talk] Tor 0.3.1.5-alpha is released!

2017-08-05 Thread Roman Mamedov
On Tue, 1 Aug 2017 16:30:35 -0400
Nick Mathewson  wrote:

> Hi, all!
> 
> There's a new alpha Tor release available!  The source is available
> from the "download" page on the website on the website, and packages
> should be available before long.

So I am using:
> deb http://deb.torproject.org/torproject.org tor-experimental-0.3.1.x-jessie main
and still do not see the update.

There are "tor_0.3.1.5-alpha-dev-*" packages in 
http://deb.torproject.org/torproject.org/pool/main/t/tor/
but there is no sources.list line on 
https://www.torproject.org/docs/debian.html.en
that would allow getting those.

-- 
With respect,
Roman


Re: [tor-talk] Using Raspberry Pi as Tor relay is bad idea??

2017-08-01 Thread Roman Mamedov
On Wed, 2 Aug 2017 01:57:49 +0900
Tom Tom  wrote:

>  I recently heard that Raspberry Pi could be used as various server, so I'd
> like to buy and use Raspberry Pi as tor relay.

Make sure you get the Raspberry Pi version 3. It is much more powerful than
previous ones, especially than the first.

> 1. Comparing normal pc and RPi as Tor relay, there are no performance
> differ?

Yes it is slower than a normal PC, but it could be enough for a relay,
depending on the speed of your internet connection. How fast is it? Roughly,
with a Pi you should be fine at least up to 20 Mbit or more (do you have 20
Mbit upload with your ISP?)

> 2. Using RPi as Tor relay could (positively or negatively) effect the whole
> network?

It will not negatively affect the network in any case.

> 3. Using RPi as Tor relay is bad idea?

It can be an OK idea, many people run those and have no issues.

-- 
With respect,
Roman


Re: [tor-talk] Fwd: Android Crypto Chat Apps - over Tor?

2017-07-12 Thread Roman Mamedov
On Thu, 13 Jul 2017 07:06:03 +0200
"Tom A."  wrote:

> Hi Grump,
> thanks for the classification. who is able to evaluate this? rather than
> posting vagueness?
> at which apps can you add/apply customized e2e encryption?
> https://smokeappope.sourceforge.io/#MobileScoreCard


I'm not aware what's the context of this thread, but speaking of the table
presented -- why does it claim "No" for "Client Open Source" for Telegram?

  https://f-droid.org/packages/org.telegram.messenger/

How can anyone trust this table in anything, when they get most basic facts
such as this wrong?

-- 
With respect,
Roman


[tor-talk] atlas.torproject.org problems

2017-05-21 Thread Roman Mamedov
Hello,

Does https://atlas.torproject.org/ work very poorly for anyone else?
Half of the time it fails to find any information about the requested relay (by
fingerprint), after some reloads it works. Searches also often fail with "Atlas
is unable to get a response from its backend server."

Also, there was another instance (mirror) of this service, anyone remembers the
URL?

-- 
With respect,
Roman


[tor-talk] Russian social networks, search engines, E-Mail services blocked in Ukraine

2017-05-19 Thread Roman Mamedov
Hello,

https://www.rt.com/business/388502-ukraine-bans-vk-yandex/

Correspondingly we see a hockey stick graph for Tor users in Ukraine:
https://metrics.torproject.org/userstats-relay-country.html?start=2017-02-18&end=2017-05-19&country=ua&events=on
https://metrics.torproject.org/userstats-bridge-country.html?start=2017-02-18&end=2017-05-19&country=ua
almost +10 Tor users overnight.

-- 
With respect,
Roman


Re: [tor-talk] Not comfortable with the new single-hop system merged into Tor

2016-12-22 Thread Roman Mamedov
On Thu, 22 Dec 2016 06:25:18 -0700
Mirimir  wrote:

> On 12/22/2016 06:00 AM, laurelai bailey wrote:
> > Then i completely misread the previous threads. That happens sometimes o_o
> 
> Well, you didn't _completely_ misread the thread.
> 
> By default, users will be installing a version of Tor which can be
> configured to run single-hop onion services. Alternatively, there could
> be separate versions. Perhaps someone could explain why that option was
> rejected.

They are also installing a version that can be configured into an Exit node,
which is not a good idea for a regular user to be running from home either.
Would you argue for a separate "Exit node" Tor version?
Good that you don't design any software (hopefully).

-- 
With respect,
Roman


Re: [tor-talk] Not comfortable with the new single-hop system merged into Tor

2016-12-21 Thread Roman Mamedov
On Tue, 20 Dec 2016 23:38:43 -0500
hi...@safe-mail.net wrote:

> I just think that this new single-hop system should have been reserved for a 
> different Tor source/installation, dedicated only to non-anonymous hidden 
> services, not merge it with the regular Tor software. And this for security.
> 
> I once witnessed a software (non-Tor related) that had a special function 
> which was disabled by default, but was accidentally enabled due to a bug 
> that occurred during special circumstances, causing big trouble for some. In 
> this case it caused a big money loss for some, but with the Tor software we 
> are talking about the lives and wellbeing of humans.
> 
> How do I know that my hidden service is really running anonymously, and not
> with just 1-hop, besides just trusting the config defaults?

Did you read the blog post about this feature?
https://blog.torproject.org/blog/whats-new-tor-0298

It specifically says:

> Because this removes the anonymity aspect of the service, we took extra
> precautions so that it's very difficult to enable a single onion by mistake.
> In your torrc file, here is how you do it:

>  HiddenServiceNonAnonymousMode 1
>  HiddenServiceSingleHopMode 1

So it requires explicitly enabling not one, but two separate settings in a
lock-step. How does that not solve any "mistake" concern? Or if you want to be
400% safe from enabling this, then conversely, you can add to your config:

>  HiddenServiceNonAnonymousMode 0
>  HiddenServiceSingleHopMode 0

-- 
With respect,
Roman
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-19 Thread Roman Mamedov
On Mon, 19 Dec 2016 18:20:41 -
"podmo"  wrote:

> I could ...turn AMT off entirely.

Unfortunately that's only what it wants you to believe. With the capabilities
it has, and with its code being entirely closed source and unaudited, for a
truly secure system you can't rely on this "Okay I'm now turned off!"
make-believe.

Can't rely on "not using the on-board NIC" as suggested above either; it's
still a separate computer in your CPU, running proprietary code, and having
full read/write access to your RAM. It can mess with your apps, OS and
security in all sorts of interesting ways, and you can NOT be absolutely
certain that it doesn't.

-- 
With respect,
Roman


Re: [tor-talk] Intel ME / AMT + NSL vs Tor Nodes

2016-12-17 Thread Roman Mamedov
On Sat, 17 Dec 2016 21:48:51 -
"podmo"  wrote:

> It cannot be used to access all your data remotely. That
> only works if you have all AMT features enabled, and you have a special
> device called a BMC card plugged into your computer and connected to the
> network.

The whole point of Intel AMT is that you CAN manage your computer remotely
without it having a separate BMC plugged in (e.g. see [1]). AMT itself is in
effect an integrated BMC by its own. After that the entire "well-written,
rational response" falls apart, the author clearly has not even a single clue
of what he's trying to talk about.

[1]
http://support.radmin.com/index.php?/Knowledgebase/Article/View/9/9/How-to-set-up-Intel-AMT-features

-- 
With respect,
Roman


Re: [tor-talk] Tor and iptables.

2016-12-11 Thread Roman Mamedov
On Mon, 12 Dec 2016 00:12:54 -0700
Mirimir  wrote:

> > Also: "-A OUTPUT -i lo -j ACCEPT" is neither a valid rule, nor is it 
> > necessary, since loopback traffic is already allowed at input and stateful 
> > inspection is enabled both ways.
> 
> Not valid? It works for me. And by default, I drop all input, output and
> forward.

$ sudo iptables -A OUTPUT -i lo -j ACCEPT
iptables v1.4.21: Can't use -i with OUTPUT

Try `iptables -h' or 'iptables --help' for more information.



Maybe you meant -o lo, but when people tell you it's not valid, they probably
do have a reason for telling you that.

-- 
With respect,
Roman


Re: [tor-talk] Multiple CPU cores?

2016-06-27 Thread Roman Mamedov
On Mon, 27 Jun 2016 22:38:21 +0200
Aeris  wrote:

> > Except you can only run two per IPv4 address, and more IPv4 addresses bear
> > additional cost (and some management overhead).
> 
> Why can you only run 2 instances per IP ?
> AFAIK, you can run any instances you want, just change OR/Dir port, no ?

You can, but more than two per IPv4 (the third one and so on) will be ignored
by the Tor network. It's a kind of anti-abuse (anti-Sybil attack) feature.

-- 
With respect,
Roman




Re: [tor-talk] Multiple CPU cores?

2016-06-27 Thread Roman Mamedov
On Mon, 27 Jun 2016 18:42:02 +0200
Aeris  wrote:

> > So does this mean it is useless to run an exit on my 8 core system?
> 
> Just run enough Tor instances to fill your cores or bandwidth :)
> 
Except you can only run two per IPv4 address, and more IPv4 addresses bear
additional cost (and some management overhead).

-- 
With respect,
Roman




Re: [tor-talk] 2 hop mode for people that only want to use Tor for censorship circumvention to conserve bandwidth and decrease latency?

2016-06-12 Thread Roman Mamedov
On Mon, 13 Jun 2016 01:17:08 +0500
Roman Mamedov  wrote:

> > entry node---> exit node ---> website
> 
> You don't even need 2 hops in this case. Why not propose 1-hop?

Oh actually, just remembered reading about that somewhere -- and turns out it
was in Tor's own man page:

   AllowSingleHopCircuits 0|1
   When this option is set, the attached Tor controller can use relays
   that have the AllowSingleHopExits option turned on to build one-hop
   Tor connections. (Default: 0)

   AllowSingleHopExits 0|1
   This option controls whether clients can use this server as a
   single hop proxy. If set to 1, clients can use this server as an
   exit even if it is the only hop in the circuit. Note that most
   clients will refuse to use servers that set this option, since most
   clients have ExcludeSingleHopRelays set. (Default: 0)

   ExcludeSingleHopRelays 0|1
   This option controls whether circuits built by Tor will include
   relays with the AllowSingleHopExits flag set to true. If
   ExcludeSingleHopRelays is set to 0, these relays will be included.
   Note that these relays might be at higher risk of being seized or
   observed, so they are not normally included. Also note that
   relatively few clients turn off this option, so using these relays
   might make your client stand out. (Default: 1)

So it seems like you can already experiment with that. Dunno how many exit
nodes actually enable the single hop mode though.

-- 
With respect,
Roman




Re: [tor-talk] 2 hop mode for people that only want to use Tor for censorship circumvention to conserve bandwidth and decrease latency?

2016-06-12 Thread Roman Mamedov
On Sun, 12 Jun 2016 21:56:34 +0200
gdfg dfgf  wrote:

> I have read the proposal for non hidden .onion services for sites that don't 
> need anonymity but want to use Tor's end to end encryption and 
> authentication, for  example Facebook. 
> 
> Could the same be done for people that are more interested in censorship 
> circumvention than in anonymity to decrease latency and conserve bandwidth  
> so  instead of building 3 hop circuits they could build 2 hop circuits? 
>  
> entry node---> exit node ---> website

You don't even need 2 hops in this case. Why not propose 1-hop?
But I don't think any hop reduction like this has chances to be implemented,
due to such scenario not being within the scope of Tor, or something along
those lines.

>  bridge- --> exit node ---> website

(Here 2-hop makes sense, as exit node can't be also a bridge)

-- 
With respect,
Roman




Re: [tor-talk] Are squid proxies acceptable on exit nodes?

2016-05-09 Thread Roman Mamedov
On Mon, 9 May 2016 16:28:33 +0200
Andreas Krey  wrote:

> To me it looks like the tor exit is using a squid
> proxy - is that an acceptable thing to do as a
> relay operator?

Squid itself is just a tool, sure it can cache, it can log all requests, but is
it configured to do so? Not necessarily so.

On the other hand it has very advanced filtering capabilities and ACLs by
hostname/URL/destination IP/etc (including regexp support), and maybe that's
why it's being used -- to block some of the simplest cases of malicious
behavior?

You could ask whether or not applying any filtering strips the exit node
operator from their "common carrier" status (if there was any in the first
place), but that's another question, and one that should be more troubling for
the exit node operator, not for its users.

As it stands, I'd say the mere presence of Squid does not equate "evil", it
all depends on how it's set up and what it's being used for.

-- 
With respect,
Roman




Re: [tor-talk] "Circumvent" Cloudflare Captcha alike Sites with Translation

2016-04-02 Thread Roman Mamedov
On Sat, 2 Apr 2016 23:02:09 +0200 (CEST)
tor_t...@arcor.de wrote:

> Hi Tor Talkers,
> 
> i wonder if e. g. google translator may help to read the info behind captcha 
> walls:
> just let a script translate the url-content
> e. g. google translation
> https://translate.google.com/
> 
> from detect language
> http://www.estadao.com.br/
> to portuguese/spanish/etc.
> 
> unfortunately this translation script will not translate the same languages 
> (portuguese => portuguese)
> but you can open two TABs and reverse translate it by c'n'paste into the same 
> language
> i just tested that thing on this concrete url

A simpler workaround of similar kind would be to use the Ixquick Proxy: do a
search at https://ixquick.com/, then click "Proxy" in search results. Just
tested with searching for "Cloudflare" then opening their website via the
proxy.

Sadly you can't enter an URL directly, it has to start with a search.

-- 
With respect,
Roman




Re: [tor-talk] FPGA Tor Relay

2016-02-25 Thread Roman Mamedov
On Thu, 25 Feb 2016 12:21:42 -0800
Ryan Carboni  wrote:

> http://netfpga.org/site/#/systems/1netfpga-sume/details/
> 
> This is apparently available for an academic price of around two
> thousand dollars.

And then you have a programming job on your hands to adapt Tor into the FPGA,
that could cost one or two magnitudes more than that...

> Such cards will probably have to be used in the near future, at least
> to reduce bandwidth costs per gigabit/s speed.

Maybe I'm missing something, how anything you do inside your server (run Tor
on CPU, GPU, FPGA or magic fairies) will reduce your *bandwidth* costs?

> I imagine infrequent operations and operations likely to be changed
> between Tor versions could be offloaded to the CPU.

- Tor is already sped up immensely if you use a CPU which has the hardware AES
  acceleration, i.e. almost any modern x86 CPU. (Not sure if there are any
  other operations you could offload to FPGA, or if FPGA could be faster than
  an AES-NI CPU at AES.)

- ...then you could optimize Tor to use more than ~1.3-1.5 of a CPU core at
  most as it does currently to scale further, as many modern CPUs easily have
  6-8 cores. (This is likely easier than rewriting it to use FPGA). As a
  stop-gap measure, people with such CPUs currently have to run two instances
  of Tor per each IPv4 address their server has.

In the end, if you could just fully load 8 cores of a humble $170 AES-NI CPU, I
believe this should be already enough to process a full gigabit of traffic, or
even more. And you don't really need much more, since it is rare that you can
reasonably get more than a gigabit of unmetered bandwidth per single server.

-- 
With respect,
Roman




Re: [tor-talk] 4 relays advertising >1000 MByte/s each

2016-02-01 Thread Roman Mamedov
On Mon, 1 Feb 2016 15:47:30 -0800
Green Dream  wrote:

> I still don't understand how such relays can gain a high consensus weight
> so quickly (in 1 or 2 days) without help from the bandwidth authorities.

Don't worry, just another sting operation to capture someone's traffic (by
directing them to relays which have behind the scenes unfairly inflated CW).
This will be explained away in a few days as "whooops, another "researcher"
messed up, nothing to see here guys".

Seriously, if this is not what we should assume, then what? Remember, some
people possibly put their lives on line by trusting the Tor project, and with
this kind of trust involved, how in your right mind you think Tor should be
given a free pass with mysterious "anomalies" like these from time to time?

-- 
With respect,
Roman




Re: [tor-talk] Sites blocking Tor

2016-01-20 Thread Roman Mamedov
On Wed, 20 Jan 2016 20:57:57 +0200
Lars Noodén  wrote:

> I checked the FAQ and it is unclear about precisely what to do about
> sites that gratuitously block Tor.  Just recently I noticed that
> www.justice.gov blocks Tor.  For example the URL
> 
>  http://www.justice.gov/atr/cases/exhibits/1332.pdf
> 
> and the search function at the site's start.
> 
>  http://www.justice.gov/
> 
> Should these be noted somewhere or a ticket filed?

--
  www.justice.gov is an alias for www.justice.gov.edgesuite.net.
  www.justice.gov.edgesuite.net is an alias for a1170.dscb.akamai.net.
--

This is again Akamai. "Sites blocking Tor" repeatedly comes up on this list,
and in most cases it turns out they use the Akamai CDN.
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor#Akamai

They have some kind of Tor position on their blog:
https://blogs.akamai.com/2015/08/q2-soti-security-preview-tor-pros-and-cons.html
but the full text of it is pay(?)/registration-walled.

-- 
With respect,
Roman




Re: [tor-talk] A little more hostility towards Tor from Twitter

2015-10-31 Thread Roman Mamedov
On Sat, 31 Oct 2015 10:10:49 +
demos  wrote:

> by the way a current alternative to twitter is twister:
> http://twister.net.co/

Speaking of Twitter alternatives, I find GNU social can be made into a really
nice one. Example: https://quitter.se/

It's not full serverless/p2p/bitcoin/blockchain/whatever, just a web app which
connects to others like it and is accessible from the regular Internet. But
perhaps that's easier to grasp and set up for more people.

-- 
With respect,
Roman




Re: [tor-talk] Tor Browser and my location

2015-10-06 Thread Roman Mamedov
On Tue, 6 Oct 2015 20:57:53 +0100
Ben Tasker  wrote:

> Google will redirect you to a region specific version of Google based on
> geo-location of your source IP. This is the IP of the Tor exit node you're
> using, which is why it differs to your location.
> 
> If you set your homepage to https://www.google.com/ncr (append the query
> string you want to use if desired) you should stay on the .com domain

You could also try https://classic.startpage.com/eng/ which is basically an
anonymous proxy to Google. I believe it shouldn't redirect you to any
non-English versions depending on your supposed 'location'.

-- 
With respect,
Roman




Re: [tor-talk] Potential uses for the Tor network

2015-10-04 Thread Roman Mamedov
On Sun, 4 Oct 2015 15:39:13 -0400
Bryan Gwin  wrote:

>  My name is Bryan Gwin (I have my masters in computer science) and I have a
> quick question. Is it possible for someone to design some software that can
> utilize the Tor network (i.e. software that will allow users to communicate
> with each other through the Tor Network allowing for private
> conversations). Is there only one browser that can get a list of
> participating computers and route data through them? I am not creating chat
> software (I have something else in mind but the details are irrelevant). If
> the project is somewhat open source, then could something like chat
> software be made where If one person downloads the chat software and
> another person downloads the same software, the first person would be able
> to use the software to communicate with the other person's software through
> the Tor network. Yes or no? If yes, generally how would that work (meaning
> how could the software use the network in a very broad sense).

You should take a look at https://en.wikipedia.org/wiki/TorChat

-- 
With respect,
Roman




Re: [tor-talk] Onionmap, a free software worldmap of Tor relays

2015-09-18 Thread Roman Mamedov
On Fri, 18 Sep 2015 15:51:14 +0200
opi  wrote:

> Hi there,
> 
> Last week Luke Millanta released OnionView [1], a nice map showing the
> location of all Tor relays around the world. It's not free software,
> and using Google Maps doesn't really make me happy.
> 
> Few days ago I started working on a similar application. I present you
> Onionmap:
> 
> https://opi.github.io/onionmap/
> 
> It's mostly a piece of JavaScript calling the Onionoo API, using
> leaflet.js to build a map.

So same problem as with OnionView, it doesn't seem to know how to usefully
present things when you zoom in. Here is what it shows when I close in on
Paris: https://lut.im/2o3vl54VYn/Fh7p3rmz.png

Not exactly useful in any way shape or form (sic).

-- 
With respect,
Roman




Re: [tor-talk] TWN Submission

2015-09-10 Thread Roman Mamedov
On Wed, 9 Sep 2015 23:06:28 +1000
Luke Millanta  wrote:

> Hello,
> 
> Karsten asked me to send a quick introduction about my new web service,
> OnionView.com

Upon clicking any of the circles it takes me to the maximum zoom level at the
corresponding city/location (literally nose into the ground, showing some
blank terrain and maybe a couple of streets), with no further breakdown or a
list of relays (as I would have expected).

Is this working as designed?...

-- 
With respect,
Roman




Re: [tor-talk] (no subject)

2015-08-29 Thread Roman Mamedov
On Sat, 29 Aug 2015 17:11:23 +0200
blaatenator  wrote:

> Indeed, some (coincidentally???) big corps do block relays. For a while
> I ran a relay from my home connection and for instance Nike was not
> reachable without the use of a VPN (I don't mind, and even favor, Nike
> being out of the picture, not everyone feels the same way ;) ).

It's not "some big corps", it's just the same singular entity: Akamai.
www.nike.com is using the Akamai CDN. And the issue of Akamai blocking
non-exit nodes has been raised on this list time and time again in the past.

-- 
With respect,
Roman




Re: [tor-talk] hardware recommendations

2015-08-29 Thread Roman Mamedov
On Sat, 29 Aug 2015 10:55:02 +0200
blaatenator  wrote:

> Are there more recommendations regarding this sort of stuff? Like a
> 'best buy' guide for secure hardware, or ways to work around insecure
> hardware.

Take a look at http://www.fsf.org/resources/hw

-- 
With respect,
Roman




Re: [tor-talk] future of torstatus.blutmagie.de

2015-08-23 Thread Roman Mamedov
On Sun, 23 Aug 2015 16:22:18 +0200
Olaf Selke  wrote:

> not everybody feels comfortable relying on a service from Moscow

On Sun, 23 Aug 2015 16:53:47 +0200
Tom van der Woerdt  wrote:

> run it from a more favorable location

Really now, so everyone is silently okay with the Tor project as a whole being
run and managed from the US, but as soon as a minor third party statistics
service[1] talks about plans to migrate to a Russia-based host, people are going
to raise a fuss? Is the Tor community really so chauvinist and US-centric?

[1] an extremely useful one, which I use almost on a daily basis and would be
really sad to see it shut down;

-- 
With respect,
Roman




Re: [tor-talk] (no subject)

2015-08-11 Thread Roman Mamedov
On Tue, 11 Aug 2015 21:08:45 -0700
Ryan Carboni  wrote:

> > Does anyone in Tor want to name a price to get this task done?
> 
> 
> 
> The price of a public dedicated ip address is at worst, $20 a month.

What. More like $3-5, and that's indeed at worst, with the price more
commonly being around $1-2.

$20 today gets you not just a public IP address, but a whole 100 Mbit
unmetered VM or a dedicated server to go with it, and not even just one, but
easily two or three.

I get it that you want to "influence" the decision making, but using comically
wrong estimates will not get you anywhere.

> Two tor nodes max per IP address, so roughly $20*6000 relays / 2 =
> $60,000 per year.
> That is perhaps the only price of no multicore support.
> Although, many Tor nodes are hosted using dynamic IPs, so perhaps the
> cost is closer to $1,000 per year.
> In any case, I'm not sure how many sequential operations there are.


-- 
With respect,
Roman




Re: [tor-talk] (no subject)

2015-08-11 Thread Roman Mamedov
On Tue, 11 Aug 2015 15:28:01 -0700
Yuri  wrote:

> On 08/11/2015 15:13, Ryan Carboni wrote:
> > Why is there no multicore support for Tor? I haven't been able to find an
> > answer to this question.
> 
> This is maybe because even with the quite high for the Tor network 
> bitrates of 5-6MBps tor process never comes close to 100% CPU usage on 
> the average hardware. So multicore capability will add no benefit.

> never comes close

> to 100% usage

> never

*Repeatedly headbangs on the desk*

Uhm so what was I talking about. Ah yes, I believe that's not the case. It
would add a great deal of benefit actually.

As to why it's not implemented, I think simply because no one has coded it yet.
Often things tend to not exist until someone creates them. For the reason why
it's not added, my guess is because it is rather difficult. And yeah, maybe
because other priorities, such as the need to work on other features and keep
the code reasonably simple still outweigh the performance benefit from proper
multi-threading.

Currently Tor can use about 130-150% of a CPU, so if you have 4 cores you
could run 2 copies of Tor on the same IP and attain a reasonable degree of
your resources' utilization.

-- 
With respect,
Roman




Re: [tor-talk] Any Windows Software shipping Tor 0.2.4.23?

2015-07-31 Thread Roman Mamedov
On Fri, 31 Jul 2015 18:58:40 -0400
grarpamp  wrote:

> On Fri, Jul 31, 2015 at 6:36 PM, nusenu  wrote:
> > Is anyone aware of software (incl. malware) that ships Tor v0.2.4.23 for
> > Windows?
> > https://raw.githubusercontent.com/nusenu/tor-network-observations/master/Windows_0.2.4.23_orport443_dirport9030_nickdefault.txt
> 
> Vuze ships with a client embedded

Really, does it? It says they include built-in I2P support in a newer plugin,
but regarding Tor they just describe how to download and set up Tor from
torproject.org.
https://wiki.vuze.com/w/Anonymous_file_sharing_with_Tor_and_I2P
https://wiki.vuze.com/w/Tor_HowTo


-- 
With respect,
Roman




Re: [tor-talk] comicskingdom.com inaccessible by Tor?

2015-07-27 Thread Roman Mamedov
On Mon, 27 Jul 2015 18:54:59 + (UTC)
bao song  wrote:

> A few weeks ago, I suddenly could not access comicskingdom.com with Tor.
> For several years before that, I had no problem accessing comicskingdom.com 
> with Tor.
> It might be interesting to figure out how they are blocking Tor, since we 
> want people to be able to use Tor to access sites that are otherwise blocked. 
> (I haven't had any luck with this.)

They do seem to be blocking a lot of IPs (or have some networking problem).

I couldn't access it from any of my non-exit IPs that I tried, but also from
one machine which does not run a relay at the moment (but ran previously), and
from a machine which has never run a relay [1]. All of these are VPS/dedicated
servers. 

The site loads fine from four tested "regular user" home and office
connections. So maybe they are just blocking known "datacenter" IPs.

[1] To my knowledge. Unfortunately ExoneraTor doesn't allow checking if that's
really been the case (i.e. run a search with no date specified).

-- 
With respect,
Roman




Re: [tor-talk] USB Sticks for Tails -> CCCamp

2015-07-22 Thread Roman Mamedov
On Wed, 22 Jul 2015 08:59:43 -0700
Apple Apple  wrote:

> On 22 Jul 2015 13:22, "Jacob Appelbaum"  wrote:
> > DVD drives are programmable computers until we find evidence
> > suggesting the opposite.
> 
> And USB host controllers?

DVD drives really are; see for example [1] for information about DVD-RW
firmware modding and reflashing for NEC drives. Same as HDDs or SSDs.

USB host controllers by themselves are not known to have any reprogrammable
code, they are much simpler. If it's integrated into the motherboard, you will
just need to ensure it uses a free BIOS such as Coreboot.

However I have to wonder on what is your threat scenario that you cannot trust
a random anonymously bought off-the-shelf DVD drive. If the bootable OS
verifies signatures of files it loads from the disk, then it'd have to do a
rather sophisticated and specifically targeted for that OS "evil maid" attack.

[1] http://liggydee.cdfreaks.com/page/en/FAQ/


-- 
With respect,
Roman




Re: [tor-talk] Question regarding some strange behavior on some exitnodes

2015-06-27 Thread Roman Mamedov
On Sat, 27 Jun 2015 17:42:35 +0200
chloe  wrote:

> 
> Hello,
> 
> I have a question regarding some strange behavior on some nodes(11 of 
> them).
> 
> 
> See this access-log:
> 
> 81.89.0.201 - - [25/Jun/2015 12:25:30] "GET /db/backups/965110218-2015 
> HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:10] "GET /db/backups/965110218-2015 
> HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:35] "GET 
> /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:40] "GET 
> /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:46] "GET 
> /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:51] "GET 
> /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:00:57] "GET 
> /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:01:02] "GET 
> /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> 37.187.202.46 - - [25/Jun/2015 14:01:08] "GET 
> /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
> AE4E83B0BFDF679989D746C3B3DEF2EBCA35FA68 was using URL 965110218-2015
> 
> 
> Here we can see that node (AE4E83B0BFDF679989D746C3B3DEF2EBCA35FA68) 
> with IP 81.89.0.201 first visit the unique URL 
> "/db/backups/965110218-2015"  and then around 1.5 hours later another IP 
> visits the same URL and does some indexing?
> 
> The other 10 nodes are doing the exact same thing. I'm using Bottlepy as 
> "web server" so no User Agent grabbed, but still, this is a unique URL, 
> why do I have more than 2 visits on them? The IP 37.187.202.46 is not 
> part of Tor.
> 
> Could you please look into this problem? The affected exitnodes are:
> 
> Kind regards,
> Chloe

Probably one of those studies on "what people are up to, when they use Tor".

Two that I know of (in Russian):
http://habrahabr.ru/post/92787/ and
http://habrahabr.ru/company/xakep/blog/244485/

Also keep in mind those absolutely don't have to be public, there could be
much more sniffing and crawling going on than we could imagine. Does not
seem too evil however, and I'd say that's not a reason to ban exit nodes.

-- 
With respect,
Roman
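
Added example (not part of the original messages): one way to turn the access log quoted above into a per-token report of canary URLs that were later fetched from a different IP. The token-to-relay mapping, the function names, and the last two sample log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Canary token -> relay it was fetched through. The first pair is the one
# named in the quoted message; the second is constructed for this example.
ISSUED = {
    "965110218-2015": "AE4E83B0BFDF679989D746C3B3DEF2EBCA35FA68",
    "111222333-2015": "CONSTRUCTED-RELAY-LABEL",
}

# The first three lines come from the quoted log (e-mail line wraps undone);
# the last two are constructed.
SAMPLE_LOG = """\
81.89.0.201 - - [25/Jun/2015 12:25:30] "GET /db/backups/965110218-2015 HTTP/1.1" 200 5057
37.187.202.46 - - [25/Jun/2015 14:00:10] "GET /db/backups/965110218-2015 HTTP/1.1" 200 5057
37.187.202.46 - - [25/Jun/2015 14:00:35] "GET /db/backups/965110218-2015?C=N;O=D HTTP/1.1" 200 5057
198.51.100.7 - - [25/Jun/2015 15:10:02] "GET /db/backups/111222333-2015 HTTP/1.1" 200 5057
this line is truncated and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return ip, time, token and query for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
    except ValueError:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "time": when,
        # The token is the last path segment; the query string is kept apart
        # so that "?C=N;O=D" requests still count against the same token.
        "token": parts.path.rstrip("/").rsplit("/", 1)[-1],
        "query": parts.query,
    }


def find_replays(log_text, issued):
    """Report every issued token that a second IP requested after the first one."""
    visits = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit and hit["token"] in issued:
            visits[hit["token"]].append(hit)

    findings = []
    for token, hits in visits.items():
        hits.sort(key=lambda h: h["time"])
        first = hits[0]
        later = [h for h in hits[1:] if h["ip"] != first["ip"]]
        if not later:
            continue  # only ever seen from one address: nothing to report
        findings.append({
            "token": token,
            "relay": issued[token],
            "first_ip": first["ip"],
            "replay_ips": sorted({h["ip"] for h in later}),
            "replay_count": len(later),
            "delay": later[0]["time"] - first["time"],
            "with_query": sum(1 for h in later if h["query"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_replays(SAMPLE_LOG, ISSUED):
        print(f"{f['token']} (via {f['relay']}): first seen from {f['first_ip']}, "
              f"then {f['replay_count']} request(s) from {', '.join(f['replay_ips'])} "
              f"starting {f['delay']} later; {f['with_query']} carried a query string")
```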




Re: [tor-talk] Creation of TOR Linux distribution for relay or server with everything preconfigured

2015-06-26 Thread Roman Mamedov
On Fri, 26 Jun 2015 05:25:04 -0400
Griffin Boyce  wrote:

>Most of the configuration (at least in my case) has to do with 
> deciding on the right speed for the relay and setting a bandwidth cap.  
> And when using a VPS, I set "AccountingMax" and "AccountingStart" to 
> stay within my expected billing range.  So I would say that would 
> present the biggest issue for me with regards to having optimal settings 
> for something preconfigured.
> 
>However, you can make a relay just by configuring your torrc file (in 
> /etc/tor) and then restarting tor.  Here's a basic torrc file for a 
> relay:
> 
> #
> Log notice file /var/log/tor/notices.log
> RunAsDaemon 1  # Run Tor in the background
> DataDirectory /var/lib/tor # required
> ORPort 9001 # required
> Nickname relayname # Name your relay!
> AccountingMax 960 GB # only pass up to 960gb...
> AccountingStart month 3 15:00 # ...per month
> ExitPolicy reject *:* # no exits allowed
> #
> 
>Once you have your torrc file configured, run the command: sudo -u 
> debian-tor tor.

Sorry, what? Do you also build your Tor from source with "make install"?
Also this doesn't restart, but starts Tor, and you didn't mention the need (or
how) to stop it before.

The correct way to restart Tor in Debian is '/etc/init.d/tor restart'.

-- 
With respect,
Roman




Re: [tor-talk] Atlas

2014-07-10 Thread Roman Mamedov
On Thu, 10 Jul 2014 08:02:32 -0700
C B  wrote:

> Any chance of creating a non-javascript version of the Atlas, at 
> https://atlas.torproject.org/ ? I can access it by allowing temporary all 
> access, but it seems that it would be easier if a non-javascript version 
> could be created, or added.

You could always use simpler stats engines such as
http://torstatus.blutmagie.de/
it looks like it will lose some features w/o JS, but should still work.

-- 
With respect,
Roman




Re: [tor-talk] Benefits of Running TBB in a VM?

2014-07-05 Thread Roman Mamedov
On Sat, 5 Jul 2014 10:05:10 -0700
Bobby Brewster  wrote:

> >>>if your non-VM host system has been compromised, there is absolutely no
> >>>notable advantage to using a vm.  your vm will be affected by the
> >>>malware that sits on the host system.  
> 
> 
> I don't understand this. If my Ubuntu system has a virus / rootkit / whatever 
> then what I do on it is compromised.
> 
> The VM is, in effect, a separate OS. How would it be affected by the malware 
> on the non-VM system?

First of all, malware at the host OS can capture and log all keypresses you do
in the VM system; can also make screenshots or video capture of what you do in
it, can also capture network traffic or even read memory of the guest VM.

Second, there is the issue of trust; your host system has unrestricted access
to the entire disk of all guest VMs it runs. If your host executes malicious
code, you can't be sure that your guest VMs haven't been accessed and tampered
with in some way. On the contrary, you should assume they HAVE been
compromised by the infected host.

-- 
With respect,
Roman




Re: [tor-talk] messing with XKeyScore

2014-07-05 Thread Roman Mamedov
On Sat, 5 Jul 2014 03:59:28 +
Matthew Finkel  wrote:

> This problem makes me sad on many levels, and I'm not opposed to
> implementing mitigation techniques (within reason) based on the
> rulesets, however we shouldn't do anything that will hurt our users nor
> should we do anything that makes tor more difficult to use
> (unfortunately this includes sending users bogus bridge addresses).

Well, what is the format of an E-Mail response with a bridge list?

If it's just plain text, why not instead send them as a picture in attachment,
with bridge IP addresses encoded in CAPTCHA style to not be machine-readable.

-- 
With respect,
Roman




Re: [tor-talk] visa.com blocked // livejournal.com

2014-07-02 Thread Roman Mamedov
On Thu, 3 Jul 2014 04:15:37 -
"Paul A. Crable"  wrote:

> It appears to me that visa.com is blocking access to its site by users
> using TOR.

Yes, and they even block IPs of non-exit relays.

But that's somewhat of an old story, in this case it is still Akamai who's to
blame, and this has been reported a number of times on this list.

On an unrelated note, yesterday a user reported they can't access a blog on
livejournal.com via Tor. Even not trying to log in and just for reading, it
just says something along the lines of "Access denied to your IP" and shows no
content.

-- 
With respect,
Roman




Re: [tor-talk] Tor Exit Operator convicted in Austrian lower court

2014-07-02 Thread Roman Mamedov
On Thu, 03 Jul 2014 03:54:32 +0300
s7r  wrote:

> In the blockchain I saw a pretty good fed of BTC to his donation
> address - folks in the community didn't turn back on this. With that
> sum donated there he could arrange for a top lawyer, minimum. I don't
> know what was the exact rate when he cashed those into FIAT anyway but
> still it was something.

"...261.91743313 in bitcoin donations which is worth almost $170,000 today"

"Yes, this is correct. Back then i sold them (entirely) for around 5000EUR via
Virwox and BTC24."

"For clarification: My lawyer costs 250EUR / hour, this 1EUR total
(Paypal+BTC) funded (with tax i paid ignored, else around 30) 40 hours of my
lawyer which obviously in such a case is not enough by far. I myself invested
more than this in the case."

http://lowendtalk.com/discussion/comment/644383/#Comment_644383

- -- 
With respect,
Roman


Re: [tor-talk] StartCom certs untrusted

2014-07-01 Thread Roman Mamedov
On Tue, 01 Jul 2014 11:49:03 -0700
Garth Patil  wrote:

> Hi,
> I'm using Tor Browser 3.6.2-MacOS. I have a site that uses a free class
> 1 SSL cert from StartCom. Recent versions of
> Chrome and Firefox don't seem to have this problem, but Tor Browser
> gives the untrusted error. Is there a reason this CA isn't included?

I've just tested with TBB on Windows, and it does recognize such certs
properly. Which website are you talking about? Post the URL if it's not
sensitive. Maybe they don't attach StartCom's intermediate certs (as I think
StartCom's instructions recommend to do).

-- 
With respect,
Roman




Re: [tor-talk] Illegal Activity As A Metric of Tor Security and Anonymity

2014-06-25 Thread Roman Mamedov
On Wed, 25 Jun 2014 21:28:42 +0100
Mark McCarron  wrote:

> I have been examining the number of what would normally be deemed as illegal 
> sites on Tor.  Eliminating the narcotics trade, as these tend to be 
> intelligence agency backed enterprises, a serious decline has been noted 
> across the board.
> 
> This would tend to suggest that exposure is common place and users no longer 
> feel safe.  In the more serious categories, such as child porn and violent 
> sexual material, no functioning open sites remain and many of the sites that 
> require registration are crippled.  The entire planet has been scrubbed.
> 
> This, it would seem, indicates that Tor has been compromised on a global 
> scale with very little fanfare or moves to correct the situation.
> 
> Does anyone have any insights into the problem?

What problem?

I think you are just planting FUD, in an attempt to stifle the growth of those
very hidden services that you're trying to "protect". In almost every message of
yours you are repeating like a broken record: "Tor has been compromised. Tor
is dead. There is something wrong with Tor. Tor is a waste of time."

You keep hammering those like that's an accepted fact and we just "need to
stop looking for excuses". However there has been no proof of your statements
whatsoever. And no, any fluctuation in hidden service numbers, even if real,
would not "prove" that Tor is fundamentally compromised or anything of the
sort.

Such a persistent FUD campaign like yours certainly can get some .onion
operators concerned and shut down their sites. Especially if you recruit some
puppet accounts or fellow agents to "agree" with you further down the line in
this discussion.

-- 
With respect,
Roman




Re: [tor-talk] Running an exit node which exits on a different IP than it listens to

2014-06-24 Thread Roman Mamedov
On Tue, 24 Jun 2014 15:07:16 +0200
Anders Andersson  wrote:

> The reason would be to minimize the chances of the exit IP ending up
> in some overzealous blacklist.

I think the long-time position of the Tor project was that if someone wants to
block all Tor exit relays, they should be able to do so.

> I'm pretty sure that a lot of the
> blacklist operators just scrape the public list of relays and then
> they end up in a lot of places where the customer is not even aware
> what is being blocked. This is painfully obvious to people running a
> non-exit relay from home, when trying to use IRC or other services.

And sorry but this is just a non-sequitur. "Clueless blocking of non-exit
relays is bad, therefore _EXIT_ relays should now start evading blocklists."

-- 
With respect,
Roman




Re: [tor-talk] Ad Blocking Software

2014-06-10 Thread Roman Mamedov
On Tue, 10 Jun 2014 10:49:01 +0200
Anders Andersson  wrote:

> On Mon, Jun 9, 2014 at 9:18 PM, Antonio Z  wrote:
> > I understand that it is not necessary, but I believe that making your
> > own ad blocking software would bring more people to tor. It does not
> > even have to come with the bundle. It could just be an optional add on
> > called, Tor Ad blocker.
> >
> > Inappropriate ads are the main reason why I would just shift back to a
> > browser in which I can maneuver easier.
> 
> What's wrong with any of the ad blockers already out there, like, adblock?

I think one objection against manually installing AdBlock (or other similar
extensions) was that you make your TBB stand out from most other TBBs out
there. If *all* TBBs had AdBlock or other standardized ad blocking software
installed, that'd be a non-issue.

-- 
With respect,
Roman




Re: [tor-talk] Problematic ORPorts

2014-06-07 Thread Roman Mamedov
On Sat, 7 Jun 2014 14:02:43 -0400
grarpamp  wrote:

> > So my idea is, maybe consider making directory authorities blacklist some
> > ports as being unacceptable as ORPorts, 22 and 53 come to mind for a start,
> > along with maybe 25 to avoid false alarms from anti-spam countermeasures.
> 
> ORport config exists to give better anti blocking/censorship
> performance. So Tor should not exclude any OR port/protocol.
> The problem is with you and your ISP, not other relays who
> have fine working relationships with their ISP regarding binding
> to those ports.

First of all, if an end-user is affected by censorship, they are likely to use
Tor Bridges anyway, so the need of plain relays on standard ports does not
seem to be of much significance.

Second, to the contrary of what you describe regarding ISP relationships, it
could very well be that running a relay on a port like 22 or 53 is caused by
the opposite, i.e. by their ISP not being fully informed of what the relay
operator is doing on their machine, and as a result with the said operator
only being able to request opening/forwarding of a few innocent-looking ports
from their network administrator (e.g. at an university or school). Sure they
are doing this out of their best intentions to contribute bandwidth to Tor,
but if such 'contribution' ends up knocking five other much faster relays from
being able to act as relays anymore, how positive is it really.

> A relay operator who feels they are at risk of making such
> contact should probably work with their host or find another
> one instead of narrowing their possible outbound paths. (The
> impact to tor network of RelayNoORPorts would depend on
> percent nodes having your noisy ORport and traffic weights.
> May also affect clients reaching specific exit relay using said
> ports. And add more overhead signaling. Better to find new host.)

One issue is often the very fact that having a lot of such connections can be
problematic might only be discovered post-factum*, i.e. after the user already
has been forcefully "parted" with their VPS or dedi (prepaid for some
significant period too). Trying to explain about Tor in this case can easily
result in some less-than-qualified or overly cautious ISPs banning all Tor on
their network altogether ("oh so it was Tor that caused these SSH or DNS
attacks? OK, from now on adding a 'no Tor' rule into the ToS").

* Sure you might argue that any relay operator needs to be upfront about
running a relay with their ISP, but really, the easiest and the most workable
solution when running a non-exit relay is (or at least was, before these
port 22 and port 53 relays) to stay "below the radar".

Another issue is that the pool of hosts providing cheap or reasonably priced
unmetered VPSes or dedicated servers is far from being infinite, that you
could so easily just abandon one and move over to the next one.

-- 
With respect,
Roman




[tor-talk] Problematic ORPorts

2014-06-07 Thread Roman Mamedov
Hello,

Recently on this mailing list and on tor-relays there have been some cases
when relay nodes using standard ports commonly used for other services as
their ORPort cause issues with ISPs of someone else running a relay.

Notably once a relay on port 53 has triggered "high DNS traffic anomaly" IDS
warning from the provider and almost(?) had the user's account terminated. DNS
port 53 is commonly used for DNS reflection DDoS attacks, and apparently now
ISPs have deployed measures to detect (and misdetect) these.

In one more case a relay on port 22 had the user suspicious that an SSH
brute-forcing may be going on.

And finally an ISP has suspended a relay node VPS of someone I know on a
suspicion of "having been hacked"; there was no further information on the
basis of such suspicion, but thinking about it, it's entirely plausible that
many outgoing connections to port 22 could have been the trigger.

Large amounts of traffic and a high count of open connections to these ports
is now one (and perhaps the first) case when running a non-exit relay *may*
get you in trouble with your provider.

So my idea is, maybe consider making directory authorities blacklist some
ports as being unacceptable as ORPorts, 22 and 53 come to mind for a start,
along with maybe 25 to avoid false alarms from anti-spam countermeasures.

-- 
With respect,
Roman
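
Added example (not part of the original messages): a way to measure how many relays, and what share of consensus weight, sit on the ORPorts discussed in this thread. It assumes a network-status consensus in the `r`/`a`/`w` line format of the Tor directory protocol; the sample entries, relay names and addresses are constructed.

```python
# Ports named in the thread as likely to trip an ISP's IDS or abuse desk.
WATCHED_PORTS = {22: "ssh", 25: "smtp", 53: "dns"}

# Constructed consensus excerpt. relayD uses the shorter microdescriptor-style
# "r" line (no descriptor digest); relayC advertises an extra IPv6 ORPort.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-06-07 12:00:00 192.0.2.10 9001 9030
s Fast Running Stable Valid
w Bandwidth=5000
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-06-07 12:00:00 198.51.100.20 53 0
s Fast Running Valid
w Bandwidth=3000
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-06-07 12:00:00 203.0.113.30 443 80
a [2001:db8::30]:22
s Running Valid
w Bandwidth=1500
r relayD GGGGGGGGGGGGGGGGGGGGGGGGGGG 2014-06-07 12:00:00 192.0.2.40 22 0
s Running Valid
w Bandwidth=500
"""


def parse_relays(text):
    """Collect nickname, every advertised ORPort and consensus weight per relay."""
    relays, cur = [], None
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "r":
            # ORPort is second from the end in both the full and the
            # microdescriptor flavour, so index from the right.
            if len(f) >= 8 and f[-2].isdigit():
                cur = {"nick": f[1], "ports": {int(f[-2])}, "bw": 0}
                relays.append(cur)
            else:
                cur = None  # malformed entry: ignore its following lines too
        elif cur is None:
            continue
        elif f[0] == "a" and len(f) == 2:
            port = f[1].rsplit(":", 1)[-1]  # handles "[v6addr]:port"
            if port.isdigit():
                cur["ports"].add(int(port))
        elif f[0] == "w":
            for kv in f[1:]:
                key, _, val = kv.partition("=")
                if key == "Bandwidth" and val.isdigit():
                    cur["bw"] = int(val)
    return relays


def watched_port_share(text, watched=WATCHED_PORTS):
    """Per watched port: which relays listen there and their share of total weight."""
    relays = parse_relays(text)
    total_bw = sum(r["bw"] for r in relays)
    report = {}
    for port, service in watched.items():
        hits = [r for r in relays if port in r["ports"]]
        bw = sum(r["bw"] for r in hits)
        report[port] = {
            "service": service,
            "relays": sorted(r["nick"] for r in hits),
            "relay_share": len(hits) / len(relays) if relays else 0.0,
            "weight_share": bw / total_bw if total_bw else 0.0,
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(watched_port_share(SAMPLE_CONSENSUS).items()):
        print(f"port {port} ({info['service']}): {len(info['relays'])} relay(s), "
              f"{info['relay_share']:.0%} of relays, "
              f"{info['weight_share']:.0%} of consensus weight: {info['relays']}")
```

The weight share matters more than the relay count here: it approximates how often a relay's outbound connections would go to one of these ports.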




[tor-talk] Setting up an IPv6-supporting obfs3 bridge?

2014-05-22 Thread Roman Mamedov
Hello,

The [1] page currently does not mention anything about IPv6 at all; after
following the instructions in it, the bridge only listens on IPv4.

If I add an IPv6 ORPort as described in [2], this does make Tor itself listen
on IPv6, but still the obfsproxy only opens an IPv4 port:

May 22 09:27:13.000 [notice] Registered server transport 'obfs3' at 
'0.0.0.0:n'

How to make obfsproxy also listen on IPv6?

From the state of documentation on this matter it looks like no one needs any
IPv6-capable obfsproxy bridges.

[1] https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en
[2] https://people.torproject.org/~linus/ipv6-relay-howto.html


-- 
With respect,
Roman




Re: [tor-talk] Small server, not much bandwidth

2014-04-10 Thread Roman Mamedov
On Thu, 10 Apr 2014 18:24:00 +0100
John Williams  wrote:

> 3. If I run obfsproxy, should I open the regular tor port 9001 to the
> internet also? Or will that get me onto blacklists of "known tor
> bridges" and cause my whole IP address to be blocked?

The "regular tor port" doesn't *have* to be 9001; you can set ORPort to
anything you want. And I doubt that China or whoever are going to scan all 65k
ports on your IP to check if there's Tor listening on one of them.

-- 
With respect,
Roman




Re: [tor-talk] Terminology: Deep v Dark Web

2014-01-25 Thread Roman Mamedov
On Sat, 25 Jan 2014 14:33:12 -0700
Mirimir  wrote:

> Analogous private networks, generally called anonets, are also routed
> via VPNs through the Internet.

There is anoNet/anoNet2 [1] which are a very specific particular project; but
that's the first time ever I hear that "private networks... are generally
called anonets". I think your statement sounds a bit like "onion routing
networks ...are generally called Tors".

[1] https://en.wikipedia.org/wiki/Anonet

-- 
With respect,
Roman




Re: [tor-talk] Businesses blocking Tor access

2014-01-16 Thread Roman Mamedov
On Thu, 16 Jan 2014 16:25:38 -0800 (PST)
C B  wrote:

> A different error code, this time from http://www.funtrivia.com/
> 
> Access Denied: code FTTT 

F*** This Troublesome Tor? :)

-- 
With respect,
Roman




Re: [tor-talk] Any risks with another application using Tor's SOCKS 5 interface?

2013-12-04 Thread Roman Mamedov
On Wed, 4 Dec 2013 10:57:36 -0800
James Marshall  wrote:

> SOCKS 5 is insecure if the client and server are on different hosts and

What exactly does that insecurity consist of?

If your aim is to open a client-less "in-proxy" to Tor network for anyone to
use, then you might just as well open your SOCKS 5 port to the world.

AFAIK any insecurity in SOCKS is related only to authentication, i.e.
unauthorized users may be able to connect to your SOCKS proxy. But that's not
an issue if you open it to anyone "by design" anyway.

-- 
With respect,
Roman




Re: [tor-talk] Open Source Router

2013-11-27 Thread Roman Mamedov
On Wed, 27 Nov 2013 17:59:39 -0600
Ed Fletcher  wrote:

> There has been lots of discussion on this list about the Safeplug, which 
> didn't garner much enthusiasm from the list members.  I haven't seen 
> this project mentioned:
> 
> http://www.orp1.com/
> 
> An open-source software and hardware router for Tor, vpn, etc.  Being 
> open-source, it eliminates a lot of the concerns expressed about the 
> Safeplug.  The downside is it costs US$400.

You can make yourself an open-source router by flashing OpenWRT to any of the
hundreds of OpenWRT's supported models. Or if you are really serious and by
"open source router" mean it also must be Open Hardware, then there should be
still much cheaper options available. For example this board[1], can be
combined with any VLAN-capable switch and act as a perfectly capable router
(although this particular model does not have gigabit LAN).

[1]
http://olimex.wordpress.com/2013/11/14/a10-olinuxino-lime-eur-30-open-source-hardware-linux-sbc-first-prototypes/

-- 
With respect,
Roman




Re: [tor-talk] Pogoplug as a new twist on a good idea

2013-11-27 Thread Roman Mamedov
On Wed, 27 Nov 2013 11:44:04 -0800
accountabil...@bitmessage.ch wrote:

> Several have posted about setting up Pogoplug or Raspberry Pi as a
> dedicated Tor relay, but I wanted to suggest a related potential
> opportunity for contributing to Tor from your university, office, etc. for
> less than $50 because it may be more inconspicuous and offer more
> resources (1.6Ghz dual-core + 1-2GB RAM are common) for running Tor:
> 
> 1. Pick up an Android "stick" computer (basically a tablet without a
> screen), many of which run on USB power and typically offer:
> -built-in wi-fi and compatibility with USB gigabit ethernet adapters
> -ability to run CyanogenMod or Replicant in some cases

Many of those sticks run regular GNU/Linux distributions as well.

E.g. an Allwinner A10-based* "MK802" stick easily boots regular Debian armhf
(or Arch or Fedora) from an SD card: http://linux-sunxi.org/Bootable_OS_images

No need to bother with any of the Android b/s. And it costs $35 shipped:
http://www.aliexpress.com/wholesale?SearchText=MK802+A10&opensearch=true

* there is also a dual-core A20 variant, but that one may be a bit less widely
  supported with the hobbyist GNU/Linux efforts.

-- 
With respect,
Roman




Re: [tor-talk] "Safeplug"

2013-11-23 Thread Roman Mamedov
Some more information from [1]

- "users can whitelist certain sites so that their use is not run through Tor."

- "Users can also set up Safeplug to work on a per-browser basis, so for
  example Firefox may always run through Tor while Chrome won’t."

- "users can also set themselves up as Tor nodes to help others surf
  anonymously (the default setting for this is “off” as it has bandwidth
  implications)."

- "People who are sceptical can look at the Linux level(sic) and see exactly
  what processes are running. Technical users can look inside the box and feel
  safe that it’s only running Tor.”"

- "Pogoplug has even made firmware updates for the device pull-only, not push
  – “If we pushed, we’d have to track all the boxes. It’s pull-based for
  security reasons.”"

[1]
http://gigaom.com/2013/11/21/say-hello-to-safeplug-pogoplugs-49-tor-in-a-box-for-anonymous-surfing/

-- 
With respect,
Roman




Re: [tor-talk] "Safeplug"

2013-11-22 Thread Roman Mamedov
On Fri, 22 Nov 2013 10:45:35 -0800
Yuri  wrote:

> Also, without the device being open source (and how can it really be?) 

Why can't it be?

Well, maybe not the whole device down to the CPU Verilog design level, but
they could post source-code for the firmware with the instructions to build
and flash it, and since most likely this contains at least the Linux kernel
and some GPLed tools like Busybox, they are legally obligated to provide
source to whoever they distribute the binary to, on their request. But many
router manufacturers don't bother limiting it to just that, and simply post
the source code for public download on their websites.

-- 
With respect,
Roman




Re: [tor-talk] "Safeplug"

2013-11-22 Thread Roman Mamedov
On Fri, 22 Nov 2013 10:56:55 -0500
and...@torproject.is wrote:

> Out of all the concerns about how they implemented it and such, my
> main concern is that it just adds more clients to the network without
> giving back in the form of relays or bridges.

If these are all real people using and getting benefit from Tor, well then why
not, that's what it's for.

> Or at least, none of their documentation mentions the ability to share
> freedom and privacy with others.

It kind of does in the FAQ:

> Does Safeplug slow down my browsing?
> While using Safeplug, it is likely that you will notice reductions in your
> overall Internet speed and page-loading times. This is because your Internet
> traffic is being bounced to computers across the globe to make your Internet
> browsing impossible to trace. The good news is that the more people use Tor
> the faster the service runs, so by using Safeplug you are helping the Internet
> community protect itself from tracking and surveillance.

Which is one part I am a bit amazed at, "wait is this seriously configured as
a relay by default?" and if so, what about people's home connection bandwidth
caps, etc. (no warnings about this on the website).

-- 
With respect,
Roman




Re: [tor-talk] "Safeplug"

2013-11-22 Thread Roman Mamedov
On Fri, 22 Nov 2013 06:25:33 -0500
Sean Alexandre  wrote:

> On Fri, Nov 22, 2013 at 04:50:44PM +0600, Roman Mamedov wrote:
> > https://pogoplug.com/safeplug
> > 
> > Someone should buy this and post a teardown. :)
> > 
> > (via
> > http://www.cnx-software.com/2013/11/22/49-safeplug-tor-router-let-you-browse-the-net-anonymously/
> >  )
> 
> I think these kinds of devices configured for Tor make good relays, but aren't
> great for anonymity. Tor anonymizes your IP address and DNS requests, but
> application protocols can still reveal your identity.

If it acts as anonymizing middlebox[1] then perhaps it can provide reasonable
anonymity, assuming the user acts as suggested and cleans out the cookies etc,
each time before browsing (yes, that's an unreasonable assumption right there).

But it's not clear at all if that's what it does, the intro and even their FAQ
are all extremely sketchy, and from the described connection scheme ("plug
into your router"?), the middlebox method of operation doesn't appear likely.

Would be nice to know more details about hardware, software, principles of
operation, default configuration (e.g. does it really set up a relaying node by
default?) and the horrendous blunders they baked in, when designing all of
this. :) That's why I mentioned that a teardown would be nice.

[1]
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#AnonymizingMiddlebox

-- 
With respect,
Roman




[tor-talk] "Safeplug"

2013-11-22 Thread Roman Mamedov

https://pogoplug.com/safeplug

Someone should buy this and post a teardown. :)

(via
http://www.cnx-software.com/2013/11/22/49-safeplug-tor-router-let-you-browse-the-net-anonymously/
 )

-- 
With respect,
Roman




Re: [tor-talk] Why my relay doesn't get any traffic and doesn't show up in the list torstatus.blutmagie.de ?

2013-11-21 Thread Roman Mamedov
On Thu, 21 Nov 2013 01:39:47 -0800
Yuri  wrote:

> I have a tor relay running with default parameters, see torrc below. 
> Ports 9001 and 9030 are forwarded WAN->tor server on LAN in router, and 
> LAN->WAN is open.
> 
> There are no messages in log, all seems to be ok.

'No messages'? So you don't even get any messages like...

Nov 18 20:01:30.000 [notice] We now have enough directory information to build circuits.
Nov 18 20:01:30.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
Nov 18 20:01:30.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Nov 18 20:01:31.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Nov 18 20:01:31.000 [notice] Circuit handshake stats since last time: 134/134 TAP, 1/1 NTor.
Nov 18 20:01:31.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Nov 18 20:01:32.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Nov 18 20:01:32.000 [notice] Bootstrapped 100%: Done.
Nov 18 20:01:39.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.

That would not be "ok".

-- 
With respect,
Roman




Re: [tor-talk] TOR network topology

2013-10-25 Thread Roman Mamedov
On Fri, 25 Oct 2013 12:17:57 +
Mads Tinggaard Pedersen  wrote:

> shape of the network, perhaps based by country?
> 
> what nodes in the network graph are connected to one another.

There is no real shape or topology or any fixed node-to-node connections
to speak of, really. Each client picks 3 nodes randomly (with the 1st one being
from a set of chosen once and kept long-term "Guards"), then builds a so
called circuit to route a new connection via them. So a structure of the
bulk of the network is a formless cloud (the word everyone loves so much),
with maybe some silver lining representing Exit nodes.

-- 
With respect,
Roman




Re: [tor-talk] linux configuration, root installation

2013-10-24 Thread Roman Mamedov
On Thu, 24 Oct 2013 16:42:02 -0400
krishna e bera  wrote:

> What if TBB was labelled as "Portable Tor Browser Bundle" or "Portable
> TBB"? (on each appropriate platform)

...then everyone who doesn't need to use it in an actual portability scenario
(on a USB stick) would look for/ask if there's a non-Portable version that's
perhaps better suited to their needs.


-- 
With respect,
Roman




Re: [tor-talk] VOIP and tor

2013-10-23 Thread Roman Mamedov
On Wed, 23 Oct 2013 22:23:48 -0700
Bry8 Star  wrote:

> As far as i'm aware there are few voice & text language
> physical-machine based translator, that can convert language, and
> then speak it out with another speakers voice in another language.

> VoIP software -> voice -> convert voice2text -> text -> sent to
> other side, over encrypted tunnel ->
> text2voice(use_profile_male_John) -> voice.

What would be the point of this, why not just a text chat?

Both voice recognition and automated translation are nowhere near good enough
to be used in this context. Add to that a 1-2 second delay of audio that you
get over Tor, and all you will get is just a complete hilarious mess, not any
kind of useful "conversation".

-- 
With respect,
Roman


Re: [tor-talk] TBB and tor-relays as a bitcoin wallets

2013-10-22 Thread Roman Mamedov
On Tue, 22 Oct 2013 19:41:27 +0200
Eugen Leitl  wrote:

> On Tue, Oct 22, 2013 at 10:09:52PM +0600, Roman Mamedov wrote:
> 
> > > 1).I think Cody Wilson is working on a bitcoin wallet in a browser.
> > 
> > Please stop trying to make people build buttcoin wallets into everything. Not
> > everyone may be a fan of your "satoshi"-shitoshi pyramid scheme, shocked eh?
> 
> Come on, Roman. No need for gratuitous offense. The suggestion was made
> in good faith, even though you consider it a poor fit.

Yeah that was a bit over the top, somewhat intentionally I must admit.
It is just so baffling to see a naive belief that "everything is better with
Bitcoin". A wake-up call with the sharpest possible negative reaction seems to
be an efficient way to convey the point across that nope, Bitcoin is a very
controversial topic and not the best idea since sliced bread as they think.

-- 
With respect,
Roman




Re: [tor-talk] TBB and tor-relays as a bitcoin wallets

2013-10-22 Thread Roman Mamedov
On Tue, 22 Oct 2013 14:40:52 +
Trigger Happy  wrote:

> Just an idea. In theory : is it possible to implement bitcoin wallet
> into tor-relay and TBB 1) ? TBB users could tip tor-relays (f.e. 1
> satoshi for guard and middle relay,  3 satoshi for exit-node per
> circuit). Running tor-relays could be profitable or at least cheaper.
> 
> 1).I think Cody Wilson is working on a bitcoin wallet in a browser.

Please stop trying to make people build buttcoin wallets into everything. Not
everyone may be a fan of your "satoshi"-shitoshi pyramid scheme, shocked eh?
If supporting Tor will automatically mean pushing the Bitcoin scam onto people,
e.g. personally I will have to reconsider whether or not I want to continue my
participation as a relay operator.

-- 
With respect,
Roman


Re: [tor-talk] The NSA's problem? Too much data?

2013-10-20 Thread Roman Mamedov
On Sun, 20 Oct 2013 18:58:34 +0200
Antispam 06  wrote:

> On 20.10.2013 18:09, Anonymous wrote:
> > What about users own domains? :)
> 
> Checked that list. Mostly vanity domains like $first_name@$last_name.com. 
> I think it's the same with car licence plates.

I am not sure "what about" them, but having E-Mail on your own domain is the
only way to have an E-Mail address you can rely on to have any sort of
longevity while allowing you the choice of providers.

Services come and go, they change their policies (or even just their user
interfaces) for the worse all the time. Your domain name always stays with you.

With an E-Mail address @providername.com you're locked-in to that provider by
the huge hassle of the prospect of changing E-Mail addresses. With an E-Mail
@yourdomain.com you are free to choose who hosts your MXes today, it could be
a 486 PC in your closet, a Xeon dedicated server in a DC, a VPS or two, or if
you're so inclined to trust "cloud services", it could be "Google Apps for
Domains", "Yandex PDD" or any of the other "bring your own domain" E-Mail
services which will compete for having you as their client without you
allowing them to lock you in.

Having E-Mail at a domain name you own is the ultimate freedom as far as doing
your E-Mail is concerned. Wouldn't imagine someone around here would consider
the desire to be free just a "vanity".

-- 
With respect,
Roman




Re: [tor-talk] The NSA's problem? Too much data?

2013-10-18 Thread Roman Mamedov
On Thu, 17 Oct 2013 17:22:18 +
Tempest  wrote:

> Michael Wolf:
> > 
> > I only commented that I don't click on the "tinyurl"s, since I have
> > no idea where they're going.
> 
> use longurl.org or something similar to see where they go. It will
> expand shortened links for you

Several years down the road, when the fashionable shortener service of the day
is long dead in the water, to a future reader there is no way to tell where
this URL used to go, and not knowing the URL they can't even use the Internet
Archive to check for an archived copy if the target site is down as well.

-- 
With respect,
Roman




Re: [tor-talk] The NSA's problem? Too much data?

2013-10-16 Thread Roman Mamedov
On Wed, 16 Oct 2013 02:00:23 -0400
grarpamp  wrote:

> Ironic to see them using these to link to recent revelations when...
> - it's centralized,

Irony here is that all three of you are still using GMail. :)

-- 
With respect,
Roman




Re: [tor-talk] dynamically adjusting bandwidth

2013-10-13 Thread Roman Mamedov
On Sun, 13 Oct 2013 17:25:02 -0400
starli...@binnacle.cx wrote:

> Hello,
> 
> I've recently established a full-time relay
> running on a fast Linux router.  Working nice
> with version 0.2.4.17-rc.
> 
> Have a daily offsite backup that was butting heads
> with TOR traffic, so I wrote a 'tor_bwreduce' and
> 'tor_bwrestore' script like these:
> 
> nc 10.92.88.1 9151 <<EOF
> AUTHENTICATE "xxx"
> SETCONF RelayBandwidthRate=6
> SETCONF RelayBandwidthBurst=6
> QUIT
> EOF

Interesting... I needed a similar thing, but it never occurred to me to use the
control socket. I was simply rewriting the torrc and doing '/etc/init.d/tor
reload' each time. But it did work perfectly as well.

-- 
With respect,
Roman
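
The control-port approach discussed in this thread, as an added example that is not code from either poster: a small Python client that checks every reply instead of piping commands blindly through nc, so a failed AUTHENTICATE or a rejected SETCONF is reported. It assumes password authentication on the control port; the host, port, password and bandwidth values passed in are placeholders chosen by the caller.

```python
import socket


class ControlError(RuntimeError):
    """Raised when Tor answers a control command with a non-250 status."""


def quote(value):
    # QuotedString in the control protocol: escape backslash and double quote.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def read_reply(reader):
    # A reply is one or more lines "NNN-text" ended by a final "NNN text".
    # (Multi-line "NNN+" data replies are not produced by the commands below.)
    texts = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("control connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or not line[:3].isdigit():
            raise ControlError("malformed reply line: %r" % line)
        texts.append(line[4:])
        if line[3] == " ":
            return int(line[:3]), texts


def command(sock, reader, line):
    sock.sendall(line.encode("ascii") + b"\r\n")
    code, texts = read_reply(reader)
    if code != 250:
        # Report only the verb so the password never lands in logs.
        raise ControlError("%s failed: %d %s" % (line.split()[0], code, " ".join(texts)))
    return texts


def set_relay_bandwidth(host, port, password, rate, burst, timeout=10.0):
    """Authenticate, set both limits in one SETCONF, and return what GETCONF reports."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        command(sock, reader, "AUTHENTICATE " + quote(password))
        # One SETCONF line: Tor applies both options or rejects the whole command.
        command(sock, reader, "SETCONF RelayBandwidthRate=%s RelayBandwidthBurst=%s"
                % (quote(rate), quote(burst)))
        current = command(sock, reader, "GETCONF RelayBandwidthRate RelayBandwidthBurst")
        command(sock, reader, "QUIT")
        return current


if __name__ == "__main__":
    # Placeholder address and credentials; adjust to the relay's ControlPort.
    print(set_relay_bandwidth("127.0.0.1", 9051, "xxx", "500 KBytes", "1 MBytes"))
```

Like the nc version, SETCONF changes only the running configuration; the values in torrc are untouched unless SAVECONF is issued.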




[tor-talk] Hardware openness, Lemote Yeeloong

2013-10-08 Thread Roman Mamedov
On Mon, 7 Oct 2013 23:43:04 +0200
Eugen Leitl  wrote:

> Eventually, we will have completely open hardware we can trust. 
> But that day is not here yet. Meanwhile, let's minimize the amount
> of evil in the system.

One can get the Lemote Yeeloong netbook (that Richard Stallman also uses),
8.9" version of it is now discounted to 188 EUR [1]. Its specs are arguably
outdated and the performance can be considered lacking especially on the
GUI/video front.

It's not "completely open hardware", i.e. blueprints for CPU and other
circuitry may not be available; but it requires no single binary blob to fully
work, including things like the built-in wifi. And with this having a
Chinese-designed domestic CPU you can certainly feel safe from any CPU-level
*NSA* backdoors at least. :)

[1]
http://www.tekmote.nl/epages/61504599.sf/nl_NL/?ObjectPath=/Shops/61504599/Products/CFL-004-2

-- 
With respect,
Roman




Re: [tor-talk] Running an exit node thru a VPN

2013-10-08 Thread Roman Mamedov
On Tue, 08 Oct 2013 11:54:33 +0200
Walter Rudametkin  wrote:

> Hi everybody,
> 
> Is there a reason why Romania has such a high concentration of 100+ Mbit 
> exit nodes?

http://www.voxility.com/ - a popular colocation and dedicated server provider.

They are also both 37.221 and 93.115 bubbles here:
https://metrics.torproject.org/bubbles.html#network-family

Also can do a search for "voxility" on http://torstatus.blutmagie.de/

-- 
With respect,
Roman



