[tor-talk] Profiling Tor users via keystrokes
Hi!

(I didn't find this topic discussed here yet and I think it might be interesting)

The article
http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/
says that apparently it's possible to deanonymise Tor users by analysing their keystrokes in input fields of websites.

Is it valid to assume that such a technique is possible to be deployed by, for example, cloudflare? (needs JavaScript, has an input field) (or is it required for learning to always enter the same text by the same user?)

Is there need for modifications in the Tor Browser Bundle/upstream Firefox?

Cheers,
~flapflap

signature.asc Description: OpenPGP digital signature
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Qubes? debian? binary? reproducible?
carlo von lynX wrote:

My current state of information is such that any source-code based distribution is less likely to be affected by backdoors until debian and all derivates indeed ship reproducible binaries. If Whonix can be rebuilt from source, so can Qubes OS?

how do you securely distribute sources to be built? a source based distribution has different trade-offs, rather than being immune to tampering.

Gentoo provides cryptographic hashes for all tars and zips it uses for over ten years now. It's really no black magic. Gentoo has other issues and I don't understand why there is so little interest in OS built from source. If techies were admitting what a crazy risk it is to trust binary distributions, maybe source-code based ones would be much more advanced usability-wise by now. But I acknowledge the work being done for reproducible debian and I wished I would also have time to participate in that.

You might as well be interested in GNU Guix https://www.gnu.org/software/guix/ a package manager for the GNU system. It allows you to install pre-built packages, or just download the source and build locally with separable build environments.

https://www.gnu.org/software/guix/manual/guix.html#Features

Finally, Guix takes a purely functional approach to package management, as described in the introduction (see Introduction). Each /gnu/store package directory name contains a hash of all the inputs that were used to build that package—compiler, libraries, build scripts, etc. This direct correspondence allows users to make sure a given package installation matches the current state of their distribution. It also helps maximize build reproducibility: thanks to the isolated build environments that are used, a given build is likely to yield bit-identical files when performed on different machines (see container).

This foundation allows Guix to support transparent binary/source deployment. When a pre-built binary for a /gnu/store item is available from an external source—a substitute, Guix just downloads it and unpacks it; otherwise, it builds the package from source, locally (see Substitutes).

https://www.gnu.org/software/guix/manual/guix.html#Substitutes

Today, each individual’s control over their own computing is at the mercy of institutions, corporations, and groups with enough power and determination to subvert the computing infrastructure and exploit its weaknesses. While using hydra.gnu.org substitutes can be convenient, we encourage users to also build on their own, or even run their own build farm, such that hydra.gnu.org is less of an interesting target.

Guix has the foundations to maximize build reproducibility (see Features). In most cases, independent builds of a given package or derivation should yield bit-identical results. Thus, through a diverse set of independent package builds, we can strengthen the integrity of our systems.

In the future, we want Guix to have support to publish and retrieve binaries to/from other users, in a peer-to-peer fashion. If you would like to discuss this project, join us on guix-de...@gnu.org.

An interesting talk on Guix was given this August at GNU Hacker's Meeting:
http://audio-video.gnu.org/video/ghm2014/2014-08--courtes--were-building-the-gnu-system--ghm.webm

~flapflap

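Added example, not part of the original message and not Guix code: the cross-check suggested by the manual text quoted above (independent builds of the same package should be bit-identical, so several builders can be compared before a binary is trusted), sketched in Python. The tree digest is a simplified stand-in for a real archive hash, and the builder names, quorum values and file contents are constructed.

```python
import hashlib
import os
import tempfile
from collections import Counter


def tree_digest(root):
    """SHA-256 over sorted relative paths and file contents.
    Simplified stand-in (assumption) for a real archive hash: timestamps,
    ownership and permissions are ignored, only content is compared."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            # Length-prefix each field so adjacent entries cannot be confused.
            for field in (rel.encode(), data):
                h.update(len(field).to_bytes(8, "big") + field)
    return h.hexdigest()


def challenge(outputs, quorum):
    """outputs: {builder: directory}; quorum should be a majority of builders.
    Returns (agreed digest or None, builders that disagree with it)."""
    digests = {b: tree_digest(d) for b, d in outputs.items()}
    digest, votes = Counter(digests.values()).most_common(1)[0]
    if votes < quorum:
        return None, sorted(digests)  # not enough agreement: trust no build
    return digest, sorted(b for b, d in digests.items() if d != digest)


def demo():
    """Constructed sample: three builders, one ships a modified binary."""
    samples = [("local", b"\x7fELF-ok"), ("farm-a", b"\x7fELF-ok"),
               ("farm-b", b"\x7fELF-patched")]
    with tempfile.TemporaryDirectory() as tmp:
        outputs = {}
        for builder, payload in samples:
            root = os.path.join(tmp, builder)
            os.makedirs(os.path.join(root, "bin"))
            with open(os.path.join(root, "bin", "hello"), "wb") as f:
                f.write(payload)
            outputs[builder] = root
        return challenge(outputs, quorum=2), challenge(outputs, quorum=3)
```

With a quorum of two the local build and one farm agree and the third builder is flagged; with a quorum of three no output is accepted.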
Re: [tor-talk] Merging all languages (locales) into one Tor Browser package?
Hi,

David Balažic:
On 7 September 2014 14:29, Sebastian G. bastik.tor bastik@googlemail.com wrote:
[snip]
- Users have to select their language during install. (UI problem?)

Users already made a language choice when installing the OS (or booting an OEM install for the first time).
[snip]

The users do not have to choose their language again/one more time: Now, they already do this choice -- before downloading TBB through the website.

What I'm saying is, having the user choose to download only one package and then selecting the language is just the reverse as is done at the moment, not a new/additional step.

I'm not sure if the order doesn't matter, because (maybe) you're in another mood (calm, reading, searching) when browsing the torproject website, whereas when you launch TBB you want to see something/get to your goal soonish..

~flapflap

Re: [tor-talk] TORrorist Shirt from Pirate Party Luxemburg
no.thing_to-h...@cryptopathie.eu:

Obviously we on these lists belong to the most extreme dangerous people one can think of :-)) . Pirate Party Luxemburg thinks the same and offers for 20 EUR or 0.043 BTC a nice TORrorist Shirt (3). The profit will be donated to the Tor project.

Also RMS wrote about the Torrorist shirt :-)
https://stallman.org/archives/2014-may-aug.html#07_July_2014_%28TORorists%29

[tor-talk] Liability to Prosecution for Operating Tor Nodes in Austria
Hi,

FYI (both only in German):
https://network23.org/blackoutaustria/2014/07/01/to-whom-it-my-concern/
(via https://blog.fefe.de/?ts=ad4dd623)

(I'm not familiar with the language of law, just try to summarize it to inform you; maybe someone else could translate it more accurately...)

A court in Austria ruled that one can be held liable to prosecution for operating a Tor Exit [but likely also Middle] Node, when it is used by someone to commit a criminal action. The judge justifies the decision by §12 of the penal code: Not only the direct perpetrator commits a criminal action, but also everyone who appoints someone else to commit it or otherwise adds to its execution.

what a sad and poor decision :(

To cite (and roughly translate) Fefe: As a precaution, Austrians should stop operating communication infrastructure like Jabber, email, and web servers with comment or upload functionality, or telephones and fax machines. If I [Fefe] were the post, I [Fefe] would stop operations, too.

~flapflap

Re: [tor-talk] ICANN and .onion
Anders Andersson:

A few years ago, ICANN started to accept suggestions for new top-level domain names. A friend recently posted a .onion link to me, and it made me realize that there might be a big problem if a company or organization other than Tor actually registered .onion and made it work in any browser.

1) Has there been any discussions regarding the severity of the problem if it should eventually happen? If so, are the discussions or the result of them available online for reading?

2) Has Tor applied to ICANN about the .onion domain, or discussed the pro and con of doing this?

I have been out of the Tor loop for a couple of years, so I'm sorry if this topic has come up in previous discussions - regardless, I could not find an answer.

// Anders

Christian Grothoff and others (from GNUnet) wrote about this already last November:
https://lists.torproject.org/pipermail/tor-dev/2013-November/005747.html

I don't know the current status though...

Cheers,
~flapflap