Re: [tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?

2016-02-12 Thread Soul Plane 
On Fri, Feb 12, 2016 at 1:41 AM, Georg Koppen  wrote:

> Cain Ungothep:
> >> I would
> >> like to know if Tor Browser 5.5.1 is vulnerable. Thanks
> >
> > Looks like it is:
> >
> >
> https://gitweb.torproject.org/builders/tor-browser-bundle.git/commit/?id=7a36dbece35a307675f396a019dccf6e431efb44
> >
> > That build corresponds to a branch which includes the commit that
> > supposedly fixed bug 1246093, and this commit was only pushed less than
> > 48 hours ago.
>
> Indeed. We plan to get at least a new stable version (5.5.2) out today
> which is based on Firefox ESR 38.6.1. Mozilla released 38.6.1 just to
> address the Graphite vulnerabilities.
>


Thanks, I have downloaded version 5.5.2.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Is Tor Browser 5.5.1 vulnerable to any of the graphite font vulnerabilities?

2016-02-11 Thread Soul Plane 
I received a Firefox ESR vulnerability notice today [1] that basically says
some vulnerabilities in libgraphite were fixed in 38.6.1, released today.
The digital signature is for the 10th. Some of the issues were first
disclosed on Feb 5 [2] which is around Tor Browser 5.5.1 was released. I'm
not sure when the other smart font issue was first disclosed.

In the tor browser blog comments on the 10th someone said graphite font
rendering is vulnerable [3] but I can't tell if he's talking about in 5.5.1
or before.

I cannot find a list of vulnerability notices for Tor Browser (why not?
seems like it would be good to have). I assume it somewhat mirrors Firefox
ESR. Based on the information about this, which looks exploitable, I would
like to know if Tor Browser 5.5.1 is vulnerable. Thanks


[1]: https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
[2]:
http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html
[3]:
https://blog.torproject.org/blog/tor-browser-551-released#comment-155968
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Did the FBI Pay a University to Attack Tor Users?

2015-11-11 Thread Soul Plane 
There's an interesting article on the Tor Project's blog today that asks
that.
https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users

Is this a problem that can't be stopped, these relays that may join the
network in an effort to de-anonymize users? Can anyone still flood the
network with tons of relays? Though the relays that were identified were
removed wouldn't someone persistent just learn from that and differentiate
more?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] How do you configure a Tor relay on Windows?

2015-09-24 Thread Soul Plane 
On Thu, Sep 24, 2015 at 11:21 PM, Cypher  wrote:

> I'm helping a user try to install a relay on his Windows 7 machine. They
> have the Tor Browser Bundle. I know we have to edit the torrc config file
> but I can't' find it! The webpage says it should be under \Data director
> but it's not there.
>

Tor Browser\Browser\TorBrowser\Data\Tor\torrc
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] tor browser

2015-07-24 Thread Soul Plane 
On Fri, Jul 24, 2015 at 1:45 PM, Bill Cunningham bill...@suddenlink.net
wrote:

 For the life of me I can't get the tor browser to open. It will not
 even  start let alone install. I don't know what's going on. I have an XP
 x64. I think it's supposed to work with that. What can I be doing wrong?



To get help I think you will have to give more information and also there
may be better places to get it.
https://www.torproject.org/docs/faq.html.en#SupportMail

I tried torbrowser-install-4.5.3_en-US.exe in Windows XP x64 SP2 and it
installed and connected without a problem, so it does work there (though I
had to resize the browser slightly to fix a lack of refresh). I don't know
what you're doing wrong. Maybe you have anti virus that blocks the install
file or it is the wrong file.
https://www.torproject.org/projects/torbrowser.html.en
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] generating more donations

2015-03-04 Thread Soul Plane 
On Wed, Mar 4, 2015 at 2:18 PM, Denise Mangold denise.mang...@gmail.com
wrote:

 I have my amazon smile to donate to the Tor project.  I think there should
 be more marketing of this to generate more money/donations. I do see it in
 the donate page, but I think more people would use the Amazon smile.  A lot
 of people shop on amazon and support tor.


That is a really great idea and I don't think a lot of people know about
it. If you go to smile.amazon.com and search for charity tor project inc
the first result is The Tor Project Inc. Selecting that charity is a
frictionless way to donate. After that every time you buy from
smile.amazon.com which is basically Amazon you are supporting the project.
As far I can tell it isn't any more expensive than regular amazon.com (I've
been opening a second browser to regular amazon.com the last few times I've
bought something just to compare prices) although I don't see where they
say that explicitly.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Belarus just banned Tor and other censorship circumvention tools

2015-02-25 Thread Soul Plane 
On Wed, Feb 25, 2015 at 11:36 AM, Anton Nesterov koma...@openmailbox.org
wrote:

 Aaron Gibson:
  On 2015-02-25 14:22, Anton Nesterov wrote:
  11. If government inspection find Internet resources or anonymity tools
  (proxy servers, anonymous networks like Tor, and so on), which can be
  used to get access for Internet resources with limited access, they
  should add identifier of that Internet resources or anonymity tools to
  the list of limited access.
 
  http://pravo.by/main.aspx?guid=12551p0=T21503059p1=1p5=0 text
  (Russian)
 
  Is there any mention of penalties for circumventing the blocks?

 No, only for ISPs if they refuse to block.

 Also, news report in English
 https://meduza.io/en/news/2015/02/25/belarus-bans-tor


According to an announcement by the nation’s Communications Ministry, the
authorities intend to block access to any anonymizers that allow Internet
users to reach online resources banned inside Belarus. That seems
ambiguous, online resources physically inside the country or online
resources that could be anywhere but are banned from being accessed inside
the country? Do other countries ban all exit nodes?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] 3347 lizardNSA Relays on google cloud.

2014-12-26 Thread Soul Plane 
On Fri, Dec 26, 2014 at 1:52 PM, Thomas White thomaswh...@riseup.net
wrote:

 It is dangerous. I've run a cluster of exits for a long time and
 people like myself and Moritz know the dangers of reducing the
 diversity pool. Adding even a gigabit of exits to a single AS right
 now is dangerous and I've consulted arma on the topic before who
 agreed. Beyond 25% of the network is dangerous and higher than that
 could cause serious anonymity implications.


Why turn down more bandwidth? If all of the exits are being run by the same
person or group why not mark them all as family members of the same group?
I checked a few of them and I don't see that they list family members.
Unless I misunderstand what family members is for?

https://www.torproject.org/docs/faq.html.en#MultipleRelays
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Sybil Attack

2014-12-26 Thread Soul Plane 
On Fri, Dec 26, 2014 at 3:41 PM, Thomas White thomaswh...@riseup.net
wrote:

 There has been some worry about a possible Sybil attack on the Tor
 network and a threat of deploying a 0 day once a Sybil has been
 confirmed. The concerned relays right now are using then nickname
 LizardNSA followed by random characters


There is also FuslVZTOR followed by random characters, 246 right now all
from uk 212.38.181.x. I checked a couple the family info on a couple and
none is set. I don't know if that is normal or not I've never watched the
relays.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Including Adblock to TBB to save bandwith

2014-12-24 Thread Soul Plane 
On Wed, Dec 24, 2014 at 12:08 PM, krishna e bera k...@cyblings.on.ca wrote:

 What about making a TorProject filter list for Adblock* users so that
 we all look the same to sites visited?


Tails uses ABP what about including the same list that they use and disable
subscriptions_autoupdate.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation

2014-12-21 Thread Soul Plane 
On Sun, Dec 21, 2014 at 3:17 PM, Thomas White thomaswh...@riseup.net
wrote:

 Many of you by now are probably aware than I run a large exit node
 cluster for the Tor network and run a collection of mirrors (also ones
 available over hidden services).

 Tonight there has been some unusual activity taking place and I have
 now lost control of all servers under the ISP and my account has been
 suspended. Having reviewed the last available information of the
 sensors, the chassis of the servers was opened and an unknown USB
 device was plugged in only 30-60 seconds before the connection was
 broken. From experience I know this trend of activity is similar to
 the protocol of sophisticated law enforcement who carry out a search
 and seizure of running servers.

 Until I have had the time and information available to review the
 situation, I am strongly recommending my mirrors are not used under
 any circumstances. If they come back online without a PGP signed
 message from myself to further explain the situation, exercise extreme
 caution and treat even any items delivered over TLS to be potentially
 hostile.


What does this mean for the layman that uses Tor? If I am using Tor via
Tails am I affected by this? When you say services does that include your
exit nodes? How would I stop your exit nodes from being used? Is there not
a way for you to revoke their keys when they are seized by law enforcement?
Sorry if I misunderstand.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and solidarity against online harassment

2014-12-11 Thread Soul Plane 
On Thu, Dec 11, 2014 at 5:07 PM, Roger Dingledine a...@mit.edu wrote:

 I'd like to draw your attention to
 https://blog.torproject.org/blog/solidarity-against-online-harassment
 https://twitter.com/torproject/status/543154161236586496

 One of our colleagues has been the target of a sustained campaign of
 harassment for the past several months. We have decided to publish this
 statement to publicly declare our support for her, for every member of
 our organization, and for every member of our community who experiences
 this harassment. She is not alone and her experience has catalyzed us to
 action. This statement is a start.


Where's the harassment, what happened? Does it have to do with her work for
the Tor project? I think if you have any ideals you're going to end up
harassed at some point. There are a lot of intolerant people out there,
Roger.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] So much for using ixquick and Startpage: Now broken w/Tor

2014-11-08 Thread Soul Plane 
On Sat, Nov 8, 2014 at 10:44 AM, l.m ter.one.lee...@hush.com wrote:

 It's not broken. They explain clearly that the concurrent use of
 ixquick/startpage by multiple Tor users at a given exit relay can
 trigger automated abuse blocking. They're right. It could be abuse.
 The same reason Google does it. Why is this a surprise? The problem
 with Google is the connection sometimes 'spills' over to new circuits
 which puts you into an infinite loop of entering captchas. This makes
 Google just block some exit relays entirely for a time because of
 repeated failed captchas. Google really wants to make money so if they
 set a cookie for one of your circuits, and ask for a captcha, which
 then 'spills' to a new circuit, and you just choose a new
 identity--well it shouldn't be a surprise they decide to block a bunch
 exits for lost revenue. Just try your search on startpage/ixquick with
 a new identity.


Thanks, I know I can do that but I don't want to do that. Their help page
says  Both Ixquick and StartPage are compatible with Tor, although use of
VPNs and Proxy services (including Tor) may occasionally trigger our
anti-abuse mechanisms. If so, you will temporarily be presented with a
small warning message, or a request to complete a CAPTCHA before continuing
with your search. [1]

I didn't get captchas and the warning didn't go away. So it seems broken.
It's a block unless you change identities until you get one that works. If
you have to repeatedly change identities doesn't that do something to
lessen anonymity?

[1]:
https://support.startpage.com/index.php?/en/Knowledgebase/Article/View/288/0/how-does-startpage-interact-with-tor
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] So much for using ixquick and Startpage: Now broken w/Tor

2014-11-07 Thread Soul Plane 
On Fri, Nov 7, 2014 at 9:50 AM, Öyvind Saether oyvi...@everdot.org wrote:

 https://startpage.com/do/search is also broken.

 It is interesting how they decided that today (the day after those
 darknet raids) would be a good day to ban Tor-users.


Does anyone know anyone at startpage, maybe you should CC them this. I just
tried the startpage search box in Iceweasel in Tails and I receive a
message directed at Tor users whenever I try to search. I will paste the
message below. Unfortunately it does not appear just once, it appears every
time and I can't get search results that way. I wouldn't mind answering a
captcha once in a while but I don't know how much that's going to help them
against bots since bots apparently use opencv and tricks to break captchas.

Here is the message, it's long:

Welcome Tor Users!

We are happy to welcome you to Startpage, the world's most private search
engine. Startpage now serves well over 2 million searches per day, making
us the biggest private search service on the Internet.

Like Tor, Startpage was private long before privacy was cool. We have a
fourteen-year company track record, and we are the only search engine that
can back up our privacy promises with third-party certification.

Here are just a few of our powerful, privacy-protecting features:

We do not record anything about you — not your IP address, not your
search queries, and we never use tracking cookies.
We provide 100% Google results — We submit your search anonymously to
Google and return their results to you in total privacy.
We encrypt all traffic — using HTTPS, so even your ISP can't snoop on
your searches.
We offer a powerful free proxy — that lets you anonymously view
third-party websites with every search.
We're third-party certified and independently audited — by EuroPrise
and Certified Secure, so you can take our privacy promises to the bank.

We love Tor!

We believe in the Tor project and its privacy mission and we applaud your
efforts to pursue serious Internet privacy.

As you know, Tor recently included Startpage as the default search engine
in the new Tor Browser Bundles. Thank you! We're honored to be associated
with all of you like-minded, hard-core privacy fanatics.
Just One Small Catch...

However, the avalanche of new Tor users has created an issue with the
algorithm we use to detect and reject automated screen-scraping programs.
When multiple Tor users are searching through the same end node, Startpage
may wrongly conclude that the searches are coming from a scraper.

The unfortunate result is that Startpage may occasionally not return
results with Tor. But don't panic, we're committed to fixing it.
Here's a Temporary Solution

We are reaching out to the Tor developers to find a permanent solution. In
the meantime, here is a workaround for Tor users:

If you use the Tor Browser Bundle:
Switching to a new Tor identity is easy and fast. Click the green
onion icon next to your address bar, then click New Identity and try your
search again. In some cases, you may have to switch identities a few times
for this to work.

We want Tor users to have a great private search experience with Startpage,
and we appreciate your patience while we develop a long-term solution. As
you use Startpage, we'd love to hear from you and get your impressions.

Meanwhile, thanks for supporting the vision of Tor and Startpage and a
completely private Internet!
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Cloak Tor Router

2014-11-01 Thread Soul Plane 
On Sat, Nov 1, 2014 at 5:09 AM, Lars Boegild Thomsen 
l...@reclaim-your-privacy.com wrote:

 First of all, I would like to hear more opinions about the value of a
 device such as this. I realize that most technically adept people will
 frown on a a toy such as the Cloak, but this device is really not meant
 for anybody who can install the Tor software on their own or someone who
 can install Tor on a Rasberry Pi. It is meant for my parents, my kids or
 anyone else who - deserve privacy but might not be technically able to
 achieve it. I fully understand and appreciate that a Tor Router such as
 Cloak will NEVER in itself be able to provide any form of anonymity or
 security. It is merely a tool that if used correctly can help enforce a
 certain level of privacy (the newly introduced or discussed Australian data
 retention laws spring to mind and I am certain other countries are
 introducing the same laws). A secondary justification are devices which
 does not support Tor. I've got a Media player in my house and that does
 phone home every single time I play a movie on it and there is no way I
 could possibly install Tor on it. With Cloak and NO login - that is fairly
 anonymous.

 Second of all I would sincerely like a discussion about the firewall rules
 and other security or usability issues with a device as this. The source is
 on Github for everybody to check and I will be happy to discuss any
 technical aspect and appreciate any constructive criticism.  I am of course
 also happy to respond to any questions thrown in my direction.


What happens when a new version of Tor comes out? You want to put this in
the hands of people who really don't know anything about security. To stay
secure wouldn't you or someone have to ensure that all those devices are
using the latest Tor? And how could you do that without access to the
devices? If you leave it up to the end user to do firmware updates most
people probably aren't because they are, like you say, not able to install
Tor on their own. I really don't know if your device is a good idea or a
bad idea but I cringe at what could end up as a false sense of privacy.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Orbot/Tor talk at MIT tomorrow

2014-10-22 Thread Soul Plane 
On Wed, Oct 22, 2014 at 12:06 PM, Nathan Freitas nat...@freitas.net wrote:


 http://kb.mit.edu/confluence/pages/viewpage.action?pageId=152575577

 Anonymity on the Go: The Possibilities and Problems of Tor on Mobile
 Devices
 This talk discusses what possibilities exist for communicating more
 freely on a mobile device.


Will someone be taping this? If there's video can you point us to it after
the talk. Thank you
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] List Administrivia

2014-10-14 Thread Soul Plane 
On Tue, Oct 14, 2014 at 2:21 PM, grarpamp grarp...@gmail.com wrote:

 Time to block this rambling spam. Thanks.


  On Mon, Oct 13, 2014 at 7:17 PM, Ben Healey chewy0...@hotmail.com
 wrote:
  Here's some thought I had.
 
  Physical Digital Encryption
 --
 tor-talk mailing list - tor-talk@lists.torproject.org
 To unsubscribe or change other settings go to
 https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Every time I read one of those e-mails I thought maybe that guy was just
way way way over my head, or writing some kind of secret code or something.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] What should our 31c3 talk be?

2014-09-08 Thread Soul Plane 
On Mon, Sep 8, 2014 at 8:05 PM, Roger Dingledine a...@mit.edu wrote:

 I wonder what would be the most useful topic for this year?


I've noticed some websites are blocking or treating Tor users differently,
not always overtly, and while it may not be the most useful topic if that's
a trend that's increasing it may be worthwhile to talk about it and what
your organization is doing or can do about it.

I tried to pay someone using a payment processor in Germany, and they kept
denying my transactions but it was clearly automated and when I asked them
about it they put the orders through manually and the same thing happened.
I tried every payment method (credit card, wire transfer, money transfer
services, paypal) through several different IP addresses using the Tor
Browser just to see what would happen. I think the payment processor was
cleverbridge. There was nothing saying Hey you're a Tor user you can't use
this method, but any order originating from an IP address connected to Tor
was not accepted. And they just wouldn't say it was due to Tor even though
I explained to them that was probably what was happening since I'd already
been through this with PayPal after they suspended my account for using Tor
(PayPal had cited proxy services are against terms of use and I hadn't
accessed any proxy except Tor).
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Performance

2014-08-14 Thread Soul Plane 
On Wed, Aug 13, 2014 at 3:20 PM, Martin S shieldf...@gmail.com wrote:

 I've set up a Tor and Privoxy chain for our organisation, especially
 for our courntry offices, of which some work in high risk countries.


Pardon me asking this maybe it's obvious but why wouldn't you use an
intranet VPN instead of Tor for your offices? You are using Tor to lower
the risk of your offices how?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] What are the PPTOR relays?

2014-07-08 Thread Soul Plane 
On Tue, Jul 8, 2014 at 5:32 AM, Roger Dingledine a...@mit.edu wrote:

 On Mon, Jul 07, 2014 at 10:07:35PM -0400, Soul Plane wrote:
   Among these relays, do you know which ones were part of your circuit?
 
  First hop:
  PPTOR0006 (Online)
 
  Second hop:
  PPTOR0014 (Online)

 It looks like PTOR0014 has the Unnamed flag. I wonder if Tor clients are
 disregarding it because it's not named by fingerprint in the descriptor,
 and because it has the Unnamed flag rather than the Named flag.

 Seems like a bug.


Ok I filed it here:
https://trac.torproject.org/projects/tor/ticket/12574#ticket
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] What are the PPTOR relays?

2014-07-07 Thread Soul Plane 
On Mon, Jul 7, 2014 at 1:34 PM, Philipp Winter p...@nymity.ch wrote:

 On Sun, Jul 06, 2014 at 10:57:18PM -0400, Soul Plane wrote:
  Last night I noticed my relay path was using two PPTOR relays. I don't
  know much about Tor but from what I've read I thought servers that are
  related are supposed to identify themselves as such. Just because two
  servers have similar names does not mean they are related though. Are
  those servers all run by the same person? Is there a way to tell if
  they are? Is that unusual or not? Thanks

 Tor's MyFamily option is used to announce that a set of relays is run by
 the same operator.  Sometimes, relay operators fail to configure the
 option which could explain what you witnessed.

 At first glance, it looks like the PPTOR family correctly set the
 MyFamily option (using fingerprints and nicknames).  See for example:
 
 https://atlas.torproject.org/#details/0C45FAE12326D376997F8A233A402A6B5BB25404
 

 Among these relays, do you know which ones were part of your circuit?


Yes:

First hop:
PPTOR0006 (Online)
Location: Netherlands
IP Address: 5.79.71.195
Bandwidth: 11.72 MB/s
Uptime: 6 hours 49 mins 45 secs
Last Updated: 2014-07-05 20:12:49 GMT

Second hop:
PPTOR0014 (Online)
Location: Germany
IP Address: 217.114.218.18
Bandwidth: 22.95 MB/s
Uptime: 17 hours 27 mins 56 secs
Last Updated: 2014-07-05 09:34:38 GMT

I see both on the family list. I am using Tails 1.0.1 CD and it uses Tor
version 0.2.4.22 (git-255243866bbf9365). Thanks
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] What are the PPTOR relays?

2014-07-06 Thread Soul Plane 
Last night I noticed my relay path was using two PPTOR relays. I don't know
much about Tor but from what I've read I thought servers that are related
are supposed to identify themselves as such. Just because two servers have
similar names does not mean they are related though. Are those servers all
run by the same person? Is there a way to tell if they are? Is that unusual
or not? Thanks
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Case examples of people deanonymized while using Tor?

2014-06-10 Thread Soul Plane 
Thanks for the video. On your website there is another video Intro to
Darknets: Tor and I2P Workshop. Is one part of the other or do they cover
different material?


On Tue, Jun 10, 2014 at 7:47 AM, Adrian Crenshaw irong...@irongeek.com
wrote:

 Sorry, I forgot to come back to post this
 Dropping Docs On Darknets: How People Got Caught - Adrian Crenshaw

 http://www.irongeek.com/i.php?page=videos/showmecon2014/2-03-dropping-docs-on-darknets-how-people-got-caught-adrian-crenshaw

 It was also accepted at Defcon, but Defcon is a pretty geeky crowd and I
 should not have to spend as much time to explain how Tor works to them.
 What other things should I add?




 On Tue, Mar 25, 2014 at 11:43 AM, Артур Истомин art.is...@yandex.ru
 wrote:

  On Thu, Mar 20, 2014 at 09:16:46AM +, Adrian Crenshaw wrote:
   It will be public after ShowMeCon. Going to do a private one next week
   as practice.
 
  Can you paste link on talk here after ShowMeCon please?
  --
  tor-talk mailing list - tor-talk@lists.torproject.org
  To unsubscribe or change other settings go to
  https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
 



 --
 The ability to quote is a serviceable substitute for wit. ~ W. Somerset
 Maugham
 The ability to Google can be a serviceable substitute for technical
 knowledge. ~ Adrian D. Crenshaw
 --
 tor-talk mailing list - tor-talk@lists.torproject.org
 To unsubscribe or change other settings go to
 https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Small server, not much bandwidth

2014-04-10 Thread Soul Plane 
On Thu, Apr 10, 2014 at 1:57 PM, Roger Dingledine a...@mit.edu wrote:

 On Thu, Apr 10, 2014 at 06:24:00PM +0100, John Williams wrote:
  3. If I run obfsproxy, should I open the regular tor port 9001 to the
  internet also? Or will that get me onto blacklists of known tor
  bridges and cause my whole IP address to be blocked?

 Alas, if you don't open the ORPort to the Internet also, your bridge
 won't find itself reachable, so it won't publish to the bridge
 directory authority, and so bridges.torproject.org won't give out your
 bridge address automatically:
 https://trac.torproject.org/projects/tor/ticket/7349
 So it is fine to leave ORPort closed if you're giving the bridge
 address out manually, but if you want the automated system to do it,
 you need ORPort reachable.

 Fortunately, in practice China censors by IP:port, not by blacklisting
 the whole IP address, for now.


Is there a list of the automated system's IP addresses that we can allow to
reach that port and block everything else, as suggested in the bug?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] CAPTCHA for getting bridges too strong

2014-03-30 Thread Soul Plane 
On Sun, Mar 30, 2014 at 12:58 AM, Артур Истомин art.is...@yandex.ru wrote:

 It is very strong. I was trying more than ten times and did not solve
 it. I am realy do not need bridges, but for those who need, this way
 getting bridges (through web page and CAPTCHA) is useless.

 Maybe they could do something like this instead:
http://research.microsoft.com/en-us/um/redmond/projects/asirra/
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)

2014-03-29 Thread Soul Plane 
On Fri, Mar 28, 2014 at 5:34 PM, Mike Perry mikepe...@torproject.orgwrote:

 Here's a set of rules to try both --ctstate and --state invalid, as well
 as log which ones get hit, for testing purposes. Note the use of -A in
 this case, for readability wrt ordering. These rules should come before
 any other rule in the OUTPUT chain section of the firewall script you
 use:

 #iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix
 Transproxy ctstate leak blocked:  --log-uid
 iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
 iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix
 Transproxy state leak blocked:  --log-uid
 iptables -A OUTPUT -m state --state INVALID -j DROP

 iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp
 --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix Transproxy leak blocked: 
 --log-uid
 iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp
 --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix Transproxy leak blocked: 
 --log-uid
 iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp
 --tcp-flags ACK,FIN ACK,FIN -j DROP
 iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp
 --tcp-flags ACK,RST ACK,RST -j DROP

 It's likely only the first pair is needed, and you may want to comment
 out the --ctstate LOG line as I did to limit noise for successfully
 handled --ctstate INVALID DROP blocks.

 I did test this with the above repro method, and --ctstate INVALID did
 appear sufficient by itself, but reports of any --ctstate DROP rule
 bypass happening will be tremendously useful (which will result in the
 later LOG lines being hit, and sending output to 'dmesg').


I have an Ubuntu middlebox to torify. It uses TransListenAddress,
TransPort. One interface accepts incoming traffic that will be torified.
The connections to the tor network go out on the other interface which can
access the internet unrestricted. I can't find the original directions I
used to set it up. The Torbox page I have commented in my config now says
it's been replaced by Whonix. I tried the wiki there but it doesn't load:
http://sourceforge.net/p/whonix/wiki/ Does what you're saying apply to a
setup like mine? Thanks
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)

2014-03-29 Thread Soul Plane 
On Sat, Mar 29, 2014 at 12:59 PM, Patrick Schleizer adrela...@riseup.netwrote:

 Soul Plane:
  I have an Ubuntu middlebox to torify. It uses TransListenAddress,
  TransPort. One interface accepts incoming traffic that will be torified.
  The connections to the tor network go out on the other interface which
 can
  access the internet unrestricted. I can't find the original directions I
  used to set it up. The Torbox page I have commented in my config now says
  it's been replaced by Whonix. I tried the wiki there but it doesn't load:
  http://sourceforge.net/p/whonix/wiki/ Does what you're saying apply to a
  setup like mine? Thanks

 The TorBOX instructions project does no longer exist. Old instructions
 do still exist in torproject wiki history. Reviving them from wiki
 history will be tedious.


The directions I used turned a normal Ubuntu 12.04 LTS with two network
adapters into a tor middle box. It was a long time ago and I don't remember
how I did it, but I had the torbox url commented in my config next to the
transproxy option. I looked at the torbox url via internet archive (june
2012) but I can't find the directions I used. My iptables don't seem to
have any entries.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Newbie with a bunch of questions for Tor Cloud

2014-03-19 Thread Soul Plane 
I would like to set up a Tor bridge in the Amazon cloud. I have read the
project page at cloud.torproject.org and I think I can do this at little to
no cost based on what I've read. Amazon just sent me a $50 credit because I
signed up to AWS but never used it so maybe I can use that to cover any
overages. Did anyone else get one of those coupons?

More questions:

Why is the only region available for the Tor images us-east virginia? I
thought I could use the free tier in other places. Wouldn't it be better to
vary the regions instead of sticking them all in one place?

And also wouldn't it be better to vary the OS and images in case there is a
vulnerability in one, the rest of the ecosystem using different OSs are ok?

I read in Tor Weekly News today that the obfs3 protocol is vulnerable to
active probing attacks and there is a replacement ScrambleSuit. If I setup
the AWS Obfsproxy image now does that mean the Chinese can detect it and
block it? Is that image obfs2 or 3 or both? Should I just wait until
ScrambleSuit is supported, or can I modify the config file to only use
ScrambleSuit, or is that not a good idea at this point? I don't want to run
something that nobody is going to be able to use because governments can
just detect it and block it.

Is Tor obfuscation specifically more likely to come under attack from
repressive governments?

How is security handled. For example suppose there's a known vulnerability
in Tor or Ubuntu does the server shut down until it's fixed and an update
is available or does the server stay up and risk being hacked? Is there any
notification sent to the AWS administrator in these cases? I would imagine
even a small window is gold for some state run group to break in.

How can I determine the integrity of the server and do I have any
responsibility to do that? Do you guys who are running these instances in
the Tor Cloud just set it and forget it or is there some oversight required?

I would take an active role in securing the instance if necessary but I
need to know what to do. What do you guys do?

Has anyone here built their own Tor setup in EC2 similar to what Tor Cloud
offers?

Thanks
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Newbie with a bunch of questions for Tor Cloud

2014-03-19 Thread Soul Plane 
On Wed, Mar 19, 2014 at 6:01 PM, Runa A. Sandvik runa.sand...@gmail.comwrote:

 On Wed, Mar 19, 2014 at 9:05 PM, Soul Plane soulplan...@gmail.com wrote:
  More questions:
 
  Why is the only region available for the Tor images us-east virginia? I
  thought I could use the free tier in other places. Wouldn't it be better
 to
  vary the regions instead of sticking them all in one place?

 We initially had images in all regions, but due to a bug/issue (see
 https://trac.torproject.org/projects/tor/ticket/10318) I decided to
 temporarily remove all images except the ones in us-east-1. The goal
 is to bring back images for the other regions at some point.


Thanks, I read the bug and the AWS thread and it looks like there is
something wrong with the image copy process. If I wanted to setup in a
location other than Virginia would I be able to use your build script to do
that or would I run into the same image copy problem? Also I noticed in
ec2-prep.sh you have:
curl -m 5 http://169.254.169.254/latest/meta-data/reservation-id
That address is invalid, what is the reservation id for?



  I read in Tor Weekly News today that the obfs3 protocol is vulnerable to
  active probing attacks and there is a replacement ScrambleSuit. If I
 setup
  the AWS Obfsproxy image now does that mean the Chinese can detect it and
  block it? Is that image obfs2 or 3 or both? Should I just wait until
  ScrambleSuit is supported, or can I modify the config file to only use
  ScrambleSuit, or is that not a good idea at this point? I don't want to
 run
  something that nobody is going to be able to use because governments can
  just detect it and block it.

 The current image is a standard bridge, an obfs2 bridge, and an
 obfs3 bridge. ScrambleSuit is not included. If you create an SSH key
 when setting up the instance, you can log on and change whatever you
 want. The Great Firewall of China blocks standard bridges and obfs2,
 but I believe it has yet to block obfs3.


Ok so after I do a build if I want scramblesuit I change this line:
ServerTransportPlugin obfs2,obfs3 exec /usr/bin/obfsproxy --managed
to this:
ServerTransportPlugin scramblesuit exec /usr/bin/obfsproxy --managed

According to this here I need to update obfsproxy first? Is that relevant
here?
https://lists.torproject.org/pipermail/tor-relays/2014-February/003886.html



  Is Tor obfuscation specifically more likely to come under attack from
  repressive governments?

 More likely than what?


Than regular tor bridges. Are obfs3 bridges special bridges that users in
repressive countries are more likely to use because other bridges are
blocked? Maybe I don't understand.



  How is security handled. For example suppose there's a known
 vulnerability
  in Tor or Ubuntu does the server shut down until it's fixed and an update
  is available or does the server stay up and risk being hacked? Is there
 any
  notification sent to the AWS administrator in these cases? I would
 imagine
  even a small window is gold for some state run group to break in.

 The server stays up and checks for regular package updates from
 Ubuntu. If someone were to break in, they would not learn anything
 more than if they had set up a bridge themselves.


Ok. Let's say there was a security vulnerability being exploited in Tor
bridges. Is there any warning from Tor staff? Like when there is one in
Flash or Microsoft etc I will get a CERT or a security advisory saying xxx
is being actively exploited, view such and such a page for more
information. In those cases I will just turn off flash or run the fix it.



  How can I determine the integrity of the server and do I have any
  responsibility to do that? Do you guys who are running these instances in
  the Tor Cloud just set it and forget it or is there some oversight
 required?

 The Ubuntu image the Tor Cloud image is based off of is verified when
 the image is built. The Tor package is verified as it is installed
 (which happens within the first five minutes you boot the server for
 the very first time).


Thanks I took a look at the script.



  I would take an active role in securing the instance if necessary but I
  need to know what to do. What do you guys do?

 The image has been configured to automatically check for package
 updates. In addition, it is recommended that you only open certain
 ports in the firewall (22 for SSH, plus 443, 40872 and 52176 for Tor).


Is there any obfuscation benefit to using random ports, like changing
40872  to 1234 etc.

Thanks
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] TorBrowser spoofed screen size?

2014-03-05 Thread Soul Plane 
I tried TBB 3.5.2 in Windows XP at 120 dpi and browserspy says I'm at 96.
However I went to whatsmyip.org and clicked the 'more info' option and it
shows what appears to be a unique browser resolution. I've never checked
the resolution before so I don't know how it compares to earlier versions.

There's a ticket about DPI here:
https://trac.torproject.org/projects/tor/ticket/8076

If there is a thorough fingerprint page somewhere I would like to know what
it is so I can see what information differs between clients. Aren't Tor
Browser users supposed to look the same?


On Wed, Mar 5, 2014 at 7:56 PM, Joe Btfsplk joebtfs...@gmx.com wrote:

 I'm sure I recently checked what screen size TBB (Windows) was giving out.
  Which ever version I checked it in, test sites did NOT show my actual
 monitor size.

 Now, in TBB 3.5.2, my actual screen size seems to show on several browser
 test sites.
 Even extracted TBB again, into clean folder  re-checked.  Still shows my
 *actual* screen size on test sites.

 I thought decision was made / implemented to report same screen size for
 everyone?
 This is a problem - for couple reasons, for me.

 IF... I set Windows system DPI slightly  default of 96 (else it's too
 damn small), then w/o TBB properly spoofing screen size, sites will detect
 a size that's NEITHER the same as other TBB users, nor a standard size.
 Changing Windows' DPI setting will make my detected screen size an
 oddball size - that almost no one has.

 Anyone else notice TBB isn't spoofing a default screen size anymore, or
 have ideas why it isn't spoofing mine correctly?
 --
 tor-talk mailing list - tor-talk@lists.torproject.org
 To unsubscribe or change other settings go to
 https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Security in Tor Browser related to Firefox ESR

2014-02-11 Thread Soul Plane 
Ok thanks. I checked the blog today and saw that 3.5.2 was released. I
didn't get any announcement. Why not announce the releases through
tor-announce? I'm subscribed to that but I didn't get any notice. Is there
a list or RSS feed where just releases are announced? I don't want a lot of
emails. I don't plan to stay subscribed to tor-talk (there are lots of
things that just don't concern me) but for now I am and I didn't get a
notice of the new release on this list either.


On Thu, Feb 6, 2014 at 6:18 AM, Rick reru...@gmail.com wrote:

 On 02/06/2014 02:05 AM, Soul Plane wrote:

 Yesterday I received a security alert that Firefox ESR was updated to
 24.3.
 http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

 I am wondering if since Tor Browser is based on Firefox ESR it is now
 subject to security vulnerabilities? When you release the Tor Browser
 Bundle do you identify the version (24.2, 24.3,etc) of Firefox that it is
 based on?

 When Firefox patches vulnerabilities in the ESR product and makes a new
 release do you do the same? I took a look at the git for Tor Browser and I
 can't tell whether or not it integrates whatever changes are in Firefox
 24.3.

 Thanks

 New releases are announced here and in the website blog. Changes are
 mentioned and a link to the changelog is provided. That shows that we've
 been in 24.2 since mid-December and 24.3 will appear with TBB 3.5.2, due
 for release within the next week or so (I presume).

 Are we 'now subject to security vulnerabilities'? Sure! And we'll be
 subject to the yet-unknown vulnerabilities of 24.3 when it's released in
 TBB. It's a work in progress.
 --
 tor-talk mailing list - tor-talk@lists.torproject.org
 To unsubscribe or change other settings go to
 https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Using Tor Browser without Tor?

2014-02-06 Thread Soul Plane 
Is it ok to use the Tor Browser without Tor? I don't need Tor but I like
the privacy features that the browser offers.

Recently I noticed that if the Tor Browser is used without Tor and is set
to manual proxy, but there is no HTTP/HTTPS/SOCKS proxy, name lookups will
fail. I filed it as a bug here:

DNS lookup fails without proxy (TorBrowser without tor)
https://trac.torproject.org/projects/tor/ticket/10808

But it was closed as not a bug. If the Tor Browser is able to be used
without Tor would you consider that a bug?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Security in Tor Browser related to Firefox ESR

2014-02-06 Thread Soul Plane 
Yesterday I received a security alert that Firefox ESR was updated to 24.3.
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

I am wondering if since Tor Browser is based on Firefox ESR it is now
subject to security vulnerabilities? When you release the Tor Browser
Bundle do you identify the version (24.2, 24.3,etc) of Firefox that it is
based on?

When Firefox patches vulnerabilities in the ESR product and makes a new
release do you do the same? I took a look at the git for Tor Browser and I
can't tell whether or not it integrates whatever changes are in Firefox
24.3.

Thanks
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk